Link to home
Create AccountLog in
Avatar of mikey250
mikey250

asked on

VPN - Allow/Deny or Control access Policy issue

Ive installed and configured a master win 2003, sp2, dns, dhcp & connected via a switch 'LOCALLY' for the time being and no VLANS are being used so it is acting as a HUB.

when i configured IAS & Radius I selected the tick box option on a 'USER' account for 'control policy'.

What is the difference between:

- Allow
- Deny
- Control policy option

??
ASKER CERTIFIED SOLUTION
Avatar of jesaja
jesaja
Flag of Switzerland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Avatar of mikey250
mikey250

ASKER

so if i selected 'Allow' and NOT 'Control access policy', does it mean less security - Yes or No?

Does selecting 'Control access policy' - mean more secure?

Or are you saying the 'Disable & Allow' - are only for Dial-up?

what does RAS stand for?

Just trying to understand your explanation
The Dial In settings will control the remote Access Permissions for the user. The same option can be set in the Remote Access Policies of the Internet Authentication (IAS) Service (as depicted)



If the users Dial in Remote Access Permission is set to Allow or Deny access the user remote access permission overrides the policy remote access permission (as depicted) and only if the Remote Access Policy is applied to the user. There can only be one Remote Access Policy applied to a user that is controlled through the Conditions in the Policy. That means no further policy will be processed.

When remote access permission on a user account is set to the Control access through Remote Access Policy option, the policy remote access permission determines whether the user is granted access.


So the best approach is to create a Dial-In Security Group and add the user accounts to this group and set those users to Control access through Remote access Policy and set all other users to deny.
Create a Remote Access Policy and add a condition to this Policy that checks if the user is in this group (Windows Groups)
and set the Option
 - If a connection request matches the specified conditions to Grand remote access permissions

That will gives grater control and transparency to determine  user dial in access thus only members of the security group will have access


what does RAS stand for?
- Routing and Remote Access Server



 User generated image

 User generated image
Thanks for the clarity.