Solved

Can IAS on Win/2003 server work in Win/2008 network

Posted on 2011-03-08
12
764 Views
Last Modified: 2012-05-11
I have moved my company over to a new Windows 2008 R2 domain network, from the older Windows 2003 domain network we used to be on.

As part of that, I have a Windows 2003 server, standard edition, Service Pack 1, windows server that ran IAS, (Internet Access Service), to authenticate users coming in for VPN on the older Windows 2003 domain.

I moved this IAS server to the new domain, registered it with the new Windows 2008 R2 domain as a RADIUS server, and have it up and running.  However, users are unable to authenticate when they try to VPN in.  The error I am seeing is the following :

Event ID: 2
Reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

All of the users DO have "Allow Access" permissions set under the "Dial In" tab of their userid properties.

Is there something on the Windows 2008 R2 Active Directory server that I need to set, so that my users can authenticate to the new domain?

Thank you in advance,
Jeff
0
Comment
Question by:jgrammer42
  • 7
  • 5
12 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070516
Hi Jeff, what the authentication methods used with your IAS rules?
I think you use old authentication schemes (like LM/NTLM -> CHAP, MSCHAPv1) that wouldn't be authorized by default with 2008R2.
To resolve, you can:
- modify your IAS rules to use PEAP/MSCHAPv2 only.
- decrese the default domain policy LAN Manager authentication level to allow old LM/NTLM (LAN Manager authentication level)

you can review settings here:
http://support.microsoft.com/kb/823659/en-us
http://adtroubleshooting.deuby.com/2010/03/w2k8-r2-ad-tips-watch-lan-manager.html

but definitivly, i would suggest you to update your IAS rules to use greater authentication level.
0
 

Author Comment

by:jgrammer42
ID: 35070731
Tasmant,

I am a bit confused.  Are you saying on the Windows 2003 server that I am running the IAS on that I need to change the Local Security policy?

Or do I need to change the Group Security policy on the Windows 2008 R2 server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070891
I would sugget you to check first your IAS rules.
in each of your rules you use authentication: http://technet.microsoft.com/en-us/library/cc784383%28WS.10%29.aspx
check if you use PEAP/MSCHAPv2

Else the policy need to be change on the 2008 R2 DC, you're right.
But not really secure.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:jgrammer42
ID: 35071759
Tasmant,

Ok, so under my Win/2003 server running IAS, here are my options under the Local Security Settings:

Network security: LAN Manager authentication level Properties:
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only  
- Send NTLMv2 response only
- Send NTLMv2 reponse only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM

Currently the Win/2003 IAS server is set for : Sent NTLM response only.

So, which setting do I need to change it to for Windows 2008 R2 Server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082649
you should review the setting on your DC (defaut domain controller policy) or (local security policy) to check the setting. By default should be "Send NTLMv2 response only".

So you should try to set up your IAS server with at least
- Send LM & NTLM - use NTLMv2 session security if negotiated

If you're sure you don't have old legacy clients (above Windows 2000) then you could use this option:
- Send NTLMv2 response only

With the last 2 options, this is the most secure but should be enable carefully, and i don't think you need them at this time.
- Send NTLMv2 reponse only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082717
but did you first checked your IAS access rules?
take a look here, chapter "Configure the Microsoft Windows IAS", and review point 5 to 8 to see if your rules use EAP methods and MSChapv2 is enable.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a829b8.shtml#IAS1
0
 

Author Comment

by:jgrammer42
ID: 35082820
Tasmant,

I did check the IAS access rules.  It currently has checks in all of the following:

MS-CHAP-v2
MS-CHAP

It does not have checked the following:

CHAP
PAP, SPAP

Should I also go ahead and turn those on?

I will also, at least for troubleshooting, turn on

-Send LM & NTLM - use NTLM v2 session security if negotiated

Unfortunately, I will not be able to test these configurations until this weekend.  

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35083626
Do not turn on CHAP, PAP and SPAP on your IAS rules.
Should be ok with "Send LM & NTLM - use NTLM v2 session security if negotiated" in the local policy.
0
 

Author Comment

by:jgrammer42
ID: 35083789
Tasmant,

Ok, thank you.

I will do that, and then run the tests this weekend and see how it goes.

If it works, I will come back and close the ticket, and award the points.

sorry I cannot do this sooner, I just cannot take the customer down until then now.

Thank you,
Jeff
0
 

Author Comment

by:jgrammer42
ID: 35257845
To Administrator:

Still working on this.  Please leave open
0
 

Accepted Solution

by:
jgrammer42 earned 0 total points
ID: 35377356
A viable solution has never been found.

The only workaround for this, was to reconfig the ASA so that it uses an internal assigned userid, rather than the Active Directory userid.  

0
 

Author Closing Comment

by:jgrammer42
ID: 35410295
Self graded...
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question