Solved

Can IAS on Win/2003 server work in Win/2008 network

Posted on 2011-03-08 | 12 comments | 756 views | Last Modified: 2012-05-11
I have moved my company over to a new Windows 2008 R2 domain network, from the older Windows 2003 domain network we used to be on.

As part of that, I have a Windows 2003 server, standard edition, Service Pack 1, windows server that ran IAS, (Internet Access Service), to authenticate users coming in for VPN on the older Windows 2003 domain.

I moved this IAS server to the new domain, registered it with the new Windows 2008 R2 domain as a RADIUS server, and have it up and running. However, users are unable to authenticate when they try to VPN in. The error I am seeing is the following:

Event ID: 2
Reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

All of the users DO have "Allow Access" permissions set under the "Dial In" tab of their userid properties.

Is there something on the Windows 2008 R2 Active Directory server that I need to set, so that my users can authenticate to the new domain?

Thank you in advance,
Jeff
0
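The denied-access event quoted in the question can be triaged in bulk rather than one event at a time. The following PowerShell is added here as an example and is not part of the thread: it parses IAS "denied access" messages (Event ID 2, source IAS, in the System log on Windows Server 2003), pulls out the user, NAS, policy and Reason fields, and groups the events by Reason so you can see whether every VPN failure carries the same "authentication method is not enabled" reason or whether other reasons are mixed in. The `Name = value` line layout, the field names `User-Name`, `NAS-IP-Address` and `Policy-Name`, and the sample messages are assumptions constructed for the example; feed real message text in from `Get-EventLog` on the IAS host.

```powershell
# Added example, not from the thread: group IAS Event ID 2 (denied access) events by Reason.
# The "Name = value" line layout and the field names below are assumed; the sample
# messages at the bottom are constructed so the functions can be run offline.

function ConvertFrom-IasDeniedEvent {
    param([Parameter(Mandatory=$true)][string]$Message)
    $fields = @{}
    # Every line of the form "Name = value" becomes a field; the first line
    # ("User X was denied access.") does not match and is skipped.
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([\w-]+)\s*=\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    New-Object PSObject -Property @{
        User   = $fields['User-Name']        # assumed field name
        Nas    = $fields['NAS-IP-Address']   # assumed field name
        Policy = $fields['Policy-Name']      # assumed field name
        Reason = $fields['Reason']           # the line quoted in the question
    }
}

function Get-IasDenialSummary {
    param([Parameter(Mandatory=$true)][string[]]$Messages)
    $parsed = @($Messages | ForEach-Object { ConvertFrom-IasDeniedEvent -Message $_ })
    $parsed | Group-Object Reason | Sort-Object Count -Descending | ForEach-Object {
        $users = @($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique)
        New-Object PSObject -Property @{
            Count  = $_.Count
            Reason = $_.Name
            Users  = ($users -join ', ')
        }
    }
}

# Constructed sample messages (not real log data).
$sampleMessages = @(
@"
User jdoe was denied access.
 User-Name = CORP\jdoe
 NAS-IP-Address = 192.0.2.10
 Policy-Name = VPN Users
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"@,
@"
User asmith was denied access.
 User-Name = CORP\asmith
 NAS-IP-Address = 192.0.2.10
 Policy-Name = VPN Users
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"@,
@"
User bjones was denied access.
 User-Name = CORP\bjones
 NAS-IP-Address = 192.0.2.10
 Policy-Name = VPN Users
 Reason = Constructed sample: a different denial reason.
"@
)

Get-IasDenialSummary -Messages $sampleMessages | Format-Table Count, Reason, Users -AutoSize

# Against the live System log on the IAS host (PowerShell 2.0 or later):
# $live = Get-EventLog -LogName System -Source IAS -InstanceId 2 | Select-Object -ExpandProperty Message
# Get-IasDenialSummary -Messages $live | Format-Table Count, Reason, Users -AutoSize
```

If every denied event carries the single reason from the question, the problem is the authentication method negotiated between the VPN device and the IAS policy, not the users' dial-in permissions; a mix of reasons points at more than one misconfiguration.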
Question by: jgrammer42

12 Comments
Expert Comment by Tasmant (LVL 11):
Hi Jeff, what are the authentication methods used with your IAS rules?
I think you use old authentication schemes (like LM/NTLM -> CHAP, MSCHAPv1) that wouldn't be authorized by default with 2008 R2.
To resolve, you can:
- modify your IAS rules to use PEAP/MSCHAPv2 only.
- decrease the default domain policy LAN Manager authentication level to allow old LM/NTLM (LAN Manager authentication level)

You can review the settings here:
http://support.microsoft.com/kb/823659/en-us
http://adtroubleshooting.deuby.com/2010/03/w2k8-r2-ad-tips-watch-lan-manager.html

But definitely, I would suggest you update your IAS rules to use a greater authentication level.
0
Author Comment by jgrammer42:
Tasmant,

I am a bit confused.  Are you saying on the Windows 2003 server that I am running the IAS on that I need to change the Local Security policy?

Or do I need to change the Group Security policy on the Windows 2008 R2 server?

Thank you,
Jeff
0
Expert Comment by Tasmant (LVL 11):
I would suggest you check your IAS rules first.
In each of your rules you use authentication: http://technet.microsoft.com/en-us/library/cc784383%28WS.10%29.aspx
Check if you use PEAP/MSCHAPv2.

Otherwise the policy needs to be changed on the 2008 R2 DC, you're right.
But not really secure.
0
Author Comment by jgrammer42:
Tasmant,

Ok, so under my Win/2003 server running IAS, here are my options under the Local Security Settings:

Network security: LAN Manager authentication level Properties:
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only
- Send NTLMv2 response only
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM

Currently the Win/2003 IAS server is set to: Send NTLM response only.

So, which setting do I need to change it to for Windows 2008 R2 Server?

Thank you,
Jeff
0
Expert Comment by Tasmant (LVL 11):
You should review the setting on your DC (Default Domain Controller Policy) or (Local Security Policy) to check the setting. By default it should be "Send NTLMv2 response only".

So you should try to set up your IAS server with at least:
- Send LM & NTLM - use NTLMv2 session security if negotiated

If you're sure you don't have old legacy clients (above Windows 2000) then you could use this option:
- Send NTLMv2 response only

The last 2 options are the most secure but should be enabled carefully, and I don't think you need them at this time:
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM
0
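The six options the two posts above go back and forth over are one registry value, `LmCompatibilityLevel` (0 to 5) under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and the thing that actually matters is the pairing: levels 0 to 3 on the host that validates a logon still accept LM, NTLM and NTLMv2 responses, while levels 4 and 5 refuse LM, and LM plus NTLM, respectively. The following PowerShell is added here as an example and is not part of the thread or of any Microsoft tooling: it reads the level from one or more hosts (falling back to the OS default when no policy has set the value: 2 on Windows Server 2003, 3 on Windows Server 2008 R2), translates it into the option names shown in Local Security Settings, and checks whether the response type the IAS server sends at its level would be refused by a DC at another level. The host names `IAS01` and `DC01` are hypothetical; the send/refuse rules are the documented semantics of the setting (see the KB823659 link earlier in the thread).

```powershell
# Added example, not from the thread: inspect and compare LmCompatibilityLevel.
# Names follow the Local Security Settings dialog; send/refuse rules follow the
# documented semantics of "Network security: LAN Manager authentication level".

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$OsDefault = 2     # value Windows uses when no policy sets it: 2 on 2003, 3 on 2008 R2
    )
    # Remote registry read; the Remote Registry service must be running on the target.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $raw  = $lsa.GetValue('LmCompatibilityLevel')   # $null when the value has never been set
    $level = if ($raw -eq $null) { $OsDefault } else { [int]$raw }
    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        Level         = $level
        Setting       = $LmLevelNames[$level]
        ExplicitlySet = ($raw -ne $null)
    }
}

function Test-LmLevelCompatibility {
    param(
        [Parameter(Mandatory=$true)][int]$ClientLevel,   # host sending the response (the IAS server)
        [Parameter(Mandatory=$true)][int]$ServerLevel    # host validating it (the domain controller)
    )
    # What the client sends: 0-1 send LM and NTLM, 2 sends NTLM only, 3-5 send NTLMv2 only.
    $sends = switch ($ClientLevel) {
        { $_ -le 1 } { 'LM', 'NTLM' }
        2            { 'NTLM' }
        default      { 'NTLMv2' }
    }
    # What the server refuses: 4 refuses LM, 5 refuses LM and NTLM, 0-3 refuse nothing.
    $refuses = switch ($ServerLevel) {
        4       { 'LM' }
        5       { 'LM', 'NTLM' }
        default { @() }
    }
    $accepted = @($sends | Where-Object { $refuses -notcontains $_ })
    New-Object PSObject -Property @{
        ClientSends   = ($sends -join '/')
        ServerRefuses = ($refuses -join '/')
        Compatible    = ($accepted.Count -gt 0)
    }
}

# The levels named in the thread: IAS server at 2 ("Send NTLM response only"),
# DC at the 2008 R2 default of 3 ("Send NTLMv2 response only").
Test-LmLevelCompatibility -ClientLevel 2 -ServerLevel 3 | Format-List
# Same IAS server against a hardened DC at 5 ("refuse LM & NTLM").
Test-LmLevelCompatibility -ClientLevel 2 -ServerLevel 5 | Format-List

# Live check of both hosts (hypothetical names):
# Get-LmCompatibilityLevel -ComputerName 'IAS01' -OsDefault 2
# Get-LmCompatibilityLevel -ComputerName 'DC01'  -OsDefault 3
```

With the levels the thread describes (2 on the IAS server, the default 3 on the DC) the check reports the pair as compatible, because a DC at level 3 still accepts an NTLM response; only a DC at level 5 would refuse what a level-2 client sends. That is the check to run before lowering the IAS server's level for troubleshooting: if the pair is already compatible, the LAN Manager level is not what is producing the Event ID 2 denial, and the remote access policy's authentication methods are the place to look.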
Expert Comment by Tasmant (LVL 11):
But did you first check your IAS access rules?
Take a look here, chapter "Configure the Microsoft Windows IAS", and review points 5 to 8 to see if your rules use EAP methods and MSChapv2 is enabled.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a829b8.shtml#IAS1
0
Author Comment by jgrammer42:
Tasmant,

I did check the IAS access rules. It currently has checks in all of the following:

MS-CHAP-v2
MS-CHAP

It does not have checked the following:

CHAP
PAP, SPAP

Should I also go ahead and turn those on?

I will also, at least for troubleshooting, turn on

- Send LM & NTLM - use NTLM v2 session security if negotiated

Unfortunately, I will not be able to test these configurations until this weekend.  

Thank you,
Jeff
0
Expert Comment by Tasmant (LVL 11):
Do not turn on CHAP, PAP and SPAP on your IAS rules.
It should be ok with "Send LM & NTLM - use NTLM v2 session security if negotiated" in the local policy.
0
Author Comment by jgrammer42:
Tasmant,

Ok, thank you.

I will do that, and then run the tests this weekend and see how it goes.

If it works, I will come back and close the ticket, and award the points.

Sorry I cannot do this sooner; I just cannot take the customer down until then.

Thank you,
Jeff
0
Author Comment by jgrammer42:
To Administrator:

Still working on this. Please leave open.
0
Accepted Solution by jgrammer42 (earned 0 total points):
A viable solution has never been found.

The only workaround for this was to reconfigure the ASA so that it uses an internally assigned userid, rather than the Active Directory userid.

0
Author Closing Comment by jgrammer42:
Self graded...
0