Solved

Can IAS on Win/2003 server work in Win/2008 network

Posted on 2011-03-08
12
762 Views
Last Modified: 2012-05-11
I have moved my company over to a new Windows 2008 R2 domain network, from the older Windows 2003 domain network we used to be on.

As part of that, I have a Windows 2003 server, standard edition, Service Pack 1, windows server that ran IAS, (Internet Access Service), to authenticate users coming in for VPN on the older Windows 2003 domain.

I moved this IAS server to the new domain, registered it with the new Windows 2008 R2 domain as a RADIUS server, and have it up and running.  However, users are unable to authenticate when they try to VPN in.  The error I am seeing is the following :

Event ID: 2
Reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

All of the users DO have "Allow Access" permissions set under the "Dial In" tab of their userid properties.

Is there something on the Windows 2008 R2 Active Directory server that I need to set, so that my users can authenticate to the new domain?

Thank you in advance,
Jeff
0
Comment
Question by:jgrammer42
  • 7
  • 5
12 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070516
Hi Jeff, what the authentication methods used with your IAS rules?
I think you use old authentication schemes (like LM/NTLM -> CHAP, MSCHAPv1) that wouldn't be authorized by default with 2008R2.
To resolve, you can:
- modify your IAS rules to use PEAP/MSCHAPv2 only.
- decrese the default domain policy LAN Manager authentication level to allow old LM/NTLM (LAN Manager authentication level)

you can review settings here:
http://support.microsoft.com/kb/823659/en-us
http://adtroubleshooting.deuby.com/2010/03/w2k8-r2-ad-tips-watch-lan-manager.html

but definitivly, i would suggest you to update your IAS rules to use greater authentication level.
0
 

Author Comment

by:jgrammer42
ID: 35070731
Tasmant,

I am a bit confused.  Are you saying on the Windows 2003 server that I am running the IAS on that I need to change the Local Security policy?

Or do I need to change the Group Security policy on the Windows 2008 R2 server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070891
I would sugget you to check first your IAS rules.
in each of your rules you use authentication: http://technet.microsoft.com/en-us/library/cc784383%28WS.10%29.aspx
check if you use PEAP/MSCHAPv2

Else the policy need to be change on the 2008 R2 DC, you're right.
But not really secure.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:jgrammer42
ID: 35071759
Tasmant,

Ok, so under my Win/2003 server running IAS, here are my options under the Local Security Settings:

Network security: LAN Manager authentication level Properties:
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only  
- Send NTLMv2 response only
- Send NTLMv2 reponse only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM

Currently the Win/2003 IAS server is set for : Sent NTLM response only.

So, which setting do I need to change it to for Windows 2008 R2 Server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082649
you should review the setting on your DC (defaut domain controller policy) or (local security policy) to check the setting. By default should be "Send NTLMv2 response only".

So you should try to set up your IAS server with at least
- Send LM & NTLM - use NTLMv2 session security if negotiated

If you're sure you don't have old legacy clients (above Windows 2000) then you could use this option:
- Send NTLMv2 response only

With the last 2 options, this is the most secure but should be enable carefully, and i don't think you need them at this time.
- Send NTLMv2 reponse only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082717
but did you first checked your IAS access rules?
take a look here, chapter "Configure the Microsoft Windows IAS", and review point 5 to 8 to see if your rules use EAP methods and MSChapv2 is enable.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a829b8.shtml#IAS1
0
 

Author Comment

by:jgrammer42
ID: 35082820
Tasmant,

I did check the IAS access rules.  It currently has checks in all of the following:

MS-CHAP-v2
MS-CHAP

It does not have checked the following:

CHAP
PAP, SPAP

Should I also go ahead and turn those on?

I will also, at least for troubleshooting, turn on

-Send LM & NTLM - use NTLM v2 session security if negotiated

Unfortunately, I will not be able to test these configurations until this weekend.  

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35083626
Do not turn on CHAP, PAP and SPAP on your IAS rules.
Should be ok with "Send LM & NTLM - use NTLM v2 session security if negotiated" in the local policy.
0
 

Author Comment

by:jgrammer42
ID: 35083789
Tasmant,

Ok, thank you.

I will do that, and then run the tests this weekend and see how it goes.

If it works, I will come back and close the ticket, and award the points.

sorry I cannot do this sooner, I just cannot take the customer down until then now.

Thank you,
Jeff
0
 

Author Comment

by:jgrammer42
ID: 35257845
To Administrator:

Still working on this.  Please leave open
0
 

Accepted Solution

by:
jgrammer42 earned 0 total points
ID: 35377356
A viable solution has never been found.

The only workaround for this, was to reconfig the ASA so that it uses an internal assigned userid, rather than the Active Directory userid.  

0
 

Author Closing Comment

by:jgrammer42
ID: 35410295
Self graded...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question