Solved

Can IAS on Win/2003 server work in Win/2008 network

Posted on 2011-03-08
766 Views
Last Modified: 2012-05-11
I have moved my company over to a new Windows 2008 R2 domain network, from the older Windows 2003 domain network we used to be on.

As part of that, I have a Windows 2003 server, Standard Edition, Service Pack 1, that ran IAS (Internet Access Service) to authenticate users coming in for VPN on the older Windows 2003 domain.

I moved this IAS server to the new domain, registered it with the new Windows 2008 R2 domain as a RADIUS server, and have it up and running. However, users are unable to authenticate when they try to VPN in. The error I am seeing is the following:

Event ID: 2
Reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

All of the users DO have "Allow Access" permissions set under the "Dial In" tab of their userid properties.

Is there something on the Windows 2008 R2 Active Directory server that I need to set, so that my users can authenticate to the new domain?

Thank you in advance,
Jeff
Question by:jgrammer42
12 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070516
Hi Jeff, what the authentication methods used with your IAS rules?
I think you use old authentication schemes (like LM/NTLM -> CHAP, MSCHAPv1) that wouldn't be authorized by default with 2008R2.
To resolve, you can:
- modify your IAS rules to use PEAP/MSCHAPv2 only.
- decrease the default domain policy LAN Manager authentication level to allow old LM/NTLM (LAN Manager authentication level)

you can review settings here:
http://support.microsoft.com/kb/823659/en-us
http://adtroubleshooting.deuby.com/2010/03/w2k8-r2-ad-tips-watch-lan-manager.html

But definitely, I would suggest you update your IAS rules to use a greater authentication level.
0
 

Author Comment

by:jgrammer42
ID: 35070731
Tasmant,

I am a bit confused.  Are you saying on the Windows 2003 server that I am running the IAS on that I need to change the Local Security policy?

Or do I need to change the Group Security policy on the Windows 2008 R2 server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070891
I would suggest you check your IAS rules first.
In each of your rules, check which authentication you use: http://technet.microsoft.com/en-us/library/cc784383%28WS.10%29.aspx
check if you use PEAP/MSCHAPv2

Otherwise the policy needs to be changed on the 2008 R2 DC, you're right.
But not really secure.
0

 

Author Comment

by:jgrammer42
ID: 35071759
Tasmant,

Ok, so under my Win/2003 server running IAS, here are my options under the Local Security Settings:

Network security: LAN Manager authentication level Properties:
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only  
- Send NTLMv2 response only
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM

Currently the Win/2003 IAS server is set for : Sent NTLM response only.

So, which setting do I need to change it to for Windows 2008 R2 Server?

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082649
You should review the setting on your DC (default domain controller policy) or (local security policy) to check the setting. By default it should be "Send NTLMv2 response only".

So you should try to set up your IAS server with at least
- Send LM & NTLM - use NTLMv2 session security if negotiated

If you're sure you don't have old legacy clients (above Windows 2000) then you could use this option:
- Send NTLMv2 response only

With the last 2 options, this is the most secure but should be enabled carefully, and I don't think you need them at this time.
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM
0
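As an added example (not code from the thread or from Microsoft), the following PowerShell script reads the "LAN Manager authentication level" (registry value LmCompatibilityLevel) on both the IAS server and a 2008 R2 DC, prints the setting names listed above, and flags the combination the advice above is about: a DC that refuses NTLM while the IAS server still sends NTLM responses. It assumes an administrative PowerShell session on a 2008 R2 host with WinRM remoting to both machines; IAS01 and DC01 are placeholder computer names.

```powershell
# Added example, not from the thread. Maps LmCompatibilityLevel to the
# "LAN Manager authentication level" names and checks the IAS/DC pairing.
# Assumptions: WinRM remoting works to both hosts; IAS01 and DC01 are placeholders.

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmLevel {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Returns $null when the value is absent, i.e. the OS default applies
    # (2 on Windows Server 2003, 3 on Windows Server 2008 R2).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
}

function Test-LmCompatible {
    param([int]$IasLevel, [int]$DcLevel)
    # Levels 0-2 send LM/NTLM (not NTLMv2) responses; a DC at level 5
    # refuses LM and NTLM, so that pairing cannot authenticate.
    return (-not ($DcLevel -ge 5 -and $IasLevel -le 2))
}

$ias = Get-LmLevel -ComputerName 'IAS01'
$dc  = Get-LmLevel -ComputerName 'DC01'

foreach ($pair in @(@('IAS01', $ias), @('DC01', $dc))) {
    $name, $lvl = $pair
    if ($null -eq $lvl) { $label = 'not set (OS default applies)' }
    else { $label = "$lvl = $($LevelNames[[int]$lvl])" }
    Write-Output ('{0}: LmCompatibilityLevel {1}' -f $name, $label)
}

if ($null -ne $ias -and $null -ne $dc) {
    if (Test-LmCompatible -IasLevel $ias -DcLevel $dc) {
        Write-Output 'LAN Manager levels are compatible; check the IAS remote access policy (EAP / MS-CHAPv2) next.'
    } else {
        Write-Output 'Mismatch: the DC refuses the NTLM responses the IAS server is configured to send.'
    }
}
```

A level reported as "not set" means the OS default applies, so compare it against the default for that server's OS before deciding anything.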
 
LVL 11

Expert Comment

by:Tasmant
ID: 35082717
But did you first check your IAS access rules?
Take a look here, chapter "Configure the Microsoft Windows IAS", and review points 5 to 8 to see if your rules use EAP methods and MS-CHAPv2 is enabled.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a829b8.shtml#IAS1
0
 

Author Comment

by:jgrammer42
ID: 35082820
Tasmant,

I did check the IAS access rules.  It currently has checks in all of the following:

MS-CHAP-v2
MS-CHAP

It does not have checked the following:

CHAP
PAP, SPAP

Should I also go ahead and turn those on?

I will also, at least for troubleshooting, turn on

-Send LM & NTLM - use NTLM v2 session security if negotiated

Unfortunately, I will not be able to test these configurations until this weekend.  

Thank you,
Jeff
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35083626
Do not turn on CHAP, PAP and SPAP on your IAS rules.
Should be ok with "Send LM & NTLM - use NTLM v2 session security if negotiated" in the local policy.
0
 

Author Comment

by:jgrammer42
ID: 35083789
Tasmant,

Ok, thank you.

I will do that, and then run the tests this weekend and see how it goes.

If it works, I will come back and close the ticket, and award the points.

Sorry I cannot do this sooner; I just cannot take the customer down until then.

Thank you,
Jeff
0
 

Author Comment

by:jgrammer42
ID: 35257845
To Administrator:

Still working on this.  Please leave open
0
 

Accepted Solution

by:
jgrammer42 earned 0 total points
ID: 35377356
A viable solution has never been found.

The only workaround for this was to reconfigure the ASA so that it uses an internally assigned userid, rather than the Active Directory userid.

0
 

Author Closing Comment

by:jgrammer42
ID: 35410295
Self graded...
0
