Solved

Can IAS on Win/2003 server work in Win/2008 network

Posted on 2011-03-08
Last Modified: 2012-05-11
I have moved my company over to a new Windows 2008 R2 domain network, from the older Windows 2003 domain network we used to be on.

As part of that, I have a Windows 2003 Server, Standard Edition, Service Pack 1, that ran IAS (Internet Access Service) to authenticate users coming in for VPN on the older Windows 2003 domain.

I moved this IAS server to the new domain, registered it with the new Windows 2008 R2 domain as a RADIUS server, and have it up and running.  However, users are unable to authenticate when they try to VPN in.  The error I am seeing is the following :

Event ID: 2
Reason: The user attempted to use an authentication method that is not enabled on the matching remote access policy.

All of the users DO have "Allow Access" permissions set under the "Dial In" tab of their userid properties.

Is there something on the Windows 2008 R2 Active Directory server that I need to set, so that my users can authenticate to the new domain?

Thank you in advance,
Jeff
Question by:jgrammer42

Expert Comment

by:Tasmant
ID: 35070516
Hi Jeff, what are the authentication methods used with your IAS rules?
I think you use old authentication schemes (like LM/NTLM -> CHAP, MSCHAPv1) that wouldn't be authorized by default with 2008 R2.
To resolve, you can:
- modify your IAS rules to use PEAP/MSCHAPv2 only.
- decrease the default domain policy LAN Manager authentication level to allow old LM/NTLM (LAN Manager authentication level)

you can review settings here:
http://support.microsoft.com/kb/823659/en-us
http://adtroubleshooting.deuby.com/2010/03/w2k8-r2-ad-tips-watch-lan-manager.html

But definitely, I would suggest you update your IAS rules to use a greater authentication level.

Author Comment

by:jgrammer42
ID: 35070731
Tasmant,

I am a bit confused.  Are you saying on the Windows 2003 server that I am running the IAS on that I need to change the Local Security policy?

Or do I need to change the Group Security policy on the Windows 2008 R2 server?

Thank you,
Jeff

Expert Comment

by:Tasmant
ID: 35070891
I would suggest you check your IAS rules first.
In each of your rules, check the authentication you use: http://technet.microsoft.com/en-us/library/cc784383%28WS.10%29.aspx
Check if you use PEAP/MSCHAPv2.

Otherwise the policy needs to be changed on the 2008 R2 DC, you're right.
But not really secure.

Author Comment

by:jgrammer42
ID: 35071759
Tasmant,

Ok, so under my Win/2003 server running IAS, here are my options under the Local Security Settings:

Network security: LAN Manager authentication level Properties:
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only  
- Send NTLMv2 response only
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM

Currently the Win/2003 IAS server is set for: Send NTLM response only.

So, which setting do I need to change it to for Windows 2008 R2 Server?

Thank you,
Jeff

Expert Comment

by:Tasmant
ID: 35082649
You should review the setting on your DC (default domain controller policy) or (local security policy) to check the setting. By default it should be "Send NTLMv2 response only".

So you should try to set up your IAS server with at least
- Send LM & NTLM - use NTLMv2 session security if negotiated

If you're sure you don't have old legacy clients (above Windows 2000) then you could use this option:
- Send NTLMv2 response only

The last 2 options are the most secure but should be enabled carefully, and I don't think you need them at this time.
- Send NTLMv2 response only\refuse LM
- Send NTLMv2 response only\refuse LM & NTLM
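The LAN Manager authentication level options listed in this thread correspond to the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, numbered 0 through 5 in the order the policy editor shows them. The following is an added example, not code from the original thread or from Microsoft: it models in Python what a client at each level sends and what a domain controller at each level accepts, following Microsoft's documentation of the setting, and checks the pairing the thread is discussing, an IAS server at "Send NTLM response only" (level 2, the Windows Server 2003 default) against a domain controller at the Windows Server 2008 R2 default of "Send NTLMv2 response only" (level 3). The negotiation rule is a simplification and an assumption of this example: an exchange counts as accepted when the DC validates at least one response type the client sends. The function names are mine.

```python
"""Model of the 'Network security: LAN Manager authentication level' policy.

Added example, not from the original thread. Option text and per-level
behaviour follow Microsoft's documentation of LmCompatibilityLevel; the
negotiation rule below is a simplification (assumption): an exchange is
accepted when the DC validates at least one response type the client sends.
"""

# Policy option text, indexed by the LmCompatibilityLevel value it sets.
OPTIONS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

# Response types a client configured at each level puts on the wire.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},
    1: {"LM", "NTLM"},
    2: {"NTLM"},
    3: {"NTLMv2"},
    4: {"NTLMv2"},
    5: {"NTLMv2"},
}

# Response types a domain controller configured at each level will validate.
DC_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},
    5: {"NTLMv2"},
}

STRENGTH = ["LM", "NTLM", "NTLMv2"]  # weakest to strongest


def level_of(option_text: str) -> int:
    """Map the option text shown in the policy editor to its registry value."""
    wanted = option_text.strip().lower()
    for level, text in OPTIONS.items():
        if text.lower() == wanted:
            return level
    raise ValueError(f"unknown LAN Manager authentication level option: {option_text!r}")


def negotiates(client_level: int, dc_level: int) -> bool:
    """True if a client at client_level can authenticate to a DC at dc_level."""
    return bool(CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level])


def weakest_accepted(dc_level: int) -> str:
    """Weakest response type a DC at this level still validates."""
    return next(t for t in STRENGTH if t in DC_ACCEPTS[dc_level])


def minimum_client_level(dc_level: int) -> int:
    """Lowest client setting that still authenticates against a DC at dc_level."""
    return min(c for c in OPTIONS if negotiates(c, dc_level))


def audit(client_level: int, dc_level: int) -> dict:
    """Summarise one client/DC pairing, e.g. an IAS server and its domain controller."""
    usable = CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level]
    return {
        "client": OPTIONS[client_level],
        "dc": OPTIONS[dc_level],
        "usable": sorted(usable, key=STRENGTH.index),
        "ok": bool(usable),
        "minimum_client_level": minimum_client_level(dc_level),
    }


if __name__ == "__main__":
    # Pairing from the thread: IAS on Windows Server 2003 at its default of 2,
    # domain controllers on Windows Server 2008 R2 at their default of 3; then
    # the same IAS server against a DC hardened to 4 and to 5.
    for client, dc in [(2, 3), (2, 4), (2, 5), (0, 4)]:
        r = audit(client, dc)
        print(f"client {client} -> DC {dc}: ok={r['ok']} via {r['usable']}; "
              f"DC still accepts {weakest_accepted(dc)}; "
              f"client needs level >= {r['minimum_client_level']}")
```

Run audit(client_level, dc_level) for any pairing; minimum_client_level() gives the lowest setting on the IAS side that still authenticates, and the model shows that only a DC at level 5 ("refuse LM & NTLM") rejects a client left at level 2.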

Expert Comment

by:Tasmant
ID: 35082717
But did you first check your IAS access rules?
Take a look here, chapter "Configure the Microsoft Windows IAS", and review points 5 to 8 to see if your rules use EAP methods and MSChapv2 is enabled.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a829b8.shtml#IAS1

Author Comment

by:jgrammer42
ID: 35082820
Tasmant,

I did check the IAS access rules.  It currently has checks in all of the following:

MS-CHAP-v2
MS-CHAP

It does not have checked the following:

CHAP
PAP, SPAP

Should I also go ahead and turn those on?

I will also, at least for troubleshooting, turn on

-Send LM & NTLM - use NTLM v2 session security if negotiated

Unfortunately, I will not be able to test these configurations until this weekend.  

Thank you,
Jeff

Expert Comment

by:Tasmant
ID: 35083626
Do not turn on CHAP, PAP and SPAP on your IAS rules.
Should be ok with "Send LM & NTLM - use NTLM v2 session security if negotiated" in the local policy.

Author Comment

by:jgrammer42
ID: 35083789
Tasmant,

Ok, thank you.

I will do that, and then run the tests this weekend and see how it goes.

If it works, I will come back and close the ticket, and award the points.

sorry I cannot do this sooner, I just cannot take the customer down until then now.

Thank you,
Jeff

Author Comment

by:jgrammer42
ID: 35257845
To Administrator:

Still working on this.  Please leave open

Accepted Solution

by:jgrammer42
ID: 35377356
A viable solution has never been found.

The only workaround for this, was to reconfig the ASA so that it uses an internal assigned userid, rather than the Active Directory userid.  


Author Closing Comment

by:jgrammer42
ID: 35410295
Self graded...