avik_bose_1048
Jan 25, 2009

WINDOWS 2003 RADIUS SERVER Configuration with Firepass

We are trying to add a Windows 2003 IAS server with Firepass for RADIUS authentication.

The configuration on the RADIUS server is as follows:

1. On the AD we have enabled “Store Password using reversible encryption for all users in the domain” by going into Computer configuration --- Windows settings --- Security settings --- Account Policies – Password Policy.

2. We have installed IAS on a separate WINDOWS2003 SERVER R2 which is a part of the same domain.

3. We have registered the same server with AD by right-clicking on “IAS” and then selecting Register Service in AD, and restarted the IAS service.

4. We have set the RADIUS ports 1812 for the authentication and 1646 for accounting.

5. We have added a new RADIUS client, named it “FirepassVPN”, added the self IP of the Firepass as the RADIUS client IP, selected the protocol as RADIUS standard and entered a shared secret.

6. Added a new “Remote access policy” by creating a custom policy. Added a Windows group by adding the domain users to the group, set the permission as “Grant remote Access permission” and selected the authentication protocols as

7. In the AD, made sure that for the user groups, in the dial-in tab, “Control access through Remote Access Policy” was selected.

Made the following changes on the Firepass:

1. Created a new master group on the Firepass called “Radius Authentication”.

2. Selected the authentication method for the master group as “Radius” and users as “External”.

3. In the RADIUS settings page, entered the IP of the “Windows 2003 RADIUS” server as the RADIUS server IP, in the shared secret tab put in the same shared secret which was entered on the “IAS server”, the port as “1812,1645” and saved the setting.

Now when we try to authenticate a user to Firepass through the “Windows 2003 RADIUS server”, this is the error message we get on the “Windows 2003 RADIUS server”:

User arpan was denied access.
Fully-Qualified-User-Name = MACROSOFTLLC\arpan
NAS-IP-Address = 192.168.1.99
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = vpnclient
Client-IP-Address = 198.162.1.50
NAS-Port-Type =
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

Not sure why we are getting this error. Any help on this error msg will be greatly appreciated.

Avik

  • Hi Avik,

    You need to go into the config properties on the IAS server and modify the allowed authentication mechanisms. From memory, by default it only allows MSChapv2. You'll need to enable some of the other methods (not sure exactly which ones off the top of my head) but you can have a fiddle and it should be pretty easy to work out.

    Cheers,

    Mal
  • Hi Mal,

    Thanks for the prompt response. Went into the IAS server and in the remote access policy, selected "Unencrypted Protocols" for authentication and it worked. It seems Firepass sends the authentication requests in PAP.

    Thanks

    Avik