IAS/RADIUS server has passed an invalid value

Hi, I try to configure special ip filter rules for specific VPN dialin user.
But on my ISA2004 I get the following error message:
================================================== ============================
Logfile: System
Typ: Error
SourceName: RemoteAccess
EventCode: 20210
Event date: 20061012144700.000000+120
Description: The IAS/RADIUS server has passed an invalid value to the server
running Routing and Remote Access for the following RADIUS attribute:
Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the netsh ras
set trace command to enable packet tracing. Ensure that the RADIUS packets
conform to the standards specified in RFC 2548.

================================================== ============================

My configuration:

Authentication over IAS. Configuration in IAS: "Connection
Request Policy" named ip-filter with:
- Policy condition: User-Name matches "pu-q1"
- Profile configuration/Advanced/RADIUS Attributes:
Name: MS-Filter
Vendor: Microsoft
Value/Input Filter: Permit only to ...

But this attribut seems to me not correct. If the IAS receive this attribut
he doesnt understand this.
Other attributes are correct, e.g. Session-Timeout.

Question: Can anybody helps me? I want to configure, that a specific dialin
user have only IP-access to specific ip addesses.

Regards,
Frank Pusch

Hi Frank,
As the event says , you shouldn't be getting this error. Please send
across the RAS tracing logs from the RRAS server for this. Steps to enable
RAS tracing are given at
http://blogs.technet.com/rrasblog/ar...22/416421.aspx

Besides that, what you are currenlty using is RQS solution. You can easily
restrict IP access by adding normal IP filters to the remote access policy.
For this, follow the below steps:
1) Doubleclick the Remote access policy
2) Goto the IP tab
3) Click on 'Input filters' or 'Output filters' accordingly and add the
filters.

Let me know if you need more information.

--
Janani Vasudevan [MSFT]
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

http://blogs.msdn.com/jananiv

RRAS blog: http://blogs.technet.com/rrasblog

[This posting is provided "AS IS" with no warranties, and confers no
rights.]

"Frank Pusch" <(E-Mail Removed)> wrote in message
news:4520D4D5-E6DC-467C-AE4E-(E-Mail Removed)...
> Hi, I try to configure special ip filter rules for specific VPN dialin
> user.
> But on my ISA2004 I get the following error message:
> ================================================== ============================
> Logfile: System
> Typ: Error
> SourceName: RemoteAccess
> EventCode: 20210
> Event date: 20061012144700.000000+120
> Description: The IAS/RADIUS server has passed an invalid value to the
> server
> running Routing and Remote Access for the following RADIUS attribute:
> Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the netsh
> ras
> set trace command to enable packet tracing. Ensure that the RADIUS packets
> conform to the standards specified in RFC 2548.
>
> ================================================== ============================
>
> My configuration:
>
> Authentication over IAS. Configuration in IAS: "Connection
> Request Policy" named ip-filter with:
> - Policy condition: User-Name matches "pu-q1"
> - Profile configuration/Advanced/RADIUS Attributes:
> Name: MS-Filter
> Vendor: Microsoft
> Value/Input Filter: Permit only to ...
>
> But this attribut seems to me not correct. If the IAS receive this
> attribut
> he doesnt understand this.
> Other attributes are correct, e.g. Session-Timeout.
>
> Question: Can anybody helps me? I want to configure, that a specific
> dialin
> user have only IP-access to specific ip addesses.
>
> Regards,
> Frank Pusch
>
>

Many thanks.
Here are the logs:
test 1 (configured connection request policy) as I described initial:
ftp://ftp.klopotek.de/public/support...est_policy.zip

test 2 (configured remote access policy) as you described as alternative:
ftp://ftp.klopotek.de/public/support...ess_policy.zip

In both cases the vpn login is possible, and all IP ranges are reachable.
The ip-filter rules doesnt block any traffic.
I dont know why?

The only different is, that in first case the ISA2004 logs the error message
I described initial.
In the second test there is no hint about the non-active ip filter.

Do you see any hints to solve this issue?

Regards,
Frank Pusch


"Janani Vasudevan [MSFT]" wrote:

> Hi Frank,
> As the event says , you shouldn't be getting this error. Please send
> across the RAS tracing logs from the RRAS server for this. Steps to enable
> RAS tracing are given at
> http://blogs.technet.com/rrasblog/ar...22/416421.aspx
>
> Besides that, what you are currenlty using is RQS solution. You can easily
> restrict IP access by adding normal IP filters to the remote access policy.
> For this, follow the below steps:
> 1) Doubleclick the Remote access policy
> 2) Goto the IP tab
> 3) Click on 'Input filters' or 'Output filters' accordingly and add the
> filters.
>
> Let me know if you need more information.
>
> --
> Janani Vasudevan [MSFT]
> Software Design Engineer/Test
> RRAS, Windows Enterprise Networking
>
> http://blogs.msdn.com/jananiv
>
> RRAS blog: http://blogs.technet.com/rrasblog
>
> [This posting is provided "AS IS" with no warranties, and confers no
> rights.]
>
> "Frank Pusch" <(E-Mail Removed)> wrote in message
> news:4520D4D5-E6DC-467C-AE4E-(E-Mail Removed)...
> > Hi, I try to configure special ip filter rules for specific VPN dialin
> > user.
> > But on my ISA2004 I get the following error message:
> > ================================================== ============================
> > Logfile: System
> > Typ: Error
> > SourceName: RemoteAccess
> > EventCode: 20210
> > Event date: 20061012144700.000000+120
> > Description: The IAS/RADIUS server has passed an invalid value to the
> > server
> > running Routing and Remote Access for the following RADIUS attribute:
> > Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the netsh
> > ras
> > set trace command to enable packet tracing. Ensure that the RADIUS packets
> > conform to the standards specified in RFC 2548.
> >
> > ================================================== ============================
> >
> > My configuration:
> >
> > Authentication over IAS. Configuration in IAS: "Connection
> > Request Policy" named ip-filter with:
> > - Policy condition: User-Name matches "pu-q1"
> > - Profile configuration/Advanced/RADIUS Attributes:
> > Name: MS-Filter
> > Vendor: Microsoft
> > Value/Input Filter: Permit only to ...
> >
> > But this attribut seems to me not correct. If the IAS receive this
> > attribut
> > he doesnt understand this.
> > Other attributes are correct, e.g. Session-Timeout.
> >
> > Question: Can anybody helps me? I want to configure, that a specific
> > dialin
> > user have only IP-access to specific ip addesses.
> >
> > Regards,
> > Frank Pusch
> >
> >
>
>
>

Hi Frank,
I'm not able to reach these log files. I will try again from outside
corpnet.

For the 2nd scenario, as you say that it is not working right. Can you check
the following:
1) Is the connection actually matching the policy on which filters are
applied? You can check this using the event viewer. The event viewer will
log the name of the remote access policy which has been matched.
2) Have only the IP filters configured on this policy. Remove the RQS
filters from this policy.

--
Janani Vasudevan [MSFT]
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

http://blogs.msdn.com/jananiv

RRAS blog: http://blogs.technet.com/rrasblog

[This posting is provided "AS IS" with no warranties, and confers no
rights.]

"Frank Pusch" <(E-Mail Removed)> wrote in message
news:5296D77A-85F1-4531-9C75-(E-Mail Removed)...
> Many thanks.
> Here are the logs:
> test 1 (configured connection request policy) as I described initial:
> ftp://ftp.klopotek.de/public/support...est_policy.zip
>
> test 2 (configured remote access policy) as you described as alternative:
> ftp://ftp.klopotek.de/public/support...ess_policy.zip
>
> In both cases the vpn login is possible, and all IP ranges are reachable.
> The ip-filter rules doesnt block any traffic.
> I dont know why?
>
> The only different is, that in first case the ISA2004 logs the error
> message
> I described initial.
> In the second test there is no hint about the non-active ip filter.
>
> Do you see any hints to solve this issue?
>
> Regards,
> Frank Pusch
>
>
> "Janani Vasudevan [MSFT]" wrote:
>
>> Hi Frank,
>> As the event says , you shouldn't be getting this error. Please send
>> across the RAS tracing logs from the RRAS server for this. Steps to
>> enable
>> RAS tracing are given at
>> http://blogs.technet.com/rrasblog/ar...22/416421.aspx
>>
>> Besides that, what you are currenlty using is RQS solution. You can
>> easily
>> restrict IP access by adding normal IP filters to the remote access
>> policy.
>> For this, follow the below steps:
>> 1) Doubleclick the Remote access policy
>> 2) Goto the IP tab
>> 3) Click on 'Input filters' or 'Output filters' accordingly and add the
>> filters.
>>
>> Let me know if you need more information.
>>
>> --
>> Janani Vasudevan [MSFT]
>> Software Design Engineer/Test
>> RRAS, Windows Enterprise Networking
>>
>> http://blogs.msdn.com/jananiv
>>
>> RRAS blog: http://blogs.technet.com/rrasblog
>>
>> [This posting is provided "AS IS" with no warranties, and confers no
>> rights.]
>>
>> "Frank Pusch" <(E-Mail Removed)> wrote in message
>> news:4520D4D5-E6DC-467C-AE4E-(E-Mail Removed)...
>> > Hi, I try to configure special ip filter rules for specific VPN dialin
>> > user.
>> > But on my ISA2004 I get the following error message:
>> > ================================================== ============================
>> > Logfile: System
>> > Typ: Error
>> > SourceName: RemoteAccess
>> > EventCode: 20210
>> > Event date: 20061012144700.000000+120
>> > Description: The IAS/RADIUS server has passed an invalid value to the
>> > server
>> > running Routing and Remote Access for the following RADIUS attribute:
>> > Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the
>> > netsh
>> > ras
>> > set trace command to enable packet tracing. Ensure that the RADIUS
>> > packets
>> > conform to the standards specified in RFC 2548.
>> >
>> > ================================================== ============================
>> >
>> > My configuration:
>> >
>> > Authentication over IAS. Configuration in IAS: "Connection
>> > Request Policy" named ip-filter with:
>> > - Policy condition: User-Name matches "pu-q1"
>> > - Profile configuration/Advanced/RADIUS Attributes:
>> > Name: MS-Filter
>> > Vendor: Microsoft
>> > Value/Input Filter: Permit only to ...
>> >
>> > But this attribut seems to me not correct. If the IAS receive this
>> > attribut
>> > he doesnt understand this.
>> > Other attributes are correct, e.g. Session-Timeout.
>> >
>> > Question: Can anybody helps me? I want to configure, that a specific
>> > dialin
>> > user have only IP-access to specific ip addesses.
>> >
>> > Regards,
>> > Frank Pusch
>> >
>> >
>>
>>
>>

Hi Janani,
the logfiles are now on the ftp site again.

The answer to your questions:
Yes, I checked the event logs. The right policy is active without RQS filter.
But it doesnt work, I mean this has no effect.

Many thanks to review the log files.

Frank Pusch

From the log files I can see the filters being passed from the IAS server to
the RRAS server. Let's see why it is not working
1) What are the filters that you have applied on the remote access policy?
2) How do you check if the filters are applied or not. i.e. how do you
decide that the traffic is blocked or not ..for eg. by doing a ping etc.

--
Janani Vasudevan [MSFT]
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

http://blogs.msdn.com/jananiv

RRAS blog: http://blogs.technet.com/rrasblog

[This posting is provided "AS IS" with no warranties, and confers no
rights.]

"Frank Pusch" <(E-Mail Removed)> wrote in message
news:7C5E4D4F-30C7-4543-821D-(E-Mail Removed)...
> Hi Janani,
> the logfiles are now on the ftp site again.
>
> The answer to your questions:
> Yes, I checked the event logs. The right policy is active without RQS
> filter.
> But it doesnt work, I mean this has no effect.
>
> Many thanks to review the log files.
>
> Frank Pusch
>
>

Hello,
1) here are the next screenshots:
the remote_access_policy configuration:
ftp://ftp.klopotek.de/public/support/pic_a.zip

the connection_request_policy configuration:
ftp://ftp.klopotek.de/public/support/pic_b.zip

2)
I tested "ping 10.17.37.230" and get replies.
I expected no replies.

Kind regards,
Frank Pusch



"Janani Vasudevan [MSFT]" wrote:

> From the log files I can see the filters being passed from the IAS server to
> the RRAS server. Let's see why it is not working
> 1) What are the filters that you have applied on the remote access policy?
> 2) How do you check if the filters are applied or not. i.e. how do you
> decide that the traffic is blocked or not ..for eg. by doing a ping etc.
>
> --
> Janani Vasudevan [MSFT]
> Software Design Engineer/Test
> RRAS, Windows Enterprise Networking
>
> http://blogs.msdn.com/jananiv
>
> RRAS blog: http://blogs.technet.com/rrasblog
>
> [This posting is provided "AS IS" with no warranties, and confers no
> rights.]
>
> "Frank Pusch" <(E-Mail Removed)> wrote in message
> news:7C5E4D4F-30C7-4543-821D-(E-Mail Removed)...
> > Hi Janani,
> > the logfiles are now on the ftp site again.
> >
> > The answer to your questions:
> > Yes, I checked the event logs. The right policy is active without RQS
> > filter.
> > But it doesnt work, I mean this has no effect.
> >
> > Many thanks to review the log files.
> >
> > Frank Pusch
> >
> >
>
>
>

Dear Randy,
many thanks for that explanation.

Yes, it is an ISA2004. So that would be the reason.
But, wherefrom do you have this fact?
Is there any Microsoft site with a description and technical reason I can
read this and maybe some solutions?
In your solution I have to know ip addresses from the client I have to
restrict. What can I do, if I don't have this information. Or the ip address
is dynamicaly?

Regards,
Frank Pusch