I'm getting a little confused by the behaviour of the IAS when it is being
used as a RADIUS server. We have a 3rd party firewall (Fortigate) as the
endpoint for home users' VPNs. We want the firewall to use RADIUS to
authenticate the users, which is fine.
In IAS there are Remote Access Policies, which include <b>allowing</b>
Windows groups, and Connection Request Policies, which <b>don't allow</b>
Windows users or groups.
When I use a Remote Access Policy with the firewall's IP address as the
'Client-IP-Address' I get a message saying "the user attempted to use an
authentication method that is not enabled on the matching remote access
policy", which only seems to be referring to PAP, CHAP etc.
When I use a Connection Request Policy with the same 'Client-IP-Address' I
have to use a genuine account name and password combination. However, this
policy doesn't appear to restrict which users are allowed to connect.
When both policies exist and I've added my magic group to the Remote Access
Policy I get the remote access error above ("the user...access policy") when a
user in the group tries to connect; when a user not in the group attempts to
connect they go straight through. When I look at the IAS log file using
IASParse.exe I find that the group member went through the Remote Access
Policy and the non-group member went through the Connection Request Policy.
So... Is there any way to allow only users of a certain group to create a
VPN to the firewall and use W2003 as the RADIUS server?
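As an added example (not part of the original post, and not IASParse.exe or any Microsoft code): a small Python script that reads IAS-format log lines the way the poster did with IASParse.exe and, for every Access-Accept or Access-Reject, reports which Remote Access Policy and which Connection Request Policy IAS recorded, plus the reason code. It then flags any accept that did not match the policy meant to gate the VPN, which is exactly the "straight through" case described above. The attribute IDs (4108, 4130, 4136, 4142, 4149, 4154) and the reason-code names are assumptions taken from Microsoft's IAS log-format and reason-code lists as recalled here; the log lines, user names, policy names and addresses are constructed for the example.

```python
import csv

# IAS-format log attribute IDs.  Assumption: these IDs are taken from
# Microsoft's documented IAS log attribute list as recalled here; check them
# against your server's documentation before relying on this parser.
ATTR_CLIENT_IP = "4108"          # Client-IP-Address (the RADIUS client, i.e. the firewall)
ATTR_SAM_ACCOUNT = "4130"        # SAM-Account-Name after IAS resolved the user
ATTR_PACKET_TYPE = "4136"        # Packet-Type
ATTR_REASON_CODE = "4142"        # Reason-Code
ATTR_POLICY_NAME = "4149"        # Policy-Name (remote access policy that matched)
ATTR_PROXY_POLICY_NAME = "4154"  # Proxy-Policy-Name (connection request policy that matched)

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Subset of IAS reason codes (assumed from Microsoft's reason-code list).
REASON_CODES = {"0": "IAS_SUCCESS", "16": "IAS_AUTH_FAILURE",
                "48": "IAS_NO_POLICY_MATCH", "66": "IAS_INVALID_AUTH_TYPE"}

# Constructed sample log: hypothetical users, policy names and addresses.
# alice is in the VPN group and is rejected for an auth type the RAP does not
# allow; bob is not in the group and is accepted via a different RAP.
SAMPLE_LOG = """\
10.0.0.1,CORP\\alice,03/15/2005,09:12:01,IAS,RADIUS01,4108,10.0.0.1,4130,CORP\\alice,4136,1,4154,Fortigate CRP
10.0.0.1,CORP\\alice,03/15/2005,09:12:01,IAS,RADIUS01,4108,10.0.0.1,4130,CORP\\alice,4136,3,4142,66,4149,VPN Users,4154,Fortigate CRP
10.0.0.1,CORP\\bob,03/15/2005,09:13:44,IAS,RADIUS01,4108,10.0.0.1,4130,CORP\\bob,4136,1,4154,Fortigate CRP
10.0.0.1,CORP\\bob,03/15/2005,09:13:44,IAS,RADIUS01,4108,10.0.0.1,4130,CORP\\bob,4136,2,4142,0,4149,Default RAP,4154,Fortigate CRP
"""


def parse_ias_line(line):
    """Split one IAS-format record into its six fixed fields plus an attribute map."""
    fields = next(csv.reader([line]))
    if len(fields) < 6:
        raise ValueError("not an IAS-format record: %r" % line)
    record = {"nas_ip": fields[0], "user": fields[1], "date": fields[2],
              "time": fields[3], "service": fields[4], "computer": fields[5],
              "attrs": {}}
    # Everything after the fixed fields is alternating attribute-ID,value pairs.
    pairs = fields[6:]
    for i in range(0, len(pairs) - 1, 2):
        record["attrs"][pairs[i]] = pairs[i + 1]
    return record


def decisions(log_text):
    """Return one dict per Access-Accept/Access-Reject, with the policies IAS logged."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        a = rec["attrs"]
        ptype = PACKET_TYPES.get(a.get(ATTR_PACKET_TYPE), "Unknown")
        if ptype not in ("Access-Accept", "Access-Reject"):
            continue  # requests and accounting carry no decision
        code = a.get(ATTR_REASON_CODE)
        out.append({
            "user": a.get(ATTR_SAM_ACCOUNT, rec["user"]),
            "client_ip": a.get(ATTR_CLIENT_IP, rec["nas_ip"]),
            "outcome": ptype,
            "reason": REASON_CODES.get(code, code),
            "remote_access_policy": a.get(ATTR_POLICY_NAME),
            "connection_request_policy": a.get(ATTR_PROXY_POLICY_NAME),
        })
    return out


def accepted_outside_policy(decision_list, expected_policy):
    """Accepts that did not match the RAP meant to gate the VPN: the 'straight through' cases."""
    return [d for d in decision_list
            if d["outcome"] == "Access-Accept"
            and d["remote_access_policy"] != expected_policy]


if __name__ == "__main__":
    ds = decisions(SAMPLE_LOG)
    for d in ds:
        print("%-12s %-13s reason=%-21s RAP=%-12s CRP=%s" % (
            d["user"], d["outcome"], d["reason"],
            d["remote_access_policy"], d["connection_request_policy"]))
    for d in accepted_outside_policy(ds, "VPN Users"):
        print("WARNING: %s accepted via '%s', not 'VPN Users'"
              % (d["user"], d["remote_access_policy"]))
```

Reading the report: a reject with IAS_INVALID_AUTH_TYPE against the intended RAP means the policy did match the user but the authentication method the firewall sent (PAP, CHAP, MS-CHAP) is not enabled on that RAP's Authentication tab; an accept recorded against some other RAP means the group condition never acted as the gate for that user. Checking both columns per user is the quickest way to tell which of the two policies is actually making the decision.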