Andrew,

Here's what worked for me (I assume you're using Win2k3 Server for this too, and I am including all steps just for the record):

1. Ensure that CP works locally (i.e., you get the logon prompt and can connect outwards with a username defined *on the m0n0 itself*). If you don't get the logon page, check your DNS settings: first, attempt to connect to a numeric website, e.g. Google at http://66.249.87.99/ - if this opens the CP prompt dialog, but http://www.google.com does not, then make sure the DNS forwarder is properly configured (or set your DNS server as an allowed outbound IP while you're testing).

2. Start sniffing on your IAS box.

3. Make sure your IAS box's security auditing will log authentication events.

4. On the m0n0, define the IAS box as your RADIUS server for the CP.

5. Attempt to connect via the CP; ensure you see packets incoming on the IAS from the m0n0 (have a look inside them, too).

6. Assuming that the packets you see arriving on your IAS box are from IP 10.1.2.254, configure a RADIUS client in IAS, where
   - friendly name is <FRIENDLY>
   - IP is 10.1.2.254
   - Shared Secret is the same as on the m0n0 (alphanumeric only IIRC)
   - Client-Vendor is 'RADIUS Standard'.

7. Next, configure a Remote Access Policy in IAS, where
   - under the Policy Conditions, Client-IP-Address matches "10.1.2.254"
   - Connection response is 'Grant remote access permission'.

It sounds like you're already at this point, so if authentication is failing, it's probably due to the methods allowed for the authentication (see the Authentication tab in the Policy Profile). I did quite a few tests, and found that authentication only worked with *only one* of the options selected - IIRC, it was PAP, but looking at the now inactive IAS (which I can't test), MS-CHAP is ticked... doh! Sorry for that, but I'm sure that's where your problem is.

Try both, but one at a time (and whenever you modify the authentication settings, *restart the IAS service*). An incorrect authentication method will give you this in the IAS's System Event Log:

    Event Type:     Warning
    Event Source:   IAS
    Event Category: None
    Event ID:       2
    Date:           02/02/2006
    Time:           01:13:45
    User:           N/A
    Computer:       SERVER03
    Description:
    User server03\rad1 was denied access.
     Fully-Qualified-User-Name = SERVER03\rad1
     NAS-IP-Address = <not present>
     NAS-Identifier = <not present>
     Called-Station-Identifier = 00:0d:b9:11:3b:a4
     Calling-Station-Identifier = 00:0b:cd:6a:3d:18
     Client-Friendly-Name = FRIENDLY
     Client-IP-Address = 10.1.2.254
     NAS-Port-Type = Ethernet
     NAS-Port = 6
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = Connections to Microsoft Routing and Remote Access server
     Authentication-Type = PAP
     EAP-Type = <undetermined>
     Reason-Code = 66
     Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

A successful connection looks like this (note the PAP in both - I think the unsuccessful one happens when another option is selected):

    Event Type:     Information
    Event Source:   IAS
    Event Category: None
    Event ID:       1
    Date:           02/02/2006
    Time:           01:14:03
    User:           N/A
    Computer:       SERVER03
    Description:
    User server03\rad1 was granted access.
     Fully-Qualified-User-Name = SERVER03\rad1
     NAS-IP-Address = <not present>
     NAS-Identifier = <not present>
     Client-Friendly-Name = FRIENDLY
     Client-IP-Address = 10.1.2.254
     Calling-Station-Identifier = 00:0b:cd:6a:3d:18
     NAS-Port-Type = Ethernet
     NAS-Port = 6
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = Connections to Microsoft Routing and Remote Access server
     Authentication-Type = PAP
     EAP-Type = <undetermined>

Comments:
- Above, server03 is a member server, so the account 'rad1' was local. If your IAS is also a domain controller, you may have to check for domain\user style prefixes and such.
- If this still fails, check that the IAS isn't passing requests on to another remote RADIUS group server.
- Ethereal and the event logs are your friends.

As far as I can fathom, the difference between the PPTP and RADIUS situations is that when a PPTP client is authenticated via IAS, the client itself is talking directly to IAS, whereas via the CP, the m0n0 itself is doing everything, and can't handle anything more robust than PAP. (This is supposition based on experiment; if someone more knowledgeable can clarify, please do so.)

Hope this helps,
boink
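The post above turns on three things: the shared secret must match on both ends, the portal only speaks PAP, and IAS identifies the client by the packet's source IP because the m0n0 sends no NAS-IP-Address attribute. The following Python is an added illustration written for this page, not code from m0n0wall, IAS or the poster. It builds the PAP Access-Request a captive portal NAS would send (RFC 2865 wire format and the section 5.2 User-Password hiding), then plays the server side so you can see why a wrong shared secret produces an ordinary "denied access" rather than a protocol error. The usernames, passwords, secret, Request Authenticator and MAC strings are constructed sample values; the attribute numbers and packet layout are the ones RFC 2865 defines.

```python
import hashlib
import struct

# RADIUS code and attribute types as defined in RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (PAP): each 16-octet block of the
    null-padded password is XORed with MD5(secret + previous block); for the
    first block the 'previous block' is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password. A wrong shared secret does not
    fail loudly: it yields garbage, so a secret mismatch surfaces as a plain
    bad-credentials denial, which is why step 6 in the post matters."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length covers the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes,
                         calling_mac: str, called_mac: str, nas_port: int = 6) -> bytes:
    """Assemble the Access-Request a captive-portal NAS sends for a PAP logon.
    No NAS-IP-Address attribute is added, matching the '<not present>' in the
    IAS events quoted above; the server then matches its RADIUS client entry on
    the packet's source address (the Client-IP-Address condition in step 7)."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attribute(ATTR_CALLING_STATION_ID, calling_mac.encode())
             + attribute(ATTR_CALLED_STATION_ID, called_mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(raw: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(attr_type, []).append(raw[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, raw[4:20], attrs


def check_access(raw: bytes, secret: bytes, accounts: dict) -> tuple:
    """Minimal server-side PAP decision; accounts maps username -> password bytes.
    Returns (granted, reason)."""
    code, _, authenticator, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if ATTR_USER_PASSWORD not in attrs:
        return False, "no User-Password attribute, so not a PAP request"
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
    if accounts.get(user) == password:
        return True, "granted"
    return False, "bad credentials or shared-secret mismatch"
```

To exercise it, call build_access_request with a constructed secret and a 16-byte authenticator, feed the result to check_access once with the same secret and once with a different one: the first returns granted, the second is denied with exactly the same wording as a wrong password, which is the symptom the post tells you to debug with a sniffer and the event log rather than from the portal's error page.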