Re: Conflicting IAS remote access policies problem

On Feb 14, 3:59 pm, "Brian Komar" <brian.ko...@xxxxxxxxxxxxxxxxx>
wrote:
You need to define more specific remote access policies.
Group membership is not good enough (especially when you are members of both
groups you are triggering on).
Add details to the remote access policy that are more specific.
The way RADIUS works is that you will authenticate based on the *first*
matching policy.
For example, to only apply the wireless policy to wirless connection, add
the NAS-Port_Type to be Wireless - IEEE 802.11 condition
Brian

"ttripp" <ttr...@xxxxxxxxxxxxxxxxx> wrote in message

news:942d1059-df30-47b0-b1b3-6303a7c3e03a@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



This concerns a IAS RADIUS server.  I have a pre-existing IAS remote
access policy that authenticates all wireless users and allows them to
connect to my companies wireless network.  I am a member of this
group.

I have created a second policy to allow exec priviledge logins to my
Cisco routers.  I set the policy to allow anyone who is a member of
the Domain Admins group this right.  I am a member of this group as
well.

When the wireless policy is listed first, and I attempt to login to my
Cisco router, I get an "IAS_INVALID_AUTH_TYPE" error in my IAS log,
but I can connect to my wireless network just fine.  If I reverse the
order of the policies, I can log in to the Cisco router just fine, but
then I get the "IAS_INVALID_AUTH_TYPE" error when I connect to my
wireless network.

The logs also show that when the login is failing on the first policy,
it does not fall through to the second policy.

Is there any way around this?  I want to stay in both the wireless
users and the Domain Admins groups; can I configure IAS to go down my
list of policies until I either reach one that accepts my login, or
I'm rejected by all policies?  Thanks.- Hide quoted text -

- Show quoted text -

Thanks. I was afraid I was going to have to set up a separate IAS
server just to handle the routers.
.

Relevant Pages

  • Re: Termserv loses security settings each night
    ... It is a member server in a single-domain forest. ... Domain Security Policy might be the key - see below. ... By default, members of the Remote ... I got it working today by adding a GPO ...
    (microsoft.public.win2000.termserv.apps)
  • Re: Locked out of Win2k Server
    ... >> When you joined the rebuilt machine to the domain it was>> subjected to the Group Policy GPO's of the domain. ... Those GPO settings were still in effect ready to>> configure the machine once it was joined. ... >>>> That you cannot log into the member server with either ...
    (microsoft.public.windows.server.security)
  • Re: Cannot logon locally at the console
    ... setting is applied to the Remote Operators group in the Default Domain ... Controllers Group Policy object. ... Domain Power Users group because the Domain Power Users group is a member ... Administrator account from the Remote Operators group and the Domain Power ...
    (microsoft.public.windows.server.sbs)
  • Re: Club Roster Limits at 27????
    ... different idea of how the revolution is supposed to work than the UPA ... The UPA is a member organization. ... the questions and who turns the feedback into policy. ...
    (rec.sport.disc)
  • Re: Conflicting IAS remote access policies problem
    ... You need to define more specific remote access policies. ... The way RADIUS works is that you will authenticate based on the *first* matching policy. ... For example, to only apply the wireless policy to wirless connection, add the NAS-Port_Type to be Wireless - IEEE 802.11 condition ... I am a member of this ...
    (microsoft.public.security)