Re: Conflicting IAS remote access policies problem

Ihave almost the same issue. What I have is 2 remote policies. One is for
internal wireless users (PEAP). My policy is to verify windows group and the
next is the nas-ip-address. My second policy is for wireless guest via web
login (open). This points to a specific AD group and has the same
NAS-IP-Address. The guest username and password is also in AD but in a
different group than policy 1. The internal users can authenticate, but the
guest users fail on policy one and never hit policy two. If I change the
priority then the guest are fine and the internal users fail. i don't want
to combine the policy into one just in case the guest users somehow gets the
ssid and encryption method. What would be the best way to have 2 policies,
one for each?

"Brian Komar" wrote:

You need to define more specific remote access policies.
Group membership is not good enough (especially when you are members of both
groups you are triggering on).
Add details to the remote access policy that are more specific.
The way RADIUS works is that you will authenticate based on the *first*
matching policy.
For example, to only apply the wireless policy to wirless connection, add
the NAS-Port_Type to be Wireless - IEEE 802.11 condition
Brian


"ttripp" <ttripp@xxxxxxxxxxxxxxxxx> wrote in message
news:942d1059-df30-47b0-b1b3-6303a7c3e03a@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This concerns a IAS RADIUS server. I have a pre-existing IAS remote
access policy that authenticates all wireless users and allows them to
connect to my companies wireless network. I am a member of this
group.

I have created a second policy to allow exec priviledge logins to my
Cisco routers. I set the policy to allow anyone who is a member of
the Domain Admins group this right. I am a member of this group as
well.

When the wireless policy is listed first, and I attempt to login to my
Cisco router, I get an "IAS_INVALID_AUTH_TYPE" error in my IAS log,
but I can connect to my wireless network just fine. If I reverse the
order of the policies, I can log in to the Cisco router just fine, but
then I get the "IAS_INVALID_AUTH_TYPE" error when I connect to my
wireless network.

The logs also show that when the login is failing on the first policy,
it does not fall through to the second policy.

Is there any way around this? I want to stay in both the wireless
users and the Domain Admins groups; can I configure IAS to go down my
list of policies until I either reach one that accepts my login, or
I'm rejected by all policies? Thanks.

.

Relevant Pages

  • Re: Wireless Login help please
    ... bypass domain user configuration Group Policy. ... wireless card, logon with cached credentials, then plug their network card ... certificates may help. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: CRB Checks for 16 year olds
    ... "GAGS" wrote in message ... Because its the policy of the association we are all members of. ... If I was a member of another association, Guiding perhaps and signed a similar form I would follow their policies. ... It comes back with a failure so she can not become a YL, can she still remain as a member of the guide association but just not become a YL? ...
    (uk.rec.scouting)
  • Re: Intermittent Wireless Connectivity
    ... From the Group Policy Properties menu, ... that the wireless policy is broken. ... > channel the kit was attempting to use was sitting at almost full ...
    (microsoft.public.windows.server.sbs)
  • Re: policy confusement
    ... domain policy is loaded. ... There are two components to every GPO - Computer settings and User ... OUs and policies I would strongly suggest ... > The only OU member in the DC OU is the machine that has run dcpromo. ...
    (microsoft.public.win2000.networking)
  • Re: Group Policy loading
    ... Thanks for the help David. ... > It appears there are no issues getting policies to manually apply once you ... > are any known issues with using USB Wireless NICs. ... >> Computer Policy Refresh has completed ...
    (microsoft.public.win2000.group_policy)