Re: IAS/RADIUS server has passed an invalid value



Hi Frank,
I'm not able to reach these log files. I will try again from outside
corpnet.

For the 2nd scenario, as you say that it is not working right, can you check
the following:
1) Is the connection actually matching the policy on which filters are
applied? You can check this using the event viewer. The event viewer will
log the name of the remote access policy which has been matched.
2) Have only the IP filters configured on this policy. Remove the RQS
filters from this policy.

--
Janani Vasudevan [MSFT]
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

http://blogs.msdn.com/jananiv

RRAS blog: http://blogs.technet.com/rrasblog

[This posting is provided "AS IS" with no warranties, and confers no
rights.]

"Frank Pusch" <FrankPusch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5296D77A-85F1-4531-9C75-F26CC2EC4F71@xxxxxxxxxxxxxxxx
Many thanks.
Here are the logs:
test 1 (configured connection request policy) as I described initially:
ftp://ftp.klopotek.de/public/support/connection_request_policy.zip

test 2 (configured remote access policy) as you described as alternative:
ftp://ftp.klopotek.de/public/support/remote_access_policy.zip

In both cases the VPN login is possible, and all IP ranges are reachable.
The ip-filter rules don't block any traffic.
I don't know why.

The only difference is that in the first case the ISA2004 logs the error
message I described initially.
In the second test there is no hint about the non-active IP filter.

Do you see any hints to solve this issue?

Regards,
Frank Pusch


"Janani Vasudevan [MSFT]" wrote:

Hi Frank,
As the event says, you shouldn't be getting this error. Please send
across the RAS tracing logs from the RRAS server for this. Steps to enable
RAS tracing are given at
http://blogs.technet.com/rrasblog/archive/2005/12/22/416421.aspx

Besides that, what you are currently using is the RQS solution. You can easily
restrict IP access by adding normal IP filters to the remote access policy.
For this, follow the steps below:
1) Double-click the Remote access policy
2) Go to the IP tab
3) Click on 'Input filters' or 'Output filters' accordingly and add the
filters.

Let me know if you need more information.

--
Janani Vasudevan [MSFT]
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

http://blogs.msdn.com/jananiv

RRAS blog: http://blogs.technet.com/rrasblog

[This posting is provided "AS IS" with no warranties, and confers no
rights.]

"Frank Pusch" <FrankPusch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4520D4D5-E6DC-467C-AE4E-EA5D127D46F4@xxxxxxxxxxxxxxxx
Hi, I am trying to configure special IP filter rules for a specific VPN dial-in
user.
But on my ISA2004 I get the following error message:
==============================================================================
Logfile: System
Typ: Error
SourceName: RemoteAccess
EventCode: 20210
Event date: 20061012144700.000000+120
Description: The IAS/RADIUS server has passed an invalid value to the server
running Routing and Remote Access for the following RADIUS attribute:
Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the netsh ras
set trace command to enable packet tracing. Ensure that the RADIUS packets
conform to the standards specified in RFC 2548.

==============================================================================

My configuration:

Authentication over IAS. Configuration in IAS: "Connection
Request Policy" named ip-filter with:
- Policy condition: User-Name matches "pu-q1"
- Profile configuration/Advanced/RADIUS Attributes:
Name: MS-Filter
Vendor: Microsoft
Value/Input Filter: Permit only to ...

But this attribute seems to me not correct. If the IAS receives this
attribute, it doesn't understand it.
Other attributes are correct, e.g. Session-Timeout.

Question: Can anybody help me? I want to configure that a specific dial-in
user has IP access only to specific IP addresses.

Regards,
Frank Pusch
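
An added example, not part of the thread and not Microsoft's code: a structural check for the attribute named in event 20210 (Attribute Type 26, Vendor ID 311, vendor-specific type 22), run over attribute bytes such as those recovered from a packet trace. The function names, the constructed sample bytes, and the rule that an empty filter counts as invalid are assumptions of this example; the filter payload itself is treated as opaque.

```python
import struct

VENDOR_SPECIFIC, MICROSOFT, MS_FILTER = 26, 311, 22  # values from the event text

def tlvs(buf):
    """Split a run of type/length/value items; length counts its 2 header octets."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated header at offset {pos}")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"type {kind}: bad length {length} at offset {pos}")
        items.append((kind, buf[pos + 2:pos + length]))
        pos += length
    return items

def check_ms_filter(attributes):
    """Return (status, detail) for each Microsoft MS-Filter in a RADIUS attribute list."""
    findings = []
    for kind, value in tlvs(attributes):
        if kind != VENDOR_SPECIFIC:
            continue
        try:
            (vendor,) = struct.unpack("!I", value[:4])  # 4-octet Vendor-Id
            # Only Microsoft sub-attributes are inspected; other vendors are skipped.
            subs = tlvs(value[4:]) if vendor == MICROSOFT else []
        except (struct.error, ValueError) as exc:
            findings.append(("invalid", f"Vendor-Specific: {exc}"))
            continue
        for vtype, data in subs:
            if vtype == MS_FILTER and data:
                findings.append(("ok", f"MS-Filter with {len(data)} octets"))
            elif vtype == MS_FILTER:
                # Assumption of this example: an empty filter is treated as invalid.
                findings.append(("invalid", "MS-Filter carries no filter octets"))
    return findings

def vsa(vendor, vtype, data, claimed_len=None):
    """Build one Vendor-Specific attribute; claimed_len overrides the inner length octet."""
    inner = bytes([vtype, len(data) + 2 if claimed_len is None else claimed_len]) + data
    body = struct.pack("!I", vendor) + inner
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed samples: Session-Timeout (type 27) followed by an MS-Filter attribute.
SESSION_TIMEOUT = bytes([27, 6]) + struct.pack("!I", 3600)
GOOD = SESSION_TIMEOUT + vsa(MICROSOFT, MS_FILTER, b"\x01\x02\x03\x04")  # placeholder octets
BAD = SESSION_TIMEOUT + vsa(MICROSOFT, MS_FILTER, b"\x01\x02", claimed_len=9)  # length overruns
```

`check_ms_filter(GOOD)` reports one well-formed MS-Filter, while `check_ms_filter(BAD)` reports the inner length overrun, the kind of structural fault a RADIUS client would reject before interpreting the filter.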