Re: VPN and EAP




Hi Steven

Thanks for your help.

We used to have each user on their client machine use Certificates with
EAP Authentication used to access the Server. The Server was configured
to use Certificates.

Now even though the Server is configured to use Certificates and only
allow access to users who have a valid certificate we are finding that
users can connect by using Windows Authentication with Encryption - so
basic Authentication, just Username and Password.

I have since investigated further upon reading your email and have
found that there are four Access Policies loaded into Routing and
Remote Access.

I will provide the following Policies and their settings in the order
they are in Routing and Remote Access.

1. VPN ACCESS
Nas-Port-Type Matches "Virtual {VPN}" AND
Windows Group Matches "ServerName\VPNUSERS" AND
Tunnel Type Matches "Point to Point Tunnelling Protocol {PPTP}" AND
Authentication Type Matches "EAP"

2. Small Business Remote Access Policy
Windows Group Matches "ServerName\SBS Mobile Users"

3. Connections to Routing and Remote Access Server
MS-Ras-Vendor Matches "some weird number code"

4. Connections to other Access Servers
Day And Time restrictions .....................


I am thinking that if a client tries to connect then if Access Policy 1
is not met then Access Policy 2 might come into play and so because we
have set up that the SBS Mobile Users are also the VPN users then this
is why they can authenticate without using their certificates.

I was under the impression that all four policies had to be true for a
connection to be made.

What do you think?

Regards
Dominic

Steven Zhu [MSFT] wrote:
Hi Dominic,

Thanks for posting here.

From your post, I understand that you want to know why the user can use a
username and password to log in to the VPN server without a certificate. If
I am off base, please feel free to let me know.

Based on my knowledge, please let me know whether you unchecked the EAP
option on the VPN client. If you use MS-CHAP or MS-CHAP v2 as your
authentication method in your VPN client, then the VPN server needs you to
input a username and password to log in to the VPN server.

So please let me know which authentication method you used on VPN client
and VPN server side so that I can provide further assistance on this
problem. I am looking forward to your reply.

Thanks and have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
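
Added example, not part of the original thread and not RRAS/IAS code: a simplified Python model of an ordered remote access policy list in which the first policy whose conditions all match decides the attempt. The profile settings ("profile_auth") and the sample user are assumptions, since the post does not list them; policies 3 and 4 are left out because their conditions are not given in full.

```python
# Added illustration: simplified model of ordered remote access policy
# matching; not RRAS/IAS code. Policies 3 and 4 from the post are left
# out because their conditions are not given in full.
POLICIES = [
    {"name": "VPN ACCESS",
     "conditions": {"nas_port_type": "Virtual {VPN}",
                    "group": r"ServerName\VPNUSERS",
                    "tunnel_type": "PPTP",
                    "auth_type": "EAP"},
     "profile_auth": {"EAP"}},                            # assumption
    {"name": "Small Business Remote Access Policy",
     "conditions": {"group": r"ServerName\SBS Mobile Users"},
     "profile_auth": {"EAP", "MS-CHAP", "MS-CHAP v2"}},   # assumption
]

# Constructed attempt: a user in both groups, as the post describes.
USER = {"nas_port_type": "Virtual {VPN}", "tunnel_type": "PPTP",
        "groups": {r"ServerName\VPNUSERS", r"ServerName\SBS Mobile Users"}}

def conditions_match(policy, attempt):
    """True only if every condition of this one policy is met."""
    for key, wanted in policy["conditions"].items():
        if key == "group":
            if wanted not in attempt["groups"]:
                return False
        elif attempt.get(key) != wanted:
            return False
    return True

def evaluate(policies, attempt):
    """First policy whose conditions all match decides; later ones are not consulted."""
    for policy in policies:
        if conditions_match(policy, attempt):
            return policy["name"], attempt["auth_type"] in policy["profile_auth"]
    return None, False  # nothing matched: attempt is rejected

def password_paths(policies, user, methods=("MS-CHAP", "MS-CHAP v2")):
    """Audit helper: which policy, if any, grants each password-based method."""
    results = [(m, *evaluate(policies, dict(user, auth_type=m))) for m in methods]
    return [(m, name) for m, name, granted in results if granted]

def eap_only(policies):
    """Copy of the policy list with every profile restricted to EAP."""
    return [dict(p, profile_auth={"EAP"}) for p in policies]

if __name__ == "__main__":
    print(evaluate(POLICIES, dict(USER, auth_type="EAP")))
    print(password_paths(POLICIES, USER))
    print(password_paths(eap_only(POLICIES), USER))
```

In this model a password-based attempt skips policy 1 because its Authentication Type condition is not met, and is then decided by policy 2 alone; restricting every profile to EAP leaves no password path.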
