Discussion:
Access reject code 49 on SBS 2008
Jon Fleming
2009-07-07 15:47:02 UTC
I had this all working in Small Business Server 2003. I want to use
RADIUS authentication from my router to authenticate VPN users, using
the username. OK, I understand that in SBS 2008 the RADIUS server is
now part of NPS. I've followed the instructions at
http://www.bunkerhollow.com/blogs/matt/archive/2008/06/04/configuring-server-2008-for-radius-authentication.aspx,
setting up a RADIUS client (my laptop) and creating a RADIUS
authentication Network Policy. I'm using CHAP (that's all my router
supports in common with NPS). I've triple-checked that the shared
secret is the same on both ends. I've used two different RADIUS test
clients, and when I try to authenticate as jfleming, I always get:

:Sending Access-Request of id 0 to 192.168.7.250:1645
CHAP-Password = 0x00a2d04b9870ccd4df9d20344e09850e70
User-Name = "jfleming"
Info: Access-Reject packet from host 192.168.7.250:1645, id=0,
length=20

The NPS logs show code 49, "The connection attempt did not match any
connection request policy." My number 1 CRP has a condition of IPv4
address 192\.168\.7\..+, Authentication provider Local Computer,
Authentication method CHAP or MS-CHAP, or MS-CHAP-v2. It sure seems to
me that that CRP matches. But apparently it doesn't.

How can I get this working?
James McIllece [MS]
2009-07-10 21:40:11 UTC
Hi Jon --

A RADIUS client is a network access server, not a client computer.

Your laptop is not a RADIUS client unless you have a server OS installed
and are using it as a VPN server, terminal server, or some other type of
network access server.

It sounds to me like in this scenario though the laptop is the access
client that you are using to try to connect to the network.

To make this work, you need:

-- The WS08/NPS server configured with a **network policy** that allows
access from a specific group of users or computers that includes you/your
computer. Do not configure connection request policy, just use the default
policy. CRPs are used to specify where the connection request is processed,
and the default policy specifies that connection requests will be processed
locally, which is what you want. (The other option is to forward connection
requests to a remote RADIUS server, but you only have one RADIUS server
in your current setup.)

-- A RADIUS client that is either a VPN server or a WAP or switch that
supports the RADIUS protocol standards (e.g. it must be RADIUS-compliant).
This is just a guess, but because it supports only CHAP, I would suspect
that your router is not RADIUS compliant.

-- Access clients, such as your laptop and other computers, that will
access the network through the RADIUS client/Network access server.

*****************

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Jon Fleming
2009-07-10 23:14:03 UTC
I believe that I have the appropriate policies configured at the
server but I'll have to look to get the details.

Could you please tell me why my laptop cannot be a Radius client if I
use a utility such as NTRadPing
(http://www.novell.com/coolsolutions/tools/14377.html) or Radius Test
(http://www.radutils.com/)? How would the server know that an
authentication request packet is coming from my laptop rather than a
network access server? I've snooped the packets and I didn't see
anything in there that specified the requester type.

My router is a Fortigate 50B. It may or may not be Radius compliant,
but it succeeded using Radius authentication with SBS 2003 Standard
(no IAS).

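To make the connection-request-policy matching James describes concrete, and to show what the server actually sees when Jon asks how it could tell a laptop from a NAS, here is an added Python model (not NPS code and not from anyone in the thread) of how a RADIUS server evaluates CRPs against the Access-Request in Jon's log: it parses the packet, infers the authentication method from the attributes present, and matches conditions either on the datagram's source IP, which is all that identifies the sender on the wire, or on a NAS-IP-Address attribute, which the logged packet does not carry. The policy names, the packet layout, the zeroed Request Authenticator and the use of Python's regex semantics for NPS pattern matching are assumptions; the regex and the CHAP-Password value are taken from the thread.

```python
import re
import struct

# RFC 2865 attribute types used below; header of every RADIUS packet is 20 bytes.
USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 2, 3, 4

def parse_attributes(packet):
    """Split a RADIUS packet into (code, id, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def auth_method(attrs):
    # The method is implied by which password attribute the request carries.
    return "CHAP" if CHAP_PASSWORD in attrs else "PAP" if USER_PASSWORD in attrs else "other"

def evaluate_crps(source_ip, packet, policies):
    """First policy whose conditions all hold wins; none matching -> NPS reason 49.
    Only the datagram's source IP identifies the sender; a test tool on a laptop and
    a router therefore look identical unless a NAS-IP-Address attribute is present."""
    _, _, attrs = parse_attributes(packet)
    method = auth_method(attrs)
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS][0]) if NAS_IP_ADDRESS in attrs else ""
    for policy in policies:
        cond = policy["conditions"]   # re.fullmatch approximates NPS pattern matching
        if "client_ipv4" in cond and not re.fullmatch(cond["client_ipv4"], source_ip):
            continue
        if "nas_ipv4" in cond and not re.fullmatch(cond["nas_ipv4"], nas_ip):
            continue
        if "auth_methods" in cond and method not in cond["auth_methods"]:
            continue
        return policy["name"], 0
    return None, 49

# Constructed Access-Request: code 1, id 0, User-Name "jfleming", the thread's
# CHAP-Password bytes, a zeroed (made-up) Request Authenticator, no NAS-IP-Address.
CHAP = bytes.fromhex("00a2d04b9870ccd4df9d20344e09850e70")
ATTRS = b"\x01\x0ajfleming" + b"\x03\x13" + CHAP
PACKET = struct.pack("!BBH", 1, 0, 20 + len(ATTRS)) + bytes(16) + ATTRS
JONS_CRP = {"name": "Jon's CRP", "conditions": {"client_ipv4": r"192\.168\.7\..+",
            "auth_methods": {"CHAP", "MS-CHAP", "MS-CHAP-v2"}}}
NAS_CRP = {"name": "NAS-address CRP", "conditions": {"nas_ipv4": r"192\.168\.7\..+"}}
DEFAULT_CRP = {"name": "Default (no conditions)", "conditions": {}}
```

A policy keyed on the client's source address matches this packet from a 192.168.7.x sender, a policy keyed on the NAS-IP-Address attribute never can, and a condition-free default policy always does, which is the behaviour James's advice relies on.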