Windows VPN setup in win server 2008R2

    Question

  • Hello,

    I'm trying to set up a VPN server on 2008R2. At the moment I've installed Routing and Remote Access and NPS (local).

    I've left the connection request policy as default and created a network policy that checks user group membership and machine group membership. If I just use the machine group membership the connection works fine. However, when I add the machine group membership to the policy the VPN fails, saying "The account does not have permission to dial in".

    In the log files the messages are below.

    CoId={NA}: The user DOMAIN NAME\username connected from 82.152.46.162 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

    The computer I'm using to connect is a member of the group that is in the network policy machine group.

    How do I get this to work using machine groups?

    Basically I want any VPN connections to only be accessible if the connecting machine is on the domain

    Thanks

    Friday, August 13, 2010 10:40 AM

Answers

  • Hi Affrojoe,

    Thanks for posting here.

    Based on my knowledge, if you want to restrict access so that only domain member computers can access the internal network via VPN connection, you may like to add an NPS connection request policy and assign domain computers in the Groups conditions.

    In your case, the connection log indicates that an incorrect user name or password may cause this issue, so please check whether it works with the procedures below:

    1. Permit user dial-in in user properties

    2. Set a new password for the test account and try again

    Network Policy Conditions Properties

    http://technet.microsoft.com/en-us/library/cc731220(WS.10).aspx

    Dial-in properties of a user account

    http://technet.microsoft.com/en-us/library/cc738142(WS.10).aspx

    Thanks.

    Tiger Li

    • Marked as answer by Tiger Li Monday, August 23, 2010 1:28 AM
    Monday, August 16, 2010 8:28 AM

All replies

  • Hi there, I am currently setting up a VPN server with NAP that is not joined to a domain. I just need a VPN server in a workgroup, not necessarily a domain member. Please help me on how to attain this setup. Below is the configuration I've made, and I don't know how to implement NAP on this setup. I hope someone can help me please.

    VPN server: Windows Server 2008 R2

    1. Installed the network and policy access role. Selected both the RRAS and NPS role services.

    2. On RRAS configuration: selected not working with a RADIUS server. Specified a range of IP addresses for VPN clients. (I used 192.168.0.100-192.168.0.110 for testing.)

    3. On NPS configuration: grant access on connections to Microsoft Routing and Remote Access server. Set EAP-MSCHAPv2 as the authentication method.

    VPN client:

    1. Created a VPN connection and configured security properties: type of VPN set to PPTP or automatic.

    The question is how to implement NAP on this setup now? Or is there a way to do it without having a domain controller?

    Please please help me...

    Thanks so much.

    Friday, September 03, 2010 8:39 AM