"A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx"
Do you use the internal IP of the IVE System as Radius Client on IVE?
If you have a cluster, enter the physical IVE IPs as RADIUS clients on IAS; as I remember, IVE sends the physical IP of the active IVE node to the RADIUS server as the source IP.
NAS Identifier can be left at the defaults.
What about the Encryption tab on the IAS RAS policies ... Profile, I think?
Unmark all of this, as IVE does not support that.
But I think your actual problem is that IAS won't accept RADIUS requests from your IVE IP address, as you configured the wrong IP on the IAS client tab. This means: check with which IP the RADIUS request packets arrive at the IAS, by sniffing with Network Monitor.
Do you use the internal IP of the IVE System as Radius Client on IVE?
-> Oh hell, how could I miss that??? Surely, the physical IP needs to be entered. After doing so, the event log message changed. Thanks a lot for that tip!
Now it's not an error in the event log anymore; it's the following warning now (translated into English):
access denied for user "bla" Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = IP of IVE-Master
NAS-Identifier = FQDN of IVE
Client-Friendly-Name = SA4000 Master
Client-IP-Address = IP of IVE-Master
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = 0
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
So it seems as if the policy is just wrong. And the other problem is that I don't know how the IAS recognizes the local users.
Info | PTR23370 | 2010/03/25 10:21:16 - Tmaster - Root::hallo(SMS-Passcode)[] - Attempting to authenticate user "hallo" with auth server "SMS-Passcode" |
Info | PTR23334 | 2010/03/25 10:21:16 - Tmaster - [10.10.10.10] - Root::hallo(SMS-Passcode)[] - Sign-in rejected using auth server SMS-Passcode (Radius Server). Reason: Failed |
So I think now my problem is about the RAS policy configuration and the connection to that local user store.
Thanks a lot for your time and support!!! You already helped a lot!
I noticed the SMS PASSCODE server and wanted to make you aware of the support page for our product where you are welcome to get live support. http://www.smspasscode.com/support. We would be happy to assist.
Rgds
Lars Nielsen
Proxy-Policy-Name = NOne
Check your RADIUS proxy policy; enter at minimum the policy "allow authentication for Windows users" or something like that. It's the default policy when you installed IAS RADIUS. Maybe you deleted it?
It's under "connection request policies", I think. When you don't have any policy there, RADIUS requests will always be denied.
I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?
Nothing. Here you configure "return attributes", which the RADIUS server will return to the requesting RADIUS client (like IVE) when the RADIUS accept message is sent to IVE. You can use this for additional features.
Good idea to use Network Monitor (sniffer) on the Windows server to see what's going on.
It will help you a lot to understand how this works together. Without sniffing for testing, you work "blind", because you don't see which RADIUS attributes and messages travel between IVE and IAS.
These are attributes and values which could be used for some role-mapping rules on IVE.
Meaning: it also works if you don't configure ANY attributes at the "advanced" tab.
But I mostly use attribute "class (25)" with any value, for example the value "admin".
Then on IVE role mapping you can configure rules with "user attributes".
Meaning for IVE...
IF
userattribute
class (25) with value "admin"
then assign userrole
admin
IF
userattribute
class (25) with value "user"
then assign userrole
vpnuser
So you can use these IAS RADIUS attributes to configure role-mapping rules; isn't that fantastic?
The other attributes on the IAS "advanced" tab are only for other purposes like dial-in callback number and stuff like that, as historically RADIUS is a "dial-in" authentication service, but nowadays it's a standard network authentication mechanism which is supported by most network devices.
Authentication-Type = <not determined>
What is configured at RAS Policy Authentication Type?
Mark PAP.
Though PAP does not encrypt authentication, the user passwords will always be encrypted through the RADIUS protocol between IVE and the RADIUS server. The strength of RADIUS encryption depends on the complexity of the RADIUS secret.
So use a long and complex RADIUS secret, like AGhafdsa!$Q123TRZHsl$¤!!!123adfjnvuda
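As an added example (editor's own code, not anything from the thread, Juniper or Microsoft), here is a small Python script showing what the Class (25) role-mapping rules above and the shared-secret point look like on the wire: it builds an Access-Accept carrying Class attributes, recomputes the Response Authenticator with the shared secret before trusting the reply, and applies the rules admin -> admin and user -> vpnuser. The secret, Request Authenticator and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # RADIUS attribute "Class (25)" used in the role-mapping rules
ROLE_RULES = {b"admin": "admin", b"user": "vpnuser"}  # Class value -> IVE role


def build_access_accept(ident, req_auth, secret, class_values):
    """Access-Accept with one Class TLV (type, length, value) per value;
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    attrs = b"".join(struct.pack("!BB", ATTR_CLASS, len(v) + 2) + v
                     for v in class_values)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Walk the attribute section; refuse malformed lengths instead of looping."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute length")
        attr_type, length = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_access_accept(packet, req_auth, secret):
    """Recompute the Response Authenticator; a wrong shared secret fails here."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def map_roles(packet, req_auth, secret):
    """Roles the IVE-style rules would assign; none if the reply does not verify."""
    if not verify_access_accept(packet, req_auth, secret):
        return []
    classes = [v for t, v in parse_attributes(packet[20:]) if t == ATTR_CLASS]
    return [ROLE_RULES[c] for c in classes if c in ROLE_RULES]


# Constructed sample values (not from the thread): shared secret and Request Authenticator.
SAMPLE_SECRET, SAMPLE_REQ_AUTH = b"constructed-shared-secret", bytes(range(16))
SAMPLE_REPLY = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, [b"admin", b"user"])
```

A reply checked with the wrong secret, or with a tampered length, yields no roles at all rather than a partial mapping.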
Thank you, spacyfreak. I think something is still wrong with the policy, but I will get back to this later. Thanks for your support so far.
@LarsNielsen: Thank you, but we decided not to purchase your product, because the support wasn't good at all (actually there was no support for implementation), so we sent the test environment back.