Solved: Re: Windows 2003 "Dial-In" tab controlling remote ...

PhillyEagles_ · ‎07-09-2008

...in Windows 2003 to turn on and off remote access rights for the IVE?

Here is my setup: I'm using an AD server object on the IVE for authentication and an LDAP for IVE server object for authorization via AD groups.

My thoughts is it is simple; I create an 'IVE' group in AD. If we want the user to have remote access via the IVE; they are placed in this group; the IVE will check for this group. If they are in it they are in, if not ... bye bye. Done.

I have some Project Management guys that want to use the "Grant Remote Access" or "Deny Remote Access" button on the "Dial-In" tab of the user account instead of creating a group to do this. Their reason is we will not have to create a group because this .... tab ... will send Radius attributes to the IVE. I ran a TCP Dump and I don't see any Radius packets at all.

Anyone familiar with this concept....?

Steffen_ · ‎07-16-2008

Hi,

if you use Microsoft's RADIUS ("IAS") the "Grant Remote Access" check box will decide if the RADIUS will send an accept or deny message for that user. Other RADIUS-request- and ADS-attributes - if defined - will be checked as well before sending the accept.

- Steffen

View solution in original post

PhillyEagles_ · ‎12-10-2007

Cool. Thanks Steffen. That is exactly what is being proposed. Is there some where that I can take a look at the attributes that AD will send when using IAS or do I just have to run a TCPDump and capture the packets?

PhillyEagles_ · ‎12-10-2007

Cool. thanks.

Steffen_ · ‎04-03-2008

Wireshark will display a good interpretation of the RADIUS packets. It can capture data itself or can read TCPdump and other formats.

The reply-attribues depend on the profile configuration. You can add aditional attributes on the extendedprofile-tab.

We use different profiles to match against different request-attributes or ADS-group-memberships and add "Filter-ID" attributes for example to map them to specific roles.

-Steffen

Skywalker_ · ‎07-15-2008

Philly,

It doesn't sound like you have Radius configured for authentication? Do you have a Radius server pointing to AD for authentication? You might try searching the Steel Belted Radius docs to see if the RADIUS daemon can read this attribute from AD and use it for authentication. If you can define the "Grant Remote Access" flag as a standard RADIUS attribute or a Vendor Specific Attribute in RADIUS then you can use it to control access. But in order to do so you would need to configure the IVE to use RADIUS authentication and point to a RADIUS authentication server for this user realm.

PhillyEagles_ · ‎07-16-2008

Thanks for the input Luke. I, personally don't care to use the Dial-In tab. I just need to know if using that tab will send a Radius attribute, if I'm using Radius for authentication. I would prefer to use AD or LDAP and have them in a group but right now it is above me unfortunately.

:-)

Steffen_ · ‎07-16-2008

Hi,

if you use Microsoft's RADIUS ("IAS") the "Grant Remote Access" check box will decide if the RADIUS will send an accept or deny message for that user. Other RADIUS-request- and ADS-attributes - if defined - will be checked as well before sending the accept.

- Steffen

Windows 2003 "Dial-In" tab controlling remote access.....?

Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?

Re: Windows 2003 "Dial-In" tab controlling remote access.....?