Troubleshooting IAS as a RADIUS proxy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What problem are you having?

  • No responses to Access-Request messages are sent through the IAS proxy for valid connection attempts.

  • MS-CHAP v2 authentications are being rejected for valid connection attempts.

  • When you try to open the IAS console, you receive an error message and the console does not open.

No responses to Access-Request messages are sent through the IAS proxy for valid connection attempts.

Cause:  A mismatched shared secret is configured between the IAS proxy and the RADIUS server or proxy to which the RADIUS messages are being forwarded.

Solution:  Verify that the shared secret that is configured on the IAS proxy for the appropriate remote RADIUS server group member matches the shared secret of the RADIUS client of the RADIUS server or proxy to which the RADIUS messages are being sent.

See also:  Shared secrets

MS-CHAP v2 authentications are being rejected for valid connection attempts.

Cause:  Attribute manipulation rules on the profile setting for the connection request policy that is forwarding the requests are modifying the User-Name attribute. This causes the validation of the MS-CHAP v2 hash on the authenticating server to fail. The only exception is when a backslash (\) character is used and the manipulation only affects the information to the left of it. A backslash character is typically used to indicate a domain name (the information to the left of the backslash character) and a user account name within the domain (the information to the right of the backslash character). In this case, attribute manipulation rules that only modify or replace the domain name are allowed.

Solution:  Reconfigure attribute manipulation rules so that they do not modify the User-Name attribute.

See also:  Connection request policies
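
Why only the part to the left of the backslash can be rewritten, as an added example (not Microsoft's code): RFC 2759 derives the 8-octet MS-CHAP v2 challenge from SHA-1 over the peer challenge, the authenticator challenge, and the user name with any prepended domain name excluded, and the NT-Response is computed from that challenge. The challenge values, account names, and function names below are constructed for illustration.

```python
import hashlib

# Constructed 16-octet challenges (sample values, not from a capture).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))

def account_name(user_name: str) -> str:
    """Drop a prepended domain: keep only what follows the backslash."""
    return user_name.rpartition("\\")[2]

def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA-1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    name = account_name(user_name).encode("ascii")
    return hashlib.sha1(peer + auth + name).digest()[:8]

def rewrite_is_safe(client_name: str, forwarded_name: str) -> bool:
    """True if the server, hashing the forwarded User-Name, derives the same
    challenge the client used when it built its NT-Response."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_name)
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, forwarded_name)
    return client == server

# Constructed rewrites: (name the client sent, name after the proxy's rule).
REWRITES = [
    ("CORP\\alice", "PARTNER\\alice"),      # domain replaced only
    ("CORP\\alice", "CORP\\alice.admin"),   # account name changed
    ("alice@example.com", "alice"),         # realm suffix stripped
]

def audit(rewrites):
    """Return (client_name, forwarded_name, safe) for each rewrite."""
    return [(c, f, rewrite_is_safe(c, f)) for c, f in rewrites]

if __name__ == "__main__":
    for client, forwarded, safe in audit(REWRITES):
        verdict = "hash still validates" if safe else "MS-CHAP v2 will be rejected"
        print(f"{client!r} -> {forwarded!r}: {verdict}")
```

Running candidate User-Name rewrites through a check like this before deploying a connection request policy shows which rules leave the hashed account name intact.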

When you try to open the IAS console, you receive an error message and the console does not open.

Cause:  To administer IAS, you must have administrative credentials.

Solution:  You can use the Runas command to perform tasks (for example, opening the IAS console) when you are logged on as a member of a group that does not have administrative credentials (such as Users or Power Users). Alternatively, you can log on as Administrator to open the console.

See also:  Run a program with administrative credentials, Create a shortcut using the runas command, Runas

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.