#1
Guest

I am having issues with adding a wireless remote policy to IAS with an existing, working VPN policy. Ever since I created the wireless policy, connections to the VPN have been flaky. I am attempting to come up with a scheme for the conditions. Right now I have groups - domain users for the VPN, which works great on its own. I have Nas-port type - Wireless - 802.11 and groups - wifi group for the wireless conditions (syntax not exact). Which order should they be in, which are the best conditions to use and if you have any tips on this type of set up please help!!!!

#2
Guest

Define "flaky".

The order shouldn't matter: a policy will apply only if all of the criteria and profile match the incoming request: group membership, port type, etc. If users get denied access then you'll see an event in the system log on the IAS and will be able to identify the policy in question. If that's the policy issue, users won't have access at any time - which is not "flaky".

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

#3
Guest

Flaky was used for lack of a better word at the time. Basically I am having issues with when I create a wireless profile/policy, I find that people are not being able to log to our VPN. When I remove all instances of my wireless setup VPN works like it should. In my research once the conditions are matched, the profile will then be evaluated and then if that matches a connection should occur. Well, the conditions for the two are completely different, so it should know which one to choose, right? Have you heard of this being a common issue? Please help. Asking me questions about the setup may help me articulate the issue better.

#4
Guest

I forgot, by "flaky," I meant most of the time people were not allowed access to the VPN. An example, one employee was rejected 2 out of 3 tries before finally getting access. This doesn't happen when I have only the VPN policy setup. Thanks

#5
Guest

When access is denied for the VPN users, what's the corresponding event from IAS in the system log? What is the port type for the VPN connection policy?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

#6
Guest

I am currently attempting to capture a live unsuccessful PPTP handshake, I will post my findings when they happen, thanks for your help.

#7
Guest

The only thing that will get my VPN back online is to restart the firebox. I thought at first restarting the IAS service did the trick but that wasn't the case. So after creating a wireless RAP, my VPN goes down. Even if I delete this policy, I must restart the firewall to get things back up.

#8
Guest

The most useful information about IAS policy can be found on the server running IAS, in the system log. That is the first place to look, well before capturing traffic (btw I believe you can enable PPP logging for PPTP diagnostics - http://support.microsoft.com/kb/234014). Also what happens if you change the order of the policies?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

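Added example, not part of the thread and not Microsoft's code: the replies above point to the IAS events in the system log as the way to see which policy handled a denied request. This Python script tallies denied requests by NAS-Port-Type and Policy-Name; the event text is constructed, and the `key = value` layout, user names and policy names are assumptions.

```python
import re
from collections import Counter

# Constructed event descriptions in the "key = value" layout assumed for IAS
# entries in the System log; users and policy names are invented.
SAMPLE_EVENTS = [
    "User CORP\\alice was denied access.\n"
    " NAS-Port-Type = Virtual\n"
    " Policy-Name = Wireless Access\n"
    " Authentication-Type = MS-CHAPv2\n",
    "User CORP\\bob was denied access.\n"
    " NAS-Port-Type = Virtual\n"
    " Policy-Name = Wireless Access\n"
    " Authentication-Type = MS-CHAPv2\n",
    "User CORP\\carol was denied access.\n"
    " NAS-Port-Type = Virtual\n"
    " Policy-Name = <undetermined>\n"
    " Authentication-Type = MS-CHAPv2\n",
    "User CORP\\dave was granted access.\n"
    " NAS-Port-Type = Virtual\n"
    " Policy-Name = VPN Access\n"
    " Authentication-Type = MS-CHAPv2\n",
]

HEADLINE = re.compile(r"^User (\S+) was (denied|granted) access")
FIELD = re.compile(r"^[ \t]*([A-Za-z-]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def parse_event(text):
    """Return user, outcome and every key = value field of one event."""
    fields = dict(FIELD.findall(text))
    head = HEADLINE.match(text)
    if head:
        fields["User"], fields["Outcome"] = head.groups()
    return fields

def denied(events):
    """Parsed fields of each denied request."""
    return [f for f in map(parse_event, events) if f.get("Outcome") == "denied"]

def denials_by_policy(events):
    """Count denials per (NAS-Port-Type, Policy-Name) pair."""
    return Counter((f.get("NAS-Port-Type", "?"), f.get("Policy-Name", "?"))
                   for f in denied(events))

def misrouted(events, port_type, expected_policy):
    """Denied requests of one port type that a different policy handled."""
    return [f for f in denied(events)
            if f.get("NAS-Port-Type") == port_type
            and f.get("Policy-Name") != expected_policy]
```

A denied request whose port type is Virtual but whose Policy-Name is the wireless policy means the wireless policy's conditions also matched the VPN request; `<undetermined>` means no policy matched at all.
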