RAS Policy on Win 2000 AD

[Michael D. Ober]

I have an IAS server working as a Radius server that is registered in AD.
How do I create a Security Group that has "Dial-In" access and then publish
this group to my IAS Server?

Thanks,
Mike Ober.

 

[Steven L Umbach]

Hi Mike.

I believe the IAS server needs to be a member of the domain in which case
you create the security group in Active Directory Users and Computers and
then use that group in your Remore Access Policy on the IAS server by
selecting add and then Windows groups [of course you need to add appropriate
users and maybe computers to the group]. The link below to an excellent
white paper from MS on 802.1X deployment in a lab may be helpful as it goes
into detail about what you are asking about in a step by step fashion. ---
Steve

http://www.microsoft.com/downloads/...a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://tinyurl.com/vz3l -- same link in case of wrap

 

[Michael D. Ober]

Thanks, I downloaded this document and started reading it. After a couple
of pages, I realized that this didn't answer my actual question of how to
use AD Security Groups to control remote access, so I went back to the IAS
MMC interface and started poking around the policies. I discoverd a policy
option that uses AD Security Group membership to permit or deny access.
This is the match I needed. Created a new security group with my remote
users as members and then configured both my IAS servers to use this group
to permit. Tested with one of our remote users and everything worked
perfectly. Made the same change to my backup IAS server.

Mike.

Hi Mike.

I believe the IAS server needs to be a member of the domain in which case
you create the security group in Active Directory Users and Computers and
then use that group in your Remore Access Policy on the IAS server by
selecting add and then Windows groups [of course you need to add appropriate
users and maybe computers to the group]. The link below to an excellent
white paper from MS on 802.1X deployment in a lab may be helpful as it goes
into detail about what you are asking about in a step by step shion. ---
Steve

http://www.microsoft.com/downloads/...a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://tinyurl.com/vz3l -- same link in case of wrap

I have an IAS server working as a Radius server that is registered in AD.
How do I create a Security Group that has "Dial-In" access and then publish
this group to my IAS Server?

Thanks,
Mike Ober.

 

[Steven L Umbach]

Ok. Glad you got it to work, but I think you pretty much discovered the same thing I
believe where you edit the Remote Access Policy "specify conditions to match" on the
IAS server and select add/Windows groups. If there was a different way let me know as
I am curious what else would work. --- Steve

Thanks, I downloaded this document and started reading it. After a couple
of pages, I realized that this didn't answer my actual question of how to
use AD Security Groups to control remote access, so I went back to the IAS
MMC interface and started poking around the policies. I discoverd a policy
option that uses AD Security Group membership to permit or deny access.
This is the match I needed. Created a new security group with my remote
users as members and then configured both my IAS servers to use this group
to permit. Tested with one of our remote users and everything worked
perfectly. Made the same change to my backup IAS server.

Mike.

Hi Mike.

I believe the IAS server needs to be a member of the domain in which case
you create the security group in Active Directory Users and Computers and
then use that group in your Remore Access Policy on the IAS server by
selecting add and then Windows groups [of course you need to add appropriate
users and maybe computers to the group]. The link below to an excellent
white paper from MS on 802.1X deployment in a lab may be helpful as it goes
into detail about what you are asking about in a step by step shion. ---
Steve

http://www.microsoft.com/downloads/...a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

http://tinyurl.com/vz3l -- same link in case of wrap