Conflicting IAS remote access policies problem

ttripp

This concerns an IAS RADIUS server. I have a pre-existing IAS remote
access policy that authenticates all wireless users and allows them to
connect to my company's wireless network. I am a member of this
group.

I have created a second policy to allow exec privilege logins to my
Cisco routers. I set the policy to allow anyone who is a member of
the Domain Admins group this right. I am a member of this group as
well.

When the wireless policy is listed first, and I attempt to log in to my
Cisco router, I get an "IAS_INVALID_AUTH_TYPE" error in my IAS log,
but I can connect to my wireless network just fine. If I reverse the
order of the policies, I can log in to the Cisco router just fine, but
then I get the "IAS_INVALID_AUTH_TYPE" error when I connect to my
wireless network.

The logs also show that when the login is failing on the first policy,
it does not fall through to the second policy.

Is there any way around this? I want to stay in both the wireless
users and the Domain Admins groups. Can I configure IAS to go down my
list of policies until I either reach one that accepts my login, or
I'm rejected by all policies? Thanks.
 
Brian Komar

You need to define more specific remote access policies.
Group membership is not good enough (especially when you are a member of both
groups you are triggering on).
Add details to the remote access policy that are more specific.
The way RADIUS works is that you will authenticate based on the *first*
matching policy.
For example, to only apply the wireless policy to wireless connections, add
the condition NAS-Port-Type is "Wireless - IEEE 802.11".
Brian


"ttripp" <ttripp@northhighland.com> wrote in message
news:942d1059-df30-47b0-b1b3-6303a7c3e03a@s8g2000prg.googlegroups.com...
> This concerns an IAS RADIUS server. I have a pre-existing IAS remote
> access policy that authenticates all wireless users and allows them to
> connect to my company's wireless network. I am a member of this
> group.
>
> I have created a second policy to allow exec privilege logins to my
> Cisco routers. I set the policy to allow anyone who is a member of
> the Domain Admins group this right. I am a member of this group as
> well.
>
> When the wireless policy is listed first, and I attempt to log in to my
> Cisco router, I get an "IAS_INVALID_AUTH_TYPE" error in my IAS log,
> but I can connect to my wireless network just fine. If I reverse the
> order of the policies, I can log in to the Cisco router just fine, but
> then I get the "IAS_INVALID_AUTH_TYPE" error when I connect to my
> wireless network.
>
> The logs also show that when the login is failing on the first policy,
> it does not fall through to the second policy.
>
> Is there any way around this? I want to stay in both the wireless
> users and the Domain Admins groups. Can I configure IAS to go down my
> list of policies until I either reach one that accepts my login, or
> I'm rejected by all policies? Thanks.
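The first-match behaviour Brian describes, as an added example that is not part of the thread and not IAS code: a small model of IAS policy evaluation that reproduces ttripp's IAS_INVALID_AUTH_TYPE result with group-only conditions and shows both logins succeeding once the NAS-Port-Type condition is added. The NAS-Port-Type "Virtual" and PAP for the router login, PEAP for wireless, and the reading of IAS_INVALID_AUTH_TYPE as "matched policy does not permit this authentication method" are assumptions for the example.

```python
# Model of IAS remote access policy evaluation: the first policy whose
# conditions ALL match the request decides the outcome; IAS never re-tries
# the request against later policies. Added example; all attribute values
# below are constructed sample values, not captured from a real IAS.

def matches(policy, request):
    """True if every condition in the policy matches the request."""
    for attr, wanted in policy["conditions"].items():
        actual = request.get(attr)
        if isinstance(actual, set):   # multi-valued (Windows-Groups): any overlap
            if not actual & wanted:
                return False
        elif actual not in wanted:
            return False
    return True

def evaluate(policies, request):
    """Return (policy name, verdict) from the first matching policy."""
    for policy in policies:
        if matches(policy, request):
            if request["Auth-Type"] in policy["allowed_auth"]:
                return policy["name"], "Access-Accept"
            # Matched, but the profile does not permit this auth method:
            # IAS logs IAS_INVALID_AUTH_TYPE and does not fall through.
            return policy["name"], "Access-Reject IAS_INVALID_AUTH_TYPE"
    return None, "Access-Reject (no matching policy)"

# The same admin user (member of both groups) arriving via two NAS types.
WIRELESS = {"Windows-Groups": {"Wireless Users", "Domain Admins"},
            "NAS-Port-Type": "Wireless - IEEE 802.11", "Auth-Type": "PEAP"}
ROUTER = {"Windows-Groups": {"Wireless Users", "Domain Admins"},
          "NAS-Port-Type": "Virtual", "Auth-Type": "PAP"}

# ttripp's configuration: group membership is the only condition.
GROUP_ONLY = [
    {"name": "Wireless", "conditions": {"Windows-Groups": {"Wireless Users"}},
     "allowed_auth": {"PEAP"}},
    {"name": "Router exec", "conditions": {"Windows-Groups": {"Domain Admins"}},
     "allowed_auth": {"PAP"}},
]

# Brian's fix: add NAS-Port-Type so each policy only matches its own NAS type.
SPECIFIC = [
    {"name": "Wireless", "conditions": {"Windows-Groups": {"Wireless Users"},
                                        "NAS-Port-Type": {"Wireless - IEEE 802.11"}},
     "allowed_auth": {"PEAP"}},
    {"name": "Router exec", "conditions": {"Windows-Groups": {"Domain Admins"},
                                           "NAS-Port-Type": {"Virtual"}},
     "allowed_auth": {"PAP"}},
]

if __name__ == "__main__":
    for label, policies in (("group only", GROUP_ONLY), ("specific", SPECIFIC)):
        print(label, evaluate(policies, ROUTER), evaluate(policies, WIRELESS))
```

Reversing the order of GROUP_ONLY moves the rejection to the wireless login, exactly as the thread describes; with SPECIFIC the order no longer matters.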
 
ttripp

On Feb 14, 3:59 pm, "Brian Komar" <brian.ko...@nospam.identit.ca>
wrote:
> You need to define more specific remote access policies.
> Group membership is not good enough (especially when you are a member of both
> groups you are triggering on).
> Add details to the remote access policy that are more specific.
> The way RADIUS works is that you will authenticate based on the *first*
> matching policy.
> For example, to only apply the wireless policy to wireless connections, add
> the condition NAS-Port-Type is "Wireless - IEEE 802.11".
> Brian

Thanks. I was afraid I was going to have to set up a separate IAS
server just to handle the routers.
 
fella5

I have almost the same issue. What I have is 2 remote policies. One is for
internal wireless users (PEAP). My policy is to verify the Windows group, and the
next condition is the NAS-IP-Address. My second policy is for wireless guests via web
login (open). This points to a specific AD group and has the same
NAS-IP-Address. The guest username and password are also in AD but in a
different group than policy 1. The internal users can authenticate, but the
guest users fail on policy one and never hit policy two. If I change the
priority then the guests are fine and the internal users fail. I don't want
to combine the policies into one just in case the guest users somehow get the
SSID and encryption method. What would be the best way to have 2 policies,
one for each?

"Brian Komar" wrote:

> You need to define more specific remote access policies.
> Group membership is not good enough (especially when you are a member of both
> groups you are triggering on).
> Add details to the remote access policy that are more specific.
> The way RADIUS works is that you will authenticate based on the *first*
> matching policy.
> For example, to only apply the wireless policy to wireless connections, add
> the condition NAS-Port-Type is "Wireless - IEEE 802.11".
> Brian