IAS/RADIUS server has passed an invalid value

Discussion in 'Server Networking' started by Frank Pusch, Oct 18, 2006.

  1. Frank Pusch

    Frank Pusch Guest

    Hi, I am trying to configure special IP filter rules for a specific VPN dial-in user.
    But on my ISA2004 I get the following error message:
    ==============================================================================
    Logfile: System
    Typ: Error
    SourceName: RemoteAccess
    EventCode: 20210
    Event date: 20061012144700.000000+120
    Description: The IAS/RADIUS server has passed an invalid value to the server
    running Routing and Remote Access for the following RADIUS attribute:
    Attribute Type 26, Vendor ID 311, Vendor specific type 22. Use the netsh ras
    set trace command to enable packet tracing. Ensure that the RADIUS packets
    conform to the standards specified in RFC 2548.

    ==============================================================================

    My configuration:

    Authentication over IAS. Configuration in IAS: "Connection
    Request Policy" named ip-filter with:
    - Policy condition: User-Name matches "pu-q1"
    - Profile configuration/Advanced/RADIUS Attributes:
    Name: MS-Filter
    Vendor: Microsoft
    Value/Input Filter: Permit only to ...

    But this attribute does not seem correct to me. If the IAS receives this attribute,
    it doesn't understand it.
    Other attributes are correct, e.g. Session-Timeout.

    Question: Can anybody help me? I want to configure that a specific dial-in
    user has IP access only to specific IP addresses.

    Regards,
    Frank Pusch
     
    Frank Pusch, Oct 18, 2006
    #1
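    The event text asks that the RADIUS packets "conform to the standards specified in RFC 2548", which is something you can check mechanically once you have the attribute bytes from a `netsh ras set trace` capture. The following is an added example (not code from the thread, from IAS, or from Microsoft) that walks a RADIUS attribute list and validates every Vendor-Specific attribute (Type 26) carrying Microsoft's Vendor-Id 311 against the RFC 2865/RFC 2548 layout: outer Length, 4-byte Vendor-Id, then one or more Vendor-Type/Vendor-Length/data sub-attributes whose Vendor-Length must cover exactly the bytes present. The sample attributes are constructed here (the MS-Filter payload is an opaque placeholder, since the filter encoding is Microsoft-specific and not documented in the RFC); the vendor-type names are the subset of RFC 2548 relevant to this thread, and the deliberately corrupted Vendor-Length shows the kind of inconsistency such a check would flag.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type "Vendor-Specific"
VENDOR_MICROSOFT = 311    # Vendor-Id used by the RFC 2548 attributes

# Vendor types from RFC 2548 that are relevant here (subset of the full list)
MS_VENDOR_TYPES = {
    22: "MS-Filter",
    28: "MS-Primary-DNS-Server",
    29: "MS-Secondary-DNS-Server",
}


@dataclass
class VsaCheck:
    vendor_id: int
    vendor_type: Optional[int]
    name: str
    ok: bool
    reason: str


def build_ms_vsa(vendor_type: int, payload: bytes) -> bytes:
    """Encode one Microsoft VSA (Type 26, Vendor-Id 311) with a single sub-attribute.
    Used only to construct sample input for this example."""
    inner = bytes([vendor_type, 2 + len(payload)]) + payload
    body = struct.pack("!I", VENDOR_MICROSOFT) + inner
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def check_vendor_specific(attr: bytes) -> List[VsaCheck]:
    """Validate one Type-26 attribute; returns one result per sub-attribute."""
    if len(attr) < 2 or attr[0] != VENDOR_SPECIFIC:
        return [VsaCheck(0, None, "?", False, "not a Vendor-Specific attribute")]
    outer_len = attr[1]
    # Type(1) + Length(1) + Vendor-Id(4) + at least one byte of vendor data
    if outer_len != len(attr) or outer_len < 7:
        return [VsaCheck(0, None, "?", False,
                         f"bad outer Length {outer_len} for {len(attr)} bytes")]
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != VENDOR_MICROSOFT:
        return [VsaCheck(vendor_id, None, "?", True, "non-Microsoft vendor, not checked")]
    results, inner, pos = [], attr[6:], 0
    while pos < len(inner):
        if pos + 2 > len(inner):
            results.append(VsaCheck(vendor_id, None, "?", False, "truncated sub-attribute header"))
            break
        vtype, vlen = inner[pos], inner[pos + 1]
        name = MS_VENDOR_TYPES.get(vtype, f"MS-type-{vtype}")
        # RFC 2548: Vendor-Length covers Vendor-Type, Vendor-Length and the data,
        # so it is at least 2 and never runs past the end of the attribute.
        if vlen < 2 or pos + vlen > len(inner):
            results.append(VsaCheck(vendor_id, vtype, name, False,
                                    f"Vendor-Length {vlen} inconsistent with "
                                    f"{len(inner) - pos} remaining bytes"))
            break
        if vlen == 2:
            results.append(VsaCheck(vendor_id, vtype, name, False, "empty attribute value"))
        else:
            results.append(VsaCheck(vendor_id, vtype, name, True, "well-formed"))
        pos += vlen
    return results


def check_attributes(attrs: bytes) -> List[VsaCheck]:
    """Walk a RADIUS attribute list (packet bytes after the 20-byte header) and
    return check results for every Vendor-Specific attribute found."""
    results, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            results.append(VsaCheck(0, None, "?", False, "truncated attribute header"))
            break
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            results.append(VsaCheck(0, None, "?", False,
                                    f"bad attribute Length {alen} at offset {pos}"))
            break
        if atype == VENDOR_SPECIFIC:
            results.extend(check_vendor_specific(attrs[pos:pos + alen]))
        pos += alen
    return results


# Constructed sample: Session-Timeout (type 27, 3600 s) plus two MS-Filter VSAs.
SESSION_TIMEOUT = bytes([27, 6]) + struct.pack("!I", 3600)
GOOD_FILTER = build_ms_vsa(22, b"\x00" * 16)   # placeholder filter payload (constructed)
BAD_FILTER = bytearray(build_ms_vsa(22, b"\x00" * 8))
BAD_FILTER[7] += 2                             # byte 7 is Vendor-Length: now overstated
SAMPLE_ATTRS = SESSION_TIMEOUT + GOOD_FILTER + bytes(BAD_FILTER)


def summarize(attrs: bytes) -> List[str]:
    """One human-readable line per checked VSA, e.g. for a tracing report."""
    return [f"{c.name}: {'OK' if c.ok else 'INVALID (' + c.reason + ')'}"
            for c in check_attributes(attrs)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_ATTRS):
        print(line)
```

Feed `check_attributes` the attribute bytes of the Access-Accept from the trace; the second sample VSA is reported as invalid because its Vendor-Length claims two bytes more than the attribute carries, while the Session-Timeout attribute is skipped as a standard (non-vendor) attribute.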

  2. Hi Frank,
    As the event says, you shouldn't be getting this error. Please send
    across the RAS tracing logs from the RRAS server for this. Steps to enable
    RAS tracing are given at
    http://blogs.technet.com/rrasblog/archive/2005/12/22/416421.aspx

    Besides that, what you are currently using is the RQS solution. You can easily
    restrict IP access by adding normal IP filters to the remote access policy.
    For this, follow the steps below:
    1) Double-click the Remote access policy
    2) Go to the IP tab
    3) Click on 'Input filters' or 'Output filters' accordingly and add the
    filters.

    Let me know if you need more information.

    --
    Janani Vasudevan [MSFT]
    Software Design Engineer/Test
    RRAS, Windows Enterprise Networking

    http://blogs.msdn.com/jananiv

    RRAS blog: http://blogs.technet.com/rrasblog

    [This posting is provided "AS IS" with no warranties, and confers no
    rights.]
     
    Janani Vasudevan [MSFT], Oct 18, 2006
    #2

  3. Frank Pusch

    Frank Pusch Guest

    Many thanks.
    Here are the logs:
    test 1 (configured connection request policy) as I described initially:
    ftp://ftp.klopotek.de/public/support/connection_request_policy.zip

    test 2 (configured remote access policy) as you described as alternative:
    ftp://ftp.klopotek.de/public/support/remote_access_policy.zip

    In both cases the VPN login is possible, and all IP ranges are reachable.
    The IP filter rules don't block any traffic.
    I don't know why.

    The only difference is that in the first case the ISA2004 logs the error message
    I described initially.
    In the second test there is no hint about the non-active IP filter.

    Do you see any hints to solve this issue?

    Regards,
    Frank Pusch


     
    Frank Pusch, Oct 18, 2006
    #3
  4. Hi Frank,
    I'm not able to reach these log files. I will try again from outside
    corpnet.

    For the 2nd scenario, as you say that it is not working right, can you check
    the following:
    1) Is the connection actually matching the policy on which the filters are
    applied? You can check this using the event viewer. The event viewer will
    log the name of the remote access policy which has been matched.
    2) Have only the IP filters configured on this policy. Remove the RQS
    filters from this policy.

    --
    Janani Vasudevan [MSFT]
    Software Design Engineer/Test
    RRAS, Windows Enterprise Networking

    http://blogs.msdn.com/jananiv

    RRAS blog: http://blogs.technet.com/rrasblog

    [This posting is provided "AS IS" with no warranties, and confers no
    rights.]

     
    Janani Vasudevan [MSFT], Oct 25, 2006
    #4
  5. Frank Pusch

    Frank Pusch Guest

    Hi Janani,
    the logfiles are now on the ftp site again.

    The answer to your questions:
    Yes, I checked the event logs. The right policy is active without the RQS filter.
    But it doesn't work; I mean this has no effect.

    Many thanks for reviewing the log files.

    Frank Pusch
     
    Frank Pusch, Oct 25, 2006
    #5
  6. From the log files I can see the filters being passed from the IAS server to
    the RRAS server. Let's see why it is not working.
    1) What are the filters that you have applied on the remote access policy?
    2) How do you check whether the filters are applied or not, i.e. how do you
    decide whether the traffic is blocked or not, e.g. by doing a ping etc.?

    --
    Janani Vasudevan [MSFT]
    Software Design Engineer/Test
    RRAS, Windows Enterprise Networking

    http://blogs.msdn.com/jananiv

    RRAS blog: http://blogs.technet.com/rrasblog

    [This posting is provided "AS IS" with no warranties, and confers no
    rights.]
     
    Janani Vasudevan [MSFT], Oct 30, 2006
    #6
  7. Frank Pusch

    Frank Pusch Guest

    Hello,
    1) here are the next screenshots:
    the remote_access_policy configuration:
    ftp://ftp.klopotek.de/public/support/pic_a.zip

    the connection_request_policy configuration:
    ftp://ftp.klopotek.de/public/support/pic_b.zip

    2) I tested "ping 10.17.37.230" and get replies.
    I expected no replies.

    Kind regards,
    Frank Pusch



     
    Frank Pusch, Oct 30, 2006
    #7
  8. Frank Pusch

    Frank Pusch Guest

    Dear Randy,
    many thanks for that explanation.

    Yes, it is an ISA2004. So that would be the reason.
    But where do you have this fact from?
    Is there any Microsoft site with a description and technical reason where I can
    read this and maybe some solutions?
    In your solution I have to know the IP addresses of the client I have to
    restrict. What can I do if I don't have this information, or the IP address
    is dynamic?

    Regards,
    Frank Pusch
     
    Frank Pusch, Mar 2, 2007
    #8