General discussion

  • Creator
  • #2290638

    RAS Authentication


    by mrh2014 ·

    I recently set up RAS on a 2000 server machine to have our clients dial into us. I was wondering if there was a way to have it prompt us to accept or reject the client once they dial into us. The way it is set up now, any client can dial into us at any time as long as they know the password. Thanks.

All Comments

  • Author
    • #3346473

      Reply To: RAS Authentication

      by bfilmfan ·

      In reply to RAS Authentication

      In order to prevent a RAS client from launching an attack with dozens of password attempts, a Windows 2000 RAS server can be configured to lock out the client.

      The RAS client lockout is separate from the account lockout in Active Directory.

      You can configure RAS account lockout with both a number of failed attempts and an interval that must pass before the lockout timer is reset.

      If you are using Windows Authentication on the RAS server, you configure these settings in the registry of the RAS server. If you are using RADIUS, configure the registry on the IAS server.

      To configure the registry:

      1. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.

      2. Double-click the MaxDenials Value Name, a REG_DWORD data type, and set the data value to the number of failed attempts before the account is locked out, using the Decimal Radix. A data value of 0, the default, disables account lock out.

      3. Double-click the ResetTime (mins) Value Name, a REG_DWORD data type, and set the number of minutes that must elapse before the account is unlocked, using the Decimal Radix. The default is 2,880 minutes, which is two days.

      NOTE: To manually unlock an account, use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout and delete the : Value Name.
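
An added example, not part of the reply above: a Python check that reads a regedit text export of the AccountLockout key and reports whether RAS account lockout is actually enabled. The export text is constructed for illustration; the key path and value names are the ones given in the post.

```python
import re

# Key path and value names are the ones given in the post above.
LOCKOUT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
               r"\RemoteAccess\Parameters\AccountLockout")

# Constructed sample: a regedit text export of the key with the defaults untouched.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout]
"MaxDenials"=dword:00000000
"ResetTime (mins)"=dword:00000b40
'''

DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')

def read_lockout_values(export_text):
    """Return {value name: int} for DWORD values under the AccountLockout key."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Section headers are "[<key path>]"; compare case-insensitively.
            in_key = line.strip("[]").lower() == LOCKOUT_KEY.lower()
        elif in_key:
            m = DWORD_LINE.match(line)
            if m:
                # .reg files store DWORDs as hex; the post's steps use decimal.
                values[m.group("name")] = int(m.group("hex"), 16)
    return values

def audit_lockout(export_text):
    """Return a list of findings about the RAS account lockout settings."""
    values = read_lockout_values(export_text)
    findings = []
    max_denials = values.get("MaxDenials")
    if max_denials is None:
        findings.append("MaxDenials not found: key missing from export")
    elif max_denials == 0:
        findings.append("MaxDenials is 0: RAS account lockout is disabled")
    else:
        findings.append(f"lockout after {max_denials} failed attempts")
    reset = values.get("ResetTime (mins)")
    if reset is not None:
        findings.append(f"lockout resets after {reset} minutes ({reset / 1440:g} days)")
    return findings

if __name__ == "__main__":
    for finding in audit_lockout(SAMPLE_EXPORT):
        print(finding)
```
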

    • #3346085

      Reply To: RAS Authentication

      by mrh2014 ·

      In reply to RAS Authentication

      Thanks, that is good to know. However, how can clients that are given the password be managed? Will they be able to connect anytime? I would like, when a client dials in, for an acceptance box to pop up asking whether to accept or reject. That way no one will be able to connect unless accepted. Is this possible??

    • #3345994

      Reply To: RAS Authentication

      by acattr ·

      In reply to RAS Authentication

      By default Windows cannot do what you are asking, but you can still make it happen.

      What I would do:
      I would set RAS to only allow users from a group access. By default the group is empty. I would use event log monitoring software to monitor a login attempt over RAS and email me when an attempt was made. At this point you can add the user to the group, and they can then log in again.

      Obviously the user would be denied the first time, but you can tell the users that there is a 10 minute lag for authentication purposes.
      You can then enable
