NPS Policy doesn't respect the "Control access through NPS Policy" user attribute

Tags: nps, radius, windows-server-2008

I have a Win2K8 server with NPS. I am trying to set my VPN authentication on a FortiGate firewall to authorize users via Radius from my Windows server.

I have two policies configured

  • a Connection Policy defining the client and the Radius secret
  • a Network Policy defining the required AD group membership and the required requesting access server (ie the Firewall)

The Network Policy has the checkbox "Ignore user account dial-in properties" selected.

If the user account has "Control access through NPS Policy" selected on their dial-in properties page, access is denied. If I change it to "Allow access", access is permitted.

If I leave it at "Allow access" and remove the user from the AD group required, then access is granted, which confuses me.

So what is required to get the NPS policy to determine if access is granted regardless of the Dial-In properties selected?

I found the other question on Server Fault which describes this problem, but the suggested solution of reordering the policies does not help.

Best Answer

The solution is: check your policies carefully.

In my case, I didn't read the criteria carefully enough, and both the Connection and Network policies I had defined referred to "Client IPv4 Address" instead of "Access Client IPv4 Address".
