I am confused about RRAS Policy

Thread starter: Jeffery Guan

Dear all,

I am currently self-studying for MCSE 70-216 and I am quite confused about the
relation between the dial-in properties of a user account and remote access
policies.

From my understanding, when Deny Access is set in the dial-in properties,
the user is disallowed dial-in (or VPN) regardless of any of the remote access
policies. When Allow Access is set in the dial-in properties, the user is
allowed to dial in (or VPN) regardless of any of the remote access policies.
When Control Access thru remote access policy is set in the dial-in
properties, then the remote access policies will be in effect.

However, the MCSE book and the Win2k Server Internetwork Guide seem to
mention otherwise. It seems that if access is allowed, the server will still
refer to the remote access policies. These two books don't mention anything
about how exactly these three dial-in properties work, and I am very confused.

Does anyone have any reference somewhere else that can help me? Thanks in
advance.
 
The simplest way to think about this is using these rules:

1. Properties configured on the user's dial-in tab override those in the
policy.
2. "Null" or "blank" settings do not override policy settings. "Policy" on
the dial-in tab is essentially a "blank" or "null" setting that doesn't
override the policy setting - anything else overrides.
3. Server 2003 has a new attribute that tells IAS to ignore the user dial-in
settings.

"Policy" on the dial-in tab just means that the remote access policy setting
determines whether to grant or deny permission.

You'll see the same behavior with "Framed-IP-Address" attribute. The user's
static setting overrides the remote access policy setting. The default "let
the server decide" behavior is essentially a "null" setting.
 
After reading your post, I think I am starting to understand the "Deny
Access", "Control Access thru Remote Access Policy" and "Allow Access".

For "Allow Access", if a RAS policy condition matches, the "Allow Access" will
override the "Grant" or "Deny" permission in the policy to "Grant".

For "Deny Access", if a RAS policy condition matches, the "Deny Access" will
override the "Grant" or "Deny" permission in the policy to "Deny". So, the
user will always be denied dial-in access.

For "Control Access thru Remote Access Policy", if a RAS policy condition
matches, then the "Grant" or "Deny" permission in the policy will be used.


1. If a server has 0 policies configured, an "Allow Access" user will be
denied dial-in because there are no conditions to match.

2. Let's say a newly configured RAS server has the default RAS policy (the
one which denies permission to dial in 24 hours a day, 7 days a week). Any
user with "Allow access" will be allowed to dial in because he/she matches the
condition of the default RAS policy. But any user with "Control Access thru
Remote Access Policy" will not be able to dial in because the default RAS
policy denies them dial-in (the deny permission is not ignored).

I hope I got this right.
 
Jeffery Guan said:
After reading your post, I think I am starting to understand the "Deny
Access", "Control Access thru Remote Access Policy" and "Allow Access".

For "Allow Access", if a RAS policy condition matches, the "Allow Access" will
override the "Grant" or "Deny" permission in the policy to "Grant".

Yes. The GRANT and DENY will disable the equivalent settings on the matching
Policy -- the policy will still need to match and will still pick a Profile.

For "Deny Access", if a RAS policy condition matches, the "Deny Access" will
override the "Grant" or "Deny" permission in the policy to "Deny". So, the
user will always be denied dial-in access.

Yes, same as above.

For "Control Access thru Remote Access Policy", if a RAS policy condition
matches, then the "Grant" or "Deny" permission in the policy will be used.

That's it, and if you think about what the user section says it will make
sense: "Control Access through Policy".

The confusion comes (for most people) when they look at the Policy and
try to understand it. The Policy is the misleading part.

1. If a server has 0 policies configured, an "Allow Access" user will be
denied dial-in because there are no conditions to match.

Well, yes, because there MUST be a matching policy.

2. Let's say a newly configured RAS server has the default RAS policy (the
one which denies permission to dial in 24 hours a day, 7 days a week).

Actually the Win2000 default was to ALLOW 24 hours a match.

Any user with "Allow access" will be allowed to dial in because he/she
matches the condition of the default RAS policy.

Yes, no matter which of the "24 hour" matches we assume.

But any user with "Control Access thru Remote Access Policy" will not be
able to dial in because the default RAS policy denies them dial-in (the deny
permission is not ignored).

Yes, with your assumed policy of "DENY".

I hope I got this right.

I think you did. Notice that policies are always needed (at least one
match), and the User Account is the CONTROLLING allow/deny UNLESS IT
turns over responsibility to the policy.

In NT, all we had were the two (allow/deny) user settings so in Mixed mode
(supporting BDCs) we cannot use the third choice.
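A small Python model of the decision rules laid out in the two replies above (an added illustration, not code from the thread or from Microsoft's RRAS/IAS implementation): a policy must match first, an explicit account setting overrides the matching policy's Grant/Deny while the policy still supplies the profile, "Control through policy" (or the Server 2003 ignore-user-dial-in attribute) hands the decision to the policy. The policy format, the attribute name NAS-Port-Type and the sample policies are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class DialIn(Enum):
    """The three dial-in settings on the user account."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]  # every condition must match; {} matches everything
    grant: bool                 # the policy's own Grant/Deny permission
    profile: str = "default"    # profile applied whenever this policy matches


@dataclass
class Decision:
    granted: bool
    policy: Optional[str]
    profile: Optional[str]
    reason: str


def first_matching_policy(policies: List[Policy], attrs: Dict[str, str]) -> Optional[Policy]:
    """Policies are evaluated in order; the first whose conditions all hold wins."""
    for p in policies:
        if all(attrs.get(k) == v for k, v in p.conditions.items()):
            return p
    return None


def authorize(user: DialIn, policies: List[Policy], attrs: Dict[str, str],
              ignore_user_dialin: bool = False) -> Decision:
    """Combine the account's dial-in setting with the first matching policy."""
    p = first_matching_policy(policies, attrs)
    if p is None:  # no matching policy: rejected even for "Allow access"
        return Decision(False, None, None, "no matching policy")
    if ignore_user_dialin or user is DialIn.POLICY:
        # "null" account setting (or the 2003 ignore attribute): policy decides
        return Decision(p.grant, p.name, p.profile, "policy permission")
    # explicit account setting overrides the policy's Grant/Deny, but the
    # policy still had to match and still supplies the profile
    return Decision(user is DialIn.ALLOW, p.name, p.profile, f"account: {user.value}")


# Constructed samples: a Win2000-style default policy matching all hours with
# permission = Deny, and a VPN-only policy that grants access.
DEFAULT_DENY = [Policy("Default policy (constructed)", {}, grant=False)]
VPN_ONLY = [Policy("VPN users (constructed)", {"NAS-Port-Type": "Virtual"}, grant=True, profile="vpn")]
```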
 
Herb,

Thanks a lot for your time. Without your help, I guess I would have trouble at
the exam. Again, thanks a lot. Yuhooooo......
 