Microsoft KB Archive/936924

= A Deny rule does not prevent access for users who connect by using 802.1X authentication on a Windows Server 2003-based computer that is running Internet Authentication Service =

Article ID: 936924

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition

-



SYMPTOMS
On a Microsoft Windows Server 2003-based member server that is running Microsoft Internet Authentication Service (IAS), you create a Deny rule as a policy condition in a remote access policy. In this scenario, you experience the following problem.

If a user authenticates by using a virtual private network (VPN) connection, the Deny rule works as expected. However, if the user authenticates by using 802.1X authentication, the Deny rule does not work. In this scenario, IAS unexpectedly lets the user access the network. You experience this problem even though the user uses the same credentials to authenticate with IAS.

You experience this problem if the following conditions are true:
 * The policy condition is based on a Windows-Groups attribute.
 * You specify a domain local group or a local Security Accounts Manager (SAM) group in the policy condition.



WORKAROUND
To work around this problem, specify a global group in the policy condition that is based on the Windows-Groups attribute.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Additional query words: RADIUS

Keywords: kbtshoot kbprb KB936924

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.