Accepting a connection attempt

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When a user attempts a connection, the connection attempt is accepted or rejected, based on the following logic:

  1. The first policy in the ordered list of remote access policies is checked. If there are no policies, reject the connection attempt.

  2. If all conditions of the policy do not match the connection attempt, go to the next policy. If there are no more policies, reject the connection attempt.

  3. If all conditions of the policy match the connection attempt, check the value of the Ignore-User-Dialin-Properties attribute.

  4. If the Ignore-User-Dialin-Properties attribute is set to False, check the remote access permission setting for the user attempting the connection.

    • If Deny access is selected, reject the connection attempt.

    • If Allow access is selected, apply the user account and profile properties. If the connection attempt does not match the settings of the user account and profile properties, reject the connection attempt. If the connection attempt matches the settings of the user account and profile properties, accept the connection attempt.

    • If the remote access permission is not set to Allow access or Deny access, the remote access permission must be set to Control access through Remote Access Policy. Check the remote access permission setting of the policy.

      If Deny remote access permission is selected, reject the connection attempt.

      If Grant remote access permission is selected, apply the user account and profile properties. If the connection attempt does not match the settings of the user account and profile properties, reject the connection attempt. If the connection attempt matches the settings of the user account and profile properties, accept the connection attempt.

  5. If the Ignore-User-Dialin-Properties attribute is set to True, check the remote access permission setting of the policy.

    • If Deny remote access permission is selected, reject the connection attempt.

    • If Grant remote access permission is selected, apply the profile properties. If the connection attempt does not match the settings of the profile properties, reject the connection attempt. If the connection attempt matches the settings of the profile properties, accept the connection attempt. The following illustration shows the logic of remote access policies.

[Illustration: Remote access policy logic]
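The five steps above, as an added worked model that is not IAS code and not part of the original page: constructed Policy and UserAccount objects, and an evaluate() function that returns the accept/reject decision together with the step that decided it. The policy names, condition and profile attribute names, and the sample policy set are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the evaluation logic described above; not IAS source code.
ALLOW, DENY, BY_POLICY = "Allow access", "Deny access", "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]                 # every condition must match the attempt
    grant: bool                                # True = Grant, False = Deny remote access permission
    ignore_user_dialin_properties: bool = False
    profile: Dict[str, str] = field(default_factory=dict)   # profile constraints on the attempt


@dataclass
class UserAccount:
    permission: str                            # ALLOW, DENY or BY_POLICY (dial-in tab)
    dialin: Dict[str, str] = field(default_factory=dict)    # other dial-in properties, e.g. caller ID


def matches(attempt: Dict[str, str], constraints: Dict[str, str]) -> bool:
    return all(attempt.get(k) == v for k, v in constraints.items())


def evaluate(attempt: Dict[str, str], user: UserAccount, policies: List[Policy]) -> Tuple[bool, str]:
    """Accept or reject one connection attempt; returns (accepted, reason)."""
    for p in policies:                         # steps 1-2: first policy whose conditions all match
        if not matches(attempt, p.conditions):
            continue
        if p.ignore_user_dialin_properties:    # step 5: only the policy permission and profile count
            if not p.grant:
                return False, f"{p.name}: policy denies"
            return matches(attempt, p.profile), f"{p.name}: profile checked, user properties ignored"
        if user.permission == DENY:            # step 4: the user account permission is consulted first
            return False, f"{p.name}: user account denies"
        if user.permission == BY_POLICY and not p.grant:
            return False, f"{p.name}: user defers to policy, policy denies"
        # ALLOW, or BY_POLICY with Grant: dial-in properties and profile must both be satisfied
        ok = matches(attempt, user.dialin) and matches(attempt, p.profile)
        return ok, f"{p.name}: account and profile settings {'match' if ok else 'do not match'}"
    return False, "no policy matched; rejected regardless of user permission"


# Constructed sample policy set (assumed values); the more specific policy is ordered first.
POLICIES = [
    Policy("Executives VPN", {"port": "VPN", "group": "Execs"}, grant=True,
           ignore_user_dialin_properties=True, profile={"auth": "EAP"}),
    Policy("All VPN", {"port": "VPN"}, grant=True, profile={"auth": "MS-CHAPv2"}),
]
```

Because the first matching policy is final, an attempt that matches "All VPN" but fails its profile is rejected even if a later policy would have accepted it.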

Notes

  • The profile and user account settings for the first matching policy are applied to the connection. If a connection does not match the profile or user account settings of the remote access policy, the additional remote access policies are not tried.

  • A connection attempt might not match any of the remote access policies. If this is the case, the connection attempt is rejected regardless of the remote access permission setting on the user account.

  • The remote access policies are tried in order. The more specific remote access policies are typically placed in order ahead of the more general remote access policies.

  • The Ignore-User-Dialin-Properties attribute is a new feature for Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition that allows you to ignore all of the dial-in properties of a user account. For more information, see New features for IAS.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

For examples of how different connection attempts are processed, see Remote Access Policies Examples.