Hello,
I am setting up a Server 2008 R2 VPN server in an Active Directory domain and am having trouble getting the conditions I would like on network access policy to work. Basically, I would like to restrict access to this policy based on both user membership in an AD security group *and* computer membership in a different AD security group. In other words, I want only the specified users to be able to connect from the specified computers. ("Specified computers" could be as broad as the Domain Computers group, but preferably not.)
My network access policy has the following conditions:
NAS Port Type: Virtual (VPN)
Tunnel Type: Layer Two Tunneling Protocol (L2TP)
User Groups: <domain user security group>
Machine Groups: <domain computer security group>
It doesn't work. I can only connect successfully if I remove the Machine Groups condition. The client test machine is running Windows 7 and has a computer certificate that works for making the L2TP/IPSec connection. If I have the Machine Groups condition in place, the client connection fails with error 629 "The connection was closed by the remote computer", and the server logs an error that says
"The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.
Please contact the Administrator of the RAS server and notify them of this error."
If I remove the Machine Groups condition, the L2TP connection succeeds immediately, but this is not a workable solution as I need to be able to restrict access based on the computer's identity as well.
Based on the RRAS logs, it looks like the connecting machine information may not be getting passed correctly to the server. What do I need to configure to get this to work?
Thanks,
-> Thayer
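The following is an added troubleshooting script for the configuration described in the post above; it is not part of the original post and not Microsoft's code. It checks the two facts the policy depends on (the test user really is in the user group and the test computer really is in the machine group, including nested membership) and then pulls the most recent NPS denial events from the Security log so the server-side reason can be read directly. Assumptions: the ActiveDirectory RSAT module is installed, the script is run on the NPS/RRAS server, and the group and account names (`VPN-Users`, `VPN-Computers`, `jdoe`, `WIN7-TEST`) are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Verifies AD group membership
# for the NPS User Groups / Machine Groups conditions and lists recent NPS
# denials. Group and account names are placeholders (assumption).
# Written for PowerShell 2.0 (the Server 2008 R2 default).
Import-Module ActiveDirectory

function Test-VpnPolicyMembership {
    param(
        [Parameter(Mandatory=$true)] [string] $UserName,      # e.g. 'jdoe'
        [Parameter(Mandatory=$true)] [string] $ComputerName,  # e.g. 'WIN7-TEST' (no trailing $)
        [Parameter(Mandatory=$true)] [string] $UserGroup,     # placeholder: 'VPN-Users'
        [Parameter(Mandatory=$true)] [string] $MachineGroup   # placeholder: 'VPN-Computers'
    )

    # NPS group conditions honour nested membership, so expand recursively.
    $userMembers    = Get-ADGroupMember -Identity $UserGroup    -Recursive
    $machineMembers = Get-ADGroupMember -Identity $MachineGroup -Recursive

    # Computer accounts carry a trailing '$' in sAMAccountName.
    $userInGroup = $userMembers | Where-Object {
        $_.objectClass -eq 'user' -and $_.SamAccountName -eq $UserName
    }
    $machineInGroup = $machineMembers | Where-Object {
        $_.objectClass -eq 'computer' -and $_.SamAccountName -eq ($ComputerName + '$')
    }

    New-Object PSObject -Property @{
        User            = $UserName
        UserInGroup     = [bool]$userInGroup
        Computer        = $ComputerName
        ComputerInGroup = [bool]$machineInGroup
    }
}

function Get-NpsDenials {
    param([int] $Newest = 5)
    # Security event 6273 is "Network Policy Server denied access to a user".
    # Its message body names the policy that was evaluated and the reason.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Newest |
        ForEach-Object {
            # Keep only the lines a policy troubleshooter needs from the message.
            $lines  = $_.Message -split "`r?`n"
            $detail = $lines | Where-Object {
                $_ -match '^\s*(Account Name|Network Policy Name|Reason Code|Reason):'
            }
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                Detail = (($detail | ForEach-Object { $_.Trim() }) -join '; ')
            }
        }
}

# Usage (placeholders; replace with the real test accounts and groups):
Test-VpnPolicyMembership -UserName 'jdoe' -ComputerName 'WIN7-TEST' `
    -UserGroup 'VPN-Users' -MachineGroup 'VPN-Computers'
Get-NpsDenials
```

If both memberships report true and the 6273 events still show the policy rejecting the request, the problem is not group membership but the identity NPS is evaluating: the `Account Name` in the event is the RADIUS `User-Name` from the VPN logon, i.e. the user, not the computer. The computer certificate used for the L2TP/IPsec tunnel authenticates the IPsec association to RRAS and is not forwarded to NPS as a machine identity, so a Machine Groups condition on a VPN policy has no computer account to match against. Reading the `Reason` line from the event, rather than the client-side error 629, is the quickest way to confirm which condition failed.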