I have setup IAS on Server 2003 to authenticate users. I believe I have everythings setup correctly except for the authentication type used by the 3005 and I'm stuck. It appears the 3005 is using PAP to try and authenticate with IAS. I get the following error when using the Test function (of the authentication RADIUS server) and when actually trying to connect to the 3005 with the IPSEC client.

User Tim was denied access.

.

.

.

NAS-Port Type=Virtual

NAS-Port=1056

Proxy-Policy-Name=Use Windows authentication for all users

Authentication Provider=Windows

Authentication Server=<undetermined>

Policy-Name=Authenticate all VPN connections

Authentication-Type=PAP

EAP-Type=<undetermined>

Reason-Code=66

Reson=The user attempted to us an authentication method that is not enabled on the matching remote access policy.

To test I go ahead and enable PAP authentication on the IAS Remote Access Policy and on the RRAS Remote Access Policy. With that done I can connect with no problem and see an IAS event attesting to the authentication. If I disable PAP on either IAS or RRAS policy I get the same error as above. So, it looks like the 3005 is using PAP to authenticate to the IAS server.

I can't for the life of me figure out how to use MSCHAP2. When I look at the properties of the Base Group AND the Test Group, the only place to configure type of authentication is on the PPTP/L2TP tab and that's not for IPSEC. Nevertheless, the only method checked there is MSCHAP-2.

I'm pretty sure everything is setup correctly because if I use an incorrect password or try to connect when dial-up is disabled in AD I get a legitimate event telling me I've used a bad password or RA is disabled on the account. I know IAS is properly querying AD.

Can anyone tell me what I'm doing wrong? How do I get the 3005 to use MSCHAP-2 when querying IAS server?