After setting up a RAS VPN server users are experiencing the following error when trying to connect:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
In this particular instance, the Routing and Remote Access service was setup on a 32-bit Windows 2008 SP1 server.
Typically in a RAS VPN setup on a Windows Server, the NPS settings do not need to be adjusted and work with the defaults. In this particular case it was the default NPS settings on the RAS server that were causing the authentication error.
To resolve this:
Open the “Routing and Remote Access” console, expand the server, right-click “Remote Access Logging & Policies” and select “Launch NPS”.
Some Internet Forums claim to have had success by setting the “Connections to Microsoft Routing and Remote Access server” to enabled. To do this, click on the “Network Policies” item on the left, then right-click “Connections to Microsoft Routing and Remote Access Server” and select “Properties”.
On the “Overview” tab, in the “Access Permissions” section, set the radio button to “Grant Access” and apply.
In our particular case we had to go one step further.
Click the “Constraints” tab and select “Authentication Methods”, and click on the “Add” button.
Select “Microsoft: Secured password (EAP-MSCHAP v2)” and click “OK”.
Highlight the “Microsoft: Secured password (EAP-MSCHAP v2)” item that was just added and move it to the top, then apply the settings.
Restart the “Routing and Remote Access” service and try connecting to the VPN again.
Hopefully this can help somebody struggling with this error. There seems to be multiple fixes for this issue out in the wild but I hadn’t come across any solutions where the “Microsoft: Secured password (EAP-MSCHAP v2)” method was missing.