FIX: Incoming VPN connections are rejected by an ISA Server 2004 RADIUS server that is operating on a Windows Server 2003-based computer

Consider the following scenario:

• On a Remote Authentication Dial-In User Service (RADIUS) server that is operating on a Windows Server 2003-based computer, you install Microsoft Internet Security and Acceleration (ISA) Server 2004.
• In ISA Server 2004, you enable virtual private network (VPN) access and configure VPN for Radius authentication and Extensible Authentication Protocol (EAP).
• The station ID of the RADIUS authentication packets is specified by using a format other than an IPv4 address.

In this scenario, ISA Server 2004 rejects incoming connections from remote computers.

The RADIUS authentication packets contain a station ID which is larger than 16 bytes. ISA Server 2004 assumes that the station ID is an IP address that is 16 bytes or smaller. For example, this problem may occur if the station ID is using a string format of a MAC address such as "00-00-AA-BB-CC-DD," which is larger than 16 bytes. Because ISA Server uses a static buffer to save and log the ID, it cannot initialize the connection. So, it rejects it.

To resolve this problem, install the hotfix rollup package that is described in the following Microsoft Knowledge Base article:



Note After you install this hotfix, large station IDs will be ignored and will not be logged.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: