« articles

Configuring Dialup RAS on Windows Server 2000 / 2003

Windows Server 2003 Config Wizard

Table of Contents:

    Client Configuration


Windows Server 2003 is the first OS I tried setting up a RAS with. I found it extremely straightforward, it's old enough that finding a copy with bypassed activation is absolutely trivial, and it should run on nearly anything from the last 20 years, so I figure this is a good starting point.

If you're setting up a Windows client to connect to a Windows host, you can just bomb through this document and it should work right away.

Anything that isn't Windows is probably going to run into problems with authentication. Find details about this in the Authentication Setup section below.


Routing and Remote Access Server Setup Wizard

  1. Install Windows Server 2003 on a machine with at least one modem.
    1. I'm using Enterprise Edition SP2. I'm guessing some of these instructions will not apply to other versions or releases.
  2. After install, you'll get the Windows Server Post-Setup Security Updates dialog. As far as I can tell this no longer works, so just hit Finish
  3. You should now see the Manage Your Server dialog - if not, open it from the Start menu
  4. Click Add or remove a role
  5. Select Remote access / VPN server and hit Next twice
  6. You'll get the Routing and Remote Access... wizard.
  7. Select Remote Access
  8. Select Dial-up
  9. If you have mutliple network interfaces, select the primary one
  10. Assign IP addresses to clients Automatically
  11. Select No (unless you have a RADIUS server!)
  12. Hit Finish

Dial-In Users GroupRRAS is now enabled, and you'll be able to dial in, but unable to log in until you create a user group and access policy. We'll do the user group first:

  1. Go to the Start menu, then Administrative Tools and Computer Management
  2. Expand Local Users and Groups and click Users
  3. Right click in the right panel and click New User
  4. Enter the username and password you want
  5. Uncheck User must change password, check the following two boxes, and hit OK
  6. Repeat to add as many users as you'd like
  7. Now go to the Groups section
  8. Right click in the right panel and click New Group
  9. Name the group Dial-In
  10. Click Add
  11. Select all the users you created
  12. Click OK

Now create an access policy: RRAS Access Policy List

  1. Return to the main Manage Your Server window and click Manage this remote access/VPN server
  2. Expand your server in the list on the left, then click Remote Access Policies
  3. On the right side, right click and hit New Remote Access Policy
  4. Name the policy "Dial-in"
  5. Select the Dial-up method of access
  6. Select Group, then click Add
  7. Type in "Dial-In Users" and hit OK
  8. Click Next
  9. The default auth method - MS-CHAPv2 - will be fine for Windows clients.
    1. If you have non-Windows clients, see the Authentication section below.
  10. Enable "No Encryption" if you intend to connect with old clients
  11. Hit Finish

You are now ready to receive dialup connections.
You should be able to dial in from another PC using the username and password you set when you created the users, then access the internet.




You can find logs from RRAS in the Windows Event Viewer. They are of varying quality.

If, for instance, your modems fail to handshake due to incompatible speeds, you won't see anything in the event log.
If you connect with a client that doesn't have LCP enabled, you'll also see nothing.
You also won't see anything if you have LCP enabled, but no matching auth protocols - so if MS-CHAP is enabled on the server but not the client, the client will just get unceremoniously disconnected and nothing will appear in the log. It's not great.

For all of these situations and more, you'll have to just go with your gut and play with it until you figure out what the right settings are. Sorry.

Once you clear those hurdles, you'll start getting useful logs. If you have bad creds, or aren't in a valid dialin user group, those things will get logged in the System log and Security log.

Selecting modems to listen with

By default RRAS listens on all modems that are installed. This can be a pain in the ass if you want to use a modem to receive incoming faxes, or if you want to talk to a modem manually with e.g. Hyperterminal for diagnostics. You can change which modems are in the pool however.

From the Routing and Remote Access management window, right click on Ports and go to Properties. From there you'll see all listening devices, and you can pull up Configure on your modem:

RRAS modem configuration

Uncheck "Remote access connections," click OK and then OK on the properties window, and RRAS will let go of the modem.

Viewing modem status

From the Routing and Remote Access management window, go to Ports and pull up the properties on your modem to see the current status.
There are four different statuses I'm aware of: Listening, Authenticating, Authenticated and Disconnecting

These aren't super informative. The modem will stay in Listening state through the entire handshake process, and only change once the two modems are synced.
When it does change, it'll go straight to Authenticating

If you connect with a client that doesn't have compatible auth protocols, among other things, the status will go to Authenticating for just a moment, then flip to Disconnecting and back to Listening. You have to hit Refresh really fast to see this happen, and sometimes it's the only way to really know you have an auth problem.

Client Configuration

If you don't know how to configure dialup on Windows, here are the rough steps. They change between versions so I'm just going to give the general notion - they all mostly work like this.

  1. 98-era OSes:
    1. In My Computer, under the Dial-Up Networking icon, select Make New Connection
    2. Name it whatever you like; make sure your modem shows up and you have the right one selected
    3. Enter the phone number; area code is optional.
    4. Finish the wizard and click the new connection
    5. Enter your creds and hit Connect - that's it.
  2. XP-era OSes:
    1. In the Control Panel under Network Connections, hit New Connection Wizard
    2. Choose "Connect to the internet" and then "Connect using a dial-up modem"
    3. Enter a connection name
    4. Enter the phone number
    5. When prompted for creds, enter them
After completing the above, Windows may launch the connection automatically when you try to access online resources (like opening IE) or you may have to launch the connection manually.

In either case, the dialin window will prompt you to enter creds, and then start the dialing process. You'll know it has successfully handshooken when you see "Authenticating...". The next step is "Logging on to the network," and for me that always seems to take a very long time.


If your client dials up and just works, great. If not, and if it's not a Windows machine, you're very probably facing an issue with authentication.

Auth on PPP is a complicated mess of different implementations that looks dreadfully, insufferably boring and impossible to care about enough to figure out. I will try to bottom line it for you:

Authentication Modes

First, There are two ways to handle authentication on PPP - interactive login, or LCP authentication.

Interactive login is used almost universally on Unix systems.
You dial in, get connected, and get a username/password prompt which you have to log into manually.
After logging in, you run a command that initiates the PPP session. Typically this is all done by hand.
PPP clients typically have an option to present a terminal after dialup so you can do these steps by hand. Some can automatically simulate the necessary input.

LCP authentication is used on pretty much everything else.
As soon as your modem connects, a PPP session is initialized, and the client and host negotiate credentials over a special packet protocol.

A non-Windows client will probably not support LCP authentication by default. MacPPP, for instance, expects a Unix host by default and will simply connect and do absolutely nothing.
You have to go into the LCP settings and enable "PAP" - described further below.

Authentication Formats

If your host is using LCP auth (and Windows does,) you will need to find a compatible auth protocol.

There are a half dozen authentication protocols LCP can use: PAP, CHAP, MS-CHAP, MS-CHAPv2, PEAP...

You will need to figure out what your client is capable of and pick a matching protocol, and you'll certainly need to adjust what Windows will accept, as described below.

Making Windows Accept Ancient / Non-Windows Clients (enabling PAP Authentication)

When you created the Remote Access Policy earlier, you were forced to select Microsoft's preferred authentication methods. You will now need to change those. This needs to be done in two places.

First, you'll need to fix the access policy. Pull up the Routing and Remote Access admin interface and find the access policy you created:

RRAS Access Policy List

Pull up the properties on that policy and click Edit Profile, then go to the Authentication tab:

Authentication tab of edit profile dialog

As you can see, the default options are the Microsoft protocols. CHAP and PAP are open standards and either one might work on your client, with PAP being a near guarantee. Enable those and try connecting again. You might need to turn off MS-CHAP to get this to take.

Now you need to update the master RRAS configuration.

Right click on your server in the config window (shown as GRAVIS-2K3 below) and go to Properties

Master server list item

Go to the Security tab and select Authentication Methods. Make the same changes here that you made in the other window, then try reconnecting.

For what it's worth, I can't figure out how to make the Unauthenticated option work.

If this was interesting to you, or if you did something interesting with it, email me:

If you like my work, consider tossing me a few bucks. It takes a lot of effort and payment helps me stay motivated.

List of Articles