2013-01-11

VPN using two-tier authentication: Radius & Active Directory (AD)

Using two tiers of user authentication to permit VPN access to your corporate network is a best practice. This ensures that even if a user's everyday login (Active Directory) password is compromised (which can happen even with complex, regularly changed passwords), a different password is still required to establish the VPN connection in the first place.

I have used MS ISA Server along with FreeRadius.net to implement this design and best-practice security requirement.

However, one problem we had was that the connecting PC, once VPN'ed in, would get confused as to which set of credentials to use when accessing Windows network resources such as lettered (mapped) drives. As a result, the user would be incorrectly denied access to normally available Windows network resources. The Windows Credential Manager needs to be told NOT to use the RAS credentials for anything other than the RAS connection itself.

This can be set as follows (Win7):

  • Open the following file with Notepad: %userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
  • Set: UseRasCredentials=0 instead of 1
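The same change, scripted so it can be audited and applied to every workstation rather than edited by hand in Notepad. This is an added example and not code from the original post; it assumes only what the post shows, namely that rasphone.pbk is an INI-style file in which each VPN entry is a [Connection name] header followed by Key=Value lines, one of which is UseRasCredentials. The sample phonebook contents are constructed for the demonstration. Lines other than the UseRasCredentials key are passed through untouched, including their original line endings.

```python
"""Audit and set UseRasCredentials=0 in a rasphone.pbk-style phonebook file.

Added example (not from the original post). Assumes the INI-style layout of
rasphone.pbk: [Entry name] headers followed by Key=Value lines.
"""
import re
from pathlib import Path

# [Connection name] header line and the one key this post is about.
SECTION_RE = re.compile(r"^\[(?P<name>.+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>UseRasCredentials)=(?P<value>\d+)\s*$", re.IGNORECASE)

# Constructed sample phonebook: two VPN entries, both still using RAS
# credentials for everything (the misconfiguration described above).
SAMPLE_PBK = (
    "[Corp VPN]\r\n"
    "Encoding=1\r\n"
    "UseRasCredentials=1\r\n"
    "Type=2\r\n"
    "\r\n"
    "[Lab VPN]\r\n"
    "UseRasCredentials=1\r\n"
)


def audit_use_ras_credentials(text):
    """Return {entry_name: value} for every entry carrying UseRasCredentials.

    Entries with value 1 are the ones that will hand the RAS password to
    Credential Manager for ordinary Windows network resources.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        k = KEY_RE.match(line)
        if k and current is not None:
            result[current] = int(k.group("value"))
    return result


def set_use_ras_credentials(text, entry=None, value=0):
    """Rewrite UseRasCredentials lines in one entry (or all entries if entry is None).

    Returns (new_text, number_of_lines_actually_changed). Every other line,
    including its original CRLF/LF ending, is written back unchanged.
    """
    out = []
    current = None
    changed = 0
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        else:
            k = KEY_RE.match(line)
            if k and current is not None and (entry is None or current == entry):
                body = line.rstrip("\r\n")
                ending = line[len(body):]  # preserve the file's line ending
                if k.group("value") != str(value):
                    changed += 1
                line = f"{k.group('key')}={value}{ending}"
        out.append(line)
    return "".join(out), changed


def apply_to_file(path, entry=None):
    """Edit a phonebook file in place; returns the number of lines changed."""
    pbk = Path(path)
    new_text, changed = set_use_ras_credentials(pbk.read_text(encoding="utf-8"), entry)
    if changed:
        pbk.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    # Run against the constructed sample; point apply_to_file() at the real
    # %userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
    # on a workstation to fix it there.
    print("before:", audit_use_ras_credentials(SAMPLE_PBK))
    fixed, n = set_use_ras_credentials(SAMPLE_PBK, entry="Corp VPN")
    print("changed", n, "line(s); after:", audit_use_ras_credentials(fixed))
```

The audit function is the useful half for a support desk: run it over a user's rasphone.pbk before touching anything and it tells you which connection entries still have UseRasCredentials=1, which is exactly the symptom that produces the "access denied" to mapped drives described above.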
