You’ll need to register the server in AD so that it will query AD’s user database and not the local SAM database. Open IAS, right-click Internet Authentication Service, and choose Register Server in Active Directory, which you can see in Figure 3. Click OK when prompted to authorize the server to read users’ dial-in properties in AD.
Now, right-click RADIUS Clients and choose New RADIUS Client, which Figure 4 shows. Enter a friendly name for the client, such as "PIX VPN Authentication," and the INSIDE IP address of the PIX firewall (assuming that you're using that interface). Click Next, then type in the Shared Secret (aka Server Secret Key) that you configured on the firewall in step 4 above. Use the Radius Settings PDF I mentioned above http://tinyurl.com/c7ezvv to help you keep it straight. Leave the Client-Vendor at the default RADIUS Standard.
The last step is to enable unencrypted authentication in the remote access policies. Yes, I know what you’re thinking: “Why on earth would I allow my users’ passwords to be sent unencrypted over the network?”
I had the same question, and I found the comfort that I needed after I read RFC 2865. According to the RFC, “Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.”
So although the setting specifies “Unencrypted Authentication” on the RADIUS server, the user’s password is encrypted using the Server Secret Key/Shared Secret between the VPN firewall and the Windows RADIUS server. Microsoft recommends a “long” complex shared secret at least 22 characters in length.
Server 2008

If you're using Server 2008, then the configuration process is a bit more complicated. Microsoft has moved the RADIUS services from IAS to a new service called Network Policy Server (NPS). NPS adds a new layer of complexity that IAS didn’t have. However, the new features also considerably enhance the overall protection of the network from remote and local clients.
In Server 2008, we need to add a new role called Network Policy and Access Services. The New Role wizard can be found in the Server Manager MMC. Click Add Roles, then click Next until you see a screen with 16 roles. Select Network Policy and Access Services, then click Next two times.
Click Network Policy Server. Clear the check box labeled Routing, and make sure only Remote Access Service is selected. Leave everything else cleared. Click Finish, and reboot if prompted.
When the installation is complete, start Network Policy Server via the icon in Administrative Tools. The pane on the right displays a Getting Started screen. Choose RADIUS server for Dial-up or VPN Connections from the drop-down menu, then click Configure VPN or Dial-Up. A new dialog box labeled Configure VPN or Dial-Up appears. Choose Virtual Private Network (VPN) Connections. I usually leave the default name in the Name window at the bottom and add "PIX" so that it looks like this: PIX Virtual Private Network (VPN) Connections. Click Next.
At this point, the process is very similar to setting up a RADIUS client on Windows 2003. Click Add to add a new RADIUS client. Remember that the client is the Cisco PIX firewall and not an individual user's PC or username. Give the RADIUS client a friendly name, specify the IP address of the Cisco firewall, then enter and document the Shared Secret.
Click OK to close the properties page, then click Next. Leave MSCHAPv2 selected and the other options cleared. Don’t add any groups to the Specify User Groups page; click Next. Don’t add any IP Filters; again, click Next. On the Specify Encryption Settings page, leave the defaults, and click Next. A realm name isn’t necessary in this setup, so click Next. Review the settings that you specified, then click Finish.
As with Windows 2003, you need to enable unencrypted authentication. In the Network Policy Server MMC, which should already be open at this point, expand Policies, click Network Policies, and double-click Connections to other access servers. Click the Constraints tab and enable Unencrypted authentication (PAP, SPAP).
Troubleshooting

Even though the setup of a RADIUS server is pretty straightforward, you might encounter a problem or two. Here are some common Event Log errors that I have run into and how to fix them. (Note that “2003” denotes Windows 2003 while “2008” denotes Server 2008.)

Event ID 2 (2003), 6273 (2008): “The user attempted to use an authentication method that is not enabled on the matching network policy.” See whether Unencrypted authentication (PAP, SPAP) is enabled. This policy can be found in Remote Access Policies (2003) or Network Policies (2008). Edit the entry Connections to other access servers and ensure that the checkbox for Unencrypted authentication is selected.
Event ID 2 (2003), 6273 (2008): “Authentication was not successful because an unknown username or incorrect password was used.” As the explanation in this event describes, the user has entered incorrect information. Double-check the username and password. Unfortunately, this event can also indicate a mismatch between the Server Secret key on the VPN device and the Shared Secret on the RADIUS service.
If all of your users except one are able to authenticate their VPN connections via RADIUS, then the Server Secret key/Shared Secret is fine and you need to concentrate on the user experiencing the problem. But if nobody is able to log in, then it might be good to verify that the Server Secret key/Shared Secret is the same.
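To make concrete why the “Unencrypted authentication” setting still leaves the password protected on the wire (the RFC 2865 quote above), and why a shared-secret mismatch shows up as a plain “incorrect password” event rather than a distinct error, here is the RFC 2865 section 5.2 User-Password hiding written out as an added Python example (not code from the article or from Microsoft/Cisco). The NAS side XORs the padded password with MD5(secret + previous block), chained from the 16-byte Request Authenticator; the server reverses it. The shared secret, authenticator and password values are constructed sample data.

```python
import hashlib


def _keystream_block(shared_secret: bytes, prev: bytes) -> bytes:
    # b_i = MD5(S + c_(i-1)); c_0 is the 16-byte Request Authenticator (RFC 2865 s5.2)
    return hashlib.md5(shared_secret + prev).digest()


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password attribute value the way the VPN device (NAS) does."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a 16-byte multiple
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = _keystream_block(shared_secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def unhide_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server does; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = _keystream_block(shared_secret, prev)
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values: a fixed authenticator stands in for the random 16 bytes the NAS sends.
    auth = bytes(range(16))
    hidden = hide_user_password(b"Password1", b"correct-shared-secret", auth)
    print(unhide_user_password(hidden, b"correct-shared-secret", auth))  # b'Password1'
    # With a mismatched secret the server recovers garbage and logs "incorrect password" (Event ID 2 / 6273)
    print(unhide_user_password(hidden, b"wrong-shared-secret", auth))
```

This is why the article's advice holds: one failing user points at that user's credentials, while every user failing with the same event points at the shared secret.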
Event ID 2 (2003), 6273 (2008): “The connection attempt failed because network access permission for the user account was denied.” The username and password are correct, but the user is not authorized to dial in. Find the user in Active Directory Users and Computers and enable Allow Access on the Dial-In tab.
This event could also mean that the server doesn’t have access to read the dial-in attribute of the user objects in AD. As with the other events, to determine the cause, you need to determine if the problem is affecting one user or all users.
If you set everything up correctly, and the user enters in a correct username and password, you should receive an Event ID 1 (2003), 6278 (2008). This event tells you which user was granted access and the IP address of the VPN device that the user tunneled through.
Give RADIUS a Try

Those are the basic steps in setting up a RADIUS server in your enterprise. It might seem a bit daunting working with IAS in Windows 2003 and NPS in Server 2008. But as you set up your first RADIUS server and see how the VPN device and Windows Server communicate, you will soon realize that the concepts are very simple, and you might find yourself looking for more network devices to authenticate to AD via a RADIUS server.
Thanks Eric, nice article. Always nice to see how other HW Vendors support this.
The latest Sonicwall NSA devices support LDAP integration for VPN Clients. No need for a RADIUS server on your network, you just point to a Domain Controller and configure the LDAP settings. Regards
chamezzzz, June 09, 2009