Confused about VPN and Radius

 
 
Tommy Forsman

 
      02-08-2005, 12:16 PM
Hi!

Today our VPN users (Laptops with Cisco VPN client) are verified against a
server at our ISP. Now we want the authentication with Radius (our own
server) so that users will be authenticated with their normal windows
usernames and password. We have a 2003 server.

Is this doable and what do I need to do?

1) install RRAS
2) Radius
3) configure which clients are allowed to use VPN connection

Am I offroad?

Tomppa


 
 
 
 
 
Dusko Savatovic

 
      02-08-2005, 01:00 PM
Radius is used for:
- Authentication
- Accounting
- Network quarantine (WinSrv2003)

However, Radius alone does not authenticate users. It passes authentication
request to authenticating server (DC) and then, based on access policy,
grants or denies access to VPN and dial in clients.

With Radius we have unique remote access policy. Without it, we would have
to set up remote access policy on each remote access server.

Microsoft's implementation of Radius is called IAS (Internet Authentication
Service).

What you need is:
- Remote Access Service (RAS)
- IAS
- AD - Active Directory (Domain Controller - DC)

All services can run on Windows Server 2000/2003.

You set up:
- IAS service so that it targets DC for authentication.
- IAS service - add RAS servers as IAS clients

- RAS server so that it uses IAS for authentication
- RAS server so that it uses IAS for accounting

- Configure Remote access policies on IAS server

You may need to raise AD functional level to at least Win2000 native mode

Dusko Savatovic

 
Tommy Forsman

 
      02-08-2005, 01:13 PM
Thanks for a very good answer.

Ok maybe Radius is to overdo it at the moment when we only have 1 remote
access server, but you'll never know what the future brings.
2003 DC up and running
RRAS installed on a 2003 member server

next thing would then be:
> - IAS service so that it targets DC for authentication.
> - IAS service - add RAS servers as IAS clients
>
> - RAS server so that it uses IAS for authentication
> - RAS server so that it uses IAS for accounting
>
> - Configure Remote access policies on IAS server
>


I'll take a look at those things asap.

Thanks again

Tomppa




 
Bill Grant

 
      02-09-2005, 04:50 AM
If your RRAS server is a Windows server, you do not need to use RADIUS at
all. You can use normal Windows authentication. You just need to make the
RRAS server a member of the IAS and RAS server group in AD.

RADIUS is a cross platform standard. IAS is the Windows version of a
RADIUS server.
If your RRAS server was not a Windows device, you could use RADIUS to
authenticate against AD. If your RRAS server is a Windows server, AD can
handle it directly. You authenticate against AD.

 
Tommy Forsman

 
      02-09-2005, 05:31 AM
Hi Bill and thanks for your comments

so I can skip Radius and just install IAS? Sounds good.

Tomppa

 
Bill Grant

 
      02-09-2005, 09:13 AM
You don't even need to install IAS. It is all handled by Active Directory
if the RRAS server is a Windows server.
