RADIUS (Simple Answer on How to Install it)

 
 
Tim
      08-17-2006, 08:23 PM
We have a CheckPoint firewall that uses IPsec using MD5, 3DES, AES-256, etc,
etc and an MS2003 DC on our internal network. On the firewall I've turned
off Check Point authentication and turned on RADIUS. On the 2003DC I've
enabled RRAS and selected RADIUS authentication. The same 25 character
shared secret is entered on the firewall's RADIUS object and RRAS.

So is that it for setting up RADIUS? Then I got to thinking that on our
server under RRAS, I added the server name itself as a RADIUS server, but
does that mean that "RADIUS server" itself is then set up? I don't know as
the only thing I can find on the web is adding IAS as a RADIUS proxy.
UGGGGHHHH!!!! So I installed that on our DC as well. Do I REALLY need IAS?
What if I only want a RADIUS server and NOT an IAS server acting as a RADIUS
proxy?

I just want VPN through our CheckPoint firewall for 10 people and it's
turned into this huge royal pain to set up. There's got to be an easy way to
do this. So our DC should be the RADIUS server and the CheckPoint firewall
should be the RADIUS client....right?
 
Bill Grant
      08-18-2006, 03:56 AM


Tim wrote:
>
> I just want VPN through our CheckPoint firewall for 10 people and it's
> turned into this huge royal pain to set up. There's got to be an
> easy way to do this. So our DC should be the RADIUS server and the
> CheckPoint firewall should be the RADIUS client....right?


Basically yes. As far as RADIUS is concerned, the Checkpoint is the
client and is offloading the authentication to Active Directory. The DC is
the RADIUS server, and all you need for that is IAS.


 
 
FenderAxe
      08-18-2006, 04:44 AM
Tim wrote:

> We have a CheckPoint firewall that uses IPsec using MD5, 3DES,
> AES-256, etc, etc and an MS2003 DC on our internal network. On the
> firewall I've turned off Check Point authentication and turned on
> RADIUS. On the 2003DC I've enabled RRAS and selected RADIUS
> authentication. The same 25 character shared secret is entered on the
> firewall's RADIUS object and RRAS.
>
> So is that it for setting up RADIUS? Then I got to thinking that on
> our server under RRAS, I added the server name itself as a RADIUS
> server, but does that mean that "RADIUS server" itself is then set up?
> I don't know as the only thing I can find on the web is adding IAS as
> a RADIUS proxy. UGGGGHHHH!!!! So I installed that on our DC as well.
> Do I REALLY need IAS? What if I only want a RADIUS server and NOT an
> IAS server acting as a RADIUS proxy?
>
> I just want VPN through our CheckPoint firewall for 10 people and it's
> turned into this huge royal pain to set up. There's got to be an easy
> way to do this. So our DC should be the RADIUS server and the
> CheckPoint firewall should be the RADIUS client....right?


Nope. If I understand how you have this configured it is as such:

Firewall --> RRAS VPN server --> IAS server

In this scenario all you do on the firewall is allow VPN traffic to pass
through. The RADIUS protocol is not used between access clients and access
servers (in this case the VPN server) -- it is only used between access
servers and IAS.

So if you were going to configure this arrangement, assuming that you have
properly configured the firewall so that the VPN server receives connection
requests from clients, you would do this:

-- Configure the RRAS server as a RADIUS client in IAS (IP address and
shared secret are main configuration items)

-- Configure the RRAS server to use the IAS server as a RADIUS server
(again IP address and shared secret).

-- Then use the default remote access policy in IAS named something like
"Connections to servers running routing and remote access" -- configure it
appropriately and make sure you configure it to ALLOW access. (The default
I think is block access).

-- In Active Directory configure user account dial-in properties to
"Control access through remote access policy."

-- Do not change Connection Request Processing settings.

-- Make sure logging is enabled and there is sufficient disk space for the
logs. (If IAS cannot log but logging is enabled it stops processing
requests.)

Finally I have to tell you two more things:

1. The only reason to use IAS is to simplify management of multiple access
servers, because when you have multiple access servers and you use IAS, you
only have to configure policies (connection request and remote access
policies) in one location.

You are deploying one VPN server; you don't need IAS unless you are
planning on using advanced logging features (like logging to a SQL Server
database, which you don't want to try unless you are a seasoned SQL Server
admin.) Just configure your remote access policy in RRAS and be done with
it. Make sure you enable the policy though.

2. All of this information is sitting on your computer. Read the IAS Help,
it is accurate and complete.

 
 
 
 