#1
Hello everyone.

I have installed a new Colubris wireless system which requires a RADIUS server for authentication. To date I have never done anything with a RADIUS server and feel a bit lost. I have two separate domains obviously on two separate networks and wish to have the wireless available to both using RADIUS authentication. Between the two networks I have an ISA 2004 server.

On what server do I place the RADIUS server? How will it listen and authenticate from both networks? On the one network I have users entered in the AD, however on the other the wireless client will input their own username and password which I would like RADIUS to hold on to for various time periods.

Thanks in advance for any help.

RCB
#2
RCB <(E-Mail Removed)> wrote in
news:C940E5DE-C188-4A20-9FAF-(E-Mail Removed):

> Hello everyone.
>
> I have installed a new Colubris wireless system which requires a
> RADIUS server for authentication. To date I have never done anything
> with a RADIUS server and feel a bit lost. I have two separate domains
> obviously on two separate networks and wish to have the wireless
> available to both using RADIUS authentication. Between the two
> networks I have an ISA 2004 server.
>
> On what server do I place the RADIUS server? How will it listen and
> authenticate from both networks? On the one network I have users
> entered in the AD, however on the other the wireless client will input
> their own username and password which I would like RADIUS to hold on
> to for various time periods.
>
> Thanks in advance for any help.
>

Hi there --

For your AD domain, it is recommended that you install Internet Authentication Service (IAS), which is Microsoft's implementation of RADIUS, on the domain controller.

For the network that does not have AD, you can install IAS on pretty much any server. IAS does not consume a lot of processor bandwidth, so it won't diminish the server performance. Also because you aren't using AD on that network, you should use the local Security Accounts Manager (SAM) database on the IAS server for your user accounts. (Local Users and Groups, I think it's called, don't recall offhand -- but it is accessed through Control Panel.)

I should say that IAS does not manage user accounts, so it can't "hold onto" a user account for a specified time period. All IAS does is check the user account to perform authentication and authorization.

RADIUS is not broadcast like DHCP, it is unicast, so you must configure the access points, which are also RADIUS clients, to send connection requests to the IAS/RADIUS server; and you must also configure the IAS server so that it has a list of all the RADIUS clients and their IP addresses.

Because you have two networks and two different user account databases, you should install two RADIUS servers, with one acting as both a RADIUS server and a RADIUS proxy. For this server you will need Windows Server 2003, as it provides both RADIUS server and proxy functionality.

Probably the easiest way to do this is to use the AD domain IAS server as the proxy and server, with all access points configured to send all connection requests to this server. Then in IAS you configure a connection request policy to forward connection requests that do not contain a domain user account in the User-Name attribute of the Access-Request message to the other IAS server.

So in the end the picture looks like this:

Access Points (RADIUS clients) --> IAS proxy/server --> IAS server

I know this will seem confusing, but I should mention that in this configuration, the RADIUS proxy is a RADIUS client to the second IAS server. So the way you configure the proxy at the second IAS server is as a RADIUS client. (This will make more sense after you read the Help and see the IAS UI.)

The IAS Help on the Web is located at
http://www.microsoft.com/technet/pro...3/library/ServerHelp/d98eb914-258c-4f0b-ad04-dc4db9e4ee63.mspx

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
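
The forwarding decision described in the reply above, modeled as an added example that is not part of the original posts and is not IAS code or configuration. It parses the User-Name attribute (type 1) out of an RFC 2865 Access-Request and chooses between local authentication and forwarding; the access point addresses and the domain names CORP / corp.example are assumptions made up for illustration.

```python
import struct
from ipaddress import ip_address

ACCESS_REQUEST = 1   # RADIUS packet code, RFC 2865
ATTR_USER_NAME = 1   # User-Name attribute type, RFC 2865
# Assumed values for illustration: access point IPs and the AD domain's names.
RADIUS_CLIENTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
AD_NETBIOS = "corp"
AD_DNS = "corp.example"

def build_access_request(identifier, user_name):
    """Constructed sample packet: header, zeroed authenticator, User-Name only."""
    value = user_name.encode("utf-8")
    attr = struct.pack("!BB", ATTR_USER_NAME, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attr))
    return header + bytes(16) + attr

def parse_user_name(packet):
    """Return User-Name from an Access-Request, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute: reject rather than guess
        if attr_type == ATTR_USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8", "replace")
        pos += attr_len
    return None

def route(source_ip, packet):
    """Return 'drop', 'local' (check against AD) or 'forward' (second server)."""
    if ip_address(source_ip) not in RADIUS_CLIENTS:
        return "drop"  # sender is not in the configured RADIUS client list
    user = parse_user_name(packet)
    if user is None:
        return "drop"
    name = user.lower()
    if (name.startswith(AD_NETBIOS + "\\")
            or name.endswith("@" + AD_DNS)):
        return "local"
    return "forward"  # no domain account in User-Name
```
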