RADIUS (Simple Answer on How to Install it)

Discussion in 'Windows Networking' started by Tim, Aug 17, 2006.

  1. Tim

    Tim Guest

    We have a CheckPoint firewall that uses ipsec using MD5, 3DES, AES-256, etc,
    etc and an MS2003 DC on our internal network. On the firewall I've turned
    off Check Point authentication and turned on RADIUS. On the 2003DC I've
    enabled RRAS and selected RADIUS authentication. The same 25 character
    shared secret is entered on the firewall's RADIUS object and RRAS.

    So is that it for setting up RADIUS? Then I got to thinking that on our
    server under RRAS, I added the server name itself as a RADIUS server, but
    does that mean that "RADIUS server" itself is then setup? I don't know as
    the only thing I can find on the web is adding IAS as a RADIUS proxy.
    UGGGGHHHH!!!! So I installed that on our DC as well. Do I REALLY need IAS?
    What if I only want a RADIUS server and NOT a IAS server acting as a RADIUS

    I just want VPN through our CheckPoint firewall for 10 people and it's
    turned into this huge royal pain to set up. There's got to be an easy way to
    do this. So our DC should be the RADIUS server and the CheckPoint firewall
    should be the RADIUS client....right?
    Tim, Aug 17, 2006
    1. Advertisements

  2. Tim

    Bill Grant Guest

    Basically yes. As far as RADIUS is concerned, the Checkpoint is the
    client and is offloading the authentication to Active Directory. The DC is
    the RADIUS server, and all you need for that is IAS.
    Bill Grant, Aug 18, 2006
    1. Advertisements

  3. Tim

    FenderAxe Guest

    Nope. If I understand how you have this configured it is as such:

    Firewall --> RRAS VPN server --> IAS server

    In this scenario all you do on the firewall is allow VPN traffic to pass
    through. The RADIUS protocol is not used between access clients and access
    servers (in this case the VPN server) -- it is only used between access
    servers and IAS.

    So if you were going to configure this arrangement, assuming that you have
    properly configured the firewall so that the VPN server receives connection
    requests from clients, you would do this:

    -- Configure the RRAS server as a RADIUS client in IAS (IP address and
    shared secret are main configuration items)

    -- Configure the RRAS server to use the IAS server as a RADIUS server
    (again IP address and shared secret).

    -- Then use the default remote access policy in IAS named something like
    "Connections to servers running routing and remote access" -- configure it
    appropriately and make sure you configure it to ALLOW access. (The default
    I think is block access).

    -- In Active Directory configure user account dial-in properties to
    "Control access through remote access policy."

    -- Do not change Connection Request Processing settings.

    -- Make sure logging is enabled and there is sufficient disk space for the
    logs. (If IAS cannot log but logging is enabled it stops processing

    Finally I have to tell you two more things:

    1. The only reason to use IAS is to simplify management of multiple access
    servers, because when you have multiple access servers and you use IAS, you
    only have to configure policies (connection request and remote access
    policies) in one location.

    You are deploying one VPN server; you don't need IAS unless you are
    planning on using advanced logging features (like logging to a SQL Server
    database, which you don't want to try unless you are a seasoned SQL Server
    admin.) Just configure your remote access policy in RRAS and be done with
    it. Make sure you enable the policy though.

    2. All of this information is sitting on your computer. Read the IAS Help,
    it is accurate and complete.
    FenderAxe, Aug 18, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.