INSTALLING AND CONFIGURING WINDOWS SERVER 2003 RADIUS SUPPORT FOR VPN CLIENTS – INCLUDING SUPPORT FOR EAP/TLS AUTHENTICATION
Some organizations may prefer not to join the ISA Server firewall/VPN server to their internal network domain. The primary reason is to prevent an intruder who compromises the firewall from using it as a launch point for an attack on the internal network domain. While the probability of the firewall being compromised is small, the ISA Server firewall is a bastion host and is exposed to direct attack from the Internet.

When the ISA Server firewall/VPN server is not joined to the internal network domain, the only user accounts available to the machine are those configured in its local user database. In this scenario, every VPN user account must be created in the local user database on the ISA Server firewall/VPN server. Mirroring your internal network user database, including both user names and passwords, onto the ISA Server firewall/VPN server's local SAM database carries a lot of administrative overhead.

A better solution is to use the Microsoft Windows Server 2003 Internet Authentication Service (IAS). The Microsoft IAS Server is a Remote Authentication Dial In User Service (RADIUS) server. A RADIUS server accepts authentication requests from the ISA Server firewall/VPN server and forwards them to an authentication server. In a Windows Server 2003 domain, the domain controller is the authentication server. The authentication server confirms or denies the authentication request and returns the result to the RADIUS server, which forwards it to the ISA Server firewall/VPN server. The firewall/VPN server therefore needs neither domain membership nor a copy of the domain's accounts.

The Microsoft IAS Server can also be used to centralize the management of Routing and Remote Access Policy. If you have two or more ISA Server firewall/VPN servers, you may wish to apply the same remote access policies to each of them. You could manually configure Remote Access Policy on each server using the graphical interface or the netsh command. A better way is to use the Microsoft IAS Server: you create the Remote Access Policy on the IAS Server and then configure the ISA Server firewall/VPN servers to use the IAS Server of your choice. The policies configured on the IAS Server are applied to incoming VPN connections to each ISA Server firewall/VPN server.

You can also use the IAS Server to support advanced authentication, such as EAP-TLS authentication for PPTP and L2TP/IPSec clients. EAP-based authentication methods enhance the security of your ISA Server firewall/VPN server configuration.

We discuss the following procedures in this ISA Server 2000 VPN Deployment Kit Document:
Installing the Windows Server 2003 IAS Server
Configuring a VPN client Remote Access Policy on the IAS Server
Configuring the ISA Server firewall/VPN server to use the IAS Server for authentication and accounting
Configuring the ISA Server firewall/VPN server to support EAP-TLS authentication for PPTP and L2TP/IPSec clients
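The RADIUS exchange described above, as an added example that is not part of the original Deployment Kit document and is not IAS or ISA Server code: a Python model of the RFC 2865 Access-Request/Access-Accept round trip between the ISA Server firewall/VPN server (the RADIUS client, or NAS) and the RADIUS server. The user name, password, NAS address 203.0.113.1, packet identifier 7 and the shared secret are constructed sample values. It shows the two jobs the RADIUS shared secret does on this leg: it hides the User-Password attribute on the way to the server, and it signs the server's reply (the Response Authenticator) so the firewall cannot be fooled by a forged Access-Accept. It also shows why EAP-TLS is the better choice: User-Password hiding is only an MD5 keystream keyed by the shared secret, so the secret must be long and random and the RADIUS traffic should stay on a protected network, whereas EAP-TLS sends no password at all.

```python
# RFC 2865 Access-Request / Access-Accept round trip between a VPN gateway acting
# as RADIUS client (NAS) and a RADIUS server.  Added illustration, not IAS code.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3            # packet Codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7

def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR each block with an
    MD5 keystream chained from the shared secret and the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, done by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding is indistinguishable from trailing NULs

def build_access_request(identifier, username, password, secret,
                         nas_ip="203.0.113.1", request_auth=None):
    """NAS side. A fresh random Request Authenticator keys the password hiding;
    nas_ip is a constructed sample address."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", 2))       # 2 = Framed
             + _attr(FRAMED_PROTOCOL, struct.pack("!I", 1)))   # 1 = PPP
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def handle_access_request(packet, secret, user_db):
    """Server side: recover and check the password, then sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs, ok = packet[4:20], parse_attributes(packet[20:]), False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        username = attrs[USER_NAME].decode("utf-8", "replace")
        password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = username in user_db and hmac.compare_digest(user_db[username].encode(), password)
    reply_attrs = b""  # an Access-Accept would normally carry Framed-* attributes here
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs

def verify_response(response, request_auth, secret, expected_id):
    """NAS side: a reply whose Response Authenticator does not verify under the
    shared secret is discarded, whatever its Code says."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != expected_id:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code

def run_exchange(username, password, client_secret, server_secret, user_db, request_auth=None):
    """One full round trip; returns the reply Code the NAS accepted as genuine."""
    request, ra = build_access_request(7, username, password, client_secret, request_auth=request_auth)
    return verify_response(handle_access_request(request, server_secret, user_db), ra, client_secret, 7)

if __name__ == "__main__":
    users = {"alice": "correct horse battery"}  # constructed sample account
    print(run_exchange("alice", "correct horse battery", b"s3cret", b"s3cret", users))  # 2 = Access-Accept
```

In a real deployment the same shared secret is entered on the ISA Server firewall/VPN server's RADIUS settings and in the IAS Server's RADIUS client entry for that firewall. A mismatch fails on both legs of the exchange: the server recovers garbage instead of the password and rejects every user, and the firewall discards the reply because the Response Authenticator no longer verifies. In IAS the Windows domain, not the `user_db` dictionary used here, is what answers the password check.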
Installing and Configuring the Windows Server 2003 IAS Server
Perform the following steps to install and configure the IAS Server:
1. Click Start, point to Control Panel and click on Add or Remove Programs.
2. Click the Add/Remove Windows Components button in the Add or Remove Programs window.
3. In the Windows Components dialog box (figure 1), select the Networking Services entry and click the Details button.
Figure 1 (1712)
4. In the Networking Services dialog box (figure 2), put a checkmark in the Internet Authentication Service checkbox and then click OK. Click Next in the Windows Components dialog box.
Figure 2 (1713)
5. Click the Finish button on the Completing the Windows Components Wizard page.
Now we'll make some basic configuration changes to the IAS Server.
1. Click Start, point to Administrative Tools and click on Internet Authentication Service.
2. In the Internet Authentication Service console, right click on the Internet Authentication Service (Local) node in the left pane of the console. Click the Register Server in Active Directory command (figure 3). This adds the IAS Server's computer account to the RAS and IAS Servers security group, which gives it permission to read users' dial-in properties and so to authenticate users in the Active Directory domain; the account you run the console as must be allowed to change that group's membership, normally a Domain Admin. Click OK in the Register Internet Authentication Server in Active Directory dialog box (figure 4). Click OK in the Server registered: dialog box (figure 5). This dialog box informs you that the IAS Server was registered in a specific domain and that, if you want this IAS Server to read users' dial-in properties from other domains, you will need to add this server to the RAS and IAS Servers group in each of those domains.
Figure 3 (1714)