weguardyou

asked on

Microsoft RADIUS server

RADIUS server

I am looking to implement a ‘radius server’ to auth some dialup / perhaps wireless accounts.  This is an attempt to replace a legacy machine that is running a 3rd party application for radius authentication.  This app gets all its accounting info from a SQL dB, so I don’t have to worry about user files filled with usernames and passwords.
I remember reading once that Microsoft Windows 2000, perhaps even 2003, has its own ‘radius server’, but it's going by a different name!  Can anyone here point me in the correct direction as to where I can find some white papers on this and some HowTo documentation?

Thanks in advance.

Yan_west

Check all the links contained in the article.. everything is there..
weguardyou

ASKER

I’ll do that and get back here.  As long as it tests ok, then I can make a machine and put it in place of the existing machine and see if it handles the requests.
It works great btw.... we are using it for our PIX authentication..
Well I am banking on it.  This is going to be for PPP ISDN dialup requests.  If it works it saves going out and buying some overpriced 3rd party software.

OK, the setup seems to be simple... Install, set up, point to my existing dB.
How do I test that this will auth the requests from the NAS?
Hmmm, you wanna see if it works?  In your IAS server, under remote access logging, you can enable logs. After that, you just consult the logs to see if everything is working fine..
In the old system using (3rd party software) I notice that they have a Radius Client Definition area.  This area has a few columns…

NAS Name, IPAddress, Secret, Type, Security

NAS Names: Has the names of the remote servers who request from that radius.
IPAddress: Has their IP Addresses
Secret: Has their secret word
Type: Has the type, such as Radius Server, Livingston, Ascend; this is most likely the type of client they are using.
Security: YES/NO Option.

I don’t see settings like this in the Microsoft Version; and I am unsure if it matters.
In my config on IAS I have the "friendly name for client", the IP address, the "client-vendor".. (type in your case), and the shared secret password..

So this would represent the first 4 fields you gave me.. no idea about the last one..
btw, this is in the client folder in IAS..
Tim Holman
FreeRadius is as good as any, if you're familiar with Linux ?
There's a config example here:

http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
Ok I think I have an understanding of my issue.
You see the old server gets its client info from a SQL dB.  I don’t see this option here in the Microsoft’s version.  I am going to plug away at this for a little while longer.

This is what I get in my log:

User 911user was denied access.
 Fully-Qualified-User-Name = RCPTSVR\911user
 NAS-IP-Address = <not present>
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = test
 Client-IP-Address = 127.0.0.1
 NAS-Port-Type = <not present>
 NAS-Port = <not present>
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

The thing that I see I need to change (not sure how to just yet) is:  Use Windows authentication for all users
I need this to auth via SQL server.

ASKER CERTIFIED SOLUTION
Yan_west

Yes... I am finding this out the hard way.  It works even when you make local user accounts.
Seeing that this test box isn't a Domained Machine.

Blah... Back to the grind.  I need to find a solution to this server.  I thought a Microsoft out of the box solution would work.
I think I will just award you the points, you have been a big big help to me.

Once more... Go Microsoft.

I am not about to add users from a SQL dB into AD accounts on a domain.  That's not even needed.
Think you may also have to enable some function in the user properties in ADUC to let them authenticate via radius.. in the dial-in tab, select allow access..
Oh, I'm sorry about that.. but think of it, using radius this way is logical :)