Solved

Microsoft RADIUS server

Posted on 2004-09-23
Last Modified: 2010-05-18

I am looking to implement a ‘radius server’ to auth some dialup / perhaps wireless accounts.  This is an attempt to replace a legacy machine that is running a 3rd party application for radius authentication.  This app gets all its accounting info from a SQL dB, so I don’t have to worry about user files filled with usernames and passwords.
I remember reading once that Microsoft Windows 2000, perhaps even 2003, has it.  Its own ‘radius server’, but it's going by a different name!  Can anyone here point me in the correct direction as to where I can find some white papers on this and some HowTo documentation?

Thanks in advance.

Question by:weguardyou
 
LVL 15

Expert Comment

by:Yan_west
ID: 12133282
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12133297
Check all the links contained in the article.. everything is there..
0
 
LVL 1

Author Comment

by:weguardyou
ID: 12133475
I’ll do that and get back here.  As long as it tests ok, then I can make a machine and put it in place of the existing machine and see if it handles the requests.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12133494
It works great btw.... we are using it for our PIX authentication..
0
 
LVL 1

Author Comment

by:weguardyou
ID: 12133522
Well, I am banking on it.  This is going to be for PPP ISDN dialup requests.  If it works it saves going out and buying some overpriced 3rd party software.

0
 
LVL 1

Author Comment

by:weguardyou
ID: 12134120
Ok, the setup seems to be simple … Install, setup, point to my existing dB.
How do I test that this will auth the requests from the NAS?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134172
Hmmm, you wanna see if it works?  In your IAS server, under remote access logging, you can enable logs. Afterwards, you just consult the logs to see if everything is working fine..
0
 
LVL 1

Author Comment

by:weguardyou
ID: 12134285
In the old system using (3rd party software) I notice that they have a Radius Client Definition area.  This area has a few columns…

NAS Name, IPAddress, Secret, Type, Security

NAS Name:   Has the names of the remote servers who request from that radius.
IPAddress:  Has their IP addresses.
Secret:     Has their secret word.
Type:       Has the type, such as Radius Server, Livingston, Ascend; this is most likely the type of client they are using.
Security:   YES/NO option.

I don’t see settings like this in the Microsoft Version; and I am unsure if it matters.
0

 
LVL 15

Expert Comment

by:Yan_west
ID: 12134351
In my config on IAS I have the "friendly name for client", the IP address, the "client-vendor".. (type in your case), and the shared secret password..

so this would represent the first 4 fields you gave me.. no idea about the last one..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134358
btw, this is in the client folder in IAS..
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12134385
FreeRadius is as good as any, if you're familiar with Linux ?
There's a config example here:

http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
0
 
LVL 1

Author Comment

by:weguardyou
ID: 12134776
Ok I think I have an understanding of my issue.
You see, the old server gets its client info from a SQL dB.  I don’t see this option here in Microsoft’s version.  I am going to plug away at this for a little while longer.

This is what I get in my log:

User 911user was denied access.
 Fully-Qualified-User-Name = RCPTSVR\911user
 NAS-IP-Address = <not present>
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = test
 Client-IP-Address = 127.0.0.1
 NAS-Port-Type = <not present>
 NAS-Port = <not present>
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

The thing that I see I need to change (not sure how to just yet) is:  Use Windows authentication for all users
I need this to auth via SQL server.

0
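The event text posted above already shows which authentication path the request took. As an added example (not part of the original post, and not an IAS tool), this Python sketch parses that event format and returns notes on the fields that matter for triage; the sample is an abridged copy of the posted event and the function names are chosen here.

```python
import re

# Abridged copy of the event posted above, embedded so the example runs offline.
EVENT = r"""User 911user was denied access.
 Fully-Qualified-User-Name = RCPTSVR\911user
 NAS-IP-Address = <not present>
 Client-Friendly-Name = test
 Client-IP-Address = 127.0.0.1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Type = PAP
 Reason-Code = 16
"""

ABSENT = {"<not present>", "<undetermined>"}


def parse_ias_event(text: str) -> dict:
    """Split an IAS event description into a dict; absent fields become None."""
    lines = text.strip().splitlines()
    m = re.match(r"User (.+) was (granted|denied) access\.", lines[0])
    if not m:
        raise ValueError("not an IAS access event")
    event = {"User": m.group(1), "Result": m.group(2)}
    for line in lines[1:]:
        key, sep, value = line.strip().partition(" = ")
        if sep:
            event[key] = None if value in ABSENT else value
    return event


def triage(event: dict) -> list:
    """Return short notes on what the event says about the authentication path."""
    notes = []
    if event.get("Authentication-Provider") == "Windows":
        notes.append("credentials checked against Windows accounts (local or domain)")
    if event.get("Authentication-Type") == "PAP":
        notes.append("PAP: password is only hidden with the RADIUS shared secret")
    if (event.get("Client-IP-Address") or "").startswith("127."):
        notes.append("request came from the IAS host itself, not a NAS")
    if event.get("Result") == "denied" and event.get("Reason-Code") == "16":
        notes.append("reason 16: unknown user name or incorrect password")
    return notes
```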
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12134828
Oh, 2000 radius uses the Active Directory database of users to authenticate btw.. people have to use their username and password from the domain!..
0
 
LVL 1

Author Comment

by:weguardyou
ID: 12134868
Yes... I am finding this out the hard way.  It works even when you make local user accounts.
Seeing that this test box isn't a Domained Machine.

Blah... Back to the grind.  I need to find a solution to this server.  I thought a Microsoft out of the box solution would work.
I think I will just award you the points, you have been a big big help to me.

Once more... Go Microsoft.

I am not about to add users from a SQL dB into AD accounts on a domain.  That's not even needed.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134896
Think you may also have to enable some function in the user properties in ADUC to let them authenticate via radius.. in the dial-in tab, select allow access..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134910
Oh, I'm sorry about that.. but think of it, using radius this way is logical :)
0
