Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!
Course Of The Month
6 days, 16 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
RADIUS TESTING GUI TOOL
Posted on 2011-03-04
Ive been looking online and found various types of Radius testing tools. Does anyone have any recommendations on a freeware download tool that i can use to ensure my configurations ive followed are correct?
currently ive setup:
1 master dc, ad, dns, dhcp & sp2
- completed radius configurations
- installed and configured IAS
- created and added a single user account - the test client pc, happens to be plugged into the same local switch although the client would be logging on from a remote position but assuming this is ok anyway, but not sure if 'radius or ias' are being used!!??
i havent activated 'Routing & Remote Access' which im assuming is what i would need to do next if the 'test client pc' was actually logging on remotely, so the client would not only be using 'radius, ias, but a vpn' connection aswell.
currently ive setup:
1 master dc, ad, dns, dhcp & sp2
- completed radius configurations
- installed and configured IAS
- created and added a single user account - the test client pc, happens to be plugged into the same local switch although the client would be logging on from a remote position but assuming this is ok anyway, but not sure if 'radius or ias' are being used!!??
i havent activated 'Routing & Remote Access' which im assuming is what i would need to do next if the 'test client pc' was actually logging on remotely, so the client would not only be using 'radius, ias, but a vpn' connection aswell.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
9
4
14 Comments
You can only authenticate against IAS/Radius in some situations: Remote Access or 802.1X Wired or Wireless configuration. It's always based on network authentication to gain access to the network.
If you expect to use Radius when you enter your credentials in the Windows Logon screen, then you're wrong.
You can use Radius after you entered your credentials in the Windows Logon prompt to realize a network authentication (802.1x wireless or wired). But your credentials on the client are not validated by a DC, but used in cache. PEAP MSCHAPv2 authentication.
You can enable network authentication for the computer before you enter user credentials, EAP TLS authentication. You will need a CA to deploy computer certificates.
If you want to test, you should enable Remote access and simulate a VPN between your client and RAS Server. If the connection is successfull then your IAS configuration will be good. Else, you need to review.
If you expect to use Radius when you enter your credentials in the Windows Logon screen, then you're wrong.
You can use Radius after you entered your credentials in the Windows Logon prompt to realize a network authentication (802.1x wireless or wired). But your credentials on the client are not validated by a DC, but used in cache. PEAP MSCHAPv2 authentication.
You can enable network authentication for the computer before you enter user credentials, EAP TLS authentication. You will need a CA to deploy computer certificates.
If you want to test, you should enable Remote access and simulate a VPN between your client and RAS Server. If the connection is successfull then your IAS configuration will be good. Else, you need to review.
"If you expect to use Radius when you enter your credentials in the Windows Logon screen, then you're wrong."
as per your comment above, what i mean is a user will logon as normal although radius is configured although im not sure why after your comment above and then IAS does the AAA part.
if a user is local to a domain do i need to configure anything other than adding user to the domain as a normal user?
as per your comment above, what i mean is a user will logon as normal although radius is configured although im not sure why after your comment above and then IAS does the AAA part.
if a user is local to a domain do i need to configure anything other than adding user to the domain as a normal user?
If the user is local to the computer, then the authentication is against the local SAM Database.
If the user is stored in Active Directory (ie domain account), then the authentication is against the Domain Controllers, using Kerberos protocol by default (else NTLM).
You cannot change this behavior.
AAA is a way to forward authentication request from a system (switch, wireless AP, router, VPN box) to be able to authenticate against Active Directory (instead using multiple repository, by example adding local accounts to a router). IAS will ask to DCs to validate the credentials, and by example check is the user is member of a group configured in a rule. IAS has rules to define which acess the user will gain (by example VLAN guest access, or VLAN production access).
But IAS is never used when you enter credentials with the logon screen.
IAS will be used if you set up a VPN connection, or do network authentication with wired or wireless 802.1X
If the user is stored in Active Directory (ie domain account), then the authentication is against the Domain Controllers, using Kerberos protocol by default (else NTLM).
You cannot change this behavior.
AAA is a way to forward authentication request from a system (switch, wireless AP, router, VPN box) to be able to authenticate against Active Directory (instead using multiple repository, by example adding local accounts to a router). IAS will ask to DCs to validate the credentials, and by example check is the user is member of a group configured in a rule. IAS has rules to define which acess the user will gain (by example VLAN guest access, or VLAN production access).
But IAS is never used when you enter credentials with the logon screen.
IAS will be used if you set up a VPN connection, or do network authentication with wired or wireless 802.1X
"If the user is local to the computer, then the authentication is against the local SAM Database." - ok so if a standalone server was set up and all pc's, servers were connected and NOT on a DC then the authentication is against the Local SAM Database.
"If the user is stored in Active Directory (ie domain account), then the authentication is against the Domain Controllers, using Kerberos protocol by default (else NTLM)." - ok.
when configuring the IAS i selected MD5 and Ethernet which appears to be wrong from what you have advised so I need to change this accordingly.
Although I have routers but not connected as yet i will select vpn in the 'routing and remote access' part and see if it will still function on my local switch anyway. then if it works i will have to plug host pc on the other end of a router.
I have no vlans at this time.
"If the user is stored in Active Directory (ie domain account), then the authentication is against the Domain Controllers, using Kerberos protocol by default (else NTLM)." - ok.
when configuring the IAS i selected MD5 and Ethernet which appears to be wrong from what you have advised so I need to change this accordingly.
Although I have routers but not connected as yet i will select vpn in the 'routing and remote access' part and see if it will still function on my local switch anyway. then if it works i will have to plug host pc on the other end of a router.
I have no vlans at this time.
you could use this guide, it's an excellent help to figure how to setup IAS.
http://www.microsoft.com/downloads/en/confirmation.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
The most secure connections are PEAP/MsCHAP v2 (you use the user credentials, and there is only one certificate needed on the IAS), or i you prefer the best secure is EAP/TLS but you would deploy certificate for computers and/or users.
http://www.microsoft.com/downloads/en/confirmation.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
The most secure connections are PEAP/MsCHAP v2 (you use the user credentials, and there is only one certificate needed on the IAS), or i you prefer the best secure is EAP/TLS but you would deploy certificate for computers and/or users.
im going through your url now!! i have no certificates as just testing how to do things so will ignore the EAP/TLS part. ive selected everything in list anyway, ie peap/mschap, md5 and smartcard anyway.but peap/mschap is at top of list. it said the access part was Ethernet so ive selected this although i did not think so. either way i will go through and test just the parts that im looking at.
i haven't connected my router yet so am hoping things will work anyway as if the user was connected remotely anyway.
i haven't connected my router yet so am hoping things will work anyway as if the user was connected remotely anyway.
my test client pc although local for the time being, ive got the vpn working and i can see the username logged on via 'routing & remote access'.
i downloaded a program to test the 'radius server' and kept getting some 'error binding issue'. now that i have read your comments and confirmed the vpn is working. I then ran the software i downloaded again and NOW NO MORE 'ERROR BINDING ERROR' shows!!
As you said in your 1st thread -
"If you want to test, you should enable Remote access and simulate a VPN between your client and RAS Server. If the connection is SUCCESSFUL then your IAS configuration will be good.
so is that it as far as getting this link up and running?
As you said in your 1st thread -
"If you want to test, you should enable Remote access and simulate a VPN between your client and RAS Server. If the connection is SUCCESSFUL then your IAS configuration will be good.
so is that it as far as getting this link up and running?
i did NOT realise that although my my dhcp allocated an address, that when a vpn is connected it would allocated an additional address but not show it in dhcp at all.
the only way to notice is when i open 'Routing & Remote Access' is when i locate the vpn and properties and within there it shows the other ip address given to the vpn user.
The reason for this is because ive logged on as another user and then created a vpn for another as im using to test. Otherwise i realise this would not normally happen.
the only way to notice is when i open 'Routing & Remote Access' is when i locate the vpn and properties and within there it shows the other ip address given to the vpn user.
The reason for this is because ive logged on as another user and then created a vpn for another as im using to test. Otherwise i realise this would not normally happen.
When you create a VPN connection on your client, you will get a specific IP address for your VPN tunnel.
So if you run ipconfig /all you should see your client with 2 IPs.
More, if you launch route /print, you should by default see that the gateway for default route 0.0.0.0 is pointing to your VPN IP.
For the DHCP, it's the RAS service which book a pool of 10 IPs by default to be able to allocate them to clients. When the 10 IPs allocated is reached, another pool is booked.
So if you run ipconfig /all you should see your client with 2 IPs.
More, if you launch route /print, you should by default see that the gateway for default route 0.0.0.0 is pointing to your VPN IP.
For the DHCP, it's the RAS service which book a pool of 10 IPs by default to be able to allocate them to clients. When the 10 IPs allocated is reached, another pool is booked.
yes i did get a specific ip address.
Yes 2 ip's - 1 ip is the allocated address given from the dhcp and all the normally dhcp lease configurations as expected, ie master dc,dns,dhcp.
OK - i did NOT realise that RAS service books a pool of 10 IP's as YES this is what I saw and YOU say when fully allocated another pool is created - ok!!!!!!!
Ive had another expert say that IT MAY BE BECAUSE of some Browser service, but I was not sure.
thanks for that advice!!!!!!!!
Yes 2 ip's - 1 ip is the allocated address given from the dhcp and all the normally dhcp lease configurations as expected, ie master dc,dns,dhcp.
OK - i did NOT realise that RAS service books a pool of 10 IP's as YES this is what I saw and YOU say when fully allocated another pool is created - ok!!!!!!!
Ive had another expert say that IT MAY BE BECAUSE of some Browser service, but I was not sure.
thanks for that advice!!!!!!!!
Hi i keep having intermitant problems with my internet dongle it should be ok now as sometimes i can create a new thread and sometimes my internet connection would cut me off during closure of another. i am going to allocate the points accordingly anyway.
hi my internet my down the other day although it appeared to be intermittant and although i created another thread i went to close other threads but lost my internet connection. my internet connection should be ok now so i wish to allocated points accordingly and go through the other threads i have!!
Featured Post
Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Step by step guide to Clean and Sort your windows registry!
Introduction:
Always remember:
A Clean registry = Better performance = Save your invaluable time
In this article we're going to clear our registry manually! Yes, manually! The e…
It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:
• PC crashes? Get registry cleaner to repair it!
…
Two types of users will appreciate AOMEI Backupper Pro:
1 - Those with PCIe drives (and haven't found cloning software that works on them).
2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses
Course of the Month6 days, 16 hours left to enroll
726 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.