The Cable Guy - April 2004
Configuring Routing and Remote Access for RADIUS Authentication and Accounting
The Microsoft Windows Serverâ„¢ 2003 Routing and Remote Access service supports two different types of authentication providers:
- Windows Authentication Routing and Remote Access uses Windows Server 2003 local accounts, an Active Directory directory service domain, or a Windows NT 4.0 domain to authenticate connection credentials and user account properties and local remote access policies to authorize a connection attempt.
- RADIUS Authentication Routing and Remote Access uses a Remote Authentication Dial-In User Service (RADIUS) server to authenticate and authorize a connection attempt.
Similarly, Routing and Remote Access supports two different types of accounting providers:
- Windows Accounting Routing and Remote Access logs connection accounting information in log files that are configured from the properties of the local Remote Access Logging folder in the Routing and Remote Access snap-in.
- RADIUS Accounting Routing and Remote Access sends connection accounting information to a RADIUS server.
The selection of authentication and accounting providers is done from the Security tab from the properties of a server in the Routing and Remote Access snap-in. The following figure shows an example.
If your browser does not support inline frames, click here to view on a separate page.
Notice that you can configure the authentication and accounting providers separately. For example, you can configure Windows authentication and RADIUS accounting.
Once you specify either the RADIUS authentication provider or the RADIUS accounting provider, you must configure one or more RADIUS authentication or accounting servers. When you click Configure next to Authentication provider, you configure RADIUS servers for RADIUS-based authentication and authorization. When you click Configure next to Accounting provider, you configure RADIUS servers for RADIUS-based accounting.
Notice that you can configure different sets of RADIUS servers for authentication and accounting. For example, you can have one set of RADIUS servers whose sole function is to provide authentication and authorization services and a different set of RADIUS servers whose sole function is to accumulate accounting data for multiple RADIUS-based access servers in the organization.
Configuring RADIUS Servers for Authentication and Authorization When you click Configure next to Authentication provider, Windows displays the following dialog box. The RADIUS Authentication dialog box lists the configured set of RADIUS authentication servers. When you click Add to add a RADIUS authentication server to the list, Windows displays the following dialog box. The Add RADIUS Server dialog box for RADIUS authentication servers has the following fields:
Server name
Type the name or the IP address of the RADIUS server.
Secret
Click Change to type the RADIUS shared secret that is used to encrypt parts of RADIUS messages sent between the Routing and Remote Access server and the RADIUS server. You must configure the same shared secret on both the Routing and Remote Access server and the RADIUS server for successful RADIUS communications to occur. The shared secret is case-sensitive. It is recommended that each shared secret be a random sequence of upper and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character generation program to create shared secrets.
Time-out
Type the amount of time (in seconds) that Routing and Remote Access tries to obtain responses from the RADIUS server before trying another RADIUS server in the list.
Initial score
Routing and Remote Access uses a scoring mechanism to decide which RADIUS server to use. The score associated with a given RADIUS server is a combination of an initial score (configured here) and a dynamic score based on the RADIUS server's responsiveness. Routing and Remote Access uses the RADIUS server with the highest current score. You can use the Initial score setting to configure the preference order of the RADIUS servers in the list when Routing and Remote Access starts, but the actual order might change over time based on the responses of the RADIUS servers.
Port
Type the User Datagram Protocol (UDP) port that is used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on Request for Comments (RFC) 2138. For older RADIUS servers, set the UDP port value to 1645.
Always use message authenticator
Select this setting when you want Routing and Remote Access to include the Message-Authenticator RADIUS attribute with each RADIUS message. The Message-Authenticator RADIUS attribute includes information encrypted with the shared secret, providing proof to the receiving RADIUS server that a configured RADIUS client sent the message. Extensible Authentication Protocol (EAP) messages are always sent with the Message-Authenticator RADIUS attribute. If you select this setting, ensure that your RADIUS servers are capable of and configured to receive messages from this RADIUS client that include the Message-Authenticator RADIUS attribute.
You must select this option if your RADIUS server is a Windows Server 2003-based computer running Internet Authentication Service (IAS) and the RADIUS client on the IAS server that is configured for this Routing and Remote Access server has the Client must always send the signature attribute in the request option selected. For more information, see "Configuring IAS with a RADIUS Client" in this article.
When you click OK, the RADIUS server is added to the list of RADIUS authentication servers in the Add RADIUS Server dialog box.
Configuring RADIUS Servers for Accounting When you click Configure next to Accounting provider, Windows displays the following dialog box. The RADIUS Accounting dialog box displays the configured list of RADIUS accounting servers. When you click Add to add a RADIUS accounting server to the list, Windows displays the following dialog box. The Add RADIUS Server dialog box for RADIUS accounting servers has the following fields:
Server name
Type the name or the IP address of the RADIUS server.
Secret
Click Change to type the RADIUS shared secret.
Time-out
Type the amount of time (in seconds) that Routing and Remote Access tries to obtain responses from the RADIUS server before trying another RADIUS server in the list.
Initial score
Type the initial score for the RADIUS server.
Port
Type the UDP port that is used by the RADIUS server for incoming RADIUS accounting requests. The default value of 1813 is based on RFC 2138. For older RADIUS servers, set the UDP port value to 1646.
Send RADIUS Accounting On and Accounting Off messages
Select this setting when you always want RADIUS Accounting-On and Accounting-Off messages sent to the RADIUS server when the Routing and Remote Access service starts up and shuts down. This allows the RADIUS accounting server to store information regarding whether the Routing and Remote Access service restarted and when.
If you select this setting, ensure that your RADIUS servers, such as IAS servers, are capable of receiving and recording RADIUS Accounting-On and Accounting-Off messages.
When you click OK, the RADIUS server is added to the list of RADIUS accounting servers in the Add RADIUS Server dialog box.
Configuring RADIUS Servers Using the Routing and Remote Access Server Setup Wizard Another way to configure Routing and Remote Access for RADIUS authentication and accounting is with the Routing and Remote Access Server Setup Wizard, which is run when performing the initial configuration of the Routing and Remote Access service. When you select any option that requires the Point-to-Point Protocol (PPP) (such as dial-up or virtual private network-based remote access or demand-dial routing), you are prompted with the Managing Multiple Remote Access Servers page, which is shown in the following figure.
If your browser does not support inline frames, click here to view on a separate page. If you want to use Windows as both the authentication and accounting provider, select No, use Routing and Remote Access to authentication connection requests. If you want to use RADIUS as both the authentication and accounting provider, select Yes, set up this server to work with a RADIUS server. When you click Next, Windows displays the RADIUS Server Selection page, as shown in the following figure.
If your browser does not support inline frames, click here to view on a separate page. This page allows you to configure the IP address or name of a primary RADIUS server, an alternate RADIUS server, and the RADIUS shared secret for both. When you complete the wizard, the Routing and Remote Access server is configured for the following:
- RADIUS authentication provider with up to two RADIUS authentication servers. The primary RADIUS server has an initial score of 30. The alternate RADIUS server, also known as a secondary RADIUS server, has a score of 29.
- RADIUS accounting provider with up to two RADIUS accounting servers. The primary RADIUS server has an initial score of 30. The alternate RADIUS server has a score of 29.
- Both RADIUS servers have the same RADIUS shared secret.
If you want to use different RADIUS servers for authentication and accounting or different RADIUS shared secrets for each RADIUS server, then you must manually change the configuration with the Routing and Remote Access snap-in.
Configuring IAS with a RADIUS Client Routing and Remote Access is an Internet Engineering Task Force (IETF)-compliant RADIUS client that can be used with any IETF-compliant RADIUS server. Windows Server 2003 includes the Internet Authentication Service (IAS), an IETF-compliant RADIUS server and proxy. IAS is installed as an optional Windows networking component through Control Panel-Add or Remove Programs. Once IAS is installed, you must configure the RADIUS clients, the set of networking components that use RADIUS for authentication, authorization, and accounting. To add a RADIUS client that corresponds to the Routing and Remote Access server, do the following:
- Click Start, click Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.
- In the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client. Windows displays the following dialog box.
If your browser does not support inline frames, click here to view on a separate page. - In Friendly name, type a name for the Routing and Remote Access server that is later used to identify the server in the list of RADIUS clients in the Internet Authentication Service snap-in. In Client address, type the IP address or the name of Routing and Remote Access server. If you type a name, click Verify and the IAS server resolves the name to an IP address.
- Click Next. Windows displays the following dialog box.
If your browser does not support inline frames, click here to view on a separate page. - In Shared secret and Confirm shared secret, type the same shared secret as configured on the Routing and Remote Access server. If you selected Always use message authenticator on the Routing and Remote Access server, you must select Request must contain the Message Authenticator attribute.
- Click Finish to add the RADIUS client.
This procedure allows the Routing and Remote Access server to send RADIUS request messages to the IAS server, but for the IAS server to authenticate and authorize connections, user accounts might have to be modified and IAS might have to be configured with an appropriate remote access policy. For more information see Introduction to remote access policies.
For More Information For more information about Routing and Remote Access and IAS, consult the following resources:
- Windows Server 2003 Networking and Communications Services
- Virtual Private Networks for Windows Server 2003 Web page
- Internet Authentication Service Web page
For a list of all The Cable Guy articles, click here.