Authenticating Outgoing Web Proxy Requests with RADIUS in ISA Server 2004
One of the fundamental capabilities of Microsoft Internet Security and Acceleration (ISA) Server 2004 is the ability to apply a firewall policy to specific users. By default, ISA Server can authenticate users against local accounts on the ISA Server computer, communicate with Active Directory servers for Microsoft Windows authentication, with RSA Authentication Managers (for RSA SecurID authentication) and with Remote Authentication Dial-In User Service (RADIUS) servers.
RADIUS is an industry standard authentication protocol. RADIUS authenticates users through a series of communications between RADIUS clients and a RADIUS server. A RADIUS client (in this case, ISA Server) passes information about a user to a designated RADIUS server, and then acts on the response that the RADIUS server returns. Transactions between the RADIUS client and the RADIUS server are encrypted using a shared secret, which is never sent over the network.
There are a number of advantages in deploying ISA Server with RADIUS authentication:
- RADIUS servers do not require domain membership of RADIUS clients from which authentication requests originate. ISA Server, as a RADIUS client, does not need to belong to a domain for authentication purposes.
- The RADIUS protocol is limited to a single User Datagram Protocol (UDP) connection. Added to the fact that ISA Server does not have to be a domain member for authentication purposes, this makes RADIUS useful in a perimeter network (also known as DMZ, demilitarized zone, or screened subnet) configuration.
- You can define remote access policies on the RADIUS server. For example, you can specify that a remote access policy should only allow access to a particular Windows group.
For more information about deploying a RADIUS server securely with ISA Server, see the section Appendix A: Best Practices for RADIUS Server Configuration.
There are a number of limitations when using RADIUS to authenticate Web proxy requests through ISA Server:
- Only unencrypted Password Authentication Protocol (PAP) authentication can be used.
- When you create an access rule with RADIUS authentication, you can specify that the rule should apply to specific users, or to all users in the RADIUS namespace. This may be a limitation if you wish to control access for a particular group of users. If you want to apply the rule to a particular group of users, you can configure a remote access policy on the RADIUS server to limit user access to a specific group.
- In a proxy scenario using RADIUS authentication, the client cannot provide credentials automatically. With RADIUS authentication, ISA Server challenges the client for Basic credentials (browsers such as Internet Explorer cannot automatically supply Basic credentials).
Internet Authentication Service (IAS)
Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server. IAS performs centralized connection authentication and authorization. If you install IAS as an Active Directory domain member, IAS validates credentials against user accounts in Active Directory. An IAS server can authenticate credentials for user accounts in the domain of which it is a member, and for user accounts in all domains that have a two-way trust relationship. For increased performance, you can install IAS on a domain controller, but this is not necessary. If you install IAS in workgroup mode, and not as a domain member, IAS validates credentials against user accounts in the local Security Accounts Manager (SAM). For more information about configuring IAS as a RADIUS server, see IAS Concepts, and Overview of IAS deployment in the Microsoft Windows Server 2003 documentation.
The scenario described in this document assumes the following:
- ISA Server is not installed as part of a domain, and will authenticate requests from internal users against IAS.
- IAS is a domain member and authenticates against a domain controller.
- Web proxy access is limited to a specific group of users.
The configuration steps are as follows:
- Install IAS Server.
- Configure ISA Server as a RADIUS client in IAS. This includes specifying a shared secret that is also configured on the ISA Server computer.
- Configure the IAS Remote Access Policy. Configure the Remote Access Policy for unencrypted (PAP) authentication. In Active Directory, set the dial-in properties of all user accounts to which you want to allow outgoing Web Proxy access to Control access through Remote Access Policy. For ease of management we will create an Active Directory group to group these users together. Then add a condition on the Remote Access Policy to allow access to this group.
- Configure the RADIUS server in ISA Server Management. Specify the RADIUS server ISA Server should use for authentication and the shared secret they use (which must be identical on the ISA Server computer and on the RADIUS server). Also indicate the time-out for retrying requests, and whether a message authenticator should be used.
- Enable system policy to allow communication between the ISA Server and the RADIUS server.
- Configure RADIUS authentication to be used for Web Proxy requests, on the network object from which client requests will arrive.
- Create an access rule to allow authenticated RADIUS users. Create a RADIUS user set to use in this rule.
The option to control user access through Remote Access Policy is only available in a Windows Server 2003 domain or a Windows 2000 native domain.
Controlling access by means of the Remote Access Policy on the IAS computer allows more flexibility than controlling user access on the access rule alone. When you create an access rule with RADIUS authentication, you can specify that the rule applies to a specific user, or to all users in the RADIUS namespace. Remote Access Policy allows you to apply a rule to a specific group of users.
Walkthrough Procedure 1: Install IAS Server
Install IAS Server. IAS is installed as a Windows component. For instructions, see Install IAS in Windows Server 2003 online Help. If IAS is a domain member after installation, you must register it in Active Directory. For instructions, see Enable the IAS server to read user accounts in Active Directory in Windows Server 2003 online Help.
Walkthrough Procedure 2: Configure ISA Server as a RADIUS client in IAS
Configure ISA Server as a RADIUS client. Ensure that the settings here are the same as those you specify when configuring the IAS server in ISA Server Management.
On the computer running IAS, click Start, point to Administrative Tools, and then click Internet Authentication Service.
If the RADIUS server is a domain member, ensure it is registered in Active Directory. To do this, right click the root node Internet Authentication Service, and then click Register server in Active Directory.
From the Internet Authentication Service management console, right-click the RADIUS Clients folder, and then click New RADIUS Client.
On the Name and Address page, in Friendly name, enter a name for the ISA Server computer. In Client address (IP or DNS), enter the default IP address of the adapter through which ISA Server accesses the domain controller (usually the ISA Server internal adapter).
On the Additional Information page, in Client-Vendor, ensure that RADIUS Standard is selected. In Shared secret, specify a password, and in Confirm shared secret, confirm the password.
Optionally, select Request must contain the Message Authenticator attribute.
You can specify IP addresses or DNS names for RADIUS clients. In most cases, it is more efficient to specify IP addresses, because this prevents IAS from needing to resolve client names at startup. If you are using Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, you can specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret. For more information about expressing such an address range for RADIUS clients, see Configure RADIUS clients in Windows Server 2003 online Help.
Walkthrough Procedure 3: Configure the Remote Access Policy for PAP authentication
For RADIUS Web Proxy authentication, only PAP is supported, and you must configure this setting in the remote access policy. In our procedure, we will modify the default Remote Access Policy: Connections to other access servers. For more information on remote access policy types, see Choosing a remote access policy type, in Windows Server 2003 online Help.
In the Internet Authentication Service console, click Remote Access Policies, and then in the details pane, double-click Connections to other access servers.
In the Settings tab, click Edit Profile.
On the Authentication tab, click Unencrypted authentication (PAP, SPAP). Then click OK.
Click OK to close the dialog box.
Enabling IAS for PAP is a per-profile IAS setting.
Walkthrough Procedure 4: Create a user group for use in the Remote Access Policy
For ease of management we will create an Active Directory group on the domain controller that the IAS Server authenticates against. Then add a condition on the Remote Access Policy to allow access to this group. Add user accounts for which you want to allow Web Proxy access to the group, and configure the dial-in properties of each user account in the group to Control access through Remote Access Policy. This option is only available in a Windows Server 2003 domain or a Windows 2000 native domain.
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click to expand the domain name.
- Right-click Users, click New, and then click Group.
- Type a name for the new group. For example WebProxy_Clients.
- Click to select Global Domain for the Group Scope, and then click to select Security for the Group Type.
- Add user accounts to the group and assign dial-in permissions:
  - Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  - In the console tree, click to expand the domain name.
  - Right-click Users. For each user you want to add to the WebProxy_Clients group, do the following:
    - Double-click the user to display its properties.
    - On the Member Of tab, click Add, choose the group you created (for example, WebProxy_Clients), and then click OK.
    - On the Dial-in tab, check that Control access through Remote Access Policy is selected. Then, click OK.
Walkthrough Procedure 5: Specify access permissions on the Remote Access Policy
Specify a condition on the remote access policy to limit Web Proxy access only to the Active Directory group you created.
In the Internet Authentication Service console, click Remote Access Policies, and then in the details pane, double-click the Connections to other access servers remote access policy.
In the Settings tab, click Grant remote access permission.
In the Settings tab, click Add.
In the Attribute types list, click Windows-Groups. Then click Add.
In the Groups dialog, click Add.
In the Select Groups dialog, specify the groups to be allowed access (in our case, the WebProxy_Clients group). Click OK to close the dialog box.
Click OK to close the Groups dialog, and then click OK to close the remote access policy properties.
You can also select Deny remote access permission, to deny access to specified Windows groups. For example, you can set the access rule to allow access to all users in the RADIUS namespace, and then set the remote access policy to exclude specific groups.
Walkthrough Procedure 6: Configure the RADIUS server in ISA Server Management
Configure RADIUS server settings in ISA Server Management. Ensure that the settings here are the same as those you specify when configuring ISA Server as a RADIUS client.
In ISA Server Management, click to expand the Configuration node, and then click General.
In the details pane, click Define RADIUS Servers.
On the RADIUS Servers tab, click Add.
In Server name, type the name or IP address of the RADIUS server to be used for authentication. (In this case, the IAS server is in the Internal network with an IP address of 10.0.0.1).
Click Change, and in New secret and Confirm new secret, type the shared secret to be used for communications between the ISA Server computer and the RADIUS server. Be sure to specify the same secret you entered when configuring ISA Server as a client on the RADIUS server.
In Port, specify the UDP port used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on RFC 2138.
In Time-out (seconds), specify the time (in seconds) that ISA Server should try to obtain a response from the RADIUS server before trying an alternate server.
The RADIUS server configuration settings are applied to all Web listeners or network objects using RADIUS authentication.
Walkthrough Procedure 7: Enable the RADIUS system policy rule
Enable this RADIUS system policy rule to allow communication between the RADIUS server and the ISA Server computer (Local Host network). This procedure assumes that the RADIUS server is located in the Internal network. You can modify this rule to indicate the specific RADIUS server rather than the entire Internal network.
- In ISA Server Management, right-click the Firewall Policy node, and then click Edit System Policy.
- In the Authentication Services section of the Configuration Groups list, click RADIUS.
- On the General tab, ensure Enable is selected.
Walkthrough Procedure 8: Configure RADIUS authentication on a network object
On the network that will listen for Web proxy requests you want to authenticate with RADIUS, do the following:
- In ISA Server Management, click to expand the Configuration node, then click Networks.
- In the details pane, click the Networks tab, and then click the applicable network. For example, if client requests are coming from the Internal network, then select Internal.
- On the Tasks tab, click Edit Selected Network.
- On the Web Proxy tab, click Authentication.
- On the Authentication page, select RADIUS.
- Click OK.
- Click Apply to apply changes.
Walkthrough Procedure 9: Create a RADIUS user set for use in an access rule
RADIUS authentication does not recognize Windows security groups. Instead, create a RADIUS user set to use in the access rule.
In ISA Server Management, click Firewall Policy.
On the Toolbox tab, click Users, then click the New menu.
In the Welcome page of the New User Sets Wizard, type in a name for the new group. For example, RADIUS_Users.
On the Users page, click Add, and then click RADIUS.
In the Add User dialog, click All Users in Namespace.
If you wanted to add an individual user rather than all RADIUS users, then type in a specific user name. You must type in the name in exactly the same way that the user will type credentials in the authentication page (for example Domain\UserName or UserName).
Click Next, and then click Finish to complete the wizard.
Click Apply to apply changes.
If you create a set for All Users in the Namespace, and then specify it in a rule without restricting access on the remote access policy, RADIUS allows any user that it can successfully authenticate in Active Directory (if the IAS server is a domain member), or locally (if IAS is in workgroup mode).
If you want to specify an individual user rather than all RADIUS users, type in a specific user name in exactly the same way that the user will type credentials in the authentication page. For example: Domain\UserName, or UserName.
Walkthrough Procedure 10: Create an access rule to allow outgoing Web requests
This rule allows access for authenticated users from the Internal network to the Internet (External network)
- In ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
- In the Welcome page, type in a name for the new rule, for example WebProxy_RADIUS. Then click Next.
- On the Rule Action page, click Allow. Then click Next.
- On the Protocols page, to allow all traffic, leave the All outbound traffic default. Then click Next.
- On the Access Rule Sources page, click Add.
- In the Add Network Entities dialog, click to expand Networks, select Internal, and click Add. Then click Close.
- Then click Next.
- On the Access Rule Destinations page, click Add.
- In the Add Network Entities dialog, click to expand Networks, click External, click Add. Then click Close.
- Then click Next.
- On the User Sets page, select All Users, and then click Remove.
- Click Add.
- In the Add Users dialog, select the RADIUS_Users group you created. Click Add, then click Close.
- Click Next, and then click Finish to complete the wizard.
- Click Apply to apply changes.
Walkthrough Procedure 11: Test the configuration
At any time, you can monitor the RADIUS server. Create a connectivity verifier to monitor the status of the server. Configure alerts so that appropriate action is taken when the IAS server is not working.
- In ISA Server Management, click the Monitoring node.
- In the details pane, click the Connectivity tab.
- In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
- On the Welcome page of the wizard, type a name for the connectivity verifier, and then click Next.
- On the Connectivity Verification Details page, do the following:
  - In Monitor connectivity to this server or URL, type the name of the RADIUS server.
  - In Verification method, select Send a Ping request.
- Click Next, and then click Finish.
- In the details pane, select the connectivity verifier you just created.
- On the Tasks tab, click Edit Selected Verifier.
- On the Properties tab, verify that Trigger an alert if the server response is not within the specified timeout is selected.
Appendix A: Best Practices for RADIUS Server Configuration
There are a number of best practice guidelines to help securely and efficiently deploy RADIUS with ISA Server, including:
- Well-defined shared secrets. When a password-based authentication method is used between a RADIUS client and server, the password is encrypted using the shared secret before it is sent in the Access-Request packet. Use the following tips when creating and using a shared secret:
- You must use the same case-sensitive shared secret on both the RADIUS server and the RADIUS client.
- Use a different shared secret for each RADIUS server-RADIUS client pair.
- To ensure a random shared secret, generate a random sequence at least 22 characters long.
- You can use any standard alphanumeric and special characters.
- You can use a shared secret of up to 128 characters in length. To protect your IAS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
- Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your IAS server and your RADIUS clients from dictionary attacks.
- Message authenticator. Shared secrets are used to verify that RADIUS messages (except for the Access-Request message) are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). By default, there is no cryptographic verification of the incoming Access-Request message. The RADIUS server verifies that the message originated from an IP address for a configured RADIUS client, but source IP addresses can be spoofed. The solution is to require the message authenticator attribute in all Access-Request messages. The message authenticator attribute is the Message Digest-5 (MD5) hash of the entire Access-Request message using the shared secret as the key. Note that if you select Always use message authenticator, make sure that your RADIUS server is capable of receiving, and is configured to receive, message authenticators.
- Internet Protocol security (IPsec). IPsec provides you with the ability to secure RADIUS servers against unwanted traffic by filtering specific network adapters (allowing or blocking specific protocols) and enabling you to choose source IP addresses from which traffic is allowed. For organizational units, you can create IPsec policies, which are stored in Active Directory. Or, you can create local policies on RADIUS servers, and apply these policies to specific computers. Use IPsec to provide additional security for RADIUS clients and servers. For more information, see Securing RADIUS traffic with IPsec.
Points to Note
Note the following:
- When user names are specified in any language other than English, ISA Server uses the current code page installed on the ISA Server computer to translate the user data. The user can be authenticated only if the client also uses the same code page.
- If you are using RADIUS for Web Proxy client authentication and VPN client authentication, you may want to split your remote access policies to prevent your VPN clients from using PAP. (Web Proxy clients support PAP only.)
- Every time a rule is encountered by a client, RADIUS reauthenticates the client. This potentially causes heavy RADIUS traffic on busy sites instead of regular domain authentications. There is an ISA Server COM setting available to reduce this traffic. SingleRADIUSServerAuthPerSession is a property of the FPCWebListener object that is valid for both network objects and Web listener objects. If you change the property from its default false value to true, user credentials sent to ISA Server and successfully validated by a RADIUS server are cached. For subsequent requests from the user on the same TCP connection, credentials sent to ISA Server are compared with credentials stored for that connection in the cache, rather than re-validating with the RADIUS server.
- ISA Server does not include much information in the Access-Request packet (for example, NAS IP, NAS Port, Username, and Password), so differentiation between ISA Server and other services may occur based on extra information included by those services, if they are run from the same computer. For example, Routing and Remote Access acting as a VPN server provides more information in the Access-Request packet than ISA Server. So if you need different VPN and Outlook Web Access authentication policies on the same ISA Server computer, you may need to resolve the differences between the two request types.
Appendix B: Authorization of ISA Server requests against IAS
The ISA Server IAS authentication process for Web proxy requests can be summarized as follows:
The user submits an access request to ISA Server.
ISA Server tries to match the request with an access rule.
If there is a match and RADIUS authentication is enabled, the browser prompts the user for a user name and password.
When ISA Server receives the credentials, it sends the authentication request to the IAS server in the form of a RADIUS Access-Request packet. The Access-Request message is submitted to the RADIUS server over the network, and any user password between the client and server is encrypted using the shared secret.
Note: Each IAS server must have a shared secret for each RADIUS client, and the shared secret must be exactly the same for both server and client.
When the RADIUS server receives the request, it first validates the RADIUS client by checking the source IP address of the request. If the RADIUS client cannot be validated, the RADIUS server does not respond, not even to reject the connection request. If the RADIUS client does not receive a response within its time-out period, it retries the request. For instructions on configuring this time-out period, see To configure the RADIUS server in ISA Server Management.
If the Access-Request packet was sent by a valid RADIUS client and message authenticator (also known as the digital signature) is enabled for the RADIUS client, the digital signature in the packet is checked using the shared secret. If a digital signature is enabled and is not found, or fails, IAS silently discards the packet.
To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the Message Authenticator attribute (a Message Digest 5 (MD5) hash of the entire RADIUS message with the shared secret as the key). Enable the use of the message authenticator on both the IAS server and on ISA Server.
The RADIUS server checks the connection request against the conditions of the remote access policy (in the example used in this document, the condition is that the user belongs to the WebProxy_Clients group). If the connection attempt matches the conditions, the remote access permission of the remote access policy is checked. In an Active Directory environment, if the IAS server cannot connect to the domain controller or find the domain controller to which the user belongs, it silently discards the packet.
The RADIUS server returns a response in the form of Access-Accept or Access-Deny to the client. The RADIUS response may carry authorization information in the form of access attributes as part of the response to the client. Typically, RADIUS implementations apply these returned access restrictions. ISA Server does not support this functionality; it simply acts on the accept or deny response.
If ISA Server receives an accept response, it does one of the following:
- If the access rule applies to “All users in the (RADIUS) namespace” or “All authenticated users”, ISA Server allows access.
- If the access rule applies to a “Specific User Name” and a case-insensitive string comparison between the specific user name specified in the rule and the credentials submitted succeeds, ISA Server allows access.
If ISA Server receives a deny response, it denies access. When ISA Server receives a deny response, this may indicate that the RADIUS server does not authorize the client. Even if the credentials have been authenticated, ISA Server may reject the client request based on the RADIUS server authorization policy.
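The following Python model walks through the exchange summarized in Appendix B, and also exercises the two protections discussed in Appendix A: hiding of the PAP User-Password with the shared secret, and the HMAC-MD5 Message-Authenticator on the Access-Request. This is an added example, not ISA Server or IAS code: it models packet construction and the server's decisions in memory (no UDP sockets, no retries), the RADIUS client table, user directory, shared secret and IP addresses are constructed for the demo, and the group-membership check stands in for the Windows-Groups condition of the remote access policy. Function names such as build_access_request, ias_handle and run_exchange are this example's own.

```python
"""Model of the ISA Server -> IAS RADIUS round trip (RFC 2865 / RFC 2869).
Added example, not ISA Server or IAS code. All fixtures below are constructed."""
import hashlib
import hmac
import os
import secrets
import string

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                        # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80  # attribute types

# Constructed fixtures: IAS knows one RADIUS client (the ISA Server internal adapter)
# and a tiny user directory with Active Directory group memberships.
SHARED_SECRET = b"4fG!p9zQ#rT2wL7@mN0vXs8eB1"          # >22 chars, per Appendix A
RADIUS_CLIENTS = {"10.0.0.2": SHARED_SECRET}             # client address -> shared secret
USERS = {"alice": ("Passw0rd!", {"WebProxy_Clients"}),   # name -> (password, groups)
         "bob": ("Hunter2!", {"Domain Users"})}
ALLOWED_GROUP = "WebProxy_Clients"                       # Windows-Groups policy condition


def generate_shared_secret(length=32):
    """Random secret of letters, digits and punctuation (Appendix A guidance)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _xor_chain(secret, req_auth, data, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is chained on the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block   # always chain on the ciphertext block
    return out


def hide_password(secret, req_auth, password):
    blocks = max(1, (len(password) + 15) // 16)          # NUL-pad to a 16-byte multiple
    return _xor_chain(secret, req_auth, password.ljust(16 * blocks, b"\x00"), True)


def reveal_password(secret, req_auth, hidden):
    return _xor_chain(secret, req_auth, hidden, False).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:                                   # malformed attribute: stop parsing
            break
        attrs.append((t, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def build_access_request(secret, ident, username, password, nas_ip, req_auth=None):
    """Client (ISA Server) side: PAP credentials plus a Message-Authenticator (RFC 2869)."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(secret, req_auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),           # zero placeholder while signing
    ])
    pkt = bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()    # HMAC-MD5 over the whole packet
    return pkt[:-16] + mac, req_auth                     # the attribute is last, so fill its value


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the attribute zeroed; False if absent or wrong."""
    i = 20
    for t, v in parse_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        i += 2 + len(v)
    return False


def ias_handle(pkt, src_ip):
    """Server (IAS) side. Returns a response packet, or None where IAS silently discards."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None or not verify_message_authenticator(secret, pkt):
        return None                                      # unknown client, or bad/missing MA
    ident, req_auth = pkt[1], pkt[4:20]
    attrs = dict(parse_attrs(pkt[20:]))
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    record = USERS.get(name)
    authenticated = record is not None and hmac.compare_digest(record[0].encode(), password)
    authorized = authenticated and ALLOWED_GROUP in record[1]   # remote access policy condition
    header = bytes([ACCESS_ACCEPT if authorized else ACCESS_REJECT, ident]) + (20).to_bytes(2, "big")
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def isa_check_response(secret, req_auth, resp):
    """Client side: verify the Response Authenticator, then act only on accept/reject."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None                                      # forged or wrong-secret reply
    return resp[0] == ACCESS_ACCEPT


def run_exchange(username, password, src_ip="10.0.0.2", tamper=False):
    """Full round trip; returns "accept", "reject" or "no-response"."""
    pkt, req_auth = build_access_request(SHARED_SECRET, 7, username, password, src_ip)
    if tamper:                                           # flip a bit in User-Name after signing
        pkt = pkt[:22] + bytes([pkt[22] ^ 0x01]) + pkt[23:]
    resp = ias_handle(pkt, src_ip)
    if resp is None:
        return "no-response"
    return "accept" if isa_check_response(SHARED_SECRET, req_auth, resp) else "reject"


if __name__ == "__main__":
    for user, pwd in (("alice", "Passw0rd!"), ("bob", "Hunter2!"), ("alice", "wrong")):
        print(user, run_exchange(user, pwd))
```

Two behaviours from the walkthrough are visible in the model: a request from an address that is not a configured RADIUS client, or one whose Message-Authenticator fails, gets no reply at all (ISA Server would then wait out its time-out and retry), and bob's correct password still yields a reject because he is not in the group the remote access policy allows.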