RADIUS Authentication
This Help topic provides instructions for users who wish to configure a Windows
2000 Advanced Server or Windows Server 2003 to provide RADIUS authentication.
It includes steps for configuring the Internet Authentication Service (IAS), and for
creating users in Active Directory. Policy Manager has been designed to work with a
RADIUS server for authentication. The IAS implements the RADIUS protocol, and
provides authentication of users connecting to the network via LAN, virtual private
network (VPN), and dial-up technology.
The recommended sequence for performing the configuration is listed below. When
you have completed these instructions, refer back to the sections Configuring
RADIUS in Policy Manager and Testing Authentication in the Authentication
Configuration Guide for instructions on how to use Policy Manager to configure
authentication parameters on your devices, and verify that the users created in Active
Directory can authenticate to the network.
NOTE: The following instructions assume that you already have IAS installed on your
computer.
Instructions on:
1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, right-click on your
domain and select Properties.
3. In the Group Policy tab, select "Default Domain Policy" and click Edit.
4. In the Group Policy window, navigate to Password Policy in the left-panel Tree
view: Computer Configuration > Windows Settings > Security Settings >
Account Policies > Password Policy.
5. Right-click on "Store password using reversible encryption for all users in the
domain" and select Security.
6. In the Security Policy Setting window, select the "Define this policy setting"
checkbox and the Enabled radio button. Click OK.
7. Close all applications and restart the computer, and log into your domain.
1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, right-click on the user
and select Properties.
3. In the Account tab, check "Store password using reversible encryption."
Click OK.
4. Close all applications and restart the computer, and log into your domain.
NOTE: The Windows 2000 Advanced Server Troubleshooting IAS Installation guide states:
"After you enable reversibly-encrypted passwords in a domain, all users must change
their passwords before they will be able to authenticate against the domain."
Use the following steps to specify the RADIUS authentication and accounting port
numbers.
Follow these steps to add RADIUS clients (Policy Manager devices, not end users) to
the server.
CAUTION: Include :mgmt=su in the string only for users who should have
administrative privileges and the ability to telnet to devices and/or
use local management on devices when authentication is enabled.
For other users, leave it out.
Follow these steps to register the Internet Authentication Service in the Active
Directory, which enables IAS to authenticate users in the Active Directory.
After completing the above steps to configure the Internet Authentication Service, you
must stop and restart the Service.
Creating a User
1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers. The Active Directory Users and Computers window opens.
2. Right-click on the left-panel Users folder and select New > User.
3. Proceed through the windows, entering the user name, password and other
relevant information. Click Finish.
The steps for specifying user permissions are different depending on whether you are
using Windows 2000 Advanced Server or Windows Server 2003.
Windows 2000 Advanced Server
The steps to specify user permissions depend on your domain operation mode. There
are two domain operation modes in Active Directory: Mixed Mode and Native Mode.
In Mixed Mode, user permission is specified in the User Properties window. In Native
Mode, user permission is specified in the Remote Access Policy that is configured in
the Internet Authentication Service. To change the domain operation mode, consult
the Microsoft Windows 2000 Advanced Server documentation for guidance.
Mixed Mode:
1. Right-click on a user and select Properties. The User Properties window
opens.
2. In the Dial-In tab, select either the "Allow access" or the "Deny Access"
radio button in the Remote Access Permission (Dial-in or VPN) section.
3. Click OK.
Native Mode:
1. Right-click on a user and select Properties. The User Properties window
opens.
2. In the Dial-In tab, select the "Control access through Remote Access
Policy" radio button in the Remote Access Permission (Dial-in or VPN)
section.
3. Go to the appropriate policy configured in the Internet Authentication
Service and check either the "Grant remote access permission" or "Deny
remote access permission" radio button in the policy's Properties
window.
4. Click OK.
For Windows Server 2003, user permission is specified in the Remote Access
Policy that is configured in the Internet Authentication Service.
1. Right-click on a user and select Properties. The User Properties window opens.
2. In the Dial-In tab, select the "Control access through Remote Access Policy"
radio button in the Remote Access Permission (Dial-in or VPN) section.
3. Go to the appropriate policy configured in the Internet Authentication Service
and check either the "Grant remote access permission" or "Deny remote access
permission" radio button in the policy's Properties window.
4. Click OK.
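To review the outcome of the per-user "Store password using reversible encryption" step and of the Dial-In permission steps above, the following added example (not part of the original Help topic or of Policy Manager) reads an LDIF export of user objects and lists the accounts whose userAccountControl has the reversible-encryption bit (0x80) set, together with their dial-in setting. It assumes the export carries sAMAccountName, userAccountControl and msNPAllowDialin, and that an absent msNPAllowDialin corresponds to "Control access through Remote Access Policy"; the sample records are constructed.

```python
import re

# userAccountControl bits: 0x80 is set by "Store password using reversible encryption"
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080
UF_ACCOUNTDISABLE = 0x0002
# Assumed mapping of msNPAllowDialin to the Dial-In tab radio buttons (absent = policy)
DIAL_IN = {"TRUE": "Allow access", "FALSE": "Deny access",
           None: "Control access through Remote Access Policy"}
# Constructed sample shaped like an LDIF export of user objects; not real data.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,CN=Users,DC=example,DC=com
sAMAccountName: aadmin
userAccountControl: 640
msNPAllowDialin: TRUE

dn: CN=Bob User,CN=Users,DC=example,DC=com
sAMAccountName: buser
userAccountControl: 512

dn: CN=Carol Temp,CN=Users,DC=example,DC=com
sAMAccountName: ctemp
userAccountControl: 642
msNPAllowDialin: FALSE
"""

def parse_ldif(text):
    """Yield one dict per LDIF record; folded lines are joined, comments skipped."""
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                rec[name.strip().lower()] = value.strip()
        if "dn" in rec:
            yield rec

def audit(ldif_text):
    """Return (account, dial-in setting, enabled) for accounts with the 0x80 bit set."""
    findings = []
    for rec in parse_ldif(ldif_text):
        uac = int(rec.get("useraccountcontrol", "0"))
        if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            dial_in = DIAL_IN.get(rec.get("msnpallowdialin"), "unknown")
            enabled = not uac & UF_ACCOUNTDISABLE
            findings.append((rec.get("samaccountname", rec["dn"]), dial_in, enabled))
    return findings

print(audit(SAMPLE_LDIF))
```

The domain-wide Password Policy setting is not recorded in userAccountControl, so this check covers only the per-user checkbox. An account that is listed but disabled or denied dial-in, like the constructed ctemp record, is a candidate for clearing the setting.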
Configuring Devices and Testing Authentication
When you have completed the above instructions, refer to the sections Configuring
RADIUS Devices in Policy Manager and Testing Authentication in the Authentication
Configuration Guide for instructions on how to use Policy Manager to configure
authentication parameters on your devices, and verify that the users created in Active
Directory can authenticate to the network.
Related Information
Authentication