Configuring a Windows Server for 

RADIUS Authentication

This Help topic provides instructions for users who wish to configure a Windows
2000 Advanced Server or Windows Server 2003 to provide RADIUS authentication.
It includes steps for configuring the Internet Authentication Service (IAS), and for
creating users in Active Directory. Policy Manager has been designed to work with a
RADIUS server for authentication. The IAS implements the RADIUS protocol, and
provides authentication of users connecting to the network via LAN, virtual private
network (VPN), and dial-up technology.

It is recommended that you begin by reading the Policy Manager  Authentication

Configuration Guide for general authentication instructions prior to following the
steps here. Windows 2000 Advanced Server and Windows Server 2003 users should
follow the steps in this topic, instead of the Installing and Configuring the RADIUS
Server section in the Authentication Configuration Guide.

The recommended sequence for performing the configuration is listed below. When
you have completed these instructions, refer back to the sections  Configuring
RADIUS in Policy Manager and Testing Authentication in the Authentication
Configuration Guide for instructions on how to use Policy Manager to configure
authentication parameters on your devices, and verify that the users created in Active
Directory can authenticate to the network.

NOTE: The following instructions assume that you already have IAS installed on your
 
computer.

Instructions on:

1. Configuring Active Directory

2. Configuring Internet Authentication Service (IAS)
a. Specifying RADIUS Port Numbers
b. Adding RADIUS Client Devices
c. Adding a New Remote Access Policy
d. Registering IAS
e. Stopping and Restarting IAS
3. Creating Users in Active Directory
a. Creating a User
 b.Specifying User Permissions
4. Configuring Devices and Testing Authentication

Configuring Active Directory

When using CHAP protocol, the "password reversed encryption" option must be
enabled. You can enable this option globally for all users in the domain, or for a
specific user.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, right click on your
domain and select Properties.
3. In the Group Policy tab, select "Default Domain Policy" and click  Edit.
4. In the Group Policy window, navigate to Password Policy in the left-panel Tree
view: Computer Configuration > Windows Settings > Security Settings >
Account Policies > Password Policy.
5. Right-click on "Store password using reversible encryption for all users in the
domain" and select Security.
6. In the Security Policy Setting window, select the "Define this policy setting"
checkbox and the Enabled radio button. Click  OK.
7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers.
2. In the Active Directory Users and Computers window, right-click on the user
and select Properties.
3. In the Account tab, check "Store password using reversible encryption."
Click OK.
4. Close all applications and restart the computer, and log into your domain.

NOTE: The Windows 2000 Advanced Server Troubleshooting IAS Installation guide states:
  "After you enable reversibly-encrypted passwords in a domain, all users must change
their passwords before they will be able to authenticate against the domain."

Configuring Internet Authentication Service (IAS)

 NOTE: Install the latest service pack, which is available at the Microsoft website, before
configuring authentication for Windows 2000 Advanced Server or Windows Server
 
2003. The following instructions assume that you already have IAS installed on your
computer.

Specifying RADIUS Port Numbers

Use the following steps to specify the RADIUS authentication and accounting port
numbers.

1. Select Start > Programs > Administrative Tools > Internet Authentication

Service. The Internet Authentication Service window opens.
2. Right click on "Internet Authentication Service (Local)" and select Properties.
3. In the RADIUS Tab (for Windows 2000 Advanced Server) or the Ports Tab
(for Windows Server 2003), enter 1645 in the Authentication field
and 1646 in the Accounting field.
4. Click OK.

Adding RADIUS Client Devices

Follow these steps to add RADIUS clients (Policy Manager devices, not end users) to
the server.

1. In the Internet Authentication Service window (Start > Programs >

Administrative Tools > Internet Authentication Service), right click on the
Clients folder (for Windows 2000 Advanced Server) or the RADIUS Clients
folder (for Windows Server 2003), and select New > Client.
2. Enter a Friendly Name and Protocol and then click  Next.
3. Enter the IP address of the RADIUS client and select a Client Vendor (i.e.
RADIUS Standard).
4. Enter a shared secret. A shared secret is a string of characters that will be used
to encrypt and decrypt communications between the RADIUS server and the
device (RADIUS client). Without the shared secret, the server and client will be
unable to communicate, and authentication attempts will fail. The shared secret
must be at least 6 characters long; 16 characters is recommended. Dashes are
allowed in the string, but spaces are not. Be sure to write the shared secret
down, as you will be adding it to the RADIUS client devices later.
5. Click Finish.
6. Repeat until all of your Policy Manager devices have been added.

Adding a New Remote Access Policy

Follow these steps to add a new Remote Access Policy. A Remote Access Policy is a
set of actions which is applied to a group of users that meet a specified set of
conditions.
NOTE: For information on configuring end user VLAN ID attributes (in compliance with RFC
  3580) to be used in conjunction with VLAN to Role Mapping, refer to your device
firmware and RADIUS server documentation.

1. In the Internet Authentication Service window (Start > Programs >

Administrative Tools > Internet Authentication Service), right click on the
Remote Access Policies folder and select New > Remote Access Policy.
2. Windows 2000 Advanced Server: Enter a Policy friendly name and then
click Next. 
Windows Server 2003: Enter a Policy friendly name, select the "Set up a
Custom Policy" radio button (as opposed to selecting the Wizard), and then
click Next.
3. Follow these steps to add a condition. For example, to add a Windows Group
condition:
a. Click the Add button to open the Select Attribute window.
b. Select "Windows Groups" and click Add.
c. Click Add in the Groups window.
d. Select a domain group (i.e. Domain Users) and click  Add. Click OK.
e. Add more groups if needed in the Groups window. Otherwise, click  OK.
f. Click Next.
4. In the Permissions window, select "Grant remote access permission" and
click Next.
5. Add a User Profile for users who match the conditions you have specified:
a. Click the Edit Profile button to open the Edit Dial-in Profile window.
b. In the Authentication tab, select the appropriate authentication methods.
c. In the Advanced tab, remove all parameters, such as "Server-Type" and
"Framed-Protocol" and click Add to add a Filter-Id attribute.
d. In the Add Attributes window, select "Filter-Id" and then click  Add.
e. In the Multivalued Attribute Information window, click  Add.
f. In the Attribute Information window, enter the attribute value:  
Enterasys:version=1:mgmt=su:policy=[role]
where [role] is the role name to be applied to this user.

CAUTION: Include :mgmt=su in the string only for users who should have
administrative privileges and the ability to telnet to devices and/or
 
use local management on devices when authentication is enabled.
For other users, leave it out.

6. Click OK to proceed through the windows and Finish.

Registering the IAS

Follow these steps to register the Internet Authentication Service in the Active
Directory, which enables IAS to authenticate users in the Active Directory.

1. In the Internet Authentication Service window (Start > Programs >

Administrative Tools > Internet Authentication Service), right click on the
"Internet Authentication Service (Local)" and select Register Service in Active
Directory.
2. Click OK.

Stopping and Restarting the IAS

After completing the above steps to configure the Internet Authentication Service, you
must stop and restart the Service.

1. In the Internet Authentication Service window (Start > Programs >

Administrative Tools > Internet Authentication Service), right click on the
"Internet Authentication Service (Local)" and select "Stop Service".
2. Right click on the "Internet Authentication Service (Local)" and select "Start
Service".

Creating Users in Active Directory

Use these steps to create users and specify user permissions.

Creating a User

Create a new object for each user who will be authenticating.

1. Select Start > Programs > Administrative Tools > Active Directory Users
and Computers. The Active Directory Users and Computers window opens.
2. Right click on the left-panel Users folder and select New > User.
3. Proceed through the windows, entering the user name, password and other
relevant information. Click Finish.

Specifying User Permissions

The steps for specifying user permissions are different depending on whether you are
using Windows 2000 Advanced Server or Windows Server 2003.
Windows 2000 Advanced Server

The steps to specify user permissions depends on your domain operation mode. There
are two domain operation modes in Active Directory: Mixed Mode and Native Mode.
In Mixed Mode, user permission is specified in the User Properties window. In Native
Mode, user permission is specified in the  Remote Access Policy that is configured in
the Internet Authentication Service. To change the domain operation mode, consult
the Microsoft Windows 2000 Advanced Server documentation for guidance.

 Mixed Mode:
1. Right click on a user and select Properties. The User Properties window
opens.
2. In the Dial-In tab, select either the "Allow access" or the "Deny Access"
radio button in the Remote Access Permission (Dial-in or VPN) section.
3. Click OK.
 Native Mode:
1. Right click on a user and select Properties. The User Properties window
opens.
2. In the Dial-In tab, select the "Control access through Remote Access
Policy" radio button in the Remote Access Permission (Dial-in or VPN)
section.
3. Go to the appropriate policy configured in the Internet Authentication
Service and check either the "Grant remote access permission" or "Deny
remote access permission" radio button in the policy's Properties
window.
4. Click OK.

Windows Server 2003

For Windows Server 2003, user permission is specified in the  Remote Access
Policy that is configured in the Internet Authentication Service.

1. Right click on a user and select Properties. The User Properties window opens.
2. In the Dial-In tab, select the "Control access through Remote Access Policy"
radio button in the Remote Access Permission (Dial-in or VPN) section.
3. Go to the appropriate policy configured in the Internet Authentication Service
and check either the "Grant remote access permission" or "Deny remote access
permission" radio button in the policy's Properties window.
4. Click OK.
Configuring Devices and Testing Authentication
When you have completed the above instructions, refer to the sections  Configuring
RADIUS Devices in Policy Manager and Testing Authentication in the Authentication
Configuration Guide for instructions on how to use Policy Manager to configure
authentication parameters on your devices, and verify that the users created in Active
Directory can authenticate to the network.

Related Information

For information on related concepts:

 Authentication

For information on related tasks:

 Authentication Configuration Guide