Configuring a 2003 Domain Controller for RADIUS Authentication
My firewall box (pfSense rocks!) has built-in VPN capabilities with the option to authenticate against a domain controller using RADIUS. This means that domain users can VPN into the network using the same username/password, and I don't have to maintain a separate list of credentials. Configuring the firewall to use RADIUS is simple: enter the IP of the RADIUS server and enter the shared secret. Configuring your domain controller on a Windows Server 2003 box to serve RADIUS is a bit more of a process. Luckily, I found a great tutorial here. I'm copying the instructions below for future reference in case that link ever dies.
Configuring Active Directory
When using the CHAP protocol, the "Store password using reversible encryption" option must be enabled, because the server has to recover the user's cleartext password to verify a CHAP response. You can enable this option globally for all users in the domain, or for a specific user.
To enable this option globally:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click on your domain and select Properties.
3. In the Group Policy tab, select "Default Domain Policy" and click Edit.
4. In the Group Policy window, navigate to Password Policy in the left-panel tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
5. Right-click on "Store password using reversible encryption for all users in the domain" and select Security.
6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.
7. Close all applications, restart the computer, and log into your domain.
To enable this option for a specific user:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click on the user and select Properties.
3. In the Account tab, check "Store password using reversible encryption." Click OK.
4. Close all applications, restart the computer, and log into your domain.
Configuring Internet Authentication Service (IAS)
NOTE: Install the latest service pack, which is available at the Microsoft website, before configuring authentication for Windows 2000 Advanced Server or Windows Server 2003. The following instructions assume that you already have IAS installed on your computer.
Specifying RADIUS Port Numbers
Use the following steps to specify the RADIUS authentication and accounting port numbers.
1. Select Start > Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.
2. Right-click on "Internet Authentication Service (Local)" and select Properties.
3. In the RADIUS tab (for Windows 2000 Advanced Server) or the Ports tab (for Windows Server 2003), enter 1645 in the Authentication field and 1646 in the Accounting field.
4. Click OK.
Adding RADIUS Client Devices
Follow these steps to add RADIUS clients (Policy Manager devices, not end users) to the server.
1. In the Internet Authentication Service window (Start > Programs > Administrative Tools > Internet Authentication Service), right-click on the Clients folder (for Windows 2000 Advanced Server) or the RADIUS Clients folder (for Windows Server 2003), and select New > Client.
2. Enter a Friendly Name and Protocol and then click Next.
3. Enter the IP address of the RADIUS client and select a Client Vendor (e.g. RADIUS Standard).
4. Enter a shared secret. A shared secret is a string of characters that will be used to encrypt and decrypt communications between the RADIUS server and the device (RADIUS client). Without the shared secret, the server and client will be unable to communicate, and authentication attempts will fail. The shared secret must be at least 6 characters long; 16 characters is recommended. Dashes are allowed in the string, but spaces are not. Be sure to write the shared secret down, as you will be adding it to the RADIUS client devices later.
5. Click Finish.
6. Repeat until all of your Policy Manager devices have been added.
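To make the two settings above concrete, here is an added Python example (not from this post or the tutorial it copies) that walks one RADIUS Access-Request/reply round trip as RFC 2865 and RFC 1994 define it. It shows the two places the configuration matters: the server must recompute MD5(ID || cleartext password || challenge) to check a CHAP-Password, which is why IAS needs the user's password in recoverable form, and the shared secret is what the VPN box uses to check the Response Authenticator on the Accept or Reject it gets back, so a client configured with a different secret cannot trust, or be fooled by, the reply. The user store, usernames, passwords and the shared secret are constructed sample values; the packet layout is standard RADIUS.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865); CHAP-Password carries RFC 1994 output.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60

# Constructed sample data (not real credentials). SAMPLE_USERS stands in for the AD
# store that reversible encryption lets IAS read back as cleartext; SAMPLE_SECRET is
# the shared secret typed into both IAS and the VPN box.
SAMPLE_USERS = {"alice": "correct horse battery"}
SAMPLE_SECRET = b"vpn-radius-s3cret"


def encode_attrs(attrs):
    """Serialise [(type, value), ...] into RADIUS Type/Length/Value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob):
    """Parse the attribute section, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def chap_response(chap_id, password, challenge):
    """RFC 1994 response: MD5(ID || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(ident, username, password, chap_id, challenge):
    """VPN box (RADIUS client) side: only the CHAP hash, never the password, is sent."""
    request_auth = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_CHAP_CHALLENGE, challenge),
        (ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(pkt, secret, user_db):
    """IAS side: recompute the CHAP response from the stored cleartext, then sign the reply."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    username = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    chap_pw = a.get(ATTR_CHAP_PASSWORD, b"")
    challenge = a.get(ATTR_CHAP_CHALLENGE, request_auth)  # RFC 2865 default challenge
    stored = user_db.get(username)  # a one-way hash store could not do the next line
    ok = (code == ACCESS_REQUEST and stored is not None and len(chap_pw) == 17
          and hmac.compare_digest(chap_pw[1:], chap_response(chap_pw[0], stored, challenge)))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, [])


def client_verify_reply(reply, request_auth, secret):
    """Reject any Accept/Reject whose Response Authenticator was not made with our secret."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code


def run_exchange(username, password, user_db, client_secret, server_secret, chap_id=7):
    """One full Access-Request / reply round trip; returns the reply code."""
    challenge = os.urandom(16)
    req, request_auth = client_access_request(1, username, password, chap_id, challenge)
    reply = server_handle(req, server_secret, user_db)
    return client_verify_reply(reply, request_auth, client_secret)
```

Because `server_handle` has to feed the stored value straight into `chap_response`, whatever store IAS reads must give back the cleartext; that is the trade-off behind the reversible-encryption setting, and a reason to prefer the per-user option over the domain-wide one when only a few accounts need VPN access. The exchange also shows that the shared secret never hides the CHAP hash itself; it only authenticates the server's reply, so a mistyped secret on the VPN box surfaces as a rejected reply rather than a logon failure in the event log.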
Adding a New Remote Access Policy
Follow these steps to add a new Remote Access Policy. A Remote Access Policy is a set of actions that is applied to a group of users who meet a specified set of conditions.
1. In the Internet Authentication Service window (Start > Programs > Administrative Tools > Internet Authentication Service), right-click on the Remote Access Policies folder and select New > Remote Access Policy.
2. Windows 2000 Advanced Server: Enter a Policy friendly name and then click Next.
   Windows Server 2003: Enter a Policy friendly name, select the "Set up a Custom Policy" radio button (as opposed to selecting the Wizard), and then click Next.
3. Follow these steps to add a condition. For example, to add a Windows Group condition:
   1. Click the Add button to open the Select Attribute window.
   2. Select "Windows Groups" and click Add.
   3. Click Add in the Groups window.
   4. Select a domain group (e.g. Domain Users) and click Add. Click OK.
   5. Add more groups if needed in the Groups window. Otherwise, click OK.
   6. Click Next.
4. In the Permissions window, select "Grant remote access permission" and click Next.
5. Add a User Profile for users who match the conditions you have specified:
   1. Click the Edit Profile button to open the Edit Dial-in Profile window.
   2. In the Authentication tab, select the appropriate authentication methods.
6. Click OK to proceed through the windows and Finish.
Registering the IAS
Follow these steps to register the Internet Authentication Service in the Active Directory, which enables IAS to authenticate users in the Active Directory.
1. In the Internet Authentication Service window (Start > Programs > Administrative Tools > Internet Authentication Service), right-click on "Internet Authentication Service (Local)" and select Register Service in Active Directory.
2. Click OK.
Stopping and Restarting the IAS
After completing the above steps to configure the Internet Authentication Service, you must stop and restart the Service.
1. In the Internet Authentication Service window (Start > Programs > Administrative Tools > Internet Authentication Service), right-click on "Internet Authentication Service (Local)" and select "Stop Service".
2. Right-click on "Internet Authentication Service (Local)" and select "Start Service".
Specifying User Permissions
Windows Server 2003
For Windows Server 2003, user permission is specified in the Remote Access Policy that is configured in the Internet Authentication Service.
1. Right-click on a user and select Properties. The User Properties window opens.
2. In the Dial-In tab, select the "Control access through Remote Access Policy" radio button in the Remote Access Permission (Dial-in or VPN) section.
3. Go to the appropriate policy configured in the Internet Authentication Service and check either the "Grant remote access permission" or "Deny remote access permission" radio button in the policy's Properties window.
4. Click OK.
You're all done, go test it!