Using and troubleshooting RADIUS using IAS

November 29, 2004

Please note: Portions of this transcript have been edited for clarity.

Introduction

Andy Q (Moderator):
Welcome to today’s chat. Our topic is Using and troubleshooting RADIUS using IAS. Questions, comments, and suggestions are welcome.

Andy Q (Moderator):
We are pleased to welcome our Experts for today’s chat. I will have them introduce themselves now.

Sam Salhi [MSFT] (Expert):
Hi all, my name is Sam Salhi, and I am a member of the IAS team.

Jeff [MSFT] (Expert):
Hi, my name is Jeff Singleton and I am a member of the Internet Authentication Service (IAS) test.

Tom Logan [MSFT] (Expert):
Test Engineer IAS Team - IAS Server Accounting (Logging, SQL, etc.)

Joe_MS (Expert):
I am Joe Davies, a technical writer for the Windows Network and Devices group.

Misty Azara [MSFT] (Expert):
Hi, my name is Misty Azara. I am the User-Interface Program Manager for IAS.

Mohammad[msft] (Expert):
Hi, my name is Mohammad Shalabi and I am a member of the dev and test team for IAS.

Ryan Clukey (Expert):
Hi, my name is Ryan Clukey. I am a usability engineer for IAS.

Sam Salhi [MSFT] (Expert):
Anybody have any questions regarding RADIUS or 802.1X?

Introduction

Sam Salhi [MSFT] (Expert):
Q:
Yes, is it possible to set up a 2003-based PKI without Active Directory enabled in an NT4 domain environment?
A: Yes it is; however, you can't use EAP-TLS to authenticate. Your only option would be to use PEAP-EAP-MSCHAPv2.

Sam Salhi [MSFT] (Expert):
I would recommend that you go ahead and do that. This way you will have centralized management and it will make your administration much simpler.

Sam Salhi [MSFT] (Expert):
Anybody here facing problems deploying IAS/Radius in their Domain? Do you use IAS as your RADIUS Server or do you use something else?

Sam Salhi [MSFT] (Expert):
Q:
Also, can 2003/IAS/Radius/PKI all live on the same physical server if I set up a standalone CA root? Or would I need to split up some of those services to get them to play nice on our network?
A: Sure, absolutely. IAS can coexist with almost all other services. It's very lightweight, so it will not take too many system resources.

When you do install IAS on the Certificate Authority, make sure you get a proper certificate installed. The root certificate is not a good choice in this case because it contains ALL EKUs (Enhanced Key Usages). IAS specifically looks for "Server Authentication", which is present in many certificate templates.

Joe_MS (Expert):
Q:
Can you point me to any relevant TechNet articles or whitepapers that illustrate PKI and Server 2003 based 802.1x/IAS/Radius scenarios in an NT4 environment please?
A: Check out the "Windows NT Server 4.0 Upgrade Guide" at https://www.microsoft.com/windowsserver2003/partners/isvs/ntmigrate.mspx for migration advice for NT 4 to Windows Server 2003. We don’t have a specific guide for Windows NT 4.0, but you can follow https://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx for PEAP-MS-CHAP v2-based user authentication. EAP-TLS and PEAP-MS-CHAP v2 computer authentication do not work in an NT 4.0 domain.

Andy Q (Moderator):
For those new to the chat - Our topic is Using and troubleshooting RADIUS using IAS.

Sam Salhi [MSFT] (Expert):
Q:
Can 2003 IAS and RRAS live on the same physical server? I seem to recall reading somewhere that they could not for some obscure technical reason that I can't remember right now.
A: Yes, they can live on the same physical server. Just be careful when you set up your CRPs (Connection request processing), since these will not allow you to point to the same server.

Sam Salhi [MSFT] (Expert):
Q:
In order to workaround this I ended up deploying a new Windows 2000 IAS box but I'd like to know why the old one failed as I'm concerned about the integrity of our NT4 domain SAM db and/or other related NTLM issues we might have on our network at present.
A: 7, 8, 9, 10 are all the same question

Sam Salhi [MSFT] (Expert):
Paul, can you bundle all of these into one question? Is IAS joined to the NT4 domain?

Sam Salhi [MSFT] (Expert):
Paul, also, which authentication method are you using?

Xuemei Bao[MSFT] (Expert):
Paul, can you provide the complete event log?

Sam Salhi [MSFT] (Expert):
Q:
I am trying to troubleshoot why our IAS server, running on a member server (Windows 2000 Server Standard Edition + SP4 with all the latest MS critical updates) in our NT4 domain, has stopped authenticating RADIUS clients.
A: Enable LM authentication on your IAS server: HKLM\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication (DWORD) = 1

Andy Q (Moderator):
For those new to the chat - Our topic is Using and troubleshooting RADIUS using IAS. We’re a little over halfway in, so keep those questions coming!

Joe_MS (Expert):
Q:
Thanks Andy! Again, what will happen if I install and configure a Windows 2003 server as a domain controller and its AD in an NT 4.0 domain? Will it screw up anything?
A: If you install a Windows Server 2003-based computer as a domain controller in a Windows NT 4.0 domain, it will become a backup Windows NT 4.0 domain controller. It will not implement AD. This should work fine.

Sam Salhi [MSFT] (Expert):
Did you know you can use SQL logging for all your authentications?

Sam Salhi [MSFT] (Expert):
Q:
Do this registry key and DWORD value get added by default when you configure an IAS server? Enable LM authentication on your IAS server: HKLM\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication (DWORD) = 1
A: No, it doesn't exist by default.

Xuemei Bao[MSFT] (Expert):
Q:
I have an ISA server with RRAS on it as well; can I use IAS to authenticate my VPN users to the domain?
A: Yes, you can.

Sam Salhi [MSFT] (Expert):
Q:
I have an ISA server with RRAS on it as well; can I use IAS to authenticate my VPN users to the domain?
A: Yes, you can. Make sure to open ports 1812 and 1813 on your ISA for outbound UDP traffic.

Sam Salhi [MSFT] (Expert):
Q:
Can I use 2000 or 2003 IAS/Radius to set up a policy (?) for MAC-based authentication for Proximal AP-600 wireless access points and its Windows XP Pro or 2000 Pro wireless clients?
A: We normally don't recommend using MAC authentication, due to the fact that it is easy to spoof MAC addresses. Additionally, most vendor implementations have a very poor password associated with it (like the same MAC, or PASSWORD, or a pre-assigned string).

With that said, you can still do MAC authentication with PAP, by creating an account with the same name as the MAC address.

Sam Salhi [MSFT] (Expert):
Paul, a better option (than using MAC authentication) would be doing machine authentication with EAP-TLS or PEAP. But you will need to be in a Windows 2000+ domain to do this, and machines need to be joined to the domain.

Andy Q (Moderator):
Q:
Can you point me to a good white paper on setting up IAS for VPN client authentication?
A: Try this: https://www.microsoft.com/vpn/

Joe_MS (Expert):
Q:
Can you point me to a good white paper on setting up IAS for VPN client authentication?
A: See: https://technet2.microsoft.com/WindowsServer/en/Library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx.

Xuemei Bao[MSFT] (Expert):
https://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

Andy Q (Moderator):
Well that's time folks!

Sam Salhi [MSFT] (Expert):
Q:
So I'd have to create matching accounts in our NT4 domain for each MAC address of each wireless NIC then? Can these be consolidated any further into one NT4 security group?
A: Yes, they can be joined to a specific group. But you really can't do much more (you can't bundle all these as one user).

Andy Q (Moderator):
Thanks to our experts and guests for their participation today. For more information on TechNet chats, see: https://www.microsoft.com/technet/community/chats/default.mspx

Joe_MS (Expert):
Q:
Can you point me to a good white paper on setting up IAS for VPN client authentication?
A: Also see: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx.

Sam Salhi [MSFT] (Expert):
Thanks everyone for joining us today. Please continue to ask your questions through our newsgroups; everyone here would be happy to answer and help.

Andy Q (Moderator):
Here's a link to the newsgroup for further questions! Newsgroups

Andy Q (Moderator):
Bye all.