Using Microsoft’s RADIUS server to secure your Network (January 29, 2007)
Chat Topic: Using Microsoft’s RADIUS server to secure your Network
Date: Monday, January 29, 2007
Please note: Portions of this transcript have been edited for clarity
kapil[MSFT] (Moderator):
Hello everyone - welcome to today’s chat!
Today’s Chat topic: Using Microsoft's RADIUS server to secure your Network
Setting up a secure Network for VPN or wireless access can be complex and challenging. Bring your questions and comments to the table and interact with experts from the Network Policy Server (NPS, formerly known as IAS) team to get them answered. Find out how you can use NPS as the RADIUS server for Network Access Protection (NAP), or to set up your 802.1x network, and how NPS interacts with underlying systems like Certification Authority and Active Directory.
kapil[MSFT] (Moderator):
I will let the experts introduce themselves now
Introductions
Ambrish [MSFT] (Expert):
Hello everyone, Welcome to NPS chat-room. I am EAP developer on NPS team.
James McIllece [MS] (Expert):
Hi everybody. I'm a technical writer for IAS and NPS.
Sam Salhi [MSFT] (Expert):
Hi all, my name is Sam Salhi and I'm a member of the EAP and IAS teams.
Arvind [MSFT] (Expert):
Hi all, I am Arvind and I'm a member of the NPS test team
Lenina [MSFT] (Expert):
Hi everyone, I am a tester in NPS Team.
kapil[MSFT] (Moderator):
Hello everyone. I am Kapil from the NPS test team
Shashwat [MSFT] (Expert):
Hello everyone, my name is Shashwat Srivastav and I am developer in NPS team.
Greg Lindsay [MSFT] (Expert):
Hi everyone, I am a technical writer for Network Access Protection.
Matt McKenzie [MSFT] (Expert):
Hello, I'm Matt from the NPS test team.
Rob Trace [MSFT] (Expert):
Hi, my name is Rob Trace. I am the Lead Program Manager for Network Policy Server (formerly known as IAS).
kapil[MSFT] (Moderator):
Please begin posting questions
kapil[MSFT] (Moderator):
Just a Reminder- remember to check the “ask the experts” box before sending. Thanks!
Start of Chat
James McIllece [MS] (Expert):
Q: Can anybody tell me if I can run radius on XP?
A: Both IAS and NPS are components of the server operating system (WS03 and Windows Code Name Longhorn server, respectively) and they can't be run on XP. There might be other RADIUS servers that allow you to run XP, I don't know.
Sam Salhi [MSFT] (Expert):
Q: What about running it on vista?
A: Same case with Vista. As James said, NPS (Microsoft's RADIUS solution) is only available on server SKUs (i.e., Windows 2003 Server and future Windows Servers).
Rob Trace [MSFT] (Expert):
Q: Is anyone out there using IAS currently? Are you using it for authenticating VPN? What about 802.1x?
Ambrish [MSFT] (Expert):
Q: Is integration of Msft s/w iSCSI initiator with Radius (now NPS) supported on "WS03" as well as "Longhorn"?
A: So far there are no intentions of supporting it on WS03.
Rob Trace [MSFT] (Expert):
Q: macarn, are you doing 802.1x currently in your environment?
James McIllece [MS] (Expert):
Q: what are the differences between NPS and IAS?
A: The biggest difference is the introduction of Network Access Protection (NAP), which is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista™ and Windows Server® Code Name "Longhorn". With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.
James McIllece [MS] (Expert):
Q: what are the differences between NPS and IAS?
A: For information on NAP you can go to http://www.microsoft.com/nap
Wai-O[MSFT] (Expert):
Q: I have a question on a recent change in the NAP install on LH. You are forced to import an SSL cert, but when you add the "trusted server HRA" on the client later you can use http or https. Are you planning on changing the install to not force SSL?
A: Joey, are you referring to NAP using IPSec enforcement?
James McIllece [MS] (Expert):
Here are some links to great IAS/802.1X deployment docs: "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows" at http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
"Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" at http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en
"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home Office or Small Organization Networks" at http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
Wai-O[MSFT] (Expert):
Q: I have a question on a recent change in the NAP install on LH. You are forced to import an SSL cert, but when you add the "trusted server HRA" on the client later you can use http or https. Are you planning on changing the install to not force SSL?
A: In NAP using IPSec enforcement scenario, we encourage users to do SSL, that's why we default on the client to https.
Rob Trace [MSFT] (Expert):
Q: Is anyone out there using any RADIUS server to authenticate 802.1x? How has your experience been? Are there features missing from the current solution set?
Sam Salhi [MSFT] (Expert):
Tip: Did you know that you can use SQL logging with NPS/IAS to store all the accounting information in a SQL database for later data-mining?
Rob Trace [MSFT] (Expert):
Q: Why not just use Cisco ACS? Isn't it better than Microsoft NPS/IAS?
A: First, you will find that IAS / NPS integrates seamlessly with Microsoft Active Directory. It works with all types of Cisco network gear as well as offerings from other vendors. IAS will also provide you a seamless upgrade path to Network Access Protection to provide health verification of clients when accessing a network.
James McIllece [MS] (Expert):
Sam is right -- and if you want to learn how to deploy IAS with SQL Server, see the paper "Deploying SQL Server Logging with Windows Server 2003 Internet Authentication Service (IAS)" http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4357F7-4070-4902-95F1-3AD411D963B2&displaylang=en
Sam Salhi [MSFT] (Expert):
Tip: Did you know that you can use NPS/IAS to authenticate protocols like PAP, CHAP, MS-CHAPv1, MS-CHAPv2, EAP-TLS, PEAP-EAP-MSCHAPv2 and PEAP-EAP-TLS?
Sam Salhi [MSFT] (Expert):
Q: Is LH/NPS supposed to integrate the usage of 3rd party EAP methods?
A: Both Authenticator and Peer Methods can be integrated under NPS using the EAPHost public APIs. For more information, check this link: http://msdn2.microsoft.com/en-us/library/aa363701.aspx
Rob Trace [MSFT] (Expert):
BingoFuel, Also in response to your ACS comment, did you see the announcement of Microsoft and Cisco integrating NAP and NAC? You might want to look at the whitepaper at http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf.
kapil[MSFT] (Moderator):
Just a Reminder- remember to check the “ask the experts” box before sending. Thanks! We have about 30 minutes left for today’s chat.
Sam Salhi [MSFT] (Expert):
Did you know that IAS/NPS has a very powerful Radius proxy that supports enhanced redundancy, load balancing?
Rob Trace [MSFT] (Expert):
Yes we are <g>. In fact we demonstrated a working integration back in September at the Security Summit. The full solution will be available in conjunction with Longhorn Server.
Sam Salhi [MSFT] (Expert):
Q: Would NPS have the ability to iterate between various domains? E.g., a certain VPN solution will provide only a user name and password; can we search for that user in all the domains in the forest/cross forest?
A: NPS can access multiple domains and forests. By default NPS/IAS will look up the user in the domain specified either during the authentication request, or in the username (domain\user format or user@domain format). If no domain name is specified, NPS/IAS will look up the username in its current domain. Alternatively, an Extension DLL can be used to search a select number of domains for that specific username. However, that's usually not needed. This extension DLL is available for download from the Platform SDK on MSDN.
James McIllece [MS] (Expert):
Yes you do, zipfll. Keep in mind though that RADIUS clients are network access servers, not client computers. With Windows Server 2003 Standard Edition you can configure up to 50 RADIUS clients, while with Enterprise Edition you can configure unlimited RADIUS clients.
James McIllece [MS] (Expert):
Here are some additional links to IAS documentation for those of you who want to learn more:
James McIllece [MS] (Expert):
IAS Technical Reference: http://technet2.microsoft.com/WindowsServer/en/library/8f5c89d5-fdaf-430c-9ef4-318f8c15baf11033.mspx?mfr=true
IAS Deployment Guide: http://technet2.microsoft.com/windowsserver/en/library/784206a4-fcf5-4318-8f95-1c63f1cf38de1033.mspx?mfr=true
IAS Operations Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=27c432bf-5ed0-4763-8909-36e7c310ae3c&displaylang=en
Sam Salhi [MSFT] (Expert):
Q: How many VSAs does IAS support by default?
A: The number of VSAs is only limited by the RADIUS 4096 limit.
Shashwat [MSFT] (Expert):
Q: There's one pending about the NPS moving from mdb to XML?
A: Yes, we have moved the NPS configuration to XML in Longhorn. Your configuration will be migrated from MDB to XML when you upgrade from Win2K/Win2K3 to Longhorn. Did that answer your question?
Sam Salhi [MSFT] (Expert):
Q: And how many are shipped with IAS?
A: Some are provided with NPS/IAS by default. But VSAs are vendor specific; in other words, you may create your own. So basically an unlimited number of VSAs can be created just by knowing the right format.
Shashwat [MSFT] (Expert):
Q: First, have we decided to move? Second, why the move to XML?
A: To answer the second question, the Jet Blue database was deprecated from the product. XML seemed to be a good choice for the new database for technical reasons.
kapil[MSFT] (Moderator):
Well that wraps it up for today’s chat. Thanks to everyone for participating, and also thanks to the Experts for being here to answer everyone’s questions
kapil[MSFT] (Moderator):
We will post the transcript from today’s chat here in the next few days: http://www.microsoft.com/technet/community/chats/trans/default.mspx#E4FAC
Great attendance today and many good questions! Thanks all for attending, and please keep an eye out for more NAP/NPS/EAP-related TechNet Web Chats in the future! Have a great day everyone!
Rob Trace [MSFT] (Expert):
Thanks everyone!!
Shashwat [MSFT] (Expert):
Thanks for participating.
James McIllece [MS] (Expert):
Thanks for attending the chat!
kapil[MSFT] (Moderator):
If you have further questions please contact our team via the newsgroup microsoft.public.internet.radius: http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.internet.radius