To configure RADIUS servers

  1. In the console tree of ISA Server Management, click General.

  2. In the details pane, click Define LDAP and RADIUS Servers.

  3. On the RADIUS Servers tab, click Add.

  4. In Server name, type the name of the RADIUS server to use for authentication.

  5. Click Change and in New secret, type the shared secret that is used for secure communications between ISA Server and the RADIUS server. You must configure the same shared secret on both ISA Server and the RADIUS server for successful RADIUS communications to occur.

  6. In Port, type the User Datagram Protocol (UDP) port that is used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on RFC 2138. For older RADIUS servers, set the port value to 1645.

  7. In Time-out (seconds), type the amount of time (in seconds) that ISA Server will try to obtain responses from the RADIUS server before trying the next RADIUS server on the ordered list. Note that you can change the order in which the servers are accessed.

  8. Select Always use message authenticator to send a message authenticator, based on the shared secret, with each RADIUS message.

Note

To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration and then click General.
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration and then click General.

Important

When configuring ISA Server for RADIUS authentication, the configuration of RADIUS servers applies to all rules or network objects that use RADIUS authentication.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret.
Be sure to change the default preshared key on the RADIUS server.
Configure strong shared secrets and change them frequently to prevent dictionary attacks. Strong shared secrets are a long (more than 22 characters) sequence of random letters, numbers, and punctuation.
If you select Always use message authenticator, make sure that your RADIUS servers are capable of receiving, and configured to receive, message authenticators.
For VPN clients, Extensible Authentication Protocol (EAP) messages are always sent with a message authenticator. For Web Proxy clients, only Password Authentication Protocol (PAP) is used.
You must select Always use message authenticator if your RADIUS server is running Internet Authentication Service (IAS), and the RADIUS client that is configured for this server has the Request must contain the Message Authenticator attribute option selected.
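
The notes above say that the shared secret does not by itself verify an Access-Request, which is the gap the message authenticator closes. The following added example (not part of the original documentation or of ISA Server) builds an Access-Request, attaches the Message-Authenticator attribute as defined in RFC 2869 (type 80, HMAC-MD5 keyed with the shared secret), and verifies it the way a RADIUS server would; all function names and the sample user name are constructed for illustration.

```python
import hashlib, hmac, os, secrets, string, struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def generate_shared_secret(length=32):
    # Constructed helper: random letters, digits and punctuation, > 22 chars.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode()

def attr(attr_type, value):
    # RADIUS attribute: type, total length (including 2-byte header), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, user, secret, with_msg_auth=True):
    attrs = attr(1, user)  # User-Name
    if with_msg_auth:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    # Code 1 = Access-Request; its 16-byte Request Authenticator is random,
    # not keyed, so on its own it does not prove knowledge of the secret.
    packet = bytearray(struct.pack("!BBH", 1, identifier, 20 + len(attrs))
                       + os.urandom(16) + attrs)
    if with_msg_auth:
        # HMAC-MD5 over the whole packet with the placeholder still zeroed.
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def find_message_authenticator(packet):
    # Walk the attributes; return the offset of the 16-byte value or None.
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return None  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            return pos + 2 if a_len == 18 else None
        pos += a_len
    return None

def verify_message_authenticator(packet, secret):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = find_message_authenticator(packet)
    if off is None:
        return False  # request carries no proof of the shared secret
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)
```

A server that requires the attribute rejects both a request without it and a request whose contents changed after the HMAC was computed.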