Chapter 3: Installing and Configuring Microsoft Internet Authentication Service

The Microsoft Internet Authentication Service (IAS) is an industry-standard RADIUS server that can be used to authenticate users connecting to the ISA Server 2004 firewall machine. You can use IAS to authenticate Web Proxy clients on the internal network, and VPN clients and VPN gateways calling in from an external network location. In addition, you can use RADIUS authentication for remote users who connect to Web servers published using ISA Server 2004 Web Publishing rules.

The major advantage of using RADIUS authentication for Web Proxy and VPN connections is that the ISA Server 2004 firewall computer does not need to be a member of the domain to authenticate users whose accounts are held in Active Directory on the internal network. Many firewall administrators recommend that the firewall not be a member of the user domain: a domain-joined firewall holds a computer account and domain credentials, and an attacker who compromises the firewall could use that membership to amplify an attack against the internal network. With RADIUS, the firewall holds only a shared secret for the RADIUS server.

One major drawback to not making the ISA Server 2004 firewall a member of the internal network domain is that you cannot use the Firewall client to provide authenticated access to all TCP and UDP protocols. For this reason, we make the ISA Server 2004 firewall computer a member of the domain in this ISA Server 2004 Configuration Guide series. However, if you choose not to join the firewall to the domain, you can still use IAS to authenticate your VPN and Web Proxy clients.

We will discuss the following procedures in this document:

  • Installing the Microsoft Internet Authentication Service
  • Configuring the Microsoft Internet Authentication Service

Installing the Microsoft Internet Authentication Service

The Microsoft Internet Authentication Service is Microsoft's RADIUS server. We will use this RADIUS server later in this ISA Server 2004 Configuration Guide to enable RADIUS authentication for Web Publishing Rules and to investigate how RADIUS authentication can be used to authenticate VPN clients.

Perform the following steps to install the Microsoft Internet Authentication Service on the domain controller EXCHANGE2003BE on the internal network:

  1. Click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button in the left pane of the console.
  3. On the Windows Components page, scroll through the Components list and select the Networking Services entry. Click Details.
  4. Place a check mark in the Internet Authentication Service check box and click OK.
  5. Click Next on the Windows Components page.
  6. Click Finish on the Completing the Windows Components Wizard page.
  7. Close the Add or Remove Programs window.

The next step is to configure the Internet Authentication Service.

Configuring the Microsoft Internet Authentication Service

The IAS server and the ISA Server 2004 firewall computer must each be configured to trust the other before they can communicate. In this document we register the ISA Server 2004 firewall as a RADIUS client on the IAS server. Later we will configure the firewall to communicate with the IAS server.

Perform the following steps on the domain controller on the internal network to configure the IAS server:

  1. Click Start and point to Administrative Tools. Click Internet Authentication Service.
  2. In the Internet Authentication Service console, expand the Internet Authentication Service (Local) node. Right-click the RADIUS Clients node and click New RADIUS Client.
  3. On the Name and Address page of the New RADIUS Client Wizard, enter a friendly name for the ISA Server 2004 firewall computer in the Friendly name text box. This name only identifies the RADIUS client entry in the console; it is not used operationally. Enter the fully qualified domain name of the ISA Server 2004 firewall computer in the Client address (IP or DNS) text box.
  4. Click the Verify button. In the Verify Client dialog box, the fully qualified domain name of the ISA Server 2004 firewall computer appears in the Client text box. Click the Resolve button. If the RADIUS server is able to resolve the name, the IP address appears in the IP address frame. If it cannot resolve the name, the ISA Server 2004 firewall’s name has not been entered into DNS. In that case, you can either add a record for the ISA Server 2004 firewall computer to the DNS server on the domain controller, or enter the IP address of the firewall’s internal interface in the Client address (IP or DNS) text box on the Name and Address page (as seen previously). Whichever you enter, IAS identifies a RADIUS client by the source IP address of its requests, so the address must be that of the internal interface from which the firewall sends RADIUS traffic to the domain controller. Click OK in the Verify Client dialog box.
  5. Click Next on the Name and Address page of the New RADIUS Client Wizard.
  6. On the Additional Information page of the wizard, use the default Client-Vendor entry, which is RADIUS Standard. Enter a password in the Shared secret text box and confirm it in the Confirm shared secret text box. The same secret will later be entered on the ISA Server 2004 firewall; it is the only key protecting RADIUS traffic between the two, hiding users' passwords inside authentication requests and keying the Message Authenticator attribute. Anyone who can capture RADIUS traffic on the internal network can test guesses at the secret offline, so use a long random string of mixed-case letters, numbers and symbols rather than a memorable password; treat 8 characters as the floor, not a target (IAS accepts secrets of up to 128 characters). Place a check mark in the Request must contain the Message Authenticator attribute check box. IAS will then reject any request that does not carry a valid HMAC computed with the shared secret, so a request cannot be forged simply by spoofing the firewall's IP address; the firewall must be configured to send this attribute when its RADIUS server entry is created later. Click Finish.
  7. The new RADIUS client entry appears in the right pane of the console.
  8. Close the Internet Authentication Service console.
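To make the shared secret and Message Authenticator settings from step 6 concrete, the following is an added example, not code from this guide or from Microsoft, that builds and verifies a RADIUS Access-Request in Python the way a RADIUS client and server exchange it. The user's password is hidden by XORing it against MD5(shared secret + Request Authenticator) blocks as RFC 2865 specifies, and the Message-Authenticator attribute is an HMAC-MD5 over the whole packet keyed with the shared secret as RFC 2869 specifies; the server side refuses requests that lack the attribute or fail the check, which is what the IAS check box enforces. The secret, user name and password are constructed values. It goes one step beyond the guide: guess_secret shows that a captured request lets an attacker test candidate secrets offline, which is why the secret must be long and random.

```python
"""RADIUS Access-Request builder/verifier: RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator (HMAC-MD5). Added example, not from the IAS guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def _xor_chain(data, secret, request_authenticator, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # in both directions, chain on the ciphertext block
    return bytes(out)


def hide_password(password, secret, request_authenticator):
    """Client side: NUL-pad to a multiple of 16 bytes (at least one block), then chain."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_chain(padded, secret, request_authenticator, hiding=True)


def reveal_password(hidden, secret, request_authenticator):
    """Server side: undo hide_password and strip the NUL padding."""
    return _xor_chain(hidden, secret, request_authenticator, hiding=False).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 s5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, request_authenticator=None):
    """Client side: the Message-Authenticator is an HMAC-MD5 over the whole packet with its own value zeroed."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_authenticator)))
    ma_offset = 20 + len(attrs) + 2  # header(20) + earlier attributes + the MA type/length bytes
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + 18)
              + request_authenticator + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_attributes(packet):
    """Yield (type, value, value_offset); reject truncated or overlapping attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def verify_access_request(packet, secret):
    """Server side with the Message-Authenticator required, as the IAS check box enforces; returns (username, password)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = list(parse_attributes(packet))
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        raise ValueError("Message-Authenticator missing")  # the request the IAS setting rejects
    value, off = macs[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret or altered packet")
    username = next(v for t, v, _ in attrs if t == ATTR_USER_NAME).decode()
    hidden = next(v for t, v, _ in attrs if t == ATTR_USER_PASSWORD)
    return username, reveal_password(hidden, secret, packet[4:20]).decode()


def guess_secret(packet, candidates):
    """Offline dictionary attack on a captured Access-Request: no server interaction is needed to test guesses."""
    for candidate in candidates:
        try:
            verify_access_request(packet, candidate)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    SECRET = b"Q7v!mZ2#pL9@xR4$wT6^hB1&nK8*"  # constructed; generate your own long random secret
    pkt = build_access_request(7, SECRET, "alice", "Pa55w0rd")
    print(verify_access_request(pkt, SECRET), guess_secret(pkt, [b"radius", b"password", SECRET]))
```

Running the file prints the credentials the server recovers and the secret that guess_secret finds in its candidate list. Note that the User-Password hiding is only as strong as the secret: MD5 keyed by a short secret is cheap to brute-force from one captured packet, and the Message-Authenticator adds integrity and source authentication but no confidentiality, so long random secrets and keeping RADIUS traffic on a trusted internal segment are both required.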

Later in this ISA Server 2004 Configuration Guide series we will configure a RADIUS server entry in the Microsoft Internet Security and Acceleration Server 2004 management console and use that entry for Web and VPN client requests.

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed the uses of the Microsoft Internet Authentication Service and how to install and configure the IAS server on the domain controller on the internal network. Later in this guide we will use this IAS server to authenticate incoming Web and VPN client connections.