Export (0) Print
Expand All

About RADIUS authentication

RADIUS is an industry standard authentication protocol used by Microsoft Forefront Threat Management Gateway to authenticate outbound Web proxy requests, incoming requests for published Web servers, and VPN client requests. Forefront TMG is configured as a RADIUS client and authenticates requests against the RADIUS server. Using RADIUS authentication, Forefront TMG does not need to be a domain member to authenticate users. This topic describes procedures for using IAS as the RADIUS server. For more information about the RADIUS authentication process in IAS, see IAS as a RADIUS server at Microsoft TechNet. Note that Windows Server 2008 uses Network Policy Server (NPS) as a RADIUS server. For more information, see Network Policy Server Infrastructure at Microsoft TechNet.

There are a number of limitations using RADIUS authentication:

  • Only unencrypted Password Authentication Protocol (PAP) can be used when authenticating outbound Web proxy requests. If you use RADIUS for VPN in addition to Web proxy authentication, you may want to split your remote access policies to prevent VPN using PAP.
  • Forefront TMG uses a basic challenge for user credentials, and a prompt is issued for users to input credentials.
  • If rules require authentication, Firewall client cannot be used.
  • A rule with RADIUS authentication can be applied to a specific user or to all users in the RADIUS namespace, but not to a specific group. As an alternative, you can configure a remote access policy for a specific group on the RADIUS server.
  • When user names are specified in any language other than English, Forefront TMG uses the current code page installed on the Forefront TMG server to translate the user data. The user can be authenticated only if the client uses the same code page.
  • Every time a rule is encountered by a client, RADIUS reauthenticates the client. This may cause heavy RADIUS traffic on busy sites. To reduce traffic, you can set the SingleRADIUSServerAuthPerSession COM setting from its default false value to true. This causes user credentials that are successfully validated to be cached. For subsequent user requests on the same TCP connection, credentials are compared with the cached credentials, rather than revalidating with the RADIUS server.
  • Forefront TMG does not include much information in the Access-Request packet (for example, NAS IP, NAS Port, Username, and Password), so differentiation between Forefront TMG and other services may occur based on extra information included by those services if they are run from the same computer. For example, Routing and Remote Access acting as a VPN server provides more information in the Access-Request packet than Forefront TMG. So if you need different VPN and Outlook Web Access authentication policies on the same Forefront TMG computer, you may need to resolve the differences between the two request types.

Security considerations

The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The RADIUS hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the use of the MD5 hashing algorithm to encrypt the User-Password and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used.

You can provide additional protection for hidden attributes by using Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES) in order to provide data confidentiality for the entire RADIUS message. Follow these guidelines:

  • Use an IPsec policy to provide additional security for RADIUS clients and servers. IPsec provides you with the ability to secure RADIUS servers against unwanted traffic by filtering specific network adapters (allowing or blocking specific protocols) and enabling you to choose source IP addresses from which traffic is allowed. For organizational units, you can create IPsec policies, which are stored in Active Directory. Or, you can create local policies on RADIUS servers and apply these policies to specific computers.
  • Require the use of strong user passwords.
  • Use authentication counting and account lockout to help prevent a dictionary attack against a user password. Enforce strong password policies on your network to make dictionary attacks more difficult.
  • Use a strong shared secret:
  • Use a random sequence of letters, numbers, and punctuation. Change it often to help protect your IAS server.
  • Use a different shared secret for each RADIUS server-RADIUS client pair. You must use the same case-sensitive shared secret on both the RADIUS server and the RADIUS client.
  • To ensure a random shared secret, generate a random sequence at least 22 characters long. You can use a shared secret of up to 128 characters in length.
  • Message authenticator. Shared secrets verify that RADIUS messages (except for the Access-Request message) are sent by a RADIUS-enabled device that is configured with the same shared secret, and shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). By default, there is no cryptographic verification of the incoming Access-Request message. The RADIUS server verifies that the message originated from an IP address for a configured RADIUS client, but source IP addresses can be spoofed. The solution is to require the message authenticator attribute in all Access-Request messages. The message authenticator attribute is the Message Digest-5 (MD5) hash of the entire Access-Request message using the shared secret as the key. Note that if you select Always use message authenticator, make sure that your RADIUS server is capable of receiving and is configured to receive message authenticators.

The following procedures walk you through the creation of an IPsec policy for RADIUS, consisting of the following steps:

  1. Export the Forefront TMG configuration
  2. Configure IPsec policy on the Forefront TMG server
  3. Configure IPsec policy on the IAS (RADIUS) server
  4. Configure Forefront TMG to allow IPsec traffic to the RADIUS Server
  5. Configure RADIUS or IAS server and remote access policy
  6. Test the configuration

Export configuration settings

  1. In Forefront TMG Management, click the computer name node.
  2. In the tasks pane, click Export (Back Up) Array Configuration.
  3. Specify a file name and location for the saved configuration.
  4. Click Export. When the export operation is complete, click OK.

Configure IPsec policy on the Forefront TMG computer

Configuring IPsec includes creating a policy, creating a filter list and adding filters to it, creating filter actions, configuring rules that contain the filter lists and action, and placing the rules in the IPsec policy. The following sample names are used in the procedures below:

  • Policy: "RADIUS Policy"
  • Filter List: "RADIUS Traffic"
  • Filter action name: "Require Strong Encryption"
  • Rule name: "Encrypt traffic to RADIUS servers"
  1. On the Forefront TMG server, open the MMC and add the IPsec Policy Management snap-in.
  2. To create the IPsec policy, open a command prompt, and type the following in a single line:
    netsh                               
    netsh> IPsec static add policy name=”RADIUS Policy” 
    qmpermm=0 mmlifetime=480 activatedefaultrule=no mmsecmethods=
    ”3DES-SHA1-2 3DES-MD5-2”
    
  3. To create the filter list, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add filterlist name=”RADIUS Traffic” 
    description=”Matches all RADIUS traffic to RADIUS Server”
    
  4. In the IPSec Policy Management console, right-click the IP Security Policies on Local Computer node, and then click Manage IP filter lists and filter actions.
  5. On the Manage IP filter lists and filter actions dialog box, click the Manage IP Filter Lists tab. The empty filter list is displayed.
  6. To create a filter, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add filter filterlist=”RADIUS Traffic” srcaddr=me  
    dstaddr=172.10.10.10 dstmask=32 protocol=udp mirrored=yes srcport=0 
    dstport=1812
    
  7. To create a filter action, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add filteraction name=”Require Strong Encryption” 
    qmpfs=yes inpass=no soft=no action=negotiate 
    qmsecmethods=”ESP[3DES,SHA1]:3600s”
    
  8. On the Filter Action tab, double-click the filter action, and check that the Security Methods tab displays the properties that you typed at the command line.
  9. To create a rule, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add rule name=”Encrypt traffic to RADIUS Servers” policy=”RADIUS policy” 
    filterlist=”RADIUS Traffic” filteraction=”Require Strong Encryption” 
    psk=123456789
    
  10. In the IPSec Policy Management console, right-click the policy you have created, and then click Properties. Check that the rule you created is displayed on the Rules tab.
  11. To assign a policy, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static set policy name=”RADIUS policy” 
    assign=yes
    
  12. In the IPsec Policy Management console, verify that the policy is assigned a Yes status.

Configure IPsec policy on the IAS Server

  1. To create the IPsec policy, open a command prompt, and type the following in a single line:
    netsh                                   
    netsh> IPsec static add policy name=”TMG Policy” 
    qmpermm=0 mmlifetime=480 activatedefaultrule=no mmsecmethods=
    ”3DES-SHA1-2 3DES-MD5-2”
    
  2. To create the filter list, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add filterlist name=”RADIUS Traffic” 
    
  3. To create a filter and add it to the filter list, open a command prompt, and type the following in a single line:
    netsh
    netsh> IPsec static add filter filterlist=”RADIUS Traffic” srcaddr=me  
    dstaddr=172.10.10.10 dstmask=32 protocol=udp mirrored=yes srcport=0 
    dstport=1812
    
    The filter will be displayed in the IP Filter List tab.
  4. To create the filter list, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add filteraction name=”Require Strong Encryption” 
    qmpfs=yes inpass=no soft=no action=negotiate 
    qmsecmethods=”ESP[3DES,SHA1]:3600s”
    
    The action is displayed on the Filter Action tab.
  5. On the Filter Action tab, double-click the filter action, and check that the Security Methods tab displays the properties that you typed at the command line.
  6. To create a rule, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static add rule name=”Encrypt traffic to RADIUS Servers” policy=”RADIUS policy” 
    filterlist=”RADIUS Traffic” filteraction=”Require Strong Encryption” 
    psk=123456789
    
  7. In the IPSec Policy Management console, right-click the policy you have created, and then click Properties. Check that the rule you created is displayed on the Rules tab.
  8. To assign a policy, open a command prompt and type the following in a single line:
    netsh
    netsh> IPsec static set policy name=”RADIUS policy” 
    assign=yes
    
  9. In the IPsec Policy Management console, verify that the policy is assigned a Yes status.

Configure Forefront TMG to allow IPsec traffic to RADIUS

  1. Right-click Firewall Policy in the Forefront TMG Management console tree.
  2. Point to New, and then click Access Rule.
  3. In the Welcome page of the access rule wizard, specify a name for the rule: Allow IKE and ESP to RADIUS server. Then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, select Selected protocols from the drop-down list box, and then click Add. Expand the VPN and IPsec protocol group and add IKE Client and IPsec ESP. Click Close, and then click Next.
  6. On the Access Rule Sources page, click Add. Expand Networks, click Local Host, click Add, and then click Close. Click Next.
  7. On the Access Rule Destinations page, click Add. Click New and select Computer. In the dialog box that appears, specify the RADIUS server’s IP address and a name for the server. Click OK. Expand Computers, select the RADIUS server, click Add, and then click Close. Click Next.
  8. On the User Sets page, leave the default All Users, and then click Next.
  9. On the summary page, review the configuration, and click Finish.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft