IAS as a RADIUS proxy security considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IAS as a RADIUS proxy security considerations

Consider the following security issues when deploying IAS as a RADIUS proxy:

  • Shared secrets

    Configure strong shared secrets to prevent dictionary attacks and change them frequently. Strong shared secrets are a long (more than 22 characters) sequence of random letters, numbers, and punctuation. For more information, see Shared secrets.

  • Firewall configuration

    If your IAS proxy is on a perimeter network, configure your Internet firewall (between your perimeter network and the Internet) to allow RADIUS messages to pass between your IAS proxy and RADIUS clients on the Internet. You might need to configure an additional firewall that is placed between your perimeter network and your intranet, to allow RADIUS traffic to flow between the IAS proxy on the perimeter network and an IAS server on the intranet. For more information, see IAS and firewalls.

  • Message Authenticator attribute

    You can use the RADIUS Message Authenticator attribute (also known as a digital signature or the signature attribute) to ensure that RADIUS Access-Request messages for connection requests were sent from a RADIUS client configured with the correct shared secret. The Message Authenticator attribute is always used with EAP--without having to enable it on the IAS server and access server. For the PAP, CHAP, MS-CHAP, and MS-CHAP v2 authentication protocols, you must enable the use of the Message Authenticator attribute on both the IAS server (as part of the configuration of the RADIUS client in Internet Authentication Service) and the RADIUS client (the access server or RADIUS proxy). Ensure that the RADIUS client supports the Message Authenticator attribute before enabling it. For more information, see Edit RADIUS client configuration.

    For information about enabling the RADIUS Message Authenticator attribute for your access server, see the appropriate access server documentation. For the Routing and Remote Access service, the use of the RADIUS Message Authenticator attribute is enabled from the properties of a RADIUS server when you configure RADIUS authentication. For more information, see Use RADIUS authentication.

  • Using IPSec filters to lock down IAS proxy servers

    You can configure IPSec filters to allow specific network traffic to pass through network interfaces on RADIUS servers. These filters can be applied to organizational units and stored in Active Directory, or they can be created and applied to individual servers. For more information, see Securing RADIUS traffic with IPSec.

  • Password Authentication Protocol (PAP)

    The use of Password Authentication Protocol (PAP) is strongly discouraged when using RADIUS proxies. For more information, see IAS and firewalls.

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.