How to use the Microsoft Radius server IAS in a wireless or/and VPN deployment

March 16, 2004

Please note: Portions of this transcript have been edited for clarity

Introduction

Moderator: Brian_B (Microsoft)
Welcome to today’s Windows TechNet chat. Our topic today is How to use the Microsoft Radius server IAS in a wireless or/and VPN deployment.

Moderator: Brian_B (Microsoft)
We are pleased to welcome our experts for today. I will have them introduce themselves now.

Host: Sam_Salhi (Microsoft)
Hi all, my name is Sam Salhi. I work in the IAS-RADIUS test team, and I am very happy to be here today to answer all your questions regarding IAS to do VPN+Wireless. Bring it on :-)

Host: Wajih (Microsoft)
Hi, my name is Wajih. I work in the IAS team.

Moderator: Brian_B (Microsoft)
...and I am your pleasant but firm host, Brian Boston :). I am a Community Program Manager.

Moderator: Brian_B (Microsoft)
Let’s actually begin the chat. You may begin posting your questions in the lower room. Please start your questions with a Q: as this will assist us in quickly identifying your question in the window.

Start of Chat

Host: Sam_Salhi (Microsoft)
Did you know that you can centrally authenticate your VPN and wireless users using an IAS server?

Host: Wajih (Microsoft)
Q: How do the access points know to forward authentication requests to IAS or the VPN servers?
A: The access point forwards requests to RADIUS servers only, not to VPN servers. The way it works is that the AP has a RADIUS layer, so when it receives the packets from the client it will forward them to the server it has in its configuration.

Host: Sam_Salhi (Microsoft)
Q: Would you define WiFi logon procedures for access points with relationship to the Active Directory?
A: Yes. Users of WiFi doing 802.1X are preferred to be in Active Directory (AD), and they are granted access centrally by the Domain Administrator. This helps the admin keep an eye on who has access and who doesn't. Also, users may be on the local IAS server, but we don't recommend this setup.

Host: Wajih (Microsoft)
Q: Our Nortel VPN uses the dial-in tab and a group ID for authentication. Now wireless uses the dial-in tab for auth, but they want everyone wireless ready, thus dial-in set to allow. Would you consider this a security risk? The VPN users still need the group ID.
A: I am guessing you are using a mixed mode domain. In native mode domains you have the option in the user object to control through remote access policy, but in any case it is not a security risk, because if it is set to allow and the user does not match the remote access policy, the user will not be connected.

Host: Wajih (Microsoft)
Q: Sorry Wajih, we are also using a Cisco RADIUS box, and the Allow is not an option... looking to see if MS can help us if this is a security risk.
A: Sure, you came to the right place :). Which OS is running on your AD?

Host: Wajih (Microsoft)
Q: Running Microsoft AD 2000 native mode. Running a Cisco ACS with Nortel VPN... trying to see what Microsoft RADIUS would do.
A: In this case you set the user dial-in option to "control through remote access policy", which is selected by default when you create a new user, so the users will not get access unless you allow them access through the remote access policy.

Host: Sam_Salhi (Microsoft)
Q: I am in the process of implementing a RADIUS server to authenticate users logging on from my RAS server and VPNs. I have been reading about using IAS as a RADIUS server, but I was not entirely sure exactly how secure it is. What are your experiences using IAS?
A: IAS boasts easier configuration, integration with AD and other Windows subsystems, and it was the first RADIUS server to implement the PEAP protocol, in addition to the ability to programmatically extend its functionality and tons of other features that make it one of the best, most secure and feature-packed RADIUS servers.

Host: Sam_Salhi (Microsoft)
Q: Does Windows prompt for username and password when RADIUS is encountered, and are there limitations with versions of Windows?
A: Windows will prompt you for username and password when you're doing a VPN/dial-up connection. It will only prompt you for username and password if you're doing PEAP-EAP-MSCHAPv2 for wireless authentication. Otherwise, you will be prompted to select a certificate if you are doing EAP-TLS.

Host: Wajih (Microsoft)
Q: I thought remote access policy would only work with Microsoft RADIUS, though.
A: Yes. I am a little confused; are you looking for a solution to work with ACS?

Host: Wajih (Microsoft)
Q: No, not looking for a solution, have one; just concerned about wireless/VPN both using dial-in... if we go to MS RADIUS then we have the policies available, but not in the current config. Just looking for an option on the security risk, that's all.
A: Ah, OK. If you are using IAS, there should not be any security issues.

Host: Sam_Salhi (Microsoft)
Q: Can non-Intel devices such as Symbol RF scanners authenticate against IAS?
A: If they can play as an 802.1X client, then yes, they can be used against IAS.

Host: Sam_Salhi (Microsoft)
Q: I got one for you. We have set up IAS between the wireless users and the domain, not between the firewall and the domain. This is because as a Community College we don't always know who attempts to connect. We would like to know if there is an easy way to send the default web page to an instruction page, instead of immediately asking for their credentials.
A: IAS doesn't send any pages to the client.

Host: Sam_Salhi (Microsoft)
Q: Follow-up: IAS sends an authentication request that, if it fails, goes to an error page. We would like to change that behavior to send the client immediately to an "instruction page"; then, if the user agrees, he clicks on a button and authenticates through IAS.
A: What you are describing is what is commonly referred to as "HTTP hijacking", and this has nothing to do with IAS (currently). IAS does the initial authentication and doesn't send any additional pages.

Host: Sam_Salhi (Microsoft)
Q: What versions of Windows support PEAP-EAP-MSCHAPv2?
A: Windows 2000 (W2K) SP4 and Windows XP SP1.

Host: Sam_Salhi (Microsoft)
Q: Is there any way of doing username and password authentication for wireless for versions of Windows preceding Windows 2000?
A: Additional Microsoft 802.1X Authentication Client packages for Windows 98/Windows Millennium Edition and Windows NT 4.0 Workstation are available through the Microsoft Premier and Alliance Support organizations to customers with Premier and Alliance support contracts. Microsoft 802.1X Authentication Client packages for Windows 98/Windows Millennium Edition and Windows NT 4.0 Workstation are not available for redistribution.

For details about obtaining the clients, please contact your technical account manager. For more information go to https://www.microsoft.com/wifi

Moderator: Brian_B (Microsoft)
FYI: Information on Premier, Alliance, and other support programs is available at https://support.microsoft.com/default.aspx?scid=fh;[ln];msservices

Host: Sam_Salhi (Microsoft)
Q: OK, is there any way to get ISA/IAS to perform like what is found in broadband hotels?
A: Yes there is. With future releases of IAS, you will be able to redirect the user to a specific signup page where he will get information and sign up.

Host: Sam_Salhi (Microsoft)
Q: So these packages will allow the older versions of Windows to respond to the RADIUS requests and authenticate?
A: Yes, they're supposed to allow users to access the wireless network securely.

Moderator: Brian_B (Microsoft)
I'd like to thank Wajih and Sam from the Windows Secure Network Services product team for joining us today for this TechNet Chat.

Moderator: Brian_B (Microsoft)
...and the rest of you for your questions and comments.

Moderator: Brian_B (Microsoft)
Also look for our next IAS Chat in April at https://www.microsoft.com/technet/community/chats/default.mspx.

Moderator: Brian_B (Microsoft)
If you would like further information on these technologies, check out the following locations:

Moderator: Brian_B (Microsoft)
Windows 2003 WIFI Technology Center: https://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx

Windows XP Wireless Deployment Technology and Component Overview: https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx

Deploying a Secure Mobile Network Access Infrastructure (VPN/Wireless): https://www.microsoft.com/seminar/shared/asp/view.asp?url=/seminar/en/20030424vcon18/manifest.xml

Moderator: Brian_B (Microsoft)
Thanks for your interest and feedback! We are going to leave now.
