Securing RADIUS traffic with IPSec

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Internet Protocol security (IPSec) lets you protect RADIUS servers from unwanted traffic: IPSec filters can permit or block specific protocols and ports on specific network adapters, and can restrict the source IP addresses from which traffic is accepted. You can create IPSec policies for organizational units, in which case the policies are stored in Active Directory and applied through Group Policy, or you can create local policies on individual RADIUS servers. Note that a permit or block filter action only controls which hosts can reach the RADIUS ports; it does not protect the RADIUS messages themselves. RADIUS hides only the User-Password attribute (using the shared secret), and other attributes, such as User-Name, are sent in clear text. To protect the messages in transit, use a filter action that negotiates security (ESP) between the RADIUS server and a network access server that also supports IPSec.

For more information about organizational units and Group Policy, see Organizational units, Group Policy integration, and Create a new organizational unit.

Before you create IPSec filters, determine the type of traffic that each RADIUS server must accept. Filters that are too strict block legitimate traffic. For example, if IAS is installed on a domain controller and all IP traffic except RADIUS is blocked, user queries for Active Directory objects (such as printers) against the global catalog on TCP port 3268 fail, as does other traffic the domain controller must serve. Conversely, filters that are too general leave the RADIUS server exposed to unwanted traffic. For more information, see Special IPSec considerations and Filter list.

RADIUS messages are sent over the User Datagram Protocol (UDP). RFC 2865 and RFC 2866 assign UDP port 1812 to RADIUS authentication messages and UDP port 1813 to RADIUS accounting messages. When you create inbound and outbound IPSec filters, UDP traffic to these ports on the RADIUS server must be permitted (a mirrored filter covers the replies). However, some network access servers still use the older port numbers: UDP port 1645 for authentication and UDP port 1646 for accounting. By default, IAS listens on both sets of ports. If your network access servers use UDP ports 1645 and 1646, create IPSec filters that allow traffic on those ports as well; if none of your clients use them, consider removing them from the IAS port configuration so that they need not be opened. For information about changing the UDP ports that IAS uses, see Configure IAS port information. For more information about defining IP filter lists, see Internet Protocol Security (IPSec) and Define IP Filter Lists.
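The following script is an added example, not part of the original article, showing the filtering described above as a local IPSec policy built with the netsh ipsec static context on Windows Server 2003. It permits the RADIUS ports only from two known network access servers and blocks them from every other host, while leaving all other traffic alone so that it is safe on a domain controller. The NAS addresses 192.0.2.10 and 192.0.2.11 are constructed for the example, and the policy, filter-list and filter-action names are arbitrary.

```batch
@echo off
rem Added example (not from the original article): local IPSec policy for an
rem IAS server. RADIUS is accepted only from two known network access servers;
rem RADIUS from any other source is blocked. Nothing else is filtered, so
rem Kerberos, LDAP and global catalog traffic on a domain controller are
rem unaffected.
rem
rem Assumptions (constructed for this example): NAS addresses 192.0.2.10 and
rem 192.0.2.11; the policy, filter-list and filter-action names are arbitrary.
rem Run from an administrative command prompt on the IAS server.

setlocal
set POLICY=RADIUS-Filtering
set ALLOWLIST=RADIUS from known NASes
set ANYLIST=RADIUS from any host

rem 1. Create the policy container. It is assigned only at the end, once all
rem    rules exist, so a half-built policy is never active.
netsh ipsec static add policy name="%POLICY%" description="Restrict RADIUS to known network access servers"

rem 2. Filter list: RADIUS ports from each known NAS to this server ("Me").
rem    mirrored=yes adds the matching outbound filter so replies are covered.
rem    Both the RFC 2865 ports (1812/1813) and the legacy ports (1645/1646)
rem    are listed because IAS listens on both by default.
netsh ipsec static add filterlist name="%ALLOWLIST%"
for %%A in (192.0.2.10 192.0.2.11) do (
    for %%P in (1812 1813 1645 1646) do (
        netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=%%A dstaddr=Me protocol=UDP srcport=0 dstport=%%P mirrored=yes description="RADIUS %%P from %%A"
    )
)

rem 3. Filter list: the same ports from any source. Windows IPSec applies the
rem    most specific matching filter, so the per-NAS permit filters above take
rem    precedence over this general block filter.
netsh ipsec static add filterlist name="%ANYLIST%"
for %%P in (1812 1813 1645 1646) do (
    netsh ipsec static add filter filterlist="%ANYLIST%" srcaddr=Any dstaddr=Me protocol=UDP srcport=0 dstport=%%P mirrored=yes description="RADIUS %%P from any host"
)

rem 4. Filter actions and the rules that tie lists to actions.
netsh ipsec static add filteraction name="Permit RADIUS" action=permit
netsh ipsec static add filteraction name="Block RADIUS" action=block
netsh ipsec static add rule name="Permit RADIUS from known NASes" policy="%POLICY%" filterlist="%ALLOWLIST%" filteraction="Permit RADIUS"
netsh ipsec static add rule name="Block RADIUS from other hosts" policy="%POLICY%" filterlist="%ANYLIST%" filteraction="Block RADIUS"

rem 5. Assign the policy and display it for review.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Two points about the design. First, the permit filters name specific source addresses and the block filter uses Any; Windows IPSec orders filters by specificity rather than by the order in which rules are added, which is what makes the permit-then-block pair work. Second, a permit action does not encrypt anything: for a network access server that itself supports IPSec, replace the permit filter action with one that uses action=negotiate so that ESP is negotiated between the two hosts and the RADIUS exchange gains confidentiality and integrity beyond what the shared secret provides. To deploy the same policy to an organizational unit instead of the local store, point netsh at the Active Directory store with the netsh ipsec static set store command before adding the policy, or build the equivalent policy with the IP Security Policies snap-in in Group Policy.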

You can use the IP Security Policies snap-in and Group Policy to configure IPSec policy for organizational units. For more information, see Group Policy.

You can use the Local Security Policy console to configure IPSec policy for individual RADIUS servers. For more information, see Local Security Policy.

For information about how to create IP filters for remote access clients, see IAS Network Access Quarantine Control.

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.