About RADIUS authentication

RADIUS is an industry standard authentication protocol used by Microsoft Forefront Threat Management Gateway to authenticate outbound Web proxy requests, incoming requests for published Web servers, and VPN client requests. Forefront TMG is configured as a RADIUS client and authenticates requests against the RADIUS server. Using RADIUS authentication, Forefront TMG does not need to be a domain member to authenticate users. This topic describes procedures for using IAS as the RADIUS server. For more information about the RADIUS authentication process in IAS, see IAS as a RADIUS server at Microsoft TechNet. Note that Windows Server 2008 uses Network Policy Server (NPS) as a RADIUS server. For more information, see Network Policy Server Infrastructure at Microsoft TechNet.

Limitations

There are a number of limitations using RADIUS authentication:

  • Only unencrypted Password Authentication Protocol (PAP) can be used when authenticating outbound Web proxy requests. With PAP the password travels in the User-Password attribute, protected only by the RADIUS hiding mechanism described under Security considerations. If you use RADIUS for VPN in addition to Web proxy authentication, you may want to split your remote access policies so that VPN connections cannot use PAP.
  • Forefront TMG challenges for credentials with HTTP Basic authentication, so users are prompted to enter them. Basic authentication sends credentials base64-encoded rather than encrypted, so protect the client connection with SSL wherever possible.
  • If rules require authentication, Firewall client cannot be used.
  • A rule with RADIUS authentication can be applied to a specific user or to all users in the RADIUS namespace, but not to a specific group. As an alternative, you can configure a remote access policy for a specific group on the RADIUS server.
  • When user names are specified in any language other than English, Forefront TMG uses the current code page installed on the Forefront TMG server to translate the user data. The user can be authenticated only if the client uses the same code page.
  • Every time a client request matches a rule that requires authentication, Forefront TMG reauthenticates the client against the RADIUS server. This may cause heavy RADIUS traffic on busy sites. To reduce traffic, you can set the SingleRADIUSServerAuthPerSession COM setting from its default value of false to true. Credentials that are successfully validated are then cached, and subsequent requests on the same TCP connection are compared with the cached credentials rather than revalidated with the RADIUS server. Note that a cached credential remains valid for the life of that connection even if the account is disabled or the password is changed on the RADIUS server in the meantime.
  • Forefront TMG includes little information in the Access-Request packet (only NAS IP, NAS Port, User-Name, and User-Password). If other RADIUS clients run on the same computer, the RADIUS server can tell their requests apart from Forefront TMG's only by the extra attributes those services include. For example, Routing and Remote Access acting as a VPN server adds more attributes to the Access-Request packet than Forefront TMG does. So if you need different VPN and Outlook Web Access authentication policies on the same Forefront TMG computer, you must make the remote access policies match on an attribute that only one of the two request types carries.

Security considerations

The RADIUS User-Password hiding mechanism might not provide sufficient protection for passwords. It hides the User-Password attribute (and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys) by XORing the value with an MD5 keystream derived from the RADIUS shared secret and the Request Authenticator. The shared secret is the only secret input, so anyone who captures the packet and knows, or can guess, the shared secret can recover the password. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used.

You can provide additional protection for hidden attributes by using Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES), or AES where the IPsec implementation offers it, in order to provide data confidentiality for the entire RADIUS message. Follow these guidelines:

  • Use an IPsec policy to provide additional security for RADIUS clients and servers. IPsec provides you with the ability to secure RADIUS servers against unwanted traffic by filtering specific network adapters (allowing or blocking specific protocols) and enabling you to choose source IP addresses from which traffic is allowed. For organizational units, you can create IPsec policies, which are stored in Active Directory. Or, you can create local policies on RADIUS servers and apply these policies to specific computers.
  • Require the use of strong user passwords.
  • Use authentication counting and account lockout to help prevent a dictionary attack against a user password. Enforce strong password policies on your network to make dictionary attacks more difficult.
  • Use a strong shared secret:
      • Use a random sequence of letters, numbers, and punctuation. Change it often to help protect your IAS server.
      • Use a different shared secret for each RADIUS server-RADIUS client pair. You must use the same case-sensitive shared secret on both the RADIUS server and the RADIUS client.
      • To ensure a random shared secret, generate a random sequence at least 22 characters long. You can use a shared secret of up to 128 characters in length.
  • Message authenticator. Shared secrets verify that RADIUS messages (except for the Access-Request message) are sent by a RADIUS-enabled device that is configured with the same shared secret, and that the message has not been modified in transit (message integrity); for responses this is done by the Response Authenticator, an MD5 hash over the response and the shared secret. By default, there is no cryptographic verification of the incoming Access-Request message: the RADIUS server verifies only that the message originated from an IP address for a configured RADIUS client, and source IP addresses can be spoofed. The solution is to require the Message-Authenticator attribute in all Access-Request messages. The Message-Authenticator attribute (RFC 2869) is an HMAC-MD5 of the entire Access-Request message, keyed with the shared secret, computed with the attribute's own value set to zeros. Note that if you select Always use message authenticator on the RADIUS client, make sure that your RADIUS server is capable of receiving and is configured to receive message authenticators, or every Access-Request will be rejected.
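
The following Python script is an added example; it is not code from this page, from Forefront TMG or from IAS. It implements the RFC 2865 User-Password hiding and Response Authenticator and the RFC 2869 Message-Authenticator over the minimal attribute set the limitations above say Forefront TMG sends (User-Name, User-Password, NAS IP, NAS Port). Every value in it is constructed: the shared secret "radius", the user "alice" with password "P@ssw0rd", the NAS address 10.0.0.2 and a fixed Request Authenticator (a real client must send a fresh, unpredictable one in every request). It shows two things the text above states: an attacker holding one captured Access-Request/Access-Accept pair can test shared-secret guesses offline against the Response Authenticator and, once the secret is found, unhide the password; and an Access-Request without a Message-Authenticator gives the server nothing to verify, while one that carries it fails verification as soon as the secret is wrong or a byte of the packet is changed.

```python
"""RADIUS packet protection (RFC 2865 / RFC 2869), constructed example.
The secret, password, addresses and Request Authenticator are made up."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

# Fixed for reproducibility only; a real client sends a fresh, unpredictable
# 16-byte Request Authenticator in every Access-Request (RFC 2865 section 3).
REQUEST_AUTH = bytes(range(16))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: null-pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.  The
    shared secret is the only secret input, so a weak one exposes the password."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: what the server (or an attacker who knows the
    shared secret) does with a captured User-Password attribute."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        yield kind, pkt[pos + 2:pos + length], pos
        pos += length


def build_access_request(secret, ident, username, password, nas_ip, nas_port,
                         request_auth=REQUEST_AUTH, with_message_authenticator=True):
    """Minimal attribute set, optionally with an RFC 2869 Message-Authenticator:
    HMAC-MD5 over the whole packet, keyed with the secret, value zeroed while hashing."""
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(NAS_PORT, struct.pack("!I", nas_port))]
    if not with_message_authenticator:
        return packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs.append(attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # Message-Authenticator is the last attribute


def verify_message_authenticator(pkt, secret):
    """Server-side check.  Returns False when the attribute is absent: the server
    then has only the (spoofable) source IP address to go on."""
    for kind, value, pos in parse_attrs(pkt):
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_access_accept(secret, request_pkt, attrs=()):
    """Response Authenticator (RFC 2865 section 3): MD5 over the response header,
    the Request Authenticator, the response attributes and the shared secret."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_pkt[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret, request_pkt, response_pkt):
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20]
                           + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def guess_shared_secret(request_pkt, response_pkt, candidates):
    """Offline dictionary attack: one captured request/response pair lets each
    guess be checked against the Response Authenticator with no further traffic."""
    for cand in candidates:
        if verify_response(cand, request_pkt, response_pkt):
            return cand
    return None


def demo():
    secret = b"radius"                         # constructed, deliberately weak
    req = build_access_request(secret, 7, b"alice", b"P@ssw0rd", "10.0.0.2", 443)
    acc = build_access_accept(secret, req)
    found = guess_shared_secret(req, acc, [b"admin", b"secret", b"radius", b"changeme"])
    hidden = next(v for k, v, _ in parse_attrs(req) if k == USER_PASSWORD)
    return found, (reveal_password(hidden, found, req[4:20]) if found else None)


if __name__ == "__main__":
    print(demo())                              # (b'radius', b'P@ssw0rd')
```

Running demo() recovers both the shared secret and the user's password from the captured pair in a handful of guesses, which is the reason the guidelines above call for a long random shared secret and for IPsec around the whole RADIUS exchange; the 22-character random value recommended above takes this attack out of reach. The Message-Authenticator closes the spoofed-Access-Request gap but does nothing for password confidentiality, since it is built on the same shared secret.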

Configuring a RADIUS IPsec policy

The following procedures walk you through the creation of an IPsec policy for RADIUS, consisting of the following steps:

  1. Export the Forefront TMG configuration
  2. Configure IPsec policy on the Forefront TMG server
  3. Configure IPsec policy on the IAS (RADIUS) server
  4. Configure Forefront TMG to allow IPsec traffic to the RADIUS Server
  5. Configure RADIUS or IAS server and remote access policy
  6. Test the configuration

Export configuration settings

  1. In Forefront TMG Management, click the computer name node.
  2. In the tasks pane, click Export (Back Up) Array Configuration.
  3. Specify a file name and location for the saved configuration.
  4. Click Export. When the export operation is complete, click OK.

Configure IPsec policy on the Forefront TMG computer

Configuring IPsec includes creating a policy, creating a filter list and adding filters to it, creating filter actions, configuring rules that contain the filter lists and action, and placing the rules in the IPsec policy. The following sample names are used in the procedures below:

  • Policy: "RADIUS Policy"
  • Filter List: "RADIUS Traffic"
  • Filter action name: "Require Strong Encryption"
  • Rule name: "Encrypt traffic to RADIUS servers"

  1. On the Forefront TMG server, open the MMC and add the IP Security Policy Management snap-in.

  2. To create the IPsec policy, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static add policy name="RADIUS Policy" qmpermm=0 mmlifetime=480 activatedefaultrule=no mmsecmethods="3DES-SHA1-2 3DES-MD5-2"
    
  3. To create the filter list, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static add filterlist name="RADIUS Traffic" description="Matches all RADIUS traffic to RADIUS Server"
    
  4. In the IPSec Policy Management console, right-click the IP Security Policies on Local Computer node, and then click Manage IP filter lists and filter actions.

  5. On the Manage IP filter lists and filter actions dialog box, click the Manage IP Filter Lists tab. The empty filter list is displayed.

  6. To create a filter, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. The address 172.10.10.10 is a placeholder for the RADIUS server; substitute its real IP address. Because mirrored=yes, the filter also matches the replies from UDP port 1812 on the RADIUS server back to the Forefront TMG server:

    netsh
    netsh> ipsec static add filter filterlist="RADIUS Traffic" srcaddr=me dstaddr=172.10.10.10 dstmask=32 protocol=udp mirrored=yes srcport=0 dstport=1812
    
  7. To create a filter action, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. With inpass=no and soft=no, unprotected RADIUS traffic is neither accepted nor fallen back to if negotiation fails:

    netsh
    netsh> ipsec static add filteraction name="Require Strong Encryption" qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]:3600s"
    
  8. On the Filter Action tab, double-click the filter action, and check that the Security Methods tab displays the properties that you typed at the command line.

  9. To create a rule, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. The preshared key 123456789 is a placeholder only: use a long random value, configure the identical key in the rule on the IAS server, and consider certificate or Kerberos authentication for the IPsec peers instead of a preshared key:

    netsh
    netsh> ipsec static add rule name="Encrypt traffic to RADIUS Servers" policy="RADIUS Policy" filterlist="RADIUS Traffic" filteraction="Require Strong Encryption" psk=123456789
    
  10. In the IPSec Policy Management console, right-click the policy you have created, and then click Properties. Check that the rule you created is displayed on the Rules tab.

  11. To assign the policy, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static set policy name="RADIUS Policy" assign=yes
    
  12. In the IPsec Policy Management console, verify that the policy is assigned a Yes status.

Configure IPsec policy on the IAS Server

  1. To create the IPsec policy, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static add policy name="TMG Policy" qmpermm=0 mmlifetime=480 activatedefaultrule=no mmsecmethods="3DES-SHA1-2 3DES-MD5-2"
    
  2. To create the filter list, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static add filterlist name="RADIUS Traffic"
    
  3. To create a filter and add it to the filter list, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. The filter is written from the IAS server's point of view: the remote address is the Forefront TMG server and the local address (me) is the IAS server receiving on UDP port 1812, with mirrored=yes covering the replies. Replace 192.0.2.10, a placeholder, with the Forefront TMG server's IP address:

    netsh
    netsh> ipsec static add filter filterlist="RADIUS Traffic" srcaddr=192.0.2.10 srcmask=32 dstaddr=me protocol=udp mirrored=yes srcport=0 dstport=1812
    

    The filter will be displayed in the IP Filter List tab.

  4. To create the filter action, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. It must offer the same security methods as the action on the Forefront TMG server, or quick mode negotiation will fail:

    netsh
    netsh> ipsec static add filteraction name="Require Strong Encryption" qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]:3600s"
    

    The action is displayed on the Filter Action tab.

  5. On the Filter Action tab, double-click the filter action, and check that the Security Methods tab displays the properties that you typed at the command line.

  6. To create a rule, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line. The rule belongs to the "TMG Policy" created in step 1, and the preshared key must be identical to the one configured in the rule on the Forefront TMG server (123456789 is a placeholder; use a long random value):

    netsh
    netsh> ipsec static add rule name="Encrypt traffic to RADIUS Servers" policy="TMG Policy" filterlist="RADIUS Traffic" filteraction="Require Strong Encryption" psk=123456789
    
  7. In the IPSec Policy Management console, right-click the policy you have created, and then click Properties. Check that the rule you created is displayed on the Rules tab.

  8. To assign the policy, open a command prompt, type netsh, and then type the following at the netsh> prompt in a single line:

    netsh
    netsh> ipsec static set policy name="TMG Policy" assign=yes
    
  9. In the IPsec Policy Management console, verify that the policy is assigned a Yes status.

Configure Forefront TMG to allow IPsec traffic to RADIUS

  1. Right-click Firewall Policy in the Forefront TMG Management console tree.
  2. Point to New, and then click Access Rule.
  3. In the Welcome page of the access rule wizard, specify a name for the rule: Allow IKE and ESP to RADIUS server. Then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, select Selected protocols from the drop-down list box, and then click Add. Expand the VPN and IPsec protocol group and add IKE Client and IPsec ESP. Click Close, and then click Next.
  6. On the Access Rule Sources page, click Add. Expand Networks, click Local Host, click Add, and then click Close. Click Next.
  7. On the Access Rule Destinations page, click Add. Click New and select Computer. In the dialog box that appears, specify the RADIUS server’s IP address and a name for the server. Click OK. Expand Computers, select the RADIUS server, click Add, and then click Close. Click Next.
  8. On the User Sets page, leave the default All Users, and then click Next.
  9. On the summary page, review the configuration, and click Finish.