Configuring RADIUS authentication for Web requests

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Forefront TMG can use RADIUS servers to authenticate outbound Web proxy requests from internal clients located in networks protected by Forefront TMG. This topic describes the steps required to configure RADIUS authentication in this scenario:

  1. Install the RADIUS server, configure Forefront TMG as a RADIUS client, and specify RADIUS server settings in Forefront TMG. For instructions on these steps, see Configuring RADIUS servers. The procedures use Internet Authentication Service (IAS) as a RADIUS server. IAS is the RADIUS server implementation included in Windows Server 2003. Windows Server 2008 uses Network Policy Server (NPS). For more information, see Network Policy Server Infrastructure at Microsoft TechNet.

  2. Configure the RADIUS server remote access policy to accept Forefront TMG authentication requests. For RADIUS Web proxy authentication, only Password Authentication Protocol (PAP) is supported. For more information on remote access policy types, see Choosing a remote access policy type in Windows Server 2003 online Help.

  3. Optionally, apply the remote access policy to a specific Active Directory group. When you create an access rule authenticated by RADIUS, the rule can be applied to a specific user or to all users in the RADIUS namespace (when the RADIUS server belongs to a domain, this is any user who can successfully authenticate in Active Directory). This is a limitation if you want to apply the rule to a particular group. As a workaround, you can create an Active Directory group, and then apply a RADIUS remote access policy to the group.

  4. On the network from which client requests are received, configure RADIUS authentication for Web proxy requests.

  5. Create a RADIUS user set for use in the access rule.

  6. Create an access rule based on RADIUS authentication.

Configuring PAP authentication

Depending upon the operating system, IAS has a number of default remote access policies. In the case of IAS running on Windows Server 2003, you can modify the Connections to other access servers policy.

To configure PAP authentication

  1. In the Internet Authentication Service console, click Remote Access Policies, and then, in the details pane, double-click Connections to other access servers.

  2. On the Settings tab, click Edit Profile.

  3. On the Authentication tab, click Unencrypted authentication (PAP, SPAP), and then click OK.

  4. Click OK to close the dialog box.

To create a user group for use in the remote access policy (optional)

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click to expand the domain name.

  3. Right-click Users, click New, and then click Group.

  4. Type a name for the new group. For example: WebProxy_Clients

  5. Click to select Global Domain for the Group Scope, and then click to select Security for the Group Type.

  6. In the Users list, for each user you want to add to the group, double-click the user name to display its properties. Then on the Dial-in tab, verify that Control access through Remote Access Policy is selected, and then click OK.

To add the user group to the remote access policy (optional)

  1. In the Internet Authentication Service console, click the Remote Access Policies node, and then in the details pane, double-click the Connections to other access servers remote access policy.

  2. On the Settings tab, select Grant remote access permission, and then, in Policy conditions, click Add.

  3. In the Attribute types list, click Windows-Groups, and then click Add.

  4. On the Groups dialog box, click Add.

  5. On the Select Groups dialog box, specify the groups to be allowed access (in our example, the WebProxy_Clients group), and then click OK.

  6. Click OK to close the Groups dialog box, and then click OK to close the remote access policy properties.

    Note

    You can also select Deny remote access permission to deny access to specified Windows groups. For example, you can set the Forefront TMG access rule to allow access to all users in the RADIUS namespace, and then set the remote access policy to exclude specific groups.

Configuring RADIUS authentication for Web proxy requests

Before configuring RADIUS as the authentication method, ensure that the network is enabled for Web proxy requests. For instructions, see Enabling a network to receive Web proxy requests.

To configure RADIUS authentication for Web proxy requests

  1. On the Web Proxy tab of the required network properties, click Authentication.

  2. In the authentication methods list, select RADIUS.

    Important

    You cannot select another method of authentication with RADIUS. Authentication against the RADIUS server uses Basic authentication.

  3. Click Select Domain to specify the domain in which the RADIUS server will authenticate clients.

  4. Click RADIUS servers to view RADIUS server details. If a RADIUS server is not configured, see Configuring RADIUS servers for instructions.
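The Important note above states that the credentials are Basic (PAP) credentials. As an added example that is not Forefront TMG or IAS code, the block below implements the RFC 2865 User-Password hiding that carries such a password in a RADIUS Access-Request, and its inverse: the password is only masked with MD5 of the shared secret and the Request Authenticator, so anyone holding the shared secret (or able to guess a weak one) recovers it. The packet builder, attribute constants and sample values are constructed for illustration.

```python
"""RFC 2865 PAP password hiding as used between a RADIUS client such as
Forefront TMG and the RADIUS server. Constructed example, not product code."""
import hashlib
import os
import struct

ATTR_USER_NAME, ATTR_USER_PASSWORD, CODE_ACCESS_REQUEST = 1, 2, 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple; XOR each block with MD5(secret + previous block),
    seeded with the 16-byte Request Authenticator (RFC 2865 section 5.2)."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the shared secret alone recovers the password,
    which is why PAP over RADIUS needs a strong secret and a protected network path."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator=None) -> bytes:
    """Minimal Access-Request: header, Request Authenticator, User-Name,
    and the hidden User-Password attribute (PAP). Constructed layout per RFC 2865."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
```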

Creating a RADIUS user set

RADIUS authentication does not recognize Windows security groups. Instead, create a RADIUS user set to use in the access rule.

To create a RADIUS user set

  1. In Forefront TMG Management, click Firewall Policy.

  2. On the Toolbox tab, click Users, then click the New menu.

  3. On the Welcome page of the New User Sets Wizard, type in a name for the new group. For example: RADIUS_Users

  4. On the Users page, click Add, and then click RADIUS.

  5. On the Add User dialog box, click All Users in Namespace. To specify an individual user, type the user name in exactly the same way that the user will type credentials on the authentication page, and then click OK.

  6. On the Users page, click Next.

  7. Click Finish to complete the wizard.

Create an access rule to allow outbound Web requests

This procedure allows access from the default Internal network to the Internet. Replace the Sources and Destinations as required.

To create an access rule to allow outbound Web requests

  1. In Forefront TMG Management, right-click Firewall Policy, point to New, and then click Access Rule.

  2. On the Welcome page, type in a name for the new rule (for example: WebProxy_RADIUS), and then click Next.

  3. On the Rule Action page, click Allow, and then click Next.

  4. On the Protocols page, do one of the following, and then click Next:

    • To specify Web traffic only, leave the default Selected protocols setting, and then click Add. On the Add Protocols dialog box, expand Web, select HTTP, and then click Add. Add HTTPS and FTP if required. Click Close to close the Add Protocols dialog box.

    • Alternatively, to allow all traffic, leave the All outbound traffic default.

  5. On the Access Rule Sources page, click Add.

  6. On the Add Network Entities dialog box, click to expand Networks, select Internal, and click Add. Click Close to close the dialog box, and then click Next.

  7. On the Access Rule Destinations page, click Add.

  8. On the Add Network Entities dialog box, click to expand Networks, click External, and click Add. Click Close to close the dialog box, and then click Next.

  9. On the User Sets page, select All Users, and then click Remove.

  10. Click Add, and then on the Add Users dialog box, select the RADIUS user set. Click Add, click Close, and then click Next.

  11. Click Finish to complete the wizard.

This rule will allow access to all users that can be authenticated on the domain for which the RADIUS server provides authentication. If you have created a remote access policy on the RADIUS server for a specific user group, then access will be limited to that group.

Copyright © 2009 by Microsoft Corporation. All rights reserved.