This Help topic provides instructions for users who wish to configure a
Windows 2000 Advanced Server or Windows Server 2003 to provide RADIUS
authentication. It includes steps for configuring the Internet Authentication
Service (IAS), and for creating users in Active Directory. Policy Manager has
been designed to work with a RADIUS server for authentication. IAS implements
the RADIUS protocol and authenticates users connecting to the network over a
LAN, a virtual private network (VPN), or a dial-up connection.
It is recommended that you begin by reading the Policy Manager Authentication
Configuration Guide for general authentication instructions prior to
following the steps here. Windows 2000 Advanced Server and Windows Server 2003
users should follow the steps in this topic, instead of the Installing and
Configuring the RADIUS Server section in the Authentication Configuration Guide.
The recommended sequence for performing the configuration is listed below.
When you have completed these instructions, refer back to the sections Configuring
RADIUS in Policy Manager and Testing
Authentication in the Authentication Configuration Guide for instructions on
how to use Policy Manager to configure authentication parameters on your
devices, and verify that the users created in Active Directory can authenticate
to the network.
NOTE: The following instructions assume that you already have IAS installed on your computer.
Instructions on:
- Configuring Active Directory
- Configuring Internet Authentication Service (IAS)
  - Specifying RADIUS Port Numbers
  - Adding RADIUS Client Devices
  - Adding a New Remote Access Policy
  - Registering IAS
  - Stopping and Restarting IAS
- Creating Users in Active Directory
  - Creating a User
  - Specifying User Permissions
- Configuring Devices and Testing Authentication
Configuring Active Directory
When the CHAP protocol is used, the "Store password using reversible encryption"
option must be enabled, because the server needs the clear-text password to verify
a CHAP response. You can enable this option globally for all users in the domain,
or for a specific user.
To enable this option globally:
- Select Start > Programs > Administrative Tools > Active
Directory Users and Computers.
- In the Active Directory Users and Computers window, right click on your
domain and select Properties.
- In the Group Policy tab, select "Default Domain Policy" and click
Edit.
- In the Group Policy window, navigate to Password Policy in the left-panel
Tree view: Computer Configuration > Windows Settings > Security
Settings > Account Policies > Password Policy.
- Right-click on "Store password using reversible encryption for all users
in the domain" and select Security.
- In the Security Policy Setting window, select the "Define this policy
setting" checkbox and the Enabled radio button. Click OK.
- Close all applications and restart the computer, and log into your
domain.
To enable this option for a specific user:
- Select Start > Programs > Administrative Tools > Active
Directory Users and Computers.
- In the Active Directory Users and Computers window, right-click on the
user and select Properties.
- In the Account tab, check "Store password using reversible encryption."
Click OK.
- Close all applications and restart the computer, and log into your
domain.
NOTE: The Windows 2000 Advanced Server Troubleshooting IAS Installation guide states: "After you enable reversibly-encrypted passwords in a domain, all users must change their passwords before they will be able to authenticate against the domain."
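Why CHAP requires the password to be stored reversibly is easiest to see in the arithmetic the server performs. The following Python is an added example written for this topic, not code from Policy Manager, IAS or Microsoft: it computes a CHAP response the way RFC 1994 specifies, packs it into the RADIUS CHAP-Password attribute value, and shows the server-side check that has to rebuild the same MD5 from the account's clear-text password. The password, identifier and challenges in it are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4.1):
    Response = MD5(Identifier || secret || Challenge), where the "secret" is
    the user's clear-text password."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_password_attribute(identifier: int, response: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3): one
    octet of CHAP Ident followed by the 16-octet CHAP Response. The challenge
    travels separately (CHAP-Challenge attribute or the Request Authenticator),
    so the password itself never appears in the packet."""
    if len(response) != 16:
        raise ValueError("the CHAP Response is 16 octets")
    return bytes([identifier]) + response


def server_verify(stored_password: bytes, challenge: bytes, chap_password: bytes) -> bool:
    """What the RADIUS server must do for a CHAP request: rebuild the MD5 over
    the account's CLEAR-TEXT password and compare. A one-way hash of the
    password cannot take part in this computation, which is why the account
    must be stored with reversible encryption for CHAP to work at all."""
    if len(chap_password) != 17:
        raise ValueError("the CHAP-Password value is 17 octets")
    identifier, response = chap_password[0], chap_password[1:]
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed values only: a valid exchange, a wrong stored password, and
    a response replayed against a fresh challenge."""
    password = b"constructed-user-password"
    challenge = os.urandom(16)
    attr_value = chap_password_attribute(42, chap_response(42, password, challenge))
    return {
        "correct_password": server_verify(password, challenge, attr_value),
        "wrong_password": server_verify(b"not-the-password", challenge, attr_value),
        "replayed_to_new_challenge": server_verify(password, os.urandom(16), attr_value),
    }


if __name__ == "__main__":
    print(demo())
```

The third result in demo() shows why the challenge has to be fresh for every request. The reversible-storage requirement is specific to CHAP (MD5-CHAP); MS-CHAP v2 is verified against the NT hash and does not need it, so enabling the option only for the accounts that must use CHAP, as the per-user procedure above allows, keeps the number of recoverably stored passwords to a minimum.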
Configuring Internet Authentication Service (IAS)
NOTE: Install the latest service pack, which is available at the Microsoft website, before configuring authentication for Windows 2000 Advanced Server or Windows Server 2003. The following instructions assume that you already have IAS installed on your computer.
Specifying RADIUS Port Numbers
Use the following steps to specify the RADIUS authentication and accounting port numbers.
- Select Start > Programs > Administrative Tools > Internet
Authentication Service. The Internet Authentication Service window opens.
- Right click on "Internet Authentication Service (Local)" and select
Properties.
- In the RADIUS Tab (for Windows 2000 Advanced Server) or the Ports Tab (for
Windows Server 2003), enter 1645 in the
Authentication field and 1646 in the
Accounting field.
- Click OK.
Adding RADIUS Client Devices
Follow these steps to add RADIUS clients (Policy Manager devices, not end users) to the server.
- In the Internet Authentication Service window (Start > Programs >
Administrative Tools > Internet Authentication Service), right click on the
Clients folder (for Windows 2000 Advanced Server) or the RADIUS Clients folder
(for Windows Server 2003), and select New > Client.
- Enter a Friendly Name and Protocol and then click Next.
- Enter the IP address of the RADIUS client and select a Client Vendor (for example,
RADIUS Standard).
- Enter a shared secret. A shared secret is a string of characters known to both
the RADIUS server and the device (RADIUS client); it is used to hide the user
password in, and to authenticate, the RADIUS messages exchanged between them.
Without a matching shared secret on both sides, the server and client will be
unable to communicate, and authentication attempts will fail. The shared secret
must be at least 6 characters long; 16 characters is recommended. Dashes are
allowed in the string, but spaces are not. Be sure to write the shared secret
down, as you will be adding it to the RADIUS client devices later.
- Click Finish.
- Repeat until all of your Policy Manager devices have been added.
Adding a New Remote Access Policy
Follow these steps to add a new Remote Access Policy. A Remote Access Policy is a
set of actions which is applied to a group of users that meet a specified set of
conditions.
NOTE: For information on configuring end user VLAN ID attributes (in compliance with RFC 3580) to be used in conjunction with VLAN to Role Mapping, refer to your device firmware and RADIUS server documentation.
- In the Internet Authentication Service window (Start > Programs >
Administrative Tools > Internet Authentication Service), right click on the
Remote Access Policies folder and select New > Remote Access Policy.
- Enter a Policy friendly name:
  - Windows 2000 Advanced Server: Enter a Policy friendly name and then click Next.
  - Windows Server 2003: Enter a Policy friendly name, select the "Set up a Custom
    Policy" radio button (rather than the Wizard), and then click Next.
- Follow these steps to add a condition. For example, to add a Windows Group
condition:
  - Click the Add button to open the Select Attribute window.
  - Select "Windows Groups" and click Add.
  - Click Add in the Groups window.
  - Select a domain group (for example, Domain Users) and click Add. Click OK.
  - Add more groups if needed in the Groups window. Otherwise, click OK.
- Click Next.
- In the Permissions window, select "Grant remote access permission" and
click Next.
- Add a User Profile for users who match the conditions you have specified:
  - Click the Edit Profile button to open the Edit Dial-in Profile window.
  - In the Authentication tab, select the appropriate authentication methods.
  - In the Advanced tab, remove all parameters, such as "Server-Type" and
    "Framed-Protocol", and click Add to add a Filter-Id attribute.
  - In the Add Attributes window, select "Filter-Id" and then click Add.
  - In the Multivalued Attribute Information window, click Add.
  - In the Attribute Information window, enter the attribute value:
    Enterasys:version=1:mgmt=su:policy=[role]
    where [role] is the role name to be applied to this user.
    CAUTION: Include :mgmt=su in the string only for users who should have administrative privileges and the ability to telnet to devices and/or use local management on devices when authentication is enabled. For other users, leave it out.
- Click OK to proceed through the windows and Finish.
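The shared secret described under Adding RADIUS Client Devices and the Filter-Id string entered in the profile above can be demonstrated together in one exchange. The following Python is an added example written for this topic, not code from Policy Manager or IAS: it implements the RFC 2865 packet layout, the User-Password hiding that the shared secret drives, the Response Authenticator that lets a device detect a reply computed with a different secret, and a parser that generalizes the page's single Filter-Id value to any key=value fields of the Enterasys:...:policy=[role] template. The user table, secrets, NAS address and role names are constructed; the port numbers are not modelled, but note that the 1645/1646 values this topic tells you to enter in IAS are the pre-RFC 2865 ports and the client devices must be configured with the same ones.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed server-side user table: user name -> (password, Filter-Id string built
# from the page's template Enterasys:version=1[:mgmt=su]:policy=[role]).
USER_DB = {
    b"alice": (b"Alice-Pass-1", b"Enterasys:version=1:policy=Employee"),
    b"bob": (b"Bob-Pass-2", b"Enterasys:version=1:mgmt=su:policy=Administrator"),
}

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    return bytes([attr_type, 2 + len(value)]) + value

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-octet blocks and XOR each
    block with MD5(secret || previous block), seeded with the Request Authenticator.
    Only a peer holding the same shared secret can reverse this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of section 5.2; the zero padding is stripped afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes

def response_authenticator(secret, code, ident, request_auth, attributes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    A reply computed with a different shared secret fails this check at the client."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def parse_attributes(pkt: bytes) -> list:
    """Walk the TLV list, bounded by the Length field in the header."""
    length = struct.unpack("!H", pkt[2:4])[0]
    pos, attrs = 20, []
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def parse_enterasys_filter_id(value: bytes) -> dict:
    """Split 'Enterasys:version=1:mgmt=su:policy=Admin' into its key=value fields."""
    fields = value.decode("ascii").split(":")
    if fields[0] != "Enterasys":
        raise ValueError("not an Enterasys Filter-Id string")
    return dict(field.partition("=")[::2] for field in fields[1:])

def build_access_request(secret, ident, username, password, nas_ip):
    request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(secret: bytes, request: bytes) -> bytes:
    """Minimal server: recover the password with the server's copy of the secret, check it
    against USER_DB, and reply with Access-Accept (carrying Filter-Id) or Access-Reject."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(parse_attributes(request))
    entry = USER_DB.get(attrs.get(USER_NAME))
    recovered = unhide_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    code, reply_attrs = ACCESS_REJECT, b""
    if entry and hmac.compare_digest(recovered, entry[0]):
        code, reply_attrs = ACCESS_ACCEPT, attr(FILTER_ID, entry[1])
    return packet(code, ident, response_authenticator(secret, code, ident, request_auth, reply_attrs), reply_attrs)

def simulate(client_secret, server_secret, username, password):
    """One exchange; returns (reply code, reply authentic at the client?, parsed Filter-Id or None)."""
    request, request_auth = build_access_request(client_secret, 7, username, password, "192.0.2.10")
    reply = server_handle(server_secret, request)
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(client_secret, code, ident, request_auth, reply[20:])
    authentic = hmac.compare_digest(reply[4:20], expected)
    attrs = dict(parse_attributes(reply))
    policy = parse_enterasys_filter_id(attrs[FILTER_ID]) if FILTER_ID in attrs else None
    return code, authentic, policy

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print(simulate(secret, secret, b"bob", b"Bob-Pass-2"))               # accept, authentic, mgmt=su role
    print(simulate(secret, b"different-secret", b"bob", b"Bob-Pass-2"))  # reject, not authentic
```

Running simulate() with a client secret that differs from the server's shows the failure mode described under Adding RADIUS Client Devices: the server cannot recover the password and rejects the request, and the device cannot validate the reply either, so from the device's side the outcome looks like a bad password until the secrets on both sides are compared. The parsed Filter-Id also makes it easy to audit which policies carry mgmt=su, which the CAUTION above restricts to administrative users.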
Registering IAS
Follow these steps to register the Internet Authentication Service in the Active
Directory, which enables IAS to authenticate users in the Active Directory.
- In the Internet Authentication Service window (Start > Programs >
Administrative Tools > Internet Authentication Service), right click on the
"Internet Authentication Service (Local)" and select Register Service in
Active Directory.
- Click OK.
Stopping and Restarting IAS
After completing the above steps to configure the Internet Authentication
Service, you must stop and restart the Service.
- In the Internet Authentication Service window (Start > Programs >
Administrative Tools > Internet Authentication Service), right click on the
"Internet Authentication Service (Local)" and select "Stop Service".
- Right click on the "Internet Authentication Service (Local)" and select
"Start Service".
Creating Users in Active Directory
Use these steps to create users and specify user permissions.
Creating a User
Create a new object for each user who will be authenticating.
- Select Start > Programs > Administrative Tools > Active
Directory Users and Computers. The Active Directory Users and Computers
window opens.
- Right click on the left-panel Users folder and select New > User.
- Proceed through the windows, entering the user name, password and other
relevant information. Click Finish.
Specifying User Permissions
The steps for specifying user permissions differ depending on whether you are
using Windows 2000 Advanced Server or Windows Server 2003.
Windows 2000 Advanced Server
The steps to specify user permissions depend on your domain operation mode.
There are two domain operation modes in Active Directory: Mixed Mode and Native
Mode. In Mixed Mode, user permission is specified in the User Properties window.
In Native Mode, user permission is specified in the Remote
Access Policy that is configured in the Internet Authentication Service. To
change the domain operation mode, consult the Microsoft Windows 2000 Advanced
Server documentation for guidance.
- Mixed Mode:
  - Right click on a user and select Properties. The User Properties window opens.
  - In the Dial-In tab, select either the "Allow access" or the "Deny Access" radio
    button in the Remote Access Permission (Dial-in or VPN) section.
  - Click OK.
- Native Mode:
  - Right click on a user and select Properties. The User Properties window opens.
  - In the Dial-In tab, select the "Control access through Remote Access Policy"
    radio button in the Remote Access Permission (Dial-in or VPN) section.
  - Go to the appropriate policy configured in the Internet Authentication Service
    and check either the "Grant remote access permission" or "Deny remote access
    permission" radio button in the policy's Properties window.
  - Click OK.
Windows Server 2003
For Windows Server 2003, user permission is specified in the Remote
Access Policy that is configured in the Internet Authentication Service.
- Right click on a user and select Properties. The User Properties window
opens.
- In the Dial-In tab, select the "Control access through Remote Access
Policy" radio button in the Remote Access Permission (Dial-in or VPN) section.
- Go to the appropriate policy configured in the Internet Authentication
Service and check either the "Grant remote access permission" or "Deny remote
access permission" radio button in the policy's Properties window.
- Click OK.
Configuring Devices and Testing Authentication
When you have completed the above instructions, refer to the sections Configuring
RADIUS Devices in Policy Manager and Testing
Authentication in the Authentication Configuration Guide for instructions on
how to use Policy Manager to configure authentication parameters on your
devices, and verify that the users created in Active Directory can authenticate
to the network.