Windows 2003 / Enhanced

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

Introduction

This technote describes how to set up the Internet Authentication Service (IAS) on a Microsoft Windows 2003 Server. It walks the user through the steps of linking the SonicWALL security appliance and the IAS server so that the IAS server responds to user authentication requests and sends back a filter-id, which can be used in rules and applied to VPN clients.

This document contains the following sections:

Configuring the Windows 2003 Server for IAS to Support RADIUS Clients
Configuring the Windows 2003 Server for RADIUS User Management
Configuring the SonicWALL Security Appliance to Support the Authentication Method

Tested Versions

SonicOS Enhanced 3.1.0.7

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.
Configuring the Windows 2003 Server for IAS to Support RADIUS Clients

1. On the Windows 2003 Server, verify that you have applied the latest Service Pack and hotfixes. Also, verify that the Remote Access and Routing Service is running.
2. Open the control panel on the Windows server, find the add and remove software item in the list, select Windows components, then find Networking services and click Details. Check Internet Authentication Service (screen shot below) and click OK.
3. After the installation, you can find the IAS under the administration tools. Start the IAS and select New RADIUS Client.
4. Enter the Name and IP address of the SonicWALL security appliance that the client requests will come from.
5. Select RADIUS Standard (also the default option) and enter a Shared secret. This shared secret is needed later on the SonicWALL security appliance, so note it for future reference.
6. Set up the access criteria for the users: right-click Remote Access Policies and select New Remote Access Policy.
7. A wizard will appear. Click Next.
8. Select Set up a custom policy and enter a description for this access policy. Click Next.
9. Click Add. A window with the different authentication criteria will pop up.
10. From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user based on which group the user is a member of in the Windows AD, or Windows user group.
11. Click Add, then find and select the Windows Group that the user must be a member of in order to authenticate successfully. Click OK.
12. Here is how it should look. You could add more groups, but in this scenario the user only needs to be a member of one group, and we also need to send back a specific filter-id that represents this group on the SonicWALL security appliance.
13. Click Next.
14. This needs to be a Grant remote Access Permission policy. Click Next.
15. Click Edit Profile.
16. Select the Authentication tab, and uncheck any options except the Unencrypted authentication (PAP, SPAP).
17. Select the Advanced tab, and click Add.
18. A list of Attributes will appear. From this list we need the Filter-id option. Click Add.
19. In the subsequent window, add a text string that the IAS should send back to the SonicWALL security appliance along with an authentication success message. This text string should match a previously added User Group on the SonicWALL security appliance.
20. Enter the Group name as defined on the SonicWALL security appliance (note that it is case sensitive), and click OK.
21. Click OK. That completes the IAS configuration. If you have other groups in the AD that need different access, you can add more Remote authentication policies.
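
What the SonicWALL receives when IAS accepts a user, as an added example that is not part of the original technote: the sketch builds a constructed Access-Accept carrying the Filter-Id attribute, checks its Response Authenticator against the shared secret as RFC 2865 defines it, and compares the returned string case-sensitively with the appliance's group name. The secret, packet identifier and function names are assumptions made for illustration; the group name SW is the one used in the test step of this technote.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, FILTER_ID = 2, 11  # RFC 2865 packet code and attribute type
# Constructed sample values, not captured traffic or a real secret.
SECRET, REQUEST_AUTH = b"example-shared-secret", bytes(range(16))

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, filter_id):
    """Construct a sample Access-Accept carrying one Filter-Id attribute."""
    value = filter_id.encode()
    attrs = struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def filter_ids(packet, request_auth, secret):
    """Verify the reply against the shared secret, then return its Filter-Id strings."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    auth, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("response authenticator mismatch")
    found, pos = [], 0
    while code == ACCESS_ACCEPT and pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == FILTER_ID:
            found.append(attrs[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return found

def group_matches(packet, local_group):
    """Case-sensitive comparison against the group name defined on the appliance."""
    return local_group in filter_ids(packet, REQUEST_AUTH, SECRET)

SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, "SW")

if __name__ == "__main__":
    print(filter_ids(SAMPLE, REQUEST_AUTH, SECRET), group_matches(SAMPLE, "sw"))
```

Because the reply is authenticated only by this MD5 over the shared secret, the secret entered in step 5 should be long and random.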

Configuring the Windows 2003 Server for RADIUS User Management

1. Navigate to the user management on the Windows 2003 Server. Here we have a few things to check and edit for the users that are supposed to authenticate through the SonicWALL and IAS.
2. Select the Dial-in tab, and check the Allow access option.
3. Select the Member Of tab, and either add the user to the correct group or check that the user is already in it. It should be the same group that you added in the IAS under Windows Groups.

This completes the configuration for User Management on the Windows 2003 Server.

Configuring the SonicWALL Security Appliance to Support the Authentication Method

1. Select the User menu, and select the settings item. Select RADIUS as the Authentication Method and click Configure.
2. Enter the IP address of the IAS server, and enter the Shared Secret that you previously entered on the IAS.
3. In the RADIUS Users tab, check the Use RADIUS Filter-ID attribute on RADIUS Server option, and click Apply.
4. Navigate to the Test tab and enter the username and password of a user belonging to the SW group. It should now report back as the screen shot below indicates.

As you can see in the Returned User Attributes box below, the SW text string is returned to the SonicWALL security appliance along with a Succeeded message. The SonicWALL can now use the derived group membership or user information within Access Rules, GroupVPN Policies, or for Content Filtering policy application.

This provides a very flexible and highly controllable way of handling access rights for each user in an already existing Windows AD.

Last Updated: August 2005