Authenticating a Lucent Portmaster 3 with Microsoft IAS and Active Directory




The following tutorial will help you set up a Portmaster 3 to authenticate your dial-in users against Active Directory using IAS (Internet Authentication Service). IAS is Windows 2000's solution for authenticating RADIUS clients. You will need a Windows 2000 Domain Controller running IAS to proceed.

Setting up the Portmaster

You will need to decide on some information before setting up the Portmaster. Before proceeding, decide what will be used for the following:

   Hostname
   System Password
   IAS server IP address and secret
   DNS server IP address
   Line Type (T1/PRI)
   DHCP Address Range for dial in

For this example I used the following setup:

   Subnet:        172.16.0.0
   Mask:          255.255.0.0
   Gateway:       172.16.254.254
   Hostname:      myportmaster.mysite.domain.com
   Host IP:       172.16.254.253
   DHCP Pool:     172.16.1.1 - 172.16.1.16
   DNS:           172.16.254.14, 172.16.254.13
   SYSLOG Server: 172.16.254.4
   RADIUS Server: 172.16.254.10
   RADIUS Secret: radpass

1) Connect to the Portmaster via a null modem cable.
   a. I am not sure of the exact required serial settings, but 9600 8-N-1 works.
2) Log in to the Portmaster as root by entering:
   a. Username: !root
   b. Password: nopassword / blank
3) First set the System Name. This is the hostname of the Portmaster.
   a. set sysname myportmaster
4) Set the Password.

   a. set password mypass
5) Set the IP address of the RADIUS host. This is the IP address the Portmaster will use when communicating with the RADIUS server. It can be the same as the IP address you set for the first Ethernet port.
   a. set host 172.16.254.253
6) Set your default gateway. This can be your gateway to the Internet or a local router.
   a. set gateway 172.16.254.254
7) Turn off RIP advertisements.
   a. set default off
8) Set the name service to be either DNS or NS.
   a. set namesvc dns
9) Set the first name server IP address.
   a. set nameserver 172.16.254.14
10) Set the second name server IP address (if available).
   a. set nameserver 2 172.16.254.13
11) Now set the domain name of the Portmaster. This is just the name of the domain the Portmaster resides in. For example, if your Portmaster is named myportmaster.mysite.domain.com, then your domain name is mysite.domain.com.
   a. set domain mysite.domain.com
12) If you have a SYSLOG server running on your network, set the IP address of the SYSLOG server. It is good to use a SYSLOG server at least during the initial setup to help troubleshoot problems with the Portmaster. If you don't know how to set up SYSLOG on Unix, check out Kiwi Syslog. Kiwi Syslog has a free lite version that runs under Win32: http://www.kiwisyslog.com/
   a. set loghost 172.16.254.4
   b. You can also change the facility it will use when logging to the syslog server. If you don't change it, the Portmaster defaults to kernel.emerg.
      i. set termin port.authent
13) Now DHCP. To set up the address pool the Portmaster will hand out to dial-in users, enter the following with your own values.
   a. Enter the first address of the DHCP pool.
      set assigned 172.16.1.1
   b. Now enter how many addresses to use.
      set pool 15
      This will give me an address pool of 172.16.1.1 - 172.16.1.16.

14) Now set the address of the IAS / RADIUS server the Portmaster will authenticate to. Remember, this is your Active Directory Domain Controller that is running IAS.
   a. set auth 172.16.254.10
   Now you will need to establish a secret (or password). This secret is used by the RADIUS client (the Portmaster) to authenticate itself to the RADIUS server before it can authenticate your users.
   b. set secret radpass
15) After all of these configurations have been made you will need to save them to the Portmaster.
   a. save all

Now that the Portmaster is set up we need to configure its Ethernet port. In this example I am only going through setting up the first Ethernet port. You can repeat this process for the second Ethernet port by replacing 0 with 1 in the commands.

16) Give the Ethernet port an IP address. I made this the same as the host address that was used in Step #5.
   a. set ether0 172.16.254.253
17) Set the subnet mask of the Ethernet port.
   a. set ether0 netmask 255.255.0.0
18) Set the broadcast address. If you want to use a broadcast address of all ones (172.16.255.255) then use high; if you choose to use a broadcast address of all zeros (172.16.0.0) then use low. If you are unsure, just choose high, which is the most commonly used.
   a. set ether0 broadcast high
19) For a basic setup you will not need routing. If you choose to enable this feature after learning more about the Portmaster's functions, you can do that as well. Disable routing.
   a. set ether0 routing off
20) Now we need to set the Portmaster to use CHAP instead of PAP. CHAP stands for Challenge Handshake Authentication Protocol. This provides secure transmission of your users' passwords and allows the Portmaster to work with Active Directory. I have also found, in testing the two authentication methods, that CHAP works best with Mac OS 10.2.6. There seemed to be a couple of problems authenticating Mac OS 10.2.6 to the Portmaster using PAP.
   a. set chap on

   b. set pap off
21) Now save all your configurations.
   a. save all

The final thing to configure on the Portmaster is the telco line. You will need to contact your telephone provider if you are unsure of the line type, framing, encoding, or signaling. It will be helpful to have the reference guide from www.portmasters.com.

22) Set the line type. The line can be set up as isdn, t1, e1, fractional, isdnfractional, or inband. If you are unsure what you should use, look at the command reference from Portmaster (pages 303-304 in the PDF). In this setup we will use isdn. You should also use isdn if your line is a PRI circuit.
   a. set line0 isdn
23) Set the framing format. The framing format can be esf, d4, crc4, or fas. The most commonly used are esf and d4. In our example we used esf.
   a. set line0 framing esf
24) Set the encoding method. This can be b8zs, AMI, or hdb3.
   a. set line0 enc B8ZS
25) If you have a channelized T1 then you will need to set the signaling to either wink, immediate, or fxs.
   a. set line0 sig wink

Your Portmaster should be ready to go now. To view all the configurations you just made you can type: show global. If you slip up somewhere along this process or want to just start over, you can delete all the configurations; see the last page of this document. Otherwise proceed to Setting up IAS.

Setting up IAS

First we need to add the Portmaster to IAS as a RADIUS client. Here you will need to recall the Portmaster host address and the secret that were set up in the earlier steps.

1) Open IAS and click the Clients folder.
2) Right-click the Clients folder, then choose New Client.
3) For Friendly Name, name your Portmaster in IAS. I will just use my Portmaster's hostname.
   a. Friendly Name: myportmaster
4) Choose Protocol: RADIUS
5) Click Next.

6) For the Client Address (IP or DNS), enter the IP address of your Portmaster.
   a. 172.16.254.253
7) For Vendor choose: Livingston Enterprises
8) Check "Client must always send signature attribute". Now enter the secret you used in Step #14.
   a. Secret: radpass
   b. Confirm: radpass
   c. Click OK/Finish
9) Your Portmaster will now be listed in the Clients folder.
10) Now click Remote Access Policies in the left pane. Then right-click the policy "Allow access if dial-in permission is enabled" and choose Properties.
11) Check under "If a user matches a condition" that Grant Permission is selected.
12) Click Edit Profile.
13) Select the IP tab. Now choose "Server must supply an IP address".
14) Select the Authentication tab. The only thing that should be checked under this tab is: Encrypted Authentication (CHAP)
15) Click the Advanced tab.
16) Add the following parameters to match what is below.
   a. Framed-Compression: Van Jacobson
   b. Framed-Protocol: PPP

The Portmaster is now set up to communicate with IAS and authenticate your users. There are a couple of things that need to be set up in Active Directory and IAS to allow your users to log in.

Active Directory

The first thing to set up in Active Directory is Reverse Encryption. We need to tell Active Directory to store its users' passwords in an encrypted form instead of plain text. Active Directory defaults to storing the passwords in plain text. When you change to Reverse Encryption, all the current users in Active Directory will still have their passwords stored in plain text. The passwords for current users will not begin to be stored with Reverse Encryption until the password is reset for the user. After changing to Reverse Encryption I found myself having to reset the password on 300 user accounts. Keep in mind you can just reset the password to the same password without changing it. Any new users added after going to Reverse Encryption will have their passwords stored with Reverse Encryption.

* Using Reverse Encryption will not affect the functionality of your Active Directory domain, and you are also not required to change the password on every user in the domain for them to continue logging in to the domain.

1) Open the Active Directory Users and Computers snap-in.
2) Right-click your domain name in the left pane of the snap-in. Now choose Properties.
3) Click the Group Policy tab.
4) If you do not already have a Group Policy Object Link listed, click New and name it. Now double-click the Group Policy to edit it.
5) Now navigate to the following group policy key.
6) Now double-click the key "Store passwords using reversible encryption for all users in domain" and enable it. Click OK to save it.
7) Close Group Policy and click OK on the Domain Properties.

Now, if you will need to reset account passwords, I suggest going ahead and resetting the password on any account that you will be using for testing your dial-up setup. You could also just add a new account to Active Directory for testing the dial-up.
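The two settings that tie the sections above together are the shared secret with "Client must always send signature attribute" on the IAS side, and CHAP plus reversible password storage on the Portmaster/Active Directory side. The following Python script is an added example, not part of the original tutorial and not Portmaster or IAS code: it models the RADIUS Access-Request a NAS sends after a CHAP handshake (RFC 2865, RFC 1994) including the Message-Authenticator "signature" attribute (RFC 2869), and then performs the two checks the server makes, first the HMAC over the packet keyed with the shared secret, then the CHAP response, which the server can only recompute if it holds the user's password in recoverable form. The user name, password and shared secret in the script are constructed sample values.

```python
"""RADIUS Access-Request with CHAP, as exchanged between a NAS and IAS.

Added example; the user, password and shared secret below are constructed
sample values, not values from any real deployment.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1               # RFC 2865 attribute numbers
ATTR_CHAP_PASSWORD = 3           # 1 byte CHAP Ident + 16 byte MD5 response
ATTR_FRAMED_PROTOCOL = 7         # value 1 = PPP
ATTR_FRAMED_COMPRESSION = 13     # value 1 = Van Jacobson TCP/IP header compression
ATTR_CHAP_CHALLENGE = 60
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869; the "signature attribute" in IAS


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def _attr(atype, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(shared_secret, username, password, ident, challenge,
                         request_auth, pkt_id=0):
    """What the NAS (here the Portmaster) sends after the PPP CHAP exchange."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
             + _attr(ATTR_CHAP_CHALLENGE, challenge)
             + _attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1))
             + _attr(ATTR_FRAMED_COMPRESSION, struct.pack("!I", 1)))
    length = 20 + len(attrs) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, length) + request_auth
    # HMAC-MD5 keyed with the shared secret over the whole packet with the
    # Message-Authenticator value set to zeros (RFC 2869 section 5.14).
    zeroed = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return {type: value} and {type: offset}; raise ValueError on malformed TLVs."""
    values, offsets, pos = {}, {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        values[atype], offsets[atype] = packet[pos + 2:pos + alen], pos
        pos += alen
    return values, offsets


def verify_access_request(packet, shared_secret, password_store):
    """Server-side checks: client signature first, then the user's CHAP response."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return "reject"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "reject"
    try:
        attrs, offsets = parse_attributes(packet)
    except ValueError:
        return "reject"
    # 1. Shared secret check ("Client must always send signature attribute").
    mac = attrs.get(ATTR_MESSAGE_AUTHENTICATOR)
    if mac is None or len(mac) != 16:
        return "reject"
    off = offsets[ATTR_MESSAGE_AUTHENTICATOR]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return "reject"
    # 2. CHAP check: the server must recompute the MD5 from the cleartext
    #    password, which is why the AD account needs reversible encryption.
    chap, user = attrs.get(ATTR_CHAP_PASSWORD), attrs.get(ATTR_USER_NAME)
    if chap is None or len(chap) != 17 or user is None:
        return "reject"
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, packet[4:20])  # RFC 2865 5.3 fallback
    password = password_store.get(user.decode("utf-8", "replace"))
    if password is None:
        return "reject"
    if not hmac.compare_digest(chap[1:], chap_response(chap[0], password, challenge)):
        return "reject"
    return "accept"


def demo():
    """Good request, wrong shared secret, wrong password -> ('accept', 'reject', 'reject')."""
    secret, store = b"radpass", {"testuser": b"correct horse"}  # constructed sample values
    challenge, request_auth = os.urandom(16), os.urandom(16)
    good = build_access_request(secret, b"testuser", b"correct horse", 1, challenge, request_auth)
    wrong_secret = build_access_request(b"not-radpass", b"testuser", b"correct horse", 1, challenge, request_auth)
    wrong_password = build_access_request(secret, b"testuser", b"guess", 1, challenge, request_auth)
    return tuple(verify_access_request(p, secret, store) for p in (good, wrong_secret, wrong_password))


if __name__ == "__main__":
    print(demo())
```

Running the script prints ('accept', 'reject', 'reject'). A request signed with the wrong shared secret is rejected before the user's credential is even looked at, which is the protection the "signature attribute" setting buys you against a rogue or misconfigured RADIUS client, and a request with a tampered attribute fails the same check. The CHAP step shows the trade-off behind the Reverse Encryption section: CHAP never puts the password on the wire, but the server needs the password itself (not a one-way hash) to verify the response, so every account that dials in must have its password stored in recoverable form on the domain controller.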

Now all you need to do is dial in and authenticate with a username and password. The username doesn't need to include the domain (domain\user).

There are a couple of GUI tools you can download to help you with configuring the Portmaster. PMVision is available at www.portmasters.com and will add a GUI feel for those who fear the terminal.

created by: Forrest Beck
forrest.beck@verizon.net

Resetting the Configurations on the Portmaster

Use a terminal or telnet into the Portmaster.

1. Set the console and the debug value.
   Command> set console
   Setting CONSOLE to port S0
   Command> set debug 0x72
   Setting debug value to 0x72
2. Enter the erase configuration command.
   Command> erase configuration
   Erasing FLASH cell 2-28F010... Succeeded in 82 tries
   Successfully erased FLASH configuration
3. Reboot the PortMaster.
   Command> reboot