Configuring Internet Authentication Service on Microsoft Windows 2003 Server

  • 7/30/2019 Configuring Internet Authentication Service on Microsoft Windows 2003 Server

    Configuring Internet Authentication Service on Microsoft Windows 2003 Server

    Windows 2003 / Enhanced

    Introduction

    This technote describes how to set up the Internet Authentication Service (IAS) on a Microsoft Windows 2003 Server. The document walks the user through the steps of linking the SonicWALL security appliance and the IAS server so that IAS responds to user authentication requests and returns a filter-id, which can be used in rules and for VPN clients.

    This document contains the following sections:

    Configuring the Windows 2003 Server for IAS to Support RADIUS Clients

    Configuring the Windows 2003 Server for RADIUS User Management

    Configuring the SonicWALL Security Appliance to Support the Authentication Method

    Tested Versions

    SonicOS Enhanced 3.1.0.7

    Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.

    Configuring the Windows 2003 Server for IAS to Support RADIUS Clients

    1. On the Windows 2003 Server, verify that you have applied the latest Service Pack and hotfixes. Also verify that the Remote Access and Routing Service is running.

    2. Open the Control Panel on the Windows server, find the add and remove software item in the list, select Windows components, then find Networking Services and click Details. Check Internet Authentication Service (screen shot below) and click OK.

    3. After the installation, you can find IAS under the administration tools. Start IAS and select New RADIUS Client.

    4. Enter the name and IP address of the SonicWALL security appliance that the client requests will come from.

    5. Select RADIUS Standard (also the default option) and enter a Shared secret. This shared secret is needed later on the SonicWALL security appliance, so note it for future reference.

    6. Set up the access criteria for the users: right-click Remote Access Policies and select New Remote Access Policy.

    7. A wizard will emerge, click Next.

    8. Select Set up a custom policy and enter a description for this access policy, click Next.

    9. Click Add; a window with the different authentication criteria will pop up.

    10. From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user based on which group the user is a member of in the Windows AD, or Windows user group.

    11. Click Add, then find and select the Windows Group that the user must be a member of in order to authenticate successfully. Click OK.

    12. Here is how it should look. You could add more groups, but in this scenario the user only needs to be a member of one group, and we also need to send back a specific filter-id that represents this group on the SonicWALL security appliance.

    13. Click Next.

    14. This needs to be a Grant remote Access Permission policy. Click Next.

    15. Click Edit Profile.

    16. Select the Authentication tab, and uncheck any options except Unencrypted authentication (PAP, SPAP).

    17. Select the Advanced tab, and click Add.

    18. A list of attributes will appear. From this list we need the Filter-id option. Click Add.

    19. In the subsequent windows, Add a text string that IAS should send back to the SonicWALL security appliance along with the authentication success message. This text string should match a previously added User Group on the SonicWALL security appliance.

    20. Enter the name of the group on the SonicWALL security appliance (note: it is case sensitive) and click OK.

    21. Click OK.

    That completes the IAS configuration. If you have other groups in the AD that need different access, you can add more Remote authentication policies.

    Configuring the Windows 2003 Server for RADIUS User Management

    1. Navigate to the user management on the Windows 2003 Server. Here we have a few things to check and edit on the users that are supposed to authenticate through the SonicWALL and IAS.

    2. Select the Dial-in tab, and check the Allow access option.

    3. Select the Member Of tab, and either add the user to the correct group or check that the user is already in it. It should be the same group as you added in IAS under Windows Groups.

    This completes the configuration for User Management on the Windows 2003 Server.

    Configuring the SonicWALL Security Appliance to Support the Authentication Method

    1. Select the User menu, and select the Settings item. Now select RADIUS as the Authentication Method and click Configure.

    2. Enter the IP address of the IAS server, and enter the Shared Secret that you previously entered on the IAS.

    3. In the RADIUS Users tab, check the Use RADIUS Filter-ID attribute on RADIUS Server option and click Apply.

    4. Navigate to the Test tab and enter the username and password of a user belonging to the SW group. It should now report back as the screen shot below indicates. As you can see in the Returned User Attributes box, the SW text string is returned to the SonicWALL security appliance along with a Succeeded message.

    The SonicWALL can now use the derived group membership or user information within Access Rules, GroupVPN Policies, or for Content Filtering policy application. This provides a very flexible and highly controllable way of handling access rights for each user in an already existing Windows AD.
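
The exchange behind the Test tab, as an added example that is not part of the original technote: with PAP selected, the password is hidden only by an MD5 keystream derived from the shared secret (RFC 2865), and the reply is checked against that same secret before the Filter-Id is read. The function names, the shared secret and the Request Authenticator are constructed for illustration; `SW` is the group string used on this page.

```python
import hashlib, hmac, struct

FILTER_ID, ACCESS_ACCEPT = 11, 2  # RFC 2865 attribute type and packet code

def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the zero-padded password with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_accept(ident: int, request_auth: bytes, secret: bytes, filter_id: str) -> bytes:
    """Build a constructed Access-Accept with one Filter-Id, signed as a server would."""
    value = filter_id.encode()
    attrs = bytes([FILTER_ID, len(value) + 2]) + value
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def filter_ids_from_accept(packet: bytes, request_auth: bytes, secret: bytes) -> list:
    """Check the Response Authenticator, then return every Filter-Id string."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: secrets differ or reply altered")
    found, pos = [], 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[pos] == FILTER_ID:
            found.append(attrs[pos + 2:pos + alen].decode())
        pos += alen
    return found

def group_matches(filter_ids: list, local_group: str) -> bool:
    """Exact, case-sensitive match against the group name on the appliance."""
    return local_group in filter_ids

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    reply = build_accept(7, req_auth, secret, "SW")
    ids = filter_ids_from_accept(reply, req_auth, secret)
    print(ids, group_matches(ids, "SW"), group_matches(ids, "sw"))
```

A mismatched shared secret on either side shows up here as a rejected Response Authenticator, and a Filter-Id of `sw` does not match a group named `SW`.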

    Last Updated: August 2005