Welcome to ISAserver.org


Discussion of the VPN server RADIUS authentication article

Discussion of the VPN server RADIUS authentication article - 22.Aug.2004 5:49:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the VPN server with RADIUS authentication article at http://isaserver.org/articles/2004vpnradius.html.

Answers to questions:
1. What happens to VPN client connections when the non-domain ISA firewall uses RADIUS authentication?
A: The VPN client connection will fail if User Mapping is enabled in the ISA Management console. Network Monitor traces show that the VPN client sends a disconnect message to the ISA firewall. If User Mapping is not enabled, then VPN clients connect normally using their domain credentials.

2. True or False: The RADIUS server must be on a domain controller
A: False. The RADIUS server does not need to be a domain member.

3. True or False: When the ISA firewall is on the Internet edge of the network, it should never be made a member of the domain.
A: False. In a single ISA firewall implementation, where the ISA firewall is the only firewall on the network, there are no problems with making the ISA firewall a domain member. The theoretical security risks associated with making the ISA firewall a member of the domain are far outweighed by the security benefits of making the ISA firewall a domain member.

4. Under what circumstances do you not need to configure Dial-in permission on a per-user basis?
A: When the domain is in Native Mode or Windows 2003 mode.

5. In this article, is the ISA firewall a RADIUS client, RADIUS server or RADIUS proxy?
A: The ISA firewall is a RADIUS client.

Thanks!
Tom

[ August 24, 2004, 02:23 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 2:52:00 AM   
rberger007

 

Posts: 41
Joined: 16.Mar.2004
Status: offline
Thanks so much for this article! I didn't know I needed the Message Authenticator box checked. I'm now going to test my VPN to see if I can get mapped drives to work...

-Rob

(in reply to tshinder)
Post #: 2
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 3:00:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

Thanks! Yes, you definitely need that message authenticator checkbox checked.

Let us know how it works out for you.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
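The "Message Authenticator" checkbox Rob and Tom mention makes the RADIUS client (here the ISA firewall) add an HMAC-MD5 Message-Authenticator attribute (RFC 2869) over the whole Access-Request, keyed with the shared secret, so the IAS server can reject requests that were forged or altered in transit. The following Python is an added example written for this discussion, not code from the article or from ISA Server; the shared secret, user name and NAS address are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, nas_ip: bytes,
                         ident: int, request_auth: bytes) -> bytes:
    """Build an Access-Request that carries a valid Message-Authenticator.

    The HMAC-MD5 is computed over the complete packet with the
    Message-Authenticator value set to 16 zero bytes, then written in place.
    """
    attrs = _attr(USER_NAME, username.encode()) + _attr(NAS_IP_ADDRESS, nas_ip)
    placeholder = _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: True only if the packet carries a correct MAC."""
    if len(packet) < 20:
        return False
    pos, found = 20, None
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = (pos + 2, packet[pos + 2:pos + 18])
        pos += alen
    if found is None:
        return False  # client was not configured to send the attribute
    start, received = found
    zeroed = packet[:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

With the checkbox cleared the client sends no attribute at all, which is why a server that requires it (the IAS setting of the same name) drops the request.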
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 7:18:00 PM   
Guest
Tom,

Great article. At the Microsoft Conference in San Diego, the Microsoft engineers suggested using an IAS proxy in the DMZ to connect to the internal network's Active Directory (as a RADIUS proxy) and authenticate the VPN users for the ISA 2004 edge server. Is this necessary? What are your thoughts? When is the book out? Looking forward to it.

Steve

(in reply to tshinder)
  Post #: 4
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 8:21:00 PM   
rberger007

 

Posts: 41
Joined: 16.Mar.2004
Status: offline
I'm still having problems w/my VPN. Tom - have you seen my email to you from last week? Any progress on my issues?

(in reply to tshinder)
Post #: 5
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 8:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <Steve>:
Tom,

Great article. At the Microsoft Conference in San Diego, the Microsoft engineers suggested using an IAS proxy in the DMZ to connect to the internal network's Active Directory (as a RADIUS proxy) and authenticate the VPN users for the ISA 2004 edge server. Is this necessary? What are your thoughts? When is the book out? Looking forward to it.

Steve

Hi Steve,

That would be an interesting approach! So, would it look like this:

Edge ISA firewall
|
|__RADIUS proxy
|
|
Back end ISA firewall
|
|
IAS -- DC -- etc servers

If the front-end ISA firewall were to authenticate the users, then you could use a RADIUS proxy in the DMZ between the firewalls. You would need to either publish the RADIUS server on the back-end or create access rules (depending on the route relationship between the DMZ and the network containing the RADIUS server).

Thanks!
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 8:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by rberger007:
Thanks so much for this article! I didn't know I needed the Message Authenticator box checked. I'm now going to test my VPN to see if I can get mapped drives to work...

-Rob

Hi Rob,

I just replied. Send me a note when you can.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of the VPN server RADIUS authentication ... - 23.Aug.2004 9:22:00 PM   
Guest
Tom,

That is close, but the Edge ISA server would allow the VPN traffic through to the backend server, and the backend server would use the IAS proxy in the DMZ to authenticate to the IAS server behind the backend server. There would have to be specific ports open on the backend server to allow the traffic to flow between the IAS proxy and the IAS server behind the backend server. Is this too much or a good approach? I am trying to build this in my lab right now. When is the book going to be available?

Steve

(in reply to tshinder)
  Post #: 8
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 12:32:00 AM   
Guest
Hi Tom,

Great article as always.

But how can I do this in a B2B network?

EXT.ISA ........DMZ.......INT. ISA SERVER......INTERNAL

The Internal ISA is a member of the Domain and also the VPN Server. The DC is the RADIUS Server.

Thanks for your info.

johnson

(in reply to tshinder)
  Post #: 9
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 1:11:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Tom - could you elaborate on this? From your first post...

1. What happens to VPN client connections when the non-domain ISA firewall uses RADIUS authentication?
A: The VPN client connection will fail. Network Monitor traces show that the VPN client sends a disconnect message to the ISA firewall.

Do you mean "What happens to VPN client connections when the non-domain ISA firewall uses EAP authentication"? I don't know of anything that would prevent ISA/RRAS in a standalone config from allowing RADIUS based auth, outside of EAP.

(in reply to tshinder)
Post #: 10
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 2:22:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

Good point. I need to elaborate on the answer.

Check the new edit and see if that works better.

Thanks!
Tom

[ August 24, 2004, 02:27 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 11
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 2:26:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <Steve>:
Tom,

That is close, but the Edge ISA server would allow the VPN traffic through to the backend server, and the backend server would use the IAS proxy in the DMZ to authenticate to the IAS server behind the backend server. There would have to be specific ports open on the backend server to allow the traffic to flow between the IAS proxy and the IAS server behind the backend server. Is this too much or a good approach? I am trying to build this in my lab right now. When is the book going to be available?

Steve

Hi Steve,

What I'm wondering here is where does the VPN connection terminate. If it terminates on the front end ISA firewall, then you can put the RADIUS proxy in the DMZ to authenticate the connection. Once the VPN user is authenticated, you can create access rules to allow the users access to the DMZ network, or to the network behind the back-end ISA firewall. You would need to create publishing rules or access rules on the back-end ISA firewall to allow the VPN users access to resources behind the back-end ISA firewall.

Is this what you're thinking of?

Thanks!
Tom

(in reply to tshinder)
Post #: 12
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 2:29:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <johnson>:
Hi Tom,

Great article as always.

But how can I do this in a B2B network?

EXT.ISA ........DMZ.......INT. ISA SERVER......INTERNAL

The Internal ISA is a member of the Domain and also the VPN Server. The DC is the RADIUS Server.

Thanks for your info.

johnson

Hi Johnson,

I would publish the VPN server on the back-end ISA firewall. Another option is to terminate the VPN at the front-end ISA firewall and create access rules on the front-end to allow access to resources behind the back-end. The back-end would need to be configured to allow connections from the VPN clients using publishing rules or access rules, depending on your route relationships and authentication requirements.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion of the VPN server RADIUS authentication ... - 24.Aug.2004 5:30:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Sweet - thanks for clarifying that.

(in reply to tshinder)
Post #: 14
RE: Discussion of the VPN server RADIUS authentication ... - 30.Mar.2005 11:02:00 AM   
testxyz

 

Posts: 1
Joined: 10.Mar.2005
Status: offline
Is the same approach (explained in this article) used when using an ISA server that is on the Internet edge of the network and a domain member?

(in reply to tshinder)
Post #: 15
RE: Discussion of the VPN server RADIUS authentication ... - 28.Jun.2005 2:25:00 PM   
mfu

 

Posts: 1
Joined: 28.Jun.2005
From: Mountain View, CA
Status: offline
Hi Tom,

I have a question for you.
We're trying to run Radius authentication with a 3rd party Radius server to protect a secure website/webservices (https) on our network. The problem (or perhaps feature) is that the ISA server is issuing a new authentication request for every individual GET operation, which is unwieldy -- the user has to input their password multiple times in order to bring up the page.

How should we prevent this from happening, i.e. have one authentication request per user log-on session?

Thanks in advance,

Mike

(in reply to tshinder)
Post #: 16
RE: Discussion of the VPN server RADIUS authentication ... - 28.Jun.2005 7:25:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Wow - talk about raising a thread from the dead...

Use the SingleRADIUSServerAuthPerSession attribute and see if it helps mitigate this. You'll need to set this through the script that is on that website.

[ June 28, 2005, 07:28 PM: Message edited by: ClintD ]

(in reply to tshinder)
Post #: 17
RE: Discussion of the VPN server RADIUS authentication ... - 21.Apr.2006 8:21:54 PM   
robcmk

 

Posts: 33
Joined: 21.Apr.2006
Status: offline
Tom,

That was a great article with lots of useful stuff, but I have a question.

In our environment we have ISA 2004 Std back to back with a Checkpoint NGAI firewall [ Internet|----|CPNG|----|ISA|----Internal Lan ] and I want to enable the VPN. No problem configuring the ports and RADIUS; that all works a dream even with L2TP, although the registry fix for XP caught me out a little!.....
But we have a multi-VLAN network with the LANs being derived from RADIUS, and I am unsure as to how to carry the VLANs out into the VPN arena such that when users in a particular department log in
they will be supplied with appropriate IP and network ACL details just as though they were on our wired or wireless infrastructure.

Any help with this would be great...... or if you need more info just say!

Thanks in Advance

Rob.

(in reply to tshinder)
Post #: 18
RE: Discussion of the VPN server RADIUS authentication ... - 15.Jun.2006 4:29:27 PM   
dennhu

 

Posts: 1
Joined: 15.Jun.2006
Status: offline
Great article. Could I raise a question about the group based access control on standalone ISA server?

You mentioned that "I'm hopeful that someone from Microsoft will beat me with a cluestick that provides the key piece of information required to allow strong user/group based access control over VPN client connections when the ISA firewall is not a member of the domain and clients use RADIUS authentication to connect." Do you have any new information on that idea?

Also, theoretically, how could the RADIUS server pass the group information to the ISA?

(in reply to robcmk)
Post #: 19
What about expired passwords and "user must change... - 23.Jun.2006 9:46:48 AM   
maettu

 

Posts: 1
Joined: 23.Jun.2006
Status: offline
Hello from Switzerland

Thanks for the great article.

My question is how will password issues be handled with this solution?

What happens when a user tries to connect with an expired password?

What happens when a user tries to connect with the "user must change password at next logon" checkbox marked?

Because you use EAP instead of MS-CHAPv2 in the VPN Policy. Isn't MS-CHAP the only way to resolve such password issues?

Thanks

mat


(in reply to tshinder)
Post #: 20
