Discussion:
Authenticating Remote Users
Steve Ray
2007-12-04 16:00:21 UTC
Guys

I'd appreciate some help please; hopefully I'm in the right NG

We've recently deployed a Cisco 3020 VPN Concentrator (OK So maybe I should
be asking this question in a Cisco NG as well!) but......

I have over 1500 users I need to authenticate and I do not want to create
the accounts "ON" the VPN Concentrator but pass this off to a RADIUS Server

I am now aware of IAS and have had a quick look at it but got nowhere very
fast

Can someone please let me know where I start with allowing users to
authenticate to the LAN using their internal network domain credentials
via the IAS server, and how quickly this replicates with the DCs (as I
believe RADIUS is an offline process - I may be wrong here)

My remote users all have the Cisco VPN Client installed on their PCs

Thanks

Steve
James McIllece [MS]
2007-12-06 20:17:37 UTC
Post by Steve Ray
Guys
I'd appreciate some help please; hopefully I'm in the right NG
We've recently deployed a Cisco 3020 VPN Concentrator (OK So maybe I
should be asking this question in a Cisco NG as well!) but......
I have over 1500 users I need to authenticate and I do not want to
create the accounts "ON" the VPN Concentrator but pass this off to a
RADIUS Server
I am now aware of IAS and have had a quick look at it but got nowhere
very fast
Can someone please let me know where I start with allowing users to
authenticate to the LAN using their internal network domain
credentials via the IAS server, and how quickly this replicates with
the DCs (as I believe RADIUS is an offline process - I may be wrong
here)
My remote users all have the Cisco VPN Client installed on their PCs
Thanks
Steve
Hi Steve --

IAS authenticates users against AD, so existing user accounts work fine and
you don't have to create new ones.

The basic process, all of which is fully documented in detail in the IAS
Help, is as follows:

-- Install IAS on a domain member server
-- Register the IAS server in AD and verify that you want to use the
default RADIUS ports for RADIUS traffic. (Both the VPN concentrator and the
IAS server must use the same ports.)
-- On the VPN concentrator: configure the authenticating server/RADIUS
server as the IAS server, and configure a shared secret that you will also
use on the IAS server when you configure the VPN concentrator as a RADIUS
client. (NOTE: RADIUS clients are not client computers, they are network
access servers like your VPN device.) Also, if you are deploying EAP,
enable EAP on the concentrator.
-- In IAS, create a new RADIUS client and configure it with the IP address
of the VPN concentrator and the same shared secret you used when
configuring the VPN concentrator.
-- In IAS, create remote access policies based on Windows groups -- e.g.,
"X group can connect via this media (VPN) during these hours on these days,
and must use Y authentication method," etc. You can create one policy or
many policies; IAS processes the policies from first in the list to last.
-- Configure RADIUS accounting -- log either to a log file
(database-compatible format) or to a SQL server.

You don't need to change the default connection request policy, and don't
delete it, but you should either change or delete the default remote access
policies.

Note that IAS uses the dial-in properties of user accounts to authorize
users, so the value of the Remote Access Permission setting in the
properties for each account should be set to either "Control access through
remote access policy" or "Allow access."

Also when you create remote access policies, make sure that you are
creating a policy that allows rather than denies access. (I think "Deny
access" is the default, so you need to change that setting while creating
the policy.)

If you are deploying EAP-TLS certificate-based authentication, you must
also deploy a certification authority with Certificate Services and figure
out how to get certs onto the remote clients. This topic will help you
figure out how to do that (and there are a lot of other Help topics
dedicated to this subject too):

"Network access authentication and certificates" in Windows Server 2003 IAS
or VPN Help, or on the web at
http://technet2.microsoft.com/windowsserver/en/library/9d8b61c9-a870-4627-a8f2-148625fd7fba1033.mspx
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
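As an added illustration (not code from the thread, from IAS or from Cisco): a minimal RFC 2865 Access-Request/Access-Accept exchange in Python showing what the shared secret in the steps above does on the wire, from the VPN concentrator's side (the RADIUS client, or NAS) and from the server's side. The secret hides the User-Password attribute and authenticates the server's reply, so a secret mismatch shows up as a rejected login and a reply the NAS cannot verify; the NAS address, user store, secret and Request Authenticator values are constructed, and `directory` stands in for the AD lookup IAS would perform.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _parse_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = data[pos], data[pos + 1]
        attrs[atype], pos = data[pos + 2:pos + alen], pos + alen
    return attrs

def password_xor(data, secret, request_auth, reveal=False):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), chain seeded
    # by the Request Authenticator; the same loop hides (NAS) and reveals (server).
    out, last = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + last).digest()))
        out, last = out + chunk, (data[i:i + 16] if reveal else chunk)
    return out

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # NAS picks a fresh random one per request
    pw = password.encode()
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\0")   # null-pad to a 16-byte multiple
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, password_xor(pw, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def handle_access_request(request, clients, directory):
    # Server side: the secret is chosen by NAS address (KeyError for an unregistered NAS, which
    # a real server silently discards); `directory` is a constructed stand-in for the AD lookup.
    attrs = _parse_attrs(request[20:])
    secret = clients[".".join(str(b) for b in attrs[NAS_IP_ADDRESS])]
    password = password_xor(attrs[USER_PASSWORD], secret, request[4:20], reveal=True).rstrip(b"\0")
    code = ACCESS_ACCEPT if directory.get(attrs[USER_NAME].decode()) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)   # no reply attributes in this example
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request, secret):
    # NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the hiding and the reply check are both built on MD5 with the shared secret, the secret is the only thing protecting PAP traffic between concentrator and IAS, which is why the RADIUS path belongs on a trusted segment and why EAP (as the reply suggests) is the stronger option.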