Discussion:
New to IAS/RADIUS...
lozza
2008-10-08 23:26:00 UTC
Guys,

I appreciate any time you experts can give me in trying to learn this
technology. I am familiar with Microsoft stuff but not in the areas of
IAS/RADIUS. We have a Cisco environment at work and are in need of a solution
that will address AAA. I would like to use MS technology as that's what I am
accustomed to. I will be attending a Cisco Secure Access Control Server
course soon, but this will inevitably mean cost and I think MS IAS can do the
same thing and might be a bit easier to implement. So basically, because I
don't know much about any of this stuff, could someone kindly help me by
answering the following:

1) Does IAS allow for the AAA methodology to be followed? Specifically, can I log
who has done what, run what commands at what time on switches/routers etc.
Can I control who can have what permissions on certain switches/routers
etc.?

2) At present we have over 100 Cisco Switches and Routers across 4
Datacentres globally (Single AD Domain)... Can IAS be used to allow AD
credentials to log into these switches/routers?

3) At each DC we have a redundant pair of CISCO VPN devices. Can IAS be used
to authenticate the VPN users using their already created AD account?

4) If I want all authentication to be backed off to AD, will my IAS Servers
require a Database? I'm not sure what I'm trying to ask here, but it's
along the lines of: if I have a redundant pair of Load Balanced IAS Servers,
configured the same (as in the same devices, policies etc.), is that all I
need in terms of providing Resilience (with the exception of a Load Balancing
mechanism in front of them), or is a Database needed as well, sitting on a
cluster somewhere? Or in fact should the IAS be Clustered (in the MSCS
fashion)... confused here, as you can tell :)

5) For true redundancy's sake, is it feasible to put a pair of IAS Servers in
each of the 4 DCs and configure them all with the same configs and then list
all these IAS Servers in every device using RADIUS, i.e. my switches and
routers... or in fact just list the IAS servers that are local to the network
device in question as its RADIUS Server, so authentication traffic stays
local?

6) If I need to add more RADIUS Servers to my 2-node clusters, is there a
simple method of replicating the config onto the newly added server?

7) When dealing with Accounting logging, should you send all this info off
to a DB somewhere that all your IAS servers point to? Are there scripts to
create such a DB in the correct format? Or should you just leave this locally
on each IAS server? Again, I am just wildly guessing here and trying to gauge
info around IAS.

Please forgive me for any daft questions. I have been reading for a few days
now, and think I have asked some half intelligent questions to help me
understand this better.

If any links to appropriate 'easy' reading can be provided that would be
excellent.

Thanks for any help
Lozz
S. Pidgorny
2008-10-09 08:27:32 UTC
G'day:

1. Yes, MS IAS/NPS is an RFC-compliant RADIUS implementation. It's not
without limitations in terms of advanced accounting and a few other things,
but it's sufficient for 95+% of cases. An example where IAS/NPS is
lacking features: support for Cisco wireless IP phones (authentication
protocols aren't supported);
2. Yes, for user names and passwords. That many RADIUS clients means
that you'll have to use the Enterprise version of Windows though;
3. Yes - authentication will be centralised;
4. No database apart from AD is required. AD has in-built redundancy
mechanisms, e.g. multiple DCs achieve that. You'll need two RADIUS servers,
one at each DC, to have redundancy for the AAA;
5. Yes. You can use netsh to dump the RADIUS configuration and apply the
same on all servers;
6. See above;
7. Honestly, don't know, since there's very little demand for accounting
in the classic sense in enterprise environments where internal
connectivity usually is not billed or billed in a roundabout way. For
most purposes, logged access events are enough.

The questions are cool, nothing to apologise for. As long as you're
attending the Cisco course, feel free to ask Cisco folk about
differences between their product and NPS, try to filter out substantial
information from fluffy stuff. That is, if they'll answer at all.
--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
lozza
2008-10-09 11:58:01 UTC
Hey Svyatoslav,

Thanks so much for your quick response. Now I feel a little more confident
that the questions I was asking were not totally daft and I am on the right
track. So if you don't mind I'd like to delve in a little deeper, and maybe
you can point me to some config examples so I can understand how this works:

1) How would I configure the IAS and Cisco Router/Switch side to allow AD
authentication to these devices?

2) How would I do the same for Cisco VPN concentrators?

3) What happens when an AD password expires? How is one expected to change
this? Can this be done at the login point of the Network Device?

4) Is it possible to group switches/routers together for login purposes?
What I am trying to say here is, is it possible to allow a Global AD Group to
have permissions on a common group of network switches?

5) Is it possible to even further control what privilege each AD Group has
against a specific Switch/Router?

I am getting confused around the link between configuring RADIUS Clients and
how Remote Access Policies apply to certain users for accessing certain
switches/routers for administration but also being able to authenticate
against VPN devices.

Thanks for your help so far.

Lozz
S. Pidgorny
2008-10-10 08:07:52 UTC
G'day,

Now this is getting a bit complicated - I'm not really a Cisco guy;
here's the best shot at the answers:

1. Cisco IOS configuration for console access control through RADIUS is
pretty much independent of the RADIUS server. Examples:
http://wiki.freeradius.org/Cisco

2. VPN configuration is well documented by Cisco:

http://tools.cisco.com/search/JSP/search-results.get?isFormSubmit=true&strqueryid=4&websessionid=1MRfNYzt7twDvcxGcr17uSj&strCurrentSimilarSearchBreadCrumb=&strCurrentSelectedModifierValues=&strPrevQuery=%22microsoft+nps%22&strQueryText=vpn+3000+ias&country=US&language=en&profile=enushomesppublished

3. Honestly, I don't know. Presumably the users will have access to AD
other than through the Cisco console to change passwords. I'm kinda sure that
VPN clients will get prompted - but that may depend on the client etc.

4. Yes, you'll allow access to AD groups and not individual users.
Grouping of devices is more complicated - you should use RADIUS policy
matching criteria. Distinguishing between VPN and console clients is
quite easy though - VPN clients will have a different NAS-Port-Type -
"Virtual (VPN)".
--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
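To make the policy-matching idea in answer 4 concrete (device groups via the RADIUS client friendly name, VPN versus device logins via NAS-Port-Type, access decided by AD group membership), here is a small Python model of first-match policy evaluation. It is an added illustration written for this thread, not Microsoft's or Cisco's code; the device names, AD group names, user list and the Cisco AV-pair privilege values are assumed examples.

```python
# Simplified model of IAS/NPS network-policy evaluation (illustration only, not Microsoft's
# or Cisco's code). Policies are checked in order; the first one whose conditions all match
# decides accept/reject and which attributes go back to the device. All names are constructed.
import re
from dataclasses import dataclass, field

NAS_PORT_TYPE_ASYNC = 0    # RFC 2865 NAS-Port-Type values: 0 = Async (serial line)
NAS_PORT_TYPE_VIRTUAL = 5  # 5 = Virtual, which the thread says VPN sessions present
ANY_PORT_TYPE = {NAS_PORT_TYPE_ASYNC, NAS_PORT_TYPE_VIRTUAL}

@dataclass
class Policy:
    name: str
    client_pattern: str   # regex over the RADIUS client friendly name (this groups devices)
    nas_port_types: set   # NAS-Port-Type values the policy applies to
    windows_groups: set   # the user must be in at least one of these AD groups
    grant: bool           # True = Access-Accept, False = explicit deny
    reply_attrs: dict = field(default_factory=dict)  # e.g. a Cisco AV-pair for priv level

    def matches(self, client_name, nas_port_type, user_groups):
        return (re.fullmatch(self.client_pattern, client_name) is not None
                and nas_port_type in self.nas_port_types
                and bool(self.windows_groups & user_groups))

# Ordered like an NPS policy list: the deny rule sits first so it wins over later grants.
POLICIES = [
    Policy("Contractors denied on network devices", r"dc\d-(sw|rtr)-\d+", ANY_PORT_TYPE,
           {"Contractors"}, grant=False),
    Policy("DC1 device admins", r"dc1-(sw|rtr)-\d+", ANY_PORT_TYPE,
           {"NetAdmins-DC1"}, grant=True, reply_attrs={"Cisco-AVPair": "shell:priv-lvl=15"}),
    Policy("Read-only network ops, all DCs", r"dc\d-(sw|rtr)-\d+", ANY_PORT_TYPE,
           {"NetOps-ReadOnly"}, grant=True, reply_attrs={"Cisco-AVPair": "shell:priv-lvl=1"}),
    Policy("VPN users", r"dc\d-vpn-\d+", {NAS_PORT_TYPE_VIRTUAL},
           {"VPN-Users"}, grant=True),
]

# Constructed stand-in for AD group membership lookups.
AD_GROUPS = {
    "alice": {"NetAdmins-DC1", "VPN-Users"},
    "bob": {"NetOps-ReadOnly"},
    "carol": {"VPN-Users"},
    "dave": {"Contractors", "NetOps-ReadOnly"},
}

def evaluate(user, client_name, nas_port_type, policies=POLICIES):
    """First matching policy wins; no match at all means Access-Reject, as in NPS."""
    groups = AD_GROUPS.get(user, set())
    for p in policies:
        if p.matches(client_name, nas_port_type, groups):
            return ("Access-Accept" if p.grant else "Access-Reject", p.name, dict(p.reply_attrs))
    return ("Access-Reject", None, {})
```

Note that dave is rejected on a router even though he is also in NetOps-ReadOnly, because the deny policy is evaluated first; policy order matters as much as the conditions.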