
 

Configuring RADIUS in Windows 2000 Server IAS for Cisco Authentication.

 

RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

RADIUS is an open protocol, distributed in source-code form, that can be adapted to work with practically any security system. It is widely used in part because the protocol permits vendors to extend the attribute-value (AV) pairs beyond those specified in RFC 2865.

The RADIUS implementation discussed here is Internet Authentication Service (IAS) for Microsoft Windows 2000.



Required Windows elements.

       Windows 2000 Server.
       Windows Internet Authentication Services.
 

Windows 2000 Server.
Install Windows 2000 Server, selecting Internet Authentication Services as an optional component.

The server must be a domain controller for its own domain. Remove any non-required services and packages that may introduce a security risk, e.g. telnet and ftp. Also ensure that general security measures and server "hardening" are applied.

Disable any services that may introduce a security risk.
         · Simple TCP/IP Services.
         · Terminal Services.
         · Windows Time.
         · DNS Server.
         · DHCP Server/Client.
         · Etc.

Remove or disable any accounts that may introduce a security risk:
         · Guest (disable it; the built-in account cannot be deleted).
         · Anonymous access.
         · Rename Administrator.
         · Etc.

Add two groups used for IAS.
         · IAS-ADMIN-GROUP
         · IAS-LOGIN-GROUP

Add the appropriate users to each group. The ADMIN group will be granted enable rights (privilege level 15); the LOGIN group will gain only basic user EXEC rights (privilege level 1).

 

Configuring Windows Internet Authentication Services.

Windows Internet Authentication Services (IAS) implements the RADIUS standard and can be used to perform authentication for access to routers and switches.

 

  • First register the IAS service with Active Directory: in the IAS console, right-click "Internet Authentication Service" and choose "Register Service in Active Directory".

  • Add all clients (switches/routers/etc.), using the address each device will send its requests from.

    • Leave Client-Vendor as "RADIUS Standard".

    • Enter the shared secret. Use a long, random string and remember it for later: it must match the key configured on the router.

  • Remove default Remote Access Policy.

  • Add a policy called “Allow admin access if member of IAS-ADMIN-GROUP”

  • The conditions to match should read:

    • Windows-Group matches "<Server Name>\IAS-ADMIN-GROUP"

  • Select “Grant remote access permission”

  • Click Edit Profile.

  • In the Authentication tab, ONLY select "Unencrypted Authentication (PAP, SPAP)". Cisco IOS sends login passwords to RADIUS as PAP, where the password is hidden only with an MD5 keystream derived from the shared secret, so the secret must be strong and the RADIUS traffic should stay on a management network.

  • In the Advanced tab, there should be 2 attributes:

         NAME            Vendor            Value
         Cisco-AV-Pair   Cisco             shell:priv-lvl=15
         Service-Type    RADIUS Standard   Login

    Notice the Cisco-AV-Pair attribute, a Cisco vendor-specific attribute (vendor ID 9). Together with the "aaa authorization exec" command on the router, it places the user at the stated privilege level (15 = enable) as soon as the login succeeds.

    Now for the login-only group, which has restricted access.

     

  • Add another policy called "Allow login access if member of IAS-LOGIN-GROUP"

  • The conditions to match should read: Windows-Group matches "<Server Name>\IAS-LOGIN-GROUP"

  • Select “Grant remote access permission”

  • Click Edit Profile.

  • In the Authentication tab, again ONLY select "Unencrypted Authentication (PAP, SPAP)".

  • In the Advanced tab, there should be 1 attribute (no Cisco-AV-Pair, so the user lands at privilege level 1):

             NAME            Vendor            Value
             Service-Type    RADIUS Standard   Login

       


 

Configuring RADIUS on Cisco routers.

This configuration makes the Cisco router use the RADIUS server as its authentication method. If no RADIUS server responds, the router falls back to its local user database (username <name> password <password>); if no local users are configured, it falls back to the line password. Note that an Access-Reject from the server is a definitive failure: the fallback only applies when the server does not answer.

To ensure the router sources its requests from the IP address you entered in the server's client list, use the "ip radius source-interface" command pointing to the interface that carries that address. The server looks up the shared secret by the source address of the request and silently discards requests from unknown addresses, so if the router sends from a different address the login will simply time out.


The required Cisco configuration for RADIUS authentication is as follows
(! denotes a comment):

 ! AAA RADIUS setup: login authentication and exec authorization.
 ! Try RADIUS; if no server answers, fall back to the local user
 ! database, then to the line password.
 aaa new-model
 aaa authentication login default group radius local line
 aaa authorization exec default group radius if-authenticated
 !
 ! Loopback0 MUST carry the address entered in the client settings
 ! on the RADIUS server.
 ip radius source-interface Loopback0
 !
 ! RADIUS server information. The key MUST match the shared secret
 ! entered in the client configuration on the RADIUS server.
 radius-server host <ip address> auth-port 1812 acct-port 1813
 radius-server retransmit 3
 radius-server key <shared secret>

 

And that's it! Now all that's left is to try it out. Because "aaa new-model" applies the default login list to the console as well, keep the session you configured from open and log in from a second session; "debug aaa authentication" and "debug radius" on the router show whether the server answered and which attributes came back.
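To make the two halves of this page concrete, here is an added example (not code from the article, from Cisco or from Microsoft) that simulates one complete RADIUS login exchange in Python: the router builds an Access-Request with the PAP-hidden password, the server looks up the shared secret by source address, checks the user against a group table standing in for the two IAS policies, and answers with Service-Type and, for the admin group, the Cisco-AV-Pair "shell:priv-lvl=15"; the router then verifies the Response Authenticator and derives the privilege level. The client table, user names, passwords, the address 10.0.0.1 and the secret "secret-key" are all constructed for the illustration, and nothing is sent on the wire.

```python
"""Simulated RADIUS/PAP login between a Cisco NAS and an IAS-style server (RFC 2865).
Added illustration; the clients, users, addresses and secret below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1                 # "Service-Type = Login" in the IAS profile
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Specific(26) -> vendor 9, vendor type 1


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block, key = hidden[i:i + 16], hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00").decode(errors="replace")


def cisco_avpair(text):
    """Value of a Vendor-Specific attribute carrying one Cisco-AV-Pair string."""
    v = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(v) + 2) + v


def cisco_avpairs(attrs):
    pairs = []
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = struct.unpack("!BB", v[4:6])
            if vtype == CISCO_AVPAIR:
                pairs.append(v[6:4 + vlen].decode())
    return pairs


# Constructed server-side data: the IAS client list (keyed by the NAS *source*
# address, i.e. Loopback0), the two Windows groups and their policy profiles.
CLIENTS = {"10.0.0.1": b"secret-key"}
USERS = {"dave": ("Pa55word", "IAS-ADMIN-GROUP"), "noc": ("n0cpass", "IAS-LOGIN-GROUP")}
POLICIES = {
    "IAS-ADMIN-GROUP": [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
                        (VENDOR_SPECIFIC, cisco_avpair("shell:priv-lvl=15"))],
    "IAS-LOGIN-GROUP": [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))],
}


def nas_access_request(username, password, secret, nas_ip, ident=1):
    """Router side: what 'aaa authentication login default group radius' sends."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_hide(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_handle(request, src_ip):
    """Server side. The secret is chosen by source IP; an unknown source is silently
    discarded (RFC 2865 s3), which the NAS experiences as a timeout."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    password = pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    user, code, reply = attrs[USER_NAME].decode(), ACCESS_REJECT, []
    if user in USERS and USERS[user][0] == password:
        code, reply = ACCESS_ACCEPT, POLICIES[USERS[user][1]]
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def nas_handle_reply(reply, req_auth, secret):
    """Router side. Returns ("timeout", None) when IOS would fall back to 'local' then
    'line', ("reject", None) for a definitive refusal, or ("accept", privilege level)."""
    if reply is None:
        return ("timeout", None)
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if header[0] != ACCESS_ACCEPT:
        return ("reject", None)
    priv = 1  # no shell:priv-lvl (IAS-LOGIN-GROUP profile) -> user EXEC, level 1
    for pair in cisco_avpairs(decode_attrs(body)):
        if pair.startswith("shell:priv-lvl="):
            priv = int(pair.split("=", 1)[1])
    return ("accept", priv)


def login(username, password, src_ip="10.0.0.1", nas_secret=b"secret-key"):
    """One complete exchange as seen from the router."""
    request, req_auth = nas_access_request(username, password, nas_secret, src_ip)
    return nas_handle_reply(server_handle(request, src_ip), req_auth, nas_secret)
```

Running login("dave", "Pa55word") yields ("accept", 15), login("noc", "n0cpass") yields ("accept", 1), a request from an address not in CLIENTS times out exactly as a router sending from the wrong interface would, and a mismatched nas_secret is caught by the Response Authenticator check on the router rather than producing a silent failure.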

 

David Treacy
Vector Communications.
dave@vectorcomms.com

 


What is it?

Remote Authentication Dial In User Service (RADIUS) is a distributed client/server protocol that secures networks against unauthorised access. RADIUS combines authentication and authorisation rather than treating them separately, as it does with accounting. RADIUS also provides a central point of administration.

The RADIUS protocol is specified in RFC 2865 and RADIUS accounting in RFC 2866.