Installing IAS
You can install and use IAS on both Win2K Server and NT Server 4.0-based systems. For Win2K, IAS comes as part of the core OS; with NT 4.0, IAS is one of several components that ship with the NT 4.0 Option Pack, which you can download from the Microsoft Web site at http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4optpk/default.asp. Although the Option Pack is quite large and includes many applications, IAS installation requires the installation of only the Common Program Files and Internet Service Manager (ISM) 4.0 components. As is the case when you install core components from the NT CD-ROM, you must reinstall the appropriate service pack after you install any Option Pack components.
In Win2K, you need to select IAS as a subcomponent of Networking Services in the Windows Components section of the Control Panel Add/Remove Programs applet. After you install IAS, you use the Microsoft Management Console (MMC) Internet Authentication Service snap-in. The system adds a shortcut to this snap-in (i.e., ias.msc) in the Programs\Administrative Tools folder during installation.
One of the first tasks following the installation of IAS on Win2K is to configure IAS to interact with AD. To do so, select Register Service in Active Directory from the Action menu in the Internet Authentication Service snap-in. By registering IAS with AD, IAS can access user and group information in AD; otherwise, IAS would only be able to verify user and group membership information that the server maintains in its local accounts database.
Performing these steps will register IAS in AD in the default domain. To let IAS access AD information in another domain, simply place the computer account for the IAS server into the RAS and IAS Servers group in the target domain. The RAS and IAS Servers group must have a specific set of permissions in AD. To verify these permissions, launch the MMC Active Directory Users and Computers snap-in, and select Advanced Features from the View menu to view the RAS and IAS Servers Access Check object in the left pane, as Figure 2 shows. Right-click the object, choose Properties from the context menu, then select the Security tab to verify that the RAS and IAS Servers group has Read, Write, Create All Child Objects, and Delete All Child Objects permissions, as Figure 3 shows. If not, configure the permissions to match these settings to permit proper IAS operation.
Configuring IAS to Communicate with a Cisco NAS Device
Before IAS will accept authentication requests from a RADIUS-enabled NAS, you must use the Internet Authentication Service snap-in to define the NAS as a RADIUS client. To define the RADIUS client, right-click the Clients container, then choose New Client. An Add Client dialog box will appear and prompt you for the friendly name and protocol to use for this client (at present, the only protocol option is RADIUS). Enter a friendly name for the NAS, then click Next (the friendly name doesn't have to match the NAS hostname). The system will prompt you for the IP or DNS hostname of the NAS, as Figure 4 shows.
The Shared secret option in Figure 4 lets you enter a shared encryption key for the two-way authentication of the NAS-to-IAS server communication and to encrypt passwords as they traverse the network. You must configure this shared key identically on the IAS server and the NAS.
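To make concrete what the shared secret does on the wire, here is an added example (not from the original article, and not Microsoft or Cisco code) that implements the two RFC 2865 operations the secret feeds: hiding the User-Password attribute in an Access-Request, and computing the Response Authenticator that lets the NAS check that an Access-Accept really came from the IAS server. The secret and the Request Authenticator used in the demo are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 section 5.2: User-Password is hidden by XORing 16-byte blocks of
# the null-padded password with MD5(secret + previous block), seeded with the
# Request Authenticator. This is obfuscation keyed only by the shared secret,
# not authenticated encryption: a weak or leaked secret exposes every password.
def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk                       # chaining uses the hidden block
    return out.rstrip(b"\x00")

# RFC 2865 section 3: Response Authenticator =
#   MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

# What the NAS does with a reply: recompute the authenticator with its own copy
# of the secret and the Request Authenticator it sent; reject on any mismatch.
def nas_accepts_reply(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; must match on NAS and IAS
    req_auth = bytes(range(16))              # constructed; normally 16 random bytes
    hidden = hide_password(b"P@ssw0rd", secret, req_auth)
    print(unhide_password(hidden, secret, req_auth))
    reply = struct.pack("!BBH", 2, 1, 20)    # Access-Accept, no attributes
    reply += response_authenticator(2, 1, b"", req_auth, secret)
    print(nas_accepts_reply(reply, req_auth, secret))        # True
    print(nas_accepts_reply(reply, req_auth, b"wrong-key"))  # False
```

A mismatched secret on either side shows up as exactly this failure: the NAS discards the reply and the user sees a generic authentication failure, so checking the secret first saves time when troubleshooting.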
If your remote access solution requires Challenge Handshake Authentication Protocol (CHAP) support (such as when you require password encryption and have a NAS or remote access clients that don't support Microsoft Challenge Handshake Authentication Protocol (MSCHAP)), you must store passwords in a format that the IAS server can decrypt. To properly store the passwords, open the Active Directory Users and Computers snap-in, right-click the domain, select Properties from the context menu, and edit the Default Domain Policy Group Policy under the Group Policy tab. Within this policy, enable the Store password using reversible encryption for all users in the domain option. Alternatively, you can select the user properties Account tab and set Store password using reversible encryption to store passwords on a per-user basis. To facilitate the first-time storage of passwords by using reversible encryption, each user must change his or her password after you select one of these options.
To avoid having to store passwords with reversible encryption, configure the NAS and the remote access policy that I describe a little later to use MSCHAP whenever possible. An extension to RFC 1994, MSCHAP was designed to be compatible with NT and AD, and it doesn't require you to store user passwords in clear text or with reversible encryption.