May 26, 2009 12:00 AM

Setting Up VPN Authentication Via RADIUS

Give your users one less password to memorize
Windows IT Pro
InstantDoc ID #101827

Executive Summary:
Learn how to set up Remote Authentication Dial-In User Service (RADIUS) authentication without altering your current VPN setup, so your users don’t have to remember as many passwords.


Wouldn’t it be cool if your users had to remember only one username and password? Just think how many fewer Help desk tickets you would receive.

As we've moved from Workgroups to NT Domains, Active Directory (AD), and “integrated services” such as Microsoft Exchange and SQL Server, the number of user accounts and passwords has declined. But many non-Microsoft technologies have authentication mechanisms that are separate from AD. One example is a virtual private network (VPN) connection using Cisco’s PIX/ASA firewall; these user accounts and passwords are stored locally on the firewall by default.

However, you can add Microsoft's free Remote Authentication Dial-In User Service (RADIUS) authentication to your firewall without altering your current VPN setup and give your users at least one less password to remember. Here's how.

Setting up the VPN Gateway
For this article, I used a Cisco PIX 515 with 64M of memory and 16M of Flash running Cisco PIX Security Appliance Software 8.0(3), though Netgear and SonicWall, among others, also offer VPN gateways. I installed and used Cisco’s free Adaptive Security Device Manager (ASDM) 6.0(2), which gives you anytime-anywhere access to manage Cisco security appliances and firewalls.

Cisco is discontinuing the PIX 500 series and recommends moving to its ASA 5500 series instead. (See Cisco’s website for more information.) Since the ASA is nearly identical to the PIX, except with more bells and whistles, the RADIUS setup is the same as it is with the PIX setup. To authenticate other brands of VPN devices, you’ll need to check out the documentation of your specific model, but the RADIUS configuration that I describe below should be similar.

Just like a medical doctor, I live by the mantra “Do No Harm.” So it’s important that I add RADIUS authentication to my firewall without breaking or altering the current VPN setup. I want users to be able to continue using the current setup while I add new functionality. To simplify the RADIUS setup, I highly recommend using the GUI instead of the command line. I also recommend documenting every setting, IP address, and Secret Key—this will help you if you need to troubleshoot in the future.

To keep track of the settings, I created a document called Radius Settings (see the PDF titled “Radius Settings”). The top half of the document shows you how the Tunnel Group and Pre-shared key values relate to the Cisco VPN Client. The bottom half shows how to configure PIX/ASA and Server 2008/Windows 2003 to point to each other for RADIUS authentication.

If you find that your setup isn’t working correctly, refer to this document and verify that you are referencing the correct Pre-Shared Key, Password, Server Secret Key, and Shared Secret. Just by looking at the names, you can see how it would be easy to accidentally use the wrong information.

The first step in setting up your VPN gateway is to log on to ASDM as a privileged user. For this example, I simply used the “Enable” password. ASDM takes a few seconds to read the configuration from the firewall, then it's ready to go.

Click Wizards, IPsec VPN Wizard, which Figure 1 shows, to get the process started. Click Remote Access on the screen that follows, then click Next. I prefer the free Cisco VPN client over the built-in Windows client, so I leave the default setting as is on step 2.

When you get to step 3, be sure to take notes as you will need this information for the VPN client later. It doesn’t matter what you enter for the Tunnel Group Name, so just keep it simple and easy to remember. The Pre-shared key however, should be a complex password. For the examples in this article, I'm using simple passwords and keys, which is fine for testing but not for a production environment.

Step 4 is the fork in the road and will send you down the RADIUS path for VPN authentication. Select the option Authenticate using an AAA server group. Click New and fill out the screen as Figure 2 shows. This screen contains information that you will need later, so be sure to take good notes.

Because we will be using RADIUS to authenticate to Active Directory (AD), I call my Server Group name “ActiveDirectory.” The Server IP Address is the address of the server that will host the RADIUS service. The Server Secret Key is a password of sorts that the firewall will use to access the RADIUS server and ask for authentication confirmation.

Note that while ASDM uses the term “Server Secret Key,” Windows 2003 calls the same thing a “Shared Secret,” which you can see if you check the screenshots in Radius Settings mentioned above.

Be sure to write this Server Secret Key down. As I mentioned above, my three-character Server Secret Key is just for testing; be sure to use a complex password in a production environment. We’ll discuss the Server Secret Key in further detail a little later.
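As an added example that is not part of the article, here is what the Server Secret Key (the Shared Secret on the Windows side) actually does on the wire under RFC 2865: the firewall hides the user's password under it, and the server proves it holds the same value in every reply, so a mismatch shows up as garbage credentials and an unverifiable response rather than a clear error. The username, password and secret used below are constructed test values.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types used here

def _attr(atype, value):
    """One RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_xform(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block),
    seeded with the Request Authenticator. hide=True encodes, hide=False decodes."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hide else block  # the chain always runs over the hidden form
    return out

def build_access_request(ident, username, password, secret, request_auth):
    """Client side (the PIX/ASA): hide the user's password under the Server Secret Key."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, _password_xform(padded, secret, request_auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_recover_password(request, secret):
    """Server side (IAS): unhide User-Password with its Shared Secret; a mismatch yields garbage."""
    request_auth, pos = request[4:20], 20
    while pos < len(request):
        atype, alen = request[pos], request[pos + 1]
        if atype == USER_PASSWORD:
            hidden = request[pos + 2:pos + alen]
            return _password_xform(hidden, secret, request_auth, False).rstrip(b"\x00")
        pos += alen
    return None

def build_response(code, request, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20)  # no reply attributes in this example
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def client_verify_response(response, request, secret):
    """Client side: trust Accept/Reject only if the server proved it holds the same secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected
```

The hiding is an MD5 keystream, not encryption: a short secret like a three-character test key is cheap to guess offline from one captured Access-Request, which is why the production secret needs to be complex.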

Continue with the wizard, taking care to create a DHCP Pool (or use an existing one) in step 6. Assign DHCP details such as DNS and WINS in step 7. Be absolutely sure to use 3DES in step 8—not only because it's much more secure than single DES but also because the Cisco VPN client doesn’t seem to want to work with anything except 3DES. Trust me.

Leave the defaults for step 10 unless your company lets users “split tunnel” (access the secure VPN network while simultaneously accessing the unsecure Internet). The last step should allow you to click Finish and apply the configuration to the firewall. You are now done with the firewall and can move on to the RADIUS setup in Windows Server.

IAS/RADIUS Setup
Now that the firewall is set up, it’s time to configure Windows Server. You can use either Windows Server 2008 or 2003, Standard or Enterprise Edition.

There is a limit of 50 RADIUS clients in Standard Edition, but the client in this instance is the firewall, not the individual users. If you have fewer than 50 VPN devices (or other devices that you want to authenticate via RADIUS), then you can use Standard Edition. If you have 51 or more, you need to use Enterprise Edition. Let's look at how to configure Windows 2003 first, then Server 2008.

Windows 2003
If Internet Authentication Service (IAS) isn't already installed, you’ll have to do that first. IAS is the Microsoft implementation of RADIUS. Open Add/Remove Programs in the Control Panel and click Add/Remove Windows Components. You’ll find IAS in the Details of Networking Services. After it's installed, you’ll find a shortcut to IAS in Administrative Tools.

In researching this article, the technical editors and I had an interesting discussion about whether you should or shouldn't install IAS directly on a domain controller (DC). Experience tells us that it's always best to reduce the attack surface and keep the IAS/RADIUS services on a separate server from AD. At the same time, we couldn't find any Microsoft documentation to back up our rule of thumb.

In fact, we found two Microsoft articles that explain how to install IAS onto a DC (see "IAS Best Practices" and "Configure the Primary IAS Server on a Domain Controller"), with no mention of the potential risk. My recommendation stays the same: Keep those services on separate servers. You will have to make your own assessment.




Comments
  • James (Jun 09, 2009)

    Thanks Eric, nice article. Always nice to see how other HW Vendors support this.

    The latest Sonicwall NSA devices support LDAP integration for VPN Clients. No need for a RADIUS server on your network, you just point to a Domain Controller and configure the LDAP settings.
    Regards
