Using RADIUS Proxies to Scale Authentications

When performing authentication for a large number of wireless clients using EAP-TLS and certificates, the volume of authentication traffic needed to keep wireless clients connected can be substantial. In a large deployment, it is best to attempt to spread the load of authentication traffic among multiple IAS server computers. Because you cannot rely on the wireless APs to consistently or adequately spread their authentication traffic among multiple RADIUS servers, intermediate IAS RADIUS proxies can provide this function.

Without RADIUS proxies, each wireless AP sends its RADIUS requests to one or multiple RADIUS servers and detects unavailable RADIUS servers. The wireless AP might or might not be balancing the load of RADIUS traffic across multiple RADIUS servers. By using IAS RADIUS proxies, consistent load balancing is used to spread the load of authentication, authorization, and accounting traffic across all the IAS servers in the organization. Additionally, there is a consistent scheme for failure detection and RADIUS server failover (the detection of an unavailable RADIUS server and avoidance of its use for future authentication requests) and failback (the detection that a previously unavailable RADIUS server is available).

The following configuration is for an organization that uses the following:

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate authorization.

  • Multiple IAS servers.

    To balance the load of RADIUS authentication, authorization, and accounting traffic, there are multiple IAS servers.

  • A wireless remote access policy.

    A wireless remote access policy is configured to authorize wireless connections based on group membership.

  • Two IAS RADIUS proxies.

    Two IAS RADIUS proxies provide fault tolerance for RADIUS requests that are sent from the wireless APs.

Figure 11-2 shows the use of IAS RADIUS proxies to balance the load of RADIUS traffic from wireless APs across multiple IAS servers.

Figure 11-2. Using IAS RADIUS proxies to load balance RADIUS traffic.

To deploy the configuration just described

  1. Configure the certificate infrastructure.

  2. Configure the Active Directory for accounts and groups.

  3. Configure IAS as a RADIUS server on multiple computers.

  4. Configure the primary IAS RADIUS proxy.

  5. Configure the secondary IAS RADIUS proxy.

  6. Configure RADIUS authentication and accounting on wireless APs.

  7. Configure wireless client computers.

This configuration requires the creation of the following RADIUS shared secrets:

  • A different shared secret is needed between each wireless AP and the set of primary and secondary IAS RADIUS proxies. Because typical wireless APs allow the configuration of only a single RADIUS shared secret for both their primary and secondary RADIUS servers, and because we copy the configuration of the primary IAS proxy to the secondary IAS RADIUS proxy, we cannot use different shared secrets between a wireless AP and the primary and secondary IAS RADIUS proxies.

  • A different shared secret is needed between each IAS server and the set of primary and secondary IAS RADIUS proxies. Because we copy the configuration of the primary IAS proxy to the secondary IAS RADIUS proxy, we cannot use different shared secrets between the primary and secondary IAS RADIUS proxies and each IAS RADIUS server.
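The two bullets above describe two separately keyed RADIUS hops: AP to proxy, and proxy to IAS server. The following Python model, added here as an example and not code from the book or from IAS, shows what that means on the wire for EAP traffic: the AP computes the Message-Authenticator attribute (RFC 2869) with the AP-to-proxy secret, the proxy verifies it with that secret, and then re-signs the forwarded copy with the proxy-to-IAS-server secret, so a packet sealed for one hop does not verify on the other. The packet layout follows RFC 2865; the secrets, NAS address, user name, EAP payload and the Proxy-State tag format are constructed values.

```python
"""Added example (not from the book or IAS): per-hop RADIUS shared secrets.
The AP seals its Access-Request for the AP<->proxy hop; the proxy verifies
that seal, then re-seals the forwarded copy for the proxy<->IAS-server hop.
Message-Authenticator is HMAC-MD5 keyed with the hop's shared secret
(RFC 2869 5.14).  All secrets and sample values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_PROXY_STATE = 33
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    """RADIUS header: Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def parse_attributes(packet: bytes):
    """Return (type, offset_of_value, value) per attribute; reject bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length field")
    out, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((atype, off + 2, packet[off + 2:off + alen]))
        off += alen
    return out


def _message_authenticator(packet: bytes, secret: bytes):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    Returns (offset of the 16-byte value, expected MAC)."""
    for atype, voff, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:voff] + b"\x00" * 16 + packet[voff + 16:]
            return voff, hmac.new(secret, zeroed, hashlib.md5).digest()
    raise ValueError("no Message-Authenticator attribute (required with EAP-Message)")


def seal(packet: bytes, secret: bytes) -> bytes:
    """Fill in the Message-Authenticator for this hop's shared secret."""
    voff, mac = _message_authenticator(packet, secret)
    return packet[:voff] + mac + packet[voff + 16:]


def verify(packet: bytes, secret: bytes) -> bool:
    """True only if the seal was made with this secret and nothing was altered since."""
    try:
        voff, mac = _message_authenticator(packet, secret)
    except ValueError:
        return False
    return hmac.compare_digest(packet[voff:voff + 16], mac)


def ap_access_request(user: bytes, eap: bytes, ap_secret: bytes, ident: int) -> bytes:
    """What a wireless AP sends to its primary (or secondary) IAS RADIUS proxy."""
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))      # constructed AP address
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))     # placeholder, filled by seal()
    return seal(build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs), ap_secret)


def proxy_forward(packet: bytes, ap_secret: bytes, server_secret: bytes, proxy_ident: int) -> bytes:
    """The proxy's per-hop work: check the AP hop, then re-seal for the IAS-server hop.
    RFC 2865 lets a proxy choose its own Identifier and append Proxy-State so the
    reply can be matched back to the AP's request; the tag format is constructed."""
    if not verify(packet, ap_secret):
        raise PermissionError("Message-Authenticator check failed: wrong AP secret or altered packet")
    code, ap_ident = packet[0], packet[1]
    attrs = packet[20:] + attr(ATTR_PROXY_STATE, b"ap-id=%d" % ap_ident)
    # seal() overwrites the AP-hop MAC in place with one keyed by the server secret
    return seal(build_packet(code, proxy_ident, packet[4:20], attrs), server_secret)


def demo() -> dict:
    """Run both hops with two different secrets, plus one tampered packet."""
    ap_secret, server_secret = b"ap-secret-A", b"ias-secret-1"      # constructed
    req = ap_access_request(b"user@example.com", b"\x02\x01\x00\x05\x01", ap_secret, ident=7)
    fwd = proxy_forward(req, ap_secret, server_secret, proxy_ident=42)
    tampered = req[:22] + b"X" + req[23:]                           # change one byte of User-Name
    return {
        "ap_hop_ok": verify(req, ap_secret),
        "ap_hop_with_server_secret": verify(req, server_secret),
        "server_hop_ok": verify(fwd, server_secret),
        "server_hop_with_ap_secret": verify(fwd, ap_secret),
        "tampered_ok": verify(tampered, ap_secret),
    }


if __name__ == "__main__":
    print(demo())
```

Because verification happens at each hop, a wrong or leaked secret on one hop is caught at that hop and does not let a request pass the other; this is also why the note later in the chapter configures each IAS server separately rather than cloning one, so the proxy-to-server secrets can differ per server.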

Configuring the Certificate Infrastructure

For EAP-TLS authentication, follow the instructions in the Configuring the Certificate Infrastructure section of Chapter 8.

Configuring Active Directory for Accounts and Groups

Follow the steps in the Configuring Active Directory for Accounts and Groups section of Chapter 8 or Chapter 10.

Configuring IAS as a RADIUS Server on Multiple Computers

To configure IAS on each IAS server computer for EAP-TLS authentication, perform the steps in the following sections of Chapter 8 on each IAS server computer:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS (under Configuring a Wireless Remote Access Policy)

To configure IAS on each IAS server computer for PEAP-MS-CHAP v2 authentication, perform the steps in the following sections of Chapter 10 on each IAS server computer:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS (under Configuring a Wireless Remote Access Policy)

Next, configure each IAS server computer with the primary and secondary IAS RADIUS proxies as RADIUS clients. To do this, perform the steps in the Configuring IAS with RADIUS Clients section of Chapter 8 or Chapter 10 (instead of the wireless APs, add the primary and secondary IAS RADIUS proxies as RADIUS clients).

NOTE
Each IAS server is configured separately rather than configuring an initial IAS server and copying its configuration to other IAS server computers. This process is done so that different RADIUS shared secrets can be used between the IAS RADIUS proxies and the IAS server computers.

Configuring the Primary IAS RADIUS Proxy

To configure the primary IAS RADIUS proxy, do the following:

  1. On a computer running Windows Server 2003, install IAS as an optional networking component.

    The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. For example, you can install IAS on a file server.

  2. If needed, configure additional UDP ports for RADIUS messages that are sent by the wireless APs.

    By default, IAS uses UDP ports 1812 and 1645 for authentication and UDP ports 1813 and 1646 for accounting.

  3. Add the wireless APs as RADIUS clients of the IAS RADIUS proxy using the steps described in the Configuring IAS with RADIUS Clients section of Chapter 8 or Chapter 10.

  4. In the console tree of the Internet Authentication Service snap-in, open Connection Request Processing.

  5. Right-click Remote RADIUS Server Groups, and then click New Remote RADIUS Server Group.

  6. On the Welcome To The New Remote RADIUS Server Group Wizard page, click Next.

  7. On the Group Configuration page, click Custom and type the group name for the RADIUS servers in Group Name (for example: RADIUS Servers in example.com Domain). Click Next.

  8. On the Add Servers page, click Add.

  9. On the Address tab, type the IP address or name of an IAS server. If you specify a name, click Verify to resolve the name to an IP address.

  10. On the Authentication/Accounting tab, type the shared secret between the primary and secondary IAS RADIUS proxies and the IAS server.

  11. Click OK to add the server to the list of servers in the group.

  12. Repeat steps 8 through 11 for each IAS server in the domain.

  13. Click Next.

  14. On the Completing The New Remote RADIUS Server Group page, click Finish.

  15. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  16. On the Policy Configuration Method page, click A Typical Policy For A Common Scenario and then type the name for the Connection Request Policy in Policy Name (for example: Forward Requests to RADIUS Servers in the example.com Domain). Click Next.

  17. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication. Click Next.

  18. On the Realm Name page, type the realm name for all names in the domain or forest (for example: example.com) and clear the Before Authentication, Remove Realm Name From The User Name check box. Select the newly created remote RADIUS server group for all IAS servers in the domain in Server Group. Click Next.

  19. On the Completing The New Connection Request Policy Wizard page, click Finish.

Configuring the Secondary IAS RADIUS Proxy

To configure the secondary IAS RADIUS proxy on another computer, do the following:

  1. On a computer running Windows Server 2003, install IAS as an optional networking component. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. For example, you can install IAS on a file server.

  2. On the primary IAS RADIUS proxy computer, type netsh aaaa show config > path\file.txt at a command prompt.

    This command stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a network path.

  3. Copy the file created in step 2 to the secondary IAS RADIUS proxy computer.

  4. On the secondary IAS RADIUS proxy computer, type netsh exec path\file.txt at a command prompt. This command imports all the settings configured on the primary IAS RADIUS proxy into the secondary IAS RADIUS proxy.

The default load-balancing settings of the RADIUS servers in the remote RADIUS server group cause each IAS RADIUS proxy to distribute the authentication request load equally to all the IAS servers in the domain.
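The load balancing just described, and the failure detection, failover and failback scheme introduced at the start of this section, can be illustrated with a small model. The following Python class is added here as an example and is not code from the book or from IAS: equal member weights give the equal distribution the text describes, a member is failed over after a run of dropped requests, it is skipped for a retry interval, then given one probe request and failed back if it replies. The names `max_failures` and `retry_seconds` are constructed for this model and are not IAS setting names; the timeline in `simulate()` is constructed.

```python
"""Added example (not from the book or IAS): a model of the load balancing,
failure detection, failover and failback a RADIUS proxy applies to a remote
RADIUS server group.  `max_failures` (consecutive dropped requests before a
member is marked unavailable) and `retry_seconds` (wait before probing it
again) are constructed names, not IAS setting names."""


class RadiusServer:
    def __init__(self, name: str, weight: int = 50):
        self.name = name
        self.weight = weight            # share of traffic relative to other members
        self.sent = 0                   # requests dispatched to this member
        self.consecutive_failures = 0
        self.unavailable_since = None   # time of failover; None while available


class RemoteServerGroup:
    def __init__(self, servers, max_failures: int = 3, retry_seconds: int = 30):
        self.servers = list(servers)
        self.max_failures = max_failures
        self.retry_seconds = retry_seconds

    def _eligible(self, now: float):
        """Available members, plus unavailable ones whose retry interval has elapsed (probe)."""
        return [s for s in self.servers
                if s.unavailable_since is None or now - s.unavailable_since >= self.retry_seconds]

    def select(self, now: float) -> RadiusServer:
        """Weighted balancing: pick the member furthest below its weighted share;
        ties break on name so the sequence is deterministic."""
        candidates = self._eligible(now)
        if not candidates:
            raise RuntimeError("no RADIUS server in the group is available")
        server = min(candidates, key=lambda s: (s.sent / s.weight, s.name))
        server.sent += 1
        return server

    def report(self, server: RadiusServer, replied: bool, now: float) -> str:
        """Record one request's outcome and return the member's resulting state."""
        if replied:
            if server.unavailable_since is not None:
                # Failback: rejoin at the others' level so it is not flooded to "catch up"
                server.sent = max(s.sent for s in self.servers)
                server.unavailable_since = None
                server.consecutive_failures = 0
                return "failed back"
            server.consecutive_failures = 0
            return "available"
        server.consecutive_failures += 1
        if server.unavailable_since is not None:
            server.unavailable_since = now      # probe failed: wait another retry interval
            return "still unavailable"
        if server.consecutive_failures >= self.max_failures:
            server.unavailable_since = now      # failover: stop using this member
            return "failed over"
        return "available"


def simulate() -> list:
    """Constructed timeline: equal spread, B stops replying, failover, failed probe, failback."""
    a, b, c = (RadiusServer(n) for n in "ABC")
    group = RemoteServerGroup([a, b, c])
    log = []
    for t in range(6):                                   # healthy: A, B, C, A, B, C
        s = group.select(t)
        group.report(s, True, t)
        log.append((t, s.name, "ok"))
    for t in (10, 11, 12):                               # B drops three requests in a row
        log.append((t, "B", group.report(b, False, t)))
    for t in (15, 16, 17, 18):                           # B is skipped while unavailable
        s = group.select(t)
        group.report(s, True, t)
        log.append((t, s.name, "ok"))
    probe = group.select(42)                             # interval elapsed: B gets one probe
    log.append((42, probe.name, group.report(probe, False, 42)))
    probe = group.select(72)                             # next probe succeeds: failback
    log.append((72, probe.name, group.report(probe, True, 72)))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(*entry)
```

The reset of `sent` on failback is a design choice worth noting: without it, a member that was down for a long time looks far behind its share and receives a burst of requests the moment it returns, which is the opposite of what you want from a server that has just recovered.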

Configuring RADIUS Authentication on the Wireless APs

Deploy your wireless APs to provide coverage for all the areas that require access to your wireless network. (For more information, see Chapter 7.)

Configure your wireless APs to support WEP or WPA encryption and 802.1X authentication. Additionally, configure the RADIUS client on your wireless APs with the following settings:

  • The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure-detection settings.

  • The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure-detection settings.

To balance the load of RADIUS traffic between the primary and secondary IAS RADIUS proxies, configure half of the wireless APs with the primary IAS RADIUS proxy as their primary RADIUS server and the secondary IAS RADIUS proxy as their secondary RADIUS server. Configure the other half of the wireless APs with the secondary IAS RADIUS proxy as their primary RADIUS server and the primary IAS RADIUS proxy as their secondary RADIUS server.

Configuring Wireless Client Computers

To configure the wireless client computer, follow the instructions in the Configuring Wireless Client Computers section of Chapter 8 (for EAP-TLS) or Chapter 10 (for PEAP-MS-CHAP v2).



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies