Private Organization Configuration

The configuration of the RADIUS components in the private organization depends on whether RADIUS servers or RADIUS proxies are placed in the perimeter network.

Using IAS RADIUS Servers

The recommended configuration of IAS RADIUS servers in the perimeter network is that they have two network adapters: one attached to the Internet and one attached to the intranet. This configuration is recommended because it greatly simplifies packet filter configuration on the intranet firewall. Because the IAS RADIUS servers are already attached to the intranet and send their traffic directly to the intranet domain controllers, additional packet filters on the intranet firewall are not needed.

Figure 13-3 shows the configuration of the private organization when using IAS RADIUS servers on the perimeter network.

Figure 13-3. Using IAS RADIUS servers on the perimeter network.

The IAS RADIUS servers have two network adapters installed, but do not have routing enabled. It is not possible to use an IAS RADIUS server on the perimeter network as a router to reach the intranet. The RADIUS traffic that is received on the perimeter network interface of the IAS RADIUS server is sent to the destination address of the IAS RADIUS server. When it is received, the IAS RADIUS server contacts a domain controller on the intranet to verify credentials and obtain account properties.

Configuring Primary and Secondary IAS Servers on the Perimeter Network

To configure the primary and secondary IAS servers on the perimeter network to allow wireless access, see either Chapter 8 (for EAP-TLS authentication) or Chapter 10 (for PEAP-MS-CHAP v2 authentication). The RADIUS clients of the primary and secondary IAS RADIUS servers are the primary and secondary IAS RADIUS proxies of the WISP.

The primary and secondary IAS RADIUS servers on the perimeter network must be configured with additional routes to make the locations on the intranet reachable. Because the primary and secondary IAS RADIUS servers are connected to the Internet via the perimeter network interface, that interface must be configured with a default gateway: the IP address of the Internet firewall's perimeter network interface. The configuration of the default gateway creates a default route on the primary and secondary IAS RADIUS servers that effectively summarizes all the locations on the Internet. Because you cannot use multiple default gateways and you must be able to reach any Internet location, you cannot configure the intranet interface of the primary and secondary IAS RADIUS servers with a default gateway. Therefore, in order for the locations of the intranet to be reachable, you must configure the primary and secondary IAS RADIUS servers with a set of routes that summarizes all the locations of your intranet. For each route, use the route add destination mask netmask gateway -p command to add a persistent route to the IP routing table of both the primary and secondary IAS RADIUS servers. For more information about the route command parameters, type route add at a command prompt.
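The following Python model, added here as an illustration and not taken from the book, shows the routing decision that the paragraph above describes: the perimeter network interface carries the only default route, so without explicit summary routes a packet for an intranet domain controller would be handed to the Internet firewall. The model performs the longest-prefix match that IP forwarding uses and prints the persistent route add commands for each summary. All addresses (192.0.2.0/24 for the perimeter network, 10.0.0.0/8 and 172.16.0.0/12 for the intranet, and the two gateway addresses) are constructed for the example.

```python
"""Routing-table model for a two-adapter IAS RADIUS server on the perimeter network.

Added example (not from the book). Addresses are constructed for illustration:
192.0.2.0/24 stands in for the perimeter network, and 10.0.0.0/8 plus
172.16.0.0/12 stand in for the summarized intranet locations.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str  # adapter the packet leaves by: "perimeter" or "intranet"


# Constructed sample addressing (hypothetical)
PERIMETER_GATEWAY = ipaddress.IPv4Address("192.0.2.1")  # Internet firewall's perimeter interface
INTRANET_GATEWAY = ipaddress.IPv4Address("10.1.0.1")    # next hop reached via the intranet adapter
INTRANET_SUMMARIES = ("10.0.0.0/8", "172.16.0.0/12")


def build_routing_table(intranet_summaries=INTRANET_SUMMARIES):
    """One default route (perimeter side) plus one summary route per intranet block."""
    table = [Route(ipaddress.IPv4Network("0.0.0.0/0"), PERIMETER_GATEWAY, "perimeter")]
    for prefix in intranet_summaries:
        table.append(Route(ipaddress.IPv4Network(prefix), INTRANET_GATEWAY, "intranet"))
    return table


def next_hop(table, destination):
    """Longest-prefix match over the table, as the IP forwarding decision works."""
    addr = ipaddress.IPv4Address(destination)
    matching = [r for r in table if addr in r.destination]
    best = max(matching, key=lambda r: r.destination.prefixlen)
    return best.interface, str(best.gateway)


def route_add_commands(intranet_summaries=INTRANET_SUMMARIES):
    """Persistent 'route add destination mask netmask gateway -p' lines, one per summary."""
    commands = []
    for prefix in intranet_summaries:
        net = ipaddress.IPv4Network(prefix)
        commands.append(f"route add {net.network_address} mask {net.netmask} {INTRANET_GATEWAY} -p")
    return commands


if __name__ == "__main__":
    with_routes = build_routing_table()
    without_routes = build_routing_table(())
    domain_controller = "10.20.30.40"  # constructed intranet domain controller address
    print("with summary routes:   ", next_hop(with_routes, domain_controller))
    print("without summary routes:", next_hop(without_routes, domain_controller))
    print("\n".join(route_add_commands()))
```

The second lookup is the failure mode the paragraph warns about: with no summary routes, the domain controller's address falls through to the default route and leaves by the perimeter adapter toward the Internet firewall, where the credential-check traffic is either dropped or exposed on the wrong network.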

Configuring Firewall Packet Filters

The Internet firewall must be configured with the appropriate packet filters to allow traffic to be exchanged between WISP RADIUS proxies and the IAS RADIUS servers. Because the IAS RADIUS servers are using their intranet interfaces to communicate with the domain controllers of the intranet, additional intranet firewall packet filters are not needed.

Internet Firewall Packet Filters

The following packet filters must be configured on the Internet firewall:

  • For the input filters of the Internet interface and the output filters of the perimeter network interface, configure the following:

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS server and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS server and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS server and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS server and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

  • For the output filters of the Internet interface and the input filters of the perimeter network interface, configure the following:

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS server and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS server and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS server and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS server and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

Using IAS RADIUS Proxies

The configuration of the RADIUS components and firewall packet filters when using IAS RADIUS proxies in the perimeter network depends on whether the IAS RADIUS proxies have a single network adapter attached to the perimeter network or two network adapters: one attached to the Internet and one attached to the intranet. Either configuration is possible because the traffic from the IAS RADIUS proxies to the IAS RADIUS servers on the intranet can be easily specified, unlike the configuration in which IAS RADIUS servers with a single network adapter are located in the perimeter network.

Figure 13-4 shows the configuration of the private organization when using IAS RADIUS proxies in the perimeter network.

Figure 13-4. Using IAS RADIUS proxies in the perimeter network.

In the latter configuration, the IAS RADIUS proxies have two network adapters, but routing is not enabled. It is not possible to use an IAS RADIUS proxy on the perimeter network as a router to reach the intranet. The RADIUS traffic that is received on the perimeter network interface of the IAS RADIUS proxy is sent to the destination address of the IAS RADIUS proxy. When it is received, the IAS RADIUS proxy creates a new RADIUS message that is sent to an IAS RADIUS server on the intranet using the intranet interface.

Configuring the Primary IAS RADIUS Proxy on the Perimeter Network

To configure the primary IAS proxy on the perimeter network, follow the steps in the Installing IAS and Configuring IAS Server Properties section of this chapter. Next, you must configure the primary IAS proxy with RADIUS clients that correspond to the WISP primary and secondary IAS RADIUS proxies.

For the steps to configure RADIUS clients, see Configuring the Primary IAS RADIUS Proxy with RADIUS Clients in this chapter. Next, you must configure a connection request policy that forwards RADIUS messages to the IAS RADIUS servers on the intranet.

To configure a connection request policy to forward RADIUS messages to the IAS RADIUS servers on the intranet

  1. In the console tree of the Internet Authentication Service snap-in, double-click Connection Request Processing, right-click Connection Request Policies, and then click New Connection Request Policy.

  2. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, select A Typical Policy For A Common Scenario and type the name of the policy in Policy Name.

  4. Click Next. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication.

  5. Click Next. On the Realm Name page, type the realm name for the private organization in Realm Name and clear the Before Authentication, Remove Realm Name From The User Name check box.

  6. Click New Group.

  7. On the Welcome To The New Remote RADIUS Server Group Wizard page, click Next.

  8. On the Group Configuration Method page, type the name of the remote RADIUS server group in Group Name.

  9. Click Next. On the Add Servers page, type the IP address or DNS domain name of the primary IAS RADIUS server on the intranet in Primary Server, the IP address or DNS domain name of the secondary IAS RADIUS server on the intranet in Backup Server, and the RADIUS shared secret in both Shared Secret and Confirm Shared Secret. Click Next.

  10. On the Completing The New Remote RADIUS Server Group Wizard page, click Finish.

  11. On the Realm Name page, click Next.

  12. On the Completing The New Connection Request Processing Policy Wizard page, click Finish.

  13. In the details pane, right-click the connection request policy named Use Windows Authentication For All Users and then click Delete. In Delete Connection Request Policy, click Yes.
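The following Python model is added here to show the effect of the wizard choices in the procedure above; it is not code from the book or from IAS, and it simplifies realm matching to an exact, case-insensitive comparison. It shows the three decisions the policy encodes: a request is matched on the realm in its User-Name, the realm is left in place because the Before Authentication, Remove Realm Name From The User Name check box was cleared in step 5, the request is forwarded to the group's primary server with the backup server as the fallback configured in step 9, and, because the Use Windows Authentication For All Users policy was deleted in step 13, a request whose realm matches no policy is discarded rather than authenticated against the proxy's local accounts. The policy name, realm, group name and server addresses are constructed.

```python
"""Simplified model of an IAS RADIUS proxy's connection request processing.

Added example (not from the book and not IAS code). Realm matching is reduced
to an exact, case-insensitive comparison. Policy names, the realm, the group
name and the server addresses are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteRadiusServerGroup:
    name: str
    primary: str   # Primary Server on the Add Servers page
    backup: str    # Backup Server on the Add Servers page


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    realm: str                  # realm typed on the Realm Name page
    group: RemoteRadiusServerGroup
    strip_realm: bool = False   # False: the "Remove Realm Name" check box is cleared


def split_user_name(user_name):
    """Return (user, realm) for user@realm or realm\\user; realm is None if absent."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm.lower()
    return user_name, None


def process_request(policies, user_name, primary_reachable=True):
    """First policy whose realm matches wins; with no match the request is discarded."""
    user, realm = split_user_name(user_name)
    for policy in policies:
        if realm is not None and realm == policy.realm.lower():
            return {
                "action": "forward",
                "policy": policy.name,
                "server": policy.group.primary if primary_reachable else policy.group.backup,
                "user_name": user if policy.strip_realm else user_name,
            }
    # No default policy remains (step 13 deleted it), so nothing authenticates locally.
    return {"action": "discard", "policy": None}


# Constructed sample configuration (hypothetical)
INTRANET_GROUP = RemoteRadiusServerGroup("Intranet IAS servers", "10.0.0.11", "10.0.0.12")
POLICIES = [ConnectionRequestPolicy("Forward example.com to intranet", "example.com", INTRANET_GROUP)]


if __name__ == "__main__":
    for name in ("alice@example.com", "EXAMPLE.COM\\bob", "mallory@other.example", "noplainrealm"):
        print(name, "->", process_request(POLICIES, name))
    print("primary down ->", process_request(POLICIES, "alice@example.com", primary_reachable=False))
```

The discard outcome is the security-relevant one: a roaming user from a realm the private organization has no agreement with never reaches the intranet IAS servers, and the proxy itself has no policy under which to try Windows authentication.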

The primary IAS RADIUS proxy on the perimeter network must be configured with additional routes to make the locations on the intranet reachable. For the set of routes that summarizes all of the locations of your intranet, use the route add destination mask netmask gateway -p command to add each route to the IP routing table of the primary IAS RADIUS proxy.

Configuring the Secondary IAS RADIUS Proxy on the Perimeter Network

After the primary IAS RADIUS proxy is configured, install IAS on the secondary IAS RADIUS proxy computer and copy the configuration of the primary IAS RADIUS proxy by using the steps described in the Configuring the Secondary IAS RADIUS Proxy section of this chapter.

For the set of routes that summarizes all the locations of your intranet, use the route add destination mask netmask gateway -p command to add each route to the IP routing table of the secondary IAS RADIUS proxy.

Configuring Primary and Secondary IAS Servers on the Intranet

To configure the primary and secondary IAS servers on the intranet to allow wireless access, see either Chapter 8 (for EAP-TLS authentication) or Chapter 10 (for PEAP-MS-CHAP v2 authentication). This configuration is the same regardless of whether the IAS RADIUS proxies on the perimeter network have one or two network adapters.

Configuring Firewall Packet Filters

The Internet and intranet firewalls must be configured with the correct packet filters that allow traffic to be exchanged between:

  • The WISP IAS RADIUS proxies and the private organization's IAS RADIUS proxies in the perimeter network (the Internet firewall).

  • The private organization's IAS RADIUS proxies in the perimeter network and the IAS RADIUS servers located on the intranet (the intranet firewall).

Internet Firewall Packet Filters

Regardless of whether the IAS RADIUS proxies have one or two network adapters, the following packet filters must be configured on the Internet firewall:

  • For the input filters of the Internet interface and the output filters of the perimeter network interface, configure the following:

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

  • For the output filters of the Internet interface and the input filters of the perimeter network interface, configure the following:

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

Intranet Firewall Packet Filters

The configuration of packet filters on the intranet firewall depends on whether the IAS RADIUS proxies have one network adapter or two. If the IAS RADIUS proxies have two network adapters, the intranet firewall does not need to be configured with additional packet filters because the RADIUS traffic is sent directly to the intranet IAS RADIUS server by the IAS RADIUS proxies using their intranet interfaces.

If the IAS RADIUS proxies have only a single network adapter, the intranet firewall must be configured with the following packet filters:

  • For the input filters of the perimeter network interface and the output filters of the intranet interface, configure the following:

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the destination IP address set to the primary IAS RADIUS server, and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the destination IP address set to the secondary IAS RADIUS server, and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the destination IP address set to the primary IAS RADIUS server, and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the destination IP address set to the secondary IAS RADIUS server, and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the destination IP address set to the primary IAS RADIUS server, and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the destination IP address set to the secondary IAS RADIUS server, and the destination UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the destination IP address set to the primary IAS RADIUS server, and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the source IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the destination IP address set to the secondary IAS RADIUS server, and the destination UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

  • For the output filters of the perimeter network interface and the input filters of the intranet interface, configure the following:

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the source IP address set to the primary IAS RADIUS server, and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the source IP address set to the secondary IAS RADIUS server, and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the source IP address set to the primary IAS RADIUS server, and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the primary IAS RADIUS proxy, the source IP address set to the secondary IAS RADIUS server, and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the source IP address set to the primary IAS RADIUS server, and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the source IP address set to the secondary IAS RADIUS server, and the source UDP port set to 1812 (or an alternate UDP port used for RADIUS authentication traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the source IP address set to the primary IAS RADIUS server, and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).

    • A packet filter that allows packets with the destination IP address set to the perimeter network IP address of the secondary IAS RADIUS proxy, the source IP address set to the secondary IAS RADIUS server, and the source UDP port set to 1813 (or an alternate UDP port used for RADIUS accounting traffic).
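The following Python model is added here to show how the three packet filter lists in this chapter are built and evaluated: the Internet firewall filters for the IAS RADIUS server configuration and for the IAS RADIUS proxy configuration, which key only on the perimeter host address and the RADIUS port, and the intranet firewall filters for single-adapter proxies, which key on the proxy address, the server address and the port. It is not code from the book and uses no firewall product's syntax; the filters are stateless, which is why each list needs an explicit mirror-image list for the replies. It generates the same number of filters as the bullets enumerate and checks constructed packets against them. All addresses are constructed.

```python
"""Model of the stateless RADIUS packet filters listed in this chapter.

Added example (not from the book and not any firewall product's syntax).
Addresses are constructed: 192.0.2.0/24 stands in for the perimeter network
and 10.0.0.0/8 for the intranet.
"""
from dataclasses import dataclass
from typing import Optional

RADIUS_AUTH_PORT = 1812
RADIUS_ACCT_PORT = 1813


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str = "udp"


@dataclass(frozen=True)
class Filter:
    """One allow rule; a None field matches any value."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        return (
            pkt.protocol == "udp"
            and (self.src_ip is None or self.src_ip == pkt.src_ip)
            and (self.dst_ip is None or self.dst_ip == pkt.dst_ip)
            and (self.src_port is None or self.src_port == pkt.src_port)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def internet_firewall_filters(perimeter_hosts):
    """Internet-interface input / perimeter-interface output filters and their mirrors.

    The bullets key only on the perimeter host address and the RADIUS port;
    the reply filters use the same host as source and the port as source port.
    """
    inbound, outbound = [], []
    for host in perimeter_hosts:
        for port in (RADIUS_AUTH_PORT, RADIUS_ACCT_PORT):
            inbound.append(Filter(dst_ip=host, dst_port=port))
            outbound.append(Filter(src_ip=host, src_port=port))
    return inbound, outbound


def intranet_firewall_filters(proxies, servers):
    """Perimeter-interface input / intranet-interface output filters for
    single-adapter proxies, and their mirrors: one filter per proxy, server and port."""
    to_intranet, from_intranet = [], []
    for proxy in proxies:
        for server in servers:
            for port in (RADIUS_AUTH_PORT, RADIUS_ACCT_PORT):
                to_intranet.append(Filter(src_ip=proxy, dst_ip=server, dst_port=port))
                from_intranet.append(Filter(src_ip=server, dst_ip=proxy, src_port=port))
    return to_intranet, from_intranet


def permitted(filters, pkt):
    """Stateless evaluation: the packet passes if any allow filter matches it."""
    return any(f.matches(pkt) for f in filters)


# Constructed sample addressing (hypothetical)
PROXIES = ("192.0.2.10", "192.0.2.11")  # primary and secondary IAS RADIUS proxies (perimeter)
SERVERS = ("10.0.0.11", "10.0.0.12")    # primary and secondary IAS RADIUS servers (intranet)


if __name__ == "__main__":
    to_intranet, from_intranet = intranet_firewall_filters(PROXIES, SERVERS)
    checks = [
        ("proxy -> server, auth port", to_intranet, Packet("192.0.2.10", "10.0.0.11", 50000, 1812)),
        ("proxy -> server, unlisted port", to_intranet, Packet("192.0.2.10", "10.0.0.11", 50000, 1645)),
        ("other perimeter host -> server", to_intranet, Packet("192.0.2.99", "10.0.0.11", 50000, 1812)),
        ("server reply -> proxy", from_intranet, Packet("10.0.0.11", "192.0.2.10", 1812, 50000)),
        ("server reply -> other host", from_intranet, Packet("10.0.0.11", "192.0.2.99", 1812, 50000)),
    ]
    for label, filters, pkt in checks:
        print(f"{label}: {'allow' if permitted(filters, pkt) else 'drop'}")
```

Two points the filter counts make visible: the intranet list grows as proxies times servers times ports (eight filters per direction for two of each, matching the eight bullets in each list above), and the reply filters admit any UDP packet from a server's RADIUS source port to a proxy address, so the proxy's own validation of the RADIUS authenticator and shared secret, not the firewall, is what rejects forged replies.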



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies