In many cases, it may not be feasible to grant the ISA Server domain membership. In these cases, ISA can still authenticate VPN users through the industry-standard Remote Authentication Dial-In User Service (RADIUS). Microsoft's Internet Authentication Service (IAS), which provides RADIUS authentication against Active Directory user accounts, is included with Windows 2000 Server and Windows Server 2003. In a Microsoft-based network, this allows stand-alone servers such as ISA to authenticate domain users without themselves being domain members. For additional information on the RADIUS protocol, please review RFC 2865 on the IETF website as follows:
Any RADIUS-compliant server, including third-party offerings, can be used by ISA to authenticate users. This can be a useful way to extend ISA to take advantage of an existing investment within an organization.
Installing the Internet Authentication Service (IAS) for Active Directory RADIUS Support
IAS can be installed on a member server or Domain Controller running on Windows 2000 Server or Windows Server 2003. The following procedure can be used to set up IAS on both a Windows 2000 server and a Windows 2003 server:
IAS should never be installed on the ISA Server itself, but rather on an internal member server or domain controller. The ISA Server is the exposed edge of the network; keeping IAS behind it means that the component that reads Active Directory and holds the RADIUS shared secret is not running on the system that faces the Internet.
Open the Add or Remove Programs menu from within the Control Panel of the server designated to host IAS.
Select the Add/Remove Windows Components button.
When the Windows Components Wizard window opens, scroll down to locate the Networking Service component section.
Highlight the Networking Services component, and click the Details button. Do not click the check box beside Networking Services; doing so installs every component in the group.
On the Networking Service window, check the Internet Authentication Service checkbox, as shown in Figure 9.9.
Figure 9.9. Installing the Internet Authentication Service (IAS).
Click OK to close the Networking Services window. On the Windows Components Wizard window, click Next.
When the installation is complete, click Finish to close the window.
Detailing IAS Permissions Required in Active Directory
To successfully authenticate domain users, the IAS server needs rights to read the dial-in properties of user accounts within Active Directory. Authorizing (registering) the IAS server grants this by adding the IAS server's computer account to the RAS and IAS Servers group within the Users container in Active Directory. If users from other domains will authenticate against the IAS server, the IAS server's computer account must also be added to the RAS and IAS Servers group in each of those domains. This can be done manually from within Active Directory Users and Computers or scripted with the NETSH or DSMOD utilities (for example, netsh ras add registeredserver domain=<domain> server=<IAS server name> registers the server in the specified domain).
To register the IAS server by adding it to the RAS and IAS Servers group, the appropriate administrative permissions are required in each domain.
Use the following procedure to authorize the IAS server through the IAS management console:
Open the Internet Authentication Service console (Start, Administrative Tools, Internet Authentication Service).
Right-click Internet Authentication Service (Local) and select Register Service in Active Directory from the context menu, as shown in Figure 9.10.
Figure 9.10. Registering the IAS Service in Active Directory.
An information dialog box is displayed describing the event. Click the OK button.
A warning dialog box is displayed stating that the computer is now authorized to read users' dial-in properties for the domain. Click the OK button.
Setting Up the ISA Server as an IAS Client
IAS needs to be configured to accept authentication requests from the ISA VPN server. The following procedure adds the ISA VPN server as a RADIUS client on either a Windows 2000 server or a Windows 2003 server; the term client here refers to the ISA VPN server, because it is the client of the IAS service.
Open the Internet Authentication Service console.
Right-click RADIUS Clients and select New RADIUS Client from the context menu.
On the Name and Address properties window, enter the Friendly Name and Client Address in the fields provided. The Friendly Name can be any name used to identify the ISA server. The Client Address can be either the host name or the IP address of the internal interface on the ISA server, as shown in Figure 9.11; using the IP address avoids the name-resolution dependency described later in this section. Click Next to continue.
Figure 9.11. Setting up the ISA Server as an IAS client.
On the Additional Information properties window, select Microsoft from the Client-Vendor drop-down list.
Enter and confirm a shared secret in the field provided. The same shared secret is entered again later, when the IAS server is defined on the ISA server; it is the key both sides use to hide the password attribute and to authenticate the RADIUS messages they exchange.
The shared secret is used to hide specific information sent between the RADIUS server and RADIUS client: the User-Password attribute is combined with an MD5 keystream derived from the secret and the request authenticator, so it cannot be read without the secret. The shared secret is also used to verify the integrity and origin of the messages: the Response Authenticator and the Message-Authenticator attribute are both computed from the packet contents and the secret, so a message modified in transit or forged by someone who does not hold the secret is rejected. Because the secret is the only thing protecting this traffic, it is highly recommended to use a shared secret of at least 22 characters consisting of a random combination of alphanumeric and special characters; 128 random characters, the maximum IAS accepts, is optimal.
Depending on the level of comfort desired, the shared secret should be changed periodically, and more often if the network segment between the ISA VPN server and the IAS server is not completely trusted. Anyone who can capture a RADIUS request and its response can test candidate secrets offline at the cost of one MD5 computation each, so a short or guessable secret can be recovered from a single captured exchange; changing the secret limits how long a recovered value stays useful, but only a long random secret makes the guessing itself impractical. As an additional level of security, IP Security (IPSec) encryption using machine certificates between the ISA server and the IAS server is recommended.
Enable the Request Must Contain the Message Authenticator Attribute option.
Click Finish to close the window. The newly configured RADIUS client is displayed in the Details pane.
Establishing IAS Remote Access Policies
After the RADIUS client information has been created, the RADIUS server must be configured to allow VPN connections. IAS allows for the creation of Remote Access Policies that allow specific types of VPN connections to be made. These Remote Access Policies also allow for specific users or groups to be granted access.
Whether using domain-based or RADIUS authentication, it is best practice to create an Active Directory group that will be used to grant access to VPN. Granting VPN access then becomes as simple as adding a user as a member of that group.
To create a Remote Access Policy, perform the following from the server running IAS (not the ISA Server):
Open the IAS Console (Start, All Programs, Administrative Tools, Internet Authentication Service).
Right-click the Remote Access Policies node and click New Remote Access Policy.
At the Wizard welcome screen, click Next to continue.
At the subsequent dialog box, shown in Figure 9.12, select Use the Wizard to Set Up a Typical Policy for a Common Scenario.
Figure 9.12. Creating a Remote Access Policy for RADIUS VPN authentication.
Enter a name for the policy, and click Next to continue.
From the list of access methods, select VPN and click Next.
Under the User or Group Access dialog box, select Group, and then click the Add button.
Enter a name of an Active Directory Group whose members will have VPN access and then click OK and then Next to continue.
Select the authentication protocols that the policy will support. For security reasons, it is often best to allow only MS-CHAP v2: PAP sends the user's password in the clear across the PPP link, CHAP requires that passwords be stored in Active Directory using reversible encryption, and MS-CHAP v1 is weaker than version 2. Click Next to continue.
Select the encryption levels that will be supported (MPPE 40-, 56- or 128-bit for PPTP; DES or 3DES for L2TP/IPSec). Allowing weaker levels of encryption can be a security risk, but can allow for greater compatibility with older clients; where possible, permit only the strongest level. Click Next to continue.
Review the settings and click Finish.
After the Remote Access Policy is in place, advanced settings and other modifications can be made by double-clicking the policy, which displays the options shown in Figure 9.13.
Figure 9.13. Reviewing an IAS Remote Access Policy.
Examining RADIUS Message Authentication
The RADIUS server and the RADIUS client accept messages only from the IP addresses configured on each side. Because a UDP source address is easy to forge, that check alone cannot prove who sent a packet, and a plain Access-Request carries no proof that its sender knows the shared secret (its Request Authenticator is simply a random value). Enabling the Message Authenticator option closes this gap: the Message-Authenticator attribute is an HMAC-MD5 computed over the entire RADIUS packet, using the shared secret as the key. If the receiving client or server does not calculate the same value, the packet is silently discarded. For additional information, please review RFC 2869, detailing RADIUS extensions.
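The following Python script is an added example, not code from this book or from ISA Server or IAS. It builds the RADIUS messages this section and the shared-secret discussion above describe, so that the role of the secret can be seen directly: the User-Password attribute hidden with the secret (RFC 2865 section 5.2), the Message-Authenticator HMAC-MD5 that the Request Must Contain the Message Authenticator Attribute option enforces (RFC 2869 section 5.14), the Response Authenticator the client checks on the reply (RFC 2865 section 3), and the offline dictionary attack on a captured request/response pair that is the reason the length recommendation for the secret matters. The user name, password, ISA internal address 10.0.0.2 and both secrets are constructed values. For brevity the request carries a PAP-style User-Password attribute; a real MS-CHAP v2 exchange between ISA and IAS carries MS-CHAP attributes instead, but the secret and authenticator handling shown here is the same. Only the Python standard library is used.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attr(atype, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (type, value) pairs that follow the 20-byte RADIUS header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    starting from the Request Authenticator, which travels in the clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request as the ISA VPN server (the RADIUS client) sends it, with a
    Message-Authenticator: HMAC-MD5 over the whole packet, keyed with the shared
    secret, computed with the attribute's own 16 bytes zeroed (RFC 2869 5.14)."""
    authenticator = authenticator or os.urandom(16)  # fresh random value per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """What IAS enforces with 'Request Must Contain the Message Authenticator
    Attribute': recompute the HMAC; forged, modified or unsigned requests fail."""
    received, rebuilt = None, b""
    for atype, value in parse_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            received, value = value, b"\x00" * 16
        rebuilt += attr(atype, value)
    if received is None:
        return False  # attribute absent: the request is discarded
    expected = hmac.new(secret, packet[:20] + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request, secret, attrs=b""):
    """Access-Accept/Reject; Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client-side check that the reply came from a server holding the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def guess_secret(request, response, candidates):
    """Offline dictionary attack on a captured request/response pair: every input to
    the Response Authenticator except the secret is on the wire, so a guess costs one
    MD5. This is why the secret must be long and random (or the link IPSec-protected)."""
    for candidate in candidates:
        if verify_response(response, request, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values: a weak secret, a test user and an ISA internal address.
    weak = b"radius123"
    req = build_access_request(1, weak, b"jdoe", b"P@ssw0rd", "10.0.0.2")
    resp = build_response(ACCESS_ACCEPT, req, weak)
    print("message authenticator ok:", verify_message_authenticator(req, weak))
    print("secret recovered offline:", guess_secret(req, resp, [b"password", b"radius", b"radius123"]))
```

Running the script shows both halves of the argument in this section: with the secret, the server validates the Message-Authenticator and the client validates the Response Authenticator; without it, a modified or forged request fails the check and is discarded. The last line shows the cost of a weak secret: a nine-character dictionary word is recovered from one captured exchange by trying a handful of candidates, whereas a 128-character random secret leaves the attacker with nothing better than exhaustive search over an impractically large space.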
Be careful when configuring the RADIUS client address with the hostname of the ISA VPN server. Verify that the IAS server can resolve this name to the internal interface of the ISA VPN server; if it resolves to the external interface, or not at all, IAS discards the requests as coming from an unknown client. If the ISA server is a member of the domain, it may have already registered its IP address with the internal Active Directory DNS server. If the ISA server is a stand-alone system, then either a host record needs to be added to the internal DNS server or an entry needs to be added to the hosts file on the IAS server.
Configuring ISA to Use IAS for Authentication
The first step is to define the list of RADIUS servers available to ISA for authentication. Use the following process to define one or more RADIUS servers. It is recommended to have at least two RADIUS servers for redundancy; each of them must have the ISA server defined as a RADIUS client, and the shared secret entered for each server in ISA must match the one configured on that server.
Open the ISA Server Management console.
From within the scope pane, expand Configuration, and select the General menu item.
Select Define RADIUS Servers from the Details pane.
On the RADIUS Servers page, click the Add button.
Enter the hostname or IP address of the RADIUS server in the Server Name field.
Enter a description in the Server Description field.
Click the Change button, and enter and confirm the shared secret as shown in Figure 9.14. This key must match the key entered on the IAS (RADIUS) server. Click the OK button when complete.
Figure 9.14. Defining a RADIUS server shared-key in ISA.
The default Port (UDP 1812, the port assigned to RADIUS authentication in RFC 2865) and Time-out values are appropriate in most scenarios and can be left as default. Change the port only if the IAS server has been configured to listen on a different one.
Enable the Always Use Message Authenticator check box; this must be enabled when the Request Must Contain the Message Authenticator Attribute option was set for the ISA client on the IAS side, or IAS will discard ISA's requests. Click the OK button to close the Add RADIUS Servers window.
Click the OK button to close the RADIUS servers window, then click the Apply button to save and apply the new changes.
After the list of RADIUS servers has been defined, the VPN configuration can be modified to use RADIUS for authentication. The following process selects the IAS server that will authenticate VPN users:
Open the ISA Server Management console.
Select the Virtual Private Networks (VPN) menu item from the Scope pane.
Make sure the VPN Clients tab is active in the Details pane, and then select Specify RADIUS Configuration from the Task pane.
Enable the Use RADIUS for Authentication check box.
Click the RADIUS Servers button.
From the list of RADIUS servers shown in Figure 9.15, select the RADIUS server created in the previous steps and then press the OK button.
Figure 9.15. Modifying RADIUS server settings for VPN client access.
Click the OK button. A warning dialog box states that applying this setting will disconnect all active VPN sessions; click the OK button to acknowledge the warning.
Click the OK button to close the Virtual Private Networks (VPN) Properties window.
Click the Apply button to save and apply the configuration.
As a result of the previous steps, the Groups option within the VPN configuration is grayed out. Remote access is now controlled by the IAS remote access policy together with the dial-in properties of the user accounts in Active Directory: a user whose dial-in setting is Deny access is rejected regardless of policy, so accounts should be left at Control access through Remote Access Policy (or set to Allow access). From this point, all VPN authentication will use RADIUS unless otherwise reconfigured.