SET-UP RADIUS AUTH ON W2K
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who
has kindly consented to it being hosted here on the TAZ.
The original post can be found here:
http://www.antionline.com/showthread.php?s=&threadid=239399
OK, since I had to do this, I figured that other people out there could
use this info. My doc explains how to set up RADIUS on W2K server.
How to activate RADIUS on Windows 2000
Environment: W2K AD controller (RADIUS SERVER) and W2K server
stand-alone (no AD)
During the Windows 2000 server installation, request the
installation of "Networking Services" (in addition to the other
services installed by default). If you did not do that during
installation, you can do it anytime from "My Computer", "Control Panel",
"Add/Remove Programs", "Add/Remove Windows Components", "Networking
Services".
Run "Start", "Programs", "Administrative Tools", "Internet
Authentication Service", which is the Windows 2000 RADIUS server.
While in "Internet Authentication Service", select "Remote Access
Policies", right click "Allow access if dial-in permission is
enabled" and select "Properties". Enable "Grant remote access
permission" and then select "Edit profile". Select "Authentication",
and then enable "Unencrypted authentication (PAP/SPAP)". Disable the
other methods.
While still in "Internet Authentication Service", click once on
"Internet Authentication Service (local)", then select "Action" and
"Register Service in Active Directory".
NOTE: To specify authentication and accounting ports, right click
"Internet Authentication Service (local)" and choose "Properties". Click
the RADIUS tab and then enter the appropriate ports. By default, IAS
lists the RADIUS ports from both before and after the RFC was issued
(1812,1645 for authentication and 1813,1646 for accounting).
While still in "Internet Authentication Service", Select "Remote
Access Logging" and "Local File". On "Settings", enable "Log
Authentication Requests...". On "Local File", select a monthly log
file, in IAS format (or whatever you'd prefer).
Click on the "Clients" folder and choose "Action", "New Client".
Provide a "Friendly" name like "SmartGate" or whatever. Leave Protocol
as RADIUS. Click "Next". Choose either IP or an FQDN (DNS Config is
required).
Leave Client-Vendor as RADIUS Standard. Leave the checkmark out of
"Client must always send the signature attribute in the request". Enter
your shared secret and then confirm it.
Before leaving, be sure the service is running by clicking once on
"Internet Authentication Service (Local)", then choose "Action", "Start
Service".
Create a user with the MMC and be sure that you grant RAS access to
the user. This is done by right clicking on the user and choosing
"Properties". Select the "Dial-in" tab and select "Allow Access".
NOTE: Windows 2000 RADIUS uses the User Logon Name, not the name you
enter in First Name/Last Name on the "General" tab.
Drop to a command prompt and do a "netstat -an" to be sure that UDP is
listening on the proper ports.
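With the server listening, this is what a client request looks like on the wire under the settings chosen above (PAP only, a shared secret, signature attribute not required). It is an added example, not part of the original post: Python that builds an RFC 2865 Access-Request and shows both sides of the password masking, which is an MD5 keystream keyed by the shared secret while the user name travels in clear. The user name, password, secret and NAS address are constructed sample values.

```python
# Added example, not from the original post: RFC 2865 Access-Request with PAP.
# User name, password, shared secret and NAS address are constructed values.
import hashlib
import os
import struct

def keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865, 5.2): pad to 16-byte blocks, XOR with an MD5 chain."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream(secret, prev)))
        out += prev                      # each masked block keys the next one
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain, run with the configured shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")           # drop the NUL padding

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(user: bytes, password: bytes, secret: bytes, nas_ip: str,
                   ident: int = 1, authenticator: bytes = b"") -> bytes:
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(1, user)                                    # User-Name, cleartext
             + attribute(2, hide_password(password, secret, authenticator))
             + attribute(4, bytes(int(o) for o in nas_ip.split("."))))  # NAS-IP-Address
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))        # code 1 = Access-Request
    return header + authenticator + attrs

if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    pkt = access_request(b"jdoe", b"Example-Passw0rd!", secret, "192.0.2.10", authenticator=auth)
    print(pkt.hex())
    hidden = pkt[28:60]                  # value of the User-Password attribute
    print(reveal_password(hidden, secret, auth))           # matches the input
    print(reveal_password(hidden, b"wrong-secret", auth))  # garbage bytes
```

Because the request carries no Message-Authenticator, the masking keyed by the shared secret is the only protection the password has in transit, so the secret entered for the client should be long and random.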
CLIENT SETUP:
Follow the setup for RADIUS in the documentation.
NOTE:
Be sure to check the remote access accounting tab. Remove any
accounting restrictions or adjust it to meet your remote access policy.
Anyway, hope this helps someone else out too.
Original Tutorial
Submitted by
Nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.

