
How Do I Configure Microsoft IAS Server for RADIUS Server External Admin Authentication (using WINDOWS 2003 Server)

Article ID: KB17135    Last Updated: 19 Apr 2010    Version: 2.0
Summary:

How Do I Configure Microsoft IAS Server for RADIUS Server External Admin Authentication (using WINDOWS 2003 Server)

Symptoms:

Configuring Windows 2003 IAS Server for RADIUS Server External Admin Authentication

Solution:

Perform the following steps to configure your NetScreen device for RADIUS external admin authentication using IAS and Active Directory on Windows 2003.

NOTE: For instructions using Active Directory on Windows 2000, refer to KB6642 and KB4448. The instructions in this article replace those articles and apply to Active Directory on Windows 2003.

Create a Global Security Group

Ensure you have a Domain Controller installed and running. Then go to Start > Active Directory Users and Computers, and perform the following to create a Global Security Group called "Admin":
  • Create a group, and add the administrators you want in that group. For example, create a group called "Admin".
  • Add the users you want to manage the firewall to the Admin group.
    • Ensure the users have Allow Access checked under Remote Access Permission (Dial-in).
    • To do so, open the user's Properties and, on the Dial-in tab, select "Allow Access".

Install and configure IAS on the Domain Controller:

Perform the following steps to install and configure IAS on the Domain Controller:
  • Click on "Add/Remove Programs"
  • Click on "Add/Remove Components"
  • Check Network Services
  • Check Internet Authentication Service
  • Click Start -> Admin Tools -> Internet Authentication Service; an MMC console opens.
  • Right-click Internet Authentication Service and choose Register Server with Active Directory.
  • Next, right-click RADIUS Clients and choose New RADIUS Client. Another window opens.
    • Choose a Friendly name
    • Enter the IP address of the NetScreen's management (inside) interface, i.e. the address the firewall sends its RADIUS requests from
    • Click Next
    • Client-Vendor should be RADIUS Standard
    • Pick a Shared Secret
  • In the left pane, right-click Remote Access Policies and choose New Remote Access Policy
    • Select "Use the wizard to set up a typical policy for a common scenario"
    • Choose a Policy Name and click Next
    • Select the Ethernet radio button and click Next
    • Select Group "ADMIN" and click Add
    • Choose the group created above in Active Directory
    • Leave the Authentication Method at its default
    • Double-click the new policy in the right pane
      • Remove the Ethernet value
      • Double-click Client-IP-Address and enter the IP address of the NetScreen device
      • Double-click Windows-Groups and choose the group created in Active Directory
      • Ensure "Grant remote access permission" is selected
    • Click the Edit Profile button
      • In the Authentication tab, ensure Unencrypted authentication (PAP) is selected
      • In the Encryption tab, choose Strongest encryption (MPPE 128 bit)
      • In the Advanced tab, double-click Vendor-Specific
        • Highlight the vendor and click Edit
        • The Vendor code is 3224
        • Check "Yes, it conforms"
        • Click Configure Attribute
        • Vendor-assigned attribute number is "1"
        • Attribute format is "Decimal"
        • Attribute value is "2"

For more information on the RADIUS attributes for Admin Privileges, refer to KB5688.

Configure the Auth Server on the NetScreen firewall:

  • Log into the WebUI of the NetScreen firewall.
  • Click Configuration -> Auth -> Auth Servers
    • Click New
    • Choose a name for the RADIUS Auth Server, e.g. "Rad123"
    • In the IP field, enter the IP address of the RADIUS server (the IAS server)
    • In the Backup1 and Backup2 fields, enter the IP addresses of any backup IAS servers
    • Check the Admin option
    • The Source Interface should be the interface connected to the IAS server
    • Ensure the RADIUS radio button is selected
    • RADIUS port is 1645
    • Enter the Shared Secret configured on the IAS server.
  • Click Configuration -> Admin -> Administrators
    • Under Admin Privileges, check the box "Get privilege from RADIUS server"
    • Set Admin Auth Server to LOCAL/<RADIUS SERVER NAME>, where <RADIUS SERVER NAME> is the name of the server created above ("Rad123")


Troubleshooting

If the user cannot log in, perform the following on the NetScreen firewall:
  1. Check the event logs in the System category. This will give you a good indication of what the problem may be. Common reasons are as follows:
     - A remote access privilege may be needed on the account in AD.
     - The user may not be in the correct group.
  2. Ping from the firewall to the RADIUS server.
  3. Check the IP address specified for the firewall on the RADIUS server.
  4. Run debug auth radius, attempt the login again, and check the debug output with get db stream.
     - Is the firewall sending the authentication request to the correct IP address of the RADIUS server?
     - Is there a response from the RADIUS server?
     - Is there an error being returned by the RADIUS server?

If the user can log in but the account does not have the permissions needed to create, delete or modify rules or other settings, check the remote access policy profile on the IAS server (configured above):
  • Double-click the policy
    • Click Edit Profile
      • In the Authentication tab, ensure Unencrypted authentication (PAP) is chosen
      • In the Encryption tab, choose Strongest encryption (MPPE 128 bit)
      • In the Advanced tab, double-click Vendor-Specific
        • Highlight the vendor and click Edit
        • The Vendor code is 3224 (Juniper-specific code)
        • Check "Yes, it conforms"
        • Click Configure Attribute
        • Vendor-assigned attribute number is "1"
        • Attribute format is "Decimal"
        • Attribute value is "2" (for Read/Write access)

For more information on the RADIUS attributes for Admin Privileges, refer to KB5688.
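As an added example (not part of this KB article or Juniper's code), the following Python shows what the Vendor-Specific attribute configured above looks like on the wire (vendor code 3224, vendor-assigned attribute 1, decimal value 2), wraps it in an Access-Accept whose Response Authenticator is computed with the shared secret, and parses the reply the way the firewall should, treating the privilege as untrusted when the authenticator does not match the secret. The shared secret and Request Authenticator used when calling it are constructed sample values.

```python
import hashlib
import hmac
import struct

# Values stated in the article: Juniper/NetScreen vendor code 3224,
# vendor-assigned attribute number 1, decimal value 2 for read/write admin.
JUNIPER_VENDOR_ID = 3224
ADMIN_PRIV_ATTR = 1
READ_WRITE = 2
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific


def encode_admin_priv_vsa(value):
    """Build the Vendor-Specific attribute IAS adds to the Access-Accept."""
    # Sub-attribute: vendor-type, vendor-length (6), 4-byte big-endian integer.
    sub = struct.pack("!BBI", ADMIN_PRIV_ATTR, 6, value)
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Assemble an Access-Accept; the Response Authenticator is MD5 over
    code+id+length, the Request Authenticator, the attributes and the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    """Check the reply the way the firewall should before trusting it, then
    extract the NetScreen admin privilege. Returns (authenticator_ok, privilege)."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    ok = code == ACCESS_ACCEPT and hmac.compare_digest(expected, resp_auth)
    privilege, pos = None, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break                                  # malformed length; stop rather than loop
        data = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 10:
            vendor_id, vtype, vlen = struct.unpack("!IBB", data[:6])
            if vendor_id == JUNIPER_VENDOR_ID and vtype == ADMIN_PRIV_ATTR and vlen == 6:
                privilege = struct.unpack("!I", data[6:10])[0]
        pos += alen
    return ok, privilege
```

A mismatched shared secret on either side shows up here as a failed authenticator check even though the privilege attribute parses, which matches the "is there a response / is there an error" checks in the troubleshooting steps.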