Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How To: Configure External Authentication to Microsoft IAS Server (using Windows 2000 Server)



Article ID: KB6642 KB Last Updated: 06 May 2010Version: 5.0

How To: Configure External Authentication to Microsoft IAS Server (using Windows 2000 Server).



  • Remote Dialup VPN
  • Bi-Directional VPN
  • NS Remote Client
  • XAuth (Extended Authentication)
  • Real-Time Authentication
  • firewall Authentication
  • External Authentication

Symptoms & Errors:

  • Need to implement XAuth with Microsoft Radius Server (IAS)
  • Need to enforce firewall authentication with Microsoft Radius server (IAS)

In this Knowledgebase solution, the authentication of the remote VPN client is made to an external Microsoft IAS server that has the user specified in a group on the Windows Server.

Note: For instructions using a Windows 2003 Server, refer to KB17135 - How Do I Configure Microsoft IAS Server for RADIUS Server External Admin Authentication (using WINDOWS 2003 Server).


The user will be prompted to enter his username and password though a dialog box as a part of the XAuth authentication. These details are then passed on to the Windows IAS sever for authentication. If the remote user successfully logs on with the correct user name and password, Phase 2 negotiations begin.

Summary of steps:

Configuration of firewall.

  1. Add the external authentication server Configuration > Auth> Servers page.
  2. Alter the authentication method on the VPN>Xauth Settings page from local to external server.
  3. Alter the authentication method on the VPN > AutoKey Advanced > Gateway > Edit
  4. Add a group on the NS firewall that corresponds to the User-Group attribute on the Windows IAS server.

Note: CHAP is not supported on Firewall devices when configured for Windows Radius IAS as per NSKB

Configuration of Windows IAS server.

  1. Install Microsoft IAS on Windows 2000
  2. Configure IAS with settings for the firewall.
  3. Configure policy on IAS with User-Group attribute


Detailed steps

WebUI configuration of the firewall

  1. Add the external authentication server. Configuration > Auth> Auth Servers
    1. Specify name for IAS server.
    2. Specify the ip address of the windows server ( in the example)
    3. Select Auth and Xauth as the service types.
    4. Select the Radius option.
    5. Specify the password to be used between the firewall and the IAS server.
  2. Alter the authentication method. VPN>Xauth
    1. Select the created IAS server for " Default Authentication Server"
    2. Tick '"Query client settings'" if Wins and DNS selected.
    3. Do NOT select CHAP. (not supported with IAS )
  3. Alter the authentication method. VPN > AutoKey Advanced > Gateway > Edit
    1. Select the authentication method as '"default'"
    2. Do NOT select CHAP. (not supported with IAS )
  4. Add an External group on the NS firewall that corresponds to the User-Group attribute on the Windows IAS server.
    1. Object > User Group > External
    2. Create a group name that is the same as what is configured on the Windows IAS server.
    3. Select the group type as Auth and Xauth.


Configuration of Microsoft IAS server

  1. Install Microsoft IAS on Windows 2000
    1. Click on Start>Settings>Control Panel
    2. Double click on Add/Remove programs
    3. Click on Add/Remove Windows Components, in the left menu bar.
    4. Highlight Networking Services and click on Details.
    5. Click the Internet Authentication Service, then click OK and Next to install IAS.
  2. Configure IAS to talk to the Firewall Devices.
    1. Click Start>programs>Administrative Tools>Internet Authentication Service to start the IAS admin tool.
    2. Right click on Clients and select New Client
    3. Type a name for the client, set the protocol as Radius, then click Next
    4. Enter the IP address of the the firewall device.(Normally, ip address of Trusted interface of the firewall)
    5. Select the Client-Vendor as Radius Standard.
    6. Unselect the option "Client must always send the signature attribute in the request"
    7. Enter shared secret password. Used between the IAS server and the firewall. (It is case sensitive)
  3. Configure policy on IAS with User-Group attribute. (It is case sensitive)
    (This will allow users in the Windows NT Domain group named "Sales" to be authenticated.)
    1. Ensure that there is a group configured and a test member of that group under "User manager " on the Windows 2000 server.
    2. Ensure the user has dial-in permissions enabled within the Active Directory.
    3. Right click on Remote Access Policy and click New Remote Access Policy
    4. Name the Policy.
    5. Click Add for Specify Conditions to match.
    6. Under Select Attribute > click on Windows-Group and click Add.
    7. Click Add under the Groups.
    8. Select the Windows group you wish to authenticate users against and select OK
    9. Select '"Grant remote access permission'" and click Next.
    10. Select Edit to edit the remote access policy.
    11. Configure the following:
      1. Authentication tab. Select "Unencrypted authentication (PAP, SPAP)
      2. Advanced tab. Select Add and the "Vendor Specific"
      3. Enter vendor Code = 3224 and click the option "Yes, it conforms"
    12. Click "Configure Attribute".
      1. Vendor assigned attribute number = 3
      2. Attribute format = String
      3. Attribute value = Sales ( the name of the group) click OK
    13. Remove the other Parameters and click Apply and Finish.
    14. You may have to move the policy up to the top of the list as the policies are applied in a top-down order.


For a more detailed discussion, with screenshots, consult Bi-Directional Netscreen Remote VPN using xAuth and Firewall Authentication with Microsoft Internet Authentication Service [PDF]


  1. On the firewall:
    1. debug auth radius
    2. get db stream
  2. General:
    1. Ping from the firewall to the Radius server.
    2. Is the firewall sending the authentication request to the correct ip address of the radius server.
    3. Is there a response from the radius server?
    4. Check the ip address specified for the firewall on the radius server.
    5. Any error being presented back from the radius server?
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search