Installing
and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including
Support for EAP/TLS Authentication
Some
organizations may prefer to not join the ISA Server firewall/VPN server to their
internal network domain. The primary reason for not joining the ISA Server
firewall/VPN server to the internal network domain is to prevent potential
intruders from using the firewall as a launch point for an attack on the
internal network domain. While the probability of the firewall being compromised is very small, it is a fact that the ISA
Server firewall is a bastion host and it is exposed to direct attack from the
Internet.
The only
user accounts available to the machine are those configured in the local user
database when the ISA Server firewall/VPN server is not joined to the internal
network domain,. In this scenario, all user accounts
need to be input into the local user database on the
ISA Server firewall/VPN server machine. There is a lot administrative overhead
when you mirror your internal network user database, including both user names
and passwords, onto the ISA Server firewall/VPN server’s local SAM database.
A better
solution is to use the Microsoft Windows Server 2003 Internet Authentication Service (IAS). The Microsoft IAS Server is
a Remote Authentication Dial In User Service (RADIUS)
server. A RADIUS server accepts authentication requests from the ISA Server
firewall/VPN server and forwards them to an authentication server. In a Windows
Server 2003 domain, the domain controller represents the authentication server.
The authentication server confirms or denies the authentication request and
forwards the result to the RADIUS server. The RADIUS server forwards it to the
ISA Server firewall/VPN server.
The
Microsoft IAS Server can also be used to centralize
the management of Routing and Remote Access Policy. You may wish to apply the
same remote access policies to each server if you have two or more ISA Server
firewall/VPN servers. You could manually configure Remote Access Policy on each
server using the graphical interface or the netsh
command. A better way is to the Microsoft IAS Server. You create Remote Access
Policy on the IAS Server and then configure the ISA Server firewall/VPN servers
to use the IAS Server of your choice. The policies configured on the IAS Server
are applied to incoming VPN connections to the ISA Server firewall/VPN server.
You can
also use the IAS Server to support advanced authentication, such as EAP-TLS
authentication for PPTP and L2TP/IPSec clients. Advanced authentication methods
using EAP enhance the security of your ISA Server firewall/VPN server
configuration.
We discuss
the following procedures in this ISA
Server 2000 VPN Deployment Kit Document:
Installing and Configuring the Windows Server 2003 IAS Server
Perform the
following steps to install and configure the IAS Server:
1.
Click Start, point to Control
Panel and click on Add or Remove
Programs.
2.
Click the Add/Remove Windows Components button in the Add or Remove Programs window.
3.
In the Windows Components dialog box (figure 1), select the Networking Services entry and click the
Details button.
Figure 1
(1712)
4.
In the Networking Services dialog box (figure 2), put a checkmark in the Internet Authentication Service checkbox
and then click OK. Click Next in the Windows Components dialog box.
Figure 2
(1713)
5.
Click the Finish button on the Completing
the Windows Components Wizard page.
Now we’ll
make some basic configuration changes to the IAS Server.
1.
Click Start, point to Administrative
Tools and click on Internet
Authentication Services.
2.
In the Internet Authentication Services console, right click on the Internet Authentication Service (Local)
node in the left pane of the console. Click the Register Server in Active Directory command (figure 3).
This setting allows the IAS Server to authenticate users in
the Active Directory domain. Click OK
in the Register Internet Authentication
Server in Active Directory dialog box (figure 4).
Click OK in the Server registered: dialog box (figure
5). This dialog box informs you that the IAS Server was
registered in a specific domain and if you want this IAS Server to read
users’ dial-in properties from other domains, you’ll need to enter this server
into the RAS/IAS Server Group in
that domain.
Figure 3
(1714)
Figure 4
(1715)
Figure 5
(1716)
3.
Right click on the RADIUS Clients node in the left pane of
the console and click the New RADIUS
Client command (figure 6).
Figure 6
(1717)
4.
In the New RADIUS Client dialog box, type in a Friendly name for the the ISA Server
firewall/VPN server (figure 7). You can use any name you like. In this example
we’ll use the DNS host name of the ISA Server firewall/VPN server, which is MSFIREWALL1.
Type in either the FQDN or the IP address of the ISA Server
firewall/VPN server in the Client
address (IP or DNS) dialog box. Do not enter a FQDN if your ISA Server
firewall/VPN server has not registered its internal
interface IP address with your internal DNS server. You can use the Verify button to test whether the IAS
Server can resolve the FQDN (figure 8). Click Next.
Figure 7
(1718)
Figure 8
(1719)
5.
On the Addition Information page (figure 9), leave the RADIUS Standard entry in the Client-Vendor drop down list box. Your
ISA Server firewall/VPN server will use this setting. Type in a complex shared
secret in the Shared secret text
both and confirm it in the Confirm
shared secret text box.
The shared secret should be a complex string consisting of
upper and lower case letters, numbers and symbols. Put a checkmark in the Request must contain the Message
Authenticator attribute checkbox. This option enhances the security of the
RADIUS messages passed between the ISA Server firewall/VPN and IAS servers.
Click Finish.
Figure 9
(1720)
Configuring a VPN Client Remote
Access Policy on the IAS Server
You are
ready to create a Remote Access Policy on the IAS Server. Remote Access
Policies configured on the IAS Server are enforced
against VPN clients calling the ISA Server firewall/VPN server. The Windows
Server 2003 IAS server has a Remote Access Policy Wizard that makes it easy to
create a secure VPN client Remote Access Policy.
Perform the
following steps to create a VPN client Remote Access Policy on the IAS Server:
1.
In the Internet Authentication Service console, right click on the Remote Access Policies node and click
the New Remote Access Policy command
(figure 10).
Figure 10
(1721)
2.
Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 11).
Figure 11
(1722)
3.
On the Policy Configuration Method page (figure 12), select the Use the wizard to set up a typical policy
for a common scenario option. In the Policy
name text box, type in a name for the policy. In this example, we’ll call it
VPN Access Policy. Click Next.
Figure 12
(1723)
4.
Select the VPN option on the Access
Method page (figure 13). This policy is used for
all VPN connections. You also have the option to create separate policies for
PPTP and L2TP/IPSec VPN links. However, to create separate policies for PPTP
and L2TP/IPSec connections, you need to go backwards in the Wizard and create
two custom policies. In this example we apply the same policy to all VPN
connections. Click Next.
Figure 13
(1724)
5.
You can grant access to the VPN
server based on user or group (figure 14). The best access control method is on
a per-group basis because it confers less administrative overhead. You can
create a group such as VPN Users and
allow them access, or all your users access. It depends on who you want to give
VPN access to the network.
In this example, we will select the Group option and click the Add
button. This brings up the Select Groups
dialog box. Type in the name of the group in the Enter the object name to select text box and click the Check names button to confirm that you
entered the name correctly. Click OK
in the Select Groups dialog box and
then click Next in the User or Group Access dialog box.
Figure 14
(1725)
6.
You can select the user
authentication methods to allow on the Authentication
Methods page (figure 15).
You may wish to allow both Microsoft Encrypted Authentication version 2 and Extensible Authentication Protocol (EAP).
Both EAP and MS-CHAP version 2 authentication are secure, so we’ll select both
the Extensible Authentication Protocol
(EAP) and Microsoft Encrypted
Authentication version 2 (MS-CHAPv2) checkboxes.
Click the down arrow in the Type (based on method of access and network configuration) drop
down list box and select the Smart Card
or other certificate option then click the Configure button. In the Smart
Card or other Certificate Properties dialog box, select the certificate you
want the server to use to identify itself to VPN
clients. The self-signed certificate appears in the Certificate issued to drop down list box. This certificate is used to identify the server when VPN client are
configured to confirm the server’s validity. Click OK in the Smart Card or
other Certificate Properties dialog box and then click Next.
Note:
If you do not see the certificate in the Smart
Card or other Certificate Properties dialog box, then restart the RADIUS
server and start over. The certificate will then appear in the dialog box after
the restart.
Figure 15
(1726)
7.
Select the level(s) of encryption
you want to enforce on VPN connections (figure 17). All Microsoft clients
support the strongest level of encryption. If you have clients that don’t
support 128 bit encryption, select lower levels, but realize that you lower the
level of security provided by the encryption method used by the VPN protocol.
In this example we’ll select only the Strongest encryption
(IPSec Triple DES or MPPE 128-bit) Click Next.
Figure 16
(1727)
8.
Review your settings on the Completing the New Remote Access Policy
Wizard page and click Finish.
Figure 17
(1728)
Configuring Remote Access
Permissions
The new
Remote Access Policy requires the connection be a “virtual” or VPN connection.
The VPN protocol can be either PPTP or L2TP/IPSec. MS-CHAP v2 or EAP-TLS must be used to authenticate and the client must support the
highest level of encryption available for the VPN protocol they use to connect.
The user must belong to the Domain Users
group in the domain specified in the Remote Access Policy.
The next step
is to configure Remote Access Permissions. Remote Access Permissions are
different than Remote Access Policies. When a user calls the ISA Server
firewall/VPN server, the parameters of the connection are
compared against Remote Access Policy or Policies defined on the IAS
Server. Remote Access Policies are a hierarchical list The policy on top of the
list is evaluated first, then the second listed policy is applied, then the
third and so forth.
VPN
connection parameters are compared to the conditions of the policy. In the policy
we created above, there were two conditions: the connection type is a virtual
connection and the user is a member of the Domain
Users group. If the connection request matches both of those conditions,
then the Remote Access Permission of the account logging in is determined.
Remote access permissions are determined differently depending on the type of
domain the user account belongs to.
Windows
Server 2003 domains do not use the Mixed and Native Mode designations you might
be familiar with in Windows 2000 domains. Windows Server 2003 supports domains
of varying functional levels. If all
the domain controllers in your domain run Windows Server 2003, the default
functional level is Windows 2000 mixed. All user accounts are
denied VPN (Dial up) access by default in Windows 2000 Mixed Mode
functional level. In Windows 2000 Mixed Mode, you must configure each user
account to have permission to log on to the VPN server. The reason is that user
account permissions override Remote Access Policy permissions in Mixed Mode
domains.
If you want
to control Remote Access Permissions via Remote Access Policy, you must raise
the domain functional level of Windows 2000 Native or Windows Server 2003. The
default Remote Access Permission in Windows 2000 and Windows Server 2003
domains is Control access through Remote
Access Policy. Once you are able to use Remote Access Policy to assign VPN
access permission, you can take advantage of group membership to allow or deny
access to the VPN server.
When a
connection request matches the conditions
in the Remote Access Policy and the user is granted
access via either the user account Dial-in settings or Remote Access Policy,
the connection parameters are compared a number of settings defined by the Remote Access Profile. If the incoming
connection does not comply with the settings in the Remote Access Profile, then
the next Remote Access Policy is applied to the
connection. If no policy matches the incoming connection’s parameters, the
connection request to the ISA Server firewall/VPN server is
dropped.
The VPN
Remote Access Policy you created earlier includes all the parameters required
for a secure VPN connection. Your decision now centers on how you want to
control Remote Access Permissions:
Procedures
required to allow per user and per group access include:
Changing the User
Account Dial-in Permissions
Perform the
following steps if you want to control access on a per user basis:
Figure 18
(1729)
Figure 19
(1730)
Changing the Domain
Functional Level
If you want
to control access on a per group basis, then you will need to change the
default domain functional level. Perform the following steps to change the
domain functional level:
Figure 20
(1731)
Figure 21
(1732)
Figure 22
(1733)
Figure 23
(1734)
Figure 24
(1735)
Figure 25
(1736)
Controlling Remote
Access Permission via Remote Access Policy
Now that
you have the option to control access via Remote Access Policy, let’s see how
VPN access control via Remote Access Policy is performed:
Figure 26
(1737)
·
Deny remote access permission
·
Grant remote access permission
Notice that this dialog box does inform you that the user
account settings override the Remote Access Permission settings: Unless individual access permissions are
specified in the user profile, this policy controls access to the network.
Select the Grant remote access
permission to allow members of the Domain
Users group access to the VPN server.
Figure 27
(1738)
Configuring the ISA Server
firewall/VPN Server to Support RADIUS and EAP-TLS Authentication for PPTP and
L2TP/IPSec VPN Clients
The next
step is to configure the ISA Server firewall/VPN server to support RADIUS and
EAP/TLS authentication. Perform the following steps to configure the ISA Server
firewall/VPN server:
Click the Configure
button that lies to the right of the Authentication
provider drop down list box. In the RADIUS
Authentication dialog box (figure 28), click the Add button.
In the Add RADIUS
Server dialog box, type in the FQDN or IP address of your IAS Server. Make
sure that your ISA Server firewall/VPN server can resolve the FQDN of the IAS
Server to the correct IP address. If you are not sure if the ISA Server
firewall/VPN server can correctly resolve the FQDN of the IAS Server, use the
IP address instead. Click the Change
button.
Type in the shared secret you configured on the IAS Server
and then confirm the shared secret. Put a checkmark in the Always use message authenticator checkbox. Click OK
in the Change Secret dialog box,
then click OK in the Add RADIUS Server dialog box, then
click OK in the RADIUS Authentication dialog box. Click Apply in the server’s Properties
dialog box.
Note
You do not need to click on the Authentication
Methods button that lies just under the Authentication Provider drop down list. This button allows you to
configure authentication methods used by the ISA Server firewall/VPN server
when using Windows Authentication
instead of RADIUS Authentication.
Figure 28
(1739)
Figure 29
(1740)
Figure 30
(1741)
The ISA
Server firewall/VPN server is now ready to support VPN PPTP VPN connections
using either MS-CHAP version 2 or certificate based EAP/TLS authentication.
Note that while we have configured RADIUS policy to support certificate based
EAP/TLS authentication, the certificate used in this policy does not support
L2TP/IPSec. You must assign a machine certificate to the ISA Server
firewall/VPN server, and the VPN client making the L2TP/IPSec connection
request must trust that certificate.