How to configure NG-AI with MS RADIUS (IAS)

[BarryStiefel]

How to configure NG-AI with MS RADIUS (IAS)



Someone on my geeklog site contributed this, don't ask me about it.... -- PhoneBoy

STEP1 On Check Point FW-1/VPN-1 NG-AI

Also works on NG FP3 -- MichaelHuber - 02 Apr 2004

1. Create a MS_RADIUS_SRV node – e.g. 192.168.1.21 2. Create RADIUS Server Object

• Manage -> Servers and OPSEC Applications… -> New – RADIUS
• Name: MS_RADIUS
• Host: MS_RADIUS_Srv
• Service: UDP NEW-RADIUS
• Shared Secret: xxxxx
• Version: RADIUS Ver. 2.0 Compatible
• Priority: 1

3. Create a FW rule if it is necessary

• Source: FW Internal Interface (e.g. 192.168.1.1)
• Destination: MS_RADIUS_Srv
• Service: UDP NEW-RADIUS (Port 1812)

4. Create gerneric* user and Group VPN_Users

• Manage -> Users and Administrators… -> New -> User called generic*
• Belongs to VPN_Users
• Authetication
  • Authetication Scheme: RADIUS
  • Select a RADIUS Server or Group of Servers: MS_RADIUS
  • Allowed Location: internal-networks
• Add the group to Participant User Groups of your Remote Access Community
• Add the remote VPN FW if necessary

Running NG/AI R54, the usernam generic* is a reserved word. I had to use: "External User Profiles->New->Match_All_Users" to create the generic* user. -- DavidBotham? - 06 Jan 2004

This is also true for NG FP3 -- MichaelHuber - 02 Apr 2004



STEP 2 Configure MS RADIUS - IAS (Internet Authentication Service)



1. Install MS IAS on a Windows 2000 Server

2. Open IAS and right click on Internet Authentication Service (Local) -> Register Service in Active Directory

3. Create a new client

• In Client Address field, enter your FW Internal interface IP address. For Nokia IP clustering, don’t enter the cluster IP (at least, it doesn’t work for me). Instead create two clients each has its own IP address.
• Uncheck “Client must always send the signature attribute in the request”
• Enter your Shared Secret

4. Create a new Remote Access Policy

• Add Windows-Groups: Create a Windows 2000 Security Group with any user account whose Remote Access Permission (Dial-in or VPN) is allowed
• Add Service-Type -> Authenticate Only
• NAS-IP-Address: your FW external IP
• Edit Profile…
  • Advanced: add Service-Type and attribute value: Authenticate Only
  • Encryption: Strong
  • Authentication: Unencrypted Authentication (PAP, SPAP)

5. Use Active Directory Users and Computers to set Remote Access Permission

• Users (select user and open Properties)
• Select Dial-in tab
• Under Remote Access Permission (Dial-in)
  • Select Allow access

6. Add user to group created above

Note:

* Windows Group, Service-Type, and NAS-IP-Address are selected based on my Ethereal result:





** Check MS IAS document at http://www.microsoft.com/windows2000/docs/IAS.doc

* Fore troubleshooting, use Event Viewer on RADIUS server and CP SmartView? Tracker

-- PhoneBoy - 30 Dec 2003

-- MichaelHuber - 02 Apr 2004

FAQForm FAQs.Class: AuthenticationFAQs FAQs.OS: FAQs.Version: NG