Forum Discussion

avik_bose_1048's avatar
avik_bose_1048
Icon for Nimbostratus rankNimbostratus
Jan 25, 2009

WINDOWS 2003 RADIUS SERVER Configuration wiith Firepass

We are trying to add Windows 2003 IAS server with firepass for RADIUS authentication.

 

 

The configuration on the RADIUS server is as following:

 

 

1.On the AD we have enabled “Store Password using reversible encryption for all users in the domain” by going into

 

Computer configuration--- windows settings---Security settings---Account Policies – Password Policy.

 

2.We have installed IAS on a separate WINDOWS2003 SERVER R2 which is a part of the same domain.

 

3.We have registered the same server with AD by rightclicking on “IAS” and then selecting Register Service in AD and restarted the IAS service.

 

4.We have set the RADIUS ports 1812 for the authentication and 1646 accounting .

 

5.We have added a new RADIUS client , named it as “FirepassVPN” added the self ip of the Firepass as the Radius client ip selected the protocol as RADIUS standard and entered a shared secret.

 

6.Added a new “Remote access policy” by creating a custom policy . Added a Windows groups by adding the domain users,to the group and set the permission as “Grant remote Access permission” and selected the authentication protocols as

 

7.In the AD , made sure that for the user groups , in the dial-in tab ,”Control access through Remote Access Policy” was selected.

 

 

Made the following changes on the Firepass:

 

1.Created a new master group on the firepass called “Radius Authentication”.

 

2.Selected the Authentication method for the Master group as “Radius” and users as “External”.

 

3.In the RADIUS settings page , entered the ip of the “Windows 2003 RADIUS “ server as the Radius server ip, in the shared secret tab

 

Put in the same shared secret which was entered on the “IAS server”, the port as “1812,1645” and saved the setting

 

 

 

Now when we try to authenticate an user to firepass through the “Windows 2003 Radius server”, this is the error msg we get on the “Windows 2003 RADIUS server”.

 

User arpan was denied access.

 

Fully-Qualified-User-Name = MACROSOFTLLC\arpan

 

NAS-IP-Address = 192.168.1.99

 

NAS-Identifier =

 

Called-Station-Identifier =

 

Calling-Station-Identifier =

 

Client-Friendly-Name = vpnclient

 

Client-IP-Address = 198.162.1.50

 

NAS-Port-Type =

 

NAS-Port = 0

 

Proxy-Policy-Name = Use Windows authentication for all users

 

Authentication-Provider = Windows

 

Authentication-Server =

 

Policy-Name =

 

Authentication-Type = PAP

 

EAP-Type =

 

Reason-Code = 48

 

Reason = The connection attempt did not match any remote access policy.

 

 

Not sure why we are getting this error. Any help on this error msg will be greatly appreciated.

 

 

Avik

 

BIG-IP Access Policy Manager (APM)
remote access
security

2 Replies

Sort By
  • mal_57091's avatar
    mal_57091
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2009
    Hi Avik,

     

     

    You need to go into the config properties on the IAS server and modify the allowed authentication mechanisms. From memory, by default it only allows MSChapv2. You'll need to enable some of the other methods (not sure exactly which ones off the top of my head) but you can have a fiddle and it should be pretty easy to work out.

     

     

    Cheers,

     

    Mal
  • avik_bose_1048's avatar
    avik_bose_1048
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2009
    Hi Mal,

     

    Thanks for the prompt response. Went into the IAS server and in the remote access policy, selected "Unencrypted Protocols" for authentication and it worked. It seems Firepass sends the authentication requests in PAP.

     

     

    Thanks

     

    Avik