January 31st, 2003, 03:22 PM
HOW TO: Setup RADIUS auth on W2K
OK, since I had to do this, I figured that other people out there could use this info. My doc explains how to set up RADIUS on a W2K server.
How to activate RADIUS on Windows 2000
Environment: W2K AD controller (RADIUS SERVER) and W2K server stand-alone (no AD)
During the Windows 2000 Server installation, request the installation of "Networking Services" (in addition to the other services installed by default). If you did not do that during installation, you can do it at any time: "My Computer", "Control Panel", "Add/Remove Programs", "Add/Remove Windows Components", "Networking Services".
Run "Start", "Programs", "Administrative Tools", "Internet Authentication Service" (IAS), which is the Windows 2000 RADIUS server.
While in "Internet Authentication Service", select "Remote Access Policies", right-click "Allow access if dial-in permission is enabled" and select "Properties". Enable "Grant remote access permission" and then select "Edit Profile". Select "Authentication", enable "Unencrypted authentication (PAP/SPAP)" and disable the other methods.
While still in "Internet Authentication Service", click once on "Internet Authentication Service (Local)", then select "Action" and "Register Service in Active Directory".
NOTE: To specify the authentication and accounting ports, right-click "Internet Authentication Service (Local)" and choose "Properties". Click the RADIUS tab and then enter the appropriate ports. By default, IAS lists both the ports assigned by the RFC and the ones in use before it was issued: 1812 and 1645 for authentication, 1813 and 1646 for accounting.
While still in "Internet Authentication Service", select "Remote Access Logging" and "Local File". On "Settings", enable "Log authentication requests...". On "Local File", select a monthly log file in IAS format (or whatever you'd prefer).
Click on the "Clients" folder and choose "Action", "New Client". Provide a friendly name like "SmartGate" or whatever. Leave the protocol as RADIUS and click "Next". Identify the client by either IP address or FQDN (DNS must be configured for the latter). Leave Client-Vendor as "RADIUS Standard". Leave "Client must always send the signature attribute in the request" unchecked. Enter your shared secret and then confirm it.
Before leaving, be sure the service is running by clicking once on "Internet Authentication Service (Local)" and then choosing "Action", "Start Service".
Create a user with the MMC and be sure that you grant RAS access to the user. This is done by right-clicking the user and choosing "Properties", then selecting the "Dial-in" tab and "Allow Access".
NOTE: Windows 2000 RADIUS uses the User Logon Name, not the name you enter in First Name/Last Name on the "General" tab.
Drop to a command prompt and run "netstat -an" to be sure that UDP is listening on the proper ports.
Follow the RADIUS setup steps in the documentation for your RADIUS client.
Be sure to check the remote access accounting tab. Remove any accounting restrictions, or adjust them to meet your remote access policy.
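With PAP enabled as above, the password on the wire is hidden only by the RFC 2865 scheme keyed by the shared secret, so the secret is what the setup rests on. As an added example (not from the post, and not IAS code), this Python builds and decodes the Access-Request a client like the one registered under "Clients" would send to UDP 1812; the user name, password, secret and NAS address are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1  # RADIUS code for Access-Request (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 (at least 16) and XOR each block with
    MD5(secret + previous block); the first block chains on the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the keystream chains on the ciphertext blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return clear.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts these 2 header bytes too), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Encode an Access-Request with User-Name, User-Password and NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per RFC 2865
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

Sending the packet to the IAS host with a UDP socket and watching for an Access-Accept (code 2) is the end-to-end check after the "netstat -an" step; reveal_password shows why the shared secret alone protects the PAP password in transit.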
Anyway, hope this helps someone else out too.