User Guides are our way of advising schools about any changes they may need to carry out and instructions as to how to make those changes.
Purpose of this guide
This guide details the procedure for installing and configuring the Internet Authentication Service (IAS) on Windows Server 2003 to provide RADIUS services.
The configuration in this guide details what is required to enable the Schools Broadband Juniper SSL VPN to query a locally hosted RADIUS server and successfully authenticate users against the Active Directory within your establishment.
This guide is provided to give sufficient information to successfully implement local authentication. The Schools Broadband team offers no additional support to establishments attempting this configuration beyond the directions contained within this document.
This guide is intended for technical staff within Schools Broadband establishments who are tasked with managing directory services and remote access.
Users who utilise the current Schools Broadband Cisco Concentrator VPN service are authenticated by two factors.
Firstly, Group Authentication takes place. The group username and password are transparently contained within the PCF file provided to you originally by the Schools Broadband Service Desk.
Once authenticated into a group, user login credentials are required to complete the authentication process. By default the authentication request is sent to the Schools Broadband Cisco ACS RADIUS server (for which establishments have delegated management).
By following this guide, access is enabled via an SSL webpage and single-factor authentication applies. Users' login credentials are sent to a RADIUS server hosted within the local establishment. This means users can use a single login rather than managing multiple logins (one for the network and one for the VPN).
There are however some factors that need to be considered when implementing local authentication:
- If the server(s) that are running RADIUS fail, then you will be unable to authenticate. However, multiple RADIUS servers can be specified to ensure redundancy.
- Ensure that users enabled for remote access have strong passwords. With single factor authentication the user’s login credentials are all that is required to gain full remote access to your network.
IAS can be provisioned on any member server or domain controller within the forest; we strongly recommend that at least two instances of IAS are present to provide fault tolerance.
IAS is bundled as part of the Server 2003 operating system, but it is not installed by default and must be added as a Windows component.
To install IAS, please follow these instructions:
- Click start > Control Panel
- Double click Add / Remove Programs
- Select Add/Remove Windows Components
- Scroll to find the category named Networking Services – highlight this and click Details
- Find the service named “Internet Authentication Service” and tick this service
- Click OK, then Next. The IAS service will install (this may require you to insert your Server 2003 R2 CD)
IAS is now installed and can be accessed via Start > Administrative tools > Internet Authentication Service
IAS must be configured to meet the criteria detailed in the instructions below to be compatible with the Juniper SSL VPN.
Part of the configuration process will require you to specify a Shared Secret. This is a key that is specified on the RADIUS server and Juniper SSL VPN to secure communication.
When creating a shared secret you should adhere to general password good practice. Your shared secret must meet the following requirements, otherwise your request will be denied by the Schools Broadband Service Desk:
- At least 10 characters long
- Contain both uppercase and lowercase characters (at least 2 of each)
- Contain at least 1 symbol and 1 numeric character
- Not resemble a dictionary word
Make a note of the shared secret you use as this will be required by the Schools Broadband Service Desk.
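As an added example (not from the guide or from Microsoft IAS), the following Python function checks a candidate shared secret against the four requirements listed above before you submit it to the Service Desk. The "dictionary word" test is an assumed interpretation: it uses a small constructed word list and undoes a few common digit-for-letter substitutions, so a real word list should be substituted in practice.

```python
"""Check a candidate RADIUS shared secret against the requirements above.

Added example, not part of the Schools Broadband guide or of IAS. The first
four checks are the guide's own rules; the "dictionary word" check is an
assumed interpretation using a small constructed word list.
"""
import string

# Constructed stand-in for a real word list: replace with a proper dictionary.
SAMPLE_DICTIONARY = {
    "password", "school", "broadband", "secret", "juniper", "radius", "welcome",
}

# Assumed leet-style substitutions to undo before the dictionary comparison,
# so that "Sch00l" is still recognised as "school".
LEET = str.maketrans("01345$@!", "oleassai")


def resembles_dictionary_word(secret: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the alphabetic core of the secret is, or contains, a listed word."""
    letters = "".join(c for c in secret.lower().translate(LEET) if c.isalpha())
    if letters in dictionary:
        return True
    return any(word in letters for word in dictionary if len(word) >= 5)


def check_shared_secret(secret: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of rule violations; an empty list means the secret passes."""
    problems = []
    if len(secret) < 10:
        problems.append("must be at least 10 characters long")
    if sum(c.isupper() for c in secret) < 2:
        problems.append("needs at least 2 uppercase characters")
    if sum(c.islower() for c in secret) < 2:
        problems.append("needs at least 2 lowercase characters")
    if not any(c.isdigit() for c in secret):
        problems.append("needs at least 1 numeric character")
    if not any(c in string.punctuation for c in secret):
        problems.append("needs at least 1 symbol")
    if resembles_dictionary_word(secret, dictionary):
        problems.append("resembles a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes, one that only fails the
    # dictionary rule despite its digits, and one that fails almost everything.
    for candidate in ("Tq7#mZ2pLw9", "Sch00lBr0adband!", "password"):
        verdict = check_shared_secret(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run it before raising the request: the Service Desk applies the same rules, so a secret that fails here will be rejected there, and the substitution check catches the common habit of turning a school name into "Sch00l".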
To configure your IAS server correctly, please follow these instructions:
- Click Start > Administrative tools > Internet Authentication Service to launch IAS Manager
- Right click on “Internet Authentication Service (Local)” and click “Register Server in Active Directory”, select “Yes” and click “OK”.
- Select “RADIUS Clients” from the panel on the left
- Right click RADIUS Clients and select “New RADIUS Client”
- Specify “juniper.schools.kpsn.net” as the friendly name and enter “172.31.242.2” as the Client IP address then click “Next”
- Select “Radius Standard” from the client-vendor dropdown box and enter the Shared Secret twice then click “Finish”.
- Right click RADIUS Clients and select “New RADIUS Client”
- Specify “juniper.schools.kpsn.net1” as the friendly name and enter “172.31.242.3” as the Client IP address then click “Next”
- Select “Radius Standard” from the client-vendor dropdown box and enter the Shared Secret twice then click “Finish”.
The Schools Broadband Juniper SSL VPN has now been specified as a RADIUS client and is able to communicate with the IAS server.
To specify the methods by which the Juniper SSL VPN can communicate with the RADIUS server, a remote access policy must be configured. Follow the instructions below to configure these settings.
- Right click “Remote Access Policies” in the left hand panel and select “New Remote Access Policy”
- The “New Remote Access Policy Wizard” opens, click “Next”
- On the “Policy Configuration Method” page, select the “Set up a custom policy” radio button. Enter “Schools Broadband Juniper VPN” as the Policy name, click “Next”
- Click “Add” on the Policy Conditions page, Select “Windows-Groups” attribute and click “Add”
- Click “Add”, enter “Domain Users” into the box and click “OK” and then click “Next” on the Policy Conditions page.
- Select the “Grant remote access permission” radio button, click “Next”
- Click the “Edit Profile” button
- Select the “Encryption” tab and untick all methods apart from “Strong encryption”
- Select the “Authentication” tab and untick all methods apart from “Unencrypted authentication (PAP, SPAP)”
- Click “OK” and then “No” to the “Dial-in Settings” warning message.
- Click “Next” to the Profile page and then “Finish”.
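The policy above leaves only PAP enabled, so it is worth seeing exactly what protects a user's password between the Juniper and your IAS server. The following Python is an added example, not from the guide or from IAS: it builds a RADIUS Access-Request as RFC 2865 specifies, hides the PAP password with MD5(shared secret + Request Authenticator) as the client does, recovers it as the server does, and checks the Response Authenticator on the reply. User, password and secret values are constructed; the NAS address is the first Juniper client address from the instructions above.

```python
"""Build a RADIUS Access-Request carrying a PAP User-Password and verify the
Response Authenticator of the reply, following RFC 2865 sections 3 and 5.2.

Added example, not from the guide or from IAS. Usernames, passwords, the
shared secret and the NAS address below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide the password as RFC 2865 5.2 describes: pad with NULs to a multiple
    of 16 bytes (at least one block), then XOR each block with
    MD5(secret + previous block), the first 'previous block' being the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server's side of the same operation. Anyone holding the shared
    secret who sees the packet can do this too, which is why the guide's
    rules for the secret matter."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, request_auth=b""):
    """Return (packet, request_authenticator). A random authenticator is
    generated unless the caller supplies one, which the tests do."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_pap_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the server emits: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Included only so verify_response can be exercised offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if its Response Authenticator matches; a reply
    forged without the secret, or belonging to a different request, fails."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"Tq7#mZ2pLw9"  # constructed; use your own shared secret
    packet, ra = build_access_request(1, "jsmith", "Wint3r!Pass", secret, "172.31.242.2")
    print("Access-Request:", packet.hex())
    reply = build_response(ACCESS_ACCEPT, 1, ra, secret)
    print("Reply authentic:", verify_response(reply, ra, secret))
```

Everything the password's confidentiality rests on is the shared secret and the RADIUS client list: with the right secret, decode_pap_password recovers the password outright, which is why the secret rules exist and why only the two Juniper addresses should be registered as clients. verify_response is what stops a forged Access-Accept being treated as genuine by the VPN.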
Granting users rights to authenticate via RADIUS
Granting users rights to authenticate via RADIUS is achieved via the Dial-in tab of the user's properties within the Active Directory Users and Computers MMC.
To enable a user to authenticate, find the user in Active Directory and double click the username. Select the Dial-in tab to view remote access properties; the first option allows you to specify either “Allow access” or “Deny access”.
Precaution should be taken when selecting users who are allowed to authenticate from outside the LAN; do not, for example, permit temporary accounts or service accounts to authenticate via RADIUS.
It is also strongly recommended that any user given remote access signs an enhanced AUP to ensure passwords are complex and changed on a regular basis.
Providing details to the Schools Broadband Service Desk
Additional configuration is required on the Juniper SSL VPN to enable authentication using the local RADIUS server.
This work is carried out by the Schools Broadband Service Desk who will require some information to configure this.
Please use the e-mail template below, sent to firstname.lastname@example.org, to ensure the service desk has all the information it requires:
The Service desk will confirm via email when this change is complete.
Dear Schools Broadband Service Desk
Please could you enable Juniper SSL VPN authentication against my local RADIUS server.
I have configured my IAS server as per your documentation. I understand that I must ensure users' credentials meet security requirements, and that no default accounts (service accounts, test users etc.) will be permitted access to dial in.
I also understand that should the RADIUS servers I have configured fail, I will not be able to log into the VPN.
Please find RADIUS details below [copy for each server specified]
DCSF No: [XXX X]
RADIUS Server OS: [Server XXXX RX]
Shared Secret: [XXXXXXXXXX]
[Your Name] [Date]