Windows 2003 Radius Server vs FreeRADIUS

[debug]

Hi all,

Has anyone setup a successfull RADIUS server in 2K3 yet ? To make long story short all I want to do is make all my HP AP's to get MAC Auth info from the Radius server and it inturn should push it to my AP's. I've started researching and ended up installing IAS (Internet Authentication Services), which will be the backbone of the Radius server for 2K3 but have not gotten further.

I am also considering FreeRadius seeing that all my linux firewalls and proxies run so smoothly.

Regards
d

 

[ghalied]

In you RRAS console, if not configured, go through the wizard and select "custom configuration" and then lan routing, once the wizard completes right click the "server xxx"\properties. Tick "remote access server", then select the security tab.

Under the Authentication Provider, click the drop down list and choose "Raduis Authentication" and type the IP/name of the IAS server, and you must tick "Always use messege authenticator" do the same for Accounting provider, you have then essentially setup your raduis server.

Policies can now be set, but it's to large a task for a forum, essentially yu have left the start mark.

 

[ambo]

I would say FreeRadius!

But then i'm involved with the project - so i'm biased

I've honestly never used WinRadius but if you are comfortable with a little Linux command line stuff then FreeRadius would be my choice without a doubt.

 

[debug]

Ghalied - so in essence the Radius will use ad to auth users via the AP's/Radius clients (specified in IAS) and not MAC auth ? So you only have to add users to the "Wireless users" group in AD on any of your DC's and this will replicate to the other DC's and the AP's will match wireless users trying to connect against the wireless group created ?

d

 

[debug]

Another question - Is there a way of authentication a wireless using on radius (using WPA-TKIP enc) without using a Certificate Authority server ?

Second Question - How can one setup IAS so that once you connect to the AP the default EAP type is set tp EAP (PEAP) and not "Smart card or pther certificate" ? I have done this on group policy and IAS but it still reverts back to "smart card or other certificate"

Regards
d

 

[ghalied]

Ghalied - so in essence the Radius will use ad to auth users via the AP's/Radius clients (specified in IAS) and not MAC auth ? So you only have to add users to the "Wireless users" group in AD on any of your DC's and this will replicate to the other DC's and the AP's will match wireless users trying to connect against the wireless group created ?

d

Yes, best to set up or add a remote access policy for the specific group.
In RRAS console, expand the remote access policy, choose the 1st one,click add, scroll to the bottom, choose the last one "Windows group matches" add the group, once added move the policy to the top and before closing the window tick "grant remote access" button.

when the policies are processed the top one 1st then the next and so on.

In AD remember to also grant the users access remotely, it's in each users properties in AD, can't remember which tab.

Like I said before it's not easy via a forum.

 

[ghalied]

Another question - Is there a way of authentication a wireless using on radius (using WPA-TKIP enc) without using a Certificate Authority server ?

Second Question - How can one setup IAS so that once you connect to the AP the default EAP type is set tp EAP (PEAP) and not "Smart card or pther certificate" ? I have done this on group policy and IAS but it still reverts back to "smart card or other certificate"

Regards
d

Don't know about the wireless, as your question gets a little muddled....sorry

exclude EAP and revert to mschap v2 bearing in mind that Win98/NT machines do not support these and it quite secure............you can further expand this by changing your GPO security settings to allow only s=certain authentication protocol between clients and servers. Again to much for a forum..............."too many ways to skin a cat"