Pulse Secure formerly SSL VPN
Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Hi there,

Has anyone managed to get the IVE working with a Microsoft RADIUS server (IAS - Internet Authentication Service)?

I really don't get it working. I have a realm that should prompt for a PIN first, and after this one has been entered correctly, the user gets sent an SMS on his mobile with another token he has to enter. On that Microsoft server another piece of software is installed that sends the SMS and maintains the user database and the PINs. We don't want to use Active Directory users for that!

I don't know what exactly has to be configured on that IAS server; I don't even get the ports open, and I think that's the main problem right now. The RADIUS service is running and OK, but when I nmap that machine, I can't see the open port 1812 or 1813, which the IVE connects to.

When connecting with a user, the user access log shows "destination 10.10.10.10:1812 not reachable", which is correct. The log file at the IAS shows under system logs something like: "A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx"

I don't know which rules I have to set up, but not even the port is open, so there seem to be many problems. I also don't know how to connect the IAS with the user database that holds all the users and PINs...

Maybe anyone has a suggestion or tip that could help me!

Thanks in advance!

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Howdy - yes - the IVE and MS RADIUS (IAS) do work well together. The first step is to get RADIUS working properly under IAS. For RADIUS troubleshooting and setup at my customer sites I carry around a tool on my laptop called Radutils - http://www.radutils.com/ - It is not freeware, but it just establishes RADIUS sessions and lets you test.

As you are not even getting to the ports, do the following: bring up IAS through the Admin Tools menu.

If you right-click on the IAS service you will have two tabs where you can enable additional logging (quite helpful) and set up the ports that will be used. This is where you can validate that the box is indeed using 1812 or 1813. It does sound like the server may have been configured with different ports.

Also, always keep an eye on the Windows Event log. This is very helpful in allowing you to see if the remote requester is even talking to the box, and then, when it is, what happens to the authentication request.

As you said you can't even see the ports, I won't talk about the rest of the IAS setup for now. Feel free to post more questions and I can give you more information if you need it! You will need to set up a RADIUS client for each remote request machine, and a Remote Access Policy.

 

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Hi Kevin, thanks a lot for your support!

I've already configured the service to log rejected and accepted authentication requests, and I've also ensured that the ports tab shows 1812 for auth and 1813 for accounting. The Windows event log shows only the following message:

"A RADIUS message was received from the invalid RADIUS client IP address xxx.xxx.xxx.xxx".

I can exclude the possibility that it's listening on different ports. Only the following ones are open on this machine:

80/tcp
135/tcp
139/tcp
445/tcp
1043/tcp
2000/tcp
3389/tcp

Windows Firewall is disabled, no other firewall running.

Does the Routing and RAS service have to be started? Does it have something to do with it?

When I netstat the IAS I can see for example:

  UDP    IAS-Server:1812  *:*
  UDP    IAS-Server:1813  *:*

But from another machine (without firewalls in between) I don't see it as open. I'm not sure if it's listening or not, but I don't think so.

Thanks again!

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Ok - the message you are receiving is because you have not defined the remote requester in IAS. Go to Admin - IAS - RADIUS clients and set up an entry for the requester there: IP address, shared secret. This is the first thing you must do to get connectivity between the remote RADIUS requester and the IAS box. This will eliminate the error message you got about the invalid client. You will also need to define a Remote Access Policy.

Kevin Barker
Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Hi Kevin,

I already set up a RADIUS client with the following config:

Friendly Name: SSL VPN
Address: Tried IP and DNS name here
Client-Vendor: RADIUS Standard
"Request must contain..." -> Unchecked
Shared secret added

So that one already exists. I've also defined a policy, but there are so many options (NAS-Identifier) where I have no clue which one to choose. I tried different combinations for the rule (e.g. VPN, Ethernet, then different NAS-Identifiers), but I don't really get what IAS wants/needs to accept a connection from SSL VPN gateways.

I tried multiple combinations of rulesets and always get the same message in the event log.

Thanks in advance

Visitor
Posts: 5
Registered: ‎03-09-2010

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

I also had this issue and was badly stuck for several days. I was using Dynamic VPN connecting to an SRX240. After calls to JTAC I finally got hold of a guy there who sent me a step-by-step config for using Windows IAS as your RADIUS server. Once I took that and followed it, bam, everything started working. I'm attaching it here for you to look at. It really should be available for all, but apparently this was from a customer and not a Juniper-approved doc, but who cares? It works. Take a look and hope it helps.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

The document that was posted is very helpful for the specifics of the authorization policy setup. However, the invalid client message that you posted is one that IAS returns when the first-level communication between the IVE and IAS fails. If you had an incorrect shared password you would get a different message.

If your port was wrong you would not see anything in the event log, as the request would never reach the server. You would see a bad packet error of some type on the sender machine, but the IAS server would have no record of the request at all.

RAS / routing does NOT need to be enabled. Did you try using another tool or device against the IAS server to just verify basic RADIUS functionality? The tool I mentioned yesterday works really well.

Kevin Barker
Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

I followed the steps from the PDF, but not the step that says: "Under a VPN user account, set..." because I don't want to authenticate against LDAP / AD. There's another piece of software (SMS Passcode) installed on that RADIUS server, and it holds its own user database and passwords for the users. Those users should be used to authenticate. I also want to use the Network Connect IP pool and don't want to assign static IP addresses. All the other steps were followed as documented.

Now my problem is: I have no clue how to tell IAS that it should use this local user database, not LDAP or something else. The documentation of SMS Passcode is really weak and we don't get any further support; it seems to be "our problem".

Well, back to topic... I was able to see that 1812 is listening (in the logs), as it should be (but why don't I see the open port when I run nmap from another machine?). So as you said before, that should be fine, otherwise I wouldn't see the log file entry. Check.

I think it has something to do with the policy... As mentioned before, I followed the steps of the PDF, but I don't know which policy conditions to choose. I tried Client-IP-Address equals "*" (as wildcard) and "grant remote access", but that doesn't help. I always see the same errors in the event log.

Some questions for clarification:

- At the IVE config: do I have to check "Users authenticate using tokens or one-time passwords"?
- At the IVE config: do I have to add a "NAS-IP-Address"? (What is it about?)
- At the IVE config: do I have to add "Custom Radius Auth Rules"?

Yep, I tried the tool you mentioned and got this:

 

--------------------22.03.2010 10:04:11 Test started  [AcctTest(Start Alive Stop)]-------------------------
Error: no response from server for ID 165 socket 1920
Sending Access-Request of id 165 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Start
	Acct-Session-Id = "0001"
Sending Access-Request of id 165 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Start
	Acct-Session-Id = "0001"
Sending Access-Request of id 165 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Start
	Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Interim-Update
	Error: no response from server for ID 60 socket 1920
Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Interim-Update
	Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Interim-Update
	Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Stop
	Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
	User-Name = "test1"
Error: no response from server for ID 182 socket 1920
	Acct-Status-Type = Stop
	Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
	User-Name = "test1"
	Acct-Status-Type = Stop
	Acct-Session-Id = "0001"

	   Total approved auths:  0
	     Total denied auths:  0
	       Total lost auths:  3
	       Total time(secs):  27
--------------------22.03.2010 10:04:38 Test finished [AcctTest(Start Alive Stop)]-------------------------

 

 

Thanks for your time & support muttbarker, and thanks for the PDF Drozymandias.

 

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

  • Do you have the proper RADIUS secret set on IVE and IAS?
  • What about using sniffers like Network Monitor on IAS to check if RADIUS packets arrive there?
  • Do you have an eye on the IAS server System event log? Very helpful for RADIUS errors.
  • Have you configured RAS policies on IAS?
  • Insert the attribute "Ignore User Dial-in Properties - true" on the Advanced tab of the Profile so that the IAS RAS policy can take control.
  • Insert some RAS policy like "Windows Groups" / "Domain Users" for first tests.
  • Do you have the realm role mapping rule configured properly? You can also use "Username" is "*" for first tests.
  • Is the client correctly configured in the IAS RADIUS client part?
  • Restart the IAS service each time you modify the config.
  • Does your server's Windows Firewall block UDP 1812 (or UDP 1645)?
  • Do you have an eye on the IVE user access log?
  • Use IVE tcpdump to watch RADIUS packets returning from IAS (you can read them unencrypted; only the password is encrypted).
  • Use policy trace on the IVE for troubleshooting.

I find configuration of IVE and IAS for RADIUS support dead easy, done in a snap.

Try to understand how these two work together, and troubleshoot step by step along the whole line till you've got it.

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

It should also work with local SAM users if IAS is not in an AD domain.

But I never tried this out; I always authenticate users from Active Directory via IAS.

 

http://technet.microsoft.com/en-us/library/cc773343(WS.10).aspx#w2k3tr_ias_how_qmlj

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

"A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx"

Do you use the internal IP of the IVE system as RADIUS client on IVE?

If you have a cluster, enter the physical IVE IPs as RADIUS clients on IAS; as I remember, the IVE sends the physical IP of the active IVE node to the RADIUS server as source IP.

 

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

NAS Identifier can be left at the defaults.

What about the Encryption tab on IAS RAS policies... Profile, I think?

Unmark all of this, as the IVE does not support that.

But I think your actual problem is that IAS won't accept RADIUS requests from your IVE IP address, as you configured the wrong IP on the IAS client tab. That means: check with which IP the RADIUS request packets arrive at the IAS, with Network Monitor sniffing.

Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Do you use the internal IP of the IVE system as RADIUS client on IVE?

-> Oh hell, how could I miss that??? Surely the physical IP needs to be entered. After doing so, the event log message changed. Thanks a lot for that tip!

Now it's not an error in the event log anymore; it's the following warning now (translated into English):

 

access denied for user "bla"
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = IP of IVE-Master
NAS-Identifier = FQDN of IVE
Client-Friendly-Name = SA4000 Master
Client-IP-Address = IP of IVE-Master
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = 0
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>

So it seems as if the policy is just wrong. And the other problem is that I don't know how the IAS recognizes the local users.

  • I've disabled all encryption settings in the profile, as you said.
  • Well, the users are not local SAM users; they are held by an application. It's just a little web interface where you can create users and assign a PIN to them, that's it (it also sends an SMS to the user's mobile then, but that works already and has nothing to do with IAS).
  • Proper secret was set up.
  • I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?
  • User realm and roles are configured correctly.
  • Log at IVE: "Login failed using auth server SMS-Passcode (Radius Server). Reason: Failed"
  • Policy trace:
    InfoPTR233702010/03/25 10:21:16 - Tmaster - Root::hallo(SMS-Passcode)[] - Attempting to authenticate user "hallo" with auth server "SMS-Passcode"
    InfoPTR233342010/03/25 10:21:16 - Tmaster - [10.10.10.10] - Root::hallo(SMS-Passcode)[] - Sign-in rejected using auth server SMS-Passcode (Radius Server). Reason: Failed

So I think now my problem is about the RAS policy configuration and the connection to that local user store.

Thanks a lot for your time and support!!! You already helped a lot!

New User
Posts: 1
Registered: ‎03-26-2010

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

I noticed the SMS PASSCODE server and wanted to make you aware of the support page for our product where you are welcome to get live support. http://www.smspasscode.com/support. We would be happy to assist.

 

Rgds

Lars Nielsen

 

 

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Proxy-Policy-Name = None

Check your RADIUS proxy policy; enter at minimum the policy "allow authentication for Windows users" or something like that. It's the default policy when you installed IAS RADIUS. Maybe you deleted it?

It's under, I think, "connection request policies". When you don't have any policy there, RADIUS requests will always be denied.

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?

 

Nothing. Here you configure "return attributes" which the RADIUS server will return to the requesting RADIUS client (like the IVE) when a RADIUS Accept message is sent to the IVE. You can use this for additional features.

Good idea to use Network Monitor (sniffer) on the Windows server, to see what's going on.

It will help you a lot to understand how this works together. Without sniffing for testing you work "blind", because you don't see which RADIUS attributes and messages travel between IVE and IAS.

These are attributes and values which could be used for some role mapping rules on the IVE.

Means: it also works if you don't configure ANY attributes on the "advanced" tab.

But I mostly use the attribute "class (25)" with any value, for example the value "admin".

Then in the IVE role mapping you can configure rules with "user attributes".

Means for the IVE...

IF user attribute class (25) has value "admin"
THEN assign user role admin

IF user attribute class (25) has value "user"
THEN assign user role vpnuser

So you can use these IAS RADIUS attributes to configure role mapping rules. Isn't that fantastic?

The other attributes on the IAS "advanced tab" are only for other purposes like dial-in callback number and stuff like that, as historically RADIUS is a "dial-in" authentication service, but nowadays it's a standard network authentication mechanism which is supported by most network devices.

 

Contributor
Posts: 70
Registered: ‎02-27-2009

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Authentication-Type = <not determined>

What is configured at RAS Policy Authentication Type?

Mark PAP.

Though PAP does not encrypt authentication, the user passwords will always be encrypted through the RADIUS protocol between IVE and RADIUS server. The strength of the RADIUS encryption depends on the complexity of the RADIUS secret.

So use a long and complex RADIUS secret, like AGhafdsa!$Q123TRZHsl$§!!!123adfjnvuda
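As an added example (my own code, not from this thread, Juniper or Microsoft), here is the exchange behind the Class(25) role-mapping post and the PAP/secret post above in working form: the IAS-side source-IP check that produces the "invalid RADIUS client IP address" event, RFC 2865 User-Password hiding with the shared secret (which is why the secret's length and complexity are all that protect a PAP password on the wire), and a Class(25) return attribute that the IVE maps to a role. Addresses, user names, PINs, the secret and the Class values are constructed for this example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25
# Constructed (hypothetical) values: IVE physical IP, IAS client table, local PIN store, IVE role rules.
NAS_ADDR = "10.10.10.20"
RADIUS_CLIENTS = {NAS_ADDR: b"constructed-long-shared-secret-0123456789"}  # client IP -> shared secret
USERS = {"hallo": ("1234", b"user"), "ops": ("9876", b"admin")}  # user -> (PIN, Class value returned)
ROLE_MAP = {b"admin": "admin", b"user": "vpnuser"}  # IVE role-mapping rules on Class(25)

def pap_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2 User-Password hiding (and its inverse): XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data + b"\x00" * ((-len(data)) % 16)
    out, prev = b"", authenticator  # the first block is keyed by the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and 2 <= data[i + 1] <= len(data) - i:  # stop on a malformed TLV
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def access_request(username, pin, secret, ident):
    """What the IVE sends: User-Name, hidden User-Password and NAS-IP-Address."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, pap_xor(pin.encode(), secret, req_auth, True)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in NAS_ADDR.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def ias_handle(src_ip, packet):
    """IAS side: unregistered source IP -> no reply (the 'invalid RADIUS client' event); else check the PIN and sign the answer with MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return None
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode()
    ok = user in USERS and USERS[user][0] == pap_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, False).decode()
    body = encode_attrs([(CLASS, USERS[user][1])] if ok else [])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def ive_role(request, response, secret):
    """IVE side: drop a reply whose Response Authenticator fails (wrong secret), else map Class(25) to a role."""
    if response is None:  # IAS stayed silent: the IVE's source IP is not in its client table
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected or code != ACCESS_ACCEPT:
        return None
    return ROLE_MAP.get(decode_attrs(response[20:length]).get(CLASS))
```

Run it against a tcpdump of a real exchange and the same Response Authenticator check tells you whether the secret on both sides matches; a silent IAS is the client-table problem from earlier in the thread.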

Trusted Contributor
Posts: 154
Registered: ‎07-04-2008

Re: How do I configure a RADIUS Authentication Server (Microsoft IAS)?

Thank you spacyfreak. I think something is still wrong with the policy, but I will get back to this later. Thanks for your support so far.

@LarsNielsen: Thank you, but we decided not to purchase your product, because the support wasn't good at all (actually there was no support for implementation), so we sent the test environment back.