03-28-2010 12:16 AM - edited 03-28-2010 02:55 AM
I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?
Nothing. Here you configure "return attributes" which the RADIUS server will return to the requesting RADIUS client (like IVE) when the RADIUS accept message is sent to IVE. You can use this for additional features.
Good idea to use Network Monitor (Sniffer) on the Windows Server, to see what's going on.
It will help you a lot to understand how this works together. Without sniffing for testing you work as "blind", because you don't see which RADIUS attributes and messages travel between IVE and IAS.
These are attributes and values, which could be used for some role mapping rules on IVE.
Means - it also works, if you don't configure at "advanced" tab ANY attributes.
But I use mostly attribute "class (25)" with any value, for example value "admin".
Then on IVE role mapping you can configure rules with "user attributes".
Means for IVE...
class (25) with value "admin"
then assign userrole
class (25) with value "user"
then assign userrole
So you can use these IAS RADIUS attributes to configure role mapping rules, isn't that fantastic?
The other attributes on IAS "advanced tab" are only for other purposes like dial-in callback number and stuff like that, as historically RADIUS is a "dial-in" authentication service, but nowadays it's a standard network authentication mechanism which is supported by most network devices.
03-28-2010 02:51 AM
Authentication-Type = <not determined>
What is configured at RAS Policy Authentication Type?
Though PAP does not encrypt authentication, the user passwords will always be encrypted through RADIUS protocol between IVE and RADIUS server. The strength of RADIUS encryption depends on the complexity of the RADIUS secret.
So use a long and complex Radius Secret, like AGhafdsa!$Q123TRZHsl$§!!!123adfjnvuda
04-01-2010 04:11 AM
Thank you spacyfreak. I think something is still wrong with the policy, but I will get back to this later. Thanks for your support so far.
@LarsNielsen: Thank you, but we decided not to purchase your product, because the support wasn't good at all (actually there was no support for implementation), so we sent the test environment back.