Windows IAS for Telstra WAN
Author: brendon
I posted previously on the information Telstra needs in order to configure their RADIUS servers to proxy authentication attempts to a Windows IAS server. I have since been asked for the configuration needed on the IAS server itself to work with Telstra.
Telstra likes to provide a 10MB document outlining how RADIUS works but not how to configure it. Here is a working example of IAS configuration for the Telstra RADIUS servers.
Step 1: Install IAS (Internet Authentication Service) from the Add/Remove Programs – Windows Components menu.
Step 2: In the IAS console, under Remote Access Policies, define a new policy that permits members of a group dial-in access.
Note that access can be granted to all users by specifying the ‘DOMAIN\Domain Users’ group, or to a select set of users by creating a new group, e.g. ‘DOMAIN\NextG Dial-up’.
Leave every Remote Access Policy tab at its default configuration except for the following settings:
Advanced tab (attributes returned to Telstra):
  Name                       Vendor                       Value
  Ascend-Client-Primary-DNS  Ascend Communications Inc.   <DNS Server IP>
  Framed-Pool                RADIUS Standard              pool_001
  Framed-Protocol            RADIUS Standard              PPP
  Service-Type               RADIUS Standard              Framed
Authentication tab (methods to enable):
  No EAP methods
  MS-CHAP v2 (Change Password after Expired)
  MS-CHAP (Change Password after Expired)
  CHAP
Encryption tab ([x] = enabled, [ ] = disabled):
  [x] Basic (MPPE 40-bit)
  [x] Strong (MPPE 56-bit)
  [x] Strongest (MPPE 128-bit)
  [ ] No encryption
Step 3: Create RADIUS Clients for both Telstra RADIUS proxy servers. Note that if you manage the default gateway for your site, you will need to route traffic to these IP addresses via your Telstra WAN link. (Yes, I know they are Internet IP addresses.)
Step 4: For any users that need to authenticate via RADIUS, you will need to enable ‘Store password using reversible encryption’ on the account and then have the user change their password, since the setting only applies to passwords set after it is enabled. This can be done either on a per-user basis or in the default domain GPO; the per-user option limits the change to the accounts that actually need it. Note that with reversibly encrypted passwords, if a Domain Controller were ever compromised, an attacker could easily read the users’ current passwords off the SAM.
Step 5: Test access using <Username>@<TelstraSpecifiedDomain>. Note that IAS access logs are written to the System Event Log.
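To keep the Step 4 exposure limited to the accounts that need it, here is an added PowerShell audit (not part of the original post) that lists every account with the reversible-encryption flag set, marks those outside the dial-up group, and reports whether the default domain policy enables the setting for everyone. It assumes the RSAT ActiveDirectory module is installed and uses the ‘NextG Dial-up’ group name from Step 2 as a placeholder.

```powershell
# Added example (not from the original post): audit the accounts that carry the
# 'Store password using reversible encryption' flag required in Step 4, and flag
# any that are not in the dial-up group, so the exposure described there is kept
# to the accounts that actually need RADIUS CHAP/MS-CHAP authentication.
# Assumes the ActiveDirectory module (RSAT) is installed; adjust $DialUpGroup
# to the group you created in Step 2.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionAudit {
    param(
        [string] $DialUpGroup = 'NextG Dial-up'   # assumed group name
    )

    # userAccountControl bit 0x80 = ENCRYPTED_TEXT_PWD_ALLOWED; the OID
    # 1.2.840.113556.1.4.803 is LDAP's bitwise-AND matching rule.
    $Flag    = 0x80
    $Filter  = "(userAccountControl:1.2.840.113556.1.4.803:=$Flag)"
    $Flagged = Get-ADUser -LDAPFilter $Filter -Properties PasswordLastSet

    # Recursive membership so that nested groups count as permitted.
    $Permitted = Get-ADGroupMember -Identity $DialUpGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }

    foreach ($u in $Flagged) {
        [pscustomobject]@{
            User            = $u.SamAccountName
            InDialUpGroup   = ($Permitted -contains $u.SamAccountName)
            # Reported so you can see whether the password has been changed
            # since the flag was enabled (Step 4 requires a change).
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# Domain-wide setting from the default domain GPO: if this is true, every
# account in the domain is affected, not just the dial-up users.
$DomainWide = (Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled
if ($DomainWide) {
    Write-Warning 'Reversible encryption is enabled domain-wide by policy.'
}

# Show accounts that have the flag but are not in the dial-up group.
Get-ReversibleEncryptionAudit |
    Where-Object { -not $_.InDialUpGroup } |
    Format-Table -AutoSize
```

Any account listed by the final pipeline has the flag without needing it and is a candidate for clearing it and rotating the password.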
August 31, 2009 | Comms, TechStuff