 From:  Kay Konrad <maillinglist at city dash box dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] RADIUS client PHP
 Date:  Wed, 29 Sep 2004 19:36:12 +0200
Mitch (WebCob) wrote:

>Would be nice if anyone knows of existing how-to's - Microsoft's own
>"planning and implementing a structured...." notes are a little exhaustive.
>
>Would be a good thing to add to the wiki / doc project
>
>m/
>  
>
I'm using the Microsoft IAS "Service", it's really easy to set up.

    * First, install the IAS. (I have a German Windows, and I don't know
      the name in English versions of Windows :(, but I'll try to translate.)
          o Systemsteuerung (Control Panel) -> Software -> Windows
            Komponenten (Components) -> Netzwerkdienste (Network
            Services ?) -> Internetauthentifizierungsdienst
            (Internet Authentication Service ?)
    * Second, create a new user group (I have named the group "Radius Auth")
    * Third, configure the IAS
          o Start -> Verwaltung (Administration) ->
            Internetauthentifizierungsdienst (Internet Authentication
            Service ?)
                + Under Radius Client add a new client, using the following
                  settings: name and IP should be clear ;), then next,
                  Radius Standard (Radius Default), set the key and
                  disable the checkbox (Message Authenticator)
          o Now go to RAS Richtlinien (RAS Guidelines ?) and add a new
            rule; create a user-defined rule (don't use the assistant).
                + Add a new rule, select the following type -> Windows
                  Groups; you can also add NAS-Port-IP to select which IP
                  can send a request to the Radius server, then enable
                  the rule.
                + Then double-click on the newly created rule, click
                  Edit Profile and go to the Authentication tab, then
                  select all checkboxes there.
    * That's all; the newly generated rule should be the first in the selection.


A good authentication for a PPTP login on m0n0wall should look like this:


 Vollqualifizierter Benutzername = WINSERVER\Administrator
 NAS-IP-Adresse = <nicht vorhanden>
 NAS-Kennung = firewall.lan.xxx
 Clientanzeigename = Router
 Client-IP-Adresse = 192.168.101.1
 Kennung der Anruferstation = 80.132.71.166
 NAS-Porttyp = Virtual
 NAS-Port = 0

verwenden
 Authentifizierungsanbieter = Windows
 Authentifizierungsserver = <unbestimmt>
 Richtlinienname = Radius Auth
 Authentifizierungstyp = MS-CHAPv2
 EAP-Typ = <unbestimmt>

A good auth via Captive Portal:


 Vollqualifizierter Benutzername = WINSERVER\Administrator
 NAS-IP-Adresse = <nicht vorhanden>
 NAS-Kennung = firewall.lan.xxx
 Clientanzeigename = Router
 Client-IP-Adresse = 192.168.101.1
 Kennung der Anruferstation = <nicht vorhanden>
 NAS-Porttyp = Ethernet
 NAS-Port = 0

verwenden
 Authentifizierungsanbieter = Windows
 Authentifizierungsserver = <unbestimmt>
 Richtlinienname = Radius Auth
 Authentifizierungstyp = PAP
 EAP-Typ = <unbestimmt>
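
An added example, not part of the original message: a Python sketch that parses IAS event text with the German field labels shown above, maps the NAS port type to the m0n0wall service as in the two events, and flags PAP logins and requests from an unexpected RADIUS client address. The sample text is shortened from the two events in the message; the function names and the `expected_client_ip` parameter are assumptions.

```python
import re

# Constructed sample: the two event texts from the message, shortened.
SAMPLE = r"""
 Vollqualifizierter Benutzername = WINSERVER\Administrator
 NAS-IP-Adresse = <nicht vorhanden>
 Client-IP-Adresse = 192.168.101.1
 NAS-Porttyp = Virtual
verwenden
 Authentifizierungstyp = MS-CHAPv2

 Vollqualifizierter Benutzername = WINSERVER\Administrator
 NAS-IP-Adresse = <nicht vorhanden>
 Client-IP-Adresse = 192.168.101.1
 NAS-Porttyp = Ethernet
verwenden
 Authentifizierungstyp = PAP
"""

PAIR = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")
FIRST_KEY = "Vollqualifizierter Benutzername"     # opens each event
UNSET = {"<nicht vorhanden>", "<unbestimmt>"}     # placeholders for empty fields
SERVICE = {"Virtual": "PPTP", "Ethernet": "captive portal"}  # as in the message

def parse_events(text):
    """Split IAS event text into one dict per authentication event."""
    events = []
    for line in text.splitlines():
        m = PAIR.match(line)
        if not m:
            continue                    # blank lines and headings like 'verwenden'
        key, value = m.groups()
        if key == FIRST_KEY:
            events.append({})
        if events:
            events[-1][key] = None if value in UNSET else value
    return events

def review(event, expected_client_ip):
    """Return (service, findings); expected_client_ip is the known m0n0wall address."""
    findings = []
    if event.get("Authentifizierungstyp") == "PAP":
        findings.append("PAP: password protected only by the RADIUS shared secret")
    if event.get("Client-IP-Adresse") != expected_client_ip:
        findings.append("request from an unexpected RADIUS client address")
    return SERVICE.get(event.get("NAS-Porttyp"), "unknown"), findings

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev[FIRST_KEY], *review(ev, "192.168.101.1"))
```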