Several of the VPNs we described earlier are implemented with ISA 2006 Server in a domain environment. Today we are going to show how to use a VPN in a domain environment that requires a separate authentication server, one the VPN server hands authentication off to: a RADIUS server.
RADIUS (Remote Authentication Dial In User Service) is defined in RFC 2865 and RFC 2866 and is currently the most widely used AAA (authentication, authorization, accounting) protocol.
RADIUS is a client/server protocol. Its client was originally a NAS (Network Access Server); today any computer running RADIUS client software can act as a RADIUS client. The RADIUS authentication mechanism is flexible and supports several methods, such as PAP, CHAP or UNIX login authentication. RADIUS is an extensible protocol: all of its work is carried in attribute-length-value vectors, and vendors can add their own vendor-specific attributes.
Because the RADIUS protocol is simple, clear and extensible, it has been widely adopted, including for ordinary telephone networks, ADSL Internet access, community broadband access, IP telephony, VPDN (Virtual Private Dialup Networks, VPN services for dial-up users), mobile phone prepaid billing and other services. More recently IEEE proposed the 802.1X standard, a port-based access authentication standard for wireless networks, which uses the RADIUS protocol for authentication.
The RADIUS server usually authenticates users through a proxy device such as a NAS. The messages exchanged between the RADIUS client and the RADIUS server are authenticated with a shared key, and the user password is transmitted over the network in obscured (ciphertext) form rather than in the clear, which improves security. The RADIUS protocol combines authentication and authorization: authorization information is carried in the response message.
The basic interaction is as follows:
(1) The user enters a user name and password;
(2) The RADIUS client sends an authentication request packet (Access-Request) to the RADIUS server based on the user name and password it obtained;
(3) The RADIUS server compares the user information with its user database. If authentication succeeds, the user's permission information is sent to the RADIUS client in an authentication response packet (Access-Accept); if authentication fails, it returns an Access-Reject response packet;
(4) The RADIUS client admits or rejects the user according to the authentication result it received. If the user is admitted, the RADIUS client sends an accounting start request packet (Accounting-Request) to the RADIUS server with Status-Type set to Start;
(5) The RADIUS server returns an accounting start response packet (Accounting-Response);
(6) The RADIUS client sends an accounting stop request packet (Accounting-Request) to the RADIUS server with Status-Type set to Stop;
(7) The RADIUS server returns an accounting end response packet (Accounting-Response).
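To make steps (2) to (4) and the role of the shared key concrete, here is an added example (not code from the original article or from ISA Server) that builds an Access-Request as in RFC 2865, hides the User-Password with the shared secret, answers with Access-Accept or Access-Reject, and has the client verify the Response Authenticator before trusting the answer. The secret, user names, passwords and the fixed Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def _attr(atype, value):
    # attribute-length-value vector: type (1 byte), length (1 byte, incl. header), value
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, request_auth, hidden):
    """Server side of hide_password(): only a holder of the shared secret can undo it."""
    padded, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, username, password, request_auth=None):
    """Step (2): the Request Authenticator must be random; a fixed one is only for tests."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(secret, users, request):
    """Step (3): parse the AVPs, check the password, reply Access-Accept or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:
        atype, alen = request[pos], request[pos + 1]
        attrs[atype], pos = request[pos + 2:pos + alen], pos + alen
    given = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = hmac.compare_digest(users.get(attrs.get(ATTR_USER_NAME), b"\xff"), given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def client_verify(secret, request, response):
    """Step (4): accept the reply only if its Response Authenticator and ID match our request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])
```

A forged or replayed Accept fails `client_verify`, which is why the shared secret must be long and unique per client.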
The approximate topology is as follows: Beijing is the ISA Server and the RADIUS client; Istanbul is the test machine on the external network; Florence is the intranet domain controller and the RADIUS server.
First, install the RADIUS server
First we let the domain controller act as the RADIUS server. On the domain controller, open Control Panel and, under Networking Services, select Internet Authentication Service to install the RADIUS server.