Re: Newbie - IAS hardware configuration when authenticating web users against domain where web server is located in DMZ
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 31 Oct 2005 13:31:19 -0800
Hi John --
The ISA server does not examine the RADIUS traffic -- you simply configure
an exception so that RADIUS traffic can pass through the firewall.
The IAS proxy (on the perimeter network) is configured as a RADIUS client
to the IAS server (on the intranet), and during that configuration process
you use a shared secret. The RADIUS traffic is therefore secured, and there
is no reason for ISA to reexamine the traffic. (In addition, RADIUS is the
protocol that secures traffic between your NAS and your IAS proxy.)
"John Dolinka" <jrd7_nospam@xxxxxxx> wrote in
news:OFDOz4#2FHA.2800@xxxxxxxxxxxxxxxxxxxx:
> Thanks for the explanation and the links!
>
> Some further questions (sorry, trying to get my arms around this):
>
> It would appear from the article
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/518e70a9-9e7a-422b-a13f-f3193d4fd215.mspx
> that the firewall between the intranet and the perimeter is using filters
> to allow access for RADIUS traffic from the perimeter proxy to the
> intranet-based IAS server. It would also appear on reviewing my ISA 2004
> Application Filters that there is no Application Filter for RADIUS, and
> therefore no "deep layer 7 inspection" through the intranet/perimeter
> interface; basically ISA is acting like a packet filter for RADIUS traffic.
>
> Is Microsoft planning a Radius/IAS Application Filter in the future
> for ISA 2004?
>
> I was only able to find one vendor for a RADIUS Application filter,
> but the information was sparse and I am still awaiting a call from the
> vendor on pricing info. Are there other vendors?
>
> Does a "future" ISA Application filter buy me any more security
> between my IAS server in my internal network and my IAS proxies in the
> perimeter network?
>
> Thanks,
>
> John Dolinka
>
> "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:Xns96FC9BB5C60C1jamesmcionlinemicros@xxxxxxxxxxxxxxxx
>> "John Dolinka" <noSpam@xxxxxxx> wrote in
>> news:uc3l4#y2FHA.1276@xxxxxxxxxxxxxxxxxxxx:
>>
>>> I am working on a development test network and am curious how to
>>> authenticate web users for certain pages against the domain. I am
>>> looking at an explanation at:
>>>
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c1c0f0bc-be2a-42a3-bc11-c3c5635dffff.mspx
>>>
>>> How is the IAS protected in the DMZ?
>>> Does the IAS have direct access to the DMZ?
>>> Does the IAS sit on the inner firewall (say ISA) where the
>>> inner firewall is a member of the domain?
>>>
>>> At the end of the day I am curious how to authenticate users in the
>>> DMZ against the AD of the inner network with minimum risk to the inner
>>> network but am unsure if IAS/RADIUS is a solution, and am unsure of its
>>> hardware configuration in the DMZ.
>>>
>>> Thanks
>>>
>>> John Dolinka
>>>
>>
>> Hi there --
>>
>> If you are going to place an IAS server on a perimeter network, you
>> should configure it as an IAS proxy that forwards connection requests
>> to one or more IAS servers on the LAN through a firewall.
>>
>> Something like:
>>
>> Internet --> firewall/VPN/IAS proxy --> firewall with exceptions for
>> RADIUS & authenticated VPN traffic --> LAN/IAS servers/DC's.
>>
>> You might want to review the following content, as it addresses most
>> of your questions:
>>
>> IAS as a RADIUS proxy security considerations
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6ce5d0db-716b-4c11-ace8-45a6c7468a73.mspx
>>
>> Configuring IAS as a RADIUS Proxy
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bf9e4d9a-a264-4450-87e1-f631adb4958d.mspx
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>
>
>
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
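As an added illustration of the point made above (this is example code, not anything posted by either participant): the shared secret configured between the IAS proxy (as RADIUS client) and the IAS server is what protects the traffic the firewall merely passes through. Per RFC 2865 and RFC 2869, the proxy can HMAC each Access-Request with a Message-Authenticator, and the server's reply carries a Response Authenticator bound to the request and the secret, so a reply altered or forged between the two IAS hosts fails verification at the proxy. The secret, identifier and attribute bytes below are constructed sample values.

```python
# Added example, not code from the thread: what the shared secret configured
# between an IAS proxy (RADIUS client) and an IAS server provides on the wire.
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed sample, not a deployment value
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_request(identifier, attrs, secret=SECRET):
    """Proxy side: Access-Request with a random Request Authenticator plus an
    HMAC-MD5 Message-Authenticator computed over the packet with its value zeroed."""
    req_auth = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 38 + len(attrs)) + req_auth
    zeroed = header + attrs + bytes([MSG_AUTH, 18]) + b"\x00" * 16
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + bytes([MSG_AUTH, 18]) + mac

def verify_request(request, secret=SECRET):
    """Server side: recompute the Message-Authenticator. False means the packet
    was altered in transit, lacks the attribute, or was built with another secret."""
    pos = 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if alen < 2 or pos + alen > len(request):
            return False
        if atype == MSG_AUTH and alen == 18:
            zeroed = request[:pos + 2] + b"\x00" * 16 + request[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, request[pos + 2:pos + 18])
        pos += alen
    return False

def build_reply(code, request, attrs, secret=SECRET):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply, request, secret=SECRET):
    """Proxy side: a reply whose code, ID or attributes were changed, or that was
    produced without the secret, fails this check."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Note that the secret only authenticates and integrity-protects the packets; it does not encrypt attributes other than User-Password, which is why the firewall's packet filtering and the secret's strength are the controls that matter on that hop.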