Re: RADIUS/IAS Requests to Active Directory



Jeremy Revitch <JeremyRevitch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:88BD40C5-0E94-4ACF-99D5-D31359EB7EA5@xxxxxxxxxxxxx:

I am configuring a device (IPKVM) that will only work with PAP
authentication for users. As I understand it, the RADIUS transmission
between the IPKVM device and IAS is transmitted using MD5, therefore somewhat
secure (secure enough for my environment). I know I should probably be
using a device that supports MS-CHAP v2, but that isn't an option at
this point.

My question is about the IAS request to Active Directory for user
authentication. Does Active Directory just pass along the request (and
user credentials) using PAP with no encryption?

In my environment IAS is running on a Domain Controller, so the
transmission would be within the box, reducing the ability for someone
to sniff it out. Some day, however, we are going to need to move IAS off
of the DC, and I want to make certain we aren't locked in to an insecure
method of RADIUS authentication.



IAS uses Kerberos to talk to AD. It definitely does not use PAP or any of
the authentication methods that are used between the access client and IAS.
How IAS communicates with AD is a totally different nonconfigurable
subsystem.

You can move the IAS server off of the DC without any concerns about
security, it's a supported and secure scenario. Depending on network
traffic, though, you might encounter longer times for authentication and
authorization to be performed, and of course if a network resource between
IAS and AD goes down, like a switch or router, authentication will fail --
so make sure you have multiple routes between IAS and the DC and/or backup
IAS servers (which is a good idea anyhow).

If you are using PAP, that is the security hole you should be concerned
about. It is not recommended and it is not secure to use this authentication
method.

Certificate-based authentication methods, such as EAP-TLS and PEAP-MS-CHAP
v2, are the most secure.

FA
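The "transmitted MD5" protection the original post relies on, and the reason the reply calls PAP a security hole, both come down to how RADIUS hides the User-Password attribute (RFC 2865, section 5.2): the password is XORed with a keystream of MD5(shared secret || Request Authenticator), so anyone holding the RADIUS shared secret recovers the plaintext, and nothing in the exchange prevents that beyond secrecy of that one string. The following Python is an added example for this thread, not code from either poster or from IAS; the shared secret, Request Authenticator and password are constructed values.

```python
import hashlib
import os


def radius_hide_password(password: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Hide a PAP User-Password the way RFC 2865 section 5.2 specifies.

    The password is padded with NULs to a multiple of 16 bytes, then each
    16-byte chunk is XORed with MD5(secret || previous_block), where the
    first "previous block" is the 16-byte Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()  # not a password hash
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # CBC-style chaining on the ciphertext block
    return bytes(hidden)


def radius_reveal_password(hidden: bytes, shared_secret: bytes,
                           request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; this is exactly what the RADIUS
    server does, so any party holding the shared secret can do it too."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the NUL padding (a password ending in NUL bytes is not representable).
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    """Round-trip a constructed password and show the dependency on the secret."""
    shared_secret = b"constructed-radius-secret"      # constructed value
    request_authenticator = os.urandom(16)           # client picks 16 random bytes
    password = b"correct horse battery"               # constructed value

    hidden = radius_hide_password(password, shared_secret, request_authenticator)
    recovered = radius_reveal_password(hidden, shared_secret, request_authenticator)
    with_wrong_secret = radius_reveal_password(hidden, b"wrong-secret", request_authenticator)
    return {
        "hidden_len": len(hidden),
        "recovered": recovered,
        "recovered_ok": recovered == password,
        "wrong_secret_ok": with_wrong_secret == password,
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender: the User-Password hiding is a reversible obfuscation keyed only by the shared secret, so PAP over RADIUS is as strong as that secret and the path between NAS and IAS, whereas MS-CHAP v2, PEAP-MS-CHAP v2 and EAP-TLS never put the reusable password on the wire at all. The Kerberos exchange between IAS and AD that the reply describes is a separate channel and is not affected by which RADIUS method the access client uses.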