Configuring RADIUS servers
Microsoft Forefront Threat Management Gateway can use a RADIUS server for client authentication. This topic describes how to set up a RADIUS server to be used by Forefront TMG. These topics describe how to configure IAS as the RADIUS server. Before setting up RADIUS, be sure to read about security considerations in About RADIUS authentication.
Setting up RADIUS authentication with IAS consists of the following steps:
- Install IAS. IAS is installed as a Windows component. Note that Windows Server 2008 uses Network Policy Server (NPS) as a RADIUS server. For more information, see Network Policy Server Infrastructure at Microsoft TechNet.
- Configure Forefront TMG as a RADIUS client in IAS.
- Configure the RADIUS server in the Forefront TMG Management console. Ensure that the settings here are the same as those you specify when configuring Forefront TMG as a RADIUS client. Note that the specified RADIUS server settings apply to all rule types using RADIUS authentication.
- Modify the Forefront TMG system policy rule if required. The rule presumes that the RADIUS server is located in the default Internal network and allows RADIUS protocols from the Local Host network (the Forefront TMG computer) to the Internal network. Modify the rule if the network location is incorrect, or if you want to specify the address of the RADIUS server rather than the entire Internal network. The rule is enabled by default.
To configure a RADIUS client in IAS
On the computer running IAS, click Start, point to Administrative Tools, and then click Internet Authentication Service.
If the RADIUS server is a domain member, ensure it is registered in Active Directory. To do this, right click the root node Internet Authentication Service, and then click Register server in Active Directory.
From the Internet Authentication Service management console, right-click the RADIUS Clients folder, and then click New RADIUS Client.
On the Name and Address page, in Friendly name, enter a name for the Forefront TMG server. In Client address (IP or DNS), enter the IP address of default IP address of the adapter through which Forefront TMG accesses the domain controller (usually the Internal adapter). Using an IP address rather than a DNS name ensures that IAS does not need to resolve client names at start-up.
On the Additional Information page, in Client-Vendor, ensure that RADIUS Standard is selected. In Shared secret, specify a password, and in Confirm shared secret, confirm the password. Note that you must specify exactly the same shared secret on the Forefront TMG server.
Optionally, select Request must contain the Message Authenticator attribute.
To configure the RADIUS server
In Forefront TMG Management, click to expand the Configuration node, and then click General.
In the details pane, click Define RADIUS Servers.
On the RADIUS Servers tab, click Add.
In Server name, type the name or IP address of the RADIUS server to be used for authentication.
Click Change, and in New secret and Confirm new secret, type the shared secret to be used for communications between the Forefront TMG server and the RADIUS server. Be sure to specify the same secret you entered when configuring Forefront TMG as a client on the RADIUS server.
In Port, specify the UDP port used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on RFC 2138.
In Time-out (seconds), specify the time (in seconds) that Forefront TMG should try to obtain a response from the RADIUS server before trying an alternate server.
To modify the RADIUS system policy rule
In Forefront TMG Management, right-click the Firewall Policy node, and then click Edit System Policy.
In the Authentication Services section of the Configuration Groups list, click RADIUS.
On the General tab, verify that Enable is selected.
On the To tab, to specify a different location, select Internal, and then Remove. Then click Add, and specify the network object that represents the RADIUS server.