Secure RADIUS Traffic with IPsec

Applies To: Windows Server 2008

Internet Protocol security (IPsec) lets you secure RADIUS servers against unwanted traffic by filtering on network adapters (allowing or blocking specified protocols) and by restricting the source IP addresses from which traffic is accepted. For organizational units, you can create IPsec policies that are stored in Active Directory® Domain Services (AD DS) and applied through Group Policy. Alternatively, you can create local policies on the RADIUS servers themselves and apply them to specified computers.

Before you create IPsec filters, determine the type of traffic that you want to allow for each RADIUS server. Filters that are too strict might block acceptable network traffic. For example, if Network Policy Server (NPS) is installed on a domain controller and all IP traffic, except RADIUS traffic, is blocked on all ports, user queries for Active Directory objects on default global catalog port 3268 will fail. Conversely, IP filters that are too general expose the RADIUS server to unwanted traffic.

RADIUS messages are sent with the User Datagram Protocol (UDP). UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. When you create inbound and outbound filters with IPsec, UDP traffic must be allowed on these ports. However, some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, NPS supports both sets of ports. If your network access servers use UDP ports 1645 and 1646, you can create IPsec filters that allow traffic on these ports.
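The filter set described above, written as a classic IPsec policy with netsh. This is an added example, not configuration from the original page; the network access server address 192.0.2.10, the policy and filter list names, and the assumption that NPS runs on a domain controller are all constructed for illustration.

```powershell
# Added example: local IPsec policy for an NPS server (assumed names and addresses).
# Assumes: one network access server at 192.0.2.10 (constructed), NPS listens on
# UDP 1812/1813, and the server is also a global catalog (TCP 3268 must stay open).

# Filter actions: negotiate IPsec for RADIUS, permit for directory queries, block the rest.
netsh ipsec static add filteraction name="NPS-Secure" action=negotiate
netsh ipsec static add filteraction name="NPS-Permit" action=permit
netsh ipsec static add filteraction name="NPS-Block"  action=block

# RADIUS authentication and accounting from the known NAS only.
# mirrored=yes also creates the matching outbound filter for the replies.
netsh ipsec static add filterlist name="NPS-RADIUS"
netsh ipsec static add filter filterlist="NPS-RADIUS" srcaddr=192.0.2.10 dstaddr=Me protocol=UDP srcport=0 dstport=1812 mirrored=yes
netsh ipsec static add filter filterlist="NPS-RADIUS" srcaddr=192.0.2.10 dstaddr=Me protocol=UDP srcport=0 dstport=1813 mirrored=yes
# Uncomment if the NAS uses the legacy RADIUS ports instead; NPS accepts both sets by default.
# netsh ipsec static add filter filterlist="NPS-RADIUS" srcaddr=192.0.2.10 dstaddr=Me protocol=UDP srcport=0 dstport=1645 mirrored=yes
# netsh ipsec static add filter filterlist="NPS-RADIUS" srcaddr=192.0.2.10 dstaddr=Me protocol=UDP srcport=0 dstport=1646 mirrored=yes

# Global catalog queries: blocking this port is the "too strict" failure the text warns about.
netsh ipsec static add filterlist name="NPS-GlobalCatalog"
netsh ipsec static add filter filterlist="NPS-GlobalCatalog" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=3268 mirrored=yes

# Catch-all. Classic IPsec matches the most specific filter first, so the
# RADIUS and global catalog filters above take precedence over this one.
netsh ipsec static add filterlist name="NPS-AllOther"
netsh ipsec static add filter filterlist="NPS-AllOther" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes

# Policy and rules; RADIUS exchanges are protected with Kerberos-authenticated IPsec.
netsh ipsec static add policy name="NPS-RADIUS-Policy" description="Restrict and secure RADIUS traffic"
netsh ipsec static add rule name="Secure RADIUS"  policy="NPS-RADIUS-Policy" filterlist="NPS-RADIUS"        filteraction="NPS-Secure" kerberos=yes
netsh ipsec static add rule name="Allow GC"       policy="NPS-RADIUS-Policy" filterlist="NPS-GlobalCatalog" filteraction="NPS-Permit"
netsh ipsec static add rule name="Block other"    policy="NPS-RADIUS-Policy" filterlist="NPS-AllOther"      filteraction="NPS-Block"

# Assign the policy only after the filters have been reviewed against the server's real traffic.
netsh ipsec static set policy name="NPS-RADIUS-Policy" assign=yes
```

Run this in an elevated session and verify the result with `netsh ipsec static show policy name="NPS-RADIUS-Policy" level=verbose` before relying on it; the negotiate action requires the network access server to also support IPsec with Kerberos, otherwise use a permit action for the RADIUS filter list.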