UTM: How to setup RADIUS authentication with Microsoft IAS in SonicOS Standard
Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen4: PRO series: PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)
Firmware/Software Version: All SonicOS Standard versions.
Services: Radius authentication
This article shows how to set up RADIUS authentication on a SonicWALL running SonicOS Standard firmware, using the Internet Authentication Service (IAS) Server on Microsoft Windows 2003 Server.
This article contains the following sections:
• Configuring the IAS Server to Support Radius Clients
• Configuring User Management for Radius Authentication in the Active Directory
• Configuring the SonicWALL Security Appliance to Support the Authentication Method
Procedure:
Configuring the IAS Server to Support RADIUS Clients
Step 1 – On the Windows 2003 Server, verify that you have applied the latest Service Pack and hotfixes. Also, verify that the “Remote Access and Routing Service” is running.
Step 2 – Open Control Panel > Add or Remove Programs > Add/Remove Windows Components and find Networking Services. Press Details, check Internet Authentication Services and click OK.
Step 3 – Launch the IAS Console by clicking on Start > All Programs > Administrative Tools > Internet Authentication Service. The IAS console will appear.
Step 4 – Right click the RADIUS Clients folder in the left pane and select New RADIUS Client from the menu.
Step 5 – Enter a Name for the new Radius client and enter the LAN IP Address of the SonicWALL.
Step 6 – Select RADIUS Standard (also the default option) and enter a Shared Secret. This shared secret is needed later on the SonicWALL security appliance, so note it for future reference.
Step 7 – Click Finish. The new client will appear in the RADIUS Clients list.
Step 8 – To set up the access criteria for users, right click on Remote Access Policies and select New Remote Access Policy.
Step 9 – Click Next on the New Policy Wizard. Select the “Set up a custom policy” radio button and then enter a name for this policy.
Step 10 – Click Add on the Policy Conditions window.
Step 11 – From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user who is a member of a User Group in the Windows AD.
Step 12 – Click Add, then enter the Windows User Group that users should be a member of. Click OK.
Step 13 – The group now appears in the list. You could add more groups, but in this scenario the user only needs to be a member of one group. Click OK.
Step 14 – Back on the New Remote Access Policy window, click Next.
Step 15 – Select the Grant remote access permission radio button under the option If a connection request matches the specified conditions.
Step 16 – On the Profile window click on the Edit Profile button.
Step 17 – The Edit Dial-in Profile window will appear. Click on the Authentication tab.
Step 18 – Under the Authentication tab select MS-CHAP-V2, MS-CHAP and PAP as the authentication methods.
Step 19 – A help message box appears. Click No on the help message box.
Step 20 – Click Next on the Policy Window and then click Finish to complete. The console shows the new Remote Access Policy. Ensure that the new policy has Order 1.
This completes the IAS configuration. If you have other groups in the AD that need different access, you can add more Remote authentication policies.
Configuring User Management for Radius Authentication in the Active Directory
Step 1 – Open Active Directory Users and Computers and create the following user in the Users folder.
Step 2 – Select the Dial-in tab, and check the Allow access option.
Step 3 – Select the Member Of tab, and either add the user to the correct group or check that the user is already in it. It should be the same group as you added in the IAS under Windows Groups.
This completes the configuration for User Management in the Active Directory.
Configuring the SonicWALL Security Appliance to Support the Radius Authentication Method
Step 1 – Now we need to set up the SonicWALL for RADIUS authentication. Log in to the SonicWALL Management interface. Go to the Users tab and click on Settings. Select the Use RADIUS for user authentication radio button and click Configure.
Step 2 – Type in the IP address and the Shared Secret for the RADIUS server. The Shared Secret has to be identical to the one entered in the Radius Client in IAS.
Step 3 – Click on the Radius Users tab. Here select the appropriate check box to assign privileges to Radius users. For example, if Radius authentication is required for GVC connection, check Access from VPN client with XAUTH. If Radius authentication is required for Internet Access, check Allow Internet access (when access is restricted). This box is greyed out unless the Allow only authenticated users to access the Internet option is checked under Users > Settings.
Step 4 – Click Apply and then click on the Test tab. Type in the domain user name and password and test the authentication.
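Why the Shared Secret must be identical on both sides, shown as an added example that is not part of the original article or of SonicWALL or Microsoft code: a standard-library Python model of the RFC 2865 PAP password hiding and Response Authenticator check. The secrets, password, fixed request authenticator and the `simulate` helper are constructed for illustration; MS-CHAP and MS-CHAP-V2 are not modelled.

```python
import hashlib
import hmac
import struct

def _pad_block(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 5.2), done by the RADIUS client."""
    size = max(1, -(-len(password) // 16)) * 16      # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _pad_block(secret, prev)))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Reverse of hide_password, done by the server with its copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _pad_block(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Reply with Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20)     # 20 bytes: no attributes
    return header + hashlib.md5(header + req_auth + secret).digest()

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the authenticator with the client's secret."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def simulate(client_secret: bytes, server_secret: bytes, password: bytes,
             req_auth: bytes = bytes(range(16))):  # fixed for repeatability; real clients use random bytes
    """Return (server_accepts, client_trusts_reply) for one PAP exchange."""
    hidden = hide_password(password, client_secret, req_auth)
    # Stand-in for the directory check: the server accepts only if it recovers
    # the same password the user typed (constructed, not IAS behaviour).
    accepted = reveal_password(hidden, server_secret, req_auth) == password
    reply = build_reply(2 if accepted else 3, 1, req_auth, server_secret)  # 2=Accept, 3=Reject
    return accepted, reply_is_authentic(reply, req_auth, client_secret)

if __name__ == "__main__":
    pw = b"constructed-user-password"                 # constructed sample, >16 bytes
    print(simulate(b"constructed-secret-A", b"constructed-secret-A", pw))  # matching
    print(simulate(b"constructed-secret-A", b"constructed-secret-B", pw))  # mismatched
```

Both the password hiding and the reply check are MD5 keyed only by the shared secret, so with PAP enabled the protection of the user's password on the wire depends on that secret being long and random.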
KBID 7783
Date Modified 2/25/2010
Date Created 2/25/2010