Networking

Tech Tip: Install and configure Internet Authentication Service

Here's how to install and configure Internet Authentication Service.

By Mike Mullins

For Windows, Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server.

Install IAS

To install IAS, follow these steps:

  1. Go to Start | Settings | Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select Add/Remove Windows Components.
  4. In the Components list, select Networking Services, and click Details.
  5. Select the Internet Authentication Service check box, click OK, and click Next.

After the installation completes, you'll have a new link under Administrative Tools for Internet Authentication Service. Next, you'll need to configure a client for each device and define a remote access policy to control access.

Configure an IAS client

Client configuration is simple and straightforward. Follow these steps:

  1. Go to Start | Programs | Administrative Tools | Internet Authentication Service.
  2. Right-click the Clients folder, and select New Client.
  3. Assign a name for the client, and click Next.
  4. Specify the IP address or the DNS name of the client.
  5. Change the client vendor to match the device for which you're creating an authentication service. (Most devices use the RADIUS Standard configuration.)
  6. Enter the secret key you entered in the device configuration.
  7. Click Finish.

Define a remote access policy

To control access to the device, you must define a policy. Follow these steps.

  1. Go to Start | Programs | Administrative Tools | Internet Authentication Service.
  2. Right-click Remote Access Policies, and select New Remote Access Policy.
  3. Name the policy, and click Next to begin specifying conditions.
  4. Click Add, select Policy Friendly Name, and enter the client's name.
  5. Click Add, select Windows-Groups, and select the authorized domain group to allow access.
  6. Select Grant Remote Access Permission, and click Next.

To complete the policy, you must configure a profile for the RADIUS client. In this example, we'll use a Cisco router. Follow these steps:

  1. Click Edit Profile.
  2. On the Authentication tab, select Unencrypted Authentication (PAP, SPAP).
  3. On the Advanced tab, remove the Framed-Protocol entry, and change Service-Type entry to Login.
  4. Add a Vendor-Specific attribute, and change the vendor from RADIUS Standard to Cisco.
  5. Select Yes It Conforms, and select Configure Attribute.
  6. Enter shell:priv-lvl=15 for the attribute value.

This completes your configuration. When you Telnet to your network device using RADIUS authentication, your domain account will authenticate you and grant you exec level privileges.

After configuring your router and RADIUS server, you'll no longer need to depend on locally stored passwords on your network devices.

Final thoughts

RADIUS authentication isn't the most secure method of access control. However, it's free, and it's a good step toward securing access to your network devices.

I don't recommend using Telnet as a means of accessing your network devices. Telnet passes all of this traffic using clear text, and anyone sniffing your connection can easily read it.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox