VPN access using Radius to trusted domain Windows 2003
| David Sack 2006-02-05, 7:47 am |
| We have a WatchGuard firewall that is using RADIUS to authenticate users
using RADIUS at our main facility. Everything is working well. We have a
second office connected to the first via a T-1. I would like to
authenticate to be able to have users use the Firebox to be able to
authenticate to the second trusted domain.
Is there a way to have the RADIUS at the first site query the second site's
RADIUS and authenticate the user? We are using Windows 2003 SP1 at both
facilities.
Thanks
Dave
| |
| prueconsulting@gmail.com 2006-02-06, 5:55 pm |
| Do you have both domains set up with Trust Relationships at all?
If so then you can proxy it through to the other domain without issue
Because if therer
David Sack wrote:
> We have a WatchGuard firewall that is using RADIUS to authenticate users
> using RADIUS at our main facility. Everything is working well. We have a
> second office connected to the first via a T-1. I would like to
> authenticate to be able to have users use the Firebox to be able to
> authenticate to the second trusted domain.
>
> Is there a way to have the RADIUS at the first site query the second site's
> RADIUS and authenticate the user? We are using Windows 2003 SP1 at both
> facilities.
>
> Thanks
> Dave
| |
| David Sack 2006-02-08, 9:05 pm |
| There is a trust in place between the domains. Where do I look for the
proxy settings? On the client or the server?
Thanks
Dave
<prueconsulting@gmail.com> wrote in message
news:1139241529.787821.15700@z14g2000cwz.googlegroups.com...
> Do you have both domains set up with Trust Relationships at all?
>
> If so then you can proxy it through to the other domain without issue
>
> Because if therer
> David Sack wrote:
>
| |
| James McIllece [MS] 2006-03-01, 8:01 am |
| Hi Dave --
If you are using Windows Server 2003 IAS as your RADIUS server, all you
need to do to enable it to proxy connection requests to other RADIUS
servers is configure a new connection request policy in IAS. (See the Help
section "Connection Request Processing" for more info at
http://technet2.microsoft.com/Windo...3e36-2ca8-4b8e-8251-8dfa1b587c6d1033.mspx)
In the CRP, you configure two basic things (in addition to whatever other
settings you want to apply in the policy):
-- A remote RADIUS server group. This tells the IAS server where to send
messages that meet the criteria of being from a user whose user account is
in Domain 2.
(http://technet2.microsoft.com/Windo...7ee3-aeaa-4fb7-a7ba-cf808e2e99801033.mspx)
-- A realm name configured in the policy that tells the IAS server which
messages to forward based on the user account location (e.g. the domain
where the user account is located), which is contained in the User-Name
attribute of the Access-Request message that IAS receives from the
NAS/RADIUS client.
(http://technet2.microsoft.com/Windo...e48d-e662-435c-a74e-0dce305914ce1033.mspx)
Note that you must also configure the IAS server that will be proxying
messages to the remote RADIUS server group AS a RADIUS client on remote
RADIUS server group members that will be receiving and processing the
connection requests.
Thus the proxy side of the setup looks like this:
NAS/RADIUS client sends message to --> IAS proxy/RADIUS client that sends
message to --> IAS server in remote RADIUS server group.
"David Sack" <dsack@nospam--wp-int.com> wrote in
news:uSPQa$QLGHA.360@TK2MSFTNGP12.phx.gbl:
> There is a trust in place between the domains. Where do I look for the
> proxy settings? On the client or the server?
>
> Thanks
> Dave
> <prueconsulting@gmail.com> wrote in message
> news:1139241529.787821.15700@z14g2000cwz.googlegroups.com...
>
>
>
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
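
Added example, not part of the original thread and not IAS code: a Python model of the realm-based forwarding decision described in the reply above, which parses the User-Name attribute out of an Access-Request and applies ordered policies. The realm names `DOMAIN2` and `domain2.example`, the group name `Site2-RADIUS-Group`, and the action strings are constructed placeholders.

```python
import re
import struct

ACCESS_REQUEST = 1   # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1   # User-Name attribute type (RFC 2865)

# Constructed policies, evaluated in order; the first match wins.
# Realm patterns are anchored so a look-alike suffix is not forwarded.
POLICIES = [
    (re.compile(r"^DOMAIN2\\|@domain2\.example$", re.I),
     "forward:Site2-RADIUS-Group"),
    (re.compile(r".*"), "authenticate-locally"),
]

def build_access_request(user_name, ident=1):
    """Build a minimal Access-Request carrying only User-Name (constructed sample)."""
    value = user_name.encode("utf-8")
    attr = struct.pack("!BB", ATTR_USER_NAME, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + bytes(16) + attr  # all-zero authenticator, sample only

def extract_user_name(packet):
    """Return User-Name from an Access-Request, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None  # malformed attribute: refuse to guess
        if a_type == ATTR_USER_NAME:
            return packet[pos + 2:pos + a_len].decode("utf-8", "replace")
        pos += a_len
    return None

def route(packet):
    """Decide what the proxy does with the request: forward, local, or discard."""
    user = extract_user_name(packet)
    if user is None:
        return "discard"
    for pattern, action in POLICIES:
        if pattern.search(user):
            return action
    return "discard"
```
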