
RADIUS and Active Directory Integration

This document was kindly contributed by Nathan Whitehouse of decision:DIGITAL inc., June 2nd, 2005.

Abstract

This procedure covers the installation and deployment of a Sputnik server for clients who wish to use Windows Active Directory as a central authentication system. This removes the need to populate the Sputnik server with users that may already exist within a Windows domain.

This feat is accomplished using the widely accepted standard of RADIUS in conjunction with Active Directory. Once completed properly, remote users will authenticate to the Sputnik system via accounts and restrictions already established within a Windows Active Directory structure.

Installing Sputnik Control Center and Webmin

Following the instructions provided by Sputnik's documentation, install your preferred flavor of Linux. Then install the Sputnik Control Center software as outlined in the Sputnik Control Center Installation Guide. We recommend adding Webmin for easy web-based administration. The best way to get Webmin onto your Sputnik server is to download it to a PC, place it on your own FTP or HTTP server, and then fetch it from the Sputnik server via FTP or the wget command.

To install Webmin run the following commands:

  1. From the command prompt as root in the directory that you downloaded Webmin to, enter the following:

    # tar xzvf webmin-1.xxx.tar.gz

    This will untar the package to a new directory called webmin-1.xxx.

  2. Now cd to the webmin directory.

    # cd webmin-1.xxx

  3. Next run the setup script.

    # ./setup.sh

Select all the defaults unless you wish to make a change. At the end, when it asks whether you want Webmin to start at bootup, be sure to answer yes.

Now that Webmin is installed you can go to http://yourdomain:10000 to access the Webmin interface.

Install Sputnik RADIUS Module

The next step is to download and install the Sputnik RADIUS plugin. Follow the instructions located in our Downloads section for more details.

Install Microsoft IAS

Now install Microsoft IAS. It is best to install IAS on your Active Directory Primary server; however, you can install it on any 2000/2003 server that is a member of your Active Directory domain:

  1. Install IAS by going to Start -> Settings -> Control Panel -> Add/Remove Programs.
  2. Once the Add/Remove Programs window is open click the Add/Remove Windows Components Icon in the left side window.
  3. When the Windows Components Wizard window opens scroll down the list and highlight Networking Services and then click the Details button.
  4. Now check the box for Internet Authentication Services. Then click OK.
  5. When you get back to the Windows Components Wizard click next. IAS will then be installed. Click Finish when the installation is complete.

Configure IAS

  1. Go to Start -> Programs -> Administrative Tools -> Internet Authentication Services.
  2. Once IAS is open you first need to register it with Active Directory. In the left window, highlight the root of Internet Authentication Services, then click on Action in the top menu and select "Register Server in Active Directory" from the dropdown.
  3. Next we have to create a client for the Sputnik server:
    1. In the left window, right click on the RADIUS Clients folder and select "New RADIUS Client" from the dropdown menu. This will open the New Client Wizard.
    2. Now you will need to enter a friendly name for the client. We use Sputnik.
    3. Enter the DNS name or IP address of the server. To verify a DNS name click the Verify button. Once verified click the Next button.
    4. For Client-Vendor select RADIUS Standard.
    5. Enter a pass phrase for the Shared secret and confirm it.
    6. When finished click the Finish button.

Configure Remote Access Policies

  1. In the left window click on Remote Access Policies. The right window will now display the default Access Policies.
  2. Right click on the "Connections to other access servers" policy and select Properties.
  3. Click the "Edit Profile" button.
  4. Go to the Authentication tab. Check the box for "Unencrypted authentication (PAP, SPAP)".
  5. Click OK.
  6. At the bottom of the "Connections to other access servers" properties window, change the "If a connection request matches the specified conditions:" setting to "Grant remote access permission". Then click OK.

Configure Sputnik RADIUS Module

  1. Browse to your Sputnik server's web interface.
  2. Log in and in the left menu under Authentication click on the RADIUS link.
  3. Click the button to the right "Add New Authentication System."
  4. From the dropdown menu select RADIUS Module.
  5. Give a brief Name and a Visible Name and click Add.
    In the Authentication System Window you should see your new RADIUS Authentication System.
  6. Click on the Name of your RADIUS Authentication System to configure it.
  7. Once you are looking at the Properties for your RADIUS system click on the Edit Settings Link.
  8. Enter the address for your RADIUS server.
    Important: This needs to be a DNS name. The Authentication and Accounting server are one and the same.
  9. Set the port for the Authentication server to 1812 and the port for the Accounting server to 1813.
    Note: The authentication and accounting Secret will be the same as the Secret you set up for the RADIUS Client in IAS.
  10. Set the RADIUS communications timeout to whatever you wish. We use 14000.
  11. When complete click the update button.
  12. Click on the Captive Portals menu selection on the left.
  13. Click on the name for the captive portal you wish to use for RADIUS Authentication.
  14. Click on the link for "Walled Garden and Authentication".
  15. Under Authentication Systems check the box next to the name for your RADIUS Authentication system.
  16. When finished click the Update button.

Conclusion

RADIUS authentication via Active Directory is now complete.


© 2002 -- 2008 Sputnik, Inc. All rights reserved.