Does anyone have experience using an IAS (Internet Authentication Service) server?

Zhe-Min Lin

Hi there,
Does anyone have experience using an IAS (Internet Authentication
Service) server?

Microsoft provides a total solution for dial-in connections (or
VPN), with RAS, IAS, and an Active Directory controller. Now I want
to make use of IAS and the Active Directory controller
as the backend authentication, together with my own RAS implementation. Of
course I follow the standard RADIUS protocol between my RAS and
Microsoft IAS. But the test results show that the two-handshake
RADIUS transactions (PAP, SPAP) are OK, but EAP-MD5 is not.
IAS issues the challenge but always rejects the connection in the end.
My test client is XP, with EAP-MD5 on. None of the transaction packets
has a packet format error. The challenge response bytes are correct
too. But IAS always rejects me.
The testing environment looks like this:

        EAP                     RADIUS
XP <--------------> my RAS <---------------> IAS (win2000 server)

Why does this happen? All the settings are the same, except for the authentication
method. But PAP and SPAP work, while EAP-MD5 doesn't.
Does anyone have any idea? Thx.
 
Yep, that makes sense. You will need to implement a PKI in order to do what you are trying to do.

You could start by installing certificate services onto that server and then picking a certificate for IAS authentication in the policy.

Also, I recommend once you have it all working, to deploy some sort of VPN monitoring tool to monitor your connections and rejections (IAS doesn't have much to offer in that field).

One example is: FactotumNOW IAS Reporting: http://www.factotumnow.com/index.pl/Products/IAS Reporting which will monitor your logfiles.
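
For the EAP-MD5 case in the question, two values can be recomputed from a packet capture: the MD5-Challenge response value, and the Message-Authenticator attribute that RFC 2869 requires on any RADIUS packet carrying EAP-Message. This is an added example, not code from either poster; the builder helpers and all passwords, secrets and packets are constructed for illustration.

```python
import hashlib, hmac, os, struct
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def build_eap_md5(code, ident, value, name=b""):
    """Constructed-sample helper: EAP header, Type 4, Value-Size, Value, optional Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap_md5(pkt):
    """Return (code, identifier, value); raise ValueError on a malformed packet."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length, eap_type, size = struct.unpack("!BBHBB", pkt[:6])
    if eap_type != EAP_TYPE_MD5 or length > len(pkt) or 6 + size > length:
        raise ValueError("bad EAP type or length fields")
    return code, ident, pkt[6:6 + size]

def eap_md5_response_ok(request, response, password):
    """Recompute MD5(Identifier || password || challenge), the CHAP-style EAP-MD5 value."""
    _, req_id, challenge = parse_eap_md5(request)
    code, resp_id, value = parse_eap_md5(response)
    expected = hashlib.md5(bytes([resp_id]) + password + challenge).digest()
    return code == EAP_RESPONSE and resp_id == req_id and hmac.compare_digest(expected, value)

def message_authenticator_ok(radius, secret):
    """HMAC-MD5 (key: shared secret) over the Access-Request with attribute 80's value zeroed."""
    length = struct.unpack("!H", radius[2:4])[0] if len(radius) >= 20 else 0
    if not 20 <= length <= len(radius):
        return False
    pos = 20  # attributes start after Code, Identifier, Length, Authenticator
    while pos + 2 <= length:
        attr_type, attr_len = radius[pos], radius[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = radius[:pos + 2] + bytes(16) + radius[pos + 18:length]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, radius[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute absent

def build_access_request(eap, secret, ident=1):
    """Constructed-sample helper: Access-Request with EAP-Message and Message-Authenticator."""
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```
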
 