Comments on: Playing with Radius Authentication and ISA Server 2006

by: ynwa

Wed, 09 May 2007 19:10:48 +0000

Great article

But what if i was hosting the ISA 2006 for 2 different domains who have 2 make VPN connections.
ISA not domain member.
In your scenario, LAN and Perimeter repecent 2 different domains. Is it then possible install IAS on both domain/subnet and have the RADIUS authenticate useres on there own domain and route the client to there owe network.

Or is there another way to do it ?

/ynwa

by: Mylo

Fri, 27 Apr 2007 17:22:41 +0000

Hi Stefaan,

FWIW, this approach that you’ve described also works great with ActiveSync and PDAs, albeit using RADIUS BASIC rather than RADIUS OTP. Granted, it’s not quite up there with true two-factor (lacking the ’something I have’ element), but it avoids all the weaknesses associated with exposing say domain usernames/pw’s to DoS and I find it more convenient than deploying user x509 certs. The fact that separate RAS policies can be also be used for applying user account lockout is another boon. It’s a shame IAS doesn’t integrate with ADAM .. now that would be cool

Cheers,
Mylo

by: Stefaan Pouseele

Sat, 03 Mar 2007 11:43:31 +0000

Hi Mylo,

the goal was to avoid that users have to enter domain credentials on non-trusted, read unmanaged, computers. Therefore the use of Kerberos constrained delegation was a key element. So, ‘double authentication’ was out of the question because that requires domain credentials.

Also, I opted to do the realm stripping on each IAS server itself, not on the IAS proxy server, so that I was sure that the IAS server would use his default realm.

HTH,
Stefaan

by: Mylo

Wed, 28 Feb 2007 00:25:58 +0000

Stefaan,

Digressing slightly in the above post.. back to your article.. have web published OWA thru ISA using the RADIUS OTP approach on a stand-alone IAS (in a perimeter) and then using KBD between ISA->FE>BE .. setup credential stripping on the IAS proxy (thru the connection restriction policy)… if I look at the subsequent credentials sent by ISA it passes the details as described in your article (UPN).. and I didn’t have to setup the realm stripping on anywhere but the ISA (IAS Proxy).. was the domain issue something particular to the VPN element you described?

Regards,
Mylo

by: Mylo

Mon, 26 Feb 2007 22:32:24 +0000

Hi Stefaan,

Great article… don’t know whether you tried this but was wondering whether it’s possible to chain an authentication request in this manner so that the user DOES authenticate twice, once against the stand-alone DMZ IAS (a la RADIUS OTP) and then via a second form to do domain username/password… e.g. to OWA

i.e… you have to go thru RADIUS OTP Form before Username/Password form (hence the term chained)

Thanks
Mylo

by: Stefaan Pouseele Blog » Blog Archive » A Quest for Strong User Authentication with RPC over HTTP services and ISA Server 2006

Tue, 06 Feb 2007 19:25:25 +0000

[...] In my blog Playing with Radius Authentication and ISA Server 2006 I created the necessary environment to test out in a generic way, that means independent of any real hardware token system, the use of a two-factor authentication system with ISA Server 2006. That test environment is based on a non-domain joined Radius OTP service (IAS) as authentication provider for the users and on the capability of the ISA Server 2006 to use Kerberos constrained delegation for authentication on behalf of the users to the published service. [...]