Re: Dicussion on where RADIUS server should be
From: Imhotep (NoSpam_at_NoThanks.com)
Date: 06/16/05
- Next message: ray: "windows media player 9"
- Previous message: Doug Neal [MSFT]: "New MSSecure.XML Version 2005.06.15.0 Now Available"
- In reply to: Marlon: "Dicussion on where RADIUS server should be"
- Next in thread: Marlon: "Re: Dicussion on where RADIUS server should be"
- Reply: Marlon: "Re: Dicussion on where RADIUS server should be"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Jun 2005 11:06:24 -0700
Marlon wrote:
> All network diagrams I've seen so far indicate that a RADIUS server
> (Windows IAS, ACS, or whatever) should be placed in the 'internal' network
> and establish communications with DCs there. Then if an external user
> attempts to connect via VPN (DMZ), then I would allow only the ports
> necessary from the VPN concentrator to the RADIUS server and
> pre-authenticate users at that point.
>
> I have a security guy fellow here who tells me that the RADIUS server
> should be placed in the "DMZ" instead. Does this make sense at all?
As a general rule your authentication server (Radius, Tacacs, etc.) SHOULD be
internal. Why? Because you really want to protect (and tightly restrict
control of) this server from being hacked... Losing your Radius server would
be a disaster!
Now if your security guy is saying something like "we will put the Radius
server in its own DMZ (i.e. by itself) and strictly control access to it,"
this is not a bad idea.
Remember a couple of things about Radius: communications (sessions) are NOT
encrypted (i.e. can be sniffed). I would highly recommend using TACACS+
instead of Radius... I would also suggest not using the domain passwords for
your external (VPN) access. I would suggest using keyfobs instead. Why?
Because this would give multiple layers of security and force a
hacker/cracker to crack two accounts per person before getting full access.
This also allows you to protect yourself from weak user passwords, etc.,
etc...
-Imhotep
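An added example, not part of the thread, illustrating the "can be sniffed" point above: it builds an RFC 2865 Access-Request in Python and parses it the way a passive observer would, showing that User-Name and NAS-IP-Address are plaintext and only User-Password is obfuscated (MD5 keyed by the shared secret and the Request Authenticator). The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample secret for the demo; a real deployment uses a long random one.
SHARED_SECRET = b"example-shared-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block keys on the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; only a party holding the shared secret can do this.
    Trailing NUL padding is stripped (RADIUS passwords cannot contain NUL bytes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, nas_ip: str) -> bytes:
    """Access-Request (Code 1): 4-byte header, 16-byte random Request Authenticator,
    then type/length/value attributes: User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    authenticator = os.urandom(16)
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator)),
                         (4, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """What an observer on the wire sees without the secret: every attribute is
    readable as-is except User-Password, which is only the MD5-XOR'd blob."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

Note that the obfuscation is only as strong as the shared secret, which is one reason to keep the RADIUS server on a tightly filtered segment and limit which NAS addresses may reach it.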