Implementing ISA 2004 PPTP VPN based Smart Card EAP and RADIUS Authentication without Making the ISA Firewall a Domain Member
When we are talking about secure authentication mechanism the old fashion – "user name and password" is not relevant and out of the security scope when planning and creating a secured design.
The following article describes how to configure ISA 2004 Server PPTP VPN based EAP Authentication without the need of ISA 2004 Server to be a Member in the Domain.
In this article I choose the Aladdin eToken smart card but you can choose which smartcard you fill comfortable with.
This scenario is very simple:
- The VPN client opens a PPTP session to the ISA Server and presents a user certificate contained on the Smartcard
- The ISA firewall forwards the request to the IAS Server (RADIUS) located on the LAN; the IAS Server is a Member of the domain
- The IAS Server the following before authorizing:
- The session is PPTP
- Validate the EAP Authentication
- The user is a member in a specific group in the AD
These are the steps we need to accomplish:
After talking so much let’s start doing the interesting stuff, let’s start the journey!
- First of all we need to download and install the RTE (Run time Environment) from Aladdin web site: http://www.aladdin.com/etoken/downloads/rte.asp
- The installation is very easy and has the Microsoft "feel and look".
- To create a group in the Active Directory, on the DC go to Start->Run and enter dsa.msc and press enter.
- The MMC – Active Directory Users and Computers will open, go to the Users OU, right click->New->Group
- To enable the Dial-In option, on the DC go to Start->Run and enter dsa.msc and press enter. Go to the Users OU and select the user you want to allow access, right click on this user->Dial-In tab->Allow Access
- For configuring the CA (Certificate Authority) to enable "Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station" please follow the next steps:
The first problem:
When you surf to the CA – http://localhost/certsrv choose Request a certificate->advanced certificate request->
Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station,
then you will see the following page:
You will see that you don’t have a template for the CA and there is no Administrator Signing Certificate. To enable those options first we need to add 2 templates:
- Enrollment Agent
- SmartCard Logon
->Run and write "certsrv.msc"
Right click on the "Certificate Templates" and then select New->Certificate Template to Issue
Select "Enrollment Agent" and press OK
Repeat figure 3, then Select "Smartcard Logon" and press OK
After doing those steps surf to http://localhost/certsrv and select Request a certificate
-> advanced certificate request -> Create and submit a request to this CA
Select "Administrator" template and then select Submit and then Install this certificate
Go back 2 pages and Select "Enrollment Agent" template then select Submit
then Install this certificate
-> advanced certificate request -> Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
Next step is to create and enroll the user certificate, this is the page you need to see after doing all the above stages:
We are choosing "Smartcard Logon" because this template contain both Client Authentication and Smart card Logon. Please press on the "Select User" option and choose user from the Active Directory that you want to enroll a certificate to.
After choosing the user from the Active Directory we need to put inside our USB the eToken smart card and click Enroll
- Enable and Configuring the ISA 2004 Firewall’s VPN Server
After doing all the instructions above, we are ready to enable and configure the ISA 2004 Firewall’s VPN Server. We are going to enable VPN Clients access based on EAP and RADIUS Authentication At the Virtual Private Networks (VPN) section choose the Verify option to enable the VPN Client access.
At this section select the option "Enable VPN Client access" and a proper number of your VPN Clients that are allowed to connect, don’t choose astronomical number! This could create a security breach!
After enabling the VPN Client access, a restart is required.
Now, in the same page choose the RADIUS Server link.
Please choose the following 2 options and then select the RADIUS Servers options.
On this RADIUS Servers windows, select Add
On the Server name section, put the IP Address of the IAS server that located inside you network
For more information about Message Authenticator please see the IAS Configuration section below!
Choose a strong secret key that suitable to the secret key on the IAS server.
After applying all these changes you will see the following message, Click OK.
After configuring the RADIUS properties on the VPN Section, we need to configure the RADIUS access on the System Policy rules. Open the System Policy by selecting right clicking on the Firewall Policy node in the left pane of the console and choose Edit System Policy.
Now you need to validate that the Check box on the Enable is marked
Now go to the To tab and remove the Internal object, Instead put the internal IAS object (for security reasons)
In the Virtual Private Networks (VPN) page, select VPN Properties.
Enable just the PPTP option!
In the Virtual Private Networks (VPN) page, select Remote Access Configuration.
Select the External interface, which is where the VPN Client connections are allowed to (in this scenario)
Move to the Address Assignment tab and choose Static address pool or Dynamic Host Configuration Protocol (DHCP) which I don’t recommend in this scenario.
Go to the Authentication tub and choose Extensible authentication protocol (EAP) with smart cart or other certificate even though the ISA firewall is not a part of the domain!
After choosing the EAP option you will see the following message, click OK and continue.
After doing all the steps above, we need to create an access rule for the VPN Clients access.
Right click on the Firewall Policy, choose New
->Access Rule and follow the steps below. Always choose a meaningful rule name! Click Next.
Choose the Allow option and click Next
Always choose a specific protocol for the VPN Access, click Add and choose the proper protocol for your scenario, for this scenario I choose RDP. Click Next to continue.
Add the VPN Clients object to the source section and click Next.
Always choose a destination server in the VPN Access rules!, Click Next to continue.
From my experience almost every IT or Firewall Manager configures the VPN Access rules from Any source to Any destination in Any service Allow. This is wrong, guys!
Take a look at the following rule! VPN Access rule need to look like this.
Configuring the IAS (Internet Authentication Services)
- At the IAS Server machine, click Start and point to Administrative Tools. Click Internet Authentication Service.
- Right click on the "Internet Authentication Service (Local)" and choose Register Server in Active Directory", This option create
- When selecting this option you will see this message, press OK and continue to the next phase.
- In the Internet Authentication Service console, right click the RADIUS Clients node in the left pane of the console and click New RADIUS Client.
- On the Name and Address page, enter a Friendly name for the ISA firewall. In this example the friendly name will be ISA Firewall. Enter the IP address on the internal interface of the ISA firewall in the Client address (IP or DNS) text box. Click Next.
- On the Additional Information page, confirm that the Client-Vendor option is set to RADIUS Standard. Enter a password in the Shared secret text box and confirm the password in the Confirm shared secret text box. Make the password complex, with more than 8 characters and a mix of upper and lower case letters, numbers and symbols. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. Click Finish.
*For more information about Message Authenticator attribute please see the following link:
- Delete the 2 default policies in the IAS Remote Access Policies
- You need to create 3 policy rules. Right click on the Remote Access Policies and choose New Remote Access Policy
- Press Next and step forward
- Always choose a meaningful Policy name and press Next.
- In this window you need to select 3 attributes:
- In this window you need to see the 3 attributes you selected, click Next.
- In this window you need to select the Grant remote access permission option and press Next.
- Press Next and finish the process.
If you would like us to email you when Idan Plotnik releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.