Solution:
er uses the new Active Directory security database. This is very different to the Windows NT Domain security structure.
Currently the Perle 833s do not support authentication directly against the Active Directory.
If a security application such as RADIUS is installed that can interact with the Active Directory, then it provides a solution, as the Perle 833s do support RADIUS authentication.
On the 833IS and 833AS, administrators of the Perle will then be looked up on the RADIUS host and not in the local database.
For more detailed information: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/ias.asp
Configure the Perle to use RADIUS security
Configure a shared secret that will be matched in the IAS client configuration within IAS.
Select only PAP authentication initially as the Windows User database does not store passwords in reversible encryption by default. See note at bottom for details on CHAP support.
The example is a simple setup based on a new installation of IAS. If there is an existing IAS setup then these instructions may not apply exactly as shown.
Using Internet Authentication Service / RADIUS for security:
Add Remove Programs
Add/Remove Windows Components
Networking Services
Internet Authentication Service
Set IAS to access the Active Directory (if using a Domain Controller)
Right click on Internet Authentication Service
Register Service in Active Directory
Add the Perle to the client list
Right click on Clients
Add New Client
Give a friendly name
Protocol = RADIUS
Set the IP address of the Perle
Client-Vendor = RADIUS Standard
Enter the Shared Secret
NOTE: Admin level user is required for the 833IS and 833AS.
Create a policy to allow Domain Admin users to administer the Perle 833AS/IS (make sure this is the first profile)...
Right click on Remote Access Policies
Add New Policy
Give a friendly name
Add a new condition
IP-Client-Address = <IP address of Perle>
Windows-Group = Administrators
Grant remote access permission
Edit Profile
Authentication (tab)
Enable PAP ... or CHAP (which will require additional configuration: see below for CHAP details)
Advanced (tab)
Remove Framed-Protocol
Edit/Add Service-Type ... change the attribute value to Administrative
Create a policy to allow access to all users
Right click on Remote Access Policies
Add New Policy
Give a friendly name
Add a new condition
IP-Client-Address = <IP address of Perle>
Grant remote access permission
Edit Profile
Authentication (tab)
Enable PAP ... or CHAP (which will require additional configuration: see below for CHAP details)
IP (tab)
Server Settings Define Policy
Ensure that the service is started.
Ensure that the Active Directory / Local account for the user has Dial In access enabled in their user profile.
Additional NOTES:
Create a Group in the Active Directory and add users to that group.
You can then add the Windows Group option as a Condition in the IAS Policy.
Reversibly Encrypted Passwords (CHAP) ...
The current user passwords are not stored in a reversibly encrypted form by default and are not automatically changed. You must either manually reset the user’s password or set the user’s passwords to be changed the next time the user logs on to the LAN. This must be done for each user who will be authenticating via IAS.
Once the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before they attempt to log on with a remote access connection using CHAP. Users cannot change passwords during the authentication process when using CHAP. The logon attempt will fail.
If the RADIUS configuration in the Perle has CHAP enabled then it will be the preferred method.
NOTE: the Perle will always encrypt the packets that are sent to the RADIUS server even if PAP is being used on the passwords.
To enable reversibly encrypted passwords for a specific user you can modify their User Properties -> Account options -> enable Store Password using Reversible Encryption. You must then reset their password.
To enable reversibly encrypted passwords (CHAP) in a domain (Active Directory server) Group Policy:
Open Active Directory Users and Computers
In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties.
On the Group Policy tab, click Default Domain Policy, and then click Edit.
In the console tree, click on Windows Settings
click on Security Settings
click on Account Policies
click Password Policy.
In the details pane, double-click "Store password using reversible encryption for all users in the domain"
Click Enabled, and then click OK.
Reset the user passwords as indicated above.
To enable reversibly encrypted passwords (CHAP) on a stand-alone server (not a domain) in the Local Security Policy:
Start -> Run -> gpedit.msc
In the console tree, select Computer Configuration -> Windows Settings -> Security Settings -> Account Policy-> Password Policy
Enable "Store password using reversible encryption"
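Because a reversibly encrypted copy of a password only exists once the password has been set after the policy took effect, it is worth checking, before enabling CHAP on the Perle, which accounts will still fail. The following audit script is an added example, not part of the Perle article; it assumes the ActiveDirectory PowerShell module (RSAT) on a current domain, a group of RADIUS users named RADIUS-Users, and a placeholder policy enablement date, all of which are assumptions to be replaced.

```powershell
# Added example (not from the Perle article): list which members of the RADIUS
# users group have had their password reset since "Store password using
# reversible encryption" was enabled, and which still have no reversibly
# encrypted password and will therefore be denied with CHAP (Reason-Code 19).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# ENCRYPTED_TEXT_PWD_ALLOWED bit in userAccountControl; set when the per-user
# "Store password using Reversible Encryption" account option is ticked.
$EncryptedTextPwdAllowed = 0x80

function Get-ChapReadiness {
    param(
        # Group whose members authenticate through IAS (assumed name).
        [string]$RadiusGroup = 'RADIUS-Users',
        # Date the domain or per-user reversible encryption setting was enabled
        # (placeholder; replace with the real date from your change record).
        [datetime]$PolicyEnabledOn = (Get-Date '2001-08-01')
    )

    $members = Get-ADGroupMember -Identity $RadiusGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties userAccountControl, PasswordLastSet

        # Per-user override of the domain policy (the domain-wide setting in
        # Default Domain Policy is not visible on the user object itself).
        $perUser = ($u.userAccountControl -band $EncryptedTextPwdAllowed) -ne 0

        # A reversibly encrypted password is only stored at the next password
        # change, so the last set date must be later than the enablement date.
        $resetAfterPolicy = ($null -ne $u.PasswordLastSet) -and
                            ($u.PasswordLastSet -gt $PolicyEnabledOn)

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            PerUserReversible = $perUser
            PasswordLastSet   = $u.PasswordLastSet
            ResetAfterPolicy  = $resetAfterPolicy
            ChapWillFail      = -not $resetAfterPolicy
        }
    }
}

# Accounts flagged ChapWillFail need a password reset (or "change at next
# logon" via a LAN logon) before CHAP is enabled in the Perle RADIUS profile.
Get-ChapReadiness | Sort-Object ChapWillFail -Descending | Format-Table -AutoSize
```

Accounts that report ChapWillFail can be left on PAP in the Perle profile until their password has been reset, after which CHAP becomes the preferred method as described above.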
Check with the Windows Event Viewer -> System Log for troubleshooting.
example message:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/23/2001
Time: 11:30:39 AM
User: N/A
Computer: PERLE-NLHM5IKIP
Description:
User cyung was denied access.
Fully-Qualified-User-Name = W2K\cyung
NAS-IP-Address = <not present>
NAS-Identifier = PTAC 833AS
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 833AS
Client-IP-Address = 165.154.128.188
NAS-Port-Type = Async
NAS-Port = 23
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.
In this example one of two problems is indicated: reversibly encrypted passwords are not enabled in the group policy, or the user's password has not been reset after the reversibly encrypted passwords policy was enabled.
Note: if the shared secret is mismatched then IAS will record a "User Is Granted Access" event but the connection will fail with an unknown user message.