Configure Windows IAS on Windows Server 2003

This section includes instructions on configuring Windows Server 2003 Internet Authentication Service (IAS) for use with Packeteer RADIUS authentication. For information on the general setup and configuration of this server, refer to the documentation included with the product. These steps assume you have already installed IAS on your Windows 2003 server.

Note: For instructions on configuring Windows IAS on a computer running Windows 2000 Server, see Configure Windows IAS on Windows Server 2000.

Here are the basic steps for configuring IAS for use with Packeteer RADIUS authentication:

  1. Use the Computer Management tool to create access groups (look and touch) for your Packeteer devices.

  2. Use IAS to create a Packeteer client.

  3. Use IAS to create two remote access policies (look and touch).

Create Access Groups

Use the Computer Management tool to create two access groups for your Packeteer devices — one for touch access and the other for look:

  1. Open the Computer Management tool (Start > Programs > Administrative Tools > Computer Management).

  2. Open the System Tools and Local Users and Groups items, if they are not already open.

  3. Right-click on Group and select New Group.

  4. Enter the following information for the first group:

    Group Name: Packeteer Touch Access
    Group Description: Touch Access to Packeteer devices
    Members: Add members as desired using the Add button

  5. Click Create.

  6. Enter the following information for the second group:

    Group Name: Packeteer Look Access
    Group Description: Look Access to Packeteer devices
    Members: Add members as desired using the Add button

  7. Click Create.

  8. Click Close.

Create a Packeteer Client

Use IAS to create a Packeteer client:

  1. Open Internet Authentication Service (Start > Programs > Administrative Tools > Internet Authentication Service).

  2. Right-click on RADIUS Clients and select New RADIUS Client.

  3. Enter the following information in the New RADIUS Client dialog box:

    Friendly name: a useful name for your PacketShaper device, for example, packetshaper1
    Client address (IP or DNS): the IP or DNS name of your PacketShaper
    Protocol: RADIUS

  4. Click Verify. The Verify Client window opens.

  5. Click Resolve. The IP address associated with the Client should appear in the IP address window below.

  6. Click OK to return to the New RADIUS Client window.

  7. Click Next. The New RADIUS Client window opens.

  8. Enter the following information in the New RADIUS Client dialog box:

    Client-Vendor: RADIUS Standard
    Shared secret: secret to be shared between IAS and Packeteer — you will also need to enter this into the RADIUS configuration on the PacketShaper.
    Confirm shared secret: same as above

  9. Click Finish.

Create Remote Access Policies

Use IAS to create two remote access policies — one for touch access and the other for look:

  1. If it's not already open, open the Internet Authentication Service.

  2. To create the first remote access policy, right-click on Remote Access Policies, and select New Remote Access Policy.

  3. The New Remote Access Policy Wizard opens. Click Next.

  4. Select Set up a custom policy.

  5. Enter a name for the policy in the Policy Name field, for example, Packeteer Touch.

  6. Click Next. The New Remote Access Policy window opens.

  7. Click Add. The Select Attribute window opens.

  8. In the Attribute types list, click Client-Friendly-Name, then click Add.

  9. In the Client-Friendly-Name dialog box, enter the friendly name used to define your Packeteer device (for example, packetshaper) and click OK.

  10. In the same Select Attribute window as before, click Windows-Groups, then click Add.

  11. In the Groups dialog box, click Add, then click Advanced in the Select Groups dialog box.

  12. Click Find Now to identify your current list of Windows groups.

  13. Select a group in the Search results window, then click OK, click OK again, then click Add to add the group to your new policy.

  14. In the same Add Remote Access Policy dialog box as before, click Next.

  15. Select Grant remote access permission, and then Next.

  16. Click Edit Profile.

  17. In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you are using: PAP, CHAP, MS-CHAP or MS-CHAPv2.

    Note: You may select more than one authentication method, if you like. Just make sure that the authentication method you select in Packeteer is enabled in IAS.

  18. Select the Advanced tab, and click Add.

  19. In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific.

  20. In the Multivalued Attribute Information dialog box, click Add.

  21. Select Enter Vendor Code, and enter 2334.

  22. Select Yes. It conforms.

  23. Click Configure Attribute, and enter the following information:

    Vendor-assigned attribute number: 1
    Attribute format: String
    Attribute value: access=touch

    Note: for PolicyCenter authentication, enter the attribute value: role=PC:touch

  24. Click OK for the Configure VSA, Vendor-Specific Attribute Information, Multivalued Attribute Information dialog boxes.

  25. Click Close in the Add Attributes dialog box.

  26. Click OK in the Edit Dial-In Profile dialog box.

  27. Click Next in the New Remote Access Policy Wizard dialog box.

  28. Click Finish to save your changes and close the wizard.

  29. To create the second Remote Access Policy, repeat the above steps with the following changes:

    Policy Friendly name: Packeteer Look
    Group to add: Packeteer Look
    Attribute value: access=look

    Note: for PolicyCenter authentication, enter the attribute value: role=PC:look

This completes the configuration required to allow a Packeteer device to use IAS for RADIUS authentication.
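
To check what the Touch and Look policies actually return, the following added example (not part of the original guide and not Packeteer or Microsoft code) builds and parses the Vendor-Specific attribute configured in steps 19 to 23, assuming the RFC 2865 layout that the "Yes. It conforms" choice selects. The function names and the sample bytes are constructed for illustration.

```python
import struct

VSA_TYPE = 26            # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)
PACKETEER_VENDOR = 2334  # vendor code entered in the profile
ACCESS_SUBTYPE = 1       # vendor-assigned attribute number
# Attribute values named on this page
KNOWN_VALUES = {"access=touch", "access=look", "access=super", "access=portal",
                "role=PC:touch", "role=PC:look"}


def encode_vsa(value, vendor=PACKETEER_VENDOR, subtype=ACCESS_SUBTYPE):
    """Build the attribute bytes for an RFC-conformant string VSA."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", subtype, 2 + len(data)) + data
    total = 2 + 4 + len(sub)  # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BBI", VSA_TYPE, total, vendor) + sub


def packeteer_values(attrs):
    """Walk a RADIUS attribute list; return the Packeteer access strings found."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VSA_TYPE or len(body) < 6:
            continue
        vendor, subtype, sublen = struct.unpack("!IBB", body[:6])
        if vendor != PACKETEER_VENDOR or subtype != ACCESS_SUBTYPE:
            continue  # another vendor's VSA: not ours to interpret
        if sublen < 2 or sublen > len(body) - 4:
            raise ValueError("bad vendor sub-attribute length")
        found.append(body[6:4 + sublen].decode("ascii"))
    return found


def check_profile(attrs):
    """Return (value, ok) pairs; ok is False for a value not listed on this page."""
    return [(v, v in KNOWN_VALUES) for v in packeteer_values(attrs)]


# Constructed sample: a Service-Type attribute followed by the Touch-policy VSA.
SAMPLE = bytes([6, 6, 0, 0, 0, 6]) + encode_vsa("access=touch")
```

A value flagged False usually means a typing error in the Attribute value field of the policy profile.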

Notes

PolicyCenter

If you are using PolicyCenter and wish to enable RADIUS authentication, follow the Create Access Groups and Create Remote Access Policies procedures above with the following changes:

Policy Friendly Name: Packeteer Super
Group to Add: Packeteer Super
Attribute value: access=super

Customer Portal

If you are using Customer Portal and wish to enable RADIUS authentication for customers accessing the Packeteer device, follow the Create Access Groups and Create Remote Access Policies procedures above with the following changes:

Policy Friendly Name: Packeteer Portal
Group to Add: Packeteer Portal
Attribute value: access=portal

You must ensure that a Windows domain name is not required to be entered. If your IAS server is subscribed to a domain, all your portal-access customers must be in the default domain for the IAS server.

PacketGuide™ for PacketWise® 8.3