RADIUS Proxy in Perimeter Network (ISA server 2006)

Scenario
======

You have a RADIUS proxy in the perimeter network and a RADIUS server on the intranet. Internet clients connect to the ISA Server on its external (extranet) side, and ISA passes the credentials to the RADIUS proxy. The RADIUS proxy must then contact the RADIUS server so that the connection can be established.

Solution
======

FE = Front End Firewall

BE = Back End Firewall

Configure the RADIUS proxy with its RADIUS client set to the IP address of the FE firewall's interface facing the perimeter network. Also configure the default gateway of the RADIUS proxy as the IP address of the BE firewall's interface facing the perimeter network. Note: you can instead use the IP address of the FE firewall as the default gateway; in that case you have to add a static route on the RADIUS proxy server so that traffic for the internal network goes via the BE firewall, with the following command:

route add <BE Internal Network> MASK <Subnet Mask> <IP address of the BE firewall perimeter NIC>

Now configure the RADIUS access policy and the RADIUS server group on the RADIUS proxy server. Once that is done, move to the RADIUS server and add the RADIUS proxy's IP address as a RADIUS client there. Also create an access policy that allows the VPN port and the required Windows user groups.

Configuring Firewalls:

1. Enable client VPN on the FE firewall. Set the RADIUS server address to the IP address of the RADIUS proxy.

2. (Optional) Allow inbound and outbound traffic between the Internet and the perimeter network (the RADIUS proxy server) on ports 1812 and 1813.

3. On the BE firewall, create a network rule from the RADIUS proxy in the perimeter network to the RADIUS server(s) in the internal network.

4. Allow traffic from the perimeter network to the intranet (RADIUS server) and from the intranet to the perimeter network.

These steps assume that you have already verified that the RADIUS proxy and the RADIUS server can communicate on the internal network.
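As an added check for that last assumption (example code written for this note, not part of the original post or of any Microsoft tool), the following Python script builds one RADIUS Access-Request with a hidden User-Password, sends it over UDP, and validates the Response Authenticator of the reply, which is exactly what fails when a shared secret or RADIUS client entry is wrong at one hop. The host, user name, password and shared secret passed to probe() are assumptions you supply; run it from the RADIUS proxy toward the RADIUS server, and from a host on the perimeter network toward the proxy, to confirm each hop before troubleshooting the ISA rules.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes

def hide_password(data: bytes, secret: bytes, authenticator: bytes, reveal: bool = False) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    reveal=True runs the inverse, which is what the server or proxy does on receipt."""
    padded = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        prev = block if reveal else res       # chain on the ciphertext block in both directions
        out += res
    return out

def build_access_request(user: str, password: str, secret: bytes, ident: int, authenticator: bytes) -> bytes:
    name = user.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name                    # User-Name (type 1)
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden              # User-Password (type 2)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()  # Response Authenticator
    return header + resp_auth + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject replies whose Response Authenticator was not computed with our shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return expected == response[4:20]

def probe(host: str, user: str, password: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request to host:port (hypothetical values supplied by the caller) and classify the reply."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(user, password, secret, ident, auth), (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (firewall rule, route or RADIUS client entry missing at this hop)"
    if reply[1] != ident or not verify_response(reply, auth, secret):
        return "bad authenticator: shared secret mismatch or forged reply"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], f"code {reply[0]}")
```

A "timeout" points at routing or firewall rules on that hop, a "bad authenticator" at the shared secret, and "reject" means the packets flow but the access policy or user group is wrong.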