Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

ISA 2004: Publishing a RADIUS Server

Newsgroup question: I don’t want ISA to actually do the RADIUS stuff, but I want to publish a RADIUS server (in Microsoft land, that’s called IAS – Internet Authentication Service – if you’re running Windows Server) behind ISA so that we can authenticate remote RADIUS clients.

Poking around through the ISA 2004 Protocol Definitions, there’s no RADIUS Server protocol out of the box. RADIUS client and Accounting protocols are included, but they’re not Server Publishing protocols – they’re defined as outbound.

Outbound Protocol Definition - Send then Receive

I’m going to assume that you’re using a server on an Internal network as the RADIUS Server, but this applies equally if it’s on any network that has a NAT relationship with the RADIUS clients (in this case, via an ISP, so they’ll be on the External network). So if you have a screened subnet/DMZ that hosts the RADIUS server and also NATs to the Internet, this still applies.

Note the relationship from Internal to External is NAT

In a non-Routed relationship, we need to Server Publish a server to present it to our External clients, and to Server Publish, we’ll first need a set of Inbound protocol definitions for the job.

I made a couple to test with, and have exported them to an XML file – there’s one not shown here called “RADIUS Server – Conglomerated”, that contains both ports in a single server protocol definition, as in my experience most people just want to publish both ports. The other two do a single UDP port each. With ISA 2000, you’d absolutely need two protocol definitions and server publishing rules; 2004 is cooler.

Quick aside: with a Route relationship on a fully routed network, I’d usually suggest creating an Access Rule rather than a publishing rule, Source External, destination your RADIUS Server, protocol RADIUS (the default Outbound one, just in an inbound direction).

If you’re going to use this – and as a general best practice – please back up your configuration (right-click the topmost node in ISA management, and choose Back Up) before importing any definitions ever, so you can restore if something goes wrong. Just in case. No, I don’t anticipate a problem, but I won’t be held responsible either! Okay, just give me the file

Import Protocol

To import the definitions, you can use the Toolbox (right-click All Protocols, choose Import All, then pick the XML file), or a script like this one or, well, anything, really.

Once they’re there, just create a regular Server Publishing rule, pick RADIUS Server – Conglomerated as the protocol (or be more specific and use two rules if you’d like) and you’re done.

Completed Server Publishing Rule
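As an added example (not the exported XML or the script linked above), here is a Windows Script File that creates the same three inbound protocol definitions through the ISA 2004 administration COM object instead of importing them. It assumes the FPC.Root type library exposes the fpcUdp and fpcUdpReceiveSend constants to the script, assumes the IANA RADIUS ports 1812/1813 (the post doesn’t state ports; legacy IAS deployments may use 1645/1646), and the definition names are mine. Run it with cscript on the ISA server.

```vbscript
<?xml version="1.0" ?>
<job id="AddRadiusInboundProtocols">
<!-- Pulls the FPC enumeration constants (fpcUdp, fpcUdpReceiveSend) from the type library (assumption) -->
<reference object="FPC.Root"/>
<script language="VBScript">
Option Explicit

' Standard RADIUS ports (RFC 2865 / RFC 2866); adjust if IAS listens on 1645/1646.
Const RADIUS_AUTH_PORT = 1812
Const RADIUS_ACCT_PORT = 1813

Dim root, isaArray, protocols
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray
Set protocols = isaArray.ArrayPolicy.PolicyElements.ProtocolDefinitions

' Creates one inbound (Receive then Send) UDP protocol definition usable by a
' Server Publishing rule. An existing definition with the same name is left
' untouched, so the script is safe to re-run.
Sub AddInboundUdp(name, description, ports)
    Dim def, p
    Set def = Nothing
    On Error Resume Next
    Set def = protocols.Item(name)
    On Error GoTo 0
    If Not def Is Nothing Then
        WScript.Echo "Skipping existing protocol definition: " & name
        Exit Sub
    End If
    Set def = protocols.Add(name)
    def.Description = description
    For Each p In ports
        ' Receive/Send is the server-side view, which is what publishing needs;
        ' the built-in RADIUS definitions are Send/Receive (outbound) and won't do.
        def.PrimaryConnections.Add fpcUdp, fpcUdpReceiveSend, p, p
    Next
    def.Save
    WScript.Echo "Created protocol definition: " & name
End Sub

AddInboundUdp "RADIUS Server - Authentication", "Inbound UDP " & RADIUS_AUTH_PORT, Array(RADIUS_AUTH_PORT)
AddInboundUdp "RADIUS Server - Accounting", "Inbound UDP " & RADIUS_ACCT_PORT, Array(RADIUS_ACCT_PORT)
AddInboundUdp "RADIUS Server - Conglomerated", "Inbound UDP " & RADIUS_AUTH_PORT & " and " & RADIUS_ACCT_PORT, _
    Array(RADIUS_AUTH_PORT, RADIUS_ACCT_PORT)
</script>
</job>
```

Whichever way you create the publishing rule afterwards, scope its source to the addresses of the ISP’s RADIUS clients rather than the whole External network, so only those hosts can reach the IAS listener.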