Friday, September 19, 2008

Netscreen and RADIUS

For those who have been following the blog for a while, I'm Jim, the junior Windows sysadmin from the guest week and previously mentioned in other posts. Matt has very graciously allowed me to post blog updates, so you can look forward to my experiences as I stumble my way into becoming a real sysadmin.

As noted in my previous blog post, my current project has been a new PDC. Unfortunately, due to issues with third-party apps and 64-bit Windows, I have had to nuke the install and start over. Beyond that, implementing all the services that I had running on our old 2003 box on the new 2008 box has been almost too easy. I even got a new certificate server running on it without hitting a snag. The only thing that has really stumped me was the RADIUS configuration.

To give a little background, we have two RADIUS clients: a Netscreen firewall and a Cisco wireless access point. The guy whose job I inherited initially set up RADIUS and configured the Netscreen client and applicable policies, while my boss configured the Cisco and its policy. However, the initial notes (if there were any) have been lost in the sands of time, so I have been flying sort of blind here. And of course, Microsoft went and redid the old Internet Authentication Service (IAS) and turned it into the Network Policy Server (NPS) on W2k8. While NPS is actually pretty easy to set up, things are located in different places, which makes it more difficult to do a side-by-side comparison when setting things up.

Setting up the Cisco was pretty trivial; it uses no fancy settings, so I just had to tell NPS that it was authenticating 802.11 wireless clients and it was good to go. The Netscreen, however, caused some problems. Since I had no idea how it was originally set up, I had to dig through the settings to figure out how the authentication was supposed to work. I found that there are two external groups on the Netscreen that correspond to two groups within Active Directory: Domain Admins and WebAuth. So the first thing I tried was setting up a network policy for each that had a condition where the user had to belong to the group in question. And of course, it didn't work. So off to the Juniper Knowledge Base I go. This led me to these pages here and here. That gave me the final clue (and I only felt a little foolish for missing the setting on the old DC): I did not know I needed to specify a Vendor Specific Attribute to make it work. I set up Attribute 3 (specify an external group) and I was off and running.
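As an added illustration (not from the original post), here is what that Vendor Specific Attribute looks like on the wire, so you can check what NPS is actually handing back in its Access-Accept. The vendor ID 3224 is assumed to be NetScreen's IANA enterprise number, and the sample reply is constructed for the example.

```python
import struct

# Constructed values for this example. 3224 is assumed to be NetScreen's IANA
# enterprise number; 3 is the vendor sub-attribute the post calls "Attribute 3"
# (the external group name the firewall matches against its own group list).
NETSCREEN_VENDOR_ID = 3224
NS_USER_GROUP = 3
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type shared by all VSAs


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob):
    """Walk a RADIUS attribute list. Plain attributes come back as
    (type, value); each VSA sub-attribute as (26, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        value = blob[i + 2:i + alen]
        if atype != VENDOR_SPECIFIC:
            out.append((atype, value))
        else:
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):  # one VSA may carry several sub-attributes
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA sub-attribute")
                out.append((atype, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def netscreen_groups(attrs):
    """External-group names a NetScreen would take from an Access-Accept."""
    return [a[3].decode() for a in attrs
            if len(a) == 4 and a[1] == NETSCREEN_VENDOR_ID and a[2] == NS_USER_GROUP]


def sample_access_accept():
    """Constructed attribute list for a user matched by the WebAuth policy:
    Service-Type (6) = Login (1) followed by the NetScreen group VSA."""
    return (struct.pack("!BBI", 6, 6, 1)
            + build_vsa(NETSCREEN_VENDOR_ID, NS_USER_GROUP, b"WebAuth"))
```

If the group list comes back empty, the VSA is missing from the policy; if it is present but the name does not match the external group configured on the firewall, the Netscreen will still reject the login.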

And yes, I did document the process this time.

Thankfully, the only things left on this project are setting up DHCP (trivial, as the service will remain running) and raising the domain functional level, but I will leave that for the weekend, I think.