How to configure Microsoft IAS for use with the Symantec LAN Enforcer
Last Updated March 16, 2012
This article covers the steps required for configuring the Microsoft Internet Authentication Service (IAS) for use with the Symantec LAN Enforcer.
The Symantec LAN Enforcer in Symantec Network Access Control can forward RADIUS requests from an 802.1x enabled switch for optional user authentication. This configuration is called Basic Mode - for details please see the following article:
The RADIUS user authentication in LAN Enforcer Basic mode can be provided by IAS. The steps below will help enable this configuration in PEAP (Protected EAP) mode.
In the Symantec Endpoint Protection Manager (SEPM) console:
Configure the Client Group supplicant settings:
Navigate to Policies - General Settings - Security Settings.
Check the "Enable 802.1x authentication" option, but do not check "Use Symantec Transparent Mode".
Configure the LAN Enforcer to use the IAS as RADIUS server:
Navigate to Admin - Servers.
Select Edit Group Properties for the LAN Enforcer group.
On the RADIUS Server Group tab, create a new group with the IP address of the IAS server and a shared secret.
On the Switch tab edit the Switch Policy and select the new RADIUS Server Group in the dropdown list.
In the Active Directory Users and Computers MMC snap-in:
Allow Remote Access for the user account that is to be authenticated via the LAN Enforcer and IAS server.
In the user account properties dialog, select the Dial-in tab and pick the option to allow access under Remote Access Permissions.
Create a certificate to use for PEAP:
Make sure Certificate Services are installed on the server (in Control Panel - add/remove Windows components).
Create a new certificate on http://localhost/certsrv/ following the steps in Microsoft article KB871222.
Visit http://localhost/certsrv/ and click Request a certificate.
Select Advanced certificate request.
Select Create and submit a request to this CA.
Select Microsoft RSA SChannel Cryptographic Provider in the CSP dropdown.
Check the Store Certificate in the local computer certificate store check box.
Leave the default options of 1024 for Key Size, and "Create a new key set" and "Automatic container name" selected.
Enter Identifying Information as appropriate.
In the Microsoft Internet Authentication Service (IAS) MMC snap-in:
Configure a new RADIUS Client using the LAN Enforcer IP address:
Under RADIUS Clients, select New RADIUS Client and enter the LAN Enforcer IP address.
Press Next, and fill in the same shared secret that was entered in the RADIUS Server Group created earlier in the LAN Enforcer group policy.
Create a new Remote Access Policy:
Under Remote Access Policies, select New Remote Access Policy.
Using either the wizard option or the custom policy option, create policy conditions and a profile to control network access.
Use conditions matching the client requests (for example "Ethernet" or "Domain Users" for an initial test granting access).
For the Profile, select Protected EAP (PEAP) as the EAP type.
Further edit the Protected EAP (PEAP) method, and select the certificate created earlier from the dropdown list.
To access the certificate selection after saving the policy (or if not using the wizard):
Click Edit Profile.
Select the Authentication tab.
Click EAP Methods.
Click Add and select PEAP if it is not in the EAP types list already.
Select PEAP and click Edit.
Pick the correct certificate from the dropdown.
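The shared secret entered on the LAN Enforcer (RADIUS Server Group) and on the IAS (RADIUS Client) has to match because every RADIUS message is bound to it: an Access-Request that carries EAP-Message must carry a Message-Authenticator (HMAC-MD5 keyed with the secret), and the Access-Accept/Reject carries a Response Authenticator (MD5 over the reply plus the secret). The following is an added, self-contained Python example, not Symantec or Microsoft code, that builds and verifies this exchange for the RFC 2865/RFC 3579 subset involved, so the effect of a mismatched secret is visible. The user name, NAS address and secrets are constructed placeholders.

```python
"""Added example: minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865,
RFC 3579 subset) showing why the NAS (LAN Enforcer) and server (IAS) shared secret
must match. All names, addresses and secrets below are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER = struct.Struct("!BBH")  # code, identifier, length; 16-byte authenticator follows


def attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity: code=2 (Response), id, length, type=1 (Identity), data."""
    body = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def parse_attributes(packet):
    """Return [(type, value, value_offset)]; raise ValueError on a malformed AVP list."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs


def build_access_request(secret, identifier, request_auth, user, nas_ip, eap):
    """NAS side (what the LAN Enforcer forwards): Access-Request carrying EAP-Message
    plus a Message-Authenticator computed over the packet with that field zeroed."""
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    head = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac  # Message-Authenticator is last: overwrite its zeros


def verify_access_request(secret, packet):
    """Server side (what IAS checks for a trusted RADIUS client): the Message-Authenticator
    must verify under the secret configured for that client, otherwise the request is dropped."""
    if len(packet) < 20:
        return False
    code, _ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _v, _o in attrs)
    if len(mas) != 1 or len(mas[0][0]) != 16 or not has_eap:
        return False  # RFC 3579: EAP-Message requires exactly one Message-Authenticator
    mac, off = mas[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def build_response(secret, code, request, attrs=b""):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    head = HEADER.pack(code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request, response):
    """NAS side: accept the reply only if it proves knowledge of the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if HEADER.unpack(response[:4])[2] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"constructed-shared-secret", mismatched=b"constructed-typo"):
    """Run the exchange with matching secrets and with a mismatch on one side."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    eap = eap_identity_response(1, b"user@example.local")
    req = build_access_request(secret, 42, request_auth, b"user@example.local", "192.0.2.10", eap)
    accept = build_response(secret, ACCESS_ACCEPT, req)
    return {
        "server_accepts_request": verify_access_request(secret, req),
        "server_with_wrong_secret": verify_access_request(mismatched, req),
        "nas_accepts_reply": verify_response(secret, req, accept),
        "nas_with_wrong_secret": verify_response(mismatched, req, accept),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the four outcomes: with matching secrets both the request and the reply verify; with a mismatch on either side verification fails, which is the condition a real server silently discards (or logs) rather than answering, and which shows up in a RADIUS capture as requests with no reply.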
If any part of the configuration is missing, the IAS server will write an entry to the standard Windows System Event Log. The event log entries contain a text description with useful hints as to which step has not been configured correctly (such as "invalid RADIUS client IP address" if the LAN Enforcer has not been entered as a trusted client of the IAS).
Capturing the network traffic and filtering on RADIUS will also show whether the requests were received on the server and whether any reply was sent. When capturing on the client side, a useful filter is EAP, which shows the communication between the switch and the local supplicant.
The IAS server listens on UDP port 1812 (RADIUS), which is also used by the SEPM. If both are installed on the same machine, the IAS needs to be configured to use a separate port.
It is recommended that the less complex Transparent mode be configured first with the LAN Enforcer, before the environment is changed to Basic mode with user authentication.
Imported Document ID: HOWTO74612