
Radius server in a DMZ, how to authenticate AD users ?


Pascal

Jun 12, 2007, 4:35:40 AM

Hello,

we have a wifi project and we would like to authenticate Active
Directory users.

Is there a way to add the RADIUS server in a DMZ without it being a member
of the AD domain and still authenticate the wifi users?

Do you know a basic secure infrastructure for such a situation?

Thank you

--
Pascal


jwgoe...@gmail.com

Jun 12, 2007, 6:05:04 PM

You can make the Radius/IAS server a domain member on a DMZ. See if
these two articles help:

Windows Server 2003 Technical Library > Planning for IAS as a RADIUS
Server
IAS as a RADIUS server security considerations
http://technet2.microsoft.com/windowsserver/en/library/bfa1451a-6f53-4792-98a0-00d10977fd2c1033.mspx?mfr=true

Securing IAS: IAS and firewalls
http://technet2.microsoft.com/windowsserver/en/library/bfa1451a-6f53-4792-98a0-00d10977fd2c1033.mspx?mfr=true

Regards,

J Wolfgang Goerlich

S. Pidgorny <MVP>

Jun 13, 2007, 5:27:33 AM

I must stress the fact that domain membership of the IAS server will be a
requirement - the firewall considerations part of TechNet concerns a
firewall between RADIUS clients (wireless APs and controllers) and IAS.

There's no need to host IAS on DMZ.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

<jwgoe...@gmail.com> wrote in message
news:1181685904....@z28g2000prd.googlegroups.com...

Pascal

Jun 13, 2007, 6:18:38 AM

Thank you for your answers.

But is it really secure to join the RADIUS server to the domain?

--
Pascal


jwgoe...@gmail.com

Jun 13, 2007, 7:34:42 AM

Svyatoslav Pidgorny wrote:
> There's no need to host IAS on DMZ.

That depends upon one's risk tolerance and the cost of the DMZ, doesn't
it? If I were deploying an IAS server and had a spare interface on my
firewall, I would definitely put it in a DMZ.

J Wolfgang Goerlich

S. Pidgorny <MVP>

Jun 14, 2007, 9:12:14 AM

G'day:

"Pascal" <pasc...@nospam.hotmail.com> wrote in message
news:mn.6ae27d767...@nospam.hotmail.com...


> Thank you for your answers.
>
> But is it really secure to join the radius to the domain ?

Basically you have to. The risk is that somebody will attempt to
authenticate against the domain.

S. Pidgorny <MVP>

Jun 14, 2007, 9:14:46 AM

G'day:

<jwgoe...@gmail.com> wrote in message
news:1181734482.6...@g37g2000prf.googlegroups.com...

Overengineering, in my opinion. Do basic threat modeling: identify a
scenario in which a firewall between IAS and the rest of the domain would
prevent a successful attack. I struggle to come up with such a scenario.

Leythos

Jun 14, 2007, 10:48:07 AM

In article <#bBPAYor...@TK2MSFTNGP04.phx.gbl>, slav...@yahoo.com
says...

> G'day:
>
> <jwgoe...@gmail.com> wrote in message
> news:1181734482.6...@g37g2000prf.googlegroups.com...
> > Svyatoslav Pidgorny wrote:
> >> There's no need to host IAS on DMZ.
> >
> > That depends upon ones risk tolerance and the cost of the DMZ, doesn't
> > it? If I were deploying an IAS server and had a spare interface on my
> > firewall, I would definitely put it in a DMZ.
> >
>
> Overengineering, in my opinion. Do basic threat modeling: identify a
> scenario when a firewall between IAS and the rest of the domain will prevent
> successful attack. I struggle figuring out such scenario.

The idea of putting an authentication box, attached to the domain for
authentication, in the DMZ to expose LAN resources is just plain wrong
and the model needs to be rethought.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

jwgoe...@gmail.com

Jun 15, 2007, 8:58:00 AM

Hello,

I find it difficult to believe that putting an IAS in a DMZ or
perimeter network is an altogether outrageous idea. Note that the
Technet article says that in "the most common configuration, the
firewall is connected to the Internet and the IAS server is another
intranet resource that is connected to the perimeter network." In
addition, the Windows 2003 Security exam also describes this IAS/
Radius configuration.

The point of putting a firewall between the client and the IAS
server is that one suspects the IAS server might be compromised. A
possible scenario includes an attacker compromising the IAS server and
then using it as a beachhead to compromise further systems. If cost is
not a significant issue, I would argue placing a second firewall
between the IAS server and the production network makes sense. This
gives an administrator greater control over the IAS environment.

Regards,

J Wolfgang Goerlich

Leythos

Jun 15, 2007, 1:31:45 PM

In article <1181912280.6...@q66g2000hsg.googlegroups.com>,
jwgoe...@gmail.com says...

If a server in the DMZ has the ability to authenticate with the LAN
network services then there is little point in having a DMZ. If you open
any common ports between DMZ and LAN, and the DMZ node is a member of
the LAN domain/authentication, then you've just eliminated the security
of the DMZ.

ganjan...@gmail.com

May 5, 2019, 11:46:58 AM

Can anyone tell me which RADIUS server is better for an ISP?

https://www.ttalkss.com