You cannot configure ISA Server 2004 to use different servers for RADIUS authentication and for RADIUS accounting

You cannot configure Microsoft Internet Security and Acceleration (ISA) Server 2004 to use different servers for Remote Authentication Dial-In User Service (RADIUS) authentication and for RADIUS accounting.

This problem occurs because ISA Server 2004 does not let you configure different servers for RADIUS authentication and for RADIUS accounting.

To resolve this problem, install the hotfix that is described in Microsoft Knowledge Base article 919012. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
After you apply the hotfix that is described in the Microsoft Knowledge Base article 919012, use the following Microsoft Visual Basic script to configure the ISA Server computer to use a RADIUS server either for authentication or for accounting. To run this script, follow these steps:

1. Click Start, point to Programs, point to Accessories, and then click Notepad.
2. Copy the following code, and then paste it into Notepad.

   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   '
   ' Copyright (c) Microsoft Corporation. All rights reserved.
   ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
   ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
   ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
   ' HEREBY PERMITTED.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   
   
   '
   '	Abstract:	The script sets a RADIUS server to Authentication or to Accounting
   '
   
   Sub PrintUsage
   	Wscript.Echo "Usage: SetRadius <RADIUS server name> <Au | Ac | AuAc | Print>"
   	Wscript.Quit 1
   End Sub
   
   const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
   const authRadiusServerVpsAttr = "IsAuthRadiusServer"
   const acctRadiusServerVpsAttr = "IsAcctRadiusServer"
   
   Sub SetTypePerRadius(radiusName, radiusType)
   
       Dim oFPC
       Dim oVPS
       Dim isAuth, isAcct
   
       on error resume next
   
       err.Clear
   
       Set oFPC = CreateObject("FPC.Root")
   
       '
       'Get the RADIUS server object
       '
       Set oRadiusServer = oFPC.GetContainingArray.RuleElements.RadiusServers(radiusName)
       if err.Number <>0 then
       Wscript.Echo "Failed to retrieve RADIUS server object with name: " & radiusName 
   	WScript.Quit
       end if
   
       'Get the vendor parameters set object
       Set oVPS = oRadiusServer.VendorParametersSets(radiusVpsGUID)
   
       'If this vendor parameters set does not exist, create it
       if err.Number <>0 then
   		err.Clear
           Set oVPS = oRadiusServer.VendorParametersSets.Add(radiusVpsGUID)
   		if err.Number <>0 then
   			Wscript.Echo "Fail to add a Vendor Parameter Set. error code is: " & err.number & " Desc: " & err.description
   			WScript.Quit
   		End If
   
        End If
   
   	if (radiusType = "AU") then
   		oVPS.Value(authRadiusServerVpsAttr)= true
   		oVPS.Value(acctRadiusServerVpsAttr)= false
   	end if
   	if (radiusType = "AC") then
   		oVPS.Value(authRadiusServerVpsAttr)= false
   		oVPS.Value(acctRadiusServerVpsAttr)= true
   	end if
   	if (radiusType = "AUAC") then
   		oVPS.Value(authRadiusServerVpsAttr)= true
   		oVPS.Value(acctRadiusServerVpsAttr)= true
   	end if
   	if (radiusType = "PRINT") then
   		isAuth = oVPS.Value(authRadiusServerVpsAttr)
   		isAcct = oVPS.Value(acctRadiusServerVpsAttr)
   		Wscript.Echo "RADIUS server (" & radiusName & "): auth (" & isAuth & "), acct (" & isAcct & ")"
   	
   	end if
   	
   	if (radiusType <> "PRINT") then
   		if err.Number <>0 then
       		Wscript.Echo "Fail to set/get VPS value. error code is: " & err.number & " Desc: " & err.description
   		end if
   
   		'Save the changes
   		oRadiusServer.VendorParametersSets.Save
   		if err.Number <>0 then
   			Wscript.Echo "Fail to save. error code is: " & err.number & " Desc: " & err.description
   			WScript.Quit
   		End If
   	end if
   End Sub
   
   
   
   '
   ' Check the arg count, and display Help if argument is not present or contains /?
   '
   Dim argCount
   argCount = Wscript.Arguments.Count
   If argCount > 0 Then 
   	If InStr(1, Wscript.Arguments(0), "/?", vbTextCompare) > 0 Then
   		PrintUsage
   	End If
   	If InStr(1, Wscript.Arguments(0), "-?", vbTextCompare) > 0 Then
   		PrintUsage
   	End If
   End If
   
   If (argCount <> 2) Then
   	PrintUsage
   End If
   
   '
   '	Save the RADIUS server name
   '
   Dim radiusName
   radiusName = Wscript.Arguments(0)
   
   '
   '	Save the type
   '
   Dim radiusType
   radiusType = UCase(Wscript.Arguments(1))
   if (radiusType <> "AU") AND (radiusType <> "AC") AND (radiusType <> "AUAC") AND (radiusType <> "PRINT") then
   	PrintUsage
   end if
   
   SetTypePerRadius radiusName, radiusType
   
   'Inform the user of the result
   if (radiusType <> "PRINT") then
   	if (err.Number = 0) then
   		Wscript.Echo "Parameters were successfully added"
   	end if
   end if
   

3. Save this Notepad file as SetRadius.vbs.

You can use the script to configure the following properties on the ISA Server computer:

• IsAuthRadiusServer
  When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for authentication.
• IsAcctRadiusServer
  When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for accounting.

Note If you set both the IsAuthRadiusServer and IsAcctRadiusServer properties to TRUE or if you do not set these properties, ISA Server adds the server that you designate to both the RADIUS authentication list and the RADIUS accounting list.

Script usage

To run the script, type the following commands at a command prompt. SetRadius is the name of the script that you saved in step 3. You must run the script from the location where you saved the script.

Note In the following commands, substitute the IP addresses of the RADIUS servers that you are using.Notes

• Make sure that the UDP port is set to 1812 for RADIUS authentication. To configure RADIUS servers that are used only for accounting, you must leave the default authentication port number (1812) unchanged.
• ISA Server uses the authentication port number to calculate the accounting port number. ISA Server adds a value of one (1) to the value of the authentication port. This behavior is compliant with the port configuration settings that are specified in the following Requests for Comments (RFCs):
  • RFC 2865, "Remote Authentication Dial In User Service (RADIUS)"
  • RFC 2866, "RADIUS Accounting"
  These RFCs specify the following port values.

  Configuration	Port number
  RADIUS authentication	1812 or 1645
  RADIUS accounting	1813 or 1646

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about RFC 2865 and about RFC 2866, visit the following Internet Society Web site: