
You cannot configure ISA Server 2004 to use different servers for RADIUS authentication and for RADIUS accounting



Symptoms

You cannot configure Microsoft Internet Security and Acceleration (ISA) Server 2004 to use different servers for Remote Authentication Dial-In User Service (RADIUS) authentication and for RADIUS accounting.



Cause

This problem occurs because ISA Server 2004 does not let you configure different servers for RADIUS authentication and for RADIUS accounting.



Resolution

To resolve this problem, install the hotfix that is described in Microsoft Knowledge Base article 919012. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
919012 Description of the ISA Server 2004 hotfix package: May 10, 2006

After you apply the hotfix that is described in the Microsoft Knowledge Base article 919012, use the following Microsoft Visual Basic script to configure the ISA Server computer to use a RADIUS server either for authentication or for accounting. To run this script, follow these steps:
  1. Click Start, point to Programs, point to Accessories, and then click Notepad.
  2. Copy the following code, and then paste it into Notepad.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    
    '
    '	Abstract:	The script sets a RADIUS server to Authentication or to Accounting
    '
    
    Sub PrintUsage
    	Wscript.Echo "Usage: SetRadius <RADIUS server name> <Au | Ac | AuAc | Print>"
    	Wscript.Quit 1
    End Sub
    
    const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
    const authRadiusServerVpsAttr = "IsAuthRadiusServer"
    const acctRadiusServerVpsAttr = "IsAcctRadiusServer"
    
    Sub SetTypePerRadius(radiusName, radiusType)
    
        Dim oFPC
        Dim oVPS
        Dim isAuth, isAcct
    
        on error resume next
    
        err.Clear
    
        Set oFPC = CreateObject("FPC.Root")
    
        '
        'Get the RADIUS server object
        '
        Set oRadiusServer = oFPC.GetContainingArray.RuleElements.RadiusServers(radiusName)
        if err.Number <>0 then
            Wscript.Echo "Failed to retrieve RADIUS server object with name: " & radiusName
            'Exit with a non-zero code so that callers can detect the failure
            WScript.Quit 1
        end if
    
        'Get the vendor parameters set object
        Set oVPS = oRadiusServer.VendorParametersSets(radiusVpsGUID)
    
        'If this vendor parameters set does not exist, create it
        if err.Number <>0 then
            err.Clear
            Set oVPS = oRadiusServer.VendorParametersSets.Add(radiusVpsGUID)
            if err.Number <>0 then
                Wscript.Echo "Fail to add a Vendor Parameter Set. error code is: " & err.number & " Desc: " & err.description
                WScript.Quit 1
            End If
        End If
    
    	if (radiusType = "AU") then
    		oVPS.Value(authRadiusServerVpsAttr)= true
    		oVPS.Value(acctRadiusServerVpsAttr)= false
    	end if
    	if (radiusType = "AC") then
    		oVPS.Value(authRadiusServerVpsAttr)= false
    		oVPS.Value(acctRadiusServerVpsAttr)= true
    	end if
    	if (radiusType = "AUAC") then
    		oVPS.Value(authRadiusServerVpsAttr)= true
    		oVPS.Value(acctRadiusServerVpsAttr)= true
    	end if
    	if (radiusType = "PRINT") then
    		isAuth = oVPS.Value(authRadiusServerVpsAttr)
    		isAcct = oVPS.Value(acctRadiusServerVpsAttr)
    		Wscript.Echo "RADIUS server (" & radiusName & "): auth (" & isAuth & "), acct (" & isAcct & ")"
    	
    	end if
    	
    	if (radiusType <> "PRINT") then
    		'Stop here if a value could not be set, so that a partial change is
    		'not saved and the error is not reported again as a save failure
    		if err.Number <>0 then
    			Wscript.Echo "Fail to set/get VPS value. error code is: " & err.number & " Desc: " & err.description
    			WScript.Quit 1
    		end if
    
    		'Save the changes
    		oRadiusServer.VendorParametersSets.Save
    		if err.Number <>0 then
    			Wscript.Echo "Fail to save. error code is: " & err.number & " Desc: " & err.description
    			WScript.Quit 1
    		End If
    	end if
    End Sub
    
    
    
    '
    ' Check the arg count, and display Help if argument is not present or contains /?
    '
    Dim argCount
    argCount = Wscript.Arguments.Count
    If argCount > 0 Then 
    	If InStr(1, Wscript.Arguments(0), "/?", vbTextCompare) > 0 Then
    		PrintUsage
    	End If
    	If InStr(1, Wscript.Arguments(0), "-?", vbTextCompare) > 0 Then
    		PrintUsage
    	End If
    End If
    
    If (argCount <> 2) Then
    	PrintUsage
    End If
    
    '
    '	Save the RADIUS server name
    '
    Dim radiusName
    radiusName = Wscript.Arguments(0)
    
    '
    '	Save the type
    '
    Dim radiusType
    radiusType = UCase(Wscript.Arguments(1))
    if (radiusType <> "AU") AND (radiusType <> "AC") AND (radiusType <> "AUAC") AND (radiusType <> "PRINT") then
    	PrintUsage
    end if
    
    SetTypePerRadius radiusName, radiusType
    
    'Inform the user of the result
    if (radiusType <> "PRINT") then
    	if (err.Number = 0) then
    		Wscript.Echo "Parameters were successfully added"
    	end if
    end if
    
  3. Save this Notepad file as SetRadius.vbs.
You can use the script to configure the following properties on the ISA Server computer:
  • IsAuthRadiusServer
    When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for authentication.
  • IsAcctRadiusServer
    When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for accounting.
Note If you set both the IsAuthRadiusServer and IsAcctRadiusServer properties to TRUE or if you do not set these properties, ISA Server adds the server that you designate to both the RADIUS authentication list and the RADIUS accounting list.

Script usage

To run the script, type the following commands at a command prompt. SetRadius is the name of the script that you saved in step 3. You must run the script from the location where you saved the script.

Note In the following commands, substitute the IP addresses of the RADIUS servers that you are using.
Command                      Result
SetRadius 10.0.0.10 AU       Sets the IsAuthRadiusServer property value for the RADIUS server that uses IP address 10.0.0.10 to TRUE
SetRadius 10.0.0.20 AC       Sets the IsAcctRadiusServer property value for the RADIUS server that uses IP address 10.0.0.20 to TRUE
SetRadius 10.0.0.30 AUAC     Sets the IsAuthRadiusServer property value and the IsAcctRadiusServer property value for the RADIUS server that uses IP address 10.0.0.30 to TRUE
SetRadius 10.0.0.10 Print    Prints the IsAuthRadiusServer property value and the IsAcctRadiusServer property value
Notes
  • Make sure that the UDP port is set to 1812 for RADIUS authentication. To configure RADIUS servers that are used only for accounting, you must leave the default authentication port number (1812) unchanged.
  • ISA Server uses the authentication port number to calculate the accounting port number. ISA Server adds a value of one (1) to the value of the authentication port. This behavior is compliant with the port configuration settings that are specified in the following Requests for Comments (RFCs):
    • RFC 2865, "Remote Authentication Dial In User Service (RADIUS)"
    • RFC 2866, "RADIUS Accounting"
    These RFCs specify the following port values.
    Configuration            Port number
    RADIUS authentication    1812 or 1645
    RADIUS accounting        1813 or 1646
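
The role rules from the Note on IsAuthRadiusServer and IsAcctRadiusServer above, applied as a read-only audit of every RADIUS server in the array. This is an added example, not part of the original KB script. It reuses the GUID and attribute names from SetRadius.vbs, and it assumes that the RadiusServers collection can be enumerated with For Each and that each server object exposes a Name property.

```vbscript
' Added example (not Microsoft's code): list the effective RADIUS role of each
' server without creating a vendor parameters set and without calling Save.
Option Explicit

Const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
Const authRadiusServerVpsAttr = "IsAuthRadiusServer"
Const acctRadiusServerVpsAttr = "IsAcctRadiusServer"

' Returns "TRUE", "FALSE" or "NOT SET" for one flag on one server object.
Function ReadFlag(oServer, attrName)
    Dim oVPS, rawValue, boolValue
    ReadFlag = "NOT SET"
    On Error Resume Next
    Set oVPS = oServer.VendorParametersSets(radiusVpsGUID)
    If Err.Number = 0 Then rawValue = oVPS.Value(attrName)
    If Err.Number = 0 And Not (IsEmpty(rawValue) Or IsNull(rawValue)) Then
        ' Convert in its own statement so that a failed conversion is caught below
        boolValue = CBool(rawValue)
        If Err.Number = 0 Then
            If boolValue Then ReadFlag = "TRUE" Else ReadFlag = "FALSE"
        End If
    End If
    Err.Clear
End Function

' Both flags TRUE, or neither flag set, puts the server on both lists (see the Note).
Function EffectiveRole(authFlag, acctFlag)
    Select Case authFlag & "/" & acctFlag
        Case "NOT SET/NOT SET", "TRUE/TRUE"
            EffectiveRole = "authentication and accounting"
        Case "TRUE/FALSE"
            EffectiveRole = "authentication only"
        Case "FALSE/TRUE"
            EffectiveRole = "accounting only"
        Case Else
            EffectiveRole = "combination not covered by the article; review manually"
    End Select
End Function

Dim oFPC, oServers, oServer, authFlag, acctFlag
Set oFPC = CreateObject("FPC.Root")
Set oServers = oFPC.GetContainingArray.RuleElements.RadiusServers
For Each oServer In oServers   ' assumption: the collection supports For Each
    authFlag = ReadFlag(oServer, authRadiusServerVpsAttr)
    acctFlag = ReadFlag(oServer, acctRadiusServerVpsAttr)
    WScript.Echo oServer.Name & ": auth (" & authFlag & "), acct (" & acctFlag & ") -> " & _
        EffectiveRole(authFlag, acctFlag)
Next
```

A server reported with both flags not set receives both authentication and accounting traffic, so check that this is intended before you rely on separate servers.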



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

For more information about RFC 2865 and about RFC 2866, visit the following Internet Society Web site:



Keywords: KB915912, kbprb, kbqfe


Article Info
Article ID : 915912
Revision : 5
Created on : 12/4/2007
Published on : 12/4/2007