IAS Shiva LanRover Setup Issues with Microsoft RADIUS (195287)



The information in this article applies to:

  • Microsoft Internet Authentication Service
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0

This article was previously published under Q195287

SYMPTOMS

A user dialing into (or trying to dial out from) a Shiva LanRover using Microsoft Internet Authentication Service (IAS) Remote Authentication Dial-In User Service (RADIUS) may not be successful.

CAUSE

When IAS is initially installed, it is not automatically configured to work with the Shiva LanRover.

WORKAROUND

To work around this issue, use one of the following resolutions:
  • To allow users to dial in using only LanRover to RADIUS, use the following settings on the Profiles tab for the default user profile in IAS:

    Framed-protocol = PPP
    Framed-routing = none
    service-type = framed

-OR-

  • To allow only dial out through the Shiva LanRover via the Shiva Extranet client software pointing to RADIUS (to authenticate users before being allowed to dial out), you must remove service-type = framed and add service-type = outbound user, as shown below:

    framed-protocol = PPP
    Framed-routing = none
    service-type = outbound user

-OR-

  • To allow both dial-in and dial-out capabilities at the same time, you must obtain the full commercial edition of IAS, which currently ships with Microsoft Commercial Internet Service (MCIS).

    CIAS allows the creation of multiple user profiles and RADIUS realms. The default profile is set up as described in the first resolution, where users continue to dial in as they normally would. To implement dial-out ability at the same time, you would then need to create a new profile, as described in the second resolution, but tie it to a RADIUS realm (for example, realm2). This is done in User Authentication on the Realms tab of the IAS software.

    Users dialing out via the Shiva Extranet software need to specify the RADIUS realm in the Username field for IAS (RADIUS) to use the "dial-out" profile instead of the default. For example:

    username: username@realm2.com
    password: password

    Shiva forwards the dial-out request to IAS RADIUS. IAS then uses the "dial-out" profile instead of the "default" based on the realm2.com realm. RADIUS then strips the realm, forwards the username to Windows NT, verifies the user is allowed to dial out, and then allows dial out through the Shiva Extranet software.
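
The realm-based profile selection described above, as an added example that is not part of the original article and is not IAS code. It models how the realm suffix picks the profile and shows the reply attributes as RFC 2865 type-length-value bytes, which is what to look for in a NetMon trace. The profile table layout, the function names and the rule that an unmatched realm falls back to the default profile with the name left unchanged are assumptions.

```python
import struct

# RADIUS attribute type codes and enumerated values from RFC 2865.
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_ROUTING = 6, 7, 10
FRAMED, OUTBOUND = 2, 5      # Service-Type values
PPP, ROUTING_NONE = 1, 0     # Framed-Protocol / Framed-Routing values

# Profiles as described in the article; the dict layout and the
# profile names are assumptions made for this example.
PROFILES = {
    "default": {FRAMED_PROTOCOL: PPP, FRAMED_ROUTING: ROUTING_NONE, SERVICE_TYPE: FRAMED},
    "dial-out": {FRAMED_PROTOCOL: PPP, FRAMED_ROUTING: ROUTING_NONE, SERVICE_TYPE: OUTBOUND},
}
REALM_TO_PROFILE = {"realm2.com": "dial-out"}  # realm mapping from the article's example


def select_profile(user_name):
    """Return (profile name, user name with the realm stripped)."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:                        # no realm suffix: default profile
        return "default", user_name
    profile = REALM_TO_PROFILE.get(realm.lower())
    if profile is None or not user:    # assumption: unknown realm is not stripped
        return "default", user_name
    return profile, user


def encode_attributes(profile_name):
    """Encode a profile as RADIUS TLVs: type (1 byte), length (1 byte), 32-bit value."""
    out = b""
    for attr_type, value in sorted(PROFILES[profile_name].items()):
        out += struct.pack("!BBI", attr_type, 6, value)
    return out


if __name__ == "__main__":
    # Constructed sample user names.
    for name in ("username", "username@realm2.com", "username@other.example"):
        profile, stripped = select_profile(name)
        print(name, "->", profile, stripped, encode_attributes(profile).hex())
```

In a trace, a dial-out user who still receives Service-Type 2 (Framed) instead of 5 (Outbound) was matched to the default profile, which points to a missing or mistyped realm in the Username field.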

MORE INFORMATION

If you modify other settings in Shiva or want to pass back additional attributes to the LanRover, you may need to specify additional attributes on the Profiles tab of the IAS software. The most common are listed below:

Sample profile:

framed-protocol=ppp
framed routing=none
framed netmask=255.255.0.0
framed compression=van jacobson TCP/IP
framed MTU =1500
framed IP =255.255.0.0
service-type=outbound user

Shiva users who are still experiencing problems with RADIUS authentication should also verify that they have the RADIUS security package from Shiva installed correctly. (This is available for download on the Shiva/Intel Web site; it may require a security code from Shiva support to install.)

This problem can be identified by running a NetMon trace. If no RADIUS packets are being sent from Shiva, check the Shiva activity log (Sctivity.txt) for "RADIUS licensing."

It is also recommended that Shiva customers obtain the latest firmware (version 5.7 as of 8/13/99). An EPROM update for your hardware may be needed. For more information, Shiva customers should contact Shiva/Intel.
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Minor
Last Reviewed: 8/18/2005
Keywords: kbpending kbprb KB195287