You cannot configure ISA Server 2004 to use different servers for RADIUS authentication and for RADIUS accounting (915912)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
SYMPTOMS
You cannot configure Microsoft Internet Security and Acceleration (ISA) Server 2004 to use different servers for Remote Authentication Dial-In User Service (RADIUS) authentication and for RADIUS accounting.

CAUSE
This problem occurs because ISA Server 2004 does not let you configure different servers for RADIUS authentication and for RADIUS accounting.

RESOLUTION
To resolve this problem, install the hotfix that is described in Microsoft Knowledge Base article 919012.
For more information, see the following article in the Microsoft Knowledge Base:
919012 Description of the ISA Server 2004 hotfix package: May 10, 2006

After you apply the hotfix that is described in the Microsoft Knowledge Base article 919012, use the following Microsoft Visual Basic script to configure the ISA Server computer to use a RADIUS server either for authentication or for accounting. To run this script, follow these steps:
- Click Start, point to Programs, point to Accessories, and then click Notepad.
- Copy the following code, and then paste it into Notepad.
```vbscript
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Abstract: The script sets a RADIUS server to Authentication or to Accounting
'
Sub PrintUsage
    Wscript.Echo "Usage: SetRadius <RADIUS server name> <Au | Ac | AuAc | Print>"
    Wscript.Quit 1
End Sub

const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
const authRadiusServerVpsAttr = "IsAuthRadiusServer"
const acctRadiusServerVpsAttr = "IsAcctRadiusServer"

Sub SetTypePerRadius(radiusName, radiusType)
    Dim oFPC
    Dim oVPS
    Dim isAuth, isAcct

    on error resume next
    err.Clear
    Set oFPC = CreateObject("FPC.Root")
    '
    'Get the RADIUS server object
    '
    Set oRadiusServer = oFPC.GetContainingArray.RuleElements.RadiusServers(radiusName)
    if err.Number <>0 then
        Wscript.Echo "Failed to retrieve RADIUS server object with name: " & radiusName
        WScript.Quit
    end if

    'Get the vendor parameters set object
    Set oVPS = oRadiusServer.VendorParametersSets(radiusVpsGUID)
    'If this vendor parameters set does not exist, create it
    if err.Number <>0 then
        err.Clear
        Set oVPS = oRadiusServer.VendorParametersSets.Add(radiusVpsGUID)
        if err.Number <>0 then
            Wscript.Echo "Fail to add a Vendor Parameter Set. error code is: " & err.number & " Desc: " & err.description
            WScript.Quit
        End If
    End If

    if (radiusType = "AU") then
        oVPS.Value(authRadiusServerVpsAttr)= true
        oVPS.Value(acctRadiusServerVpsAttr)= false
    end if
    if (radiusType = "AC") then
        oVPS.Value(authRadiusServerVpsAttr)= false
        oVPS.Value(acctRadiusServerVpsAttr)= true
    end if
    if (radiusType = "AUAC") then
        oVPS.Value(authRadiusServerVpsAttr)= true
        oVPS.Value(acctRadiusServerVpsAttr)= true
    end if
    if (radiusType = "PRINT") then
        isAuth = oVPS.Value(authRadiusServerVpsAttr)
        isAcct = oVPS.Value(acctRadiusServerVpsAttr)
        Wscript.Echo "RADIUS server (" & radiusName & "): auth (" & isAuth & "), acct (" & isAcct & ")"
    end if

    if (radiusType <> "PRINT") then
        if err.Number <>0 then
            Wscript.Echo "Fail to set/get VPS value. error code is: " & err.number & " Desc: " & err.description
        end if
        'Save the changes
        oRadiusServer.VendorParametersSets.Save
        if err.Number <>0 then
            Wscript.Echo "Fail to save. error code is: " & err.number & " Desc: " & err.description
            WScript.Quit
        End If
    end if
End Sub

'
' Check the arg count, and display Help if argument is not present or contains /?
'
Dim argCount
argCount = Wscript.Arguments.Count
If argCount > 0 Then
    If InStr(1, Wscript.Arguments(0), "/?", vbTextCompare) > 0 Then
        PrintUsage
    End If
    If InStr(1, Wscript.Arguments(0), "-?", vbTextCompare) > 0 Then
        PrintUsage
    End If
End If
If (argCount <> 2) Then
    PrintUsage
End If

'
' Save the RADIUS server name
'
Dim radiusName
radiusName = Wscript.Arguments(0)

'
' Save the type
'
Dim radiusType
radiusType = UCase(Wscript.Arguments(1))
if (radiusType <> "AU") AND (radiusType <> "AC") AND (radiusType <> "AUAC") AND (radiusType <> "PRINT") then
    PrintUsage
end if

SetTypePerRadius radiusName, radiusType

'Inform the user of the result
if (radiusType <> "PRINT") then
    if (err.Number = 0) then
        Wscript.Echo "Parameters were successfully added"
    end if
end if
```
- Save this Notepad file as SetRadius.vbs.
You can use the script to configure the following properties on the ISA Server computer:
- IsAuthRadiusServer
  When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for authentication.
- IsAcctRadiusServer
  When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for accounting.

Note If you set both the IsAuthRadiusServer and IsAcctRadiusServer properties to TRUE or if you do not set these properties, ISA Server adds the server that you designate to both the RADIUS authentication list and the RADIUS accounting list.

Script usage
To run the script, type the following commands at a command prompt. SetRadius is the name of the script that you saved in step 3. You must run the script from the location where you saved the script.

Note In the following commands, substitute the IP addresses of the RADIUS servers that you are using.

| Command | Result |
|---|---|
| SetRadius 10.0.0.10 AU | Sets the IsAuthRadiusServer property value for the RADIUS server that uses IP address 10.0.0.10 to TRUE |
| SetRadius 10.0.0.20 AC | Sets the IsAcctRadiusServer property value for the RADIUS server that uses IP address 10.0.0.20 to TRUE |
| SetRadius 10.0.0.30 AUAC | Sets the IsAuthRadiusServer property value and the IsAcctRadiusServer property value for the RADIUS server that uses IP address 10.0.0.30 to TRUE |
| SetRadius 10.0.0.10 Print | Prints the IsAuthRadiusServer property value and the IsAcctRadiusServer property value |

Notes
- Make sure that the UDP port is set to 1812 for RADIUS authentication. To configure RADIUS servers that are used only for accounting, you must leave the default authentication port number (1812) unchanged.
- ISA Server uses the authentication port number to calculate the accounting port number. ISA Server adds a value of one (1) to the value of the authentication port. This behavior is compliant with the port configuration settings that are specified in the following Requests for Comments (RFCs):
  - RFC 2865, "Remote Authentication Dial In User Service (RADIUS)"
  - RFC 2866, "RADIUS Accounting"

These RFCs specify the following port values.

| Configuration | Port number |
|---|---|
| RADIUS authentication | 1812 or 1645 |
| RADIUS accounting | 1813 or 1646 |
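The following read-only audit is an added example, not part of the original article or the Microsoft script. It lists every RADIUS server defined in the array, resolves the role that the two properties described above give it (including the "not set" default), and flags an accounting-only server whose authentication port is not 1812. The Name and Port property names on the RADIUS server object are assumptions; the GUID and attribute names are taken from the script above.

```vbscript
' Added example: read-only audit of RADIUS server roles. Run with: cscript AuditRadius.vbs
Option Explicit
Const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
Const DEFAULT_AUTH_PORT = 1812

' Returns "TRUE", "FALSE", or "unset" when the vendor parameters set or the value is absent.
' Unlike the Print mode above, this never adds a vendor parameters set.
Function ReadFlag(oServer, attrName)
    Dim oVPS, v, b
    ReadFlag = "unset"
    On Error Resume Next
    Set oVPS = oServer.VendorParametersSets(radiusVpsGUID)
    If Err.Number = 0 Then v = oVPS.Value(attrName)
    If Err.Number = 0 And Not IsEmpty(v) Then b = CBool(v)
    If Err.Number = 0 And Not IsEmpty(b) Then
        If b Then ReadFlag = "TRUE" Else ReadFlag = "FALSE"
    End If
    Err.Clear
End Function

' Maps the two flags to the lists that the article says ISA Server populates.
Function EffectiveRole(auth, acct)
    If (auth = "unset" And acct = "unset") Or (auth = "TRUE" And acct = "TRUE") Then
        EffectiveRole = "authentication + accounting"
    ElseIf auth = "TRUE" And acct = "FALSE" Then
        EffectiveRole = "authentication only"
    ElseIf auth = "FALSE" And acct = "TRUE" Then
        EffectiveRole = "accounting only"
    Else
        EffectiveRole = "combination not described in the article"
    End If
End Function

Dim oFPC, oServer, auth, acct, role, line
Set oFPC = CreateObject("FPC.Root")
For Each oServer In oFPC.GetContainingArray.RuleElements.RadiusServers
    auth = ReadFlag(oServer, "IsAuthRadiusServer")
    acct = ReadFlag(oServer, "IsAcctRadiusServer")
    role = EffectiveRole(auth, acct)
    line = oServer.Name & ": auth=" & auth & ", acct=" & acct & " -> " & role
    ' The accounting port is derived as authentication port + 1 (Port is an assumed property name).
    line = line & " (auth port " & oServer.Port & ", acct port " & (oServer.Port + 1) & ")"
    If role = "accounting only" And oServer.Port <> DEFAULT_AUTH_PORT Then
        line = line & " WARNING: accounting-only server must keep auth port 1812"
    End If
    WScript.Echo line
Next
```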
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Modification Type: Minor | Last Reviewed: 9/6/2006
Keywords: kbQFE kbprb KB915912 kbAudITPRO