Appendix D – User Authentication Methods
Multi-Tech RouteFinder RF650VPN User Guide
than NT4 IAS; however, the NT4 version is also sufficient for a typical RouteFinder authentication setup.
Below are some generic IAS step-by-step instructions.
1. Check if the IAS service is installed. If not, install it.
2. Using NT/2000 User Manager, edit the user profiles of all Users who should use proxy services and
set the "Dial-In Permission" flag. This is necessary since IAS uses this as the "master flag" to respond
to requests positively.
3. Create a new user group for each proxy service you wish to provide to your users. For clarity, name
the groups accordingly (for example, call the group "multitech_http_users").
4. Put the users in the newly-created groups that should be able to use the respective proxy services.
5. Enter the IAS administration interface at
(Start->Programs->Administrative Tools->Internet Authentication Service), and add a new client
using these settings:
Friendly Name: routefinder
Protocol: RADIUS
Client Address: Use the address of the RouteFinder's interface pointing "towards" the RADIUS server (this will be the "internal" interface for most people).
Client Vendor: RADIUS Standard
Uncheck the "Client must always send signature attribute ..." box.
Select a shared secret. You will need this later in RouteFinder configuration.
6. Go to the policies list. There is one pre-defined entry. Delete it. Add a new Policy for each proxy
service you wish to provide to your users. Choose the "Friendly Name" accordingly ("SOCKS
access" for example).
7. On the next screen, add two conditions:
· NAS-Identifier matches <string> (where <string> is the proxy identifier, currently "socks" or "http")
· Windows-Groups matches <yourgroup> (where <yourgroup> is one of the new user groups you created in step 3).
Note: you can add groups from the local machine or from Domains in which the RADIUS server is a
member. Users may have to specify their user name as <DOMAIN>\<USER> for authentication to
succeed.
8. Choose Grant Remote Access Permission in the next screen.
9. Edit the profile on the next screen. Select the Authentication Tab. Check Unencrypted Authentication
(PAP).
10. Click OK and Finish. Remember, you need one policy for each proxy service, so you may need to
add another policy now.
11. Configure the RADIUS authentication method on the RouteFinder (you will need the IP of the IAS
server and the shared secret), and use the Radius authentication method in the WebAdmin Proxies
settings.
12. Check the System Log in the NT/2000 Event Viewer; that's where NT/2000 puts information about
RADIUS authentication requests.
Setting Up NT SAM (SMB) Authentication
To use Windows NT/2000 SAM Authentication, you need an NT/2000 machine on your network that
holds the user accounts. This can be a domain controller (PDC) or a simple standalone server. This
server has a NETBIOS name (the NT/2000 server name) and an IP address.
Put these values in the configuration of the NT SAM method in WebAdmin as PDC Name and PDC
address. If you have a Backup domain controller, also enter its corresponding values in WebAdmin.
Finally, you need the default domain to authenticate against. This will be overridden if users specify their
user name as <DOMAIN>\<USERNAME>; otherwise it will be filled in as the <DOMAIN> part.
Caution: disable the Guest account of your NT domain, since it will allow any
username/password combination to pass!