
Radius Server Configuration Domain Controller Or Application Server?


zoeythecat

Technical User
May 2, 2002
1,666
US
Hi All,

We have a Windows2003 domain. I need to install and configure Radius services to allow secure communication from our wireless clients that connect to our Active Directory domain. I thought I could install a Windows2008 R2 Application server and set this up (this is what I would love to do). Is this possible? Or do I need to configure Radius on one of our Windows2003 Domain Controllers to make this work? What is the best practice for this scenario?

I would greatly appreciate any guidance anyone could give me on this.

Thanks in advance
 
One thing to remember regarding IAS on Windows 2003 (& 2008) is the differences between Standard & Enterprise. With Standard you have a maximum of 50 Radius clients and each one has to be individually added - i.e. AP #1 (192.168.1.1), AP #2 (192.168.1.2) etc. With Enterprise edition you can have unlimited clients and you can also add wildcard clients - i.e. APs (192.168.1.0/24). This is the same with 2008.
As for whether it's better to install the role on a DC or a Member server it appears there is a marginal performance increase with it on a DC as the server doesn't need to physically contact a separate DC to perform the user/machine authentication against the Domain. Personally I have two member servers running IAS with the configuration replicated every day via a script and I don't experience any delays or performance issues with WiFi clients (or other Radius logons).

Andy
 
Thanks for the reply Andy. I've deployed Windows2008 R2 (Standard) as an application server. So, I'm assuming this means I have a max of 50 clients I can configure?

Are you confirming that this can be configured as an NPS Radius server in a Windows2003 domain?

Thanks
 
You can use an NPS Server in a 2003 domain. In effect all it does is proxy the authentication - i.e. Radius client sends authentication to the Radius Server, Radius server checks in AD (obviously it's not that simple if you are doing CHAP or an EAP variant as there will be challenges with keys etc but fundamentally that's all that happens). I have a 2003 Domain (some 2003 DCs still left..) and I have both 2003 IAS & 2008 NPS working.

Andy
 
I have configured IAS before in our Windows2003 domain. We will be upgrading our domain to Windows2008 this summer, but I need to get the Radius working on the Windows2008 server. It appears that you are confirming that I can get this authentication working in either scenario.

Thanks
 
Andy,

I have this set up on a Windows2008 Standard R2... So, you are saying I will be limited to 50 Radius clients?
 
Standard server is limited to 50 Radius clients with both 2003 & 2008. Enterprise server is unlimited and you can add wildcard clients - i.e. 192.168.1.0/24 to cover all hosts on the network (192.168.1.1 - 254).
Clients are obviously each 'NAS' device - so each router, AP, etc that will send the authentication request - NOT each PC that accesses the NAS.

Andy
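
Added example, not part of the thread: a small Python planner for the client limits discussed above. It checks a constructed inventory of NAS device addresses against the 50-client Standard limit and shows how many addresses beyond the known NAS devices each range entry would also admit as a RADIUS client. The function name, the /24 grouping and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

STANDARD_MAX_CLIENTS = 50  # Standard edition limit as stated in the thread

def plan_radius_clients(nas_ips, prefix=24):
    """Compare per-device client entries with subnet (range) entries.

    nas_ips: IPv4 addresses of NAS devices (APs, routers), not end-user PCs.
    prefix:  assumed size of a range entry (24 -> 192.168.1.0/24); use <= 30.
    """
    hosts = sorted({ipaddress.ip_address(ip) for ip in nas_ips})
    by_subnet = defaultdict(list)
    for host in hosts:
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        by_subnet[net].append(host)

    ranges = []
    for net in sorted(by_subnet):
        members = by_subnet[net]
        usable = net.num_addresses - 2  # exclude network and broadcast
        ranges.append({
            "range": str(net),
            "nas_count": len(members),
            # Addresses the range entry covers that are not inventoried NAS
            # devices: each could act as a RADIUS client if it learns the
            # shared secret configured for the range.
            "extra_addresses": usable - len(members),
        })
    return {
        "individual_entries": len(hosts),
        "fits_standard": len(hosts) <= STANDARD_MAX_CLIENTS,
        "range_entries": ranges,
    }

# Constructed inventory: 60 APs on one subnet, 3 routers on another.
INVENTORY = [f"192.168.1.{i}" for i in range(1, 61)] + [
    "192.168.2.10", "192.168.2.11", "192.168.2.12",
]

if __name__ == "__main__":
    plan = plan_radius_clients(INVENTORY)
    print("individual entries:", plan["individual_entries"],
          "| fits Standard:", plan["fits_standard"])
    for entry in plan["range_entries"]:
        print(entry)
```

A large `extra_addresses` value is a reason to narrow the range or use per-device entries with distinct shared secrets where the edition allows it.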
 