Microsoft KB Archive/915912

= You cannot configure ISA Server 2004 to use different servers for RADIUS authentication and for RADIUS accounting =

Article ID: 915912

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

SYMPTOMS
You cannot configure Microsoft Internet Security and Acceleration (ISA) Server 2004 to use different servers for Remote Authentication Dial-In User Service (RADIUS) authentication and for RADIUS accounting.



CAUSE
This problem occurs because ISA Server 2004 does not let you configure different servers for RADIUS authentication and for RADIUS accounting.



RESOLUTION
To resolve this problem, install the hotfix that is described in Microsoft Knowledge Base article 919012. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

919012 Description of the ISA Server 2004 hotfix package: May 10, 2006

After you apply the hotfix that is described in the Microsoft Knowledge Base article 919012, use the following Microsoft Visual Basic script to configure the ISA Server computer to use a RADIUS server either for authentication or for accounting. To run this script, follow these steps:

1. Click Start, point to Programs, point to Accessories, and then click Notepad.
2. Copy the following code, and then paste it into Notepad.

 '
 ' Copyright (c) Microsoft Corporation. All rights reserved.
 ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
 ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
 ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
 ' HEREBY PERMITTED.
 '
 '  Abstract:   The script sets a RADIUS server to Authentication or to Accounting
 '

 Sub PrintUsage
     Wscript.Echo "Usage: SetRadius RadiusServerName AU|AC|AUAC|PRINT"
     Wscript.Quit 1
 End Sub

 const radiusVpsGUID = "{BF050EC3-A3B4-4806-8874-D522E02C80DF}"
 const authRadiusServerVpsAttr = "IsAuthRadiusServer"
 const acctRadiusServerVpsAttr = "IsAcctRadiusServer"

 Sub SetTypePerRadius(radiusName, radiusType)

     Dim oFPC
     Dim oRadiusServer
     Dim oVPS
     Dim isAuth, isAcct

     on error resume next

     err.Clear

     Set oFPC = CreateObject("FPC.Root")

     '
     'Get the RADIUS server object
     '
     Set oRadiusServer = oFPC.GetContainingArray.RuleElements.RadiusServers(radiusName)
     if err.Number <> 0 then
         Wscript.Echo "Failed to retrieve RADIUS server object with name: " & radiusName
         WScript.Quit
     end if

     'Get the vendor parameters set object
     Set oVPS = oRadiusServer.VendorParametersSets(radiusVpsGUID)

     'If this vendor parameters set does not exist, create it
     if err.Number <> 0 then
         err.Clear
         Set oVPS = oRadiusServer.VendorParametersSets.Add(radiusVpsGUID)
         if err.Number <> 0 then
             Wscript.Echo "Fail to add a Vendor Parameter Set. error code is: " & err.number & " Desc: " & err.description
             WScript.Quit
         End If
     End If

     'AU: authentication only
     if (radiusType = "AU") then
         oVPS.Value(authRadiusServerVpsAttr) = true
         oVPS.Value(acctRadiusServerVpsAttr) = false
     end if
     'AC: accounting only
     if (radiusType = "AC") then
         oVPS.Value(authRadiusServerVpsAttr) = false
         oVPS.Value(acctRadiusServerVpsAttr) = true
     end if
     'AUAC: both authentication and accounting
     if (radiusType = "AUAC") then
         oVPS.Value(authRadiusServerVpsAttr) = true
         oVPS.Value(acctRadiusServerVpsAttr) = true
     end if
     'PRINT: display the current settings without changing them
     if (radiusType = "PRINT") then
         isAuth = oVPS.Value(authRadiusServerVpsAttr)
         isAcct = oVPS.Value(acctRadiusServerVpsAttr)
         Wscript.Echo "RADIUS server (" & radiusName & "): auth (" & isAuth & "), acct (" & isAcct & ")"
     end if
     if (radiusType <> "PRINT") then
         if err.Number <> 0 then
             Wscript.Echo "Fail to set/get VPS value. error code is: " & err.number & " Desc: " & err.description
         end if

         'Save the changes
         oRadiusServer.VendorParametersSets.Save
         if err.Number <> 0 then
             Wscript.Echo "Fail to save. error code is: " & err.number & " Desc: " & err.description
             WScript.Quit
         End If
     end if
 End Sub

 '
 ' Check the arg count, and display Help if argument is not present or contains /?
 '
 Dim argCount
 argCount = Wscript.Arguments.Count
 If argCount > 0 Then
     If InStr(1, Wscript.Arguments(0), "/?", vbTextCompare) > 0 Then
         PrintUsage
     End If
     If InStr(1, Wscript.Arguments(0), "-?", vbTextCompare) > 0 Then
         PrintUsage
     End If
 End If

 If (argCount <> 2) Then
     PrintUsage
 End If

 '
 '  Save the RADIUS server name
 '
 Dim radiusName
 radiusName = Wscript.Arguments(0)

 '
 '  Save the type
 '
 Dim radiusType
 radiusType = UCase(Wscript.Arguments(1))
 if (radiusType <> "AU") AND (radiusType <> "AC") AND (radiusType <> "AUAC") AND (radiusType <> "PRINT") then
     PrintUsage
 end if

 SetTypePerRadius radiusName, radiusType

 'Inform the user of the result
 if (radiusType <> "PRINT") then
     if (err.Number = 0) then
         Wscript.Echo "Parameters were successfully added"
     end if
 end if

3. Save this Notepad file as SetRadius.vbs.

You can use the script to configure the following properties on the ISA Server computer:
 * IsAuthRadiusServer

When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for authentication.
 * IsAcctRadiusServer

When you set this property to TRUE, ISA Server adds a RADIUS server that you designate to the Routing and Remote Access list of RADIUS servers for accounting.

Note If you set both the IsAuthRadiusServer and IsAcctRadiusServer properties to TRUE or if you do not set these properties, ISA Server adds the server that you designate to both the RADIUS authentication list and the RADIUS accounting list.

Script usage
To run the script, type the following commands at a command prompt. SetRadius is the name of the script that you saved in step 3. You must run the script from the location where you saved the script.

Note In the following commands, substitute the IP addresses of the RADIUS servers that you are using.

Notes
 * Make sure that the UDP port is set to 1812 for RADIUS authentication. To configure RADIUS servers that are used only for accounting, you must leave the default authentication port number (1812) unchanged.
 * ISA Server uses the authentication port number to calculate the accounting port number. ISA Server adds a value of one (1) to the value of the authentication port. This behavior is compliant with the port configuration settings that are specified in the following Requests for Comments (RFCs):
    * RFC 2865, "Remote Authentication Dial In User Service (RADIUS)"
    * RFC 2866, "RADIUS Accounting"

These RFCs specify the following port values.
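The list-membership and port rules described above, as an added example (not part of the original article and not Microsoft code): a Python model that turns a constructed inventory of RADIUS servers and their SetRadius.vbs types into the UDP endpoints that ISA Server would contact, which is what the firewall rules on the RADIUS servers have to permit. The class name, function names and 192.0.2.x addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_AUTH_PORT = 1812  # authentication port the article says to leave unchanged

# Flags that SetRadius.vbs writes for each type argument:
# (IsAuthRadiusServer, IsAcctRadiusServer)
TYPE_FLAGS = {"AU": (True, False), "AC": (False, True), "AUAC": (True, True)}


@dataclass
class RadiusServer:          # hypothetical inventory record, not an ISA object
    address: str
    radius_type: Optional[str] = None   # None = script never run for this server
    auth_port: int = DEFAULT_AUTH_PORT


def list_membership(server):
    """Return (in_auth_list, in_acct_list) for one server."""
    if server.radius_type is None:
        return True, True               # properties not set: both lists
    return TYPE_FLAGS[server.radius_type.upper()]


def plan_endpoints(servers):
    """Return (auth_endpoints, acct_endpoints, warnings) for an inventory."""
    auth, acct, warnings = [], [], []
    for s in servers:
        in_auth, in_acct = list_membership(s)
        if in_auth:
            auth.append((s.address, s.auth_port))
        if in_acct:
            # The accounting port is derived: authentication port + 1.
            acct.append((s.address, s.auth_port + 1))
            if s.auth_port != DEFAULT_AUTH_PORT:
                warnings.append(
                    f"{s.address}: authentication port {s.auth_port} moves "
                    f"accounting to UDP {s.auth_port + 1} instead of 1813")
    return auth, acct, warnings


# Constructed sample inventory (documentation addresses, not real servers).
SAMPLE = [
    RadiusServer("192.0.2.10", "AU"),
    RadiusServer("192.0.2.20", "AC"),
    RadiusServer("192.0.2.30"),
    RadiusServer("192.0.2.40", "AC", auth_port=1645),
]

if __name__ == "__main__":
    for label, items in zip(("auth", "acct", "warn"), plan_endpoints(SAMPLE)):
        print(label, items)
```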


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
For more information about RFC 2865 and about RFC 2866, visit the following Internet Society Web site:

http://www.rfc-editor.org/rfcsearch.html

Keywords: kbqfe kbprb KB915912


© Microsoft Corporation. All rights reserved.