Microsoft KB Archive/195287

= IAS Shiva LanRover Setup Issues with Microsoft RADIUS =

Article ID: 195287

Article Last Modified on 8/18/2005

-

APPLIES TO


 * Microsoft Open Enterprise Information System Pack 1.1
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q195287



SYMPTOMS
A user dialing into (or trying to dial out from) a Shiva LanRover using Microsoft Internet Authentication Service (IAS) Remote Authentication Dial-In User Service (RADIUS) may not be successful.



CAUSE
When IAS is initially installed, it is not automatically configured to work with the Shiva LanRover.



WORKAROUND
To work around this issue, use one of the following resolutions:  To allow users to dial in using only LanRover to RADIUS, use the following settings on the Profiles tab for default user profile in IAS:

Framed-protocol = PPP

Framed-routing = none

service-type = framed



-OR-

 To allow only dial out though the Shiva LanRover via the Shiva Extranet client software pointing to RADIUS (to authenticate users before being allowed to dial out), you must remove service-type=framed and add service-type =outbound user as shown below:

framed-protocol = PPP

Framed-routing = none

service-type = outbound user



-OR-

 To allow both dial-in and dial-out capabilities at the same time, you must obtain the full commercial edition of IAS, which currently ships with Microsoft Commercial Internet Service (MCIS).

CIAS allows the creation of multiple user profiles and RADIUS realms. The default profile is setup as described in the first resolution, where users continue to dial in as they normally would. To implement dial out ability at the same time, you would then need to create a new profile, as described in the second resolution, but tie it to a RADIUS realm (for example, realm2). This is done in User Authentication on the Realms tab of the IAS software.

Users dialing out via the Shiva Extranet software need to specify the RADIUS realm in the Username field for IAS (RADIUS) to use the "dial-out" profile instead of the default. For example:

username: username@realm2.com

password: password

Shiva forwards the dial-out request to IAS RADIUS. IAS then uses the "dial-out" profile instead of the "default" based on the realm2.com realm. RADIUS then strips the realm, forward the username to Windows NT, verifies the user is allowed to dial out, and then allows dial out through the Shiva Extranet software.

<div class="moreinformation_section">

MORE INFORMATION
If you modify other settings in Shiva or want to pass back additional attributes to the LanRover, you may need to specify additional attributes on the Profiles tab of the IAS software. The most common are listed below:

Sample profile:

framed-protocol=ppp

framed routing=none

framed netmask=255.255.0.0

framed compression=van jacobson TCP/IP

framed MTU =1500

framed IP =255.255.0.0

service-type=outbound use4rs

Shiva users who are still experiencing problems with RADIUS authentication should also verify that they have the RADIUS security package from Shiva installed correctly. (This is available for download on the Shiva/Intel Web site; it may require a security code from Shiva support to install.)

This problem can be identified by running a NetMon trace. If no RADIUS packets are being sent from Shiva, check the Shiva activity log (Sctivity.txt) for "RADIUS licensing."

It is also recommended that Shiva customers obtain the latest firmware (version 5.7 as of 8/13/99). An EPROM update for your hardware may be needed. For more information, Shiva customers should contact Shiva/Intel.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbprb kbpending KB195287

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.