Windows Server 2003 comes with a Radius server called Internet Authentication Service, IAS.
This server can listen for radius authentication attempts, and authenticate users against the active directory.
Go to Control Panel --> Add/Remove Programs.
Add or Remove Windows Components. Networking Services. Add: Internet Authentication Service.
When the installation is done, go to Administrative Tools --> Internet Authentication Service.
Right-click the service, and Register Server in Active Directory.
Right-click Radius Clients, and add a radius client (dns name or ip address) as follows:
Create a secret shared key, which will prove that the radius client is really the radius client, and not somebody spoofing. In other words, this is a secret known only to IAS radius server and the radius client.
Expand "Remote Access Policies"
Right-click "connections to Microsoft Routing" and go to properties.Hit ok until you're out of there completely, back to desktop.
Click "Grant access" and "Edit Profile."
Go to the Encryption tab. Ensure it has all the encryption types set, and (initially) include "no encryption"
Go to the Authentication tab. Ensure it has all the encryption types set, and (initially) include unencrypted and unauthenticated.
Right-click "connections to other access servers" and go to properties.
Click "Grant access" and "Edit Profile."
Go to the Encryption tab. Ensure it has all the encryption types set, and (initially) include "no encryption"
Go to the Authentication tab. Ensure it has all the encryption types set, and (initially) include unencrypted and unauthenticated.
Open Active Directory users and computers.
Create a test user with a stupid password. Because for the moment, that password will be unencrypted on the network, and displayed on your screen.
Right-click that test user, Go to propterites. Go to Dial-in. Allow access.
Now, here's how to test the config.
Go get radius test from radutils.com (Don't be a cheap bastard. Pay them $30 to buy it.) If your download is slow, you can also get it from tucows or download.com, or something like that.
Open up radius test. This will be your radius client for the time being. (Be sure you've configured an appropriate Radius Client inside IAS)
Under the sample group, there is a sample authtest for chap.
Right-click it, and edit task.
Enter the ip address of the radius server.
Enter the secret shared key that you chose earlier.
Click on Packet1, and Modify.
Remove the example User-Name and Password. Add your own test user's User-Name and Password.Hit Ok and Ok to get back to the main screen for Radius Test.
Username correct form:
user (recommended format)
or
user@domain
or
DOMAIN\user (Note: When you type this in to radius test, you have to type DOMAIN\\user )
Be aware that radiustest needs access through your client-side firewall.
Right-click AuthTest(Chap) and click "Run"
If all has gone well so far, you will see
Total approved auths: 1
Total denied auths: 0
Now it's time to secure this thing up a bit.
I don't think I'm going to write that segment.