1. Cumbria Lancashire Education Online
Pilot Schools Technical
Autumn Term 2004
2. Cumbria Lancashire Education Online
Distributed AAA through RADIUS
As previously describe users accessing resources and services are to be
authenticated against their home institution using RADIUS. The structure of the
distributed RADIUS service is relatively straight forward, each institution
maintains a RADIUS service running on one or two of there servers, normally the
domain controllers (DC). Running Microsoft Internet Authentication Service
(IAS), which is included with the all versions of the Windows 2003 Server license
(except web server). The additional load on the DC is minimal and the security
risk is considered low. If your institution runs a MS ISA server, then install IAS
on this server instead. There are other steps specific to institutions running ISA
server, see appendix A - ISA Server. In the core CLEO maintains a number of
RADIUS proxy servers; these determine which institution a user originates from
forwards the authentication request accordingly.
For the proxy servers to be able to forward requests appropriately users provide
an authentication realm, this takes the following form:
To ensure uniqueness in the naming of authentication realms we are going use:
Lancashire Schools: .lancs.sch.uk
Cumbria Schools: .cumbria.sch.uk
CLEO office, etc… .cleo.net.uk
This realm need not match your windows 2003 domain, how to translate from
one to the other is explained in the configuring IAS section of this guide.
3. Cumbria Lancashire Education Online
Microsoft Internet Authentication Service
Microsoft Internet Authentication Service (IAS) is the Microsoft RADIUS service
and is freely available as part of the Windows 2003 Server License (except web
1. Control Panel, Add or Remove Programs, Add/Remove Windows
2. In the Windows Components Wizard, highlight Network Services in
Components list and click Details…
3. In the Networking Services dialog check Internet Authentication
Service and click OK.
4. In the Windows Components Wizard, click Next and Finish.
To manage your IAS configuration we recommend that you add the IAS snap-in
to your usual Microsoft Management Console (MMC) profile. The headings below
match groups of settings under the IAS MMC snap-in.
The three CLEO RADIUS proxies being used for the remote access pilot will need
to be configured within IAS as RADIUS clients. Under the Internet Authentication
Service (IAS) snap-in within your MMC, right click on the RADIUS Clients folder
and select new Radius Client from the pop-up menu. In the New RADIUS
Client dialog enter the following details:
Friendly name: Client Address Client-Vendor Shared secret/
(IP or DNS) Confirm shared
CLEO Radius Proxy AAA0.cleo.net.uk RADIUS
CLEO Radius Proxy AAA1.cleo.net.uk RADIUS a complex password
1 Standard See note
CLEO Radius Proxy AAA2.cleo.net.uk RADIUS
This secret should be a complex password (see Microsoft’s guidance notes on
complex passwords), once you have set it needs to be supplied to your LEA
support team with the rest of the details of your RADIUS servers.
Remote Access Logging
These settings allow you to configure how, what and where the remote access
logs are generated.
1. Unless you have a SQL server you already use for system logs, it is
recommended that Local File is selected.
4. Cumbria Lancashire Education Online
2. Right click on this setting and select Properties. On the Local File
Properties dialog, settings tab, it is recommend that the following are
selected Accounting requests and Authentication requests. The
Periodic status one is not really required.
3. On the Log File tab use the Browse button to locate a useful directory in
which to store the log files. Under Format select Database-compatible,
and under Create a new log file: selected Daily.
Remote Access Policies
It is recommended that a several different policies are created to manage
different classes of user; these are discussed later in this guide under Managing
Different Profiles. For now we will create a policy for allowing technicians and
system administrators to connect.
Using the Active Directory users and Computers MMC snap-in create a
Global group called ‘VPN Administrator Access Group’ and make any technicians
and administrators that you want to have VPN access members of the group.
1. In the Internet Authentication Service MMC snap-in, left click on the
Remote Access Policies folder and delete any default policies. Right
click on the Remote Access Policies folder and select New Remote
2. Click Next, select Use the wizard to set up a typical policy for a
common scenario, in the Policy name: box enter ‘Administrator Access’
and click Next.
3. Select VPN and click Next.
4. Select Group and click Add. In the Select Groups dialog type ‘VPN
Administrator Access Group’ and click OK.
5. On the New Remote Access Policy Wizard, click Next.
6. On the Authentication Methods page check that Microsoft Encrypted
Authentication version 2 (MS-CHAPv2) is selected and click Next.
7. On the Policy Encryption Level page ensure all three encryption options
are selected and click Next.
8. Click Finish.
Connection Request Policies
Only one policy is normally necessary for this option, by default it is name Use
Windows authentication for all users. Right click on the policy, and click
1. Policy conditions these are rules that will apply to any connection,
regardless of the specific Remote Access Policy they have already been
a. Click Add and select ‘NAS-Port-Type’ from the list on then click Add
from list on the left select ‘Virtual (VPN)’, click Add >>, and then
NB If you wish to impose time based restrictions to ensure resources are
not being accessed during network backups or similar they should be
2. Now click Edit Profile, edit the settings:
5. Cumbria Lancashire Education Online
3. Authentication tab, Authenticate requests on this server should be
4. Accounting tab, Nothing to set
5. Attribute tab, In the drop down list named Attribute select User-Name.
Click Add in the Find box type the @<school>.<LEA>.sch.uk assigned as
the RADIUS realm and in the Replace With box type the Windows Active
Directory domain name. e.g. @office.cleo.net.uk and @office.cleo.local.
6. Advanced tab
a. Click Add select ‘Class’ and then click Add, in the Add Attribute
dialog that appears.
b. In the Attribute Information dialog select String and enter
‘CLEO-VPN’ in box, then click OK.
7. Repeat the process for the Attribute ‘Framed-Pool’ again selecting String
and specifying the Remote Access Network address for your site.
Remote RADIUS Server Groups
This set of options is used for proxying RADIUS requests to other servers for the
remote access pilot this set of options should not be necessary.
6. Cumbria Lancashire Education Online
If you have IP based Network or server security in place (typically a firewall or
IPSEC) then you will probably need to consider changing the trusted IP ranges to
include your newly assigned Remote Access Network. This is the range of IPs
assigned to remote access client that have successfully authenticated against
your institution. The CLEO boundary routers ACLs are configured with a trust
rule for that institution’s remote access network and for the CLEO RADIUS
proxies to pass request to your institutions RADIUS (IAS) server(s).
All CLEO RADIUS servers are within IP subnet of 10.64.134.0/24, for the remote
access service pilot, the servers will be 10.64.134.11, 10.64.134.12 and
10.64.134.13. Any access control lists (ACLs) for the servers running ACL will
need to be configured to allow UDP packets to ports 1812 and 1813 from the
above IP addresses.
allow UDP 1823,1813 10.64.134.0/24 inbound & outbound
For remote access clients to be able to access services and resources on your
network you will need to configure your network and server firewalls to trust the
remote access network IP address range provide for you site. The level of a trust
you give to this subnet is entirely up your institution but it is worth bearing in
mind that restricting access to certain service such as local DNS, Kerberos,
LDAP, WINS, etc... may create problems for clients connecting remotely.
7. Cumbria Lancashire Education Online
Ancillary Network Services
For a remote user to be able find resources on the institution’s internal network
a services need to be set-up and configured within the remote access profile
(see Connection Manager Administration Kit later in this guide). These are as
DNS Required for domain log and locating essential
WINS Required to support NetBIOS Recommend for all
applications institutions where
NetBIOS of TCP/IP has
not been disabled
In Windows network services are now heavily reliant on DNS, Active Directory
(AD) in particular is entirely dependant on it for correct operation. So any client
(local or remote) on your network needs to refer to your institutions local DNS
In a LAN NetBIOS names can be resolve using a number of methods including
broadcast, local host file and Windows Internet Name Service (WINS). However
within a routed network the only option for NetBIOS name resolution is
1. Using the Manage Your Server tool, click Add or remove a role.
2. On the Preliminary Steps page, select WINS server, and then click
3. On the Server Role page, select WINS server, and then click Next.
4. On the Summary of Selections page, click Next.
5. If prompted for the Windows Server 2003 CD, insert it.
6. On the This Server is Now a WINS Server page, click Finish.
Start your MMC and the WINS snap-in, this allows you to monitor both the
service and also the registrations.
8. Cumbria Lancashire Education Online
Monitoring usage & performance
An important part of the pilot is to evaluate the level of use, periods of high
demand, how the service is used, etc… This will hopefully provided meaning full
data to evaluate the likely impact of providing this sort of service across CLEO.
Use of the service will be monitored for security and performance purposes. All
statistical information developed from monitoring will not identify individuals and
will be made available to the pilot group via the pilot’s web site.
The level of monitoring will be as follows:
Recorded Purpose Stats
Successful authentications Determine usage
Unsuccessful authentications Aid support groups, security
Client information (OS, etc…) Aid support groups
Duration, start, end of Determine usage
Key: recorded not recorded
Careful consideration should be made of which users are provided with at a
given stage in the pilot. For ease of support both within individual institutions
and within the pilot as a whole it is recommended that access is provided in a
stage fashion. This sort of rollout should allow any issues to be resolved with end
users, who are have the motivation and experience to work through them with
those providing technical support.
A typical rollout might be as follows:
a. School ICT Technicians and Network/System Administrators
b. ICT Coordinators, IT motivated and experienced users
c. Staff issued with machines maintained/managed by school
d. Other staff, possibly using their own equipment
NB Please consider this to be a recommendation not an instruction.
Managing different profiles
It is suggested that a separate remote access policy is used for different user
groups, typically these might be:
Technicians/Administrators For network/system administrative purpose,
Teacher Staff Access out of hours but not during system
Students/Pupils (out of Access out of hours but not during system
hours) downtime but not during vacations.
9. Cumbria Lancashire Education Online
Students/Pupils (any time) As above but also with access during school
These are examples of logical remote access groups and it is recommended that
a global user group is created to represent each group and a remote access
policy is created associated with this group (see earlier example). However for
the pilot remote access is NOT to be made available to students/pupils, this
restriction is for support, security and capacity reasons.
10. Cumbria Lancashire Education Online
Preparing a client PC
Having prepared the servers within your institution to support remote access
then the remote client PC need also to be prepared.
Recommended PC/OS Specs
It is recommended for this pilot project that PC should be broadband connected
and be running Windows 98, 2000 or XP. To protect your institutions network
and that of CLEO any PC being used for remote access must have comply with
These requirements will be defined within the CLEO Remote Access Acceptable
Use Policy which is to be developed along side this pilot. How to in force such
requirements when the PC in question is not on the premises of an institution is
an added complication. As part of the pilot, methods for quarantining and
inspecting remote PCs are to be examined, these are assist institution in
enforcing these requirements. Quarantine and inspecting methods work by
heavily restricting the access a remote PC has to the institutions network will a
program or script is run that verifies that a predetermined set of conditions have
been meet. If the remote PC passes this inspection then full access to an
institutions network is given. However it fails the inspection then a browser is
launched providing information on why it failed the inspection and recommended
actions to take. The VPN connection is then dropped. Unfortunately quarantine
solutions for RAS/VPNs are very currently very proprietary, often developed for
specific client operating systems and VPN servers.
Operating system updates
Its operating system being patched and updated (Windows Update and Windows
Software Update Service), to ensure it is protected against known exploits and
ensure the most stable platform possible. See Windows Software Update
Anti-virus (installed and updated)
Both LEAs have licensing deals with Sophos that allow teachers and support staff
to install Sophos Anti-virus on the home PC at no additional cost. An install
package configured to automatically update from outside of the CLEO network
will be made available. See the Installing Sophos Anti-virus on a
standalone PC guide.
Personal Firewall (installed and active)
It is recommend that all PC connecting to the internet through and ISP have a
personal firewall installed. For Windows XP users this can be easily be achieved
by apply Service Pack 2 and configuring the Windows Firewall. However the
Windows Firewall is quite basic, it only inspects inbound packets and determines
whether they are solicited or unsolicited. Solicited packets are allowed through,
unsolicited are dropped. This is fine for protecting a system that is clean but if a
Trojan or virus has already established itself on the system then it will still allow
11. Cumbria Lancashire Education Online
the virus to broadcast itself. There are many other firewall solutions available,
with much more sophisticated features. Often these are available from Anti-virus
vendors such as Symantec.
12. Cumbria Lancashire Education Online
Connection Manager Administration Kit
The connection manager administration kit (CMAK) allows you to create a self
installing VPN connection profile, which will add itself to target PC’s network
connections (or equivalent) list. It is limited to Microsoft operating systems but
does allow you to pre-configure most aspects of the connection and its behavior
including reconfiguration of web caches within internet explorer (IE) and
updating the routing table.
1. Control Panel, Add or Remove Programs, click Add/Remove
2. In the Windows Components Wizard select Management and
Monitoring Tools and click Details…
3. In the Management and Monitoring Tools dialog select Connection
Manager Administration Kit, click OK.
4. In the Windows Components Wizard click Next and then Finish.
These instructions provide a very basic connection profile, below is how to
customize the connection further.
1. Control Panel, Administrative Tools, click Connection Manager
Administration Kit, click Next.
2. Select New profile, click Next.
3. Type ‘Remote Access for <school name>’ in the Service name box.
4. type ‘<school name>’ in the file box.
5. On the Realm Name page, select Add a realm name to the user
name, select Suffix (for example, @Microsoft.com) and in the Realm
Name (include separator character); box type ‘@<authentication
realm>. e.g. ‘@office.cleo.net.uk’.
6. On the Merge Profile Information page, click Next.
7. On the VPN Support page, select Phone book from this profile, select
Always use the same VPN server, type the <Remote Access Server
FQDN> in the VPN Server name or IP Address box and click Next.
8. On the VPN Entries page, click Next.
9. On the Phone Book page, deselect the Automatically download phone
book updates and click Next.
10.On the Dial-up Networking Entries page, click Next.
11.On the Routing Table Update page, Next.
12.On the Automatic Proxy Configuration page, provide the click Next.
13.On the Logon Bitmap page, click Next.
14.On the Phone Book Bitmap page, click Next.
15.On the Icons page, click Next.
16.On the Notification Area Shortcut Menu page, click Next.
17.On the Help File page, click Next.
18.On the Support Information page, enter your support contact details,
19.On the Connection Manager Software page, click Next.
13. Cumbria Lancashire Education Online
20.On the License Agreement page, browse to your institution’s remote
access policy, where your institution has yet to develop their please use
the CLEO remote access policy, click Next.
21.On the Additional Files page, click Next.
22.On the Ready to Build the Service Profile page, click Next.
23.Make a note of where the service profile has been stored and then click
To make changes to your profile re-run CMAK but instead of selecting New
profile, select Existing profile and click Next.
Dial-up Networking Entries page
1. In the Dial-up networking entries: list on this page will be listed the
Service name you specified in step 3. Highlight this and click Edit.
2. On the General tab, check the Enable clients to log on to a network
option and where required use the Browse button to locate a logon script.
3. On the TCP/IP Setting tab, select All clients use these addresses:
and proved the details of your servers (at least one DNS and one WINS
server must be provided).
4. Uncheck the Make this connection the client’s default gateway.
5. Click OK
Routing Table Update page
On this page you can add a URL to a file on your web server, containing any
routing table updates. This allows you to specify that only traffic relating to CLEO
services and/or services maintained by your institution are directed through the
VPN connection. In this way access to the remote users ISP service (email, etc…)
are not effect when they have a remote access session open. By default all
traffic is directed through the VPN connection.
ADD 10.0.0.0 MASK 255.0.0.0 default METRIC default IF default
ADD 188.8.131.52 MASK 255.255.255.240 default METRIC default IF default
The above would set a route that directs all CLEO private traffic and Cumbria
web cache traffic to use the VPN connection and the default gateway will still
point to the gateway defined by the end user’s ISP. Thus only CLEO traffic is
directed down the VPN tunnel all other traffic will take the usual route out via the
Automatic Proxy Configuration page
On this page a can add a URL to a file on your web server, containing any web
proxy configuration changes. This should be used in combination with the
routing table updates and Dial-up Networking Entries as described above.
14. Cumbria Lancashire Education Online
License Agreement page
This allows a license agreement to be displayed to the end user as part of the
installation process (which they must agreed to) so the connection can be
installed. For the remote access service this should be either the institutions
remote access acceptable use policy or the CLEO schools remote access
acceptable use policy. This is statically included within the installer but should
include a reference to where the latest version may be found (i.e. a URL).