IAS Shiva LanRover Setup Issues with Microsoft Radius

ID: Q195287

The information in this article applies to:
  • Microsoft Internet Authentication Service 1.0
  • Microsoft Windows NT 4.0

SYMPTOMS

A user dialing into (or trying to dial out from) a Shiva LanRover using Microsoft Internet Authentication Service (IAS) Radius may not be successful.


CAUSE

When IAS is initially installed, it is not automatically configured to work with the Shiva LanRover.


WORKAROUND

To work around this issue, use one of the following resolutions:

  • To allow users to dial in using only LanRover to Radius, use the following settings on the Profiles tab for default user profile in IAS:
    Framed-protocol =PPP Framed-routing = none service-type=framed


-OR-
  • To allow only dial out though the Shiva LanRover via the Shiva Extranet client software pointing to Radius (to authenticate users before being allowed to dial out), you must remove service-type=framed and add service-type =outbound user as shown below:
    framed-protocol =PPP Framed-routing=none service-type=outbound user


-OR-
  • To allow both dial-in and dial-out capabilities at the same time, you must obtain the full commercial edition of Internet Authentication Service, which currently ships with Microsoft Commercial Internet Service (MCIS).

    CIAS allows the creation of multiple user profiles and Radius realms.. The default profile is setup as described in the first resolution, where users continue to dial in as they normally would. To implement dial out ability at the same time, you would then need to create a new profile, as described in the second resolution, but tie it to a Radius realm (for example, realm2). This is done in User Authentication on the Realms tab of the IAS software.

    Users dialing out via the Shiva Extranet software need to specify the radius realm in the Username field for IAS (Radius) to use the "dial-out" profile instead of the default. For example:
    username: username@realm2.com password: password
    Shiva forwards the dial-out request to IAS Radius. IAS then uses the "dial-out" profile instead of the "default" based on the realm2.com realm. Radius then strips the realm, forward the username to Windows NT, verifies the user is allowed to dial out, and then allows dial out through the Shiva Extranet software.



MORE INFORMATION

If you modify other settings in Shiva or want to pass back additional attributes to the LanRover, you may need to specify additional attributes on the Profiles tab of the IAS software. The most common are listed below:

Sample profile:
framed-protocol=ppp
framed routing=none
framed netmask=255.255.0.0
framed compression=van jacobson TCP/IP
framed MTU =1500
framed IP =255.255.0.0
service-type=outbound use4rs
Shiva users who are still experiencing problems with Radius authentication should also verify that they have the Radius security package from Shiva installed correctly. (This is available for download on the Shiva/Intel Web site; it may require a security code from Shiva support to install.)

This problem can be identified by running a NetMon trace. If no Radius packets are being sent from Shiva, check the Shiva activity log (Sctivity.txt) for "radius licensing."

It is also recommended that Shiva customers obtain the latest firmware (version 5.7 as of 8/13/99). An EPROM update for your hardware may be needed. For more information, Shiva customers should contact Shiva/Intel.
The third-party products discussed here are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

Additional query words:

Keywords :
Version : winnt:1.0,4.0
Platform : winnt
Issue type : kbprb


Last Reviewed: October 28, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.