Today I have be working on publishing Microsoft Exchange Outlook WebAccess and Active Sync to the Internet. We had some discussions with some Microsoft Consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.
Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security thread, because you directly publish a TCP/80 and TCP/443 connection from the Exchange server to the Internet. An vulnerability or exploit in these services could end up in an hacker who takes over the Exchange server.
A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion still a security leak, because somebody who hacks the DMZ server has maybe the ability to hack or corrupt the Active Directory.
The third solution, and the solution we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS (if you would like the option to change the password) connection to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users and even if somebody hacks the ISA server, he still hasn’t hacked a domain member server or a vulnerability in TCP/80 or TCP/443 of the Exchange server.
I have had a lot of help of an article on isaserver.org from Thomas Shinder while configuring the solution. I had some problems with publishing Active Sync. Ended up with enabling Basic Authentication on the Active Sync virtual directory (Microsoft-Server-ActiveSync).
I am sure that many of you would like to do the same thing and many of you successfully configured it. I am trying to configure RADIUS Authentication on my Cisco 877W. I have two different RADIUS policies, the first for privilege level 1 and the second for privilege level 15. I am using Microsoft IAS as RADIUS server.
I configured two policies and the second policy has the following Advanced Options set.
This means that the user should get privilege level 15, when logging in. I configured the following on the Cisco877W router.
aaa authentication login AD group radius local none
aaa authorization exec AD group radius
radius-server host 10.10.1.1 auth-port 1812 acct-port 1813 key 7 KEY
radius-server retry method reorder
radius-server transaction max-tries 2
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication
line vty 0 4
access-class 10 in
exec-timeout 5 0
login authentication AD
transport preferred none
transport input ssh
transport output telnet ssh
The user doesn’t get the privilege level 15, but comes in privilege level 1 and has to enter enable to get into privilege level 15. I turned on RADIUS debugging and I see the shell code coming by, as the debug output below shows.
%SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.1.103 (tty = 1)
using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ Succeeded
RADIUS/ENCODE(00000716): ask “Password: ”
RADIUS/ENCODE(00000716): send packet; GET_PASSWORD
RADIUS/ENCODE(00000716):Orig. component type = EXEC
RADIUS/ENCODE(00000716): dropping service type,
“radius-server attribute 6 on-for-login-auth” is off
RADIUS(00000716): Config NAS IP: 0.0.0.0
RADIUS/ENCODE(00000716): acct_session_id: 1814
RADIUS/ENCODE: Best Local IP-Address 10.10.1.1 for Radius-Server 10.10.1.5
RADIUS(00000716): Send Access-Request to 10.10.1.5:1812 id 1645/31, len 81
RADIUS: authenticator 72 D9 B5 F1 76 72 9A D1 – 73 D7 E8 AF 21 F3 B5 0F
RADIUS: User-Name  6 “rene”
RADIUS: User-Password  18 *
RADIUS: NAS-Port  6 3
RADIUS: NAS-Port-Id  6 “tty3”
RADIUS: NAS-Port-Type  6 Virtual 
RADIUS: Calling-Station-Id  13 “10.10.1.103”
RADIUS: NAS-IP-Address  6 10.10.1.1
RADIUS: Received from id 1645/31 10.10.1.5:1812, Access-Accept, len 83
RADIUS: authenticator BB BF B5 FD 1D 36 67 9B – FE 5A EE 5A 6C 42 5E B9
RADIUS: Vendor, Cisco  25
RADIUS: Cisco AVpair 
RADIUS: Service-Type 
6 Login 
RADIUS: Class  32
RADIUS: 3C 09 04 AE 00 00 01 37
00 01 0A 0A 01 05 01 C8 [< ??????7????????]
RADIUS: A6 C0 C2 0D FD 4C 00
00 00 00 00 00 00 13 [?????L????????]
RADIUS(00000716): Received from id 1645/31
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success
[user: rene] [Source: 10.10.1.103] [localport: 22]
I am running out of options. I have tried to use the Cisco-AVpair in IAS, but no success. I tried using only Telnet, but no success. Maybe someone has an option to try…