In the console tree of ISA Server Management, click
In the details pane, click Define LDAP and RADIUS
On the RADIUS Servers tab, click Add.
In Server name, type the name of the RADIUS server to
use for authentication.
Click Change and in New secret, type the shared
secret that is used for secure communications between ISA Server
and the RADIUS server. You must configure the same shared secret on
both ISA Server and the RADIUS server for successful RADIUS
communications to occur.
In Port, type the User Datagram Protocol (UDP) port that
is used by the RADIUS server for incoming RADIUS authentication
requests. The default value of 1812 is based on RFC 2138. For
older RADIUS servers, set the port value to 1645.
In Time-out (seconds), type the amount of time (in
seconds) that ISA Server will try to obtain responses from the
RADIUS server before trying the next RADIUS server on the ordered
list. Note that you can change the order in which the servers are
Select Always use message authenticator if a message
authenticator based on the shared secret is sent with each RADIUS
To open ISA Server Management, click Start, point to
All Programs, point to Microsoft ISA Server, and then
click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand
Microsoft Internet Security and Acceleration
Server 2006, expand Arrays, expand
Array_Name, expand Configuration, and then
For ISA Server 2006 Standard Edition, expand Microsoft
Internet Security and Acceleration Server 2006, expand
Server_Name, expand Configuration, and then
When configuring ISA Server for RADIUS authentication, the
configuration of RADIUS servers applies to all rules or network
objects that use RADIUS authentication.
Shared secrets are used to verify that RADIUS messages, with
the exception of the Access-Request message, are sent by a
RADIUS-enabled device that is configured with the same shared
Be sure to change the default preshared key on the RADIUS
Configure strong shared secrets and change them frequently to
prevent dictionary attacks. Strong shared secrets are a long (more
than 22 characters) sequence of random letters, numbers, and
If you select Always use message authenticator, make
sure that your RADIUS servers are capable of receiving, and
configured to receive message authenticators.
For VPN clients, Extensible Authentication Protocol (EAP)
messages are always sent with a message authenticator. For Web
Proxy clients, only Password Authentication Protocol (PAP) is
You must select Always use message authenticator if your
RADIUS server is running Internet Authentication Service (IAS), and
the RADIUS client that is configured for this server has the
Request must contain the Message Authenticator attribute