*** SETTING UP ACTIVE DIRECTORY ON WINDOWS 2000 FOR RADIUS ACCOUNTING ***

0) It is presumed that Active Directory is set up. If not, consult the Windows 2000 Help files for information on how to do that.

I) Configure User Settings in Active Directory

1. Make sure "Store password using reversible encryption" is selected for the users to be authenticated. Whether this is done for a user group or for individual users depends on the Active Directory configuration.
2. After you enable reversibly-encrypted passwords, all users must change their passwords before they will be able to authenticate against the domain.

II) Configuring Internet Authentication Service

0. Install IAS if it is not yet installed: Start > Settings > Control Panel > Add/Remove Programs > Add/Remove Windows Components > Networking Services > Details. Make sure Internet Authentication Service is checked. Select OK and Next.
1. Start > Programs > Administrative Tools > Internet Authentication Service
2. Right click on "Internet Authentication Service (Local)" and select Properties.
3. In the RADIUS tab, make sure "1812" (without quotes) is entered for Authentication and "1813" (without quotes) for Accounting.
4. Follow these steps to add a RADIUS Client:
5. Right click on the Clients folder and select New -> Client.
6. Type in a Friendly Name and Protocol and then click Next.
7. Type in the IP address of a RADIUS client, select a Client Vendor (e.g. RADIUS Standard), type in a shared secret and then click Finish.
8. Follow these steps to add a new Remote Access Policy:
9. Right click on the "Remote Access Policies" folder and select New -> Remote Access Policy.
10. Type in a Policy Friendly Name and then click Next.
11. Follow these steps to add a condition. For example, to add a "Windows Group" condition:
12. Click on the "Add" button to launch the "Select Attribute" window.
13. Select "Windows Groups" and click on the "Add" button.
14. Click the "Add" button in the "Groups" window.
15. Select a domain group (e.g. Domain Users) and click the "Add" button. Click on "OK".
16. Add more groups if needed in the "Groups" window. Otherwise, click on "OK".
17. Select "Grant remote access permission" in the Permissions window and then click Next.
18. Follow these steps to add a Profile:
19. Click on the "Edit Profile" button to launch the "Edit Dial-in Profile" window.
20. In the Authentication tab, check "Encrypted Authentication (CHAP)" and "Unencrypted Authentication (PAP, SPAP)" and make sure the others are de-selected.
21. In the Advanced tab, remove all parameters, such as "Server-Type" and "Framed-Protocol".
25. Click OK through the dialogs and then Finish.
26. To register the Internet Authentication Service in Active Directory, right click on "Internet Authentication Service (Local)", select "Register Service in Active Directory" and click OK.
27. Follow these steps to stop and restart the Internet Authentication Service:
28. Right click on "Internet Authentication Service (Local)" and select "Stop Service".
29. Right click on "Internet Authentication Service (Local)" and select "Start Service".
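
What the settings in section I step 1 and section II steps 7 and 20 mean on the wire, as an added example (not part of the original instructions and not IAS code): with PAP the RADIUS client hides the password using only the shared secret (RFC 2865), and with CHAP the server must recompute an MD5 over the cleartext password (RFC 1994), which is why reversibly stored passwords are required. All sample values are constructed, and SHA-256 stands in for "a one-way hash of the password".

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding, as done by the RADIUS client."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over CHAP identifier, cleartext password, challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored value, compare in constant time."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, password = b"example-shared-secret", b"correct horse battery"
    request_auth, challenge = bytes(range(16)), bytes(range(16, 32))
    hidden = pap_hide(password, secret, request_auth)
    print("PAP recovered with right secret:", pap_recover(hidden, secret, request_auth))
    print("PAP recovered with wrong secret:", pap_recover(hidden, b"wrong", request_auth))
    resp = chap_response(1, password, challenge)
    print("CHAP ok with cleartext:", chap_verify(1, password, challenge, resp))
    # A one-way hash of the password (SHA-256 as a stand-in) cannot verify CHAP.
    digest = hashlib.sha256(password).digest()
    print("CHAP ok with hash only:", chap_verify(1, digest, challenge, resp))
```

The PAP password is protected by nothing but the shared secret typed in step 7, so that secret should be long, random and different for each RADIUS client.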