Deploying Secure 802.11 Wireless Networks with Microsoft Windows

IAS

IAS in Windows 2000 Server is the Microsoft implementation of a RADIUS server. IAS in Windows Server 2003 is the Microsoft implementation of a RADIUS server and proxy. IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up, virtual private network (VPN) remote access, and site-to-site connections. IAS supports RFCs 2865 and 2866, as well as additional RFCs and Internet drafts that define RADIUS extensions.

IAS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment, and can be used with the Windows 2000 Server or Windows Server 2003 Routing and Remote Access service.

When an IAS server is a member of an Active Directory based domain, IAS uses Active Directory as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network), to log on to an Active Directory-based domain, and to access secured resources in the domain.

IAS configurations can be created for the following solutions:

• Wireless access

• Organization dial-up or VPN remote access

• Outsourced dial or wireless access

• Internet access

• Authenticated access to extranet resources for business partners

More Info For detailed information about how to configure IAS for wireless access, see Chapter 8, Intranet Wireless Deployment Using EAP-TLS, Chapter 10, Intranet Wireless Deployment Using PEAP-MS-CHAP v2", and Chapter 11, Additional Intranet Wireless Deployment Configurations.

The following sections describe the global properties of IAS for Windows 2000 Server and Windows Server 2003, regardless of its role as a RADIUS server or RADIUS proxy.

More Info For more information about how IAS is used for solutions that do not involve wireless access, see Windows 2000 Server Help or Windows Server 2003 Help and Support.

Installing IAS

IAS Configuration Settings for Windows 2000 Server

The global properties of IAS consist of server properties and remote access logging properties. (The settings shown in the following screen shots reflect the default settings, unless otherwise noted.)

Server Properties

To configure the global properties of an IAS server running Windows 2000 Server in the Internet Authentication Service snap-in, right-click Internet Authentication Service and then click Properties.

Service Tab

Figure 4-2 shows the Service tab for IAS in Windows 2000 Server.

Figure 4-2. The Service tab for IAS in Windows 2000 Server.

From the Service tab, you can view and configure the following:

• Description

  Type the name of the server to distinguish it from other IAS servers.

• Log Rejected Or Discarded Authentication Requests

  Enable or disable the logging of rejected or discarded authentication requests in the Windows 2000 system event log.

• Log Successful Authentication Requests

  Enable or disable the logging of successful authentication requests in the Windows 2000 system event log.

RADIUS Tab

Figure 4-3 shows the RADIUS tab for IAS in Windows 2000 Server.

Figure 4-3. The RADIUS tab for IAS in Windows 2000 Server.

From the RADIUS tab, you can view and configure the following:

• Authentication

  Enumerate the list of UDP ports over which RADIUS authentication messages are received, separating each port with a comma. By default, IAS uses UDP ports 1812 and 1645. UDP port 1812 is the reserved RADIUS authentication port described in RFC 2865. Earlier RADIUS clients use UDP port 1645.

• Accounting

  Enumerate the list of UDP ports over which RADIUS accounting messages are received, separating each port with a comma. By default, IAS uses UDP ports 1813 and 1646. UDP port 1813 is the reserved RADIUS accounting port described in RFC 2866. Earlier RADIUS clients use UDP port 1646.

Realms Tab

Figure 4-4 shows the Realms tab for IAS in Windows 2000 Server.

Figure 4-4. The Realms tab for IAS in Windows 2000 Server.

You use the Realms tab to configure a prioritized list of find-and-replace rules to manipulate realm names before attempting to resolve the name to an account and perform authentication. The realm is the portion of the username in the authentication credentials that identifies the location of the user account. There are different forms of realm names:

• The realm name can be a prefix.

  For example, Example\user1, where Example is the name of a Windows NT 4.0 domain.

• The realm name can be a suffix.

  For example, user1@example.micro soft.com, where example.microsoft.com is either a DNS domain name or the name of an Active Directory domain.

Pattern-matching syntax is used to specify the strings to find and replace. Find-and-replace rules can be added, edited, and removed. The rules are applied to the incoming username in the order in which they are listed. Use the Move Up and Move Down buttons to specify the order.

More Info For more information about pattern matching syntax, see the topic titled Pattern Matching Syntax in Windows 2000 Server Help.

NOTE IAS for Windows Server 2003 does not include a Realms tab. Realm name manipulation for Windows Server 2003 IAS is done by using connection request policies.

Remote Access Logging-Local File Properties

Within the Remote Access Logging folder of the Internet Authentication Service snap-in, is the Local File object. This object allows IAS to log connection accounting information to a file. To configure its properties, right-click Local File in the details pane and click Properties.

Settings Tab

Figure 4-5 shows the Settings tab for the Local File object in Windows 2000 Server IAS.

Figure 4-5. The Settings tab for the Local File object in Windows 2000 Server IAS.

From the Settings tab, you can view and configure the following:

• Log Accounting Requests

  Enable or disable the logging of accounting requests in the IAS log file. Accounting requests include Accounting-On, Accounting-Off, Accounting-Start, and Accounting-Stop messages. IAS logs only accounting requests sent by the RADIUS client. If the RADIUS client is not configured for RADIUS accounting, accounting requests for that client are not logged.

• Log Authentication Requests

  Enable or disable the logging of authentication requests in the IAS log file.

• Log Periodic Status

  Enable or disable the logging of interim accounting requests in the IAS log file.

Local File Tab

Figure 4-6 shows the Local File tab for the Local File object in Windows 2000 Server IAS.

Figure 4-6. The Local File tab for the Local File object in Windows 2000 Server IAS.

From the Local File tab, you can view and configure the following:

• Log File Format

  Specify the log file format. The database-compatible format is Open Database Connectivity (ODBC)-compatible and is typically selected when you want to store the log file information in a database. The IAS format is an ID-value paired format that provides information on all RADIUS attributes in the RADIUS message.

• New Log Time Period

  Specify how often a new log file will be created. New log files can be created based on time or log file size.

• Log File Directory

  Specify the location of the IAS log file.

More Info For more information about log file formats, see Windows 2000 Server Help.

IAS Configuration Settings for Windows Server 2003

The IAS global properties consist of server properties and remote access logging properties. (The settings shown in the following screenshots reflect the default settings, unless otherwise noted.)

Server Properties

To configure the global properties of an IAS server running Windows Server 2003 in the Internet Authentication Service snap-in, right-click Internet Authentication Service, and then click Properties.

General Tab

Figure 4-7 shows the General tab for IAS in Windows Server 2003.

Figure 4-7. The General tab for IAS in Windows Server 2003.

From the General tab, you can view and configure the following:

• Server Description

  Type the name of the server to distinguish it from other IAS servers.

• Rejected Authentication Requests

  Enable or disable the logging of rejected or discarded authentication requests in the Windows Server 2003 system event log.

• Successful Authentication Requests

  Enable or disable the logging of successful authentication requests in the Windows Server 2003 system event log.

Ports Tab

Figure 4-8 shows the Ports tab for IAS in Windows Server 2003.

Figure 4-8. The Ports tab for IAS in Windows Server 2003.

From the Ports tab, you can view and configure the following:

• Authentication

  Enumerate the list of UDP ports over which RADIUS authentication messages are received. By default, IAS uses UDP ports 1812 and 1645. UDP port 1812 is the reserved RADIUS authentication port described in RFC 2865. Earlier RADIUS clients use UDP port 1645.

• Accounting

  Enumerate the list of UDP ports over which RADIUS accounting messages are received. By default, IAS uses UDP ports 1813 and 1646. UDP port 1813 is the reserved RADIUS accounting port described in RFC 2866. Earlier RADIUS clients use UDP port 1646.

Remote Access Logging

The Remote Access Logging folder of the Internet Authentication Service snap-in contains the Local File and SQL Server objects. These objects represent two different ways that IAS can log connection accounting information: to a file and to a structured query language (SQL) server. To configure the Local File or SQL Server object properties, right-click one of them in the details pane of the snap-in and click Properties.

Local File-Settings Tab

Figure 4-9 shows the Settings tab for the Local File object in Windows Server 2003 IAS.

Figure 4-9. The Settings tab for the Local File object in Windows Server 2003 IAS.

From the Settings tab, you can view and configure the following:

• Accounting Requests

  Enable or disable the logging of accounting requests in the IAS log file. Accounting requests include Accounting-On, Accounting-Off, Accounting-Start, and Accounting-Stop messages. IAS logs only accounting requests sent by the RADIUS client. If the RADIUS client is not configured for RADIUS accounting, accounting requests for that client are not logged.

• Authentication Requests

  Enable or disable the logging of authentication requests in the IAS log file.

• Periodic Status

  Enable or disable the logging of interim accounting requests in the IAS log file.

Local File-Log File Tab

Figure 4-10 shows the Log File tab for the Local File object in Windows Server 2003 IAS.

Figure 4-10. The Log File tab for the Local File object in Windows Server 2003 IAS.

From the Log File tab, you can view and configure the following:

• Directory

  Specify the location of the IAS log file.

• Format

  Specify the log file format. The IAS format is an ID-value paired format that provides information on all RADIUS attributes in the RADIUS message. The database-compatible format is an ODBC-compatible format that is typically selected when you want to store the log file information in a database.

• Create A New Log File

  Specify how often a new log file will be created. New log files can be created based on time or log file size.

• When Disk Is Full Delete Other Log Files

  Enable the automatic deletion of the oldest log files (as determined by the filename) when the disk becomes full.

More Info For more information about log file formats, see Windows Server 2003 Help and Support.

SQL Server-Settings Tab

Figure 4-11 shows the Settings tab for the SQL Server object in Windows Server 2003 IAS.

Figure 4-11. The Settings tab for the SQL Server object in Windows Server 2003 IAS.

From the Settings tab, you can view and configure the following:

• Accounting Requests

  Enable or disable the logging of accounting requests in the SQL server database. Accounting requests include Accounting-On, Accounting-Off, Accounting-Start, and Accounting-Stop messages. IAS logs only accounting requests sent by the RADIUS client. If the RADIUS client is not configured for RADIUS accounting, then accounting requests for that client are not logged.

• Authentication Requests

  Enable or disable the logging of authentication requests in the SQL server database.

• Periodic Status

  Enable or disable the logging of interim accounting requests in the SQL server database.

• Maximum Number Of Concurrent Sessions

  Specify the maximum number of sessions that the IAS server can have with the specified SQL server.

• Data Source

  Specify the SQL server database to which the RADIUS accounting information is sent. Click Configure to specify the database and its data link properties, or click Clear to remove the current data source.

IAS as a RADIUS Server

IAS can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be either an access server or a RADIUS proxy. IAS as a RADIUS server is shown in Figure 4-12.

Figure 4-12. IAS as a RADIUS server.

Between the access server and IAS server, RADIUS messages are exchanged. Between the IAS server and the Active Directory domain controller, there is a secure communications channel.

When IAS is used as a RADIUS server, it provides the following:

• A central authentication and authorization service for all access requests that are sent by RADIUS clients and RADIUS proxies.

  IAS uses either a Windows NT Server 4.0 domain, an Active Directory based domain, or the local SAM to authenticate user credentials for a connection attempt. IAS uses the dial-in properties of the user account and remote access policies to authorize a connection and enforce connection constraints.

• A central accounting recording service for all accounting requests that are sent by RADIUS clients.

  For Windows 2000 Server, accounting requests are stored in a local log file for analysis. For Windows Server 2003, accounting requests can either be stored in a local log file or sent to a SQL server database for analysis.

You can use IAS as a RADIUS server in the following circumstances:

• You use a Windows NT Server 4.0 domain, an Active Directory based domain, or the local SAM as your user account database for access clients.

• You use the Windows 2000 Server or Windows Server 2003 Routing and Remote Access service on multiple dial-up servers, VPN servers, or site-to-site routers; and you want to centralize both the configuration of remote access policies and accounting of connection information.

• You outsource your dial-in, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.

• You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.

More Info For more information about using IAS as a RADIUS server, see Windows 2000 Server Help or Windows Server 2003 Help and Support.

Configuring RADIUS Clients

As a RADIUS server, IAS must be configured with RADIUS clients that correspond to either the access servers or RADIUS proxies that will be sending RADIUS request messages. RADIUS clients are added, configured, and removed from the Clients folder in the Internet Authentication Service snap-in for Windows 2000 Server IAS and from the RADIUS Clients folder in the Internet Authentication Service snap-in for Windows Server 2003 IAS.

To add a RADIUS client for Windows 2000 Server IAS, right-click the Clients folder and click New Client. To add a RADIUS client for Windows Server 2003 IAS, right-click the RADIUS Clients folder and click New RADIUS Client. A New RADIUS Client Wizard or a set of dialog boxes guides you through the configuration of a RADIUS client.

Figure 4-13 shows the properties of a RADIUS client in Windows Server 2003 IAS.

Figure 4-13. The properties of a RADIUS client in Windows Server 2003 IAS.

From the Settings tab, you can view and configure the following:

• Friendly Name

  Specify a friendly name for the RADIUS client. This name does not have to correspond to the DNS, NetBIOS, or computer name of the RADIUS client.

• Address (IP Or DNS)

  Specify either the IP address or the DNS name of the RADIUS client. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure RADIUS clients by specifying an IP address range.

• Verify

  If you specify a DNS name in the Address (IP Or DNS) text box, you can verify that the name is being resolved to the correct address. If the DNS name is associated with multiple IP addresses, you can choose the address to use.

• Client-Vendor

  Specify the vendor of the RADIUS client. Select RADIUS standard for a vendor-independent client.

• Request Must Contain The Message Authenticator Attribute

  Specify whether the client must always include the RADIUS Message-Authenticator attribute (also known as the Signature attribute) in Access-Request messages for connection requests using the PAP, Shiva Password Authentication Protocol (SPAP), CHAP, MS-CHAP, and MS-CHAP v2 authentication protocols. With EAP, the signature attribute is always included, and this check box does not have to be enabled. If you enable this, you must ensure that the RADIUS client is configured to always send the Message-Authenticator attribute. Other wise, IAS will discard the Access-Request message upon receipt. For Windows 2000 Server IAS, this check box is titled Client Must Always Send The Signature Attribute In The Request.

• Shared Secret

  Specify the shared secret. Both IAS and the RADIUS client must be configured with the same shared secret for successful communication to occur. The shared secret can be up to 128 bytes long, is case-sensitive, and can contain alphanumeric and special characters. To protect your RADIUS traffic from an offline dictionary and shared secret compromise, make the shared secret a long (22 characters or longer) sequence of random letters, numbers, and punctuation.

• Confirm Shared Secret

  Specify the shared secret again.

Remote Access Policy Overview

For a connection attempt to be accepted, it must be both authenticated and authorized. Authentication is done by verifying the credentials of the access client. Authorization is granted on the basis of user account dial-in properties and remote access policies. Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting.

When a connection is authorized, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions.

Remote Access Policy Conditions and Restrictions

Before authorizing the connection, remote access policies can validate a number of connection settings, including the following:

• Group membership

• Type of connection

• Time of day

• Authentication method

• Identity of the access server

• Whether unauthenticated access is allowed

After authorizing the connection, remote access policies can specify connection restrictions, including the following:

• Idle timeout time

• Maximum session time

• Encryption strength

• Authentication method

• IP packet filters

For example, you can have policies that specify different maximum session times for different types of connections or groups. Additionally, you can have policies that specify restricted access for business partners or unauthenticated connections.

Remote Access Policy Configuration

A remote access policy is a named rule that consists of the following elements:

• Conditions

• Remote access permission

• Profile

Remote access policies are configured from the Remote Access Policies object in the tree pane of the Internet Authentication Service snap-in. In Windows 2000 Server IAS, the Add Remote Access Policy Wizard guides you through the configuration of the elements of a remote access policy. In Windows Server 2003 IAS, the New Remote Access Policy Wizard greatly simplifies remote access policy creation.

Figure 4-14 shows the properties of a remote access policy named Wireless Access that was created for wireless connections.

Figure 4-14. Properties of a remote access policy.

Remote Access Policy Conditions

Remote access policy conditions are one or more attributes that are compared with the properties of the connection attempt. If there are multiple conditions, all conditions must be met in order for the connection attempt to match the policy.

More Info For a list of all the conditions and a description of each one, see Windows 2000 Server Help or Windows Server 2003 Help and Support.

Remote Access Permission

If all the conditions of a remote access policy are met, remote access permission is either granted or denied. Use the Grant Remote Access Permission option or the Deny Remote Access Permission option to set remote access permission for a policy.

Remote access permission is also configured on each account. When the remote access permission on the account is set to either Allow Access or Deny Access, the account remote access permission overrides the policy remote access permission. When remote access permission on an account is set to Control Access Through Remote Access Policy, the policy remote access permission determines whether the connection has remote access permission.

Granting access through the Account Remote Access Permission setting or the Policy Remote Access Permission setting is only the first step of accepting a connection. The connection attempt is then subjected to the settings of the account properties and the policy profile properties. If the connection attempt does not match the conditions or constraints of the account properties or the profile properties, the connection attempt is rejected.

NOTE By default, the New Remote Access Policy Wizard for Windows Server 2003 configures Grant Remote Access Permission.

Remote Access Policy Profile Settings

The remote access policy profile is a set of properties that is applied to a connection when the connection is granted remote access permission either through the account remote access permission setting or the policy permission setting. A profile consists of the following groups of properties:

• Dial-In Constraints

• IP

• Multilink

• Authentication

• Encryption

• Advanced

These groups of properties are configured from tabs in the Edit Dial-In Profile dialog box. (The settings shown in the following screen shots reflect the default settings, unless otherwise noted.)

NOTE Because the remote access policy configuration dialog boxes are so similar between Windows 2000 Server and Windows Server 2003, only the dialog boxes for Windows Server 2003 are shown. Differences between Windows Server 2003 and Windows 2000 Server are noted as needed.

Dial-In Constraints Tab

Figure 4-15 shows the Dial-In Constraints tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-15. The Dial-In Constraints tab for a remote access policy.

From the Dial-In Constraints tab, you can view and configure the following:

• Minutes Server Can Remain Idle Before It Is Disconnected

  The amount of time after which the access server disconnects a connection when there is no activity on the connection. By default, this property is not set, and there is no idle disconnect. This constraint corresponds to the RADIUS Idle-Timeout attribute.

• Minutes Client Can Be Connected

  The maximum amount of time that a connection can remain connected. The access server disconnects the connection after the maximum session length. By default, this property is not set, and the connection has no maximum session limit. This constraint corresponds to the RADIUS Session-Timeout attribute.

• Allow Access Only On These Days And At These Times

  The days of the week and hours of each day that a connection is allowed. If the day and time of the connection attempt do not match the configured day and time limits, the connection attempt is rejected. By default, this property is not set, and the access server has no day or time limits. The access server does not disconnect active connections that are connected at a time when connection attempts are not allowed.

• Allow Access Only To This Number

  The specific phone number that a caller must call for a connection to be allowed. If the dial-in number of the connection attempt does not match the configured dial-in number, the connection attempt is rejected. By default, this property is not set and the remote access server allows all dial-in numbers. This constraint corresponds to the RADIUS Calling-Station-Id attribute.

• Allow Access Only Through These Media

  The specific types of media such as wireless, dial-up, or VPN that a client must use for a connection to be allowed. If the dial-in medium of the connection attempt does not match the configured dial-in media, the connection attempt is rejected. By default, this property is not set and all dial-in media types are allowed. This constraint corresponds to the RADIUS NAS-Port-Type attribute.

IP Tab

Figure 4-16 shows the IP tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-16. The IP tab for a remote access policy.

From the IP tab, you can view and configure the following:

• IP Address Assignment

  You can set IP properties to specify whether the access client can request a specific IP address for a connection. By default, IAS allows the access server to determine the IP address assigned to the access client. This setting corresponds to the Framed-IP-Address RADIUS attribute.

• IP Filters

  To define the allowed traffic across the connection after the connection has been made, you can configure IP packet filters for remote access policy profiles. You can use profile packet filters to configure IP traffic that the access server allows out of the connection to the access client (Output Filters) or into the connection from the access client (Input Filters) on an exception basis: either all traffic except traffic specified by filters or no traffic except traffic specified by filters. These filters are used by the Routing and Remote Access service for remote access connections. Output Filters correspond to the To Client filters, and Input Filters correspond to the From Client filters in Windows 2000 Server IAS.

Multilink Tab

Figure 4-17 shows the Multilink tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-17. The Multilink tab for a remote access policy.

From the Multilink tab, you can set properties that enable multilink and determine the maximum number of ports that a multilink connection can use. Additionally, you can set Bandwidth Allocation Protocol (BAP) policies that determine BAP usage and when extra BAP lines are dropped. The multilink and BAP properties are specific to Windows dial-up remote access.

Authentication Tab

Figure 4-18 shows the Authentication tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-18. The Authentication tab for a remote access policy.

From the Authentication tab, you can set properties to enable the types of authentication that are allowed for a connection and specify the list of EAP types and their order of negotiation that must be used. For Windows Server 2003 IAS, the default authentication methods depend on your choices in the New Remote Access Policy Wizard.

For Windows 2000 Server IAS, you can select only a single EAP type for use with EAP-based authentication.

Encryption Tab

Figure 4-19 shows the Encryption tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-19. The Encryption tab for a remote access policy.

From the Encryption tab, you can view and configure the following:

• Basic Encryption

  For dial-up and PPTP-based VPN connections, Microsoft Point-to-Point Encryption (MPPE) with a 40-bit key is used. For L2TP/IPSec based VPN connections, 56-bit Data Encryption Standard (DES) encryption is used.

• Strong Encryption

  For dial-up and PPTP-based VPN connections, MPPE with a 56-bit key is used. For L2TP/IPSec based VPN connections, 56-bit DES encryption is used.

• Strongest Encryption

  For dial-up and PPTP-based VPN connections, MPPE with a 128-bit key is used. For L2TP/IPSec based VPN connections, 3DES encryption is used. For Windows 2000 Server IAS, this option is available only after the Windows 2000 High Encryption Pack or Service Pack 2 or later is installed.

• No Encryption

  When selected, this option allows a non-encrypted connection. To require encryption, clear the No encryption check box.

These encryption settings correspond to the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types RADIUS attributes (RFC 2548). For Windows Server 2003 IAS, the default encryption strengths depend on your choices in the New Remote Access Policy Wizard.

Advanced Tab

Figure 4-20 shows the Advanced tab for a remote access policy in Windows Server 2003 IAS.

Figure 4-20. The Advanced tab for a remote access policy.

From the Advanced tab, you can set properties to specify the series of additional RADIUS attributes that are sent back to the RADIUS client by the IAS server. To add RADIUS attributes, click Add. You can select from the list of RADIUS attributes or select the Vendor-Specific attribute to configure RADIUS VSAs. The VSAs are saved with the profile settings for each policy.

For Windows Server 2003 IAS, the default attributes depend on your choices in the New Remote Access Policy Wizard. For wireless connections, the Service-Type attribute is set to Framed by default.

Authorizing Access with Remote Access Policy

There are two ways to use remote access policies to grant authorization, as described in the following sections.

• By user

• By group

Authorization by User

If you are managing authorization by user, set the remote access permission on the user or computer account to either Grant Access or Deny Access, and (optionally) create different remote access policies based on different types of connections. For example, you might want to have one remote access policy that is used for dial-up connections and a different remote access policy that is used for wireless connections. Managing authorization by user is recommended only when you have a small number of user or computer accounts to manage.

If you are managing authorization by user, the basic process for authorizing a connection attempt occurs as follows:

• If the connection attempt matches all policy conditions, check the remote access permission setting of the account.

• If the remote access permission is set to Grant Access, apply the connection settings of the policy profile and account.

• If the remote access permission is set to Deny Access, reject the connection attempt.

• If the connection attempt does not match all policy conditions, process the next remote access policy.

• If the connection attempt does not match all conditions of any remote access policy, reject the connection attempt.

Authorization by Group

If you are managing authorization by group, set the remote access permission on the user account to Control Access Through Remote Access Policy, and create remote access policies that are based on different types of connections and group membership. For example, you might want to have one remote access policy for dial-up connections for employees (members of the Employees group) and a different remote access policy for dial-up connections for contractors (members of the Contractors group).

If you are managing authorization by group, the basic process for authorizing a connection attempt occurs as follows:

• If the connection attempt matches all policy conditions, check the remote access permission of the remote access policy.

• If the remote access permission is set to Grant Remote Access Permission, apply the connection settings of the policy profile and account.

• If the remote access permission is set to Deny Remote Access Permission, reject the connection attempt.

• If the connection attempt does not match all policy conditions, process the next remote access policy.

• If the connection attempt does not match all conditions of any remote access policy, reject the connection attempt.

NOTE The Control Access Through Remote Access Policy remote access permission setting is available only on accounts that are members of a Windows 2000 native-mode Active Directory domain or a Windows Server 2003, Windows 2000 native, or Windows Server 2003 functional level domain.

IAS as a RADIUS Proxy

IAS can be used as a RADIUS proxy to provide the routing of RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, IAS is a central switching or routing point through which RADIUS access and accounting messages flow. IAS records information in an accounting log about the messages that are forwarded. Figure 4-21 shows IAS as a RADIUS proxy.

Figure 4-21. IAS as a RADIUS proxy.

When IAS is used as a RADIUS proxy between a RADIUS client and a RADIUS server, RADIUS messages for network access connection attempts are forwarded in the following way:

1. Access servers such as dial-up network access servers, VPN servers, and wireless access points receive connection requests from access clients.

2. The access server configured to use RADIUS as the authentication, authorization, and accounting protocol creates an Access-Request message and sends it to the IAS server that is being used as a RADIUS proxy.

3. The IAS RADIUS proxy receives the Access-Request message and, based on the locally configured connection request policies, determines where to forward the Access-Request message.

4. The IAS RADIUS proxy forwards the Access-Request message to the appropriate RADIUS server.

5. The RADIUS server evaluates the Access-Request message.

6. If required, the RADIUS server sends an Access-Challenge message to the IAS RADIUS proxy, where it is forwarded to the access server.

7. The access server processes the challenge with the access client and sends an updated Access-Request to the IAS RADIUS proxy, where it is forwarded to the RADIUS server.

8. The RADIUS server authenticates and authorizes the connection attempt.

9. If the connection attempt is both authenticated and authorized, the RADIUS server sends an Access-Accept message to the IAS RADIUS proxy, where it is forwarded to the access server.

   If the connection attempt is either not authenticated or not authorized, the RADIUS server sends an Access-Reject message to the IAS RADIUS proxy, where it is forwarded to the access server.

10. The access server completes the connection process with the access client and sends an Accounting-Request message to the IAS RADIUS proxy. The IAS RADIUS proxy logs the accounting data and forwards the message to the RADIUS server.

11. The RADIUS server sends an Accounting-Response to the IAS RADIUS proxy, where it is forwarded to the access server.

You can use IAS as a RADIUS proxy under the following circumstances:

• You are a service provider that offers outsourced dial, VPN, or wireless network access services to multiple customers.

• You want to provide authentication and authorization for accounts that are not members of either the domain in which the IAS server is a member or another domain that has a two-way trust with the domain in which the IAS server is a member.

• You want to perform authentication and authorization by using a database that is not a Windows account database.

• You want to process a large number of connection requests. The IAS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second.

• You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration.

More Info For more information about using Windows Server 2003 IAS as a RADIUS proxy, see Windows Server 2003 Help and Support.

Connection Request Processing

To determine if a RADIUS client message should be processed locally or forwarded to another RADIUS server, a Windows Server 2003 IAS server uses connection request processing. Connection request processing is a combination of the following:

• Connection request policies

  For any incoming RADIUS request message, connection request policies determine whether the message is processed locally or forwarded to another RADIUS server.

• Remote RADIUS server groups

  When forwarding RADIUS messages, remote RADIUS server groups specify the set of RADIUS servers to which the messages are forwarded.

Connection Request Policies

Connection request policies are rules specifying conditions and profile settings that give you flexibility to configure how the IAS server handles incoming authentication and accounting request messages. With connection request policies, you can create a series of policies so that some RADIUS request messages are processed locally (IAS is being used as a RADIUS server), and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy).

Connection request policies allow you to use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, the realm name in the request, the type of connection being requested, the IP address of the RADIUS client, and so on.

It is important to remember that with connection request policies, a RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. For example, if the attributes of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent.

A connection request policy is a combination of the following:

• Conditions

  Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS request message. If there are multiple conditions, all of the conditions must match the attributes of the incoming RADIUS message in order for the RADIUS request message to match the policy.

• Profile settings

  A connection request policy profile is a set of properties that are applied to an incoming RADIUS message once it has matched all the conditions. A connection request policy profile consists of the following groups of properties:

  • Authentication

  • Accounting

  • Attribute

  • Advanced

Figure 4-22 shows the connection request policy properties for the default policy named Use Windows Authentication For All Users.

Figure 4-22. Properties of a connection request policy.

More Info For a complete list of conditions and their descriptions, see Windows Server 2003 Help and Support.

Authentication Tab

Figure 4-23 shows the Authentication tab for a connection request policy in Windows Server 2003 IAS.

Figure 4-23. The Authentication tab for a connection request policy.

From the Authentication tab, you can view and configure the following:

• Authenticate Requests On This Server

  Use a Windows NT 4.0 domain or Active Directory, or the local SAM for both authentication database and the matching remote access policy and account dial-in properties for authorization. In this case, the IAS server is being used as a RADIUS server.

• Forward Requests To The Following Remote RADIUS Server Group For Authentication

  Forward the Access-Request message to another RADIUS server in a specified remote RADIUS server group. In this case, the IAS server is being used as a RADIUS proxy. When you select this option, you must also select a remote RADIUS server group.

• Accept Users Without Authenticating Credentials

  Do not check authentication of the user credentials and authorization of the connection attempt. An Access-Accept message is immediately sent to the RADIUS client.

  This authentication option cannot be used when the access client s authentication protocol is MS-CHAP v2 or EAP-Transport Level Security (EAP-TLS), both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the IAS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client, and mutual authentication fails.

Accounting Tab

Figure 4-24 shows the Accounting tab for a connection request policy in Windows Server 2003 IAS, which determines how IAS handles RADIUS Accounting-Request messages.

Figure 4-24. The Accounting tab for a connection request policy.

From the Accounting tab, you can specify that RADIUS Accounting-Request messages are forwarded to another RADIUS server in a specified remote RADIUS server group. In this case, the IAS server is acting as a RADIUS proxy. IAS always records the accounting information for Accounting-Request messages based on remote access logging settings.

Attribute Tab

Figure 4-25 shows the Attribute tab for a connection request policy in Windows Server 2003 IAS.

Figure 4-25. The Attribute tab for a connection request policy.

From the Attribute tab, you can configure a set of find-and-replace rules that manipulate the text strings of one of the following attributes:

• User-Name

• Called-Station-ID

• Calling-Station-ID

Find-and-replace rule processing occurs for one of the preceding attributes before the RADIUS message is subject to authentication and accounting settings. Configuring attribute manipulation for the User-Name attribute is equivalent to configuring realm replacement rules for Windows 2000 Server IAS.

If you use the MS-CHAP v2 authentication protocol, you cannot manipulate the User-Name attribute if the connection request policy is used to forward the RADIUS message. The only exception occurs when a backslash (\) character is used, and then the manipulation affects only the information to the left of it. A backslash character is typically used to indicate a domain name (the information to the left of the backslash character) and a user account name within the domain (the information to the right of the backslash character). In this case, only attribute manipulation rules that modify or replace the domain name are allowed.

NOTE Find-and-replace rules apply only to a single attribute. You cannot configure find-and-replace rules for each attribute, and you cannot add to the list of attributes available for manipulation.

Advanced Tab

Figure 4-26 shows the Advanced tab for a connection request policy in Windows Server 2003 IAS.

Figure 4-26. The Advanced tab for a connection request policy.

From the Advanced tab, you can set properties to specify the series of RADIUS attributes that are

• Added to the RADIUS response message when the IAS server is being used as a RADIUS authentication or accounting server.

  When there are attributes specified on both a remote access policy and the connection request policy, the attributes that are sent in the RADIUS response message are the combination of the two sets of attributes.

• Added to the RADIUS message when the IAS server is being used as a RADIUS authentication or accounting proxy.

  If the attribute already exists in the message that is forwarded, it is replaced with the value of the attribute specified in the connection request policy.

Remote RADIUS Server Groups

A remote RADIUS server group is a named group that contains one or more RADIUS servers. When IAS is being used as a RADIUS proxy for RADIUS request messages, a remote RADIUS server group must be specified. This group is used to facilitate the common configuration of both a primary and at least one backup RADIUS server. You can specify various settings to either determine the order in which the servers are used or distribute the RADIUS messages across all servers in the group.

Figure 4-27 shows the properties of a remote RADIUS server group named RAD1.

Figure 4-27. The properties of a remote RADIUS server group.

After a remote RADIUS server group is configured, it can be specified in the authentication and accounting settings of a connection request policy; so you should configure a remote RADIUS server group first. Next, you can configure the connection request policy to use the newly configured remote RADIUS server group. Alternately, you can use the New Connection Request Policy Wizard to create a new remote RADIUS server group while you are creating the connection request policy.

NOTE Remote RADIUS server groups are separate from Windows groups.

Each server in a remote RADIUS server group has the following groups of properties:

• Address

• Authentication/Accounting

• Load Balancing

Address Tab

Figure 4-28 shows the Address tab for a RADIUS server in a remote RADIUS server group in Windows Server 2003 IAS.

Figure 4-28. The Address tab for a RADIUS server in a remote RADIUS server group.

On the Address tab, you can configure the name or address of the RADIUS server. If you specify a name, you can click Verify to resolve the name and select the correct resolved address.

Authentication/Accounting Tab

Figure 4-29 shows the Authentication/Accounting tab for a RADIUS server in a remote RADIUS server group in Windows Server 2003 IAS.

From the Authentication/Accounting tab, you can view and configure the following:

• Authentication Port

  Type the destination UDP port for RADIUS Access-Request messages sent to this RADIUS server. By default, the authentication port is 1812.

• Shared Secret

  Type the shared secret between the IAS server (acting as a RADIUS proxy) and this RADIUS server for connection request traffic. Within a chain of RADIUS entities, the shared secret between a RADIUS proxy and an access client (or another RADIUS proxy) can and should be different from the shared secret between the RADIUS proxy and the RADIUS server (or another RADIUS proxy). For best protection of your RADIUS traffic, use a shared secret at least 22 characters long and consisting of a random sequence of upper- and lowercase letters, numbers, and punctuation.

• Confirm Shared Secret

  Type the authentication shared secret again.

• Accounting Port

  Type the destination UDP port for Accounting-Request messages sent to this RADIUS server. By default, the accounting port is 1813.

• Use The Same Shared Secret For Authentication And Accounting

  Enable the same shared secret for both authentication (connection requests) and accounting messages. In many cases, including IAS, RADIUS servers provide only the configuration of a single shared secret per RADIUS client that is used for both authentication and accounting messages.

• Shared Secret

  If Use The Same Shared Secret For Authentication And Accounting is disabled, type the shared secret between the IAS server (acting as a RADIUS proxy) and this RADIUS server for accounting traffic; that is, configured separately from the shared secret for authentication traffic.

• Confirm Shared Secret

  If Use The Same Shared Secret For Authentication And Accounting is disabled, type the accounting shared secret again.

• Forward Network Access Server Start And Stop Notifications To This Server

  Enable to forward accounting start and stop messages to this RADIUS server.

Figure 4-29. The Authentication/Accounting tab for a RADIUS server in a remote RADIUS server group.

Load Balancing Tab

Figure 4-30 shows the Load Balancing tab for a RADIUS server in a remote RADIUS server group in Windows Server 2003 IAS.

Figure 4-30. The Load Balancing tab for a RADIUS server in a remote RADIUS server group.

From the Load Balancing tab, you can view and configure the following:

• Priority

  Type the priority of this RADIUS server in the remote RADIUS server group. IAS uses the priority value to determine which server in the RADIUS server group is the most favored when forwarding RADIUS messages. The primary RADIUS server has a priority value of 1.

• Weight

  Type the weight of this RADIUS server in the remote RADIUS server group. For group members that have the same priority, the weight setting is used to calculate how often RADIUS messages are sent to each of them.

• Number Of Seconds Without Response Before Request Is Considered Dropped

  Type the number of seconds after which a response is not received that IAS can consider the request dropped. This is the response time out value.

• Maximum Number Of Dropped Requests Before Server Is Identified As Unavailable

  Type the maximum number of unanswered requests after which the server is considered unavailable.

• Number Of Seconds Between Requests When Server Is Identified As Unavailable

  Type the number of seconds after which an authentication request is sent when the server is considered unavailable. In order to detect when a RADIUS server has become available again, IAS sends RADIUS messages periodically to attempt to get a response. When a response is received, the server is considered available.