Configuring IAS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure IAS for use with VLANs, do the following:

  1. Install Internet Authentication Service on a computer running Windows Server 2003. For more information, see “To install IAS” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20028.

  2. Register IAS in Active Directory. In order for IAS to have permission to read user accounts in Active Directory, IAS must be registered with Active Directory. For more information, see “To enable the IAS server to read user accounts in Active Directory” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20030.

  3. Add RADIUS clients. In the IAS snap-in, right-click RADIUS Clients, and then click New RADIUS Client. Use the New RADIUS Client Wizard to both add and configure your network access servers as RADIUS clients.

  4. Delete the default remote access policies. To delete the policies, open the IAS snap-in, and then click Remote Access Policies. Select each existing policy, right-click the policy, and then click Delete.

  5. Create a new remote access policy. In the console tree of the IAS snap-in, right-click Remote Access Policies, and then click New Remote Access Policy. Use the New Remote Access Policy Wizard to create a policy.

As an example policy, you can choose the following:

  • For How do you want to set up this policy? select Use the wizard to set up a typical policy for a common scenario.

  • For Policy name, type a name for your policy. For example, type Sales policy.

  • For Select the method of access for which you want to create a policy, select the appropriate type of access, such as Wireless or Ethernet.

  • For Grant access based on the following, click Group, and then click Add. In Enter the object name to select, type the name of a security group that you defined when configuring Active Directory. For example, if you created a group named Sales, type Sales, and then click OK.

  • In Authentication Methods, select the authentication method that you would like to enforce for users who will be placed on this VLAN. Your choices will differ based upon the access method you have chosen for the policy, such as Wireless or VPN. When you have completed configuring an authentication method, click Finish.

After you have completed creating the policy and have closed the wizard, you need to configure additional items for the remote access policy. In the IAS snap-in, click Remote Access Policies, and then double-click the policy you just created. Make the following configuration changes to the policy:

  1. In the policy Properties dialog box, for Policy conditions, click Add.

  2. In Attribute Types, click Day-And-Time-Restrictions, and then click Add. In Time of day restraints, select Permitted, configure the days and times that access is permitted, and then click OK.

  3. In the policy Properties dialog box, click Grant remote access permission.

  4. Click Edit Profile, and then click the Advanced tab. By default, the Service-Type attribute appears in Attributes with a value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute appears in Attributes with a value of PPP. To specify additional connection attributes required for VLANs, click Add, and then add the following attributes:

    • Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made. For example, if the remote access policy you are configuring is a wireless policy, select the value 802 (Includes all 802 media plus Ethernet canonical format).

    • Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. For example, if your Sales VLAN is on VLAN 4, type the number 4.

    • Tunnel-Type. Select the value Virtual LANs (VLAN).

    • Tunnel-Tag. Obtain this value from your hardware documentation.

  5. Configure IAS connection request policies as you require.
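To confirm from the network side that a policy configured as in step 4 really returns the VLAN attributes, the following added example (not part of the original documentation) parses a RADIUS Access-Accept and extracts the assigned VLAN. The attribute numbers and values (Tunnel-Type 64 = 13, Tunnel-Medium-Type 65 = 6, Tunnel-Pvt-Group-ID 81) are taken from RFC 2868 and RFC 3580, the function names are hypothetical, and the sample packet is constructed with a zeroed authenticator and a tag of 0.

```python
# Attribute numbers and values per RFC 2868 / RFC 3580 (assumed, not from the page)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of one RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")   # big-endian Length field
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def tagged_int(value: bytes) -> int:
    """Tagged integer: 1 tag byte followed by a 3-byte big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def vlan_from_access_accept(packet: bytes) -> int:
    """Return the VLAN ID, or raise ValueError if the VLAN triple is incomplete."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for atype, want in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        if atype not in attrs or tagged_int(attrs[atype]) != want:
            raise ValueError(f"attribute {atype} missing or not {want}")
    group = attrs.get(TUNNEL_PVT_GROUP_ID, b"")
    if group and group[0] <= 0x1F:       # leading byte <= 0x1F is the tunnel tag
        group = group[1:]
    vlan = int(group.decode("ascii"))    # ValueError if empty or not numeric
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return vlan

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: Access-Accept, Service-Type Framed, tag 0, VLAN 4 (Sales)
BODY = (attr(6, (2).to_bytes(4, "big")) + attr(64, b"\x00\x00\x00\x0d")
        + attr(65, b"\x00\x00\x00\x06") + attr(81, b"\x004"))
SAMPLE = bytes([2, 1]) + (20 + len(BODY)).to_bytes(2, "big") + bytes(16) + BODY
print(vlan_from_access_accept(SAMPLE))
```

A switch or access point that receives an Access-Accept without the full Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID set typically leaves the port on its default VLAN, so a ValueError here points to a policy profile that is missing one of the attributes from step 4.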

Important

IAS evaluates remote access policies in the order in which they appear in the IAS snap-in under Remote Access Policies.

For more information about remote access policies, see “Elements of a remote access policy” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=30605.

For more information about connection request processing, see “Introduction to connection request processing” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=30607.