This paper describes the Internet Authentication Service (IAS) in Microsoft Windows 2000, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server. RADIUS is an industry standard protocol to authenticate, authorize, and account for access server connections. IAS can be used as a RADIUS server to any device, typically a network access server (NAS), which supports RADIUS, including the Windows 2000 Routing and Remote Access service. IAS can be used in a variety of scenarios, including centralized authentication and accounting for an organization’s remote access infrastructure, outsourced corporate access using third party dial-up service providers, and centralized authentication and accounting for an Internet service provider (ISP). This paper is written for network architects and system administrators using or considering the use of RADIUS and IAS in their network infrastructure.
Microsoft Windows 2000 Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server. IAS performs centralized connection authentication, authorization, and accounting for dial-up and virtual private network (VPN) remote access and for router-to-router connections. It can be used in conjunction with Windows 2000 Routing and Remote Access service. IAS enables the use of a single- or multiple-vendor network of remote access or VPN equipment.
Internet service providers (ISPs) and corporations maintaining remote access for their employees are faced with the increasing challenge of managing all remote access from a single point of administration, regardless of the type of remote access equipment employed. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. RADIUS is a client-server protocol that enables remote access equipment acting as RADIUS clients to submit authentication and accounting requests to a RADIUS server.
The RADIUS server has access to user account information and can check remote access authentication credentials. If the user’s credentials are authentic and the connection attempt is authorized, then the RADIUS server authorizes the user’s access based on specified conditions and logs the remote access connections in an accounting log.
The use of RADIUS allows the remote access user authentication, authorization, and accounting data to be maintained in a central location, rather than on each network access server (NAS). Users connect to RADIUS-compliant NASs, such as a Windows 2000-based computer that is running the Routing and Remote Access service. The NASs then forward authentication requests to the centralized IAS server.
For more information about the RADIUS protocol, see Appendix B.
With IAS, organizations can also outsource remote access infrastructure to ISPs while retaining control over user authentication, authorization, and accounting.
IAS can be deployed in several configurations that use Internet technology, such as:
Dial-up access to your network.
Outsourced corporate access through service providers.
RADIUS is an industry standard protocol, described in RFC 2138, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2139, "RADIUS Accounting," for providing authentication, authorization, and accounting services. A RADIUS client, typically a dial-up server used by an Internet service provider (ISP), sends user and connection information to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request.
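The exchange just described, reduced to the wire format, as an added example (not code from the paper or from IAS): a RADIUS client builds an Access-Request with a PAP User-Password hidden under the shared secret as RFC 2138 specifies, and a server parses it, checks the credential against a constructed user store, and answers with an Access-Accept or Access-Reject whose Response Authenticator the client then verifies. The shared secret, user name, password and NAS address are constructed sample values; the attribute type numbers and the MD5-based hiding and authenticator rules are the ones RFC 2138 defines.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(atype, value):
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2138 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the mask for block n derives from hidden block n-1."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, nas_port, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed lengths."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:      # a zero/short length would loop forever
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: the reply must carry our identifier and an authenticator chained to
    our Request Authenticator under the shared secret, otherwise it is discarded."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_id, req_auth, _ = parse_packet(request)
    if identifier != req_id:
        return False
    header = struct.pack("!BBH", code, identifier, len(response))
    expected = hashlib.md5(header + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(request, secret, user_db):
    """Server side: unhide the PAP password, compare it to the store, and answer."""
    code, _, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    ok = (user in user_db and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, req_auth), user_db[user]))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"                    # constructed sample secret
    users = {b"alice": b"s3cret-pw"}                     # constructed sample user store
    req = build_access_request(7, b"alice", b"s3cret-pw", secret, "192.0.2.10", 3)
    resp = authenticate(req, secret, users)
    print("accepted" if parse_packet(resp)[0] == ACCESS_ACCEPT else "rejected",
          "authenticator ok" if verify_response(resp, req, secret) else "authenticator BAD")
```

Two properties of the protocol stand out in the code: the shared secret is the only thing that ties a NAS to the server, so its strength and distribution matter as much as the user credentials, and the PAP password is masked with an MD5 keystream rather than encrypted, which is one reason the paper's later sections favor CHAP, MS-CHAP and EAP over PAP where the NAS supports them.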
The Windows 2000 Routing and Remote Access service includes a RADIUS client so that a Windows 2000 remote access server can be used by ISPs or corporate remote access users who use RADIUS for authentication or accounting.
You can configure the Windows 2000 remote access server authentication and accounting providers separately. A Windows 2000 remote access server can use Windows authentication as its authentication provider and RADIUS as its accounting provider. You can configure multiple RADIUS servers so that when the primary RADIUS server becomes unavailable, secondary RADIUS servers are automatically used.
Windows 2000 IAS features include:
Centralized PPP-based connection authentication and authorization.
Centralized administration of dial-up and VPN connections.
Centralized auditing and usage accounting.
Integration with Windows 2000 Routing and Remote Access service.
Centralized PPP-based Connection Authentication and Authorization
The authentication of users attempting connections is an important security concern. Because IAS supports a variety of authentication protocols, you can choose the authentication method that meets your security requirements.
The following section describes the authentication methods supported in Windows 2000.
IAS supports the authentication protocols within the Point-to-Point Protocol (PPP), such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) versions 1 and 2, and Extensible Authentication Protocol (EAP). PPP is a set of industry-standard framing and authentication protocols that enables remote access solutions to be interoperable in a multi-vendor network.
EAP is an infrastructure that allows the addition of arbitrary authentication methods such as smart cards, certificates, one-time passwords, and token cards.
Dialed Number Identification Service (DNIS) is an authorization method based on the number called by the user.
Automatic Number Identification/Calling Line Identification (ANI/CLI) is an authorization method based on the number from which the user calls. ANI is also known as caller ID.
Guest authentication is an authorization method through which the caller does not send a user name or password during the authentication process. If unauthenticated access is enabled, the Guest account is used as the identity of the caller by default.
To grant the connecting user appropriate access to the network, IAS authenticates users in Windows 2000 Active Directory service domains, Microsoft Windows NT 4.0 domains, or the local Security Accounts Manager (SAM) in Windows 2000. IAS supports new features in Active Directory, such as user principal names and universal groups.
Remote access policies are a set of conditions that network administrators can use to get more flexibility in granting remote access. They provide flexibility in controlling who is allowed to connect to your network. Although it is simple to manage remote access permission for each user account, this approach can become unwieldy as your organization grows. Remote access policies provide a more powerful and flexible way to manage remote access permission.
You can use remote access policies to control remote access based on a variety of conditions, such as:
User membership in a Windows security group.
The connection time of day or day of the week.
The type of media through which the user is connecting (for example, ISDN, modem, or a VPN tunnel).
The type of VPN tunneling protocol used (Point-to-Point Tunneling Protocol or Layer Two Tunneling Protocol).
The phone number the user calls.
The phone number from which the user calls.
Each remote access policy contains a profile of settings that control connection parameters. For example, you can:
Permit or deny the use of certain authentication methods.
Control the amount of time the connection can be idle.
Control the maximum time of a single session.
Control the number of links in a Multilink session.
Control encryption settings.
Add packet filters, controlling what the user can access when connected to the network. For example, you can use filters to control from which IP addresses, hosts, and ports the user is allowed to send or receive packets.
Create a mandatory tunnel that forces all packets from that connection to be securely tunneled through the Internet and terminated in a private network.
Allow users to request a specific IP address or specify that the remote access server must assign an IP address.
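The condition and profile lists above, turned into a small evaluator as an added example (not code from the paper or from IAS): policies are checked in order, every configured condition of a policy must hold for it to match, the first matching policy decides, and a connection that matches no policy is rejected. The policies, groups, phone numbers and timeouts are constructed sample values; the first-match and deny-by-default ordering is the model assumed here.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Policy:
    """One remote access policy: conditions (empty = not configured) plus a profile."""
    name: str
    grant: bool = True
    groups: set = field(default_factory=set)          # caller must be in at least one
    weekdays: set = field(default_factory=set)        # 0 = Monday ... 6 = Sunday
    hours: tuple = None                               # (start_hour, end_hour), end exclusive
    media: set = field(default_factory=set)           # e.g. "Async", "ISDN", "Virtual"
    tunnel_types: set = field(default_factory=set)    # "PPTP" or "L2TP"
    called_numbers: set = field(default_factory=set)  # DNIS: number the user dialed
    calling_numbers: set = field(default_factory=set) # ANI/CLI: number the user calls from
    profile: dict = field(default_factory=dict)       # settings applied on accept


def matches(p, a):
    """Every configured condition must hold; unconfigured conditions match anything."""
    if p.groups and not (p.groups & a["groups"]):
        return False
    if p.weekdays and a["when"].weekday() not in p.weekdays:
        return False
    if p.hours and not (p.hours[0] <= a["when"].hour < p.hours[1]):
        return False
    if p.media and a["media"] not in p.media:
        return False
    if p.tunnel_types and a.get("tunnel") not in p.tunnel_types:
        return False
    if p.called_numbers and a.get("called") not in p.called_numbers:
        return False
    if p.calling_numbers and a.get("calling") not in p.calling_numbers:
        return False
    return True


def evaluate(policies, attempt):
    """Return (decision, policy name, profile). First matching policy wins;
    a matching policy can still reject if its profile forbids the auth method."""
    for p in policies:
        if not matches(p, attempt):
            continue
        if not p.grant:
            return ("reject", p.name, None)
        allowed = p.profile.get("auth_methods")
        if allowed and attempt["auth"] not in allowed:
            return ("reject", p.name, None)
        return ("accept", p.name, p.profile)
    return ("reject", None, None)          # no policy matched: deny by default


# Constructed sample policies, in evaluation order.
SAMPLE_POLICIES = [
    Policy("Deny guests", grant=False, groups={"Guests"}),
    Policy("VPN staff", groups={"VPN-Users"}, media={"Virtual"}, tunnel_types={"L2TP"},
           profile={"auth_methods": {"MS-CHAPv2", "EAP"}, "idle_timeout_min": 10,
                    "session_timeout_min": 480, "encryption": "strongest",
                    # packet filter: the connection may only reach the intranet range
                    "filters": [("permit", "10.0.0.0/8"), ("deny", "0.0.0.0/0")]}),
    Policy("Business hours dial-in", groups={"Dial-In"}, weekdays={0, 1, 2, 3, 4},
           hours=(8, 18), media={"Async", "ISDN"},
           profile={"auth_methods": {"MS-CHAPv2"}, "max_links": 2, "idle_timeout_min": 20}),
]


def decide(groups, when, media, auth, tunnel=None, called=None, calling=None):
    """Build a connection attempt from RADIUS-style attributes and evaluate it."""
    attempt = {"groups": set(groups), "when": when, "media": media, "auth": auth,
               "tunnel": tunnel, "called": called, "calling": calling}
    return evaluate(SAMPLE_POLICIES, attempt)


if __name__ == "__main__":
    tue_10 = datetime(2024, 6, 4, 10, 0)   # constructed: a Tuesday at 10:00
    print(decide({"VPN-Users"}, tue_10, "Virtual", "MS-CHAPv2", tunnel="L2TP"))
    print(decide({"Dial-In"}, datetime(2024, 6, 8, 10, 0), "Async", "MS-CHAPv2"))  # Saturday
```

Ordering is the security-relevant detail: the explicit deny for Guests sits first so that a user who is in both Guests and VPN-Users is still rejected, and the fall-through reject means a connection that fits none of the administrator's intended cases is never accepted by accident.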
Centralized Administration of Dial-up and VPN Connections
Support for the RADIUS standard allows IAS to control connection parameters for any network access server that implements that standard. The RADIUS standard also allows individual remote access vendors to create proprietary extensions called vendor-specific attributes. IAS has the extensions from a number of vendors incorporated into its multi-vendor dictionary.
Centralized Auditing and Usage Accounting
Support for the RADIUS standard allows IAS to collect the usage (accounting) records sent by a NAS at a single point. IAS logs audit information (for example, authentication Accepts and Rejects) and usage information (for example, logon and logoff records) to log files. IAS supports a log file format that can be directly imported into a database. The data in the database can be analyzed by using other data-analysis software.
Integration with Windows 2000 Routing and Remote Access Service
The Windows 2000 Routing and Remote Access service can be configured to use Windows authentication and accounting or to use RADIUS authentication and accounting. When RADIUS authentication or accounting is selected, any RFC-compliant RADIUS server can be used. However, using an IAS server is recommended to take advantage of centralized remote access policies.
For example, in a small network environment or in branch offices with a small number of remote access servers and no requirements for centralized management of remote access, the Routing and Remote Access service can be configured to use Windows authentication and accounting.
In a global enterprise with large numbers of remote access servers deployed worldwide, centralized authentication and accounting using IAS can be beneficial. However, if a small branch office has a high-latency connection to the global enterprise with the centralized IAS server, the Windows authentication and accounting configuration can be copied from a central location to the remote access servers of the branch office.
IAS and the Routing and Remote Access service share the same remote access policies, authentication, and accounting-logging capabilities. When the Routing and Remote Access service is configured for Windows authentication, local policies and logging are used. When the Routing and Remote Access service is configured as a RADIUS client to an IAS server, the policies and logging of the IAS server are used.
This integration provides consistent implementation across IAS and the Routing and Remote Access service. You can deploy the Routing and Remote Access service in small sites without the need for a separate, centralized IAS server. It also provides the capability to scale up to a centralized remote access management model when you have multiple remote access servers in your organization. In this case, IAS, in conjunction with remote access servers, implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access. The policies within IAS at a central large site can be exported to the independent remote access server in a small site.
Outsourced dialing involves a contract between an organization or private company and an ISP in which the ISP allows the organization's employees to connect to the ISP’s network before establishing the VPN tunnel to the organization’s private network. When an employee connects to the ISP’s remote access server, the authentication and usage records are forwarded to the IAS server at the organization. The IAS server allows the organization to control user authentication, track usage, and manage which employees are allowed to gain access to the ISP’s network.
The advantage of outsourcing is the potential savings. For example, by using an ISP’s routers, network access servers, and T1 lines, you can save a great deal on hardware and other costs related to infrastructure. You can also decrease the cost of your long-distance phone bill by dialing into a local ISP with worldwide connections. By handing off support to the provider, you can eliminate a large amount of your administrative budget.
IAS is easy to administer with the following tools:
Graphical User Interface.
IAS provides a graphical user interface snap-in that enables you to configure local or remote IAS servers.
The Internet Authentication Service administrative tool can be used to administer local or remote IAS servers from a central location.
You can monitor IAS by using Windows 2000-based tools, such as Event Viewer or System Monitor, or by using Simple Network Management Protocol (SNMP).
Import/Export of Configuration to Manage Multiple IAS Servers.
IAS server configuration settings can be exported to a file and then imported to another IAS server. For more information, see the section on Remote Access Policy Management.
You can use IAS in a variety of network configurations of varying size, from stand-alone servers for small networks to large corporate and ISP networks.
To provide fault tolerance for RADIUS authentication and accounting, two IAS servers are used: a primary server and a backup server. The primary IAS server handles all RADIUS requests until it becomes unavailable. When the primary server becomes unavailable, the RADIUS client automatically uses the backup IAS server.
In very high volume configurations, multiple servers running IAS using an IP load-balancing scheme act as the primary IAS server. An IP load-balancing cluster dynamically balances the load of RADIUS requests across the multiple servers in the cluster.
IAS functionality can be extended through the IAS Software Development Kit (SDK) and the EAP Software Development Kit, available in the Windows 2000 Software Development Kit.
IAS SDK can be used to implement additional features. You can extend IAS functionality to:
Return custom attributes to the network access server (NAS) in addition to those returned by IAS, enabling you to build your own plug-in for assigning IP addresses.
Control the number of simultaneous end-user network sessions.
Extend the remote access authorizations currently provided by IAS.
Import usage and audit data directly into an Open Database Connectivity (ODBC)-compliant database.
Create custom (non-EAP) authentication methods for IAS.
The EAP SDK provides the capability to implement arbitrary authentication methods. For more information on the IAS and EAP SDKs, see the Windows 2000 Software Development Kit.