Deploy an IAS Server for RADIUS Authentication
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
For a site-to-site only connection, you use Windows authentication and do not need to deploy an IAS server. However, if you use the same answering router for both a site-to-site connection and a remote access connection that supports mobile or home users, you might decide to use RADIUS authentication instead. If you plan to use RADIUS authentication and Windows Server 2003 IAS, you must have an IAS server available in your network. Deploying an IAS server is the same for both dial-up and VPN site-to-site connections.
To enable RADIUS authentication
Install an IAS server. To ensure that RADIUS authentication and accounting services remain available, configure both a primary IAS server and one or more backup (secondary) IAS servers to provide redundancy and fault tolerance.
Register the IAS servers in the appropriate Active Directory domain.
Configure the primary IAS server with RADIUS clients corresponding to your answering routers.
Configure each answering router with the RADIUS servers of your primary and secondary RADIUS servers.
After you enable the Routing and Remote Access service, configure remote access policies that reflect your dial-up or VPN connection requirements on the primary IAS server. For more information, see "Configure the Routing and Remote Access Service and Demand-Dial Interfaces" and "Configure a Remote Access Policy" later in this chapter.
Configure logging methods for user authentication and accounting requests.
Copy the IAS configuration (including the remote access policies) from the primary IAS server to the secondary IAS server.
For more information about installing an IAS server and using it for RADIUS authentication, see "Deploying Internet Authentication Service (IAS)" in this book, and see Checklist: Configuring IAS for dial-up and VPN access in Help and Support Center for Windows Server 2003.