IAS as a RADIUS proxy design considerations
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
IAS as a RADIUS proxy design considerations
Consider the following design issues when deploying IAS as a RADIUS proxy:
The common uses of IAS as a RADIUS proxy
For more information about common ways to use IAS as a RADIUS proxy, see IAS as a RADIUS proxy.
Connection request policy configuration
The default connection request policy named Use Windows authentication for all users is configured for IAS when it is used as a RADIUS server. To create a connection request policy to use IAS as a RADIUS proxy, you must first create a remote RADIUS server group. Next, create a connection request policy that forwards authentication requests to a remote RADIUS server group. Finally, either delete the default connection request policy or move the new connection request policy so that it is evaluated first. For more information, see Introduction to connection request processing. For an example of a connection request policy configured when IAS is being used as a RADIUS proxy, see Remote RADIUS server.
Realm replacement and attribute manipulation
To convert realm names and configure RADIUS message forwarding based on the realm name, you must configure attribute manipulation for the User-Name attribute on the appropriate connection request policy. For more information, see Connection request policies and Configure attribute manipulation. For an example of a connection request policy that forwards authentication requests based on a specific realm name, see Remote RADIUS server.
If you are using the MS-CHAP v2 authentication protocol, you cannot manipulate the User Name attribute if the connection request policy is used to forward the RADIUS message. The only exception occurs when a backslash character (\) is used and the manipulation only affects the information to the left of it. A backslash character is typically used to indicate a domain name (the information to the left of it) and a user account name within the domain (the information to the right of it). In this case, only attribute manipulation rules that modify or replace the domain name are allowed.
The use of additional RADIUS attributes and vendor-specific attributes
If you plan to return additional RADIUS attributes and vendor-specific attributes (VSAs) with RADIUS requests, you must add the RADIUS attributes and VSAs to the appropriate connection request policy. For more information, see Vendor-specific attribute overview and Configure advanced attributes.
Remote RADIUS server group configuration
To forward RADIUS requests, the connection request policy must be configured to use a remote RADIUS server group (a list of one or more RADIUS servers to which RADIUS messages are forwarded). For more information, see Remote RADIUS server groups and Configure Remote RADIUS Server Groups.
Copy logging information at the IAS proxy
The IAS proxy can record all RADIUS accounting information in the local log file. This creates a central location for all authentication and accounting information for all of the access servers of the IAS proxy. For more information, see Connection request policies.
Authentication and accounting ports
When you configure a server in a remote RADIUS server group, you can configure custom UDP ports to which RADIUS authentication and accounting messages are sent. The default UDP port for authentication requests is 1812. The default UDP port for accounting requests is 1813. For more information, see Remote RADIUS server groups and Configure the authentication and accounting settings of a group member.
Load balancing and failure detection
When you configure multiple servers in a remote RADIUS server group, you can configure settings that determine how the IAS server balances the load of authentication and accounting requests over the RADIUS servers in the group. You can use additional settings to configure IAS to detect and recover from the failure of a remote RADIUS server group member. For more information, see Configure the load balancing properties of a group member.
Multiple IAS servers
To provide fault tolerance for RADIUS-based authentication and accounting, you should always use at least two IAS servers. One IAS server is used as the primary RADIUS proxy and the other is used as a backup. Access servers or other RADIUS proxies are configured for both IAS servers. They switch to using the backup IAS proxy when the primary IAS proxy becomes unavailable. For information about how to synchronize the configuration of multiple IAS servers, see Managing multiple IAS servers.
You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.