Using Common vs. Custom Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You must decide whether to use common or custom policies:

  • A common policy includes typical settings for a particular access method.

  • A custom policy includes a detailed configuration of a particular access method.

Create Specifications for a Common Policy

To create a common policy, you must specify the following:

  • An access method. The access method is used to configure the access server Port Type condition automatically. You can choose one of the following four access methods:

    • VPN access

    • Dial-up access

    • Wireless access

    • Ethernet switch access

  • Whether to grant access permissions by user or by group. If you choose to grant access by group, the Windows-Groups condition is automatically set to the chosen groups.

  • Authentication methods. For more information about how to configure authentication methods, see "Configure authentication" in Help and Support Center for Windows Server 2003.

  • Levels of allowed encryption (depending on the access method chosen). For more information about how to configure encryption, see "Configure encryption" in Help and Support Center for Windows Server 2003.

When you create a common policy, the remote access permission is always set to Grant remote access permission.

Create Specifications for a Custom Policy

For each custom policy, create detailed specifications for the following elements:

  • Conditions. Remote access policy conditions are one or more attributes that are compared to the settings of the connection attempt.

  • Remote access permission. Specify whether the permission is granted or denied if the conditions of a remote access policy are met.

  • Profile. Specify the remote access policy profile properties to set dial-in constraints and other restrictions.

For specific information about settings for each element, see Help and Support Center for Windows Server 2003 or the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).

Note

  • Not all network access servers send all of the RADIUS attributes. Consult the documentation for your network access server to see which attributes it sends.

Conditions

Specify the remote access conditions for each policy. Remote access policy conditions are one or more attributes that are compared to the settings of the connection attempt. A connection attempt matches a policy only if it matches all of the conditions of that policy; a single condition that does not match excludes the policy. IAS evaluates remote access policies in the order in which they are listed and uses the first policy that matches; the permission and profile settings of that policy alone are applied. If the connection attempt matches no policy, it is rejected.

Permission

Specify whether the permission is granted or denied if the conditions of a remote access policy are met. You use the Grant remote access permission option or the Deny remote access permission option to set remote access permission for a policy.

During the authorization process, the dial-in properties of user accounts are evaluated before remote access policy is applied. If the dial-in properties for the user account are set to Deny access, the connection attempt is rejected and remote access policies are not evaluated. When dial-in properties for the user account are set to Control access through Remote Access Policy, the remote access policy alone determines whether the user is granted access.

When the dial-in properties for the user account are set to Grant access, remote access policies are evaluated next. In this circumstance it is possible for the user to be denied access by settings in the remote access policy. For example, if the remote access policy is configured to allow the user to connect only between the hours of 8 AM and 5 PM and the user is attempting to connect at 6 PM, the connection attempt fails due to the settings in the remote access policy.

Profile

Specify the remote access policy profile properties to set dial-in constraints and other restrictions. These properties are applied to a connection after the connection is authorized, whether the connection has been authorized through the user account permission setting or the remote access policy.

You can use these properties to specify the series of RADIUS attributes that are sent back to the RADIUS client by the IAS server, including any vendor-specific attributes you are using. For more information about VSAs, see "Configuring IAS for Compatibility with Third-Party Access Servers" later in this chapter.

Note

  • Elements of a remote access policy correspond to RADIUS attributes that are used during RADIUS-based authentication. For an IAS server, verify that the network access servers that you use send the RADIUS attributes that correspond to the configured remote access policy conditions, and honor the attributes that the profile settings return. If an access server does not send a RADIUS attribute that corresponds to a remote access policy condition, that condition can never match and the policy is skipped; if no other policy matches, every connection attempt from that access server is rejected.
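The following example, added to this page and not part of the Microsoft documentation, models the evaluation order described in the Conditions, Permission, and Profile sections and in the note above: the dial-in property of the user account is checked first, then the remote access policies in order, and the first policy whose conditions all match supplies the permission and the profile. The policy names, group names, attribute values, the hour passed in place of the IAS server clock, and the reduction of the profile to an allowed-hours constraint plus returned attributes are assumptions made for the illustration. The model also encodes two points of IAS behavior that the page states only by example: an account set to Allow access overrides the permission setting of the matching policy but the profile constraints of that policy still apply, and a condition on an attribute the access server did not send never matches.

```python
"""Model of IAS remote access authorization: account dial-in property first,
then the remote access policies in order (first match wins), then the matched
policy's permission and profile. Added illustration, not Microsoft code."""
from dataclasses import dataclass, field

# Values of the dial-in property on the user account.
DENY_ACCESS = "Deny access"
ALLOW_ACCESS = "Allow access"
CONTROL_THROUGH_POLICY = "Control access through Remote Access Policy"


def _as_set(value):
    """Windows-Groups carries several values; most attributes carry one."""
    return set(value) if isinstance(value, (set, frozenset, list, tuple)) else {value}


@dataclass
class Policy:
    name: str
    # Conditions: attribute -> acceptable value(s). Every condition must match,
    # and an attribute that is absent from the request can never match.
    conditions: dict
    grant: bool                          # Grant vs. Deny remote access permission
    # Profile: only the dial-in constraint "allowed hours" is modelled, as
    # (start_hour, end_hour) with end exclusive, plus attributes returned to
    # the access server in the Access-Accept (assumed shape, not the IAS UI).
    allowed_hours: tuple = None
    profile_attributes: dict = field(default_factory=dict)

    def matches(self, request: dict) -> bool:
        for attr, allowed in self.conditions.items():
            if attr not in request:
                return False
            if not _as_set(request[attr]) & _as_set(allowed):
                return False
        return True


def authorize(dialin: str, request: dict, policies: list, hour: int):
    """Return (accepted, returned_attributes, reason). `hour` stands in for
    the IAS server clock that day-and-time restrictions are checked against."""
    if dialin == DENY_ACCESS:
        return False, {}, "account is Deny access; policies not evaluated"
    policy = next((p for p in policies if p.matches(request)), None)
    if policy is None:
        return False, {}, "no remote access policy matches; request rejected"
    # Under Control access through Remote Access Policy the policy's permission
    # decides. Under Allow access the account overrides the policy's permission,
    # but the profile constraints of the matched policy still apply.
    if dialin == CONTROL_THROUGH_POLICY and not policy.grant:
        return False, {}, f"'{policy.name}' denies remote access permission"
    if policy.allowed_hours is not None:
        start, end = policy.allowed_hours
        if not start <= hour < end:
            return False, {}, f"'{policy.name}' profile: outside allowed hours"
    return True, dict(policy.profile_attributes), f"'{policy.name}' grants access"


# Constructed policies shaped like the common-policy wizard's output: the access
# method becomes a NAS-Port-Type condition, the group a Windows-Groups condition.
POLICIES = [
    Policy(name="VPN access for Staff",
           conditions={"NAS-Port-Type": "Virtual (VPN)",
                       "Windows-Groups": ["CONTOSO\\VPN Users"]},
           grant=True,
           allowed_hours=(8, 17),        # the 8 AM to 5 PM example above
           profile_attributes={"Framed-Protocol": "PPP", "Session-Timeout": 3600}),
    Policy(name="Wireless access for Staff",
           conditions={"NAS-Port-Type": "Wireless - IEEE 802.11",
                       "Windows-Groups": ["CONTOSO\\Wireless Users"]},
           grant=True),
    Policy(name="Deny dial-up for Contractors",
           conditions={"NAS-Port-Type": ["Async", "ISDN"],
                       "Windows-Groups": ["CONTOSO\\Contractors"]},
           grant=False),
]

# Constructed connection attempts. Windows-Groups is resolved by IAS from the
# user account rather than sent by the access server; it is shown already resolved.
VPN_REQUEST = {"User-Name": "CONTOSO\\alice", "NAS-Port-Type": "Virtual (VPN)",
               "Windows-Groups": ["CONTOSO\\Domain Users", "CONTOSO\\VPN Users"]}
DIALUP_REQUEST = {"User-Name": "CONTOSO\\carol", "NAS-Port-Type": "Async",
                  "Windows-Groups": ["CONTOSO\\Domain Users", "CONTOSO\\Contractors"]}
# An access server that omits NAS-Port-Type: no policy conditioned on it can match.
SWITCH_REQUEST = {"User-Name": "CONTOSO\\bob",
                  "Windows-Groups": ["CONTOSO\\Domain Users", "CONTOSO\\Wireless Users"]}

if __name__ == "__main__":
    for label, dialin, req, hour in [
        ("VPN, policy controls, 9 AM", CONTROL_THROUGH_POLICY, VPN_REQUEST, 9),
        ("VPN, policy controls, 6 PM", CONTROL_THROUGH_POLICY, VPN_REQUEST, 18),
        ("VPN, account Allow, 6 PM", ALLOW_ACCESS, VPN_REQUEST, 18),
        ("VPN, account Deny, 9 AM", DENY_ACCESS, VPN_REQUEST, 9),
        ("Dial-up, policy controls", CONTROL_THROUGH_POLICY, DIALUP_REQUEST, 9),
        ("Dial-up, account Allow", ALLOW_ACCESS, DIALUP_REQUEST, 9),
        ("Switch omits NAS-Port-Type", CONTROL_THROUGH_POLICY, SWITCH_REQUEST, 9),
    ]:
        accepted, attrs, reason = authorize(dialin, req, POLICIES, hour)
        print(f"{label:28} -> {'ACCEPT' if accepted else 'REJECT'}: {reason} {attrs}")
```

Run as a script, it prints the outcome of each constructed connection attempt. The request from the switch that omits NAS-Port-Type matches no policy and is rejected, which is the failure mode the note above describes; the remedy is either an access server that sends the attribute or a policy that does not depend on it. The dial-up case shows why Allow access on the account is a weaker control than Control access through Remote Access Policy: the account setting overrides the policy's Deny, and only the profile constraints remain in force.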