
How to Use IAS with a Third-Party User Accounts Database

Updated: March 31, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you deploy a third-party user accounts database for use with WPS technology, you must create and install two IAS extension DLLs:

  • An authorization extension DLL that provides the URL PEAP-TLV if the customer or user account does not exist, is expired, or is disabled.

  • An authentication extension DLL that retrieves the customer’s or user’s plaintext password from the third-party user accounts database and returns the password to IAS.

You can configure IAS for use with a third-party user accounts database by:

  • Creating and installing an EAP authentication extension DLL. Because PEAP-MS-CHAP v2 is required for WPS technology, you must write an EAP authentication extension DLL to retrieve the password from the third-party user account database.

  • Creating a new user account on your IAS server.

  • Configuring a connection request policy on your IAS server that maps all user accounts to one account on the IAS server.

  • Configuring a remote access policy in IAS that authorizes accounts mapped to the new account.

Create an IAS authentication extension DLL

Your IAS authentication extension DLL can use the following attributes:

  • ratProviderName. This attribute indicates the remote RADIUS server group to which the authentication request is forwarded. The related ratProviderType attribute is read-only; if ratProviderType indicates a RADIUS proxy, the extension DLL can change the value of ratProviderName to select the remote RADIUS server group to which the request should be forwarded.

  • ratClearTextPassword. To support use of a third-party user accounts database with PEAP-MS-CHAP v2, the IAS authentication extension DLL retrieves the user's password from the third-party database and returns it to IAS in this attribute.

The IAS authentication extension DLL must also keep track of ratUniqueId. After the password is retrieved for the ratUniqueId, you do not need to retrieve the password again. If the account does not exist, is disabled, or is expired, the reason code ratRejectReasonCode must be sent back to IAS.

For more information, see “How to Create an IAS Extension DLL and a URL PEAP-TLV” in this paper.
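The following is an added example, not Microsoft's code and not the IAS SDK: it models the decision logic described above for an authentication extension DLL in portable C so it can be compiled and run anywhere. A real DLL exports RadiusExtensionProcess2 and reads and writes the request through the control block declared in authif.h; here the request is reduced to its ratUniqueId and User-Name, and the two possible outputs are the password the DLL would return as ratClearTextPassword or the reason it would return as ratRejectReasonCode. The accounts database, the reject_reason enumerators, the process_request and forget_request functions, and the cache are all constructed for this example; the enumerator values are stand-ins, not the SDK's codes.

```c
/* Added example (not Microsoft's code, not the IAS SDK): portable model of an
 * IAS authentication extension for PEAP-MS-CHAP v2 users held in a third-party
 * accounts database. Assumed names: TP_DB, reject_reason, process_request,
 * forget_request. A real DLL does this inside RadiusExtensionProcess2. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in reject reasons; map them to the SDK's reject codes when porting. */
enum reject_reason { REJECT_NONE = 0, REJECT_ACCOUNT_UNKNOWN, REJECT_ACCOUNT_DISABLED, REJECT_ACCOUNT_EXPIRED };

/* Constructed third-party accounts database. MS-CHAP v2 needs the password in
 * retrievable form, so this store must be protected as if it held plaintext. */
struct tp_account { const char *name; const char *password; int disabled; long expires; /* 0 = never */ };
static const struct tp_account TP_DB[] = {
    { "alice@example.com", "correct horse battery", 0, 0 },
    { "bob@example.com",   "hunter2",               1, 0 },
    { "carol@example.com", "Tr0ub4dor&3",           0, 1000000 },
};

int db_lookups = 0;   /* round trips to the third-party database */

/* Per-conversation cache keyed by ratUniqueId: IAS calls the DLL for every
 * RADIUS packet of the EAP exchange, but the password is fetched only once. */
#define MAX_PW 64
#define CACHE_SLOTS 8
struct cached { int in_use; uint32_t unique_id; enum reject_reason reason; char password[MAX_PW]; };
static struct cached cache[CACHE_SLOTS];

/* Overwrite secrets in a way the optimizer will not elide. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

static struct cached *cache_find(uint32_t id) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].in_use && cache[i].unique_id == id) return &cache[i];
    return NULL;
}

static struct cached *cache_alloc(uint32_t id) {
    struct cached *slot = &cache[0];                 /* evict slot 0 if nothing is free */
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (!cache[i].in_use) { slot = &cache[i]; break; }
    wipe(slot, sizeof *slot);
    slot->in_use = 1;
    slot->unique_id = id;
    return slot;
}

/* The one database query per conversation: classify the account (unknown,
 * disabled, expired) and copy its password only when it is usable. */
static void lookup_account(const char *user, long now, struct cached *slot) {
    db_lookups++;
    slot->reason = REJECT_ACCOUNT_UNKNOWN;
    for (size_t i = 0; i < sizeof TP_DB / sizeof TP_DB[0]; i++) {
        if (strcmp(TP_DB[i].name, user) != 0) continue;
        if (TP_DB[i].disabled) { slot->reason = REJECT_ACCOUNT_DISABLED; return; }
        if (TP_DB[i].expires && TP_DB[i].expires <= now) { slot->reason = REJECT_ACCOUNT_EXPIRED; return; }
        snprintf(slot->password, sizeof slot->password, "%s", TP_DB[i].password);
        slot->reason = REJECT_NONE;
        return;
    }
}

/* One request of the conversation. Returns 1 and fills pw_out (what the DLL
 * would return as ratClearTextPassword), or 0 with *reason set (what it would
 * return as ratRejectReasonCode). Repeat calls for the same id hit the cache. */
int process_request(uint32_t unique_id, const char *user, long now,
                    char *pw_out, size_t pw_len, enum reject_reason *reason) {
    struct cached *slot = cache_find(unique_id);
    if (!slot) { slot = cache_alloc(unique_id); lookup_account(user, now, slot); }
    *reason = slot->reason;
    if (slot->reason != REJECT_NONE) return 0;
    snprintf(pw_out, pw_len, "%s", slot->password);
    return 1;
}

/* Call when the conversation ends so the plaintext does not outlive the EAP
 * exchange. Returns 1 if a cached entry was wiped, 0 if none existed. */
int forget_request(uint32_t unique_id) {
    struct cached *slot = cache_find(unique_id);
    if (!slot) return 0;
    wipe(slot, sizeof *slot);
    return 1;
}

int main(void) {
    char pw[MAX_PW];
    enum reject_reason why;
    const char *users[] = { "alice@example.com", "bob@example.com", "carol@example.com", "mallory@example.com" };
    for (uint32_t i = 0; i < 4; i++) {
        int ok = process_request(1000 + i, users[i], 2000000, pw, sizeof pw, &why);
        printf("%-20s -> %s (reason %d)\n", users[i], ok ? "password supplied" : "rejected", why);
        forget_request(1000 + i);
    }
    return 0;
}
```

Two details carry over to a real DLL: the lookup happens once per ratUniqueId and later packets of the same conversation are served from the cache, and the cached plaintext is wiped as soon as the conversation is finished or the slot is reused.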

Install the IAS authentication extension DLL on the IAS server

After you have created your IAS extension DLL, you must install the DLL on your IAS server and configure DLL registry keys according to your needs.

To install your DLL

  1. Open Command Prompt and change directories to the folder that contains your DLL.

  2. Type the following: regsvr32 DLL_name.dll, where DLL_name.dll is the name of your DLL file.

Create a user account on the IAS server

You can create user accounts and group accounts in Active Directory to manage domain users. When you are not using Active Directory as your user accounts database, you can create user accounts and group accounts on a local computer to manage users specific to that computer.

To deploy IAS with a third-party user accounts database, you must create one user account on your IAS server to which you can map all user accounts in the third-party database. Your extension DLL performs authentication against the third-party database, while IAS performs authorization with the user account you create on the IAS server.

To create a user account on the IAS server

  1. Open Computer Management. To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  2. In Computer Management, under System Tools, click Local Users and Groups. In the details pane, double-click Users.

  3. On the Action menu, click New User. The New User dialog box opens.

  4. In User Name, type a name for the account. In Password and Confirm Password, type a strong password. Clear the User must change password at next logon check box, and then select the User cannot change password and Password never expires check boxes.

  5. Click Create, and then click Close.

Note
By default, user accounts created on the local computer in Windows Server 2003 have dial-in properties set to Control access through Remote Access Policy. This is the correct setting for the user account you have created and the setting should not be changed.

For more information, see “Strong passwords” in Help and Support Center for Windows Server 2003 or on the Web at http://go.microsoft.com/fwlink/?LinkId=34427.

Configure IAS connection request policy

To configure IAS connection request policy

  1. Open Internet Authentication Service.

  2. In the console tree, double-click Connection Request Processing, and then click Connection Request Policies.

  3. In the details pane, double-click the policy that you want to configure. For example, double-click the default policy, named Use Windows authentication for all users.

  4. In the Properties dialog box, click Edit Profile.

  5. On the Authentication tab, click Authenticate requests on this server.

  6. On the Attribute tab, confirm that the User-Name attribute is selected in Attribute. If it is not selected, click Attribute, select User-Name, and then click Add.

  7. The Attribute Manipulation Rule dialog box opens. In Find, type pattern matching syntax that matches all values for User-Name that are passed to IAS by your access servers. For example, if values for the User-Name attribute match the syntax user@example.com, type (.*)@.*.

  8. In Replace with, type the name of the local computer and the name of the user account you created on the IAS server in the following syntax: computer-name\user.

  9. Click OK twice.

Note
If you copy the IAS connection request policy described above to another IAS server, change the attribute manipulation rule by changing the computer name and user name in the rule to the computer name of the new server and the user name of an account on the new server. If you do not change the computer name and user name specified in the rule, attribute manipulation on the new server will not work.

For more information, see “Pattern Matching Syntax” in Help and Support Center for Windows Server 2003 or on the Web at http://go.microsoft.com/fwlink/?LinkId=41049.
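The following is an added example, not Microsoft's code: it models the User-Name attribute manipulation rule from steps 7 and 8 using POSIX extended regular expressions as a stand-in for the IAS pattern matching engine. The computer name IAS01, the account name wpsuser, the sample User-Name values, and the apply_username_rule and count_unmapped functions are all constructed for this example. It adds one check the procedure implies but does not spell out: any User-Name form that the Find pattern does not match is passed through unchanged and is therefore never mapped to the local account.

```c
/* Added example (not Microsoft's code): model of the connection request
 * policy's User-Name Find/Replace rule. Assumed names: apply_username_rule,
 * count_unmapped, IAS01\wpsuser and the sample User-Name values. POSIX ERE
 * stands in for the IAS pattern matching engine. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Apply one Find/Replace rule: the span matched by `find` is replaced by the
 * literal `replace`; a value the pattern does not match passes through
 * unchanged. Returns 1 if the rule fired, 0 if it did not, -1 on a bad pattern.
 * (IAS also expands $1-style backreferences in the replacement; this model does
 * not, which is enough for the constant replacement used in the procedure.) */
int apply_username_rule(const char *find, const char *replace,
                        const char *user_name, char *out, size_t outlen) {
    regex_t re;
    regmatch_t m[1];
    if (regcomp(&re, find, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&re, user_name, 1, m, 0);
    regfree(&re);
    if (rc != 0) {
        snprintf(out, outlen, "%s", user_name);
        return 0;
    }
    snprintf(out, outlen, "%.*s%s%s", (int)m[0].rm_so, user_name,
             replace, user_name + m[0].rm_eo);
    return 1;
}

/* Check for step 7: count the User-Name forms in `samples` that the Find
 * pattern does NOT match. Each unmatched form reaches authorization under its
 * original name instead of the mapped local account. */
int count_unmapped(const char *find, const char *const *samples, int n) {
    char out[256];
    int unmapped = 0;
    for (int i = 0; i < n; i++)
        if (apply_username_rule(find, "mapped", samples[i], out, sizeof out) != 1) unmapped++;
    return unmapped;
}

int main(void) {
    /* Constructed User-Name values as different access servers might send them. */
    const char *const samples[] = { "alice@example.com", "alice", "EXAMPLE\\alice" };
    char out[256];
    for (int i = 0; i < 3; i++) {
        int fired = apply_username_rule("(.*)@.*", "IAS01\\wpsuser", samples[i], out, sizeof out);
        printf("%-18s -> %s%s\n", samples[i], out, fired ? "" : "   (rule did not fire)");
    }
    printf("forms left unmapped by (.*)@.* : %d\n", count_unmapped("(.*)@.*", samples, 3));
    printf("forms left unmapped by .*      : %d\n", count_unmapped(".*", samples, 3));
    return 0;
}
```

Run count_unmapped against the User-Name forms your access servers actually send (with and without a realm, and in the DOMAIN\user form) before committing the rule; a non-zero count means the Find pattern needs widening or a second rule.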

Configure IAS remote access policy

There are two remote access policies configured for WPS technology. The Guest access policy provides network parameters and rules for users connecting as guest. The Valid users access policy provides network parameters and rules for users who have valid WISP accounts.

To configure the Guest access policy

  1. Open the Internet Authentication Service snap-in and, if necessary, double-click Internet Authentication Service.

  2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

  3. Use the New Remote Access Policy Wizard to create a policy. For the WISP guest access policy, you can choose the following:

    1. For How do you want to set up this policy? verify that Use the wizard to set up a typical policy for a common scenario is selected.

    2. For Policy name, type Guest access (or type another name for your policy that you prefer).

    3. For Select the method of access for which you want to create a policy, click Wireless.

    4. For Grant access based on the following, click User.

    5. In Select the EAP type for this policy, select Protected EAP (PEAP), and then click Configure.

    6. In Certificate issued, select the certificate that you want the IAS server to use to verify its identity to client computers. Also select the Enable Fast Reconnect check box.

After you have completed creating the policy and have closed the wizard by clicking Finish, you need to perform additional policy configuration. In the IAS console, click Remote Access Policies, and then double-click the policy you just created.

To complete configuration of the Guest access policy

  1. In the policy Properties dialog box, for Policy conditions, click Add.

  2. In Attribute Types, click Day-And-Time-Restrictions, and then click Add. In Time of day restraints, select Permitted, configure the days and times that access is permitted, and then click OK.

  3. In the policy Properties dialog box, click Grant remote access permission.

  4. Click Edit Profile. On the Authentication tab, in Unauthenticated access, click Allow clients to connect without negotiating an authentication method.

Configure the Valid users policy

To configure the Valid users remote access policy

  1. Open Internet Authentication Service.

  2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

  3. Use the New Remote Access Policy Wizard to create a policy. For the remote access policy, you can choose the following:

    1. For How do you want to set up this policy? verify that Use the wizard to set up a typical policy for a common scenario is selected.

    2. For Policy name, type Valid Users (or type another name for your policy that you prefer).

    3. For Select the method of access for which you want to create a policy, click Wireless.

    4. For Grant access based on the following, click User.

    5. In Select the EAP type for this policy, select Protected EAP (PEAP), and then click Configure.

    6. In Certificate issued, select the certificate that you want the IAS server to use to verify its identity to client computers. Also select the Enable Fast Reconnect check box.

After you have completed creating the policy and have closed the wizard by clicking Finish, you need to perform additional policy configuration.

To complete configuration of the Valid users remote access policy

  1. In the IAS console, click Remote Access Policies, and then double-click the policy you just created.

  2. In Attribute Types, click Day-And-Time-Restrictions, and then click Add. In Time of day restraints, select Permitted, configure the days and times that access is permitted, and then click OK.

  3. In the policy Properties dialog box, click Grant remote access permission.

  4. Click Edit Profile. On the Authentication tab, clear all check boxes except Strongest encryption (MPPE 128 bit).

Note
If you are isolating client computers by using VLANs, you must also add VLAN attributes to the Valid Users access policy. If you are isolating client computers by using IP filters, you must add IP filters to the access policy.

© 2014 Microsoft. All rights reserved.