IAS as a RADIUS server design considerations
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
IAS as a RADIUS server design considerations
Consider the following design issues when deploying IAS as a RADIUS server:
The common uses of IAS as a RADIUS server
For more information about common ways to use IAS as a RADIUS server, see IAS as a RADIUS server.
IAS server domain membership
You must decide in which domain the IAS server computer is a member. For multiple domain environments, an IAS server can authenticate credentials for user accounts in the domain of which it is a member and all domains that trust this domain. To read the dial-in properties for user accounts, however, you must add the computer account of the IAS server to the RAS and IAS servers group for each domain. For more information, see Enable the IAS server to read user accounts in Active Directory. Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition also provide authentication across forests. For more information, see Accessing resources across forests.
You can configure the IAS server to receive RADIUS messages that are sent to UDP ports other than the default ports of 1812 and 1645 (for RADIUS authentication) and ports 1813 and 1646 (for RADIUS accounting). For more information, see Configure IAS port information.
A RADIUS client can be an access server (for example, a dial-up or VPN server, a wireless access point, or an Ethernet switch) or a RADIUS proxy. IAS supports all access servers and RADIUS proxies that comply with RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)."
Configure each access server or RADIUS proxy that sends RADIUS request messages to the IAS server as a RADIUS client on the IAS server. For each RADIUS client, you can configure a friendly name, an IP address or DNS name, the client vendor, the shared secret, and whether to use the RADIUS Message Authenticator attribute. For more information, see Configure RADIUS Clients.
You can specify IP addresses or DNS names for RADIUS clients. In most cases, it is better to specify RADIUS clients with IP addresses. When you use IP addresses, IAS is not required to resolve host names at startup and will start much more quickly as the result. This is especially beneficial if your network contains a large number of RADIUS clients. You can use DNS names to specify RADIUS clients when you require something other than administrative flexibility (for example, the ability to map multiple RADIUS client IP addresses to a single DNS name).
IAS in Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition allows you to specify a RADIUS client by using an address range. The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, where w.x.y.z is the dotted decimal notation of the address prefix and p is the prefix length (the number of high order bits that define the network prefix). This is also known as Classless Inter-Domain Routing (CIDR) notation. An example is 192.168.21.0/24. To convert from subnet mask notation to network prefix length notation, p is the number of high order bits in the subnet mask that are set to 1.
Third-party access points
To determine whether a third-party access point is interoperable with IAS as a RADIUS server, refer to the third-party access point documentation for its use of RADIUS attributes and vendor-specific attributes.
To test basic interoperability for PPP connections, configure the access point and the access client to use Password Authentication Protocol (PAP). Use additional PPP authentication protocols until you have tested the ones that you are using for network access.
Connection request policy configuration
The default connection request policy named Use Windows authentication for all users is configured for IAS when it is used as a RADIUS server. For more information about the settings of the default connection request policy, see Connection request policies. Additional connection request policies can be used to define more specific conditions, manipulate attributes, and specify advanced attributes. Use the New Connection Request Policy Wizard to create either common or custom connection request policies. For more information about connection request policies and how to configure them when IAS is being used as a RADIUS server, see Introduction to connection request processing.
To correctly replace or convert realm names within the user name of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy. For more information, see Connection request policies and Configure attribute manipulation.
Remote access policy configuration
Remote access policies can be used to define specific conditions, set dial-in constraints, set allowed authentication protocols and encryption strength, and specify advanced attributes. Use the New Remote Access Policy Wizard to create either common or custom policies. For more information, see Introduction to remote access policies.
Remote access policies and authorization by user or group
In small organizations, you can manage authorization by setting the remote access permission on each user account. For a large organization, set the remote access permission on each user account to be controlled through remote access policy. Next, configure remote access policies to grant access by using group membership. For more information, see Introduction to remote access policies.
The use of additional RADIUS attributes and vendor-specific attributes
If you plan to return additional RADIUS attributes or vendor-specific attributes (VSAs) with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to the appropriate remote access policy. For more information, see Vendor-specific attribute overview and Configure Attributes for a Profile.
The use of logging
You can enable event logging for authentication events to assist with troubleshooting and debugging connection attempts. For more information, see Event logging for IAS. For information about logging user authentication and accounting requests for analysis and connection billing, see Logging user authentication and accounting requests.
To use interim accounting, first verify that your access server supports sending interim accounting messages. Next, add the Acct-Interim-Interval RADIUS attribute from the Advanced tab on the profile settings of the appropriate remote access policy. Configure the Acct-Interim-Interval attribute with the interval (in minutes) to send periodic interim accounting messages. For more information, see Add RADIUS attributes to a remote access policy. Next, enable logging of periodic status. For more information, see Select requests to be logged.
The Routing and Remote Access service supports sending interim accounting messages and is enabled from the properties of a RADIUS server when configuring the RADIUS accounting provider. For more information, see Use RADIUS accounting.
Performance and capacity planning
For information about tuning performance and using IAS in large organizations, see IAS Best Practices.
Multiple IAS servers
To provide fault tolerance for RADIUS-based authentication and accounting, you should always use at least two IAS servers. One IAS server is used as the primary RADIUS server and the other is used as a backup. Access servers are configured for both IAS servers. They switch to using the backup IAS server when the primary IAS server becomes unavailable. For information about how to synchronize the configuration of multiple IAS servers, see Managing multiple IAS servers.
You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.