Design IAS as a RADIUS Proxy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Designing IAS as a RADIUS proxy involves some or all of the following tasks:

• Planning the connection request policy

• Adding RADIUS and VSA attributes

• Planning for load balancing and failure detection

• Installing backup IAS proxies

For more information about configuring IAS as a RADIUS proxy, see "Deploy IAS as a RADIUS Proxy" later in this chapter and "Deploy IAS as a RADIUS Proxy" in Help and Support Center for Windows Server 2003.

Plan the connection request policy

The default connection request policy Use Windows authentication for all users is configured for IAS when it is used as a RADIUS server. To create a connection request policy to use IAS as a RADIUS proxy, complete the following steps:

1. Create a remote RADIUS server group on the domain that will authenticate the users.

2. Create a connection request policy that forwards authentication requests to the remote RADIUS server group.

3. Either delete the default connection request policy, or set the new connection request policy first in the order before the default connection request policy so that it is evaluated first.

Add RADIUS attributes and VSAs

If you plan to return additional RADIUS attributes and VSAs with RADIUS requests, you must add the RADIUS attributes and VSAs to the appropriate connection request policy.

Plan for load balancing and failure detection

When you configure multiple servers in a remote RADIUS server group, you can configure settings that determine how the IAS proxy server balances the load of authentication and accounting requests over the RADIUS servers in the group. You can use additional settings to configure IAS to detect and recover from the failure of a remote RADIUS server group member.

For more information about load balancing for remote RADIUS server group members, see "Configure the load balancing properties of a group member" in Help and Support Center for Windows Server 2003.

Install backup RADIUS proxies

To provide fault tolerance for RADIUS-based authentication and accounting, you must always use at least two IAS proxy servers. One IAS server is used as the primary RADIUS proxy, and the other is used as a backup. RADIUS clients (access servers or other RADIUS proxies) are configured on both IAS proxy servers. In addition, configure both the primary and backup IAS proxy servers on each RADIUS client. When the primary IAS proxy becomes unavailable, the access servers automatically use the backup RADIUS server instead.

For more information about synchronizing the configuration of multiple IAS servers, see "Managing multiple IAS servers" in Help and Support Center for Windows Server 2003.