Using RADIUS for multiple remote access servers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you have more than one remote access server, rather than administer the remote access policies of all the remote access servers separately, you can configure a single server with the Internet Authentication Service (IAS) as a Remote Authentication Dial-In User Service (RADIUS) server and configure the remote access servers as RADIUS clients. The IAS server provides centralized remote access authentication, authorization, accounting, and auditing.

For more information about IAS, see Features of IAS.

If you want to configure the remote access servers and the IAS server, complete the following steps:

  • Configure the remote access server.

  • Configure the remote access server for RADIUS authentication.

  • Configure the remote access server for RADIUS accounting.

  • Configure the IAS server.

Configuring the remote access server

You must configure the server running Routing and Remote Access to provide remote access to either dial-up networking clients or virtual private networking clients. For more information, see the following:

Configuring the remote access server for RADIUS authentication

When you configure the properties of the server running Routing and Remote Access, select RADIUS authentication as the authentication provider. For more information, see Use RADIUS authentication.

When you add a RADIUS server, you must configure the following:

  • Server name

    The host name or IP address of the IAS server.

  • Secret

    The server running Routing and Remote Access and the IAS server share a secret that is used to encrypt messages sent between them. You must configure both the remote access server and the IAS server to use the same shared secret.

  • Port

    The remote access server must send its authentication requests to the UDP port on which the IAS server is listening. The default value of 1812 is based on RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)" and does not need to be changed when you are using an IAS server.
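To show why both ends must hold the same shared secret, the following added example (Python, not part of the original documentation or of IAS) implements the two RFC 2865 operations that depend on it: hiding the User-Password attribute in an Access-Request and computing the Response Authenticator on the reply. The function names, secrets, and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RFC 2865 attribute types

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password using the server's copy of the secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # type, length, value

def access_request(ident, user, password, secret, request_auth):
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def access_accept(ident, request_auth, secret, attrs=b""):
    """Reply whose authenticator is MD5(code + id + length + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(reply, request_auth, secret):
    """Client side: recompute the Response Authenticator with the client's secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed; a real Request Authenticator is 16 random bytes
    good, typo = b"constructed-secret", b"constructed-secert"  # client copy vs. mistyped copy
    print(reveal_password(hide_password(b"example-pw", good, ra), typo, ra))  # garbage bytes
    print(response_is_authentic(access_accept(1, ra, good), ra, typo))  # mismatch is detected
```

With mismatched secrets the server recovers garbage instead of the password, and the client cannot validate any reply, so a typo in one copy of the secret shows up as failed or unanswered authentication attempts.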

Configuring the remote access server for RADIUS accounting

When you configure the properties of the server running Routing and Remote Access, select RADIUS accounting as the accounting provider. For more information, see Use RADIUS accounting.

When you add a RADIUS server, you must configure the following:

  • Server name

    The host name or IP address of the IAS server.

  • Secret

    The server running Routing and Remote Access and the IAS server share a secret that is used to encrypt messages sent between them. You must configure both the remote access server and the IAS server to use the same shared secret.

  • Port

    The remote access server must send its accounting requests to the UDP port on which the IAS server is listening. The default value of 1813 is based on RFC 2866, "RADIUS Accounting" and does not need to be changed when using an IAS server.

Configuring the IAS server

You need to configure the IAS server for domains and port numbers and register each of the remote access servers as clients. For more information, see Checklist: Configuring IAS for dial-up and VPN access.

Once the remote access servers are configured to use RADIUS authentication, the remote access policies stored on the remote access servers are no longer used. Instead, the remote access policies stored on the IAS server are used. Therefore, if one of the remote access servers contains the current set of remote access policies that are applied to all of the remote access servers, you can copy the remote access policies to the IAS server. For more information, see Copy the IAS configuration to another server.

Notes

  • If you have servers running Windows NT 4.0 and the Routing and Remote Access Service (RRAS) and you want to use remote access policies to authenticate incoming remote access connection attempts, you must configure the server running RRAS as a RADIUS client to an IAS server. You cannot configure remote access servers running Windows NT 4.0 as RADIUS clients. You must upgrade a remote access server running Windows NT 4.0 to a server running Windows NT 4.0 and RRAS.

  • To provide redundancy and fault tolerance, configure two IAS servers, a primary and a backup, and copy the remote access policies from the primary to the backup. Then configure each remote access server with two RADIUS servers that correspond to the primary and backup IAS servers. If the primary IAS server becomes unavailable, the remote access servers automatically begin to use the backup IAS server.

  • IAS is included as a part of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.