Compulsory tunnels

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this example, a network administrator wants to enable the use of compulsory tunnels for organization employees when they dial an outsourced Internet vendor.

To provide RADIUS authentication, authorization, and accounting for the outsourced dial-up and Internet vendor, an IAS server computer, used as a RADIUS proxy, is placed on the organization's perimeter network. A connection request policy is configured on the IAS server computer to forward RADIUS request messages, where the User-Name attribute contains the realm name example.microsoft.com, to a remote RADIUS server group that corresponds to primary and backup IAS servers inside an organization intranet. The policy is also configured to add the set of attributes required in creating a compulsory tunnel to a VPN server with the Layer Two Tunneling Protocol (L2TP). The VPN server has the IP address of 131.107.9.41 and uses the example tunnel password of og*37y#cW@95?4xT.

To implement this connection request policy example, complete the following steps:

  1. Use the New Remote RADIUS Server Wizard to create a new remote RADIUS server group named Intranet IAS servers. Configure the group with primary and backup servers that correspond to the two IAS server computers in the organization intranet.

    For more information, see Add a remote RADIUS server group.

  2. Use the New Connection Request Policy Wizard to create a new connection request policy named Forward to intranet IAS servers. Configure the policy to forward RADIUS requests whose realm name is example.microsoft.com, and then select the remote RADIUS server group named Intranet IAS servers. Do not remove the realm name before authentication.

    For more information, see Add a connection request policy.

  3. Configure the advanced properties for the profile of the connection request policy named Forward to intranet IAS servers with the following:

    • Add the Framed-Protocol attribute with the value set to PPP.

    • Add the Service-Type attribute with the value set to Outbound-User.

    • Add the Tunnel-Medium-Type attribute with the value set to IP.

    • Add the Tunnel-Password attribute with the value set to og*37y#cW@95?4xT.

    • Add the Tunnel-Server-Endpt attribute with the value set to 131.107.9.41.

    • Add the Tunnel-Type attribute with the value set to Layer Two Tunneling Protocol (L2TP).

      For more information, see Configure advanced attributes.

  4. Delete the default policy named Use Windows authentication for all users.

    For more information, see Delete a connection request policy.

Based on this connection request policy, all RADIUS request messages that contain the realm name example.microsoft.com in the User-Name attribute are forwarded to an IAS server in the organization intranet. When the Access-Accept message is sent back to the IAS server computer in the perimeter network, the set of attributes used to create a compulsory tunnel is added to the message before it is returned to the outsourced vendor's Front End Processor (FEP).

For more information about compulsory tunneling, see IAS and tunnels.