Dial-up and VPNs with RADIUS

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Dial-up and VPNs with RADIUS

In addition to VPN-based remote access, the network administrator for Electronic, Inc. wants to provide modem-based dial-up remote access for employees of the New York office. All employees of the New York office belong to a Windows Server 2003 operating system group called NY_Employees. A separate remote access server running Windows Server 2003, Standard Edition, provides dial-up remote access at the phone number 555-0111. Rather than administer the remote access policies of both the VPN server and the remote access server separately, the network administrator is using a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; with Internet Authentication Service (IAS) as a RADIUS server. The IAS server has an IP address of 172.31.0.9 on the Electronic, Inc. extranet and provides centralized remote access authentication, authorization, and accounting for both the remote access server and the VPN server.

The following illustration shows the Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server.

RADIUS authentication and accounting

Domain configuration

For each New York office employee that is allowed dial-up access, the remote access permission for the dial-in properties of the user account is set to Control access through Remote Access Policy.

Remote access policy configuration

Remote access policies must be modified in two ways:

  1. The existing remote access policies that are configured on the VPN server running Windows Server 2003 must be copied to the IAS server.

  2. A new remote access policy is added for dial-up remote access clients on the IAS server.

Copying the remote access policies

Once the VPN server running Windows Server 2003 is configured to use RADIUS authentication, the remote access policies stored on the VPN server are no longer used. Instead, the remote access policies stored on the IAS server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. Therefore, the current set of remote access policies is copied to the IAS server.

For more information, see Copy the IAS configuration to another server.

Creating a new remote access policy for dial-up remote access clients

To define the authentication and encryption settings for dial-up connections by employees of the New York office, the following remote access policy is created on the RADIUS server computer:

  • Policy name: Dial-Up for New York Employees

  • Conditions:

    • NAS-Port-Type is set to all types except Virtual (VPN)

    • Windows-Groups is set to NY_Employees

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) are also enabled.

    • Encryption tab: All options are selected.

RADIUS configuration

To configure RADIUS authentication and accounting, the network administrator for Electronic, Inc. configures the following:

  • The RADIUS server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; and with IAS installed. IAS is configured for two RADIUS clients; the remote access server and the VPN server. For more information, see Internet Authentication Service and Add RADIUS clients.

  • The remote access server running a member of the Windows Server 2003 family is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  • The VPN server running Windows Server 2003 is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and to use a shared secret. For more information, see Use RADIUS authentication and Use RADIUS accounting.

Dial-up remote access client configuration

The New Connection Wizard is used to create a dial-up connection with the following setting:

  • Phone number: 555-0111

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.