Dial-up and VPNs with RADIUS Authentication (VPN with Windows Server 2003)
Updated: January 1, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In addition to VPN-based remote access, the network administrator for Electronic, Inc. wants to provide modem-based dial-up remote access for employees of the New York office. All employees of the New York office belong to an Active Directory group called NY_Employees. A separate remote access server running Windows Server 2003 provides dial-up remote access at the phone number 555-0111. Rather than administer the remote access policies of both the VPN server and the remote access server separately, the network administrator is using a computer running Windows Server 2003 with the Internet Authentication Service (IAS) as a RADIUS server. The IAS server has an IP address of 172.31.0.9 on the Electronic, Inc. extranet and provides centralized remote access authentication, authorization, and accounting for both the remote access server and the VPN server.
Figure 6 shows the Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server.
Figure 6: The Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server
For each New York office employee who is allowed dial-up access, the remote access permission in the dial-in properties of the user account is set to Control access through Remote Access Policy.
Remote Access Policy Configuration
Remote access policies must be modified in two ways:
The existing remote access policies that are configured on the VPN server must be copied to the IAS server.
A new remote access policy is added for dial-up remote access clients on the IAS server.
Copying the Remote Access Policies
Once the VPN server is configured to use RADIUS authentication, the remote access policies stored on the VPN server are no longer used. Instead, the remote access policies stored on the IAS server are used. Therefore, the current set of remote access policies is copied to the IAS server.
For more information, see the topic titled Copying the IAS Configuration to Another Server in Windows Server 2003 Help and Support.
Creating a New Remote Access Policy for Dial-up Remote Access Clients
To define the authentication and encryption settings for dial-up connections by employees of the New York office, the following remote access policy is created on the RADIUS server computer:
Policy name: Dial-Up for New York Employees
Access method: Dial-up
User or Group Access: Group with the EXAMPLE\NY_Employees group selected
Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type, Microsoft Encrypted Authentication (MS-CHAP), and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) are selected
Policy Encryption Level: All options selected
To configure RADIUS authentication and accounting, the network administrator for Electronic, Inc. configures the following:
The RADIUS server is a computer running Windows Server 2003 with the Internet Authentication Service networking component installed. The Internet Authentication Service is configured for two RADIUS clients: the remote access server and the VPN server. For more information, see the topic titled Registering RADIUS Clients in Windows Server 2003 Help and Support.
The remote access server is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret. For more information, see the topics titled Configuring RADIUS authentication and Configuring RADIUS accounting in Windows Server 2003 Help and Support.
The VPN server is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret.
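The following is an added example and not code from the Microsoft page or from IAS itself. It models, in Python with the standard library only, one RADIUS Access-Request/Access-Accept exchange (RFC 2865) between a RADIUS client such as the VPN server or the dial-up remote access server and the RADIUS server at 172.31.0.9: the client sends the user name and a NAS-Port-Type (dial-up or VPN), the server evaluates a policy like Dial-Up for New York Employees on group membership and port type, and the client verifies the server's reply with the shared secret. The user names, group membership, client address 172.31.0.20 and the secret values are constructed sample data; the EAP and MS-CHAP credential attributes and the Message-Authenticator attribute (RFC 2869) used with EAP are left out to keep the packet format short.

```python
"""Added example (not from the Microsoft page): a minimal RADIUS exchange
(RFC 2865) between a RADIUS client (VPN or dial-up server) and a RADIUS
server (IAS at 172.31.0.9). Shows how the shared secret authenticates the
server's Access-Accept/Access-Reject and how a remote access policy is
matched on NAS-Port-Type and group. All names and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 4, 61
NAS_PORT_TYPE_ASYNC, NAS_PORT_TYPE_VIRTUAL = 0, 5   # modem dial-up vs VPN tunnel

IAS_ADDRESS = "172.31.0.9"  # from the page; replies are computed locally here
# Constructed stand-in for Active Directory group membership.
GROUPS = {"EXAMPLE\\NY_Employees": {"alice", "bob"}}
# (policy name, required NAS-Port-Type, required group). Only the dial-up policy
# is modelled; the VPN policies copied to the IAS server would sit beside it.
POLICIES = [("Dial-Up for New York Employees", NAS_PORT_TYPE_ASYNC, "EXAMPLE\\NY_Employees")]


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def build_access_request(ident, user, nas_ip, port_type):
    """RADIUS client side. The Request Authenticator must be unpredictable."""
    req_auth = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", port_type)),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def ias_handle(request, secret, groups=GROUPS, policies=POLICIES):
    """RADIUS server side: evaluate the remote access policies, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    port_type = struct.unpack("!I", attrs[ATTR_NAS_PORT_TYPE])[0]
    verdict = ACCESS_REJECT  # no matching policy means access is denied
    for _name, wanted_type, group in policies:
        if port_type == wanted_type and user in groups.get(group, ()):
            verdict = ACCESS_ACCEPT
            break
    reply_attrs = []
    resp_auth = response_authenticator(verdict, ident, req_auth, reply_attrs, secret)
    return build_packet(verdict, ident, resp_auth, reply_attrs)


def nas_verify_reply(reply, req_auth, secret):
    """RADIUS client side: recompute the Response Authenticator. A reply from a
    host that lacks the shared secret, or one altered in transit, fails here
    and must be discarded instead of being treated as an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return hmac.compare_digest(expected, reply[4:20])


def authenticate(user, port_type, nas_secret, server_secret, nas_ip="172.31.0.20"):
    """Run one exchange end to end. Returns 'accept', 'reject' or 'invalid'."""
    request, req_auth = build_access_request(7, user, nas_ip, port_type)
    reply = ias_handle(request, server_secret)  # would travel to IAS_ADDRESS over UDP
    if not nas_verify_reply(reply, req_auth, nas_secret):
        return "invalid"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; configured on both sides
    print(authenticate("alice", NAS_PORT_TYPE_ASYNC, secret, secret))    # accept
    print(authenticate("alice", NAS_PORT_TYPE_VIRTUAL, secret, secret))  # reject
    print(authenticate("carol", NAS_PORT_TYPE_ASYNC, secret, secret))    # reject
    print(authenticate("alice", NAS_PORT_TYPE_ASYNC, secret, b"wrong"))  # invalid
```

The last call shows what a mismatched shared secret looks like from the RADIUS client's side: the reply arrives but cannot be verified, so the connection is refused even though the user would otherwise have been accepted. Because the whole check rests on MD5 over the shared secret, each registered RADIUS client should get its own long random secret, and RADIUS traffic between the remote access servers and 172.31.0.9 should stay on the extranet segment the page describes.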
Dial-up Remote Access Client Configuration
On the Windows XP remote access client computers, the New Connection Wizard is used to create a dial-up connection with the following settings:
Network Connection Type: Connect to the network at my workplace
Network Connection: Dial-up connection
Connection Name: Electronic, Inc.
Phone Number: 555-0111
Connection Availability: Anyone's use