Create User Accounts for the Site-to-Site Connection

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

After a calling router is authenticated by using either Windows or RADIUS as the authentication provider, it must be authorized: that is, it must be given permission to establish a connection with the answering router. You use one of two components to authorize access by the calling router: user accounts and (optionally) groups, or remote access network policies.

You can grant or deny permission for the calling router to access the answering router at the user account level or at the remote access network policy level. If you select the Control access through NPS Network Policy option in the user account, the access permission specified on the Overview page for the remote access network policy governs whether the user account of the calling router is granted or denied access. This option is available only for user accounts on stand-alone routers or members of a native-mode Active Directory domain. For more information about remote access network policies, see Understanding Remote Access Network Policies.
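The following PowerShell audit is an added example, not part of the original page. It reports, for domain router accounts, whether access is decided at the account level or deferred to network policy. It assumes the ActiveDirectory module is installed, a hypothetical group named S2S-Routers, and that the Dial-in setting is read from the msNPAllowDialin attribute (an unset value means the account is policy-controlled).

```powershell
# Added example: audit the Network Access Permission of calling-router accounts.
# Assumptions: ActiveDirectory module available; group name below is hypothetical.
Import-Module ActiveDirectory

$RouterGroup = 'S2S-Routers'   # hypothetical group holding calling-router accounts

function Get-DialInMode {
    param($AllowDialin)        # msNPAllowDialin: $true, $false, or $null (not set)
    if ($null -eq $AllowDialin) { return 'Control access through NPS Network Policy' }
    if ($AllowDialin)           { return 'Allow access' }
    return 'Deny access'
}

# Resolve each user in the group and translate the attribute into the
# wording shown on the Dial-in tab of the account's properties.
$report = Get-ADGroupMember -Identity $RouterGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties msNPAllowDialin
        [pscustomobject]@{
            Account    = $u.SamAccountName
            Enabled    = $u.Enabled
            DialInMode = Get-DialInMode $u.msNPAllowDialin
        }
    }

# Accounts with an explicit account-level setting do not defer the
# allow/deny decision to the network policy, so list them first for review.
$report |
    Sort-Object @{ Expression = { $_.DialInMode -like 'Control*' } }, Account |
    Format-Table -AutoSize
```

Accounts that show Allow access or Deny access are authorized at the user account level; the rest are governed by the access permission on the matching network policy.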

You can configure router user accounts individually for each router or by adding router accounts to an Active Directory group: