
Internet Authentication Service: Frequently Asked Questions

Published: July 11, 2005 | Updated: January 4, 2008

This FAQ answers commonly asked questions about Internet Authentication Service (IAS) and related technologies in Microsoft Windows Server 2003.

In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS).


 



Background Information

Q. What is IAS?
A. IAS is the Windows implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2003.

In Windows Server 2008, the RADIUS server and proxy implementation is known as Network Policy Server (NPS).

Q. What is RADIUS and what is it used for?
A. RADIUS is a widely deployed protocol that enables centralized authentication, authorization, and accounting (AAA) for network access. Originally developed for dial-up remote access, RADIUS is now supported by wireless access points (APs), authenticating Ethernet switches, virtual private network (VPN) servers, Digital Subscriber Line (DSL) access servers, and other types of network access servers.

Q. Where is the Microsoft IAS documentation?
A. IAS documentation is included with Windows Server 2003 (click Start, then click Help and Support). There are also IAS sections of the Windows Server 2003 Deployment Guide and Windows Server 2003 Technical Reference.

For the product documentation resources available for IAS in Windows Server 2003, see the Windows Server 2003 Internet Authentication Service (IAS) TechCenter.

For a list of all the resources for IAS in Windows Server 2003, see the Windows Server 2003 Internet Authentication Service Web site.

Q. How is IAS typically used on private and public networks?
A.

For private networks, IAS is used to provide centralized authentication, authorization, and accounting (AAA) for the following types of network access:

  • IEEE 802.11 wireless LAN
  • Authenticating switch (IEEE 802.1X)
  • Remote access (individual computers obtaining logical connections to a private network over a dial-up line or a virtual private network [VPN] connection)
  • Site-to-site access (routers obtaining logical connections between sites of a private network over a dial-up line or a VPN connection)

For public networks, IAS is used to provide AAA for Internet access for dial-up, broadband, or wireless connections.

Q. Why should I use IAS over other RADIUS servers?
A. IAS and its integration with the Active Directory directory service allow your Windows-based client computers to take advantage of single sign-on, in which Active Directory domain credentials are used to access the network for dial-up, VPN, or IEEE 802.1X-based access. IEEE 802.1X authentication is typically used for IEEE 802.11 wireless LAN access and for authenticating switches. A user does not need to remember different sets of credentials for accessing the network and accessing the resources of the network.

IAS provides the flexibility to define granular access control through remote access policies, which allow you to define security policy customized to address the security concerns of the type of connection. For example, IAS remote access policies allow you to differentiate between employees and vendors and provide different levels of access through the configuration of IP packet filters and virtual LAN identifiers (VLAN IDs).

IAS supports strong standards-based authentication methods. For more information, see the "IAS Authentication Protocols" section of this FAQ.

Q. What are the differences in IAS in different versions of Windows?
A. IAS in Windows Server 2003 is a RADIUS server and proxy. For a detailed description of the new features of IAS in Windows Server 2003, see New features for IAS.

You can configure IAS in Windows Server 2003 Standard Edition with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. With IAS in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

Q. How do I extend IAS?
A.

You can extend IAS in the following ways:



IAS Authentication Protocols

Q. Which authentication protocols does IAS support?
A.

IAS supports the following authentication protocols:

  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
  • Extensible Authentication Protocol-Message Digest 5 CHAP (EAP-MD5 CHAP)
  • EAP-Transport Layer Security (EAP-TLS)
  • Protected EAP-MS-CHAP v2 (PEAP-MS-CHAP v2) (also known as PEAPv0/EAP-MSCHAPv2)
  • PEAP-TLS

For more information, see Authentication Methods for use with IAS.

Q. Does IAS support Cisco's LEAP?
A. No. There are no plans to support Cisco Systems' Lightweight Extended Authentication Protocol (LEAP) (also known as EAP-Cisco in version 11.21 of the Cisco Aironet AP firmware).

Q. Why does Microsoft support and recommend PEAP over LEAP?
A.

Microsoft supports and recommends PEAP over LEAP for the following reasons:

  • PEAP is a standards-based protocol. LEAP is a proprietary protocol.
  • PEAP uses a digital certificate and public-key cryptography to create a strong encrypted channel. LEAP is a simple challenge-handshake authentication protocol that is susceptible to offline dictionary and brute-force attacks. LEAP's vulnerabilities have led to the development of a number of LEAP cracking tools that are available on the Internet.
  • PEAP provides support for EAP authentication methods such as EAP-TLS and EAP-MS-CHAP v2 that can perform computer authentication. LEAP does not support EAP authentication methods or computer authentication.

For more information, see The Advantages of Protected Extensible Authentication Protocol (PEAP).

Q. Does IAS support TTLS?
A.

No. PEAP has broader market presence and is the direction shared by Microsoft, Cisco, and RSA. Microsoft does not plan to support Tunneled Transport Layer Security (TTLS). PEAP is available on many platforms and works with existing domains, which makes it easier for customers to deploy. Most vendors have announced that they plan to support PEAP.

TTLS is similar to PEAP in that both use a TLS exchange to create a secure channel for authentication. Some of the technical differences are the following:

  • EAP-TTLS promotes a model to secure authentication protocols between an access client and a RADIUS proxy, which means that the authentication may be compromised between a RADIUS proxy and a RADIUS server. In roaming scenarios, in which an employee uses their corporate credentials to connect to wireless hotspots, the corporate credentials could be compromised.
  • PEAP is much simpler and more flexible. Compared to PEAP, EAP-TTLS is complex. In addition to using EAP over TLS, TTLS defines ways to carry RADIUS attributes, perform cryptographic negotiation, and use insecure protocols like PAP and CHAP. The various options and protocols inside TTLS (other than EAP) add complexity, introducing potential security and interoperability issues.



Q. Does IAS support authentication with a SQL or ODBC-based accounts database?
A.

IAS in Windows Server 2003 does not support authentication of user accounts in a Structured Query Language (SQL) or open database connectivity (ODBC) database. If you must authenticate against these types of databases, you can do one of the following:

  • Write an IAS extension to authenticate with a SQL or ODBC database.
  • Replicate your user accounts from your SQL or ODBC database to Active Directory.



Remote Access Policies

Q. What are remote access policies?
A.

Remote access policies provide the authorization of connection attempts. After the credentials have been authenticated, IAS evaluates the parameters of the connection attempt against the set of configured remote access policies. The connection attempt is authorized if it:

  • Matches a remote access policy (meets all of the conditions of the policy)
  • Has remote access permission
  • Meets all of the conditions of the dial-in properties of the account and the remote access policy profile settings

If the connection attempt does not match any remote access policy, it is rejected. If it matches a remote access policy but either does not have remote access permission or fails to meet all of the conditions of the dial-in properties of the account and the remote access policy profile settings, it is also rejected.

A connection attempt must be both authenticated and authorized before it is accepted.

Q. How do remote access policies work to determine authorization?
A.

Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each remote access policy, there are one or more conditions, a set of profile settings, and a remote access permission setting.

When an IAS server receives a connection attempt, it compares the attributes of the connection attempt to the conditions of the first policy in the ordered list.

  • If the attributes of the connection attempt match all of the conditions of the policy (a logical AND comparison), the remote access policy settings are applied to the connection attempt. A connection attempt is only matched with a single remote access policy.
  • If the attributes of the connection attempt do not match all of the conditions of the first policy, the additional policies are processed in order until a match is found. If none of the policies match the attributes of the connection attempt, the connection attempt is rejected.

When a connection attempt matches a remote access policy, the result of applying the remote access permission, the policy profile settings, and the group membership and the dial-in properties of a user or computer account is the following:

  • The connection attempt is rejected.
  • The connection attempt is authorized subject to conditions of the remote access policy profile and the dial-in properties of the user or computer account.

For the details of remote access policy processing, see Accepting a connection attempt. For additional information about the elements of a remote access policy, see the Elements of a remote access policy.

Q. Which is the recommended administrative model for managing access with remote access policies?
A.

There are two ways to use remote access policies to grant authorization:

  • By account—If you are managing authorization by account, set the remote access permission on the Dial-in tab of your user or computer accounts to either Grant access or Deny access and, optionally, create different remote access policies based on different types of connections. For example, you might want to have one remote access policy that is used for VPN-based remote access connections and a different remote access policy for wireless connections. Managing authorization by account is recommended only when you have a small number of user or computer accounts to manage.
  • By group—If you are managing authorization by group, set the remote access permission on your user or computer accounts to Control access through Remote Access Policy and create remote access policies that are based on different types of connections and group membership. For example, you might want to have one remote access policy for VPN connections for employees (members of the Employees group) and a different remote access policy for VPN connections for contractors (members of the Contractors group).



Q. How do I configure remote access policies?
A.

You can create remote access policies from the Internet Authentication Service snap-in. Right-click Remote Access Policies, and then click New Remote Access Policy.

For IAS in Windows Server 2003, the New Remote Access Policy Wizard guides you through a common or custom policy. For a common policy, you choose from the following:

  • An access method (VPN, dial-up, wireless, Ethernet)
  • Whether to grant access permissions by account or by group (and the names of groups)
  • Authentication methods
  • Levels of allowed encryption (depending on the access method selected)

For an example of configuring a remote access policy, see Step-by-Step Guide for Configuring Remote Access Policies Using Routing and Remote Access.

Q. What are some examples of configured remote access policies?
A. For examples of remote access policies with IAS in Windows Server 2003, see Remote Access Policies Examples.

Q. How many remote access policies do I need?
A. IAS supports the configuration of many remote access policies. However, in most cases you only need a small number. The exact number depends on the different types of network access (for example, VPN and wireless) and how you want to control that access (for example, you want to specify different connection conditions for different groups of users for VPN access). If you are using Windows groups to grant access and determine connection parameters, use universal groups and group nesting to reduce the number of remote access policies.

Q. How do I ignore the dial-in properties of user and computer accounts?
A. IAS in Windows Server 2003 allows you to ignore the dial-in properties of user and computer accounts during connection attempt processing. To enable this feature, set the Ignore-User-Dialin-Properties RADIUS attribute to True. For more information, see Add RADIUS attributes to a remote access policy.

Q. Why are some dial-in properties for accounts in Active Directory not available?
A.

When Active Directory is running in mixed mode, the Dial-in tab allows you to configure only those dial-in properties that are available in Windows NT 4.0 domains. Only the Remote Access Permission (Dial-in or VPN) (Allow access and Deny access options) and Callback Options settings are available.

When Active Directory is running in native mode, the Dial-in tab allows you to configure the following additional properties:

  • Control access through Remote Access Policy remote access permission setting
  • Verify Caller ID
  • Assign a Static IP Address
  • Apply Static Routes

For more information, see the Dial-in properties of a user account.

Q. How can I determine which remote access policy matched a connection attempt?
A. Enable event logging for IAS, attempt the connection, and then check the system event log for events with the Source set to "IAS." The text of the event corresponding to the connection attempt lists the name of the matching remote access policy.

For more information, see Event logging for IAS.

Connection Request Processing

Q. What is connection request processing?
A.

Because IAS in Windows Server 2003 can act as a RADIUS server, a RADIUS proxy, or both at the same time, you must configure IAS with rules so that it can determine how to handle an incoming connection request or accounting message. To determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally (IAS is acting as a RADIUS server) or forwarded to another RADIUS server (IAS is acting as a RADIUS proxy), the IAS server uses connection request processing. Connection request processing is a combination of:

  • Connection request policies—An ordered set of rules that determine, for any incoming RADIUS request message, whether the message is processed locally or forwarded to another RADIUS server.
  • Remote RADIUS server groups—A set of RADIUS servers to which RADIUS request messages are forwarded.



Q. How do connection request policies work to determine connection request processing?
A.

Each connection request policy consists of a set of conditions and a set of profile settings. When an IAS server receives a RADIUS request message (either a connection attempt or an accounting message), it compares the attributes of the message to the conditions of the first policy in the ordered list of connection request policies.

  • If the attributes of the RADIUS request message match the conditions of the policy (a logical AND comparison), the connection request policy settings are applied to the message. A RADIUS request message is only matched with a single connection request policy.
  • If the attributes of the RADIUS request message do not match all of the conditions of the first policy, the additional connection request policies are processed in order until a match is found. If none of the connection request policies match the attributes of the RADIUS request message, IAS either rejects the connection attempt or discards the accounting message.

When a RADIUS request message matches a connection request policy, the result of applying the connection request policy profile settings is the following:

  • IAS processes the RADIUS request message, subject to the profile settings. In this case, IAS is acting as a RADIUS server.
  • IAS forwards the RADIUS request message to another RADIUS server, subject to the profile settings. In this case, IAS is acting as a RADIUS proxy.

For the details of connection request policy processing, see Processing a connection request. For additional information about the elements of a connection request policy, see Connection request policies.
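The first-match evaluation described in this answer and in the remote access policy answer above, written out as an added example (this is not IAS code, and not Microsoft's); the policy names, the groups, the remote RADIUS server group name and the attribute names used in the conditions are constructed for illustration:

```python
"""First-match evaluation of ordered IAS policy lists, for both the remote
access policies (authorization) and the connection request policies (process
locally or forward) described above.  Added example, not IAS code; policy,
group and server group names are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, object]               # attributes of one RADIUS request
Condition = Callable[[Attrs], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]         # every condition must hold (logical AND)
    action: str                         # "grant"/"deny" or "local"/<server group>
    profile: Dict[str, str] = field(default_factory=dict)


def first_match(policies: List[Policy], attrs: Attrs) -> Optional[Policy]:
    """A request matches only the first policy whose conditions all hold."""
    for policy in policies:
        if all(cond(attrs) for cond in policy.conditions):
            return policy
    return None


# Condition builders mirroring common IAS condition types (names illustrative).
def attr_is(name: str, value: str) -> Condition:
    return lambda a: a.get(name) == value

def user_name_matches(pattern: str) -> Condition:
    return lambda a: re.search(pattern, str(a.get("User-Name", ""))) is not None

def member_of(group: str) -> Condition:
    # Windows-Groups comes from the account in Active Directory, not from the RADIUS client.
    return lambda a: group in a.get("Windows-Groups", set())


# ---- Connection request policies: act as RADIUS server or as RADIUS proxy? ----
def route_request(policies: List[Policy], attrs: Attrs, accounting: bool = False) -> str:
    policy = first_match(policies, attrs)
    if policy is None:      # no match: reject the attempt or discard the accounting message
        return "discard" if accounting else "reject"
    return policy.action    # "local" (process here) or the remote RADIUS server group to forward to


# ---- Remote access policies: authorization after successful authentication ----
@dataclass
class Account:
    name: str
    dial_in: str            # "allow", "deny" or "policy" (Control access through Remote Access Policy)
    groups: Set[str] = field(default_factory=set)


def authorize(policies: List[Policy], account: Account, attrs: Attrs) -> Tuple[str, str]:
    """Returns ("accept"|"reject", reason) following the processing order the FAQ describes."""
    ctx = {**attrs, "Windows-Groups": account.groups}
    policy = first_match(policies, ctx)
    if policy is None:
        return "reject", "no remote access policy matched"
    # The account's dial-in permission is honoured unless the matched profile carries
    # Ignore-User-Dialin-Properties = True, in which case only the policy permission counts.
    dial_in = "policy" if policy.profile.get("Ignore-User-Dialin-Properties") == "True" else account.dial_in
    if dial_in == "deny":
        return "reject", f"account dial-in is deny (matched {policy.name})"
    if dial_in == "policy" and policy.action == "deny":
        return "reject", f"matched {policy.name}, policy permission is deny"
    return "accept", policy.name


# Constructed sample configuration.
CONNECTION_REQUEST_POLICIES = [
    Policy("Partner realm", [user_name_matches(r"@partner\.example\.net$")], "PartnerRADIUS"),
    Policy("Local default", [], "local"),              # no conditions: matches everything
]
REMOTE_ACCESS_POLICIES = [
    Policy("Wireless employees",
           [attr_is("NAS-Port-Type", "Wireless-IEEE 802.11"), member_of("Employees")],
           "grant", {"Tunnel-Pvt-Group-ID": "10"}),
    Policy("Contractor VPN",
           [attr_is("NAS-Port-Type", "Virtual"), member_of("Contractors")],
           "grant", {"Ignore-User-Dialin-Properties": "True"}),
    Policy("Deny everything else", [], "deny"),
]

if __name__ == "__main__":
    wifi = {"User-Name": "alice@corp.example.com", "NAS-Port-Type": "Wireless-IEEE 802.11"}
    vpn = {"User-Name": "bob@corp.example.com", "NAS-Port-Type": "Virtual"}
    print(route_request(CONNECTION_REQUEST_POLICIES, {"User-Name": "eve@partner.example.net"}))
    print(authorize(REMOTE_ACCESS_POLICIES, Account("alice", "policy", {"Employees"}), wifi))
    print(authorize(REMOTE_ACCESS_POLICIES, Account("bob", "deny", {"Contractors"}), vpn))
```

The catch-all "Deny everything else" policy at the end of the list is what turns a non-matching attempt into an explicit, logged deny rather than a silent fall-through, and the "allow" account case shows why a stray Allow access on the Dial-in tab overrides a deny policy.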

Q. How do I configure connection request policies?
A. You can create connection request policies from the Internet Authentication Service snap-in in Windows Server 2003. Right-click Connection Request Policies, and then click New Connection Request Policy. The New Connection Request Policy Wizard will guide you through the configuration of the policy name, the policy conditions, profile settings, and the configuration of a remote RADIUS server group (if needed).

Q. How many connection request policies do I need?
A. IAS supports the configuration of many connection request policies. However, in most cases you only need a small number. The exact number depends on the different roles of the IAS server (as a RADIUS server or RADIUS proxy) and how you want to change the attributes of RADIUS request messages before they are either processed locally or forwarded to another RADIUS server.

IAS Deployment

Q. How does IAS work in an Active Directory environment?
A. When IAS is a member of an Active Directory domain infrastructure, it uses an Active Directory global catalog server to resolve the name in the connection attempt to an Active Directory account and an Active Directory domain controller to verify the credentials of the user or computer requesting network access and to obtain the dial-in properties and group membership of the user or computer account.

In order to obtain dial-in properties and group membership for user and computer accounts, the IAS server must be made a member of the RAS and IAS Servers group in the domain in which it is a member and other domains as needed. For more information, see Enable the IAS server to read user accounts in Active Directory.

Q. How do I configure my firewalls to allow traffic to and from an IAS server?
A. You must configure your firewall to allow traffic to and from the IP address of the IAS server on UDP port 1812 for connection attempt (authentication) traffic and on UDP port 1813 for accounting traffic. UDP ports 1812 and 1813 are defined for RADIUS traffic in RFCs 2865 and 2866. For more details, see IAS and firewalls.

Q. What are the certificate requirements when using EAP-TLS and PEAP-MS-CHAP v2?
A. See the "Certificate requirements for EAP" section of Network access authentication and certificates.

Q. How do I manipulate the UserName RADIUS attribute?
A. The UserName RADIUS attribute contains a name identifying the user or computer account, such as user1@domain.example.com. In some cases, you must change the UserName attribute contents from one form of an account name to another. To change the UserName RADIUS attribute, you must configure realm manipulation rules.

For IAS in Windows Server 2003, you must configure realm manipulation rules from the properties of a connection request policy. For more information, see Configure attribute manipulation.

For information on the syntax used to configure realm manipulation rules with examples, see Pattern matching syntax.

Q. Can I delegate administration to user accounts that are not a Domain Administrator or a local administrator on the IAS server?
A.

No. Following is an unsupported workaround:

  1. Create an IAS Admin local group on the IAS server computer.
  2. Grant read and write permission on the Ias.mdb file in the %windir%\System32\Ias folder to the IAS Admin local group.

User accounts in the IAS Admin group are able to use the Internet Authentication Service snap-in to manage the local IAS server. Members of the IAS Admin group cannot administer IAS remotely. They must use Terminal Server or Remote Desktop functionality.

Q. How does network access server RADIUS failover and failback work?
A. Most network access servers (RADIUS clients) support the configuration of a primary and secondary RADIUS server. The exact behavior of a specific network access server for RADIUS failover (switching to the secondary RADIUS server when the primary server becomes unavailable) and failback (switching back to the primary RADIUS server when it becomes available again) depends on the network access server. For more information, consult your network access server's documentation.

Q. How does IAS failover and failback work?
A. When IAS in Windows Server 2003 is configured to forward RADIUS request messages to a remote RADIUS server group, it uses failover and failback settings as configured on the Load Balancing tab for the properties of a RADIUS server in a remote RADIUS server group.

Settings on the Load Balancing tab configure the way in which the IAS server detects when a group member first becomes unavailable (failover) and when it becomes available after it has been determined to be unavailable (failback).

Q. Can I configure IAS to limit the number of simultaneous sessions with the same set of credentials?
A. IAS does not support the capability to limit the number of simultaneous sessions or connections that can be made with the same set of credentials. Controlling simultaneous sessions with the same set of credentials is important for Internet service providers (ISPs) who want to prevent their customers from sharing their Internet sign-on credentials with others.

Q. How can I configure IAS for use with virtual LANs?
A. Virtual LANs (VLANs) allow network architects and administrators to logically group network resources (such as servers, printers, and client computers) even when they are not on the same physical subnet. When you configure the profile of an IAS remote access policy for use with VLANs, you must configure the Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag attributes. For more information, see Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs).

Q. Can I configure IAS to use any RADIUS vendor specific attribute (VSA)?
A. Yes. IAS has a built-in dictionary of many RADIUS VSAs. For additional VSAs, you can add them to a specific remote access policy. For more information, see Configure vendor-specific attributes for a remote access policy.

Q. How can I force remote access clients to run scripts to check system health prior to allowing them full access?
A. Network Access Quarantine Control, a feature of Windows Server 2003, allows you to configure IAS and other components of a Windows-based remote access infrastructure to force remote access clients to run customized scripts to check system health (such as the state of antivirus software) prior to allowing them full access to a private intranet. For more information, see Network Access Quarantine Control in Windows Server 2003.

Q. How do I configure IAS for the best performance?
A. If possible, install IAS on an Active Directory domain controller. To provide authentication and authorization of wireless connection attempts, an IAS server acting as a RADIUS server must contact a domain controller to verify authentication credentials and obtain the properties of user and computer accounts. By installing IAS on a domain controller computer, the delay associated with exchanging network traffic with a domain controller is eliminated. For increased performance, configure the domain controller on which IAS is installed to be an Active Directory global catalog. IAS uses the global catalog to resolve the contents of the UserName RADIUS attribute to an Active Directory user or computer account.

For more information about optimizing performance for IAS, see the "Performance-tuning IAS" section of IAS Best Practices.

Q. How do I collect and use IAS accounting data?
A.

You can use IAS to create log files based on the authentication and accounting requests received from network access servers (RADIUS clients), and collect this information in a central location. By setting up and using log files to track authentication information, such as each connection acceptance and rejection, you can simplify administration. You can set up and use logs to track accounting information (such as logon and logoff records) to maintain records for billing purposes.

When you set up logging, you can specify:

  • The requests that are logged.
  • The log-file format.
  • How often new logs are started.
  • Automatic deletion of the oldest log file when the disk is full.
  • Where log files are stored.
  • What the log file records contain.

IAS activity can be written to local files or, for Windows Server 2003, to a SQL Server database. For more information, see Remote Access Logging and Deploying SQL Server Logging with Windows Server 2003 Internet Authentication Service (IAS).

Q. How do I make IAS listen for RADIUS traffic on only one IP address when the IAS server has multiple IP addresses?
A. By default, IAS listens for incoming RADIUS traffic on all configured IP addresses. For IAS in Windows Server 2003, you can specify an IP address on which IAS listens for RADIUS messages from the Properties dialog box of the Internet Authentication Service node in the Internet Authentication Service snap-in. In the Authentication or Accounting fields, use the following syntax: IPAddress:UDPPort. For example, if you have multiple network adapters and you only want to receive RADIUS authentication messages sent to the IP address of 10.0.0.99 and UDP port 1812, you would type 10.0.0.99:1812 in Authentication.

Q. How can I automate adding a large number of RADIUS clients?
A. If you must add a large number of individual RADIUS clients, you can use the Addradiusclient.exe tool that is available with the Securing Wireless LANs with PEAP and Passwords solution guide.

IAS Security

Q. What is the RADIUS shared secret and what does it protect?
A.

The RADIUS shared secret is a text string configured on a RADIUS client (a network access server or a RADIUS proxy) and its RADIUS server that provides security for RADIUS messages. The RADIUS shared secret is used for the following:

  • To provide authentication that RADIUS response messages from RADIUS servers or proxies have originated from a computer that has been configured with the shared secret.
  • To provide authentication that RADIUS request messages from RADIUS clients or proxies have originated from a computer that has been configured with the shared secret, when the Message-Authenticator attribute is included in the RADIUS request message.
  • To provide cryptographic protection of sensitive attributes in RADIUS messages, such as user passwords or encryption keys.

For more information, see Shared secrets.
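The three uses of the shared secret listed above, worked through in code as an added example (not IAS code; the RFC 2865 and RFC 2869 mechanics are implemented directly, and the secret, password, identifier and attribute values below are constructed):

```python
"""What the RADIUS shared secret protects, as specified in RFC 2865/2869:
User-Password hiding, the Response Authenticator on replies, and the
Message-Authenticator HMAC on requests.  Added example, not IAS code; the
secret, password and identifiers are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server reverses the hiding; it needs the same secret and the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def add_message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = build_packet(code, ident, authenticator, attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(code, ident, authenticator, attrs + attr(MESSAGE_AUTHENTICATOR, mac))

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check that a request came from a holder of the secret and was not altered."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False                      # attribute absent: nothing proves the sender's identity


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that a reply answers its own request and came from a holder of the secret."""
    code, ident, length, given = struct.unpack("!BBH16s", response[:20])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(given, expected)


def demo(secret: bytes = b"constructed-secret", password: bytes = b"P@ssw0rd!") -> dict:
    """One Access-Request / Access-Accept exchange, checked with the right and a wrong secret."""
    request_auth = os.urandom(16)     # the client picks a fresh random Request Authenticator
    hidden = hide_password(password, secret, request_auth)
    attrs = attr(USER_NAME, b"user1@domain.example.com") + attr(USER_PASSWORD, hidden)
    request = add_message_authenticator(ACCESS_REQUEST, 7, request_auth, attrs, secret)
    reply_attrs = attr(REPLY_MESSAGE, b"Welcome")
    accept = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, request_auth, reply_attrs, secret),
                          reply_attrs)
    altered = bytes([ACCESS_REJECT]) + accept[1:]    # same reply with only the Code byte changed
    return {
        "password_roundtrip": reveal_password(hidden, secret, request_auth) == password,
        "request_authentic": verify_message_authenticator(request, secret),
        "request_wrong_secret": verify_message_authenticator(request, b"other-secret"),
        "reply_authentic": verify_response(accept, request_auth, secret),
        "reply_wrong_secret": verify_response(accept, request_auth, b"other-secret"),
        "reply_altered": verify_response(altered, request_auth, secret),
    }
```

Note that the User-Password hiding keys off MD5 of the secret, which is why a short or guessable shared secret weakens all three protections at once, and why the Message-Authenticator matters: without it, an Access-Request carries no proof of origin at all.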

Q. How do I protect against denial of service attacks on accounts or online password guessing attacks on VPN or dial-up connections?
A. You can use the remote access account lockout feature to specify how many times a remote access authentication fails against a valid user account before the account is locked out for remote access. Remote access account lockout is especially important for remote access VPN connections over the Internet. With remote access account lockout enabled, a dictionary attack or a denial of service attack against a specific account is thwarted after a specified number of authentication failures.

For more information, see Remote access account lockout.

IAS and IEEE 802.1X Authentication for Wireless or Wired Networks

Q. What are the benefits of using IEEE 802.1X computer authentication?
A. Without computer authentication, a computer using IEEE 802.1X to obtain network access does not have connectivity when it starts. This causes the computer to skip logon scripts and Computer Configuration Group Policy updates. When you use computer authentication, 802.1X authentication occurs during computer startup and the computer receives Computer Configuration Group Policy updates. When the user logs on to the computer, the computer already has access to Active Directory resources and logon scripts run successfully.

Q. How can I easily configure multiple wireless access points as RADIUS clients with IAS?
A. If you have a number of wireless APs on the same subnet in an extended service set (ESS) configuration, IAS in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition allows you to specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret.

Maintaining and Troubleshooting IAS

Q. How do I monitor IAS?
A. You can use IAS event logs and performance counters for typical operations such as monitoring and troubleshooting. IAS also supports Simple Network Management Protocol (SNMP) and Performance Management Information Bases (MIBs).

Microsoft Operations Manager (MOM) can read IAS events. IAS events contain embedded insertion strings and MOM can separate insertion strings into individual fields. Other monitoring products do not support this capability.

Q. How do I troubleshoot common problems with IAS?
A. For information about troubleshooting the most common problems with IAS in Windows Server 2003, see Troubleshooting IAS as a RADIUS server and Troubleshooting IAS as a RADIUS proxy.

Q. What are the troubleshooting tools for IAS?
A.

The tools you use for troubleshooting IAS are the following:

  • IAS event logging and Event Viewer
  • Network Monitor
  • System Monitor counters
  • SNMP Service

For more information, see Troubleshooting tools to use with IAS.

For information about troubleshooting IAS for 802.11 wireless connections, see Troubleshooting IEEE 802.11 Wireless Access with Microsoft Windows XP.