Introduction to connection request processing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Windows 2000, Internet Authentication Service (IAS) can only be used as a RADIUS server. In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, IAS can be used as either a RADIUS server or a RADIUS proxy.

When IAS is used as a RADIUS server:

  • Access-Request messages are authenticated through Active Directory or a Windows NT Server 4.0 domain, or through the Security Account Manager (SAM) in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. They are authorized with the user or computer account dial-in properties and remote access policies. Additionally, IAS can return an Access-Accept message without authenticating and authorizing the Access-Request message.

  • Accounting-Request messages are logged in a local log file based on remote access logging settings.

Note

  • IAS can be configured for separate use as an authentication RADIUS server or an accounting RADIUS server.

When IAS is used as a RADIUS proxy:

  • Access-Request messages are forwarded to another RADIUS server for authentication and authorization.

  • Accounting-Request messages are logged in a local log file (based on remote access logging settings) and forwarded to another RADIUS server for accounting.

Note

  • IAS can be configured for separate use as an authentication RADIUS proxy or an accounting RADIUS proxy.

To determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server, the IAS server uses connection request processing. Connection request processing is a combination of:

  • Connection request policies

    Connection request policies determine, for any incoming RADIUS request message, whether the message is processed locally or forwarded to another RADIUS server. For more information, see Connection request policies.

  • Remote RADIUS server groups

    Remote RADIUS server groups specify multiple RADIUS servers when an incoming RADIUS request message is forwarded. For more information, see Remote RADIUS server groups.

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
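
A planned RADIUS client list can be checked against the limits in this note before it is entered into IAS. The following is an added example, not Microsoft code: the helper names, the input format (each client given as an FQDN, a single IP address, or a CIDR range string), and the injectable `resolve` callable are assumptions made for illustration.

```python
import ipaddress
import socket

# Limits the note gives for Windows Server 2003, Standard Edition.
STANDARD_MAX_CLIENTS = 50
STANDARD_MAX_SERVER_GROUPS = 2

def system_resolver(name):
    """Return IPv4 addresses for name in the order the resolver gave them."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def classify(entry):
    """Return 'ip', 'range' or 'name' for one planned client entry."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "range"
    except ValueError:
        return "name"

def check_ias_plan(clients, server_groups, edition, resolve=system_resolver):
    """Return findings for a planned client list (hypothetical helper)."""
    findings = []
    standard = edition.lower() == "standard"
    if standard and len(clients) > STANDARD_MAX_CLIENTS:
        findings.append(f"{len(clients)} clients: Standard Edition allows at most 50")
    if standard and server_groups > STANDARD_MAX_SERVER_GROUPS:
        findings.append(f"{server_groups} remote RADIUS server groups: Standard Edition allows at most 2")
    for entry in clients:
        kind = classify(entry)
        if kind == "range" and standard:
            findings.append(f"{entry}: IP address ranges are not available in Standard Edition")
        elif kind == "name":
            addrs = resolve(entry)
            if not addrs:
                findings.append(f"{entry}: does not resolve")
            elif len(addrs) > 1:
                findings.append(f"{entry}: {len(addrs)} addresses returned, IAS uses only the first ({addrs[0]})")
    return findings

if __name__ == "__main__":  # constructed sample plan, no DNS lookups needed
    print(check_ias_plan(["192.0.2.5", "198.51.100.0/24"], 3, "standard"))
```

A client whose name resolves to several addresses is the case to watch: requests sent from any address other than the first one returned will not match the client entry defined by that name.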