Internet access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


This topic describes how IAS is used to authenticate and authorize Internet connections for the customers of an Internet service provider (ISP). In this example, the ISP has a single data center that supports a large number of customers. Dial-up servers are distributed with multiple Points of Presence (POPs). The ISP offers two service plans: A basic plan for users with dial-up modems and a premium plan that provides support for ISDN connections. Connection authorization is provided to customers based on the subscription plan.

For each basic plan customer, a Connection Manager service profile is used to enable access to the Internet through the ISP's POPs. For each premium plan user, the same Connection Manager service profile is used to enable ISDN access. The service profile contains both dial-up and ISDN POPs. Connection Manager makes the appropriate POPs available based on the type of connection device that the user selects.

This topic describes a configuration for an ISP that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication. If only one RADIUS server is configured and it becomes unavailable, ISP customers cannot connect to the Internet. By using two IAS servers and configuring all dial-up servers (RADIUS clients) for both the primary and secondary IAS servers, RADIUS clients detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.

  • Custom remote access policies.

    Remote access policies are configured to specify, based on group membership, the different types of connection constraints for the two service plans (basic and premium).

  • Multiple dial-up servers.

    Dial-up servers consist of third-party network access server (NAS) devices, and computers running different versions of Windows and the Routing and Remote Access service. The dial-up servers are geographically distributed at various POPs so that ISP customers can access the Internet with a local call.

The following illustration shows the configuration of an ISP providing Internet access.

Configuration of the IAS test lab

Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory, the dial-up servers, or the Connection Manager profile. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS to support Internet access for an ISP, complete the following steps:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

  • Configure RADIUS accounting and authentication on dial-up servers.

Configuring user accounts and groups

To configure user accounts and groups, do the following:

  1. Ensure that all customers that are making Internet connections have a corresponding user account. The user principal names that are created should contain the @ (at) sign, followed by the ISP name (for example, UserName@ISPName).

  2. If you want to manage access by group, ensure that all user accounts are configured with the Control access through Remote Access Policy remote access permission. For more information, see Configure remote access permission for a user.

  3. Create two universal groups: one for basic plan users (named BasicPlanUsers) and one for premium plan users (named PremiumPlanUsers). Because of the large number of potential users, create global groups and make user accounts members of global groups. Next, add the global groups as members of the universal groups. For more information, see Group scope.

  4. If some customers are using the Challenge-Handshake Authentication Protocol (CHAP), you must enable support for reversibly encrypted passwords in the appropriate domains. For more information, see Enable reversibly encrypted passwords in a domain.

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

  4. Enable file logging for accounting and authentication events. For more information, see Configure log file properties.

  5. If needed, configure additional UDP ports for authentication and accounting messages that are sent by RADIUS clients. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  6. Add the dial-up servers as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets. Enable the use of the Message Authenticator attribute only when it is supported by the RADIUS client.

  7. Create remote access policies for both basic and premium plan customers.

    Create two remote access policies. One policy is used to authorize basic plan connections (by using the BasicPlanUsers group). The other policy is used to authorize premium plan connections (by using the PremiumPlanUsers group).

  8. Authorize connections for basic plan users by using the New Remote Access Policy Wizard to create a common VPN policy with the following settings:

    • Policy name: Basic plan connections

    • Conditions: Windows-Groups matches BasicPlanUsers

    • Permission: Grant remote access permission

    • Profile settings, Dial-in Constraints tab: Allow access only through these media is selected, and then the Async (Modem) media type is selected.

    • Profile settings, Authentication tab: The Microsoft Encrypted Authentication version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP), and Encrypted Authentication (CHAP) protocols are selected.

      For more information, see Add a remote access policy.

  9. Authorize connections for premium plan users by creating a new remote access policy with the following settings:

    • Policy name: Premium plan connections

    • Conditions: Windows-Groups matches PremiumPlanUsers

    • Permission: Grant remote access permission

    • Profile settings, Dial-in Constraints tab: Allow access only through these media is selected, and then the ISDN Async V.110, ISDN Async V.120, and ISDN Async media types are selected.

    • Profile settings, Authentication tab: The Microsoft Encrypted Authentication version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP), and Encrypted Authentication (CHAP) protocols are selected.

  10. Because all of the ISP customers are using either the basic or premium plan, delete the default remote access policies so that no other types of connections are authorized. For more information, see Delete a remote access policy.

    For additional examples of remote access policies, see Remote Access Policies Examples.
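The following Python is an added example, not part of this topic and not IAS code: it models how IAS evaluates the two policies configured above (policies are tried in order, the first policy whose conditions match decides the attempt, a failed profile constraint rejects rather than falling through, and, with the default policies deleted in step 10, an attempt that matches no policy is rejected). Group names, media types and protocols are those from the policies above; the sample user names and connection attempts are constructed.

```python
"""Model of IAS remote access policy evaluation for the two ISP plans.

Added example (not from the original topic, not IAS itself). Semantics modelled:
first policy whose conditions all match is used; if its profile constraints
are not met the attempt is rejected with no fall-through; no match = reject.
"""
from dataclasses import dataclass

# Media type names as they appear on the Dial-in Constraints tab.
ASYNC_MODEM = "Async (Modem)"
ISDN_MEDIA = frozenset({"ISDN Async V.110", "ISDN Async V.120", "ISDN Async"})
# Authentication tab selections shared by both policies.
PROTOCOLS = frozenset({"MS-CHAP v2", "MS-CHAP", "CHAP"})


@dataclass(frozen=True)
class Policy:
    name: str
    group: str            # Windows-Groups condition
    media: frozenset      # allowed media types (Dial-in Constraints)
    protocols: frozenset  # allowed authentication protocols


# Policy order matters: IAS evaluates top to bottom.
POLICIES = [
    Policy("Basic plan connections", "BasicPlanUsers", frozenset({ASYNC_MODEM}), PROTOCOLS),
    Policy("Premium plan connections", "PremiumPlanUsers", ISDN_MEDIA, PROTOCOLS),
]


def evaluate(groups, media, protocol, policies=POLICIES):
    """Return (decision, reason) for one connection attempt.

    groups: set of Windows group names the user is a member of.
    """
    for p in policies:
        if p.group not in groups:
            continue  # conditions not met: try the next policy
        # Conditions matched: this policy decides, constraints do not fall through.
        if media not in p.media:
            return "reject", f"{p.name}: media type {media} not allowed"
        if protocol not in p.protocols:
            return "reject", f"{p.name}: protocol {protocol} not allowed"
        return "accept", p.name
    # Default policies were deleted, so an unmatched attempt is rejected.
    return "reject", "no matching remote access policy"


# Constructed sample attempts: (user, groups, media type, protocol).
SAMPLES = [
    ("alice@ISPName", {"BasicPlanUsers"}, ASYNC_MODEM, "MS-CHAP v2"),
    ("bob@ISPName", {"PremiumPlanUsers"}, "ISDN Async V.120", "CHAP"),
    ("bob@ISPName", {"PremiumPlanUsers"}, ASYNC_MODEM, "MS-CHAP v2"),  # ISDN-only plan
    ("carol@ISPName", set(), ASYNC_MODEM, "MS-CHAP v2"),              # no plan group
]


def run_samples():
    """Evaluate every constructed sample and return {(user, media): decision}."""
    return {(u, m): evaluate(g, m, p)[0] for u, g, m, p in SAMPLES}
```

The third sample shows a consequence of these constraints worth checking in a real deployment: a premium plan user who is not also a member of BasicPlanUsers is rejected when dialing in with a modem, because the premium policy matches on group and then fails its media constraint.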

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the secondary IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

  4. Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS accounting and authentication on dial-up servers

To configure each dial-up server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the dial-up server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS servers as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the dial-up server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.

  3. If the dial-up server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers).