IAS Scenarios

IAS is deployed in these common scenarios:

  • Dial-up corporate access.

  • Outsourced corporate access through service providers.

  • Internet access.

Dial-up Corporate Access

This section describes how IAS can be set up to support remote authenticated dial-up connections to the corporation. This scenario shows a typical setup and configuration for a corporation with clients requiring access to the corporate network.

This section covers the following:

  • Corporate characteristics and requirements for authentication.

  • Network components installed to support this corporate environment.

  • The remote user authentication process to be implemented in this scenario.

  • The setup of the network components required to support this authentication process.

  • Implementation and administration considerations.

Characteristics and Requirements

The corporation used in this scenario has a large primary location with multiple sales locations. All locations require secure access to the corporate network. The corporation requires a reliable method to authenticate remote users in an environment that has the following characteristics:

  • The corporate network uses Active Directory to control user access.

  • Sales locations have demand-dial connections to the corporate network.

  • Remote management of network servers is required.

  • Access capabilities are not identical for all employees, and access is given to specific employees based on the group to which they belong (for example, corporate employees are granted remote access, but contract employees are not).

  • Users must be able to access the network when dialing in from home and during travel.

Note: This scenario covers only IAS setup and some basic steps for configuring Windows 2000 Routing and Remote Access. For more information, see Remote Access Scenarios in Windows 2000 Server Help.

Network Components

IAS servers are set up on the corporate network to authenticate remote users. The following components are installed to support this scenario:

  • In the corporate network:

    • A primary IAS server and a backup IAS server running Windows 2000 Server and connected to the local area network (LAN). The IAS server is used as the RADIUS server, performing authentication, authorization, accounting, and auditing of the remote access users.

    • Active Directory domain controllers running Windows 2000 Server and connected to the LAN. Active Directory contains the user accounts and groups used to set up remote access policies for remote users.

    • Network access servers (NASs) running the Routing and Remote Access service component of Windows 2000 Server and connected to the LAN. The NAS operates as a RADIUS client and is responsible for passing user information to the appropriate RADIUS servers (in this scenario, IAS), and then acting on the response.

    Note: This scenario uses Routing and Remote Access servers as the NASs. If you use other RADIUS-compatible NASs (such as Cisco, Ascend, or US Robotics), then you need to change the configuration to reflect their use.

  • For each remote dial-up user:

    • A computer with a modem (or other supported communications device) and connection software configured to support standard dial-up access capabilities using Point-to-Point Protocol (PPP).

Authentication Process for This Scenario

The network components determine the authentication process. Using the setup and configuration as specified in this scenario, accounting and authentication are accomplished as follows:

  • When the NAS is started, an Accounting-On packet is sent.

  • When a remote user dials up the corporation, the process illustrated in Figure 24 occurs, and all requests and responses are logged:

    Figure 24: The Authentication Process for a Dial-up Corporate Access Scenario

  1. The user dials the corporate number, reaching the NAS.

  2. The NAS sends the RADIUS authentication request to the IAS server.

  3. IAS forwards the authentication request to the domain controller, where the user credentials are checked.

  4. IAS uses the remote access policies and the user attributes to determine if dial-up access is allowed.

    Note: IAS requires permission to read the attributes from the user account. This permission is given if the server is a member of the built-in RAS and IAS Servers security group.

  5. If a remote access policy is matched, and the profile does not reject the user, then IAS sends an Access-Accept packet.

  6. The user is granted access based on the connection settings specified in the Access-Accept packet. The NAS then assigns an IP address and other parameters to the client and starts routing the packets sent to and received from the client.

    • The NAS sends an Accounting-Start packet to the IAS server, indicating that the user session has started.

    • During the session, interim accounting packets are sent.

    • When the user disconnects, the NAS sends an Accounting-Stop packet to the IAS server, indicating the end of the user session.
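The request, response and accounting messages in the process above all rest on the shared secret configured on the NAS and on IAS. The following is an added example for this page (not IAS code or Microsoft's): it builds the RFC 2865/2866 packets a NAS and server exchange and shows the checks each side performs with the secret, so that an Access-Accept from a host without the secret, or one answering a different request, is discarded. The secret, user name and fixed Request Authenticator are constructed values.

```python
"""RADIUS authenticator checks for a dial-up Access-Request/Access-Accept
exchange and an Accounting-Start (RFC 2865 section 3, RFC 2866 section 3).
Constructed example; secret and user name are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, NAS_PORT_TYPE = 1, 40, 61   # attribute types
ACCT_START, ACCT_STOP, ACCT_ON = 1, 2, 7                  # Acct-Status-Type values


def encode_attrs(attrs):
    """Type(1) Length(1) Value; integer attributes are 4-byte big-endian."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def access_request(ident, attrs, request_auth=None):
    """NAS side. The Request Authenticator is random; it is fixed here only
    so the demo is repeatable."""
    ra = request_auth or os.urandom(16)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def accounting_request(ident, attrs, secret):
    """NAS side. RFC 2866: Authenticator = MD5(Code+ID+Length+16 zero octets
    +Attributes+Secret), so the server can check the sender holds the secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def response(code, request, secret, attrs=()):
    """Server side. RFC 2865: Response Authenticator =
    MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(resp, request, secret):
    """NAS side: drop responses that are truncated, answer another Identifier,
    or carry an authenticator not computed with our shared secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    if resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def verify_accounting_request(req, secret):
    """IAS side: an Accounting-Request must prove knowledge of the secret
    before its Start/Stop record is logged."""
    if len(req) < 20 or req[0] != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(req[:4] + bytes(16) + req[20:] + secret).digest()
    return hmac.compare_digest(expected, req[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Run the exchange with a fixed Request Authenticator so results repeat."""
    ra = bytes(range(16))
    req = access_request(7, [(USER_NAME, b"jsmith"), (NAS_PORT_TYPE, 0)], ra)
    other = access_request(8, [(USER_NAME, b"jsmith")], ra)
    accept = response(ACCESS_ACCEPT, req, secret)
    mismatched = response(ACCESS_ACCEPT, req, b"some-other-secret")
    start = accounting_request(9, [(ACCT_STATUS_TYPE, ACCT_START),
                                   (USER_NAME, b"jsmith")], secret)
    return {
        "genuine_accept": verify_response(accept, req, secret),
        "accept_wrong_secret": verify_response(mismatched, req, secret),
        "accept_for_other_request": verify_response(accept, other, secret),
        "acct_start_genuine": verify_accounting_request(start, secret),
        "acct_start_wrong_secret": verify_accounting_request(start, b"some-other-secret"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

A mismatched secret between NAS and IAS shows up exactly as the two failing checks here: every Access-Accept is discarded by the NAS and every Accounting-Request is discarded by IAS.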

Setup

To set up IAS to support this scenario, complete these steps:

  1. Verify that the domain controllers have been configured to support the remote users.

  2. Install and configure IAS.

  3. Copy the IAS configuration from the primary IAS server to the backup IAS server.

  4. Register the primary and backup IAS servers with Active Directory.

  5. Verify the configuration of RADIUS accounting and authentication on the NASs.

  6. Verify the connection capabilities of the remote users.

The following information provides details about each of these setup steps and the requirements for their completion:

Step 1: Verify that the domain controllers have been configured to support the remote users.

Verify that the remote users are in the appropriate universal and nested groups, that the computer running IAS has permission to read the user accounts in the domain, and that the user names and passwords are valid by testing their ability to log on to the LAN.

Note: If you specify support for CHAP, you need to configure support for reversibly encrypted passwords. For more information, see Windows 2000 Server online Help.

Step 2: Install and configure IAS.

To set up the primary IAS server in the corporate network, do the following:

  1. Verify that the IAS server is a member of the forest against which it will authenticate remote users (a trust relationship is required for this, and all domains in Active Directory forests automatically have trust relationships with each other). If IAS and the user account are not in the same forest, the domain for the user account must have a trust relationship with the domain in which IAS is a member. For more information on trust relationships, see Understanding Domain Trusts in Windows 2000 Server Help.

  2. Log on with Local Administrative credentials.

  3. If you did not select IAS as an optional component when you installed Windows 2000 Server, install it using Add/Remove Programs in Control Panel.

  4. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  5. In the Internet Authentication Service console, right-click Internet Authentication Service and then click Properties to configure the properties for the primary IAS server:

    • On the Service tab, select both options for event logs.

    • On the RADIUS tab, specify the RADIUS authentication and RADIUS accounting UDP ports to be used, and then click OK.

      Note: These ports must be the same as those used by the NASs. The current RADIUS standards are UDP ports 1812 (for RADIUS authentication) and 1813 (for RADIUS accounting). The default values are set to the commonly used values: UDP ports 1812 and 1645 for authentication and 1813 and 1646 for accounting. If you are unsure of your port settings, see your vendor-specific documentation for the NAS.

    • Realm names are not used in this example, and no information is required on the Realms tab.

  6. Configure IAS support for the RADIUS clients. To do this, in the console tree, right-click Clients, click New Client, and then follow the directions to add and specify information about each RADIUS client (each NAS), specifying the Friendly name, Protocol (specified as Radius), Client address, Client-Vendor information (specified as RADIUS Standard), and the Shared secret.

    Notes: Ensure that the shared secrets for both authentication and accounting in IAS match those specified for the NASs.

    Before enabling the option to check digital signatures, ensure that the NAS supports the sending of a digital signature for authentication types other than Extensible Authentication Protocol (EAP). For EAP, digital signature is always checked and you do not have to select the digital signature option.

  7. Set up remote access policies. Because permanent and contract employees have different access restrictions, set up separate policies for each:

    Set up the policy for permanent employees by doing the following:

    1. In the Internet Authentication Service console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

    2. In the Add Remote Access Policy dialog box, specify a name for the policy. For this scenario, you can enter Permanent employees, and then click Next.

    3. In the next dialog box, click Add to specify a condition for this policy.

    4. In the Select Attribute dialog box, under Attribute types, select Windows-Groups, and click Add twice. Then select the name of the groups to which this policy is to be applied (such as Permanent employees group), click Add, and then click OK twice.

    5. In the Add Remote Access Policy dialog box, click Next.

    6. Click Grant remote access permission, and then click Next.

    7. Click Edit Profile.

    8. In the Edit Dial-in Profile dialog box, on the Authentication tab, select MS-CHAP and MS-CHAP v2 as the authentication methods, and then click OK. Use the defaults for all other settings in the profile.

    9. Click Finish.

    Set up a remote access policy for contract employees that is the same as for permanent employees, except that it includes a condition that limits the hours of permitted access. To set up this policy, repeat the steps that you used to set up the policy for permanent employees, but specify the name of the policy as Contract Employees and then use the following steps to restrict access hours:

    1. In the details pane of the Internet Authentication Service console tree, double-click Contract Employees.

    2. In the Contract Employees Properties dialog box, click Add to add another condition.

    3. In the Select Attribute dialog box, select Day-And-Time-Restrictions, and then click Add.

    4. In the Time of day constraints dialog box, select the hours of access (for example, 7 AM to 7 PM on weekdays only), select Permitted, and then click OK twice.

      • To ensure that your configured policies do not conflict with the default policy (Allow access if dial-up permission is enabled), delete the default policy.

  8. Configure logging for user authentication and accounting.

    Although you can specify the basic logging configuration in IAS, you might want to create additional programs to use the logging data for accounting and troubleshooting. For example, you can set up a program to track departmental usage of remote access capabilities. For this scenario, consider the following when configuring logging:

    • You should use the database-import log format for your log files to facilitate incorporation and use of the data in your own programs. If you select this format, you can use a database program to directly analyze the log file for usage, access, and report generation.

    • You should specify that all types of requests received by the server (including authentication, accounting, and periodic updates) be logged. If you determine later that not all of this logging information is required, you can change your selection.

Step 3: Copy the IAS configuration from the primary IAS server to the backup IAS server.

Copy the client configurations, remote access policies, and logging configuration to the backup IAS server. For more information on copying the IAS configuration from one server to another, see the Remote access Policy Management section.

Step 4: Register the primary and backup IAS servers with Active Directory.

To authenticate users, the primary and backup IAS servers must be registered on the domain controllers in Active Directory in the built-in groups as members of the RAS and IAS Servers security group. Add the IAS servers by doing the following:

  1. Log on to the server using domain administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, click Users.

  4. In the details pane, right-click RAS and IAS Servers.

  5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the IAS servers.

Note: You can also use the netsh ras register server [domain] [server] command for server registration.

Step 5: Verify the configuration of RADIUS accounting and authentication on the NASs.

To ensure that the RADIUS accounting and authentication configuration has been appropriately configured on each NAS using Windows 2000 Server Routing and Remote Access, and to verify that the configuration matches that of IAS (as specified in Steps 2 and 3), do the following:

  1. Log on to the server using domain administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  3. For each NAS on which you have installed Routing and Remote Access, right-click the server name, click Properties, and then check the following information:

    • On the General tab, verify that Remote access server is selected.

    • On the Security tab, verify the following:

      • RADIUS Authentication is selected and is configured with the names of the primary and backup IAS servers, each with the appropriate shared secret and port. Be certain that MS-CHAP v2 and MS-CHAP are selected under Authentication Methods.

      • RADIUS Accounting is selected and is configured with the names of the primary and backup IAS servers, each with the appropriate shared secret and port, and with the Send RADIUS Accounting-On and Accounting-Off messages option selected.

    • On the IP tab, verify that the following are selected:

      • Enable IP routing.

      • Allow IP-based remote access and demand-dial connections.

      • Dynamic Host Configuration Protocol (DHCP).

Step 6: Verify the connection capabilities of the remote users.

The final step in setting up IAS is to verify that the remote dial-up users can use Network and Dial-up Connections to access the corporate network.

Implementation and Administration Considerations

Depending on the size of your corporation, a single IAS server is probably sufficient. In many cases, the IAS server can be installed on the same computer as the domain controller.

Note: This scenario provides a basic implementation plan for a corporate environment. You can adjust the number of servers and other implementation decisions to support the requirements of your environment.

All IAS administration can be managed remotely.

If remote access policies need to be updated, update the policies on the primary IAS server, and then copy the configuration to the other IAS servers.

Outsourced Corporate Access Through Service Providers

This section describes how IAS can be set up to support a corporation that has outsourced its remote dial-up access to an Internet service provider (ISP). In this scenario, the corporation has implemented a wholesale access agreement with the ISP and has a configuration that enables its corporate employees to access the corporate network by connecting to the ISP's worldwide Points of Presence (POPs).

This section covers the following:

  • Corporate characteristics and requirements for authentication using outsourced dial-up access.

  • Network components installed to support outsourced dial-up access in this corporate environment.

  • The remote user authentication process to be implemented using this scenario.

  • The configuration of the network components required to support this authentication process.

  • Implementation and administration considerations, including considerations for initiating ISP support for dial-up access.

Characteristics and Requirements

The corporation in this scenario has a large corporate location with remote users, each of whom requires secure access to the corporate network. The corporation has determined that it is more cost-effective to provide remote access by outsourcing the remote corporate access. The corporation requires a reliable method to authenticate remote users in an environment that has these characteristics:

  • The corporate network uses Active Directory to control user access.

  • Access capabilities are not identical for all employees, and access is given to specific employees based on the group to which they belong (for example, corporate employees are granted access, but contract employees are not).

  • The corporation has a large number of remote users who require a secure method for accessing the corporate network.

  • Members of the marketing and sales team travel internationally and require global access using local dial-up connections to minimize long distance charges.

  • The encryption and authentication requirements for the Internet connection are less stringent than those for the VPN connection. For example, in this scenario, the Internet connection uses CHAP and no encryption, but the VPN connection uses smart card and Extensible Authentication Protocol (EAP) with 128-bit encryption.

  • Users must be able to access the network when dialing in from home and during travel.

  • The ISP providing outsourced support for remote access has a large number of POPs worldwide, all of which must provide corporate users with secure access to the corporate network.

Note: This scenario includes only IAS setup and does not cover the complete configuration of all remote access and VPN components.

Network Components

In this scenario, a primary IAS server and a backup IAS server are set up on the corporate network to authenticate remote users. The following components are installed to support this scenario:

  • In the corporate network:

    • A primary IAS server and a backup IAS server that are running Windows 2000 Server and are connected to the corporate local area network (LAN) and the Internet. The IAS server serves as the RADIUS server, performing authentication, authorization, accounting, and auditing of remote access users.

    • Active Directory domain controllers that are running Windows 2000 Server and connected to the LAN. Active Directory contains the user accounts and groups used to set up remote access policies for remote users.

    • PPTP servers running Windows 2000 Server with Routing and Remote Access service enabled, configured to accept PPTP connections, and connected to the LAN and through a leased line to the Internet. The PPTP server has a network address on both the Internet and the private LAN and is used to provide users with VPN connections to the corporate network.

    Note: PPTP is a protocol for creating a secure connection. PPTP can encapsulate Point-to-Point Protocol (PPP) packets within Internet Protocol (IP) packets and forward them over any IP network, including the Internet.

  • At the ISP:

    • Network access servers (NASs) running Windows 2000 Server. The NAS operates as a RADIUS client. In this scenario, requests reach IAS through the RADIUS proxy server at the ISP and are routed to the corporate server. You can use any RADIUS-compatible NAS (such as Windows 2000 Routing and Remote Access service, Cisco, U.S. Robotics, Ascend, or others).

    • A RADIUS proxy server that acts as a RADIUS client to other servers.

  • For each remote dial-up user:

    • A computer that has a modem, or other supported communications device, and connection software and is configured to support standard dial-up access capabilities using PPP and VPN connections. In this scenario, Connection Manager service profiles are used to enable single-logon access through the ISP, using dial-up and VPN connections.

      Note: To use Connection Manager, the service profile must be delivered, installed, and set up on all computers requiring remote access. Connection Manager service profiles are created using the Connection Manager Administration Kit (CMAK) wizard. For more information on how to create, deliver, and set up Connection Manager service profiles, see Connection Manager Administration Kit in Windows 2000 Server Help.

    • Smart card access capabilities.

Authentication Process for This Scenario

The network components determine the authentication process. Using the setup and configuration as specified in this scenario, accounting and authentication occur as follows:

  • When the NAS is started, an Accounting-On packet is sent. If the RADIUS proxy server is appropriately configured to forward Accounting-On packets, the packet is forwarded to the IAS server at the corporation, where it is logged.

  • When a remote user dials in to the ISP, the process illustrated in Figure 25 takes place, and all requests and responses are logged:

    Figure 25: The Authentication Process for an Outsourced Corporate Access Scenario

    1. The user selects the present location and a local or other appropriate phone number (POP) for the ISP from the phone book in the Connection Manager service profile. Using CHAP authentication, the user connects to the ISP's NAS. Appended to the user name is a realm name, either specified by the user or automatically appended by Connection Manager. This name is used by the NAS to route the authentication and accounting requests to the IAS server in the corporate network.

    2. The NAS sends the RADIUS authentication request to the RADIUS proxy server.

    3. The RADIUS proxy server uses the realm name to route the request to the corporation's IAS server. This request may be routed through multiple RADIUS proxies (belonging to another ISP or a roaming consortium of ISPs) before reaching the corporate IAS server. IAS applies all realm-stripping rules for the user name.

      Note: When the user principal name is received from the user, IAS queries the global catalog and maps the user principal name suffix to a fully qualified domain name (FQDN).

    4. IAS forwards the authentication request to the domain controller, where the user credentials are checked.

    5. IAS evaluates the remote access policies and the user attributes to determine if dial-up access is allowed.

      Note: IAS requires permission to read the attributes from the user account. This permission is provided when the server is a member of the built-in RAS and IAS Servers security group.

    6. If a remote access policy is matched and the profile does not reject the user, then IAS sends an Access-Accept packet.

    7. The RADIUS proxy server forwards the Access-Accept packet.

    8. The user is granted access, based on the connection settings specified in the Access-Accept packet.

    9. The NAS assigns an IP address and other parameters to the client to start routing the packets sent to and received from the client.

    10. Connection Manager then initiates a tunnel to the PPTP server in the corporate network.

    11. The PPTP server sends an authentication request for this user to the IAS server, verifying VPN access capabilities.

    12. The IAS server receives the request and forwards the packet to the domain controller. Again, the user credentials are checked, the remote access policies and user attributes are evaluated, and the user is granted VPN access based on the connection settings specified in the Access-Accept packet.

    13. The PPTP server sends an Accounting-Start message to the RADIUS server.

      • During the session, interim accounting packets are sent by both the NAS and PPTP server.

      • When the user disconnects, the PPTP server sends an Accounting-Stop packet to the IAS server, indicating the end of the user session.
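Steps 1 to 3 above turn on the realm appended to the user name: the ISP's proxy routes on it, and IAS strips it again before the account is looked up. The following is an added example for this page (not the ISP's proxy or IAS code) that models that pipeline; the realm suffix `corp.example`, the routing table, the replace rules and the UPN-suffix map are constructed assumptions. It also covers the case the text implies but does not spell out: a UPN such as `jsmith@sales` with the ISP realm appended after it.

```python
"""Realm-based proxy routing, IAS realm stripping and UPN-suffix mapping.
Constructed example; every host name, realm and rule below is made up."""
import re

# Constructed proxy routing table at the ISP: realm suffix -> (RADIUS server, port).
PROXY_ROUTES = {
    "corp.example": ("ias1.corp.example", 1812),
    "roaming.example": ("proxy.roaming.example", 1812),   # next hop of a roaming consortium
}
LOCAL_AUTH = ("radius.isp.example", 1812)   # the ISP's own subscribers

# Constructed IAS realm rules (Realms tab), applied in order to the received User-Name.
IAS_REALM_RULES = [
    (r"@corp\.example$", ""),   # remove the ISP-facing realm suffix
    (r"^CORP\\", ""),           # remove a legacy DOMAIN\ prefix some clients send
]

# Constructed UPN suffix -> Active Directory domain FQDN (what the global catalog answers).
UPN_SUFFIX_TO_FQDN = {"corp.example": "corp.example", "sales": "sales.corp.example"}
IAS_HOME_DOMAIN = "corp.example"   # used for a bare SAM account name


def realm_of(user_name):
    """Realm the proxy routes on: the right-most '@' suffix, if there is one."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    return None


def proxy_route(user_name, routes=PROXY_ROUTES, local=LOCAL_AUTH):
    """ISP RADIUS proxy: forward by realm; no realm or an unknown realm is a local user."""
    realm = realm_of(user_name)
    if realm is None:
        return local
    return routes.get(realm, local)


def apply_realm_rules(user_name, rules=IAS_REALM_RULES):
    """IAS: apply each find/replace rule once, in the configured order."""
    for pattern, replacement in rules:
        user_name = re.sub(pattern, replacement, user_name, count=1)
    return user_name


def resolve_account(user_name, suffixes=UPN_SUFFIX_TO_FQDN):
    """IAS: a remaining '@suffix' is a UPN whose suffix maps to a domain FQDN;
    an unknown suffix yields no domain, so the domain controller is never asked."""
    if "@" in user_name:
        account, suffix = user_name.rsplit("@", 1)
        return account, suffixes.get(suffix.lower())
    return user_name, IAS_HOME_DOMAIN


def process(user_name):
    """Whole path of one User-Name: proxy routing, realm stripping, account resolution."""
    route = proxy_route(user_name)
    if route != PROXY_ROUTES["corp.example"]:
        return {"route": route, "handled_by_corporate_ias": False}
    stripped = apply_realm_rules(user_name)
    account, domain = resolve_account(stripped)
    return {"route": route, "handled_by_corporate_ias": True,
            "stripped": stripped, "account": account, "domain": domain}


if __name__ == "__main__":
    for name in ("jsmith@corp.example", "jsmith@sales@corp.example",
                 "CORP\\jsmith@corp.example", "jdoe", "jsmith@eng@corp.example"):
        print(name, "->", process(name))
```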

Setup

To set up IAS to support this scenario, complete the following steps:

  1. Verify that the firewall is appropriately set up to support IAS.

  2. Verify that the domain controllers have been configured to support the remote users.

  3. Install and configure IAS.

  4. Copy the IAS configuration from the primary IAS server to the backup IAS server.

  5. Register the primary and backup IAS servers with Active Directory.

  6. Verify that the PPTP servers are appropriately set up to support RADIUS accounting and authentication and properly configured for VPN connections.

  7. Verify the configuration of RADIUS accounting and authentication on the ISP's RADIUS proxy server.

  8. Verify connection capabilities for remote users.

The following information provides details about each of these setup steps and about the requirements for their completion.

Step 1: Verify that the firewall is appropriately set up to support IAS.

For information on how to set up the firewall, see the section on Security and IAS.

Step 2: Verify that the domain controllers have been configured to support the remote users.

Verify that groups have been created for the users (in this scenario, with permanent and contract employees in separate groups), the remote users are in the appropriate universal and nested groups, the computer running IAS has permission to read the user accounts in the domain, and the user names and passwords are valid on the LAN. Because you are using groups, verify that remote access permission is set to Control access through Remote Access Policy in the user account. Also verify that Active Directory is in native mode and, for permanent employees using CHAP authentication, that reversibly encrypted password storage has been enabled.

Note: If you specify support for CHAP, you need to configure support for reversibly encrypted passwords.

Step 3: Install and configure IAS.

To set up the primary IAS server, do the following:

  1. Verify that the server running IAS is a member of the forest against which it will authenticate remote users (because a trust relationship is required for this, and all domains in Active Directory forests automatically have trust relationships with each other). If IAS and the user account are not in the same forest, then the domain for the user account must have a trust relationship with the domain of which IAS is a member. For more information on trust relationships, see Understanding Domain Trusts in Windows 2000 Server Help.

  2. Log on to the server with administrative credentials.

  3. If you did not select IAS as an optional component when you installed Windows 2000 Server, install it using Add/Remove Programs in Control Panel.

  4. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  5. In the Internet Authentication Service console, right-click Internet Authentication Service, and then click Properties to configure these properties for the primary IAS server:

    • On the Service tab, select both options for event logs.

    • On the RADIUS tab, specify the RADIUS authentication and RADIUS accounting UDP ports to be used, and then click OK.

      Note: These ports must be the same as those used by the servers. The most current RADIUS standards are UDP ports 1812 (for RADIUS authentication) and 1813 (for RADIUS accounting). The default values are set to the commonly used values: UDP ports 1812 and 1645 for authentication and 1813 and 1646 for accounting. If you are unsure of your port settings, see your vendor-specific documentation for the NAS.

    • If the realm names used at the ISPs to access the corporate network are different from those required to access corporate domains, specify rules for manipulating the realm names on the Realms tab.

  6. Set up IAS support for the RADIUS clients. In the Internet Authentication Service console tree, right-click Clients, click New Client, and then follow the directions to add and include information about each RADIUS client (including the corporate network's PPTP and ISP's RADIUS proxy servers). Specify the Friendly name, Protocol (specified as Radius), Client address, Client-Vendor information (specified as RADIUS Standard), and the Shared secret.

    Notes: Ensure that the authentication and accounting shared secrets in IAS match those specified for the NASs.

    Before enabling the option for checking digital signatures, ensure that the NAS supports sending a digital signature for authentication types other than Extensible Authentication Protocol (EAP). For EAP, the digital signature option is always checked.

  7. Configure remote access policies to support permanent employee access through outsourced dial-up connection. To configure these policies, do the following:

    • Configure a remote access policy for smart card access that uses 128-bit encryption. In Internet Authentication Service console tree, right-click Remote Access Policies, and then click New Remote Access Policy. Use the New Remote Access Policy wizard to do the following:

      • Specify a Policy friendly name of Smart Card Access (or another, if preferred), and then click Next.

      • To add a condition, click Add, select Windows-Groups, click Add, click Add again, select the name of the group (such as Permanent corporate employees), click Add, and then click OK twice.

      • To add a second condition, click Add, select NAS-Port-Type, click Add, select Virtual (VPN), click Add, click OK, and then click Next.

      • Select Grant remote access permission, and then click Next.

      • Click Edit profile and then, on the Authentication tab, select Extensible Authentication Protocol, select Smart card or other certificate (TLS), and then click Configure.

      • In the Smart card or Other Certificate (TLS) Properties dialog box, select the machine certificate you want to use, and then click OK.

      • Click Finish to save the settings for this policy.

    • Set up a remote access policy for permanent employees. In Internet Authentication Service console tree, right-click Remote Access Policies, click New Remote Access Policy. Use the New Remote Access Policy wizard to do the following:

      • Specify the Policy friendly name, Permanent employees (or another, if preferred), and then click Next.

      • To add a condition, click Add, select Windows-Groups, click Add, select the name of the group (such as Permanent corporate employees), click Add, click OK twice, and then click Next.

      • Click Grant remote access permission, and then click Next.

      • Click Edit Profile and then, on the Authentication tab, select CHAP as the authentication method, and then click OK.

      • Click Finish to save the settings for this policy.

      Note: Because an access policy granting access is only defined for permanent employees, contract employees (who are in a different group) are denied access.

    • To ensure that the policies you configured do not conflict with the default policy (Allow access if dial-up permission is enabled), delete the default policy.

  8. Configure logging for user authentication and accounting.

    Although you can specify the basic logging configuration in IAS, you might want to create additional programs to use the logging data for accounting and troubleshooting. For example, you can set up a program to track departmental usage of remote access capabilities. For this scenario, consider the following when configuring logging:

    • You should use the database-import log format for your log files to facilitate incorporation and use of the data in your own programs. If you select this format, you can use a database program to analyze your log files for usage, access, and report generation.

    • You should specify that all three types of authentication and accounting requests received by the server be logged.

Step 4: Copy the IAS configuration from the primary IAS server to the backup IAS server.

Copy the IAS configuration, including IAS properties, client configurations, remote access policies, and logging configuration to the backup IAS server.

Step 5: Register the primary and backup IAS servers with Active Directory.

To be able to authenticate users, the primary and backup IAS servers must be members of the built-in RAS and IAS Servers security group in Active Directory on the domain controllers. Add the IAS servers by doing the following:

  1. Log on to the server using domain-administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, click Users.

  4. In the details pane, right-click RAS and IAS Servers.

  5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the IAS servers.

Note: You can also use the netsh ras register server [domain] [server] command for server registration.

Step 6: Verify that the PPTP servers are appropriately set up to support RADIUS accounting and authentication and are properly configured for VPN connections.

To ensure that RADIUS accounting and authentication have been set up correctly on each PPTP server (using the appropriate remote access software), and that the configuration matches that of IAS (with IAS configured as the authentication and accounting provider), do the following:

  1. Log on to the server using domain administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  3. For each PPTP server on which you have installed Routing and Remote Access, right-click the server name, click Properties, and then check the following:

    • On the General tab, verify that Remote access server is selected.

    • On the Security tab, verify the following:

      • RADIUS Authentication is selected and is configured with the names of the primary and backup IAS servers, each with the appropriate shared secret and port. Be certain that EAP is selected under Authentication Methods.

      • RADIUS Accounting is selected and configured with the names of the primary and backup IAS servers, each with the appropriate shared secret and port, and with the Send RADIUS Accounting On and Accounting Off messages option selected.

    • On the IP tab, verify that the following are selected:

      • Enable IP routing.

      • Allow IP-based remote access and demand-dial connections.

      • Dynamic Host Configuration Protocol (DHCP).

    • On the PPP tab, verify that all options are selected.

Verify that the PPTP servers are properly configured for VPN connections.

Step 7: Verify the configuration of RADIUS accounting and authentication on the ISP's RADIUS proxy server.

  1. Provide realm information to the ISP and verify that realm handling is appropriately configured on the RADIUS proxy server.

  2. Provide the shared secret to the ISP for configuration of the RADIUS proxy server and verify that the server is appropriately configured to handle the shared secret.

  3. Ask the ISP which attributes are sent in requests and what should be returned in the response.

  4. Ask whether the ISP’s RADIUS proxy server supports digital signatures. If it does, ensure that the profile is set up to require them.

  5. Check with the ISP to find out what hardware they use.

Step 8: Verify connection capabilities for remote users.

The final step in setting up IAS is to verify that the remote VPN users can use Connection Manager to access the corporate network.

  1. Verify that Connection Manager service profiles have been provided to users.

  2. Verify smart card access.

  3. After the service profiles are installed, verify that the phone numbers used to connect to the NASs are set up correctly and that the realm name is handled appropriately.

Implementation and Administration Considerations

All IAS administration can be managed remotely.

  • If remote access policies need to be updated, update the policies on the primary IAS server and then copy the IAS configuration to the other IAS servers.

  • Network access servers can be updated remotely.

  • Remote usage can be tracked on the corporate network.

This scenario provides a basic implementation plan for outsourced dial-up access for a corporate environment. When implementing IAS, you can adjust this scenario to support the requirements of your environment. Depending on the size of your corporation, a single IAS server is probably sufficient. In many cases, the IAS server can be installed on the same computer as the domain controller.

Internet Access

This section describes how IAS can be set up to support customer-authenticated dial-up connections to an Internet service provider (ISP). This scenario shows a typical setup and configuration for an ISP with customers who require access to the Internet.

This section covers the following:

  • ISP characteristics and requirements for authentication.

  • Network components installed to support this ISP environment.

  • The customer authentication process to be implemented using this scenario.

  • The setup of the network components required to support this authentication process.

  • Implementation and administration considerations.

Characteristics and Requirements

The ISP in this scenario has a single data center that supports a large number of users, with NASs distributed across multiple Points of Presence (POPs). The ISP requires a reliable method to authenticate users in an environment that has these characteristics:

  • The ISP uses Active Directory to control user access.

  • The ISP offers two service plans. There is a basic unlimited access plan for users with dial-up modems and a premium plan that provides support for ISDN connections. Access is given to users based on the plan for which they sign up, which determines group membership.

  • Users must be able to access the network using local access numbers for each of the ISP's POPs.

Note: This scenario covers only how to set up IAS and some basic steps for configuring Windows 2000 Routing and Remote Access service.

Network Components

In this scenario, IAS servers are set up on the corporate network to authenticate users connecting through any POP that has been configured on any of the ISP's network access servers (NASs). The following components are installed to support this scenario:

  • At the ISP:

    • A primary IAS server and a backup IAS server running Windows 2000 Server. The IAS servers are used as the RADIUS servers, performing authentication, authorization, accounting, and auditing of all users.

    • Active Directory domain controllers running Windows 2000 Server. Active Directory contains the user accounts and groups used to set up remote access policies for all users.

    • Network access servers (NASs) running the Routing and Remote Access service component of Windows 2000 Server and connected to the LAN. The NAS operates as a RADIUS client and is used to pass user information to the appropriate RADIUS servers (in this scenario, IAS), acting on the response.

    Note: This scenario uses Routing and Remote Access servers as the NASs. If you use other RADIUS-compatible NASs (such as CISCO, Ascend, or US Robotics), you must change the configuration to reflect the use of the other NASs.

  • For each individual user of the basic plan (no ISDN support):

    • A computer configured to support standard dial-up capabilities using Point-to-Point Protocol (PPP). In this scenario, a Connection Manager service profile is used to enable access to the Internet through the ISP POPs.

  • For each individual user of the premium plan (with ISDN support):

    • A computer configured to support standard dial-up capabilities as well as ISDN direct access capabilities using PPP. The same Connection Manager service profile used for the basic plan is used to enable access through ISDN because the service profile contains both dial-up and ISDN POPs. Connection Manager makes the appropriate POPs available based on the type of connection device the user selects.

    Note: To use Connection Manager, the service profile must be delivered, installed, and set up on all computers requiring remote access. Connection Manager service profiles are created with the Connection Manager Administration Kit (CMAK) wizard. For more information on how to create, deliver, and set up Connection Manager service profiles, see Connection Manager Administration Kit in Windows 2000 Server Help.

Authentication Process for This Scenario

The network components determine the authentication process. Using the setup and configuration as specified in this scenario, accounting and authentication are accomplished as follows:

  • When the NAS is started, an Accounting-On packet is sent.

  • When a remote user connects to one of the ISP POPs, the process illustrated in Figure 26 occurs and all requests and responses are logged:

    Figure 26: The Authentication Process for an Outsourced Corporate Access Scenario

    1. The user selects the present location and an appropriate phone number (POP) for the ISP from the phone book in the Connection Manager service profile.

    2. The NAS sends the RADIUS authentication request to the IAS server.

    3. IAS forwards the authentication request to the domain controller at that location and the user credentials are checked.

    4. IAS evaluates the remote access policies and user attributes to determine if dial-up access is allowed.

      Note: IAS requires permission to read the attributes from the user account. This permission is granted if the server is a member of the built-in RAS and IAS Servers security group.

    5. If a remote access policy is matched and the profile does not reject the user, then IAS sends an Access-Accept packet.

    6. The user is granted access based on the connection settings specified in the Access-Accept packet. The NAS then assigns an IP address and other parameters to the client and starts routing the packets sent to and received from the client.

      • The NAS sends an Accounting-Start packet to the IAS server, indicating that the user session has started.

      • During the session, interim accounting packets are sent.

      • When the user disconnects, the NAS sends an Accounting-Stop packet to the IAS server, indicating the end of the user session.
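The exchange above relies on the shared secret configured on both the NAS and IAS (Step 2, item 6) and, where the NAS supports it, on a digital signature in the request. The following Python script is an added example, not code from this page or from Windows 2000 IAS, that builds and verifies the three message types in the process: the Accounting-On and Accounting-Start requests (RFC 2866 authenticator), the Access-Request carrying a Message-Authenticator attribute (RFC 2869, the digital signature the page refers to), and the Access-Accept whose Response Authenticator binds it to the request (RFC 2865). The user name, identifiers and secrets are constructed; the attribute type numbers and status values are the standard RADIUS ones.

```python
"""Added example: the RADIUS integrity checks behind the NAS <-> IAS exchange
(RFC 2865 authenticators, RFC 2866 accounting authenticator, RFC 2869
Message-Authenticator). The user name, identifiers and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_NAS_PORT_TYPE = 1, 40, 61
ATTR_MESSAGE_AUTHENTICATOR = 80
ACCT_START, ACCT_STOP, ACCT_ON = 1, 2, 7   # Acct-Status-Type values (RFC 2866)
NAS_PORT_VIRTUAL = 5                       # NAS-Port-Type "Virtual", i.e. VPN (RFC 2865)


def encode_attrs(attrs):
    """Type-Length-Value encoding; integer values are 32-bit big-endian."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def header(code, ident, body):
    return struct.pack("!BBH", code, ident, 20 + len(body))


def access_request(ident, request_auth, attrs, secret):
    """NAS -> IAS. request_auth is the 16 random bytes of the Request Authenticator.
    The Message-Authenticator (attr 80) is HMAC-MD5 over the whole packet with its
    own value zeroed; this is the 'digital signature' IAS can be told to require."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    mac = hmac.new(secret, header(ACCESS_REQUEST, ident, body) + request_auth + body,
                   hashlib.md5).digest()
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    return header(ACCESS_REQUEST, ident, body) + request_auth + body


def verify_message_authenticator(packet, secret):
    """IAS side: find attr 80 and recompute it with its value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False   # no signature present: a server requiring signatures rejects this


def access_response(code, ident, request_auth, attrs, secret):
    """IAS -> NAS. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    auth = hashlib.md5(header(code, ident, body) + request_auth + body + secret).digest()
    return header(code, ident, body) + auth + body


def verify_response(packet, request_auth, secret):
    """NAS side: the reply must be bound to the request it sent and to the secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def accounting_request(ident, attrs, secret):
    """NAS -> IAS. Accounting requests have no random authenticator: the field is
    MD5 over the packet with 16 zero bytes in its place, followed by the secret."""
    body = encode_attrs(attrs)
    auth = hashlib.md5(header(ACCOUNTING_REQUEST, ident, body) + b"\x00" * 16 + body + secret).digest()
    return header(ACCOUNTING_REQUEST, ident, body) + auth + body


def verify_accounting_request(packet, secret):
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate_exchange(ias_secret, nas_secret):
    """Run the scenario's exchange with the given secrets on each side and
    report which integrity checks pass. User name and identifiers are constructed."""
    results = {}
    acct_on = accounting_request(1, [(ATTR_ACCT_STATUS_TYPE, ACCT_ON)], nas_secret)
    results["accounting_on_ok"] = verify_accounting_request(acct_on, ias_secret)
    request_auth = os.urandom(16)
    req = access_request(2, request_auth, [(ATTR_USER_NAME, b"user@corp.example"),
                                           (ATTR_NAS_PORT_TYPE, NAS_PORT_VIRTUAL)], nas_secret)
    results["request_signature_ok"] = verify_message_authenticator(req, ias_secret)
    accept = access_response(ACCESS_ACCEPT, 2, request_auth, [], ias_secret)
    results["accept_ok"] = verify_response(accept, request_auth, nas_secret)
    start = accounting_request(3, [(ATTR_ACCT_STATUS_TYPE, ACCT_START)], nas_secret)
    results["accounting_start_ok"] = verify_accounting_request(start, ias_secret)
    return results


if __name__ == "__main__":
    print("matching secrets:  ", simulate_exchange(b"s3cret", b"s3cret"))
    print("mismatched secrets:", simulate_exchange(b"s3cret", b"wrong"))
```

Running it with matching secrets makes every check pass; with a mismatched secret (the most common misconfiguration the verification steps in this scenario are meant to catch) every check fails, which on a real IAS server shows up as discarded requests in the event log rather than as an Access-Reject.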

Setup

To set up IAS to support this scenario, complete these steps:

  1. Verify that the domain controllers have been configured to support remote users.

  2. Install and configure IAS.

  3. Copy the IAS configuration from the primary IAS server to the backup IAS server.

  4. Register the primary and backup IAS servers with Active Directory.

  5. Verify the configuration of RADIUS accounting and authentication on the NASs.

  6. Verify connection capabilities for remote users.

The following information covers each step and the requirements to complete them.

Step 1: Verify that the domain controllers have been configured to support remote users.

Verify that the users are configured with user principal names and are in the appropriate universal and nested groups. Make sure that the computer running IAS has permission to read the user accounts in the domain. In this scenario, you can set up two universal groups (one for users of the basic plan and one for users of the premium ISDN plan). Because of the large number of potential users, you can create global groups, nested in the universal groups, and put users in the sub-groups (not directly in the universal groups). Verify that the user names and passwords are valid on the LAN.

Verify that CHAP and MS-CHAP are supported on the domain controllers.

Notes: The user principal names created for the users should contain the @ (at sign) followed by the ISP's name (for example, Username@ISPName).

To support CHAP, you need to configure support for reversibly encrypted passwords and enable plaintext passwords.

Step 2: Install and configure IAS.

To set up the primary IAS server, do the following:

  1. Verify that the server running IAS is a member of the forest against which it will authenticate remote users (since a trust relationship is required for this, and all domains in Active Directory forests automatically have trust relationships with each other). If IAS and the user account are not in the same forest, then the domain for the user account must have a trust relationship with the domain of which IAS is a member. For more information on trust relationships, see Understanding Domain Trusts in Windows 2000 Server Help.

  2. Log on with Local Administrative credentials.

  3. If you did not select IAS as an optional component when you installed Windows 2000 Server, install it using Add/Remove Programs in Control Panel.

  4. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  5. In the Internet Authentication Service console, right-click Internet Authentication Service and then click Properties to configure the properties for the primary IAS server:

    • On the Service tab, select both options for event logs (you can later clear any options that are not useful in your environment).

    • On the RADIUS tab, specify the RADIUS authentication and RADIUS accounting UDP ports to be used, and then click OK.

      Note: These ports must be the same as those used by the NASs. The most current RADIUS standards are UDP ports 1812 (for RADIUS authentication) and 1813 (for RADIUS accounting). The default values are set to the commonly used values: UDP ports 1812 and 1645 for authentication and 1813 and 1646 for accounting. If you are unsure of your port settings, see your vendor-specific documentation for the NAS.

    • Realm names are not used in this example and information is not required on the Realms tab.

  6. Set up IAS support for the RADIUS clients. In the Internet Authentication Service console tree, right-click Clients, and click New Client. Then follow the directions to add and specify information about each RADIUS client (NAS), specifying the Friendly name, Protocol (specified as RADIUS), Client address, Client-Vendor information (specified as RADIUS Standard), and the Shared secret.

    Notes: Ensure that the authentication and accounting shared secrets in IAS match those specified for the NASs.

    Before enabling the option to check digital signatures, ensure that the NAS supports sending a digital signature for authentication types other than Extensible Authentication Protocol (EAP).

    For EAP, digital signatures are always used and you do not have to select the digital signature option.

  7. Set up the remote access policies. Because most basic plans for ISPs do not include ISDN access, you should set up two groups. One should support multi-link connections (for premium plans) and one should not (for a basic plan).

    • Set up a remote access policy for the basic plan (non-ISDN users) by doing the following:

      • In the Internet Authentication Service console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

      • Using the Add Remote Access Policy wizard, specify a Policy friendly name for the policy (for this scenario, you can enter Basic Plan), and then click Next.

      • In the next dialog box, click Add, select Windows-Groups, click Add, click Add again, select the groups to which this policy applies (such as Basic Plan users), click Add, click OK twice, and then click Next.

      • Click Grant remote access permission, and then click Next.

      • Click Edit Profile.

      • On the Authentication tab, select CHAP, MS-CHAP, and MS-CHAP v2 as the authentication methods.

      • On the Dial-in Constraints tab, select Async and Sync, and then click OK.

      • Click Finish.

    • Set up a remote access policy for the premium plan that is the same as for the basic plan, except that it supports ISDN access. To set up this policy, repeat the steps that you used to set up the policy for the basic plan, but specify the name of the policy as Premium Plan, and select the Windows-Groups that contain the users who will have ISDN access. On the Dial-in Constraints tab, check all of the ISDN options (in addition to the options selected for the basic plan).

    • To ensure that the policies you configured do not conflict with the default policy (Allow access if dial-up permission is enabled), delete the default policy.

  8. Configure logging for user authentication and accounting.

    Although you can specify the basic logging configuration in IAS, you might want to create additional programs to use the logging data for accounting and troubleshooting. For example, you can set up a program to track departmental usage of remote access capabilities. For this scenario, consider the following when configuring logging:

    • You should use the database-import log format for your log files to facilitate incorporation and use of the data in your own programs. If you select this format, you can use a database program to analyze your log files for usage, access, and report generation.

    • You should specify that all types of requests received by the server (including authentication, accounting, and periodic updates) be logged.
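Both logging passages (Step 8 here and Step 8 of the outsourced corporate access scenario) recommend the database-import format so the records can be processed by your own programs. The following Python script is an added example, not part of this page or of IAS, of such a program: it parses comma-separated log records and reports accepts, rejects, NAS restarts and per-user session time. The column list and the log lines are constructed for the example; the real IAS database-compatible format has a longer fixed column order, so set COLUMNS from the IAS documentation for your version. Packet-Type and Acct-Status-Type values are the standard RADIUS ones.

```python
"""Added example: analysing IAS database-import style log records.
COLUMNS and SAMPLE_LOG are constructed for the example; map COLUMNS to the
real IAS column order before running this against production logs."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed subset of columns, in the order used by SAMPLE_LOG below.
COLUMNS = ["Computer-Name", "Service-Name", "Record-Date", "Record-Time",
           "Packet-Type", "User-Name", "Policy-Name", "Reason-Code",
           "Acct-Status-Type", "Acct-Session-Id", "Acct-Session-Time", "NAS-Port-Type"]
INT_FIELDS = {"Packet-Type", "Reason-Code", "Acct-Status-Type",
              "Acct-Session-Time", "NAS-Port-Type"}

# Standard RADIUS code points (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ACCT_START, ACCT_STOP, ACCT_INTERIM, ACCT_ON, ACCT_OFF = 1, 2, 3, 7, 8

# Constructed records: a NAS restart, one complete session for alice (with an
# interim update), and a rejected attempt by bob.
SAMPLE_LOG = """
"IAS1","IAS","03/14/2001","08:00:01",4,,,,7,,,
"IAS1","IAS","03/14/2001","08:15:10",1,"alice@corp.example","Permanent employees",,,,,5
"IAS1","IAS","03/14/2001","08:15:10",2,"alice@corp.example","Permanent employees",,,,,5
"IAS1","IAS","03/14/2001","08:15:11",4,"alice@corp.example","Permanent employees",,1,"0001",,5
"IAS1","IAS","03/14/2001","08:45:11",4,"alice@corp.example","Permanent employees",,3,"0001",1800,5
"IAS1","IAS","03/14/2001","09:15:11",4,"alice@corp.example","Permanent employees",,2,"0001",3600,5
"IAS1","IAS","03/14/2001","09:20:00",1,"bob@corp.example",,,,,,5
"IAS1","IAS","03/14/2001","09:20:00",3,"bob@corp.example",,48,,,,5
"""


def parse_log(text):
    """Return one dict per record, with numeric fields converted to int (or None)."""
    rows = []
    for fields in csv.reader(StringIO(text.strip())):
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {fields}")
        row = dict(zip(COLUMNS, fields))
        for key in INT_FIELDS:
            row[key] = int(row[key]) if row[key] != "" else None
        rows.append(row)
    return rows


def summarize(rows):
    """Aggregate accepts, rejects, NAS restarts and session time per user.

    Session time is taken from Accounting Stop records only: interim updates
    carry the cumulative time so far and would be double counted otherwise."""
    report = {"accepts": defaultdict(int), "rejects": defaultdict(int),
              "reject_reasons": defaultdict(int), "session_seconds": defaultdict(int),
              "nas_restarts": 0}
    open_sessions = {}
    for r in rows:
        user = r["User-Name"]
        if r["Packet-Type"] == ACCESS_ACCEPT:
            report["accepts"][user] += 1
        elif r["Packet-Type"] == ACCESS_REJECT:
            report["rejects"][user] += 1
            report["reject_reasons"][r["Reason-Code"]] += 1
        elif r["Packet-Type"] == ACCOUNTING_REQUEST:
            status = r["Acct-Status-Type"]
            if status == ACCT_ON:
                report["nas_restarts"] += 1
            elif status == ACCT_START:
                open_sessions[r["Acct-Session-Id"]] = user
            elif status == ACCT_STOP:
                open_sessions.pop(r["Acct-Session-Id"], None)
                report["session_seconds"][user] += r["Acct-Session-Time"] or 0
    # Sessions that started but never stopped (crashed NAS, lost Stop packet).
    report["unterminated_sessions"] = set(open_sessions)
    return report


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, dict) else value}")
```

The unterminated-sessions check is the one worth keeping an eye on in practice: a Start with no matching Stop after a NAS restart (Accounting-On) usually means a session ended without being billed or logged, which is exactly the gap that logging all three request types is meant to close.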

Step 3: Copy the IAS configuration from the primary IAS server to the backup IAS server.

Copy the client configurations, remote access policies, and logging configuration to the backup IAS server.

Step 4: Register the primary and backup IAS servers with Active Directory.

To authenticate users, the primary and backup IAS servers must be members of the built-in RAS and IAS Servers security group in Active Directory on the domain controllers. Add the IAS servers by doing the following:

  1. Log on to the server using domain administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, click Users.

  4. In the details pane, right-click RAS and IAS Servers.

  5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the IAS servers.

Note: You can also use the netsh ras register server [domain] [server] command for server registration.

Step 5: Verify the configuration of RADIUS accounting and authentication on the NASs.

To ensure that RADIUS accounting and authentication have been set up correctly on each NAS running the Windows 2000 Server Routing and Remote Access service, and that the configuration matches that of IAS (as specified in Steps 2 and 3), do the following:

  1. Log on to the server using domain administrator credentials.

  2. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  3. For each NAS on which you have installed Routing and Remote Access service, right-click the server name, click Properties, and then check the following information:

    • On the General tab, verify that Remote access server is selected.

    • On the Security tab, verify the following:

      • RADIUS Authentication is selected and is configured with the names of the primary and backup IAS servers. Verify that each IAS server is configured with the appropriate shared secret and port, and that CHAP, MS-CHAP v2, and MS-CHAP are selected under Authentication Methods.

      • RADIUS Accounting is selected and is configured with the names of the primary and backup IAS servers, each with the appropriate shared secret and port, and with the Send RADIUS Accounting On and Accounting Off messages option selected.

    • On the IP tab, verify that the following are selected:

      • Enable IP routing.

      • Allow IP-based remote access and demand-dial connections.

      • Dynamic Host Configuration Protocol (DHCP).

Step 6: Verify connection capabilities for remote users.

The final step in setting up IAS is to verify that the remote dial-up users can use Network and Dial-up Connections to access the ISP.

Implementation and Administration Considerations

Depending on the size of your corporation, a single IAS server is probably sufficient. In many cases, the IAS server can be installed on the same computer as the domain controller.

Note: This scenario provides a basic implementation plan for a corporate environment. Tailor the number of servers and other implementation decisions to support the requirements of your environment.

If remote access policies need to be updated, update the policies on the primary IAS server, and then copy the IAS configuration to the other IAS servers.