Dial-Up and VPNs with Radius Authentication


In addition to VPN-based remote access, the network administrator for Electronic, Inc. wants to provide modem-based dial-up remote access for employees of the New York office. All employees of the New York office belong to a Windows 2000-based group called NY_Employees. A separate remote access server running Windows 2000 provides dial-up remote access at the phone number 555-0111. Rather than administer the remote access policies of both the VPN server and the remote access server separately, the network administrator is using a computer running Windows 2000 with the Internet Authentication Service (IAS) as a RADIUS server. The IAS server has an IP address of 172.31.0.9 on the Electronic, Inc. extranet and provides centralized remote access authentication, authorization, and accounting for both the remote access server and the VPN server.

Figure 6 shows the Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server.

Figure 6: The Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server


Domain Configuration
For each New York office employee that is allowed dial-up access, the remote access permission for the dial-in properties of the user account is set to Control access through Remote Access Policy.

Remote Access Policy Configuration
Remote access policies must be modified in two ways:

  1. The existing remote access policies that are configured on the VPN server running Windows 2000 must be copied to the IAS server.

  2. A new remote access policy is added for dial-up remote access clients on the IAS server.

Copying the Remote Access Policies
Once the VPN server running Windows 2000 is configured to use RADIUS authentication, the remote access policies stored on the VPN server are no longer used. Instead, the remote access policies stored on the IAS server running Windows 2000 are used. Therefore, the current set of remote access policies is copied to the IAS server.

For more information, see the "Copying the IAS Configuration to Another Server" procedure in Appendix A.

Creating a New Remote Access Policy for Dial-up Remote Access Clients
To define the authentication and encryption settings for dial-up connections by employees of the New York office, the following remote access policy is created on the RADIUS server computer:

  • Policy name: Dial-Up for New York Employees

  • Conditions:

    • NAS-Port-Type is set to all types except Virtual (VPN).

    • Windows-Groups is set to NY_Employees.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) are also selected.

    • Encryption tab: All options are selected.

RADIUS Configuration
To configure RADIUS authentication and accounting, the network administrator for Electronic, Inc. configures the following:

  • The RADIUS server is a computer running Windows 2000 Server with the Internet Authentication Service networking component installed. The Internet Authentication Service is configured for two RADIUS clients: the remote access server and the VPN server. For more information, see the "Registering RADIUS Clients" procedure in Appendix A.

  • The remote access server running Windows 2000 is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret. For more information, see the "Configuring RADIUS Authentication" and "Configuring RADIUS Accounting" procedures in Appendix A.

  • The VPN server running Windows 2000 is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret. For more information, see the "Configuring RADIUS Authentication" and "Configuring RADIUS Accounting" procedures in Appendix A.

Dial-up Remote Access Client Configuration
The Make New Connection wizard is used to create a dial-up connection with the following setting:

  • Phone number: 555-0111