Determine the Role of the IAS Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can configure your IAS server to act as a RADIUS server, a RADIUS proxy, or both, depending on where you want network access requests to be authenticated.

RADIUS server

If you want your IAS server to authenticate the connection requests that it receives, rather than forwarding connection requests to another IAS server, use the IAS server as a RADIUS server. For example, if your access servers connect directly to your network, then the IAS server is configured as a RADIUS server to authenticate the connection.

Figure 7.4 shows an IAS server configured as a RADIUS server. An access client connects to an access server. The access server sends a connection request to an IAS RADIUS server located on the corporate network, which authenticates and authorizes the connection attempt.

Figure 7.4   IAS Configured as a RADIUS Server

RADIUS proxy

If you want an IAS server to forward connection requests to another IAS server, use IAS as a RADIUS proxy. Use the RADIUS proxy capabilities in the following situations.

Using IAS proxy at a third-party ISP

You are an ISP providing outsourced network connection services to multiple customers. Your network access servers send connection requests to the IAS RADIUS proxy. Based on the realm portion of the user name in the connection request, the IAS RADIUS proxy forwards the connection request to a RADIUS server maintained by the customer that can authenticate and authorize the connection attempt.

Figure 7.5 shows an IAS server configured as a RADIUS proxy. An access client contacts an access server at an ISP. The ISP access server sends a connection request to an IAS RADIUS proxy. Based on the realm portion of the user name in the connection request, the IAS RADIUS proxy forwards the connection request to a RADIUS server located on the corporate network, which authenticates and authorizes the connection attempt.

Figure 7.5   IAS Configured as a RADIUS Proxy at a Third-Party ISP

Using IAS proxy with multiple forests

You have multiple forests and want to perform cross-forest authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). Rather than configuring your access servers to send their connection requests to an IAS RADIUS server, configure them to send their connection requests to an IAS RADIUS proxy.

Figure 7.6 shows an IAS server configured as a RADIUS proxy forwarding RADIUS messages to RADIUS servers in multiple forests. The IAS RADIUS proxy uses the domain name portion of the user name and forwards the request to an IAS server in each forest.

Figure 7.6   IAS as a RADIUS Proxy with Multiple Forests

Using IAS proxy for load balancing

You want to increase the capacity for connection requests. In this case, rather than configure your access servers to attempt to load balance across multiple RADIUS servers, configure them to send their connection requests to an IAS RADIUS proxy. The IAS RADIUS proxy can load balance across multiple RADIUS servers and scale up to large numbers of RADIUS clients and authentications per second.

Figure 7.7 shows an access server forwarding a request to a RADIUS proxy to load balance to multiple RADIUS servers. The remote client connects to a RADIUS client, such as an access server. The access server sends the authentication request to the RADIUS proxy, which load balances the request across different IAS servers.

Figure 7.7   Load Balancing

IAS server and proxy

If you need your IAS server to authenticate some requests and forward other requests, use IAS as both a RADIUS server and a RADIUS proxy. For example, if you are performing cross-forest authentication, use your IAS server as a RADIUS server to authenticate users in the same forest, and use it as a RADIUS proxy to forward authentication requests to another IAS server for users in another forest.

Figure 7.8 shows an IAS server configured to be both a RADIUS server and a RADIUS proxy. The remote client connects to an IAS server configured as both a RADIUS server and a RADIUS proxy. Based on the realm portion of the access client user name, the IAS server determines whether to authenticate the request directly or forward the authentication request on to another IAS server in a different forest.

Figure 7.8   IAS Configured as Both a RADIUS Server and a RADIUS Proxy
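
The realm-based decision described above (authenticate locally or forward to another forest) can be modeled as follows. This is an added illustration, not Microsoft code or IAS configuration. The realm names, the server group name, and the choices to authenticate realm-less names locally and to reject unknown realms are assumptions of this sketch.

```python
# Added illustration: realm-based routing for a combined RADIUS server/proxy.
# Realm names and the server group name are constructed placeholders.

LOCAL_REALMS = {"corp.example.com", "corp"}   # authenticated by this server
REMOTE_GROUPS = {                             # realm -> remote RADIUS server group
    "partner.example.net": "partner-forest-radius",
    "partner": "partner-forest-radius",
}


def split_realm(user_name):
    """Return (realm, user) from a User-Name value; realm is None if absent.

    Handles DOMAIN\\user and user@realm. A backslash prefix takes precedence
    (a choice made for this sketch). Realms are lowercased so that matching
    is case-insensitive.
    """
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    elif "@" in user_name:
        user, _, realm = user_name.rpartition("@")
    else:
        return None, user_name
    return realm.strip().lower(), user


def route(user_name, local_realms=LOCAL_REALMS, remote_groups=REMOTE_GROUPS):
    """Return ("local", None), ("forward", group) or ("reject", reason)."""
    realm, user = split_realm(user_name)
    if not user or realm == "":
        return "reject", "malformed user name"
    # Assumption: a name with no realm belongs to the local forest.
    if realm is None or realm in local_realms:
        return "local", None
    if realm in remote_groups:
        return "forward", remote_groups[realm]
    # Unknown realms are rejected rather than sent to a default destination,
    # so credentials are never relayed to a server that was not chosen for them.
    return "reject", "unknown realm"


if __name__ == "__main__":
    for name in ["alice@corp.example.com", "PARTNER\\bob", "carol",
                 "dave@unknown.example.org", "@corp.example.com"]:
        print(f"{name!r:30} -> {route(name)}")
```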
