Mapping network authentication and authorization

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Mapping network authentication and authorization

You can use IAS proxy to split network access authorization and authentication between two user account databases. You can authenticate visitors (such as partner organization employees) with their password-based credentials stored in an external partner organization user database, while performing authorization with your local Active Directory user account database. To split authentication and authorization, you must create a local user account for each visitor. The visitor account user name must map to an account in the partner organization user database with the same user name. When the visitor logs on to your network, the external user database provides authentication, while the local user database and remote access policies are used to process authorization.

The forwarding of authentication requests to the partner organization RADIUS server is necessary only when visitor authentication is performed with password-based credentials. Visitors can also be authenticated by mapping certificates to local user accounts. If a partner organization uses certificate-based authentication, you can authenticate visitors by trusting the partner organization certification authority (CA) and mapping visitor certificates to local user accounts. Because the visitor is authenticated locally with a certificate, it is not necessary to forward authentication requests to the remote RADIUS server at the partner organization.

For more information about certificate mapping, see Mapping certificates to user accounts, Map a certificate to a user account, and Map an account from a trusted non-Windows kerberos realm to a user account.

Mapping with password-based authentication

When partner organizations use password-based authentication, you must configure local user accounts for visitors and configure the IAS proxy server to forward authentication requests to a remote RADIUS server group that contains the partner company RADIUS server.

Configuring visitor user accounts

If you are using password-based authentication, you must create a user account for each visitor. The visitor user account must be created so that the user name in the local database and the user name in the partner organization user database match exactly. To allow visitors access to your organization network while authenticating them at their partner organization, perform the following actions to configure visitor accounts:

  • Add the user principal name suffix to the domain.

    For more information, see Add user principal name suffixes.

  • Create an organizational unit that will contain the user accounts for visitors.

    For more information, see Create a new organizational unit.

  • Create user accounts in the organizational unit for visitors.

    When you create the user account, the user logon name must exactly match the visitor's user logon name as configured in the user account database at the partner organization. For example, if the user's user logon name at Microsoft Corporation is user@microsoft.com, designate "user" as the User logon name while creating the new user account with Active Directory Users and Computers. Also, select the correct UPN suffix from the drop-down list of suffixes. For example, if in step one you added the UPN suffix "microsoft.com", select "@microsoft.com" from the list. For more information, see Create a new user account

  • Configure user account properties

    Make sure that the user account is configured in a way that will allow the visitor network access, but will also contain any necessary security restrictions. For example, in user account properties, on the Dial-in tab, you can set Remote Access Permission (Dial-in or VPN) to Allow access.

Configuring the IAS proxy server

To allow visitors access to your organization network, you need to perform the following actions on your IAS proxy server:

  • Configure the partner organization RADIUS server as a member of a Remote RADIUS server group.

    Run the New Remote RADIUS Server Group Wizard, create and name a custom group, and then add the partner organization RADIUS server (or servers) to the group. While adding each server, configure the shared secret (obtained from the partner organization) on the Authentication/Accounting tab of the Add RADIUS server dialog box.

    For more information, see Add a remote RADIUS server group and Configure the Members of a Remote RADIUS Server Group.

  • Configure a connection request policy for visitor access.

    To determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server, the IAS server uses connection request processing. When you allow visitor access with external authentication, you must configure a minimum of two connection request policies on your IAS proxy server. One policy allows your organization employees access, while denying access to other network access attempts. Another policy allows visitor access. When you configure your policy evaluation order, place the policy or policies for your organization users last, with the visitor policy processed first. For more information, see Change the policy evaluation order.

    To configure a connection request policy, run the New Connection Request Policy Wizard, create and name a custom policy, and then add Policy Conditions. You can configure as many conditions as you want, but you must include the User-Name attribute. Use wildcard and other characters described in Pattern matching syntax to configure a value that must be matched by the user principal name (UPN) suffix your visitors will use when logging on. For example, if you want to authenticate all visitors from Microsoft Corporation with this connection request policy, you can type "^.@microsoft\\.com$" in User-Name. In Request Processing Method, click Edit Profile, and then click the Advanced tab. Click Add, and then add the attribute Remote-RADIUS-to-Windows-User-Mapping, with the attribute value set to True. This attribute tells the IAS proxy server to authenticate users (whose properties match other policy conditions) against the RADIUS servers configured in the Remote RADIUS Server Group. On the Attribute tab, you can configure replacement text for the User-Name attribute, as well as configure any other attributes that you require. On the Authentication tab, click Forward requests to the following remote RADIUS server group for authentication, and then choose the Remote RADIUS server group that can authenticate your visitors.

    For more information, see Add a connection request policy, Realm names, Configure Connection Request Processing, and Connection Request Processing.

  • Configure a remote access policy for visitor access.

    Because you can create remote access policies that are based on different types of connections and group membership, you can create a remote access policy used specifically to process network access attempts by visitors. At minimum, you need two remote access policies: one for your employees and a different one for visitors. For more information, see Introduction to remote access policies and Remote Access Policies Examples.

  • Ensure that network access servers are configured as RADIUS clients to this IAS proxy.

    When visitors log on to your network, they do so through network access servers, such as wireless access points. These access points must be configured as RADIUS clients to your IAS proxy server.

    For more information, see Configure RADIUS Clients.

After the IAS proxy is configured to forward authentication requests and user accounts for visitors are created in Active Directory, the password-based authentication request is forwarded to the partner organization RADIUS server when the visitor logs onto your organization network. If the user is authenticated, authorization is performed against your organization Active Directory user database. Active Directory returns user attributes (values configured for the user account, such as Allow access on the Dial-in tab of user properties), and IAS performs policy evaluation against these local user account attributes.

Important

  • By configuring a local user account with the UPN of an account in the remote partner organization user account database, you map one account to the other. If the partner organization changes the user name of an account you have mapped, you must change the user name in your user account database, too.

Mapping with certificate-based authentication

Certificate-based authentication is more secure than password-based authentication. In addition, when you map certificates to user accounts instead of using password-based authentication methods, an authentication request is not forwarded to the partner organization RADIUS server and user account database. For these reasons, certificate mapping enhances security and can significantly reduce logon time for users.

A certificate is mapped to a user account in one of two ways: a single certificate is mapped to a single user account (one-to-one mapping) or multiple certificates are mapped to one user account (many-to-one mapping).

One-to-one mapping

For one-to-one mapping of certificates to visitor user accounts, you must perform the following steps:

  • Create a user account for each visitor according to the steps in "Configuring visitor user accounts."

    Because the user account itself is not mapped to the user account at the partner organization, the user account names do not have to exactly match the user account names in the partner organization user accounts database. Configuring the local account with the same user name, however, can make it easier to configure realm manipulation rules.

  • Map the certificate to a user account.

    For more information, see Mapping certificates to user accounts and Map a certificate to a user account

  • Perform cross-certification or authorize the partner organization CA as a qualified subordinate certification authority using a computer running Windows Server 2003, Enterprise Edition and Certificate Services.

    Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2003 domain functional level and clients running Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead.

    For more information, see Domain and forest functionality, Qualified subordination, Qualified subordination overview, and Perform qualified subordination.

  • Configure your IAS server or IAS proxy server

    Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with certificates, you are not required to use IAS as a proxy server.

Many-to-one mapping

Many-to-one certificate mapping allows you to map many certificates to one user account. After you have trusted the enterprise root CA of a partner organization, you can map all certificates issued by the partner organization CA to one account that you create in your local domain. This solution provides ease of management for many users, and eliminates the need to create an individual user account for every visitor to your organization.

For many-to-one mapping of certificates, you must perform the following steps:

  • Perform cross-certification or authorize the partner organization CA as a qualified subordinate certification authority using a computer running Windows Server 2003, Enterprise Edition and Certificate Services.

    Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2003 domain functional level and clients running Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead.

    For more information, see Domain and forest functionality, Qualified subordination, Qualified subordination overview, and Perform qualified subordination.

  • Create one user account and map the partner organization certificate to the account.

    For more information, see Mapping certificates to user accounts and Map a certificate to a user account.

  • Configure your IAS server or IAS proxy server

    Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with certificates, you are not required to use IAS as a proxy server.

For more information about designing your IAS proxy server deployment, see IAS as a RADIUS proxy design considerations.

Notes

  • After you run the New Remote RADIUS Server Group Wizard, the New Connection Request Policy Wizard is opened by default. If you do not want the New Connection Request Policy Wizard to open, click Start the New Connection Request Policy Wizard when this wizard closes in the New Remote RADIUS Server Group Wizard.

  • For strong security between your IAS proxy server and your partner organization RADIUS servers, you can use Internet Protocol security (IPSec). For more information, see Securing RADIUS traffic with IPSec. For additional security recommendations and concerns, see IAS as a RADIUS proxy security considerations and Security information for IAS.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.