Concepts for IAS
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol, specified in RFCs 2865, 2866, and 2869, which enables the use of a homogeneous or heterogeneous network of dial-up, VPN, wireless, or authenticating switch equipment. When a remote client tries to connect to an access server configured to use the RADIUS protocol, the access server sends the connection request to the IAS server by using the RADIUS protocol. When an IAS server is a member of an Active Directory® domain, IAS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an Active Directory domain.
In addition, the IAS server can accept or reject the request based on conditions that you specify in the remote access policies. Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. Access to the network resources can be controlled by applying policies to users or groups of users. For more information about using remote access policies to grant access, see "Remote Access Policies" in Help and Support Center for Windows Server 2003.
When using IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range. However, when using Windows Server 2003, Standard Edition, you can configure IAS with a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query.
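The following is an added example, not code from the page or from IAS, showing how a RADIUS server can resolve the client table described above (host address, fully qualified domain name, or, on Enterprise and Datacenter Edition, an address range) to the shared secret for an incoming request, and then use that secret to compute and check the RFC 2865 Response Authenticator. The client table, the stub DNS resolver and the packets are constructed for illustration; the address-range entries are modelled as CIDR prefixes, which is an assumption of this example rather than IAS's own configuration format.

```python
"""Resolve a RADIUS client and its shared secret, then sign/verify a reply.

Added example, not IAS code. The client table, FAKE_DNS and the packets are
constructed; CIDR notation for address ranges is an assumption.
"""
import hashlib
import hmac
import ipaddress
import struct

# Constructed RADIUS client table. A host entry may be an IP address or an
# FQDN; a range entry (Enterprise/Datacenter only) is written as a CIDR prefix.
# All clients inside one range share a single secret, as the text states.
RADIUS_CLIENTS = [
    {"name": "vpn1", "address": "vpn1.example.com", "secret": b"vpn-secret-1"},
    {"name": "wlan-aps", "address": "10.20.0.0/24", "secret": b"ap-shared-secret"},
    {"name": "nas-legacy", "address": "192.0.2.10", "secret": b"legacy-secret"},
]

# Constructed stand-in for DNS so the example runs offline. The FQDN resolves
# to two addresses; only the first one returned is used, as described above.
FAKE_DNS = {"vpn1.example.com": ["198.51.100.5", "198.51.100.6"]}

def resolve_first(address):
    """Turn an address, CIDR prefix or FQDN into a network to match against."""
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:  # not an IP literal, so treat it as a host name
        first_ip = FAKE_DNS[address][0]  # first address returned by the lookup
        return ipaddress.ip_network(first_ip)

def find_client(src_ip):
    """Return the configured client covering src_ip, or None for an unknown NAS."""
    ip = ipaddress.ip_address(src_ip)
    for client in RADIUS_CLIENTS:
        if ip in resolve_first(client["address"]):
            return client
    return None

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(src_ip, code, ident, request_auth, attrs=b""):
    """Build a reply only for a known client, authenticated with its shared secret."""
    client = find_client(src_ip)
    if client is None:
        return None  # requests from unconfigured clients are discarded
    auth = response_authenticator(code, ident, attrs, request_auth, client["secret"])
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(src_ip, packet, request_auth):
    """Check a reply's Response Authenticator with the secret shared for that client."""
    client = find_client(src_ip)
    if client is None or len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, client["secret"])
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    reply = build_reply("192.0.2.10", 2, 7, req_auth)  # code 2 = Access-Accept
    print("reply verifies:", verify_reply("192.0.2.10", reply, req_auth))
    print("unknown client:", build_reply("203.0.113.9", 2, 1, req_auth))
```

Note that a request from 198.51.100.6 is not matched even though the FQDN also resolves to it, which is the practical consequence of the "first IP address returned" rule: a multi-homed access server should be entered by each address it sends from.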
RADIUS is a client/server protocol that requires a RADIUS client and a RADIUS server to provide network access. An access server or a RADIUS proxy is a RADIUS client, and the computer making the determination of authentication and authorization is a RADIUS server.
Figure 7.2 shows a typical IAS architecture. An access client contacts an IAS RADIUS proxy located at an ISP by using a local telephone connection. The IAS proxy examines the user name, which contains two elements – the identification of the user account name and the identification of the user account location (also known as a realm). Based on the realm portion of the user name in the connection request, the IAS RADIUS proxy forwards the connection request to a RADIUS server on a private network, which authenticates and authorizes the connection attempt with the Active Directory user accounts database and user account properties.
Figure 7.2 IAS Architecture
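As an added example that is not part of the original text, the code below shows the decision the IAS RADIUS proxy in Figure 7.2 makes: split the User-Name into the account and realm portions, match the realm against an ordered list of connection request policies, and forward the request to the remote RADIUS server group for that realm (or handle it locally), optionally stripping the realm before forwarding. The policy list, the realm patterns and the user@realm and REALM\user name forms handled here are assumptions of this example, not IAS's configuration.

```python
"""Realm-based routing of a connection request at a RADIUS proxy.

Added example, not IAS code. The policies and user-name forms are assumptions.
"""
import re

# Constructed connection request policies, evaluated in this order. Each has a
# realm pattern, a target (local authentication or a remote RADIUS server
# group) and whether the realm is removed from User-Name before forwarding.
CONNECTION_REQUEST_POLICIES = [
    {"name": "Forward to Contoso", "pattern": r"contoso(\.com)?",
     "target": "remote:contoso-rrsg", "strip_realm": False},
    {"name": "Forward to Fabrikam", "pattern": r"fabrikam(\.com)?",
     "target": "remote:fabrikam-rrsg", "strip_realm": True},
    {"name": "Authenticate locally", "pattern": r".*",
     "target": "local", "strip_realm": True},
]

def split_user_name(user_name):
    """Split a RADIUS User-Name into (account, realm).

    Handles user@realm, REALM\\user and a bare account name (realm None).
    Limiting the parser to these three forms is an assumption of the example.
    """
    if "\\" in user_name:
        realm, _, account = user_name.partition("\\")
        return account, realm.lower()
    if "@" in user_name:
        account, _, realm = user_name.rpartition("@")
        return account, realm.lower()
    return user_name, None

def route_request(user_name):
    """Return (target, forwarded User-Name) from the first policy whose realm pattern matches."""
    account, realm = split_user_name(user_name)
    realm_text = realm or ""
    for policy in CONNECTION_REQUEST_POLICIES:
        if re.fullmatch(policy["pattern"], realm_text):
            forwarded = account if policy["strip_realm"] or realm is None else user_name
            return policy["target"], forwarded
    return None, user_name  # no policy matched: the proxy discards the request

if __name__ == "__main__":
    for name in ("alice@contoso.com", "FABRIKAM\\bob", "carol", "dave@example.org"):
        print(name, "->", route_request(name))
```

The catch-all local policy comes last on purpose: with first-match ordering, placing it earlier would swallow every realm and no request would ever reach a remote server group.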
For more information about Internet Authentication Service (IAS), see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit) and "Internet Authentication Service" in Help and Support Center for Windows Server 2003.
For more information about realm names, see "Realm names" in Help and Support Center for Windows Server 2003.
A general understanding of the following topics is also essential to proper IAS deployment:
The Windows Server 2003 implementation of remote access.
Any network access mechanism your users require, such as dial-up, VPN, wireless, or authenticating switch access.
For more information about any of these topics, see the Windows Server 2003 Technical Reference and Help and Support Center for Windows Server 2003.
New in Windows Server 2003
Windows Server 2003 IAS includes the following new features:
Support for RADIUS proxy. With RADIUS proxy support, you can use IAS as a RADIUS message router or forwarder between access servers and other IAS servers. Based on attributes in the incoming RADIUS message, the RADIUS proxy forwards the message to a specific RADIUS server or client.
Support for mapping network authentication and authorization for IAS proxy. The proxy component of IAS supports the ability to separate the authentication and authorization of connection requests from access servers. The IAS proxy can forward password-based user credentials to an external RADIUS server for authentication, and perform authorization against a user account in an Active Directory domain and a locally configured remote access policy. Alternate user authentication databases can be used but connection authorization and restrictions are still determined through local administration. You can configure the proxy component with the Remote-RADIUS-to-Windows-User-Mapping attribute in the advanced properties of a connection request policy. For more information, see "Mapping network authentication and authorization" and "Connection request policies" in Help and Support Center for Windows Server 2003.
Support for IEEE 802.1X wireless and authenticating switches. IAS provides authentication, authorization, and accounting for connections that use the link-layer standard IEEE 802.1X for wireless and authenticating switch access. For more information about configuring IAS for wireless access authentication, see "Checklists: Configuring IAS for Wireless Access" and "Wireless access" in Help and Support Center for Windows Server 2003.
Support for Protected Extensible Authentication Protocol (PEAP) for 802.11 wireless clients. Protected Extensible Authentication Protocol (PEAP) provides protection for clients and authenticators (IAS or RADIUS servers) that are using Extensible Authentication Protocol (EAP). The next generation of EAP, PEAP uses Transport Layer Security (TLS) to create end-to-end communication between client and authenticator after the identity of the authenticator is verified. For more information, see "PEAP" in Help and Support Center for Windows Server 2003.
Enhanced EAP configuration for remote access policies. In Microsoft® Windows® 2000 Server, you can select only a single EAP type for a remote access policy. In Windows Server 2003 IAS, this limitation is removed. For example, you can select different computer certificates for VPN connections and EAP-TLS authentication for wireless connections, or you can select multiple EAP types for wireless connections in the circumstance where some of your wireless clients use EAP-TLS authentication and some of them use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAPv2). For more information, see "EAP" and "Configure PEAP and EAP methods" in Help and Support Center for Windows Server 2003.
Support for IAS Network Access Quarantine Control. IAS Network Access Quarantine Control provides phased network access, which restricts remote clients to quarantine mode until each client is verified as meeting, or is configured according to, the organization's network access policy. After the client computer configuration is verified as meeting organization network policy, the quarantine restrictions, which consist of Quarantine IP-Filters and Session Timers, are removed and standard remote access policy is applied to the connection. For more information, see "IAS Network Access Quarantine Control" in Help and Support Center for Windows Server 2003.
Support for logging to MSDE 2000 and SQL Server 2000 databases. You can use an XML-compliant database, such as Microsoft® SQL Server™ 2000 and SQL Server Desktop Engine (MSDE 2000), to log user authentication requests, periodic data, and accounting requests received from one or more access servers. For more information, see "SQL Server database logging" in Help and Support Center for Windows Server 2003.
Support for ignoring the dial-in properties of user accounts. You can configure a RADIUS attribute on the profile properties of a remote access policy to ignore the dial-in properties of user accounts. To support multiple types of connections for which IAS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required. For more information, see "New features for IAS" in Help and Support Center for Windows Server 2003.
Support for configuring RADIUS clients by IP address range. For IAS in Windows 2000, you must specify a RADIUS client by IP address or by Domain Name System (DNS) name. In addition, you must configure each RADIUS client separately, even if you have a number of RADIUS clients on the same subnet. While this is not an issue for typical dial-in or VPN access server configurations, numerous wireless access points can be placed on the same subnet, creating a circumstance where use of an IP address range simplifies configuration and administration. In Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, IAS allows you to specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret. For more information, see "Configure RADIUS Clients" in Help and Support Center for Windows Server 2003.
Support for computer authentication. In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, Active Directory and IAS support the authentication of computer accounts by using standard user authentication methods such as Point-to-Point Protocol (PPP). This allows a computer and its computer certificate to be authenticated for wireless or authenticating switch access clients.
Support for checking user certificate purposes. To enforce the use of specific types of user certificates for specific connection types, you can configure IAS to check the purposes (also known as object identifiers or OIDs) of certificates in their Enhanced Key Usage (EKU) extensions. You can configure a list of object identifiers that are required to be present in the user certificate. For more information, see "Network access authentication and certificates" and "Add RADIUS attributes to a remote access policy" in Help and Support Center for Windows Server 2003.
Improved attribute manipulation. In Windows 2000, you can use IAS to manipulate the contents of the User-Name RADIUS attribute. Using connection request policies in IAS for Windows Server 2003, you can manipulate the User-Name, Called-Station-ID, and Calling-Station-ID RADIUS attributes. For more information, see "Connection request policies" in Help and Support Center for Windows Server 2003.
Support for the Authentication Type remote access policy condition. You can create remote access policies by using the Authentication Type condition in IAS for Windows Server 2003. You can use the Authentication Type condition to specify connection constraints that are based on the authentication protocol or method that is used by the access client. For more information, see "Elements of a remote access policy" in Help and Support Center for Windows Server 2003.
Improved support for the Class attribute. In Windows 2000, IAS automatically generates a value for the Class attribute and appends it to the existing value of the Class attribute received in the RADIUS request message. The result is the Class attribute in the RADIUS response message. In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, you can disable the automatic generation of a value for the Class attribute by using the Generate-Class-Attribute setting on the Advanced tab in the properties of a remote access policy profile. Automatic generation of a value for the Class attribute is disabled by default. Instead of appending the generated value of the Class attribute to the existing Class attribute, IAS creates a separate Class attribute. The RADIUS response message contains both the original Class attribute and the second Class attribute that is generated by IAS. For more information, see "Add RADIUS attributes to a remote access policy" in Help and Support Center for Windows Server 2003.
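The following added example, which is not IAS code, models the remote access policy evaluation described earlier in this section (an ordered set of rules, each with conditions, a profile and a permission) together with two of the features listed above: the Authentication Type condition and the profile setting that ignores the dial-in properties of user accounts. The user accounts, the three policies and the condition names are constructed for illustration; IAS has more condition types and profile settings than are modelled here, and the exact interplay shown (first matching policy wins, the account's Allow/Deny setting overrides the policy permission unless the profile ignores it) is the example's reading of the text.

```python
"""Ordered remote access policy evaluation with dial-in property override.

Added example, not IAS code. Accounts, policies and condition names are
constructed; the evaluation order is this example's reading of the text.
"""

# Constructed account dial-in settings: "allow", "deny" or "policy" (control
# access through remote access policy), plus group memberships.
USERS = {
    "alice": {"dial_in": "policy", "groups": {"VPN-Users", "Domain Users"}},
    "bob":   {"dial_in": "deny",   "groups": {"Wireless-Users", "Domain Users"}},
    "carol": {"dial_in": "allow",  "groups": {"Domain Users"}},
}

# Constructed ordered policy list. All conditions of a policy must match; the
# first matching policy decides the outcome and later policies are not tried.
POLICIES = [
    {
        "name": "Wireless with EAP only",
        "conditions": {"NAS-Port-Type": {"Wireless-IEEE 802.11"},
                       "Windows-Groups": {"Wireless-Users"},
                       "Authentication-Type": {"EAP"}},
        "permission": "grant",
        # Ignore-User-Dialin-Properties lets the policy decide even for accounts
        # whose dial-in property is Deny, as the feature list above describes.
        "profile": {"Session-Timeout": 3600, "Ignore-User-Dialin-Properties": True},
    },
    {
        "name": "VPN users",
        "conditions": {"NAS-Port-Type": {"Virtual (VPN)"},
                       "Windows-Groups": {"VPN-Users"}},
        "permission": "grant",
        "profile": {"Idle-Timeout": 1800},
    },
    {
        "name": "Deny everything else",
        "conditions": {},
        "permission": "deny",
        "profile": {},
    },
]

def conditions_match(policy, request, user):
    """A policy matches when every one of its conditions accepts the request."""
    for name, allowed in policy["conditions"].items():
        if name == "Windows-Groups":
            if not (user["groups"] & allowed):
                return False
        elif request.get(name) not in allowed:
            return False
    return True

def evaluate(request):
    """Return (decision, policy name, applied profile) for a connection request."""
    user = USERS.get(request["User-Name"])
    if user is None:
        return "reject", None, {}  # unknown account: authentication fails first
    for policy in POLICIES:
        if not conditions_match(policy, request, user):
            continue
        profile = dict(policy["profile"])
        ignore_dialin = profile.pop("Ignore-User-Dialin-Properties", False)
        if not ignore_dialin and user["dial_in"] != "policy":
            # The account's own Allow/Deny setting takes precedence over the policy.
            decision = "accept" if user["dial_in"] == "allow" else "reject"
        else:
            decision = "accept" if policy["permission"] == "grant" else "reject"
        return decision, policy["name"], profile if decision == "accept" else {}
    return "reject", None, {}  # no policy matched the connection attempt

if __name__ == "__main__":
    print(evaluate({"User-Name": "bob", "NAS-Port-Type": "Wireless-IEEE 802.11",
                    "Authentication-Type": "EAP"}))
    print(evaluate({"User-Name": "carol", "NAS-Port-Type": "Wireless-IEEE 802.11",
                    "Authentication-Type": "PAP"}))
```

The "carol" case is the one to study: her account is set to Allow, so she is accepted even though the only policy that matches is the final deny rule. This is why a catch-all deny policy is not a substitute for setting accounts to "control access through remote access policy" when the policies are meant to be the single decision point.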
IAS Terms and Definitions
This section provides brief definitions of important IAS terms. For more information, see the sources mentioned in "Additional Resources for Remote Access" later in this chapter, or Help and Support Center for Windows Server 2003.
Internet Authentication Service (IAS) A component of Windows Server 2003 that performs centralized authentication, authorization, auditing, and accounting for a variety of different types of network access, including dial-up, VPN, wireless, and authenticating switch access.
Remote Authentication Dial-In User Service (RADIUS) protocol A protocol, specified in RFCs 2138 and 2139, that enables use of a homogeneous or heterogeneous network of dial-up or VPN equipment.
RADIUS server A server that implements the RADIUS protocol. A RADIUS server performs authentication, authorization, and accounting on behalf of a RADIUS client.
RADIUS client A network access server that uses a RADIUS server to perform authentication, authorization, and accounting for its access clients.
RADIUS proxy A server that forwards incoming RADIUS messages to specific RADIUS servers for additional processing, based on RADIUS attributes in the incoming RADIUS message. An IAS server can act as a RADIUS server for some requests and a RADIUS proxy for others.
Authentication The process of performing identity verification of the entities that communicate over a network; for example, the process that verifies the identity of a user who logs on to a computer either locally, at a computer’s keyboard, or remotely, by means of a network connection.
Authorization The process that determines what a user is permitted to do on a computer system or network. For remote access or demand-dial routing connections, the verification that the connection attempt is allowed. Authorization occurs after successful authentication. With IAS, you can manage authorization using remote access policies and Active Directory user account properties.
Auditing The process that tracks the activities of users by recording selected types of events in the security log of a computer.
Accounting A method of tracking account activity information such as logon and logoff records, to help maintain records for billing purposes. With IAS, you can also track authentication information, such as each accept, reject, and automatic account lockout.