Choosing Router User Accounts and Groups
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After a calling router is authenticated by using either Windows or RADIUS as the authentication provider, it must be authorized: that is, it must be given permission to establish a connection with the answering router. You use two interrelated sets of components to authorize access by the calling router: user accounts and (optionally) groups, and remote access policies.
Before you can successfully configure either the router user accounts or remote access policies (both described later in this chapter), you need to understand the relationship between the two. Configuring the router user account includes the option of choosing whether to use remote access policies to grant the calling router access to the answering router. You can grant or deny permission for the calling router to access the answering router either at the user account level or at the remote access policy level. The permission specified in the user account overrides the permission specified in a remote access policy. However, if you choose the Control access through Remote Access Policy option in the user account that the answering router uses to authenticate the calling router, the remote access policy permission specified on the Properties page for the remote access policy governs whether the user account of the calling router is granted or denied access. This option is available only for accounts on stand-alone routers or on members of a native mode Active Directory domain. For more information about remote access policies, see "Choosing a Remote Access Policy Type" later in this chapter.
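The precedence described above, modeled as an added example (not code from this documentation): the user account's dial-in setting is checked against the first remote access policy whose conditions match the connection attempt, and only the Control access through Remote Access Policy setting defers to the policy's own Grant/Deny. The policy names, condition attributes and connection attributes are constructed for the example; the rule that a connection with no matching policy is rejected is standard RRAS behavior and is not stated in the paragraph above.

```python
from dataclasses import dataclass
from enum import Enum


class AccountPermission(Enum):
    """Dial-in setting on the router user account."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict   # attribute -> required value, all must match
    grant: bool        # Grant (True) or Deny (False) on the policy's Properties page

    def matches(self, attrs: dict) -> bool:
        return all(attrs.get(k) == v for k, v in self.conditions.items())


def authorize(account: AccountPermission, policies: list, attrs: dict):
    """Return (granted, reason) for one connection attempt by a calling router.

    Policies are evaluated in order; the first whose conditions match is used.
    """
    matched = next((p for p in policies if p.matches(attrs)), None)
    if matched is None:
        return False, "rejected: no remote access policy matched"
    if account is AccountPermission.DENY:
        return False, "denied by user account (policy permission ignored)"
    if account is AccountPermission.ALLOW:
        return True, f"allowed by user account (policy '{matched.name}' permission ignored)"
    # Account defers to the policy: the policy's Grant/Deny decides.
    verdict = "granted" if matched.grant else "denied"
    return matched.grant, f"{verdict} by policy '{matched.name}'"


# Constructed sample policies, in evaluation order.
POLICIES = [
    RemoteAccessPolicy("Block dial-up routers", {"port_type": "async"}, grant=False),
    RemoteAccessPolicy("Site-to-site VPN routers", {"port_type": "vpn", "group": "Routers"}, grant=True),
]

# Constructed sample connection attempt from a calling router.
VPN_ROUTER = {"port_type": "vpn", "group": "Routers"}
```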
To allow or reject connection attempts according to a variety of criteria, you can specify several remote access options in the user account of the calling router and multiple additional options by using remote access policies. This level of precision enhances the security of your site-to-site connection by providing great flexibility in how you can control access to the answering router and its network resources.
You can configure router user accounts individually for each router or by adding router accounts to an Active Directory group.