Add RADIUS clients

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add RADIUS clients

  1. Open Internet Authentication Service.

  2. Right-click RADIUS Clients, and then click New RADIUS Client.

  3. Use the New RADIUS Client Wizard to both add and configure a client.

Notes

  • To open Internet Authentication Service, click Start, click Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.

  • If the client is a network access server (NAS) and you are planning to use NAS-specific remote access policies for configuration (for example, a remote access policy that contains vendor-specific attributes), in the New RADIUS Client Wizard, click Client Vendor, and then select the name of the manufacturer. If you do not know the name of the manufacturer or it is not in the list, click RADIUS Standard. If the RADIUS client is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition and the Routing and Remote Access service, click Microsoft.

  • When you have a number of RADIUS clients on the same subnet (such as numerous wireless access points), you can simplify RADIUS client administration by specifying an address range while running the wizard, instead of specifying the IP address or DNS name of a single RADIUS client. All of the RADIUS clients in the range must use the same configuration and shared secret. The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, where w.x.y.z is the dotted decimal notation of the address prefix and p is the prefix length (the number of high order bits that define the network prefix). This is also known as Classless Inter-Domain Routing (CIDR) notation. An example is 192.168.21.0/24. To convert from subnet mask notation to network prefix length notation, p is the number of high order bits set to one in the subnet mask.

  • If your access server supports use of the Message Authenticator attribute (also known as the signature attribute), in the New RADIUS Client Wizard, click Request must contain the Message Authenticator attribute. If the access server does not support the Message Authenticator attribute, do not select this option.

  • If IAS receives an access request from a RADIUS proxy, it cannot detect the manufacturer of the NAS that originated the request. This can cause problems if you plan to use remote access policy conditions that are based on the client vendor and have at least one client that is defined as a RADIUS proxy. Requests from the proxy might not match any of the remote access policies and might therefore be denied.

  • Shared secrets are case-sensitive. Verify that the client's shared secret and the shared secret you type in Shared secret are identical. For more information, see Related Topics.

  • If the client address cannot be resolved when you click Verify, make sure that the DNS name that you typed is correct.

  • You can use the friendly name that you provide for your RADIUS clients with the Client-Friendly-Name condition in remote access policies. For more information, see Related Topics.

  • Enabling the use of the Message Authenticator attribute provides additional security when PAP, CHAP, MS-CHAP, and MS-CHAP v2 are used for authentication. EAP uses the Message Authenticator attribute by default and does not require that you enable it. For more information, see Related Topics.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

See Also

Concepts

Shared secrets
Message Authenticator attribute
IAS as a RADIUS server design considerations
Elements of a remote access policy
Delete a RADIUS client