Centralized authentication by using IAS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To spread the load between dial-up and VPN-based remote access users, the network administrator of Electronic, Inc. decided to configure a separate VPN server. To centralize the authentication and accounting functions for both the remote access server and the VPN server, a computer running Internet Authentication Service (IAS) with the IP address of 172.31.248.9 functions as a RADIUS server.

The following illustration shows the configuration of the Electronic, Inc. network for IAS-based centralized authentication and accounting.

[Illustration: Centralized authentication by using IAS]

The IAS server has its own set of remote access policies. Rather than maintain two different sets of remote access policies, one set for the remote access server and one for the VPN server, both the remote access server and the VPN server are configured to use RADIUS authentication. Therefore, both the remote access server and the VPN server are configured as RADIUS clients to the IAS server. The IAS server provides remote access authentication, authorization, and accounting for both the remote access server and the VPN server.

Remote access policy configuration

Once the server running Routing and Remote Access is configured to use RADIUS authentication, the remote access policies stored on the remote access server are no longer used. Instead, the remote access policies stored on the IAS server are used. Therefore, the current set of remote access policies is copied to the IAS server.

For more information, see Copy the IAS configuration to another server.

RADIUS configuration

To configure RADIUS authentication and accounting, the network administrator for Electronic, Inc. configures the following:
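The RADIUS client side of this setup can also be applied from the command line on each server running Routing and Remote Access. The following script is an added example, not part of the original page. It assumes the `netsh ras aaaa` context of Windows Server 2003, the default RADIUS ports 1812 and 1813, and a shared secret typed in at run time.

```bat
@echo off
rem Added example: run once on the remote access server and once on the VPN server.
rem 172.31.248.9 is the IAS server from this page. Ports and the prompt are assumptions.
setlocal
set IAS_SERVER=172.31.248.9

rem Prompt for the shared secret so it is not stored in the script file.
rem Avoid characters that cmd.exe treats specially (such as ^ & | < > %).
set /p RADIUS_SECRET=Shared secret for this RADIUS client: 

rem Authentication: switch the provider from Windows to RADIUS and point it at IAS.
rem signature=enabled makes the server send the Message-Authenticator attribute
rem with each request so IAS can verify the request came from a holder of the secret.
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name=%IAS_SERVER% secret=%RADIUS_SECRET% port=1812 signature=enabled

rem Accounting: send accounting records to the same IAS server.
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name=%IAS_SERVER% secret=%RADIUS_SECRET% port=1813

rem Restart Routing and Remote Access so the provider change takes effect.
net stop remoteaccess
net start remoteaccess

rem Check: both providers should report RADIUS and list 172.31.248.9.
netsh ras aaaa show authentication
netsh ras aaaa show authserver
netsh ras aaaa show accounting
netsh ras aaaa show acctserver
endlocal
```

On the IAS server, each of the two servers must also be added as a RADIUS client with the matching shared secret. Otherwise IAS discards their requests.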

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.