Choosing the Authentication Provider

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Site-to-site connections between remote offices require an authentication and accounting provider for:

  • Authentication of calling router credentials and authorization of the site-to-site connection.

  • Accounting services that record the creation and termination of each site-to-site connection.

When a connection is attempted, the answering router authenticates the credentials of the calling router by using one of two authentication providers: Windows or RADIUS. Your choice of authentication provider is determined by whether your solution involves a site-to-site only connection or a combined site-to-site and remote access connection:

  • For a site-to-site only connection, choose Windows. When you choose Windows as the authentication, authorization, and accounting provider, the same Windows authentication process that validates user credentials when a user logs on also validates the calling router.

  • For a combined site-to-site and remote access connection, choose either Windows or RADIUS. If the same answering router will support both a site-to-site connection and remote access users (such as home or mobile users), you can use either Windows or Remote Authentication Dial-in User Service (RADIUS) as your authentication provider. Servers running the Internet Authentication Service (IAS) component of Windows Server 2003 provide an Internet standards–compliant RADIUS server and proxy.

If you have more than one answering router or other types of access servers (such as wireless access servers), you can use a single RADIUS server to provide centralized authentication, authorization, and accounting for all answering routers and access servers instead of administering each answering router and access server separately. To simplify administration for a combined site-to-site and remote access connection, you can use IAS to store both site-to-site and remote access information.

In an Active Directorydomain, it is recommended that you use the Windows Server 2003 version of IAS as your RADIUS server. The IAS RADIUS server is tightly integrated with Windows Server 2003, Active Directory, and the Routing and Remote Access service. When you use RADIUS authentication, you configure each of participating answering router as a RADIUS client. After you configure both the answering router and the IAS server, the answering router uses remote access policies stored on the IAS server instead of those on the answering router.

Although it is possible to use RADIUS as the authentication provider for a site-to-site only connection, you do not need RADIUS. Deploying an IAS server is unnecessary administrative overhead for a demand-dial connection that connects two sites but does not support remote access users.

The credentials that the calling router passes to the answering router for verification are those of a user account, either in Active Directory or on the local computer. Authorization is granted based on the dial-in properties that you specify in the user account and on remote access policies configured on the answering router (or on the RADIUS server). For more information, see "Choosing Router User Accounts and Groups" and "Choosing a Remote Access Policy Type" later in this chapter.

The authentication provider that you choose also functions as the authorization provider. However, the Routing and Remote Access service does not require that you use the same provider for authentication and authorization that you use for accounting. You can use Windows for authentication and RADIUS for accounting, or vice versa. However, if you have multiple answering routers that support remote access users, consider using RADIUS for integrated authentication, authorization, and accounting, and, if you use IAS, to manage remote access policies.

For more information about RADIUS authentication, see "Checklist: Configuring IAS for dial-up and VPN accessChecklist: Configuring IAS for dial-up and VPN access" in Help and Support Center for Windows Server 2003. For more information about deploying IAS to perform centralized authentication, authorization, and accounting, see "Deploying Internet Authentication Service (IAS)" in this book.