Authentication and Authorization

The distinction between authentication and authorization is important for understanding how connection attempts are either accepted or denied.

  • Authentication is the verification of the credentials presented by the connection attempt. The remote access client sends its credentials to the remote access server using an authentication protocol; depending on the protocol negotiated, the credentials travel either in cleartext or in a protected (encrypted or hashed) form.

  • Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

For a connection attempt to be accepted, the connection attempt must be both authenticated and authorized. It is possible for the connection attempt to be authenticated using valid credentials, but not authorized. In this case, the connection attempt is denied.

If the remote access server is configured for Windows authentication, Windows 2000 security verifies the credentials (authentication), and the dial-in properties of the user account together with the remote access policies stored locally on the remote access server decide whether the connection is allowed (authorization). If the connection attempt is both authenticated and authorized, the connection attempt is accepted.

If the remote access server is configured for RADIUS authentication, the remote access server forwards the credentials of the connection attempt to the RADIUS server, which performs both authentication and authorization. If the connection attempt is both authenticated and authorized, the RADIUS server sends an accept message (Access-Accept) back to the remote access server and the connection attempt is accepted. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends a reject message (Access-Reject) back to the remote access server and the connection attempt is denied.

If the RADIUS server is a Windows 2000 server–based computer running the Internet Authentication Service (IAS), the IAS server performs authentication through Windows 2000 security and authorization through the dial-up properties of the user account and the remote access policies stored on the IAS server.
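The accept-or-reject decision described above (credentials verified first, then the dial-in permission of the account and the remote access policies, with an attempt that carries valid credentials but is not authorized still rejected), as an added example that is not part of the Windows 2000 documentation: a small Python model of the decision a RADIUS server such as IAS makes. The User-Password hiding between remote access server and RADIUS server follows RFC 2865 section 5.2; the Account and Policy structures, the user names, the shared secret and the policy rules are constructed for illustration and simplify the real Windows 2000 policy evaluation.

```python
# Added example (not from the Windows 2000 documentation): a minimal model of how a
# RADIUS/IAS server separates authentication from authorization. Password hiding
# follows RFC 2865 section 5.2; Account and Policy are simplified stand-ins for the
# Dial-in tab and remote access policies. Users, secret and policies are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Remote access server side: User-Password attribute as sent to RADIUS (RFC 2865 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 bytes
    out, prev = b"", authenticator                        # first block keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                                      # chain on the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo hide_password; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")                            # strip the padding added by the sender


@dataclass(frozen=True)
class Account:
    password: bytes
    dial_in: str          # "allow", "deny" or "policy" (Dial-in tab: control access through policy)
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset     # condition: caller must be a member of one of these groups
    hours: range          # condition: permitted hours of the day (simplified day/time restriction)
    grant: bool           # permission: grant or deny remote access when conditions match


SHARED_SECRET = b"constructed-shared-secret"

ACCOUNTS = {  # constructed user database
    "alice": Account(b"Alice-pass-2000!", "policy", frozenset({"VPN-Users"})),
    "bob":   Account(b"bob-secret", "deny", frozenset({"VPN-Users"})),
    "carol": Account(b"carol-secret", "policy", frozenset({"Staff"})),
}

POLICIES = [  # evaluated in order; the first policy whose conditions all match decides
    Policy("Allow VPN users in business hours", frozenset({"VPN-Users"}), range(8, 18), True),
    Policy("Deny everyone else", frozenset({"VPN-Users", "Staff"}), range(0, 24), False),
]


def authenticate(user, hidden_pw, authenticator, secret=SHARED_SECRET, accounts=ACCOUNTS):
    """Step 1: do the presented credentials match the account? An unknown user fails like a bad password."""
    account = accounts.get(user)
    if account is None:
        return False
    presented = reveal_password(hidden_pw, secret, authenticator)
    return hmac.compare_digest(presented, account.password)


def authorize(account, hour, policies=POLICIES):
    """Step 2: may this already-authenticated caller connect right now?"""
    if account.dial_in == "deny":
        return False
    for policy in policies:
        if account.groups & policy.groups and hour in policy.hours:
            return account.dial_in == "allow" or policy.grant
    return False                                          # no matching policy: reject


def process_access_request(user, hidden_pw, authenticator, hour):
    """RADIUS server decision: Access-Accept only if authenticated AND authorized."""
    if not authenticate(user, hidden_pw, authenticator):
        return "Access-Reject"
    if not authorize(ACCOUNTS[user], hour):
        return "Access-Reject"                            # valid credentials, but not authorized
    return "Access-Accept"


def ras_client_request(user, password, hour, secret=SHARED_SECRET):
    """What the remote access server does: pick a Request Authenticator, hide the password, forward."""
    authenticator = os.urandom(16)
    return process_access_request(user, hide_password(password, secret, authenticator), authenticator, hour)


if __name__ == "__main__":
    print("alice 10:00 ->", ras_client_request("alice", b"Alice-pass-2000!", 10))  # Access-Accept
    print("alice 22:00 ->", ras_client_request("alice", b"Alice-pass-2000!", 22))  # Access-Reject (not authorized)
    print("bob   10:00 ->", ras_client_request("bob", b"bob-secret", 10))          # Access-Reject (dial-in denied)
    print("alice wrong ->", ras_client_request("alice", b"wrong", 10))             # Access-Reject (not authenticated)
```

The two rejection paths are deliberately indistinguishable to the caller: a valid-credential but unauthorized attempt (alice outside business hours, or bob with dial-in set to deny) gets the same Access-Reject as a bad password, which is how RADIUS behaves. Note also that reveal_password cannot detect a mismatched shared secret; it simply produces a password that fails the comparison.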

The authentication provider of the Routing and Remote Access service is configured on the Security tab of the properties of a remote access router in the Routing and Remote Access snap-in, or with the netsh ras aaaa set authentication and netsh ras aaaa set authserver commands.