IAS Features

The IAS features include the following:

Centralized User Authentication

The authentication of users attempting connections is an important security concern. IAS supports a variety of authentication protocols and allows you to use arbitrary authentication methods to meet your authentication requirements.

The following section describes the authentication methods supported in Windows 2000.

  • Point-to-Point Protocol (PPP) is a set of industry-standard framing and authentication protocols that enables remote access solutions to be interoperable in a multivendor network. IAS supports the authentication protocols within PPP, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) versions 1 and 2, and Extensible Authentication Protocol (EAP).

  • Extensible Authentication Protocol (EAP) is an infrastructure that allows the addition of arbitrary authentication methods such as Smart Cards, certificates, one-time passwords, and Token Cards.

  • Dialed Number Identification Service (DNIS) is an authorization method based on the number called by the user.

  • Automatic Number Identification/Calling Line Identification (ANI/CLI) is an authorization method based on the number the user called from. ANI is also known as Caller ID.

  • Guest authentication is an authorization method where the caller does not send a user name or password during the authentication process. If unauthenticated access is enabled, the Guest account is used as the identity of the caller by default.

Outsourced Dialing and Worldwide Remote Access

Outsourced dialing (also referred to as wholesale dialing) involves a contract between an organization or private company (the customer) and an ISP in which the ISP allows the company's employees to connect to the ISP's network before establishing the VPN tunnel to the company's private network. When an employee connects to the ISP's remote access server, the authentication and usage records are forwarded to the IAS server at the company. The IAS server allows the company to control user authentication, track usage, and manage which employees are allowed to gain access to the ISP's network.

The advantage of outsourcing is the potential savings. For example, by using an ISP's routers, network access servers, and T1 lines (instead of buying your own), you can save a great deal on hardware (infrastructure) costs. You can also significantly decrease your long-distance phone bill by dialing into an ISP that has worldwide connections, or into the scattered points of presence (POPs) of a roaming consortium, which belong to other ISPs. In addition, by handing off support to the provider, you can eliminate a large amount of your administrative budget.

Centralized User Authorization

To grant the connecting user appropriate access to the network, IAS authenticates users in Microsoft® Windows NT® version 4.0 domains and Windows 2000 Local Security Accounts Manager (SAM). IAS also supports new features in the Active Directory™ directory service, such as user principal names and Universal Groups.

Remote access policies are sets of conditions that give network administrators more flexibility in controlling who is allowed to connect to the network. Although it is simple to manage remote access permission for each user account, this approach can become unwieldy as your organization grows. Remote access policies provide a more powerful and flexible way to manage remote access permission.

You can use remote access policies to control remote access based on a variety of conditions, such as:

  • User membership in a Windows 2000 security group.

  • The time of day, or day of the week of the connection.

  • The type of media through which the user is connecting (for example, ISDN, modem, or a VPN tunnel).

  • The type of VPN tunneling protocol used (Point-to-Point Tunneling Protocol or Layer Two Tunneling Protocol).

  • The phone number the user calls.

  • The phone number the user calls from.

Each remote access policy contains a profile of settings with which you can control connection parameters. For example, you can:

  • Permit or deny the use of certain authentication methods.

  • Control the amount of time the connection can be idle.

  • Control the maximum time of a single session.

  • Control the number of links in a multilink session.

  • Control encryption settings.

  • Add packet filters to control what the user can access when connected to the network. For example, you can use filters to control which IP addresses, hosts, and ports the user is allowed to send packets to or receive packets from.

  • Create a mandatory tunnel that forces all packets from that connection to be securely tunneled through the Internet and terminated in a private network.

  • Allow users to request a specific IP address, or specify that the remote access server must assign an IP address.

Centralized Administration of Remote Access Servers

Support for the RADIUS standard allows IAS to control connection parameters for any network access server that implements that standard. The RADIUS standard also allows individual remote access vendors to create proprietary extensions called vendor-specific attributes. IAS has incorporated the extensions from a number of vendors in its multivendor dictionary.

Centralized Auditing and Usage Accounting

Support for the RADIUS standard allows IAS to collect the usage (accounting) records sent by a NAS at a single point. IAS logs audit information (for example, authentication Accepts and Rejects) and usage information (for example, logon and logoff records) to log files. IAS supports a log-file format that can be directly imported into a database. The data in the database can be analyzed by using third-party data-analysis software.
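
The following Python example is added here for illustration and is not part of the original documentation or of IAS itself. It parses comma-separated audit records and flags user/NAS pairs with repeated Rejects and no Accept. The record layout (six header fields followed by attribute-ID/value pairs), attribute ID 4136 for Packet-Type, and its values 2 (Accept) and 3 (Reject) are assumptions not stated on this page; the log lines are constructed.

```python
import csv
import io
from collections import Counter

# Assumed IAS-format layout (not given on this page): six fixed header fields,
# then alternating attribute-ID,value pairs.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
PACKET_TYPE = "4136"                     # assumed attribute ID for Packet-Type
ACCESS_ACCEPT, ACCESS_REJECT = "2", "3"  # assumed Packet-Type values
# Constructed sample records; the last line is deliberately truncated.
SAMPLE_LOG = """\
192.0.2.10,alice,03/14/2001,08:01:12,IAS,IAS01,4,192.0.2.10,4136,2
192.0.2.10,bob,03/14/2001,08:02:40,IAS,IAS01,4,192.0.2.10,4136,3
192.0.2.10,bob,03/14/2001,08:02:55,IAS,IAS01,4,192.0.2.10,4136,3
192.0.2.10,bob,03/14/2001,08:03:09,IAS,IAS01,4,192.0.2.10,4136,3
192.0.2.20,carol,03/14/2001,08:05:31,IAS,IAS01,4,192.0.2.20,4136,3
192.0.2.20,carol,03/14/2001,08:05
"""

def parse_record(fields):
    """Split one CSV row into header fields plus an attribute-ID -> value map."""
    extra = len(fields) - len(HEADER)
    if extra < 0 or extra % 2:
        raise ValueError("truncated or malformed record")
    record = dict(zip(HEADER, fields[:len(HEADER)]))
    pairs = fields[len(HEADER):]
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record

def summarize(log_text):
    """Count Accept and Reject records per (user, NAS) pair."""
    accepts, rejects, bad_lines = Counter(), Counter(), 0
    for fields in filter(None, csv.reader(io.StringIO(log_text))):
        try:
            rec = parse_record(fields)
        except ValueError:
            bad_lines += 1  # count unparsable lines so audit gaps are visible
            continue
        key = (rec["user"], rec["nas_ip"])
        ptype = rec["attrs"].get(PACKET_TYPE)
        if ptype == ACCESS_ACCEPT:
            accepts[key] += 1
        elif ptype == ACCESS_REJECT:
            rejects[key] += 1
    return accepts, rejects, bad_lines

def flag_repeated_rejects(log_text, threshold=3):
    """Return (user, NAS) pairs with >= threshold rejects and no accept."""
    accepts, rejects, _ = summarize(log_text)
    return sorted(k for k, n in rejects.items() if n >= threshold and k not in accepts)
```
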

Integration with Routing and Remote Access Service

The Windows 2000 Routing and Remote Access service is configured to use Windows authentication and accounting, or to use RADIUS authentication and accounting. When RADIUS authentication or accounting is selected, any RFC-compliant RADIUS server can be used. However, using an IAS server is recommended to achieve the optimum level of integration in Windows 2000 environments and take advantage of centralized remote access policies.

For example, in a small network environment or branch offices with a small number of remote access servers and no requirements for centralized management of remote access, the Routing and Remote Access service can be configured to use Windows authentication and accounting.

In a global enterprise with large numbers of remote access servers deployed worldwide, centralized authentication and accounting using IAS can be beneficial. However, if a small branch office is experiencing a low bandwidth connection to the global enterprise with the centralized IAS server, the Windows authentication and accounting configuration can be copied from a central location to the remote access servers of the branch office.

IAS and the Routing and Remote Access service share the same remote access policies and authentication and accounting logging capabilities. When the Routing and Remote Access service is configured for Windows authentication, local policies and logging are used. When the Routing and Remote Access service is configured as a RADIUS client to an IAS server, the policies and logging of the IAS server are used.

This integration provides consistent implementation across IAS and the Routing and Remote Access service. It allows you to deploy the Routing and Remote Access service in small sites without the need for a separate, centralized IAS server; it also provides the capability to scale up to a centralized remote access management model when you have multiple remote access servers in your organization. In this case, IAS in conjunction with remote access servers implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access. The policies within IAS at a central large site can be exported to the independent remote access server in a small site.

Graphical User Interface

IAS provides a graphical user interface (snap-in) that enables you to configure local or remote IAS servers.

Remote Monitoring

You can monitor IAS by using Windows 2000–based tools, such as Event Viewer or System Monitor, or by using Simple Network Management Protocol (SNMP).

Scalability

You can use IAS in a variety of network configurations of varying size, from stand-alone servers for small networks to large corporate and ISP networks.

IAS Software Development Kit

The IAS Software Development Kit (SDK) can be used to:

  • Control the number of end-user network sessions.

  • Extend the remote access authorizations currently provided by IAS.

  • Export usage/audit data to a database.

  • Create custom authentication methods for IAS (non-EAP).

EAP Software Development Kit

The EAP Software Development Kit (SDK) provides the capability to implement arbitrary authentication methods using EAP.

Import/Export of Configuration to Manage Multiple IAS Servers

IAS configuration can be imported/exported by running netsh from the command prompt.