Choose the Authentication Provider

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2

Site-to-site connections between remote offices require an authentication and accounting provider for:

  • Authentication of calling router credentials and authorization of the site-to-site connection.

  • Accounting services that record the creation and termination of each site-to-site connection.

When a connection is attempted, the answering router authenticates the credentials of the calling router by using one of two authentication providers: Windows or RADIUS. Your choice of authentication provider is determined by whether your solution involves a site-to-site only connection or a combined site-to-site and remote access connection:

  • For a site-to-site only connection, choose Windows. When you choose Windows as the authentication, authorization, and accounting provider, the same Windows authentication process that validates user credentials when a user logs on also validates the calling router.

  • For a combined site-to-site and remote access connection, choose either Windows or RADIUS. If the same answering router will support both a site-to-site connection and remote access users (such as home or mobile users), you can use either Windows or Remote Authentication Dial-in User Service (RADIUS) as your authentication provider. Servers running Network Policy Server (NPS) provide an Internet standards–compliant RADIUS server and proxy.

If you have more than one answering router or other types of access servers (such as wireless access servers), you can use a single RADIUS server to provide centralized authentication, authorization, and accounting for all answering routers and access servers instead of administering each answering router and access server separately. To simplify administration for a combined site-to-site and remote access connection, you can use NPS to store both site-to-site and remote access information.

In an Active Directory domain, it is recommended that you use Windows Server 2008 R2 or Windows Server 2008 NPS as your RADIUS server. The NPS RADIUS server is tightly integrated with Windows Server, Active Directory, and RRAS. When you use RADIUS authentication, you configure each participating answering router as a RADIUS client. After you configure both the answering router and the NPS server, the answering router uses remote access network policies stored on the NPS server instead of those on the answering router.

Although it is possible to use RADIUS as the authentication provider for a site-to-site only connection, you do not need RADIUS. Deploying an NPS server is unnecessary administrative overhead for a demand-dial connection that connects two sites but does not support remote access users.

The credentials that the calling router passes to the answering router for verification are those of a user account, either in Active Directory or on the answering router. Authorization is granted based on the dial-in properties that you specify in the user account and on network policies configured on the answering router (or on the RADIUS server). For more information, see Choose Router User Accounts and Groups in this guide.

The authentication provider that you choose also functions as the authorization provider. However, RRAS does not require that you use the same provider for authentication and authorization that you use for accounting. You can use Windows for authentication and RADIUS for accounting, or vice versa. However, if you have multiple answering routers that support remote access users, consider using RADIUS for integrated authentication, authorization, and accounting, and, if you use NPS, to manage network policies.