Published: July 11, 2005 | Updated: January 4, 2008
This FAQ answers commonly asked questions about Internet Authentication Service (IAS) and related technologies in Microsoft Windows Server 2003. Click a question to view its answer. To view all the answers at one time, select the View all answers check box.
In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS).
|A.||IAS is the Windows implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2003.|
In Windows Server 2008, the RADIUS server and proxy implementation is known as Network Policy Server (NPS).
|A.||RADIUS is a widely deployed protocol that enables centralized authentication, authorization, and accounting (AAA) for network access. Originally developed for dial-up remote access, RADIUS is now supported by wireless access points (APs), authenticating Ethernet switches, virtual private network (VPN) servers, Digital Subscriber Line (DSL) access servers, and other types of network access servers.|
RADIUS is defined in the following Internet Engineering Task Force (IETF) Requests for Comments (RFCs):
IAS for Windows Server 2003 supports the following RFCs:
|A.||For an overview of IAS in Windows Server 2003, see
Internet Authentication Service.|
|A.||IAS documentation is included with
Windows Server 2003 (click Start, then click Help and Support). There are also IAS sections of the
Windows Server 2003 Deployment Guide and Windows Server 2003 Technical Reference.|
For the product documentation resources available for IAS in Windows Server 2003, see the Windows Server 2003 Internet Authentication Service (IAS) TechCenter.
For a list of all the resources for IAS in Windows Server 2003, see the Windows Server 2003 Internet Authentication Service Web site.
For private networks, IAS is used to provide centralized authentication, authorization, and accounting (AAA) for the following types of network access:
For public networks, IAS is used to provide AAA for Internet access for dial-up, broadband, or wireless connections.
|A.||IAS and its integration with the Active Directory directory service allows your Windows-based client computer to take advantage of single sign-on, in which Active Directory domain credentials are used to access the network for dial-up, VPN, or IEEE 802.1X-based access. IEEE 802.1X authentication is typically used for IEEE 802.11 wireless LAN access and for authenticating switches. A user does not need to remember different sets of credentials for accessing the network and accessing the resources of the network.|
IAS provides the flexibility to define granular access control through remote access policies, which allow you to define security policy customized to address the security concerns of the type of connection. For example, IAS remote access policies allow you to differentiate between employees and vendors and provide different levels of access through the configuration of IP packet filters and virtual LAN identifiers (VLAN IDs).
IAS supports strong standards-based authentication methods. For more information, see the "IAS Authentication Protocols" section of this FAQ.
|A.||IAS in Windows Server 2003 is a RADIUS server and proxy. For a detailed description of the new features of IAS in Windows Server 2003, see
New features for IAS.|
You can configure IAS in Windows Server 2003 Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. With IAS in Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
You can extend IAS in the following ways:
IAS supports the following authentication protocols:
For more information, see
Authentication Methods for use with IAS.
|A.||No. There are no plans to support Cisco Systems' Lightweight Extended Authentication Protocol (LEAP) (also known as EAP-Cisco in version 11.21 of the Cisco Aironet AP firmware).|
Microsoft supports and recommends PEAP over LEAP for the following reasons:
For more information, see
The Advantages of Protected Extensible Authentication Protocol (PEAP).
No. PEAP has broader market presence and is the direction shared by Microsoft, Cisco, and RSA. Microsoft does not plan to support Tunneled TTLS. PEAP is available on many platforms and works with existing domains, which makes it easier for customers to deploy. Most vendors have announced that they plan to support PEAP.
IAS in Windows Server 2003 does not support authentication of user accounts in a Structured Query Language (SQL) or open database connectivity (ODBC) database. If you must authenticate against these types of databases, you can do one of the following:
Remote access policies provide the authorization of connection attempts. After the credentials have been authenticated, IAS evaluates the parameters of the connection attempt against the set of configured remote access policies. The connection attempt is authorized if it:
If the connection attempt does not match any remote access policy or matches a remote access policy and either does not have remote access permission or fails to meet all of the conditions of the dial-in properties of the account and the remote access policy profile settings, the connection attempt is rejected.
Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each remote access policy, there are one or more conditions, a set of profile settings, and a remote access permission setting.
When a connection attempt matches a remote access policy, the result of applying the remote access permission, the policy profile settings, and the group membership and the dial-in properties of a user or computer account is the following:
For the details of remote access policy processing, see
Accepting a connection attempt. For additional information about the elements of a remote access policy, see the
Elements of a remote access policy.
There are two ways to use remote access policies to grant authorization:
You can create remote access policies from the Internet Authentication Service snap-in. Right-click Remote Access Policies, and then click New Remote Access Policy.
For an example of configuring a remote access policy, see
Step-by-Step Guide for Configuring Remote Access Policies Using Routing and Remote Access.
|A.||For examples of remote access policies with IAS in Windows Server 2003, see
Remote Access Policies Examples.|
|A.||IAS supports the configuration of many remote access policies. However, in most cases you only need a small number. The exact number depends on the different types of network access (for example, VPN and wireless) and how you want to control that access (for example, you want to specify different connection conditions for different groups of users for VPN access). If you are using Windows groups to grant access and determine connection parameters, use universal groups and group nesting to reduce the number of remote access policies.|
|A.||IAS in Windows Server 2003 allows you to ignore the dial-in properties of user and computer accounts during connection attempt processing. To enable this feature, set the Ignore-User-Dialin-Properties RADIUS attribute to True. For more information, see
Add RADIUS attributes to a remote access policy.|
When Active Directory is in running in mixed mode, the Dial-in tab allows you to configure only those dial-in properties that are available in Windows NT 4.0 domains. Only the Remote Access Permission (Dial-in or VPN) (Allow access and Deny access options) and Callback Options settings are available.
For more information, see the
Dial-in properties of a user account.
|A.||Enable event logging for IAS, attempt the connection, and then check the system event log for events with the Source set to "IAS." The text of the event corresponding to the connection attempt lists the name of the matching remote access policy.|
For more information, see Event logging for IAS.
Because IAS in Windows Server 2003 can act as a RADIUS server, a RADIUS proxy, or both at the same time, you must configure IAS with rules so that it can determine how to handle an incoming connection request or accounting message. To determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally (IAS is acting as a RADIUS server) or forwarded to another RADIUS server (IAS is acting as a RADIUS proxy), the IAS server uses connection request processing. Connection request processing is a combination of:
Each connection request policy consists of a set of conditions and a set of profile settings. When an IAS server receives a RADIUS request message (either a connection attempt or an accounting message), it compares the attributes of the message to the conditions of the first policy in the ordered list of connection request policies.
When a RADIUS request message matches a connection request policy, the result of applying the connection request policy profile settings is the following:
For the details of connection request policy processing, see
Processing a connection request. For additional information about the elements of a connection request policy, see
Connection request policies.
|A.||You can create connection request policies from the Internet Authentication Service snap-in in Windows Server 2003. Right-click Connection Request Policies, and then click New Connection Request Policy. The New Connection Request Policy Wizard will guide you through the configuration of the policy name, the policy conditions, profile settings, and the configuration of a remote RADIUS server group (if needed).|
|A.||For examples of connection request policies, see
Connection Request Processing Examples.|
|A.||IAS supports the configuration of many connection request policies. However, in most cases you only need a small number. The exact number depends on the different roles of the IAS server (as a RADIUS server or RADIUS proxy) and how you want to change the attributes of RADIUS request messages before they are either processed locally or forwarded to another RADIUS server.|
|A.||When IAS is a member of an Active Directory domain infrastructure, it uses an Active Directory global catalog server to resolve the name in the connection attempt to an Active Directory account and an Active Directory domain controller to verify the credentials of the user or computer requesting network access and to obtain the dial-in properties and group membership of the user or computer account.|
In order to obtain dial-in properties and group membership for user and computer accounts, the IAS server must be made a member of the RAS and IAS Servers group in the domain in which it is a member and other domains as needed. For more information, see Enable the IAS server to read user accounts in Active Directory.
|A.||You must configure your firewall to allow traffic to and from the IP address of the IAS server and UDP port 1812 for connection attempt (authentication) traffic and 1813 for accounting traffic. UDP ports 1812 and 1813 are defined for RADIUS traffic in RFCs 2865 and 2866. For more details, see
IAS and firewalls.|
|A.||See the "Certificate requirements for EAP" section of Network access authentication and certificates.|
|A.||The UserName RADIUS attribute contains a name identifying the user or computer account, such as email@example.com. In some cases, you must change the UserName attribute contents from one form of an account name to another. To change the UserName RADIUS attribute, you must configure realm manipulation rules.|
For IAS in Windows Server 2003, you must configure realm manipulation rules from the properties of a connection request policy. For more information, see Configure attribute manipulation.
For information on the syntax used to configure realm manipulation rules with examples, see Pattern matching syntax.
No. Following is an unsupported workaround:
User accounts in the IAS Admin group are able to use the Internet Authentication Service snap-in to manage the local IAS server. Members of the IAS Admin group cannot administer IAS remotely. They must use Terminal Server or Remote Desktop functionality.
|A.||Most network access servers (RADIUS clients) support the configuration of a primary and secondary RADIUS server. The exact behavior of a specific network access server for RADIUS failover (switching to the secondary RADIUS server when the primary server becomes unavailable) and failback (switching back to the primary RADIUS server when it becomes available again) depends on the network access server. For more information, consult your network access server's documentation.|
|A.||When IAS in Windows Server 2003 is configured to forward RADIUS request messages to a remote RADIUS server group, it uses failover and failback settings as configured on the Load Balancing tab for the properties of a RADIUS server in a remote RADIUS server group.|
Settings on the Load Balancing tab configure the way in which the IAS server detects when a group member first becomes unavailable (failover) and when it becomes available after it has been determined to be unavailable (failback).
|A.||. IAS does not support the capability to limit the number of simultaneous sessions or connections that can be made with the same set of credentials. Controlling simultaneous sessions with the same set of credentials is important for Internet service providers (ISPs) who want to prevent their customers from sharing their Internet sign-on credentials with others. |
|A.||Virtual LANs (VLANs) allow network architects and administrators to logically group network resources (such as servers, printers, and client computers) even when they are not on the same physical subnet. When you configure the profile of an IAS remote access policy for use with VLANs, you must configure the Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag attributes. For more information, see Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs).|
|A.||Yes. IAS has a built-in dictionary of many RADIUS VSAs. For additional VSAs, you can add them to a specific remote access policy. For more information, see
Configure vendor-specific attributes for a remote access policy.|
|A.||Network Access Quarantine Control, a feature of Windows Server 2003, allows you to configure IAS and other components of a Windows-based remote access infrastructure to force remote access clients to run customized scripts to check system health (such as the state of antivirus software) prior to allowing them full access to a private intranet. For more information, see
Network Access Quarantine Control in Windows Server 2003.|
|A.||If possible, install IAS on an Active Directory domain controller. To provide authentication and authorization of wireless connection attempts, an IAS server acting as a RADIUS server must contact a domain controller to verify authentication credentials and obtain the properties of user and computer accounts. By installing IAS on a domain controller computer, the delay associated with exchanging network traffic with a domain controller is eliminated. For increased performance, configure the domain controller on which IAS is installed to be an Active Directory global catalog. IAS uses the global catalog to resolve the contents of the UserName RADIUS attribute to an Active Directory user or computer account.|
For more information about optimizing performance for IAS, see the "Performance-tuning IAS" section of IAS Best Practices.
|A.||See the "Using IAS in large organizations" section of
IAS Best Practices.|
You can use IAS to create log files based on the authentication and accounting requests received from network access servers (RADIUS clients), and collect this information in a central location. By setting up and using log files to track authentication information, such as each connection acceptance and rejection, you can simplify administration. You can set up and use logs to track accounting information (such as logon and logoff records) to maintain records for billing purposes.
IAS activity can be written to local files or, for Windows Server 2003, to a SQL Server database. For more information, see
Remote Access Logging and
Deploying SQL Server Logging with Windows Server 2003 Internet Authentication Service (IAS).
|A.||By default, IAS listens for incoming RADIUS traffic on all configured IP addresses. For IAS in Windows Server 2003, you can specify an IP address on which IAS listens for RADIUS messages from the Properties dialog box of the Internet Authentication Service node in the Internet Authentication Service snap-in. In the Authentication or Accounting fields, use the following syntax: IPAddress:UDPPort. For example, if you have multiple network adapters and you only want to receive RADIUS authentication messages sent to the IP address of 10.0.0.99 and UDP port 1812, you would type 10.0.0.99:1812 in Authentication.|
|A.||If you must add a large number of individual RADIUS clients, you can use the Addradiusclient.exe tool that is available with the
Securing Wireless LANs with PEAP and Passwords solution guide.|
The RADIUS shared secret is a text string configured on a RADIUS client (a network access server or a RADIUS proxy) and its RADIUS server that provides security for RADIUS messages. The RADIUS shared secret is used for the following:
For more information, see
|A.||You can use the remote access account lockout feature to specify how many times a remote access authentication fails against a valid user account before the account is locked out for remote access. Remote access account lockout is especially important for remote access VPN connections over the Internet. With remote access account lockout enabled, a dictionary attack or a denial of service attack against a specific account is thwarted after a specified number of authentication failures.|
For more information, see Remote access account lockout.
|A.||Without computer authentication, a computer using IEEE 802.1X to obtain network access does not have connectivity when starting their computer. This causes the computer to skip logon scripts and Computer Configuration Group Policy updates. When you use computer authentication, 802.1X authentication occurs during computer startup and the computer receives Computer Configuration Group Policy updates. When the user logs on to the computer, the computer already has access to Active Directory resources and logon scripts run successfully.|
|A.||If you have a number of wireless APs on the same subnet in an extended service set (ESS) configuration, IAS in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition allows you to specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret.|
|A.||You can use IAS event logs and performance counters for typical operations such as monitoring and troubleshooting. IAS also supports Simple Network Management Protocol (SNMP) and Performance Management Information Bases (MIBs).|
Microsoft Operations Manager (MOM) can read IAS events. IAS events contain embedded insertion strings and MOM can separate insertion strings into individual fields. Other monitoring products do not support this capability.
The tools you use for troubleshooting IAS are the following:
For more information, see
Troubleshooting tools to use with IAS.