Connection request policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Connection request policies are sets of conditions and profile settings that give network administrators flexibility in configuring how incoming authentication and accounting request messages are handled by the IAS server. With connection request policies, you can create a series of policies so that some RADIUS request messages sent from RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS scenarios.

With connection request policies, you can use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, by the realm name in the request, by the type of connection being requested, by the IP address of the RADIUS client, and so on.

It is important to remember that connection request policies are evaluated in order and that a RADIUS request message is processed only if the attributes of the incoming message match all of the conditions of at least one policy; the first policy that matches determines how the message is handled. If an incoming RADIUS Access-Request message does not match any connection request policy, IAS sends an Access-Reject message. Keep this in mind when you add or reorder policies: a request that falls through every policy is rejected, and a request that matches an earlier, broader policy never reaches a later, more specific one.

For more information about how incoming RADIUS request messages from RADIUS clients are processed, see Processing a connection request.

To create a connection request policy, see Configure Connection Request Policies.

A connection request policy is a named rule that consists of the following elements:

  • Conditions

  • Profile

Connection request policies, like remote access policies, operate on the following principle:

  • Based on the RADIUS request message matching all of the conditions of a connection request policy, the profile settings of the policy are applied to determine the processing of the message.

Conditions

Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS request message. If there are multiple conditions, then all of the conditions must match the attributes of the incoming RADIUS message in order for the RADIUS request message to match the policy.
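The following is an added example, not IAS code or anything shipped with Windows Server 2003: a small Python model of how IAS picks a connection request policy for one incoming request. It shows that every condition of a policy must match, that policies are tried in order with the first match deciding, and that a request matching no policy gets an Access-Reject. It assumes that condition values are Python regular expressions (standing in for IAS pattern matching syntax) that must match the whole attribute value, that a request is a dictionary of attribute name to string value, and that the profile is reduced to the authentication action; the remote RADIUS server group name and the sample requests are constructed for the example. The default policy it models is the one IAS creates at install, described later on this page.

```python
# Added example, not IAS code: how IAS selects a connection request policy
# for one incoming RADIUS request.
#
# Assumptions (not stated on this page, chosen for the example):
#   * condition values are Python regular expressions standing in for IAS
#     pattern-matching syntax, and must match the whole attribute value;
#   * a request is a dict of RADIUS attribute name -> string value;
#   * a policy's profile is reduced to its authentication action
#     ("local", "forward" to a named remote RADIUS server group, or
#     "accept_unauthenticated").
import re
from datetime import datetime


class Policy:
    def __init__(self, name, conditions, action, remote_group=None,
                 days=None, hours=None):
        self.name = name
        self.conditions = {attr: re.compile(pat) for attr, pat in conditions.items()}
        self.action = action
        self.remote_group = remote_group
        # Day-and-Time-Restrictions: days as Monday=0 .. Sunday=6, hours as an
        # inclusive (first, last) hour; None means no restriction.
        self.days = days
        self.hours = hours

    def matches(self, request, now):
        # Day and time come from the IAS server's own clock, not from the request.
        if self.days is not None and now.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= now.hour <= self.hours[1]):
            return False
        # Every configured condition must match; a single miss fails the policy.
        for attr, pattern in self.conditions.items():
            value = request.get(attr)
            if value is None or pattern.fullmatch(value) is None:
                return False
        return True


def process(request, policies, now):
    """Evaluate policies in list order; the first full match decides.
    No match means the request is not processed: Access-Reject."""
    for policy in policies:
        if policy.matches(request, now):
            return {"policy": policy.name, "action": policy.action,
                    "remote_group": policy.remote_group}
    return {"policy": None, "action": "reject", "remote_group": None}


# Constructed sample requests, as a wireless NAS would send them.
PARTNER_REQUEST = {"User-Name": "partner.example\\alice",
                   "Client-IP-Address": "192.0.2.10",
                   "NAS-Port-Type": "Wireless - IEEE 802.11"}
LOCAL_REQUEST = {"User-Name": "CORP\\bob",
                 "Client-IP-Address": "192.0.2.10",
                 "NAS-Port-Type": "Wireless - IEEE 802.11"}

# Proxy policy for the partner realm (hypothetical remote RADIUS server group).
PROXY = Policy("Forward partner.example",
               {"User-Name": r"partner\.example\\.*"},
               "forward", remote_group="Partner RADIUS servers")
# The default policy IAS creates at install: all days, all times, no other
# conditions, authenticate on this server.
DEFAULT = Policy("Use Windows authentication for all users", {}, "local")
# A locally authenticated policy limited to weekday office hours.
OFFICE_HOURS = Policy("Local auth, weekdays 08-17", {}, "local",
                      days=range(0, 5), hours=(8, 17))

# Fixed clock values so the results are reproducible.
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)

if __name__ == "__main__":
    # Correct order: the realm-specific proxy policy before the catch-all.
    print(process(PARTNER_REQUEST, [PROXY, DEFAULT], MONDAY_10AM))
    # Wrong order: the catch-all default shadows the proxy policy, so the
    # partner user is authenticated locally instead of being forwarded.
    print(process(PARTNER_REQUEST, [DEFAULT, PROXY], MONDAY_10AM))
    # No matching policy at all: Access-Reject.
    print(process(LOCAL_REQUEST, [PROXY], MONDAY_10AM))
    # Day-and-Time-Restrictions evaluated against the server clock.
    print(process(LOCAL_REQUEST, [OFFICE_HOURS], SATURDAY_10AM))
```

The second call is the case to watch for in a real deployment: a catch-all policy placed ahead of a realm-specific one is never "wrong" from the policy engine's point of view, it simply wins every time, and the proxy policy behind it is dead configuration.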

The following table shows the condition attributes that you can set for a connection request policy.

Attribute name, followed by its description:

Called Station ID

The phone number that the access client dialed, that is, the number of the network access server (NAS). For IEEE 802.11 wireless and Ethernet switch access, the NAS typically sends the access point or switch MAC address in this attribute, optionally followed by the SSID (RFC 3580). This attribute is a character string. You can use pattern matching syntax to specify area codes or address prefixes. For more information, see Pattern matching syntax.

Calling Station ID

The phone number used by the caller (the access client); for wireless and Ethernet access, the NAS typically sends the client's MAC address instead (RFC 3580). This attribute is a character string. You can use pattern matching syntax to specify area codes. For more information, see Pattern matching syntax. The value is whatever the NAS reports and is not verified by IAS, so use it to route requests, not as a substitute for authenticating the client.

Client Friendly Name

The name of the RADIUS client computer that is requesting authentication. This attribute is a character string. You can use pattern matching syntax to specify client names. For more information, see Pattern matching syntax.

Client IP Address

The source IP address of the RADIUS message, that is, the address of the network access server (the RADIUS client) as seen by the IAS server. This attribute is a character string. You can use pattern matching syntax to specify IP networks. For more information, see Pattern matching syntax.

Client Vendor

The vendor of the network access server (NAS) that is requesting authentication. A computer running the Routing and Remote Access service is the Microsoft NAS manufacturer. You can use this attribute to configure separate policies for different NAS manufacturers. This attribute is a character string. You can use pattern matching syntax. For more information, see Pattern matching syntax.

Day and Time Restrictions

The day of the week and the time of day of the connection attempt. The day and time is relative to the day and time of the IAS server.

Framed Protocol

The type of framing for incoming packets. Examples are PPP, SLIP, Frame Relay, and X.25.

NAS Identifier

The name of the network access server (NAS). This attribute is a character string. You can use pattern matching syntax to specify NAS identifiers. For more information, see Pattern matching syntax.

NAS IP Address

The IP address of the network access server (the RADIUS client) as reported by the NAS in the NAS-IP-Address attribute of the request. Unlike Client IP Address, this value is set by the NAS itself and can differ from the address the message actually came from, for example when the NAS is multihomed or behind network address translation. This attribute is a character string. You can use pattern matching syntax to specify IP networks. For more information, see Pattern matching syntax.

NAS Port Type

The type of media used by the access client. Examples are analog phone lines (known as async), ISDN, tunnels or virtual private networks (known as virtual), IEEE 802.11 wireless, and Ethernet switches.

Remote RADIUS to Windows User Mapping

Specifies that Windows authorization occurs for users authenticated by a remote RADIUS server. For example, visitors to your network from partner organizations can be authenticated by their organization's RADIUS server, and can use a Windows user account at your organization to access a guest local area network (LAN) on your network. For more information, see Mapping network authentication and authorization.

Service Type

The type of service being requested. Examples include framed (for example, PPP connections) and login (for example, Telnet connections). For more information about RADIUS service types, see RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)."

Tunnel Type

The type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP), used by Windows XP; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000 remote access clients and demand-dial routers.

User Name

The user name that is used by the access client in the RADIUS message. This attribute is a character string that typically contains a realm name and a user account name. For more information about realm names, see Realm names. You can use pattern matching syntax to specify user names. For more information, see Pattern matching syntax.

Profile

A connection request policy profile is a set of properties that are applied to an incoming RADIUS message. A connection request policy profile consists of the following groups of properties:

  • Authentication

  • Accounting

  • Attribute manipulation

  • Advanced

Authentication

You can set the following authentication options that are used for RADIUS Access-Request messages:

  • Authenticate requests on this server.

    Use a Windows NT 4.0 domain or the Active Directory directory service, or the local Security Account Manager (SAM) on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; for both authentication and the matching remote access policy and user account dial-in properties for authorization. In this case, the IAS server is being used as a RADIUS server.

  • Forward requests to another RADIUS server in a remote RADIUS server group.

    Forward the Access-Request message to another RADIUS server in a specified remote RADIUS server group. If the IAS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the IAS server is being used as a RADIUS proxy.

  • Accept the connection attempt without performing authentication or authorization.

    Do not check authentication of the user credentials and authorization of the connection attempt. An Access-Accept message is immediately sent to the RADIUS client. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated. For more information, see IAS and tunnels. Because every request that matches such a policy is accepted without any credential check, keep its conditions as narrow as possible (for example, a specific Client IP Address and Tunnel Type) so that ordinary access requests cannot match it.

    This authentication option cannot be used when the access client’s authentication protocol is MS-CHAP v2 or EAP-TLS, both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the IAS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails.

For information about configuring authentication settings on a connection request profile, see Configure authentication.

Accounting

You can set the following accounting options that are used for RADIUS Accounting-Request messages:

  • Forward accounting information in a specific remote RADIUS server group.

    Pass the accounting request to another RADIUS server in a specified remote RADIUS server group. In this case, the IAS server is acting as a RADIUS proxy.

Note

  • IAS always records the accounting information for Accounting-Request messages in local log files on the basis of remote access logging settings. For more information, see Select requests to be logged.

For information about setting accounting settings on a connection request profile, see Configure accounting.

Attribute manipulation

You can configure a set of find and replace rules that manipulate the text strings of one of the following attributes:

  • User Name

  • Called Station ID

  • Calling Station ID

Find and replace rule processing occurs for one of the above attributes before the RADIUS message is subject to authentication and accounting settings.

Configuring attribute manipulation for the User Name attribute is equivalent to configuring realm replacement rules for IAS in Windows 2000.

If you are using the MS-CHAP v2 authentication protocol, you cannot manipulate the User Name attribute if the connection request policy is used to forward the RADIUS message. The only exception occurs when a backslash (\) character is used and the manipulation affects only the information to the left of it. A backslash character is typically used to separate a domain name (the information to the left of the backslash) from a user account name within that domain (the information to the right of it). In this case, only attribute manipulation rules that modify or replace the domain name are allowed. The reason is that the MS-CHAP v2 response is calculated by the access client over the user account name with any prepended domain name removed (RFC 2759, section 8.2); if IAS rewrites the account name before forwarding, the remote RADIUS server can no longer verify the response.

For information about configuring attribute manipulation settings on a connection request profile, see Configure attribute manipulation. For information about the syntax of find and replace rules, see Pattern matching syntax.

Notes

  • Find and replace rules apply to only one attribute per connection request policy; you cannot configure a separate set of rules for each attribute.

  • You cannot add to the list of attributes available for manipulation.
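The following is an added example, not IAS code: a Python model of User Name find and replace rules as a connection request profile applies them, together with the MS-CHAP v2 restriction on forwarded requests described above. It assumes that rules are (find, replace) pairs written as Python regular expressions in place of IAS pattern matching syntax and applied in order, each to the output of the previous one; the rule sets, domain names and user names are constructed for the example.

```python
# Added example, not IAS code: find-and-replace manipulation of User-Name as a
# connection request policy profile performs it, and the MS-CHAP v2 check that
# applies when the policy forwards the request.
#
# Assumptions: rules are (find, replace) pairs written as Python regular
# expressions in place of IAS pattern-matching syntax, applied in order, each
# to the output of the previous one.
import re


def apply_rules(value, rules):
    """Apply every (find, replace) rule in order to one attribute value."""
    for find, replace in rules:
        value = re.sub(find, replace, value)
    return value


def split_domain(user_name):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); without a backslash the whole
    string is the account name and the domain part is empty."""
    domain, sep, account = user_name.partition("\\")
    return (domain, account) if sep else ("", user_name)


def manipulation_allowed(original, manipulated, auth_protocol, forwarding):
    """When the policy forwards the request and the client used MS-CHAP v2,
    only the domain part left of the backslash may change. The MS-CHAP v2
    response is computed by the client over the account name with any
    prepended domain removed (RFC 2759, section 8.2), so rewriting the
    account name leaves the remote server unable to verify the response."""
    if not forwarding or auth_protocol != "MS-CHAP v2":
        return True
    return split_domain(original)[1] == split_domain(manipulated)[1]


def manipulate_user_name(request, rules, auth_protocol, forwarding):
    """Return a copy of the request with User-Name rewritten, or None if the
    rewrite is not permitted. In IAS this step runs before the authentication
    and accounting settings of the profile are applied."""
    original = request["User-Name"]
    manipulated = apply_rules(original, rules)
    if not manipulation_allowed(original, manipulated, auth_protocol, forwarding):
        return None
    return {**request, "User-Name": manipulated}


# Constructed rule sets.
# 1. Rename a domain prefix: changes only the text left of the backslash.
RENAME_DOMAIN = [(r"^OLDCORP\\", r"CORP\\")]
# 2. Turn an e-mail style realm suffix into a domain prefix: the original has
#    no backslash, so the whole string is the account name MS-CHAP v2 hashed,
#    and the rewrite changes it.
REALM_TO_PREFIX = [(r"^(.*)@partner\.example$", r"partner.example\\\1")]

if __name__ == "__main__":
    # Allowed: only the domain part changes.
    print(manipulate_user_name({"User-Name": "OLDCORP\\bob"},
                               RENAME_DOMAIN, "MS-CHAP v2", True))
    # Refused: account name as seen by MS-CHAP v2 changes on a forwarded request.
    print(manipulate_user_name({"User-Name": "alice@partner.example"},
                               REALM_TO_PREFIX, "MS-CHAP v2", True))
    # Same rewrite is fine when the request is authenticated locally.
    print(manipulate_user_name({"User-Name": "alice@partner.example"},
                               REALM_TO_PREFIX, "MS-CHAP v2", False))
```

The point of the refused case is that the proxy cannot repair what it breaks: the client's response already binds the account name, and a forwarding IAS server has neither the password nor the challenge material to recompute it.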

Advanced

You can set advanced properties to specify the series of RADIUS attributes that are:

  • Added to the RADIUS response message when the IAS server is being used as a RADIUS authentication or accounting server.

    When there are attributes specified on both a remote access policy and the connection request policy, the attributes that are sent in the RADIUS response message are the combination of the two sets of attributes.

  • Added to the RADIUS message when the IAS server is being used as a RADIUS authentication or accounting proxy. If the attribute already exists in the message that is forwarded, it is replaced with the value of the attribute specified in the connection request policy.

For information about setting advanced options on a profile, see Configure advanced attributes.

The default connection request policy

A default connection request policy named Use Windows authentication for all users is created when you install IAS. This policy has the following configuration:

  • The Day-and-Time-Restrictions condition is set to all times and all days.

  • Authentication is set to authenticate requests on this server.

  • Accounting is not set to forward accounting information to a remote RADIUS server group.

  • Attribute manipulation rules are not configured.

  • Advanced attributes are not configured.

The default connection request policy uses IAS as a RADIUS server. To configure an IAS server to act as a RADIUS proxy, you must also configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard. You must either delete the default connection request policy or verify that it is the last policy processed: because its only condition matches every request, any policy placed after it is never evaluated. For an example of a connection request policy that uses IAS as a RADIUS proxy, see Remote RADIUS server.

Note

  • If IAS and the Routing and Remote Access service are installed on the same computer, and the Routing and Remote Access service is configured for Windows authentication and accounting, it is possible for Routing and Remote Access service authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Routing and Remote Access service authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group.