Processing a connection request

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When an IAS server receives a valid RADIUS request message from a RADIUS client, it is processed as follows:

  1. The first policy in the ordered list of connection request policies is checked. If there are no policies and the RADIUS message is an Access-Request message, an Access-Reject message is immediately sent. If there are no policies and the RADIUS message is an Accounting-Request message, the message is discarded.

  2. If all conditions of the policy do not match the RADIUS request message, then go to the next policy. If there are no additional policies and the RADIUS message is an Access-Request message, an Access-Reject message is immediately sent. If there are no additional policies and the RADIUS message is an Accounting-Request message, the message is discarded.

  3. If all conditions of the policy match the RADIUS request message, then apply the attribute manipulation rules that are configured in the policy.

  4. If the RADIUS message is an Access-Request message, check the authentication settings on the profile of the matching policy.

    • If the authentication setting requires using this server for authentication, authenticate against a Windows NT 4.0 domain, the Active Directory directory service, or the local Security Account Manager (SAM) on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. Use the matching remote access policy and the dial-in properties of the user or computer account for authorization. For more information, see Accepting a connection attempt.

    • If the authentication setting requires forwarding the Access-Request message to a remote RADIUS server group, forward the Access-Request message to a member of the remote RADIUS server group on the basis of the priority and weight settings.

    • If the authentication setting requires accepting the connection attempt without performing authentication or authorization, an Access-Accept message is immediately sent.

  5. If the RADIUS message is an Accounting-Request message, check the accounting settings on the profile of the matching policy.

    • If the accounting settings specify that accounting information is to be sent to a member of a remote RADIUS server group, forward the accounting message to the appropriate RADIUS server in the group on the basis of priority and weight settings.

    • Based on the settings for remote access logging, record the information in the local accounting log file.
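As an added example that is not part of the original page, the following Python model walks a single RADIUS message through steps 1 through 5 above: ordered first-match policy selection, attribute manipulation, and the Access-Request versus Accounting-Request branches. The policy names, attribute names, server names and priority/weight values are constructed for illustration, and condition matching and weight handling are simplified.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Hypothetical model of one connection request policy (names are constructed)
    name: str
    conditions: dict                              # attribute -> value; all must match
    rules: list = field(default_factory=list)     # attribute manipulation: (attr, value)
    auth: str = "local"                           # "local" | "forward" | "accept"
    group: list = field(default_factory=list)     # remote group: (server, priority, weight)
    log_locally: bool = True                      # remote access logging setting

def pick_server(group):
    """Lowest priority number is tried first; among equal priorities the highest
    weight is chosen here (real IAS spreads load in proportion to weight)."""
    return min(group, key=lambda s: (s[1], -s[2]))[0]

def process(msg, policies):
    """Return the action taken for one RADIUS request, following steps 1-5.
    msg is a dict with "code" plus RADIUS attributes; it is modified in place."""
    is_access = msg["code"] == "Access-Request"
    for p in policies:                                      # steps 1-2: first match in order
        if not all(msg.get(k) == v for k, v in p.conditions.items()):
            continue
        for attr, value in p.rules:                         # step 3: attribute manipulation
            msg[attr] = value
        if is_access:                                       # step 4: authentication settings
            if p.auth == "accept":
                return "Access-Accept"
            if p.auth == "forward":
                return f"forward Access-Request to {pick_server(p.group)}"
            return "authenticate locally; authorize by remote access policy"
        actions = []                                        # step 5: accounting settings
        if p.group:
            actions.append(f"forward Accounting-Request to {pick_server(p.group)}")
        if p.log_locally:
            actions.append("record in local accounting log")
        return "; ".join(actions) or "no accounting action configured"
    return "Access-Reject" if is_access else "discard"     # no policy matched

# Constructed sample: a local-auth policy for VPN users, then a forwarding policy
# for a roaming realm that rewrites the user name before forwarding.
SAMPLE_POLICIES = [
    Policy("VPN users", {"NAS-Port-Type": "Virtual"}),
    Policy("Roaming realm", {"Realm": "example.com"}, rules=[("User-Name", "bob")],
           auth="forward", group=[("radius1", 1, 50), ("radius2", 1, 100), ("radius3", 2, 100)],
           log_locally=False),
]
```

Call `process(dict(message), SAMPLE_POLICIES)` with a message dict to see which branch a given request takes; a request that matches no policy yields Access-Reject or discard exactly as steps 1 and 2 describe.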

The following illustration shows the logic of connection request policies.

[Illustration: Internet access using an ISP]

For examples of how different connection requests are processed, see Connection Request Processing Examples.

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.