Elements of a remote access policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A remote access policy is a named rule that consists of the following elements:

  • Conditions

  • Remote access permission

  • Profile

Conditions

Remote access policy conditions are one or more attributes that are compared to the settings of the connection attempt. If there are multiple conditions, then all of the conditions must match the settings of the connection attempt in order for it to match the policy.

The following table shows the condition attributes that you can set for a remote access policy.

Attribute name Description

Authentication Type

The type of authentication that is being used by the access client. Authentication types include CHAP, EAP, MS-CHAP, and MS-CHAP v2.

Called Station ID

The phone number of the network access server (NAS). This attribute is a character string. You can use pattern matching syntax to specify area codes. For more information, see Pattern matching syntax. In order to receive called station ID information during a call, the phone line, the hardware, and the Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition driver for the hardware must support passing the called ID. Otherwise, the called station ID is manually set for each port. To manually set phone numbers on ports, see Set the phone number on a port.

Calling Station ID

The phone number used by the caller. This attribute is a character string. You can use pattern matching syntax to specify area codes. For more information, see Pattern matching syntax. For more information about obtaining the calling station ID, see Caller ID and callback.

Client Friendly Name

The name of the RADIUS client that is requesting authentication. This name is configured in Friendly name on the Settings tab in the properties of a RADIUS client in Internet Authentication Service. This attribute is a character string. You can use pattern matching syntax to specify client names. For more information, see Pattern matching syntax. This attribute is used by the IAS server.

Client IP Address

The IP address of the RADIUS client. This can be the IP address of either the originating RADIUS client or an intermediate RADIUS proxy. This attribute is a character string. You can use pattern matching syntax to specify IP networks. For more information, see Pattern matching syntax. This attribute is used by the IAS server.

Client Vendor

The vendor of the network access server (NAS) that is requesting authentication. The Routing and Remote Access service is the Microsoft NAS manufacturer. You can use this attribute to configure separate policies for different NAS manufacturers who are RADIUS clients to an IAS server. This attribute is used by the IAS server. Ensure that you configure the NAS as a RADIUS client on the IAS server. For more information, see Add RADIUS clients.

Day and Time Restrictions

The day of the week and the time of day of the connection attempt. The day and time are relative to the day and time of the server providing the authorization.

Framed Protocol

The type of framing for incoming packets. Examples are PPP, SLIP, Frame Relay, and X.25. This attribute is used by the IAS server.

NAS Identifier

The name of the network access server (NAS). This attribute is a character string. You can use pattern matching syntax to specify multiple NASs. For more information, see Pattern matching syntax. This attribute is used by the IAS server.

NAS IP Address

The IP address of the NAS (the RADIUS client) that sent the message. This attribute is a character string. You can use pattern matching syntax to specify IP networks. For more information, see Pattern matching syntax. This attribute is used by the IAS server.

NAS Port Type

The type of media that is used by the access client. Examples include analog phone lines (known as async), ISDN, tunnels or virtual private networks (known as virtual), IEEE 802.11 wireless, and Ethernet switches.

Service Type

The type of service that is being requested. Examples include framed (such as PPP connections) and login (such as Telnet connections). For more information about RADIUS service types, see RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)." This attribute is used by the IAS server.

Tunnel Type

The type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP), which are used by Windows XP; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000 remote access clients and demand-dial routers. You can use this condition to specify profile settings, such as authentication methods or encryption strengths for a specific type of tunneling technology.

Windows Groups

The names of the groups to which the user or computer account that is attempting the connection belongs. There is no condition attribute for a specific user or computer name. It is not necessary to have a separate remote access policy for each group. Instead, you can use multiple groups or nested groups to consolidate and delegate the administration of group membership. For a remote access or IAS server in a Windows 2000 native domain, you can use universal groups. For more information, see Domain and forest functionality.

Notes

  • If conditions that use an IAS server attribute are evaluated against a Routing and Remote Access service server that is configured for Windows authentication, they do not match and the policy is not applied.

  • Not all access servers send all of the IAS server-specific attributes.

  • You cannot use the built-in local or domain groups for the Windows Groups attribute.

Remote access permission

If all conditions of a remote access policy are met, remote access permission is either granted or denied. You can use either the Grant remote access permission option or the Deny remote access permission option to set remote access permission for a policy.

Remote access permission is also granted or denied for each user account. The user remote access permission overrides the policy remote access permission. When remote access permission on a user account is set to the Control access through Remote Access Policy option, the policy remote access permission determines whether the user is granted access.

Granting access through either the user account permission setting or the policy permission setting is only the first step in accepting a connection. The connection attempt is subject to the settings of both the user account dial-in properties and policy profile properties. If the connection attempt does not match the settings of the user account or policy profile properties, the connection attempt is rejected.

Profile

A remote access policy profile is a set of properties that are applied to a connection when it is authorized, either through the user account or policy permission settings. A profile consists of the following groups of properties:

  • Dial-in constraints

  • IP

  • Multilink

  • Authentication

  • Encryption

  • Advanced

Dial-in constraints

You can set the following dial-in constraints:

  • Minutes server can remain idle before it is disconnected

    The time after which a connection is disconnected when there is no activity. By default, this property is not set, and the Routing and Remote Access service does not disconnect an idle connection.

  • Minutes client can be connected

    The maximum amount of time that a connection is connected. The connection is disconnected by the access server after the maximum session length. By default, this property is not set and there is no maximum session limit.

  • Allow access only on these days and at these times

    The days of the week and hours of each day that a connection is allowed. If the day and time of the connection attempt do not match the configured day and time limits, the connection attempt is rejected. By default, this property is not set and there are no day or time limits. The Routing and Remote Access service does not disconnect active connections that were previously connected at a time when connection attempts were allowed.

  • Allow access to this number only

    The specific phone number that a caller must call in order for a connection to be allowed. If the dial-in number of the connection attempt does not match the configured dial-in number, the connection attempt is rejected. By default, this property is not set and all dial-in numbers are allowed.

  • Allow access only through these media

    The specific types of media, such as modem (also known as async), ISDN, virtual private network (known as virtual), or 802.11 wireless that a caller must use in order for a connection to be allowed. If the dial-in medium of the connection attempt does not match the configured dial-in media, the connection attempt is rejected. By default, this property is not set and all media types are allowed.

For information about setting dial-in constraints on a profile, see Configure dial-in constraints.
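The decision sequence described under Remote access permission, together with the "Allow access only through these media" constraint, as an added example (not code from the original page or from Microsoft). It models a single policy; Python regular expressions stand in for IAS pattern matching syntax, and the Policy class, the evaluate function and the sample values are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# User account dial-in permission settings, named after the page's wording.
ALLOW, DENY, USE_POLICY = "allow", "deny", "control-through-policy"

# Condition attributes the page marks as "used by the IAS server".
IAS_ONLY = {"Client Friendly Name", "Client IP Address", "Client Vendor",
            "Framed Protocol", "NAS Identifier", "NAS IP Address", "Service Type"}

@dataclass
class Policy:
    conditions: dict   # attribute name -> regex (assumed stand-in for IAS pattern syntax)
    grant: bool        # True = Grant, False = Deny remote access permission
    allowed_media: set = field(default_factory=set)  # empty = constraint not set

def conditions_match(policy, attempt, windows_auth=False):
    """Every condition must match; an attribute that was not sent never matches."""
    for attr, pattern in policy.conditions.items():
        if windows_auth and attr in IAS_ONLY:
            return False   # IAS attribute on an RRAS server using Windows authentication
        value = attempt.get(attr)
        if value is None or not re.search(pattern, value):
            return False
    return True

def evaluate(policy, user_permission, attempt, windows_auth=False):
    """Return (accepted, reason) for one connection attempt against one policy."""
    if not conditions_match(policy, attempt, windows_auth):
        return False, "conditions not met"
    # The user account setting overrides the policy unless it defers to the policy.
    if user_permission == DENY:
        return False, "denied by user account"
    if user_permission == USE_POLICY and not policy.grant:
        return False, "denied by policy"
    # Permission is only the first step: the profile's constraints still apply.
    if policy.allowed_media and attempt.get("NAS Port Type") not in policy.allowed_media:
        return False, "profile: medium not allowed"
    return True, "accepted"

# Constructed sample data: one policy and three connection attempts.
VPN_POLICY = Policy(conditions={"Authentication Type": r"^MS-CHAP v2$",
                                "Client IP Address": r"^10\.1\.2\."},
                    grant=True, allowed_media={"Virtual"})
VPN_OK = {"Authentication Type": "MS-CHAP v2", "Client IP Address": "10.1.2.7",
          "NAS Port Type": "Virtual"}
NO_CLIENT_IP = {"Authentication Type": "MS-CHAP v2", "NAS Port Type": "Virtual"}
WRONG_MEDIUM = {**VPN_OK, "NAS Port Type": "Async"}
```
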

IP

You can set IP properties that specify IP address assignment behavior. You have the following options:

  • The access server must supply an IP address.

  • The access client can request an IP address.

  • IP address assignment is determined by the access server (this is the default setting).

  • A static IP address is assigned. A static IP address assigned to the user account overrides this setting. The IP address assigned is typically used to accommodate vendor-specific attributes for IP addresses.

You can also use the IP tab to define IP packet filters that apply to remote access connection traffic. This is intended for use with the Routing and Remote Access service. You can configure IP traffic that is allowed to remote access clients (output filters) or from remote access clients (input filters) on an exception basis. Either all traffic is allowed, except traffic specified by filters; or all traffic is blocked, except traffic specified by filters. Remote access policy profile filtering applies to all remote access connections that match the remote access policy.

Filters configured on the IP tab are applied to client connections on a Windows Server 2003 remote access server, but are not applied to dial-on-demand connections.

For information about setting IP options on a profile, see Configure IP options.

Multilink

You can set Multilink properties that both enable Multilink and determine the maximum number of ports that a Multilink connection can use. Additionally, you can set Bandwidth Allocation Protocol (BAP) policies that both determine BAP usage and specify when extra BAP lines are dropped. The Multilink and BAP properties are specific to the Routing and Remote Access service. By default, Multilink and BAP are disabled.

The Routing and Remote Access service must have Multilink and BAP enabled in order for the Multilink properties of the profile to be enforced. For more information about enabling Multilink and BAP for the Routing and Remote Access service, see Enable Multilink and Enable BAP and BACP.

For information about setting Multilink options on a profile, see Configure multilink options.

Authentication

You can set authentication properties to both enable the authentication types that are allowed for a connection and specify the EAP type that must be used. Additionally, you can configure the EAP type. By default, Microsoft Encrypted Authentication (MS-CHAP) and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) are enabled. With Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, you can specify whether users can change their expired passwords using MS-CHAP and MS-CHAP v2 (enabled by default). For more information, see Authentication methods.

The Routing and Remote Access service must have the corresponding authentication types enabled in order for the authentication properties of the profile to be enforced. For more information about enabling authentication methods for the Routing and Remote Access service, see Enable authentication protocols.

For information about setting authentication options on a profile, see Configure authentication.

Encryption

You can set encryption properties for the following encryption strengths:

  • No Encryption

    This option allows a nonencrypted connection. To require encryption, clear this option.

  • Basic

    For dial-up and PPTP-based VPN connections, Microsoft Point-to-Point Encryption (MPPE) is used with a 40-bit key. For L2TP/IPSec VPN connections, 56-bit Data Encryption Standard (DES) encryption is used.

  • Strong

    For dial-up and PPTP VPN connections, MPPE is used with a 56-bit key. For L2TP/IPSec VPN connections, 56-bit DES encryption is used.

  • Strongest

    For dial-up and PPTP VPN connections, MPPE is used with a 128-bit key. For L2TP/IPSec VPN connections, triple DES (3DES) encryption is used.

These settings are intended to be used with Routing and Remote Access. When other access servers are used, select No Encryption and clear all encryption strengths.

For information about setting encryption options on a profile, see Configure encryption.

Advanced

You can set advanced properties to specify the series of RADIUS attributes that are sent back by the IAS server to be evaluated by the RADIUS client. RADIUS attributes are specific to performing RADIUS authentication, and are ignored by a server that is running the Routing and Remote Access service and is configured for Windows authentication. By default, Framed-Protocol is set to PPP and Service-Type is set to Framed.

The only advanced attributes that are used by the Routing and Remote Access service are Account-Interim-Interval, Framed-Protocol, Framed-MTU, Reply-Message, and Service-Type.

For information about setting advanced options on a profile, see Add RADIUS attributes to a remote access policy.

Notes

  • Some elements of a remote access policy correspond to RADIUS attributes that are used during RADIUS-based authentication. For remote access policies on an Internet Authentication Service (IAS) server, verify that the access servers used are sending RADIUS attributes that correspond to the configured remote access policy conditions and profile settings. If a NAS does not send a RADIUS attribute that corresponds to a remote access policy condition or profile setting, then all RADIUS authentications from that NAS are denied.

  • You can only use the Generate-Session-Timeout attribute if your user account database is a Security Accounts Manager (SAM) database or is the user account database for an Active Directory domain. When the value of Generate-Session-Timeout is set to True, the ForceLogoff value for a SAM database should be set to 0. In the Local Security Settings console, ForceLogoff is changed to zero when Network security: Force logoff when logon hours expire is enabled. For information about how to change the ForceLogoff value for the SAM database at the command prompt, see Net accounts.

  • You can configure wireless connection policy so that wireless clients periodically reauthenticate. This ensures that the client Wired Equivalent Privacy (WEP) encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session timeout in your remote access policy or connection request policy for wireless connections (using the Session-Timeout attribute) to the required interval (for example, 10 minutes). Additionally, configure the Termination-Action attribute with the Attribute value set to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless access points might end the connection during reauthentication. For more information, see your hardware documentation.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.