Features of IAS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Features of IAS

IAS includes support for the following features:

  • A variety of authentication methods

    IAS supports a number of authentication protocols and allows you to add custom methods that meet your authentication requirements. The supported authentication methods are:

    • Password-based Point-to-Point Protocol (PPP) authentication protocols

      Password-based PPP authentication protocols, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP version 2 (MS-CHAP v2), are supported. For more information, see Authentication methods.

    • Extensible Authentication Protocol (EAP)

      An Internet standards-based infrastructure that allows the addition of arbitrary authentication methods, such as smart cards, certificates, one-time passwords, and token cards. A specific authentication method that uses the EAP infrastructure is an EAP type. IAS includes support for EAP-Message Digest 5 (MD5) and EAP-Transport Level Security (EAP-TLS). For more information, see EAP.

  • A variety of authorization methods

    IAS supports a number of authorization methods and allows you to add custom methods that meet your authorization requirements. The supported authorization methods are:

    • Dialed Number Identification Service (DNIS)

      The authorization of a connection attempt that is based on the number called. DNIS supplies the number that was called to the call receiver and is provided by most standard telephone companies.

    • Automatic Number Identification/Calling Line Identification (ANI/CLI)

      The authorization of a connection attempt that is based on the phone number of the caller. ANI/CLI service supplies the number of the caller to the call receiver and is provided by most standard telephone companies.

    • Guest authorization

      The use of the Guest account as the identity of the user when the connection is made without user credentials (user name and password).

      For more information, see Unauthenticated access.

  • Heterogeneous access servers

    IAS supports access servers that support RADIUS RFCs 2865 and 2866. In addition to dial-up access servers (also known as network access servers), IAS also supports the following:

    • Wireless access points

      By using remote access policies and the Wireless-IEEE 802.11 port type condition, IAS can be used as a RADIUS server for wireless access points that use RADIUS for authentication and authorization of wireless nodes. For more information, see New features for IAS.

    • Authenticating switches

      By using remote access policies and the Ethernet port type condition, IAS can be used as a RADIUS server for Ethernet network switches that use RADIUS for authentication and authorization of switch nodes. For more information, see New features for IAS.

    • Integration with the Routing and Remote Access service

      Both IAS and the Routing and Remote Access service share remote access policies and log file capabilities. This integration provides a consistent implementation for both IAS and the Routing and Remote Access service. It enables you to deploy Routing and Remote Access in small sites without the requirement of a separate, centralized IAS server. It also provides the ability to scale to a centralized remote access management model, whenever you have multiple Routing and Remote Access servers in your organization. IAS, in conjunction with Routing and Remote Access servers, implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access. The policies within IAS at a central and large site can be exported to the independent Routing and Remote Access server in a small site.

  • RADIUS proxy

    IAS allows an incoming RADIUS request to be forwarded to another RADIUS server for the processing of authentication and authorization, or accounting. As a RADIUS proxy, IAS can be used whenever the RADIUS request must be routed to another RADIUS server. IAS can forward requests based on user name, access server IP address, access server identifier, and other conditions. For more information, see New features for IAS.

  • Outsourced dial-up and wireless network access

    Outsourced dialing (also known as wholesale dialing) provides a contract between an organization (the customer) and an Internet service provider (ISP). The ISP allows organization employees to connect to its network before the VPN tunnel to the organization’s private network is established. When an organization employee connects to the ISP's NAS, the authentication and usage records are forwarded to the IAS server at the organization. The IAS server enables the organization to control user authentication, track usage, and determine which employees are allowed to access the ISP's network.

    The advantage of outsourced dialing is the potential savings. By using an ISP's routers, network access servers, and wide area network (WAN) links instead of purchasing your own, you might save a great deal on hardware (infrastructure) costs. By dialing into the ISP with worldwide connections, you might significantly decrease your long-distance phone bill. And, by moving support requirements to the provider, you might eliminate administrative costs.

    You can also outsource wireless access. A vendor can provide wireless access in a remote location and use your user name to forward the connection request to a RADIUS server that is under your control for authentication and authorization. A good example is wireless Internet access in an airport.

  • Centralized user authentication and authorization

    To authenticate a connection request, IAS validates the connection credentials against user accounts in the local Security Accounts Manager (SAM), a Microsoft® Windows NT® Server 4.0 domain, or an Active Directory® domain. For an Active Directory domain, IAS supports the use of Active Directory user principal names (UPNs) and universal groups.

    To authorize a connection request, IAS uses the dial-in properties of the user account that correspond to both the connection credentials and remote access policies. Although it is relatively easy to manage remote access permission for each user account, this approach does not scale well as an organization grows. Remote access policies provide a more powerful and flexible way to manage remote access permission. You can authorize network access based on various conditions, including:

    • User account membership in a group.

    • The time of day or day of the week.

    • The type of media through which the user is connecting (for example, wireless, Ethernet switch, modem, or VPN).

    • The phone number that the user calls.

    • The access server from which the request arrives.

      By configuring profile settings on remote access policies, you can control many connection parameters, including:

    • The use of specific authentication methods.

    • The idle timeout.

    • The maximum time of a single session.

    • The number of links in a multilink session.

    • The use of encryption and its strength.

    • The use of packet filters to control what the remote access user can access when connected to the network. For example, you can use filters to control which IP addresses, hosts, and ports the user is allowed to use in sending or receiving packets.

    • The creation of a compulsory tunnel that forces all packets from that connection to be securely tunneled through the Internet and terminated in a private network.

    • The virtual local area network identifier (VLAN ID) for wireless or Ethernet connections.

  • Centralized administration for all of your access servers

    Support for the RADIUS standard allows IAS to control connection parameters for any access server that implements RADIUS. The RADIUS standard also allows individual remote access vendors to create proprietary extensions called vendor-specific attributes (VSAs). IAS has incorporated the extensions from a number of vendors in its dictionary. Additional VSAs can be added to the profile of individual remote access policies. For more information, see Vendor-specific attribute overview.

  • Centralized auditing and usage accounting

    Support for the RADIUS standard allows IAS to collect, at a central location, the usage (accounting) records sent by all access servers. IAS stores audit information (for example, authentication accepts and rejects) and usage information (for example, connect and disconnect records) in log files. IAS supports a log file format that can be directly imported into a database. The data can then be analyzed with any standard data analysis application. For more information, see Logging user authentication and accounting requests.

  • Snap-in-based management tool

    IAS provides an administration tool named the Internet Authentication Service snap-in. You can run Internet Authentication Service from Administrative Tools to administer IAS on a local computer. Or, you can add the Internet Authentication Service snap-in to the Microsoft Management Console (MMC) to administer IAS running on either a local computer or a remote computer.

  • Local or remote monitoring with tools provided in Microsoft® Windows Server® 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition

    You can monitor IAS locally or on a remote computer with tools provided in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, including Event Viewer, System Monitor, and Simple Network Management Protocol (SNMP). You can also use Network Monitor to capture RADIUS messages for detailed traffic analysis and troubleshooting.

  • Scalability

    You can use IAS in a variety of network configurations of varying size, from stand-alone servers for small networks to large organization and ISP networks.

  • Support for multiple IAS servers

    The synchronization of the configuration of multiple IAS servers can be performed with the Netsh command-line tool. For more information see Copy the IAS configuration to another server.

  • Extensibility

    The Windows Server 2003 Platform Software Development Kit (SDK) contains two smaller networking SDKs--the IAS SDK and the EAP SDK.

    You can use the IAS SDK to:

    • Return custom attributes to the access server in addition to those returned by IAS. For example, you can create a customized module to assign IP addresses.

    • Control the number of user network sessions.

    • Import usage and audit data directly into an Open Database Connectivity (ODBC)-compliant database.

    • Create customized authorization modules.

    • Create customized authentication modules (non-EAP).

You can use the EAP SDK to create EAP types. For more information, see EAP.

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.