Dial-up and VPN remote access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Dial-up and VPN remote access

This topic describes how IAS is used to support authentication, authorization, and accounting for dial-up and virtual private network (VPN) connections to an organization. This topic describes a typical configuration for an organization that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication. If only one RADIUS server is configured and it becomes unavailable, dial-up and VPN access clients cannot connect. By using two IAS servers and configuring all dial-up and VPN servers (RADIUS clients) for both the primary and secondary IAS servers, RADIUS clients can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-up properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.

  • A smart card certificate infrastructure.

    The Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol is used with smart cards to authenticate employee connections and provide the highest level of security for authentication.

  • Custom remote access policies.

    Remote access policies are configured to specify, based on group membership, the different requirements for various types of connections and users.

  • Multiple dial-up and VPN servers.

    Dial-up and VPN servers consist of computers running different versions of Windows and the Routing and Remote Access service, and third-party network access server (NAS) devices.

The following illustration shows the common dial-up and VPN remote access configuration.

Components of a RADIUS infrastructure

Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory, the smart card certificate infrastructure, or the dial-up and VPN servers. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS for this example, complete the following steps:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

  • Configure RADIUS accounting and authentication on dial-up and VPN servers.

Configuring user accounts and groups

To configure user accounts and groups, do the following:

  1. Ensure that all users that are making remote access connections have a corresponding user account. This includes employees, contractors, vendors, and business partners.

  2. Set the remote access permission on user accounts to Allow access or Deny access to manage network access by user. Or, to manage network access by group, set the remote access permission on user accounts to Control access through Remote Access Policy. For more information, see Configure remote access permission for a user.

  3. Organize remote access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For more information, see Group scope.

  4. If you are using the Challenge-Handshake Authentication Protocol (CHAP), enable support for reversibly encrypted passwords in the appropriate domains. For more information, see Enable reversibly encrypted passwords in a domain.

  5. If you are using certificate-based authentication, configure the domain in which IAS server computers will be members for the auto-enrollment of computer certificates. For more information, see Configure automatic certificate allocation from an enterprise CA.

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, verify that these domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, see Authentication across forests.

  4. Enable file logging for accounting and authentication events. For more information, see Configure log file properties.

  5. If needed, configure additional UDP ports for authentication and accounting messages that are sent by RADIUS clients. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  6. Add the dial-up and VPN servers as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets. Enable the use of the Message Authenticator attribute, but only when it is also supported by the RADIUS client.

  7. Create remote access policies that reflect your remote access usage scenarios.

    For example, to configure a remote access policy to permit members of the Contractors group dial-up connections from 8:00 AM to 5:00 PM, Monday through Friday, create a new custom remote access policy with the following settings:

    • Policy name: Contractor connections

    • Conditions: Windows-Groups matches Contractors

    • Permission: Grant remote access permission

    • Profile settings, Dial-in constraints tab: Allow access only on these days and at these times is set to 8:00 AM to 5:00 PM, Monday through Friday; llow access only through these media is set to Async (Modem).

    All other settings are at their default values.

  8. As another example, to configure a remote access policy that requires VPN connections for members of the Employees group to use smart card authentication and 128-bit encryption, use the New Remote Access Policy Wizard to create a common VPN policy with the following settings:

    • Policy name: VPN connections

    • Access Method: VPN access

    • User or Group: Select Group, and then specify the Employees group (example).

    • Authentication methods: Select Smart Card or other Certificate, and then clear all other check boxes.

    • Policy Encryption Level: Select the Strongest encryption check box, and then clear all other check boxes.

      For additional examples of remote access policies, see Remote Access Policies Examples.

      If you have created new remote access policies, either delete the default remote access policy named Allow access if dial-up permission is enabled, or move it so that it is the last policy to be evaluated. For more information, see Delete a remote access policy and Change the policy evaluation order.

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the secondary IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, see Authentication across forests.

    For additional examples of remote access policies, see Remote Access Policies Examples.

    If you have created new remote access policies, either delete the default remote access policy named Allow access if dial-up permission is enabled, or move it so that it is the last policy to be evaluated. For more information, see Delete a remote access policy and Change the policy evaluation order.

  4. Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS authentication and accounting on dial-up and VPN servers

To configure each dial-up or VPN server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the dial-up or VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service; configure the primary and secondary IAS servers as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the dial-up or VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.

  3. If the dial-up or VPN server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers).