Using RADIUS for Multiple Remote Access Servers

When you have more than one Windows 2000 remote access server, administering remote access policies on each of them separately quickly becomes cumbersome. Instead, you can configure a single computer running Windows 2000 and IAS as a RADIUS server and configure the remote access servers as RADIUS clients. The IAS server then provides centralized remote access authentication, authorization, accounting, and auditing. Assuming that you have already configured the remote access servers to provide access for dial-up or VPN clients, you can accomplish this by performing the following procedures, each of which is described in the sections that follow:

  • Configure the remote access servers for RADIUS authentication.
  • Configure the remote access servers for RADIUS accounting.
  • Configure the IAS server.

To provide redundancy and fault tolerance, configure a primary and a secondary IAS server, and copy the remote access policies from the primary server to the secondary one. Then configure each remote access server with two RADIUS servers that correspond to the two IAS servers. If the primary IAS server becomes unavailable, the remote access servers will automatically fail over to the secondary IAS server.

Configuring a Remote Server for RADIUS Authentication

When you configure the properties of a remote access server running Windows 2000, you need to select RADIUS as the authentication provider. To change a server to RADIUS authentication, follow these steps:

  1. Right-click the server name in Routing and Remote Access and choose Properties from the shortcut menu.
  2. Click the Security tab. Under Authentication Provider, select RADIUS Authentication, and then click Configure.
  3. Provide the server name—the host name or IP address of the IAS server. If you already have IAS installed, you do not need to change the shared secret; otherwise, you need to change it. The remote access server running Windows 2000 and the IAS server share a secret that is used to encrypt messages sent between them, so both servers must be configured with the same secret.
  4. Click OK when you're finished.

The remote access server sends its authentication requests to the UDP port on which the IAS server listens. The default value of 1812 is based on RFC 2138, "Remote Authentication Dial-in User Service (RADIUS)," and does not need to be changed when you're using an IAS server.

Configuring the Remote Server for RADIUS Accounting

When you configure the properties of a remote access server running Windows 2000, you need to select RADIUS accounting as the accounting provider.

To change a server to RADIUS accounting, follow these steps:

  1. Right-click the server name in Routing and Remote Access and choose Properties from the shortcut menu.
  2. Click the Security tab. Under Accounting Provider, select RADIUS Accounting, and then click Configure.
  3. Provide the server name—the host name or IP address of the IAS server.
  4. If you already have IAS installed, you do not need to change the shared secret; otherwise, you need to change it. Note that the remote access server running Windows 2000 and the IAS server share a secret that is used to encrypt messages sent between them, so both servers must be configured with the same secret. Click OK.
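The shared secret entered in the authentication and accounting steps above is what binds each RADIUS message to the two configured peers. The following Python is an added example, not code from the book or from Windows 2000; it models the message protection defined in RFC 2138 (authentication, the UDP 1812 exchange) and RFC 2139 (accounting, UDP 1813): the User-Password attribute is hidden with MD5 of the secret and the Request Authenticator, the Access-Accept/Reject carries a Response Authenticator the client recomputes, and an Accounting-Request carries a Request Authenticator the server recomputes. The user name, password, secrets and addresses are constructed for the demo; the round-trip function shows what happens when the two sides are configured with the same secret and with different ones.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2138 (authentication) and RFC 2139 (accounting)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 2, 4, 40


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    """Return {type: value} for a packet body (last value wins for repeated types)."""
    attrs, i = {}, 0
    while i + 1 < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2138 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the IAS server performs it with its own copy of the secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, body):
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_access_request(identifier, username, password, secret, nas_ip):
    """What the remote access server (RADIUS client) sends to UDP 1812 on the IAS server."""
    request_authenticator = os.urandom(16)  # RFC 2138 3: random and unpredictable per request
    body = (encode_attr(ATTR_USER_NAME, username)
            + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
            + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator, body)


def response_authenticator(code, identifier, body, request_authenticator, secret):
    """RFC 2138 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_response(code, request, body, secret):
    """IAS side: the reply is bound to the request's authenticator and the shared secret."""
    auth = response_authenticator(code, request[1], body, request[4:20], secret)
    return build_packet(code, request[1], auth, body)


def verify_response(response, request, secret):
    """Remote access server side: a reply only verifies if the IAS server used the same secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def build_accounting_request(identifier, body, secret):
    """RFC 2139 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """IAS side check of an Accounting-Request; a wrong secret on either side fails here."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def round_trip(ras_secret, ias_secret):
    """One authentication and one accounting exchange between a remote access server configured
    with ras_secret and an IAS server configured with ias_secret (constructed sample values)."""
    request = build_access_request(7, b"alice", b"correct horse", ras_secret, "192.0.2.10")
    recovered = reveal_password(parse_attrs(request[20:])[ATTR_USER_PASSWORD], ias_secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == b"correct horse" else ACCESS_REJECT
    response = build_response(code, request, b"", ias_secret)
    reply_ok = verify_response(response, request, ras_secret)
    acct = build_accounting_request(8, encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)), ras_secret)
    return recovered, code, reply_ok, verify_accounting_request(acct, ias_secret)


if __name__ == "__main__":
    print("matching secrets:  ", round_trip(b"S3cret-shared", b"S3cret-shared"))
    print("mismatched secrets:", round_trip(b"S3cret-shared", b"typo-on-one-side"))
```

With matching secrets the IAS side recovers the password, answers Access-Accept, the reply verifies on the remote access server, and the Accounting-Request verifies on IAS. With a mismatch the recovered password is garbage (so the user is rejected), the reply fails verification, and the accounting record is discarded, which is exactly the symptom to look for when one of the two servers is configured with a different secret.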

Configuring the IAS Server for RADIUS

You need to register each of the remote access servers as clients on the IAS server. Once the remote access servers are configured to use RADIUS authentication, only the remote access policies stored on the IAS server are used. So if one of the remote access servers holds the remote access policies that apply to all of the remote access servers, you need to copy those policies to the IAS server. To copy the policies from a remote server to the IAS server, open a command window and type netsh aaaa show config <path\file>.txt. The path can be relative, absolute, or a UNC path. This command creates a text file that includes all of the configuration settings.

Copy the text file to the destination IAS server, and open a command prompt on the destination machine. Type netsh exec <path\file>.txt. A message appears telling you whether the update was successful. This procedure does not work unless both the source and destination computers are running the same version of Windows 2000.

Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320