Configuring a Remote Access Policy


A remote access policy consists of three elements that make up a rule for analyzing remote connections. These elements are the conditions, the profile, and the remote access permission for the policy. The remote access permission was discussed earlier, in the section "Understanding the Default Policy." Recall that the remote access permission for the policy applies only when an administration-by-policy model is being employed.

Specifying Conditions of Remote Access Policies

When granting or denying access by group membership in the previous sections, you added the Windows-Groups attribute as a condition that users making connection attempts had to match (Figure 31-13). Table 31-1 describes this and other attributes that can be included in a remote access policy.

Figure 31-13. The remote access attributes that can be added to policies.

Table 31-1. Attributes for remote access policies

Attribute Name | Description
Called-Station-Id | Phone number of the remote access server. To receive this information, the phone line, hardware, and hardware drivers must support the passing of the information. Otherwise, the called station ID is set manually for each port.
Calling-Station-Id | Phone number used by the caller. If you configure a caller ID number for a user, the phone system, remote server, and all connecting hardware must support the passing of caller ID information. If any link in the connection does not support caller ID, the connection attempt is denied.
Client-Friendly-Name (IAS server only) | Name of the RADIUS client computer that is seeking authentication.
Client-IP-Address (IAS server only) | IP address of the RADIUS client.
Client-Vendor (IAS server only) | Vendor of the network access server that is a RADIUS client. Used to configure different policies for different manufacturers.
Day-And-Time-Restriction | Days and times for connection attempts.
Framed-Protocol | Protocol such as PPP, SLIP, Frame Relay, or X.25 to be used for framing incoming packets.
NAS-Identifier (IAS server only) | String to identify the originating network access server (NAS).
NAS-IP-Address (IAS server only) | IP address of the originating NAS.
NAS-Port-Type | Medium used by the originating caller. Examples are analog telephone and ISDN lines.
Service-Type | Type of service the caller requests. Examples are framed (PPP) and login (Telnet).
Tunnel-Type | Tunneling protocols to be used. Examples are PPTP and L2TP.
Windows-Groups | Groups that the caller is a member of.

Configuring Profiles in Remote Access Policies

The profile in a remote access policy is a set of settings that are applied to a connection once it has been authorized. The profile applies whether access was granted by the permission in the user account or by the permission in the policy. To see the profile that applies to a policy, open the policy's Properties window and click the Edit Profile button. The Edit Profile window has six tabs that can be configured (Figure 31-14). Each tab is discussed in the sections that follow.


Figure 31-14. Settings in the remote access policy profile.

Specifying Dial-In Constraints

On the Dial-In Constraints tab, you can set the following limitations on the dial-in connection:

  • Disconnect If Idle For The time after which an idle connection is terminated. By default, no connection is automatically terminated when idle.
  • Restrict Maximum Session To The time after which a connection is disconnected. By default, there is no time limit on connections.
  • Restrict Access To The Following Days And Times The days and hours when a connection is allowed. This option is cleared by default. The remote access server will not disconnect a connection that is active at a time when connection attempts aren't allowed.
  • Restrict Dial-In To This Number Only The specific number that a user must call for a connection to be allowed.
  • Restrict Dial-In Media The type of medium the caller must be connecting with, such as ISDN, T1, or ADSL. If the medium specified doesn't match the medium being used, the call will be rejected.

Specifying IP Address Policies

The IP tab defines the IP address policies for the profile:

  • IP Address Assignment Policy By default, the server supplies an IP address for the connection, but you can specify that the server must supply an address or that the client can request an IP address.
  • IP Packet Filters Specifies the types of packets that are allowed (or not allowed) in the traffic to the client or from the client or both. Packet filtering can be based on such things as the source and destination IP addresses, protocol type, source or destination port, and so forth.

Enabling Multilink and the Bandwidth Allocation Protocol

On the Multilink tab, you can choose settings to enable Multilink and the Bandwidth Allocation Protocol (BAP). The server must have Multilink and BAP enabled for these settings to be enforced in the profile. Enabling Multilink allows clients to combine multiple physical connections into a single logical connection. If you enable Multilink, you should also enable BAP so that links can be dynamically added or dropped as needed. (Multilink has no mechanism for adapting to changing bandwidth needs.)

  • Multilink Settings Disables Multilink completely or sets the maximum number of ports that a connection can use. This option defaults to the server's setting.
  • Bandwidth Allocation Protocol Settings Causes a Multilink connection to be reduced automatically if the lines fall below a specified capacity for a specified length of time.

Specifying Authentication Methods

On the Authentication tab, you set the authentication methods that are allowed for the connection. The same authentication methods must be enabled on the remote access server for the properties of the profile to be enforced. For more on authentication methods, see the section "Configuring Authentication for a Remote Access Server" in Chapter 18.

Specifying an Encryption Method

The Encryption tab lets you set the encryption properties for this profile. The settings are as follows:

  • No Encryption Allows a nonencrypted connection. To require encryption, clear this check box.
  • Basic Uses Microsoft Point-to-Point Encryption (MPPE) with a 40-bit key for dial-up and PPTP connections. For L2TP over an IPSec-based VPN, uses 56-bit Data Encryption Standard (DES) encryption.
  • Strong Uses MPPE with a 56-bit key for dial-up and PPTP connections. For L2TP over an IPSec-based VPN, uses 56-bit DES encryption.

Setting Advanced Attributes

On the Advanced tab, you can set RADIUS attributes that are sent to the RADIUS client by the IAS server. These attributes are specific to RADIUS authentication and are ignored by the remote access server.
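As an added example (not from the book and not the Windows 2000 RRAS or IAS API), this Python model ties together the three policy elements described above: every condition attribute must match, the remote access permission (from the policy, or from the user account when it is not administered by policy) decides, and only then do profile constraints such as dial-in media, permitted days and times, and encryption level apply. All class, field, and attribute-value names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
# Constructed model of one remote access policy (conditions, permission, profile).
# Names are illustrative, not the Windows 2000 RRAS or IAS API.
@dataclass
class Profile:
    allowed_media: set[str] | None = None          # Restrict Dial-In Media; None = any medium
    allowed_hours: dict[int, range] | None = None  # weekday (Mon=0) -> permitted hours of day
    allow_no_encryption: bool = False              # the "No Encryption" check box
    allowed_encryption: set[str] = field(default_factory=lambda: {"Basic", "Strong"})

@dataclass
class Policy:
    name: str
    conditions: dict[str, set[str]]  # attribute -> acceptable values; every attribute must match
    grant: bool                      # remote access permission set on the policy itself
    profile: Profile

def conditions_match(policy: Policy, request: dict) -> bool:
    """Each condition attribute must be present with an acceptable value (any one group suffices)."""
    for attr, wanted in policy.conditions.items():
        got = request.get(attr)
        if got is None:
            return False
        values = got if isinstance(got, set) else {got}
        if not values & wanted:
            return False
    return True

def evaluate(policy: Policy, request: dict, user_permission: bool | None = None) -> tuple[str, str]:
    """Return (decision, reason); user_permission is the user-account setting, None = by policy."""
    if not conditions_match(policy, request):
        return "no-match", "conditions not met"
    if not (policy.grant if user_permission is None else user_permission):
        return "deny", "remote access permission denied"
    prof = policy.profile  # the profile applies however permission was granted
    if prof.allowed_media and request.get("NAS-Port-Type") not in prof.allowed_media:
        return "deny", "dial-in medium not allowed by profile"
    when: datetime = request["time"]
    if prof.allowed_hours is not None:
        if when.hour not in prof.allowed_hours.get(when.weekday(), range(0)):
            return "deny", "outside permitted days and times"
    enc = request.get("encryption")  # None = client offers a nonencrypted connection
    if enc is None and not prof.allow_no_encryption:
        return "deny", "encryption required"
    if enc is not None and enc not in prof.allowed_encryption:
        return "deny", f"encryption level {enc} not permitted"
    return "accept", "connection authorized; profile constraints apply"
```

A request that fails a condition is simply not matched by this policy, whereas a request that matches but fails a profile constraint is rejected outright; the distinction matters when several policies are defined.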



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366