Implementing Your IAS Solution


Deploying IAS involves configuring IAS as a RADIUS server or proxy, optimizing your IAS configuration to best meet your needs, and configuring compatibility with third-party access servers. Figure 7.12 illustrates this process.

Figure 7.12: Implementing Your IAS Solution

Deploying IAS as a RADIUS Server

Deploying IAS as a RADIUS server on your network involves configuring Active Directory, configuring the primary and backup IAS servers, and configuring the access servers. Figure 7.13 illustrates this process.

Figure 7.13: Deploying IAS as a RADIUS Server

Configure User Accounts and Groups

To configure user accounts and groups, do the following:

  1. Ensure that all users that are making remote access connections have a corresponding user account.

  2. Set the remote access permission on user accounts to Grant access or Deny access to manage network access by user. Or, to manage network access by group, set the remote access permission on user accounts to Control access through Remote Access Policy.

  3. Organize remote access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies.

  4. If you are using CHAP, enable support for reversibly encrypted passwords in the appropriate domains. You can configure reversibly encrypted passwords by using Group Policy. For more information, see "Enable reversibly encrypted passwords in a domain" in Help and Support Center for Windows Server 2003.

  5. If you are using certificate-based authentication, configure the domain in which IAS server computers will be members for the auto-enrollment of certificates. With Windows Server 2003, you can auto-enroll both user and computer certificates.

For more information about configuring user accounts for IAS, see "Dial-up and VPN remote access" in Help and Support Center for Windows Server 2003.

For more information about reversibly encrypted passwords, see "Enable reversibly encrypted passwords in a domain" in Help and Support Center for Windows Server 2003.
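The interaction between the per-account remote access permission in step 2 and the ordered remote access policies (created in the primary server procedure below, where the defaults are moved last) is easy to get wrong, so here is a small model of that evaluation. This is an added example, not code from the Deployment Kit; the account, group and policy names are constructed, and profile constraints such as dial-in hours are deliberately left out of the model.

```python
# Added example, not code from the Deployment Kit: a small model of how IAS
# combines the dial-in permission on a user account with the ordered list of
# remote access policies. Account names, group names and policy names are
# constructed for illustration; profile constraints are not modelled.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GRANT = "grant"                  # "Grant access" on the account's Dial-in tab
DENY = "deny"                    # "Deny access"
BY_POLICY = "control_by_policy"  # "Control access through Remote Access Policy"


@dataclass
class Account:
    name: str
    groups: set
    dialin_permission: str


@dataclass
class Policy:
    name: str
    condition: Callable[[Account, dict], bool]  # all policy conditions as one predicate
    grants_access: bool                         # the policy's own permission setting


def evaluate(account: Account, conn: dict, policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the matching policy).

    IAS walks the policies in order and uses only the first one whose
    conditions match; if none match, the attempt is rejected. The account
    permission wins when it is Grant or Deny; only "Control access through
    Remote Access Policy" hands the decision to the policy."""
    for policy in policies:
        if not policy.condition(account, conn):
            continue
        if account.dialin_permission == GRANT:
            return "accept", policy.name
        if account.dialin_permission == DENY:
            return "reject", policy.name
        return ("accept" if policy.grants_access else "reject"), policy.name
    return "reject", None


# --- constructed sample data ---
VPN_POLICY = Policy(
    "VPN users",
    lambda a, c: c["nas_port_type"] == "Virtual" and "VPN-Users" in a.groups,
    grants_access=True,
)
# Stand-in for a default policy that matches every connection and denies it.
CATCH_ALL_DENY = Policy("Connections to other access servers", lambda a, c: True, grants_access=False)

ALICE = Account("alice", {"VPN-Users"}, BY_POLICY)
BOB = Account("bob", set(), BY_POLICY)
CAROL = Account("carol", set(), GRANT)
VPN_CONNECTION = {"nas_port_type": "Virtual"}


def decisions(policies: List[Policy]) -> List[Tuple[str, Optional[str]]]:
    return [evaluate(a, VPN_CONNECTION, policies) for a in (ALICE, BOB, CAROL)]


def correct_order():
    """Custom policy first, catch-all default last."""
    return decisions([VPN_POLICY, CATCH_ALL_DENY])


def default_first():
    """Default policy left first: it matches everything, so the VPN policy is never reached."""
    return decisions([CATCH_ALL_DENY, VPN_POLICY])


if __name__ == "__main__":
    print("correct order:", correct_order())
    print("default first:", default_first())
```

With the default policy left first, alice is rejected even though she is in the VPN group, because the catch-all policy matches first and denies her. Carol is accepted in both orders because Grant on her account overrides whatever the matching policy says; that is why group-based control requires both the "Control access through Remote Access Policy" setting on the accounts and the correct policy order.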

Configure the Primary IAS Server on a Domain Controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS by using Add/Remove Windows Components. For more information, see "Install IAS" in Help and Support Center for Windows Server 2003.

  2. Configure the IAS server to read the properties of user accounts in the domain. For more information, see "Enable the IAS server to read user accounts in Active Directory" in Help and Support Center for Windows Server 2003.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, use the Active Directory Domains and Trusts snap-in to verify that these domains have a two-way trust with the domain in which the IAS server is a member. Next, configure the IAS server to read the properties of user accounts in other domains by adding the IAS server to the RAS and IAS Servers security group on all domain controllers with user account databases to be accessed by the IAS server. For more information, see "Enable the IAS server to read user accounts in Active Directory" in Help and Support Center for Windows Server 2003.

  4. Enable file logging for accounting and authentication events. You can log session information to text files in either IAS format or database-compatible format, or you can log to a server running SQL Server 2000 or later. In addition, you can configure which information you want to log. For more information, see "Remote access logging" in Help and Support Center for Windows Server 2003.

  5. If needed, configure additional User Datagram Protocol (UDP) ports for authentication and accounting messages that are sent by RADIUS clients. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  6. Add the access servers as RADIUS clients of the IAS server. Verify that you are configuring the correct name or IP address and shared secrets. Enable the use of the Message-Authenticator attribute, but only when it is also supported by the RADIUS client.

  7. Create remote access policies that reflect your network access usage scenarios.

  8. If you have created new remote access policies, either delete the default remote access policies or move them so that they are the last policies to be evaluated.

For more information about configuring IAS, see "Dial-up and VPN remote access" in Help and Support Center for Windows Server 2003.
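Step 6 above enables the Message-Authenticator attribute for a RADIUS client. The following added example (not code from the Deployment Kit) shows what that attribute is: an HMAC-MD5 over the whole Access-Request keyed with the shared secret, which lets the server detect a request that was forged or altered in transit, something the plain request authenticator does not provide. The shared secret, request authenticator and user name are constructed sample values.

```python
# Added example, not code from the Deployment Kit: building and checking the
# RADIUS Message-Authenticator attribute (attribute 80, RFC 2869 section 5.14)
# on an Access-Request. Shared secret, request authenticator and user name
# are constructed sample values.
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, request_authenticator: bytes, attrs) -> bytes:
    """Return an Access-Request whose last attribute is a valid Message-Authenticator.

    The value is HMAC-MD5(secret, packet) computed over the complete packet with
    the 16-byte Message-Authenticator value set to zeros."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder zeros
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                              # overwrite the zeros


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that matches.

    A server configured to require the attribute should reject a request
    that lacks it, so absence also returns False here."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                                   # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


# --- constructed sample values ---
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client uses 16 random bytes


def demo():
    """Return (genuine packet verifies, wrong secret verifies, tampered packet verifies)."""
    pkt = build_access_request(SECRET, 7, REQUEST_AUTHENTICATOR, [(ATTR_USER_NAME, b"alice")])
    tampered = pkt[:HEADER_LEN + 2] + b"b" + pkt[HEADER_LEN + 3:]   # 'alice' -> 'blice'
    return (
        verify_message_authenticator(SECRET, pkt),
        verify_message_authenticator(b"other-secret", pkt),
        verify_message_authenticator(SECRET, tampered),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check depends entirely on the shared secret, which is why step 6 stresses getting the secret and the client address right: a client configured with the wrong secret fails this check on every request, and a request from an unexpected address never reaches it.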

Configure the Secondary IAS Server on a Different Domain Controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller in the same domain, install IAS by using Add/Remove Windows Components. For more information, see "Install IAS" in Help and Support Center for Windows Server 2003.

  2. Configure the secondary IAS server to read the properties of user accounts in the domain by adding the IAS server to the RAS and IAS Servers security group. For more information, see "Enable the IAS server to read user accounts in Active Directory" in Help and Support Center for Windows Server 2003.

  3. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server is a member. Next, configure the secondary IAS server to read the properties of user accounts in other domains by adding the IAS server to the RAS and IAS Servers security group in those domains. For more information, see "Enable the IAS server to read user accounts in Active Directory" in Help and Support Center for Windows Server 2003.

  4. Copy the configuration of the primary IAS server to the secondary IAS server.

For more information about copying IAS configuration, see "Copy the IAS configuration to another server" in Help and Support Center for Windows Server 2003.

Configure RADIUS Clients for Use with IAS Servers

To configure each RADIUS client to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  • If the RADIUS client is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, use the Routing and Remote Access snap-in to configure the RADIUS client to use the primary and secondary IAS servers as RADIUS servers. For more information about configuring the RADIUS client, see "Use RADIUS authentication" and "Use RADIUS accounting" in Help and Support Center for Windows Server 2003.

  • If the RADIUS client is a computer running Windows NT 4.0 and the Routing and Remote Access Service (RRAS), see Windows NT 4.0 Help for information about how to configure RRAS to use the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.

  • If the RADIUS client is a third-party network access server, see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers).

Deploying IAS as a RADIUS Proxy

Deploying IAS as a RADIUS proxy on your network involves configuring the primary and secondary IAS proxies, configuring the Internet firewalls, and configuring for compatibility with third-party access servers. Figure 7.14 illustrates this process.

Figure 7.14: Deploying IAS as a RADIUS Proxy

Configure the Primary IAS Proxy

To configure the primary IAS proxy in the perimeter network, do the following:

  1. On a computer running Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition in the perimeter network, install IAS by using Add/Remove Windows Components. For more information, see "Install IAS" in Help and Support Center for Windows Server 2003. The computer on which IAS is installed does not need to be dedicated to forwarding RADIUS messages. You can install IAS on a computer running other services, such as a DHCP server, a file server, or a DNS server.

  2. If needed, configure additional UDP ports for RADIUS messages that are sent by the RADIUS proxies. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  3. Add the RADIUS proxies as RADIUS clients of the IAS server. Verify that you are configuring the correct name or IP address and shared secrets.

  4. Create a remote RADIUS server group that contains the IAS servers in your organization.

  5. Create a connection request policy that forwards RADIUS request messages based on the realm name of your organization. For more information about realm names, see "Realm names" in Help and Support Center for Windows Server 2003.

  6. Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group and where the realm name matches the realm name of the user accounts in your organization. Clear the check box that removes the realm name for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS Server Group Wizard to create a remote RADIUS server group with members that include the two IAS servers within your intranet.

  7. Delete the default connection request policy named Use Windows authentication for all users.

For more information about configuring IAS proxies in the perimeter network, see "Outsourced dial and a proxy in the perimeter network" in Help and Support Center for Windows Server 2003.
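Steps 5 to 7 describe a connection request policy that matches on the realm in User-Name, forwards the request to a remote RADIUS server group without stripping the realm, and discards anything that matches no policy once the default policy is deleted. The following added example (not code from the Deployment Kit, which configures this through the IAS snap-in) models that evaluation; the realm, policy name and server group name are constructed, and matching is done with a regular expression the way the IAS "matches" condition does.

```python
# Added example, not code from the Deployment Kit: a model of the realm-based
# connection request policy described in steps 5 to 7. Policy list, realm
# name and server group name are constructed.
import re
from typing import List, Optional, Tuple

Decision = Tuple[str, Optional[str], str]   # (action, server group, User-Name sent onward)


def strip_realm(user_name: str) -> str:
    """Remove the realm from user@realm, REALM\\user or realm/user forms."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    for sep in ("\\", "/"):
        if sep in user_name:
            return user_name.split(sep, 1)[1]
    return user_name


def route_request(user_name: str, policies: List[dict]) -> Decision:
    """Evaluate ordered connection request policies; the first match wins.

    Each policy is a dict with "name", "user_name_pattern" (a regex applied to
    User-Name), "action" ("forward" or "local"), "server_group" and
    "strip_realm". With the default policy deleted, a request that matches
    no policy is discarded rather than authenticated locally."""
    for pol in policies:
        if re.search(pol["user_name_pattern"], user_name, re.IGNORECASE):
            onward = strip_realm(user_name) if pol.get("strip_realm") else user_name
            return pol["action"], pol.get("server_group"), onward
    return "discard", None, user_name


# Constructed proxy configuration: forward example.com users to the intranet
# IAS servers, keeping the realm in User-Name (the "remove realm" box cleared).
PROXY_POLICIES = [
    {
        "name": "Forward example.com users",
        "user_name_pattern": r"@example\.com$",   # anchored: only the exact realm
        "action": "forward",
        "server_group": "Intranet IAS servers",
        "strip_realm": False,
    },
]


def demo() -> dict:
    names = ("alice@example.com", "Bob@EXAMPLE.COM", "alice@example.com.evil", "mallory@partner.test")
    return {name: route_request(name, PROXY_POLICIES) for name in names}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} -> {decision}")
```

The anchored pattern matters: an unanchored `@example\.com` would also forward `alice@example.com.evil` to the intranet servers, whereas the anchored one discards it. Keeping the realm in the forwarded User-Name (the cleared check box in step 6) lets the intranet IAS servers apply their own realm-based policies to the same name the proxy saw.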

Configure the Secondary IAS Proxy

To configure the secondary IAS proxy in the perimeter network, do the following:

  1. On another computer running Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition in the perimeter network, install IAS by using Add/Remove Windows Components. For more information, see "Install IAS" in Help and Support Center for Windows Server 2003.

  2. Using Netsh, copy the configuration of the primary IAS proxy to the secondary IAS proxy in the perimeter network.

For more information about copying IAS configuration, see "Copy the IAS configuration to another server" in Help and Support Center for Windows Server 2003.

Configure the Intranet and Internet Firewalls

To support RADIUS traffic, you must take two steps. First, configure the Internet firewall to allow RADIUS traffic between the IAS proxies on the perimeter network and the RADIUS clients on the Internet. Then configure the intranet firewall to allow RADIUS traffic between the IAS proxies on the perimeter network and the IAS servers on the intranet.

Filters on the Internet Interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port used by IAS for RADIUS authentication, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, as used in this example.

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port used by IAS for RADIUS accounting, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, as used in this example.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port used by IAS for RADIUS authentication, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, as used in this example.

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port used by IAS for RADIUS accounting, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, as used in this example.

Filters on the Perimeter Network Interface

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port used by IAS for RADIUS authentication, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, as used in this example.

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port used by IAS for RADIUS accounting, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, as used in this example.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port used by IAS for RADIUS authentication, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, as used in this example.

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port used by IAS for RADIUS accounting, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, as used in this example.

For added security, if you know the IP address of each RADIUS client sending the packets through the firewall, you can configure more specific filters for traffic between the IP address of the RADIUS client and the IP address of the IAS server on the perimeter network.

For more information about configuring packet filters, see "Manage Packet Filters" and "Apply packet filters for business partner extranet" in Help and Support Center for Windows Server 2003.
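To check that the eight filters above behave as intended on both firewall interfaces, and to show the tighter per-client variant from the preceding paragraph, here is an added example (not code from the Deployment Kit): a stateless packet-filter model built from exactly those rules, run against constructed packets. The IAS perimeter address and client addresses are constructed from documentation ranges; the ports are the 1812/1813 defaults named in the text.

```python
# Added example, not code from the Deployment Kit: a stateless packet-filter
# model of the firewall rules listed above (default deny, permit only RADIUS
# UDP to and from the IAS server's perimeter interface), with the optional
# per-client restriction. All addresses are constructed documentation ranges.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

RADIUS_AUTH_PORT = 1812   # 0x714
RADIUS_ACCT_PORT = 1813   # 0x715


@dataclass(frozen=True)
class Rule:
    iface: str                              # "internet" or "perimeter"
    direction: str                          # "in" or "out"
    src: Optional[IPv4Address] = None       # pinned source address, if any
    sport: Optional[int] = None
    dst: Optional[IPv4Address] = None       # pinned destination address, if any
    dport: Optional[int] = None
    peer_net: Optional[IPv4Network] = None  # optional restriction on the far end

    def matches(self, p: dict) -> bool:
        if (p["iface"], p["direction"], p["proto"]) != (self.iface, self.direction, "udp"):
            return False
        for field, want in (("src", self.src), ("sport", self.sport),
                            ("dst", self.dst), ("dport", self.dport)):
            if want is not None and p[field] != want:
                return False
        if self.peer_net is not None:
            # The far end is whichever address the rule does not pin to the IAS server.
            peer = p["src"] if self.dst is not None else p["dst"]
            if peer not in self.peer_net:
                return False
        return True


def build_rules(ias_ip: IPv4Address, client_net: Optional[IPv4Network] = None) -> List[Rule]:
    """The eight permit rules from the text: two ports x two interfaces x two directions."""
    rules = []
    for port in (RADIUS_AUTH_PORT, RADIUS_ACCT_PORT):
        rules += [
            Rule("internet", "in", dst=ias_ip, dport=port, peer_net=client_net),    # client -> IAS
            Rule("internet", "out", src=ias_ip, sport=port, peer_net=client_net),   # IAS -> client
            Rule("perimeter", "in", src=ias_ip, sport=port, peer_net=client_net),   # IAS -> client
            Rule("perimeter", "out", dst=ias_ip, dport=port, peer_net=client_net),  # client -> IAS
        ]
    return rules


def is_allowed(p: dict, rules: List[Rule]) -> bool:
    """Default deny: a packet passes only if some permit rule matches."""
    return any(r.matches(p) for r in rules)


def packet(iface, direction, src, sport, dst, dport, proto="udp") -> dict:
    return {"iface": iface, "direction": direction, "proto": proto,
            "src": ip_address(src), "sport": sport, "dst": ip_address(dst), "dport": dport}


# --- constructed addresses (RFC 5737 documentation ranges) ---
IAS_PERIMETER_IP = ip_address("192.0.2.10")
CLIENT = "198.51.100.5"
OTHER_HOST = "192.0.2.20"


if __name__ == "__main__":
    rules = build_rules(IAS_PERIMETER_IP)
    print(is_allowed(packet("internet", "in", CLIENT, 40000, "192.0.2.10", 1812), rules))   # True
    print(is_allowed(packet("internet", "in", CLIENT, 40000, OTHER_HOST, 1812), rules))     # False
    strict = build_rules(IAS_PERIMETER_IP, ip_network("198.51.100.0/24"))
    print(is_allowed(packet("internet", "in", "203.0.113.9", 40000, "192.0.2.10", 1812), strict))  # False
```

Note that the rule set admits only the ports listed in the text; if RADIUS clients also send to the legacy 1645/1646 ports mentioned earlier in the chapter, those need rules of their own, as the "substitute that port number" remark implies.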

Configure RADIUS Clients for Use with IAS Proxies

To configure each RADIUS client to use the primary and secondary IAS proxies, do the following:

  • If the RADIUS client is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, use the Routing and Remote Access snap-in to configure the RADIUS client to use the primary and secondary IAS servers.

  • If the RADIUS client is a computer running Windows NT 4.0 and the Routing and Remote Access Service (RRAS), see Windows NT 4.0 Help for information about how to configure RRAS to use the primary and secondary IAS proxies as RADIUS servers.

  • If the RADIUS client is a third-party network access server, see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers.

For more information about configuring RADIUS accounting and authentication, see "Use RADIUS accounting" and "Use RADIUS authentication" in Help and Support Center for Windows Server 2003.

Configuring IAS for Compatibility with Third-Party Access Servers

If you are using Windows Server 2003 IAS with a third-party access server, you might need to configure the IAS server to prevent it from sending the Class attribute. Specifically, if the IAS server sends the Class attribute, some network access servers require that certain vendor-specific attributes be included in it.

Alternatively, you can configure vendor-specific attributes and custom attributes to enable compatibility with a third-party access server.

For more information about how to configure the class attribute, see "Add RADIUS attributes to a remote access policy" in Help and Support Center for Windows Server 2003. For more information about configuring IAS for compatibility with a third-party access server, see "IAS as a RADIUS server design considerations" in Help and Support Center for Windows Server 2003.

Configure Vendor-Specific Attributes

IAS allows administrators to associate specific RADIUS attributes with each remote access policy. These attributes are described in RFC 2865. In addition to the standard RADIUS attributes, some access server manufacturers use vendor-specific attributes (VSAs) to provide functionality that is not supported in standard attributes.

If your access server manufacturer uses VSAs, you might need to associate those VSAs with remote access protocols so that your access server processes authentication requests properly. IAS enables you to create or edit VSAs to take advantage of proprietary functionality supported by some access server vendors.

To provide access server-specific support, you can add vendor-specific attributes to remote access policies. IAS includes VSAs from some vendors in its dictionary. You cannot add other VSAs to the dictionary.

To configure IAS to support vendor-specific attributes, complete the following steps:

  1. Determine which vendor-specific attributes the access server requires. The third-party access server manufacturer documentation provides information about the individual attributes that must be specified.

  2. Determine which attributes are standard RADIUS attributes and which require the addition of vendor-specific RADIUS attributes (attribute type 26). For more information, see "Interpreting IAS-formatted log files" in Help and Support Center for Windows Server 2003.

  3. Specify the attribute values for the VSAs in the IAS remote access policy. When you add VSAs to the remote access policy profile to support proprietary functionality for your access point, you must determine whether the VSA conforms to the format recommended in RFC 2865. If it does, you must specify a network access vendor by either name or vendor code, a vendor-assigned attribute number, the attribute format (that is, the type of data, such as string or hexadecimal), and the attribute value. If it does not, you must specify a network access vendor by either name or vendor code and a hexadecimal attribute value that represents the attribute data. For more information, see "Vendor-specific attribute overview" in Help and Support Center for Windows Server 2003.
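Step 3 distinguishes two shapes of the Vendor-Specific attribute (attribute type 26). The following added example (not code from the Deployment Kit, which configures these values through the remote access policy profile) encodes and decodes both: the RFC 2865 recommended layout, where you give a vendor code, a vendor-assigned attribute number, a format and a value, and the non-conforming layout, where you give only the vendor code and a hexadecimal blob. Vendor-Id 311 is Microsoft's IANA enterprise number; the vendor attribute number 99 and the values are constructed.

```python
# Added example, not code from the Deployment Kit: encoding and decoding the
# RADIUS Vendor-Specific attribute (type 26) in the RFC 2865 section 5.26
# recommended layout and in the non-conforming raw-hex layout. Vendor-Id 311
# is Microsoft's IANA enterprise number; vendor type 99 and values are constructed.
import struct

ATTR_VENDOR_SPECIFIC = 26
MAX_ATTR_LEN = 255          # Length is one octet and includes the 2-byte header
MICROSOFT_VENDOR_ID = 311   # IANA enterprise number for Microsoft


def _wrap(vendor_id: int, payload: bytes) -> bytes:
    """Type 26 | Length | Vendor-Id (4 octets) | payload."""
    body = struct.pack("!I", vendor_id) + payload
    if len(body) + 2 > MAX_ATTR_LEN:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def encode_vsa_rfc2865(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Recommended format: payload is one sub-attribute (vendor type, vendor length, value)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _wrap(vendor_id, sub)


def encode_vsa_raw(vendor_id: int, hex_data: str) -> bytes:
    """Non-conforming format: payload is the raw bytes the vendor documents, given as hex."""
    return _wrap(vendor_id, bytes.fromhex(hex_data))


def decode_vsa(attr: bytes) -> dict:
    """Parse a VSA.

    Returns {"vendor_id", "subattrs": [(vendor_type, value), ...]} when the
    payload is a clean chain of RFC 2865 sub-attributes, otherwise
    {"vendor_id", "raw"} with the payload as hex."""
    if len(attr) < 7 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    payload = attr[6:]
    subattrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            return {"vendor_id": vendor_id, "raw": payload.hex()}
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            return {"vendor_id": vendor_id, "raw": payload.hex()}
        subattrs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": vendor_id, "subattrs": subattrs}


if __name__ == "__main__":
    conforming = encode_vsa_rfc2865(MICROSOFT_VENDOR_ID, 99, b"vlan-10")
    print(conforming.hex(), decode_vsa(conforming))
    opaque = encode_vsa_raw(MICROSOFT_VENDOR_ID, "0a0bff")
    print(opaque.hex(), decode_vsa(opaque))
```

The conforming form is what the "vendor-assigned attribute number, attribute format and value" fields in the policy profile produce; the raw form is the "hexadecimal attribute value" fallback for vendors whose attributes do not follow the RFC layout, and a receiver can only pass such data through opaquely.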

Configure Custom Attributes

The IAS Software Development Kit (SDK), part of the Windows Server 2003 SDK, allows you to configure your IAS server to send custom attributes to the access server in addition to standard attributes. This enables you to build your own extension to the IAS snap-in.

For more information about configuring custom attributes, see the Software Development Kit (SDK) information in the MSDN Library link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
