Installing and Configuring IAS

To use IAS for dial-up or VPN connections, you must perform several tasks, including installing IAS, configuring clients and servers, and setting remote access policy. This section describes each of these tasks in turn.

Installing IAS

The first step is to install IAS on the primary and backup remote servers. You might need the Windows 2000 Server or Advanced Server CD-ROM. To install IAS, follow these steps:

  1. On the remote server, open Control Panel.
  2. Open Add/Remove Programs and click Add/Remove Windows Components.
  3. In the Windows Components Wizard, select Networking Services and click Details.
  4. Select Internet Authentication Service. Click OK to close the Details dialog box.
  5. Click Next, and IAS is installed. You might be asked for the Windows 2000 CD-ROM during the installation.

Configuring IAS

The default IAS configuration is correct in most cases. If your remote access scenario is very complex, you might need to change the configuration. To check the configuration, follow these steps:

  1. Launch Internet Authentication Service from the Administrative Tools folder.
  2. In the console tree, right-click Internet Authentication Service and choose Properties from the shortcut menu.
  3. In the Service tab, you can change the description or the event logging options.
  4. Click the RADIUS tab to view the default UDP ports. If your RADIUS authentication and accounting ports differ, make the changes here.
  5. Click the Realms tab to change the realm information. Click OK when you're finished.

More Info

A realm is a security authentication device used by Kerberos version 5. The uses of realms are spelled out in RFC 1510, "The Kerberos Network Authentication Service (V5)."

Configuring Clients for IAS

The next step is to add the network access servers (NASs) and, if you're using a VPN, the PPTP servers as clients on the primary IAS server. To add clients, follow these steps:

  1. Launch Internet Authentication Service from the Administrative Tools folder.
  2. In the console tree, right-click Clients and choose New Client from the shortcut menu.
  3. Supply a friendly name for the client, and click Next.
  4. Supply the client address and a shared secret.
  5. Click Finish when you're done.

A shared secret is a password used between an IAS server and other servers connected to it. The shared secret must be the same on both machines and must follow general password rules—it's case sensitive, can use alphanumeric and special characters, and can be up to 255 characters long. Because shared secrets are embedded in the software and you don't have to type them in all the time as you do passwords, you can easily make them quite long. Longer shared secrets are more secure than short ones.

Real World

How RADIUS Works

RADIUS authenticates users through a series of communications between the client and the server. Once a user is authenticated, the client provides that user with access to the appropriate network services.

Using a modem, the user dials in to a modem connected to an IAS server. Once the modem connection is completed, the server prompts the user for a name and password. The server creates a data packet—the authentication request—from this information. The packet includes information identifying the specific server sending the authentication request, the port that is being used for the modem connection, and the user name and password.

The authentication request is sent over the network from the RADIUS client to the RADIUS server. If the RADIUS server cannot be reached, the RADIUS client can route the request to an alternate server. When an authentication request is received, the authentication server validates the request and then decrypts the data packet to access the user name and password information. This information is passed to the appropriate security system (Kerberos version 5 in Windows 2000).

If the user name and password are correct, the server sends an authentication acknowledgment that includes information regarding the user's network system and service requirements. If at any point in this logon process conditions are not met, the RADIUS server sends an Authentication Reject to the server and the user is denied access to the network.
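The exchange described above, together with the role the shared secret from the previous section plays in it, as an added worked example in Python. This is not code from the book or from IAS itself: it builds an RFC 2865 Access-Request on the NAS side (carrying the sending server's address, the modem port, the user name and the password hidden with the shared secret), lets a minimal "server" recover and check the password, and has the NAS verify the Response Authenticator on the Access-Accept or Access-Reject. The shared secret, the user table, the NAS address 10.0.0.5 and port 3 are all constructed for the demo, and the dictionary lookup stands in for the Kerberos check the book mentions.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865; IAS listens on UDP 1812 (auth) and 1813 (acct).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18

# Constructed sample data for this demo only: a long shared secret and a tiny user database.
SHARED_SECRET = b"Kq9!vT2#pL8@xW4$mN6^bZ1&cH3*rJ5(eG7)uY0-fD"
USER_DB = {"alice": "correct horse battery", "bob": "hunter2"}

def encode_attrs(attrs):
    """(type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by
    the Request Authenticator. The keystream depends only on the shared secret."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; garbage comes out if the server's secret differs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad packet length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_access_request(secret, ident, username, password, nas_ip, nas_port):
    """NAS side: identify the sending server and port, carry the hidden password."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(raw, secret, user_db):
    """IAS side: recover the password with the shared secret, check it, sign the reply."""
    code, ident, request_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        raise ValueError("not a usable Access-Request")
    username = a[USER_NAME].decode(errors="replace")
    password = reveal_password(a[USER_PASSWORD], secret, request_auth)
    ok = username in user_db and hmac.compare_digest(password.encode(), user_db[username].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"Welcome" if ok else b"Access denied")]
    auth = response_authenticator(reply_code, ident, request_auth, encode_attrs(reply_attrs), secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_verify(raw, secret, request_auth, expected_ident):
    """NAS side: trust a reply only if its Response Authenticator checks out under our secret."""
    code, ident, resp_auth, _ = parse_packet(raw)
    expected = response_authenticator(code, ident, request_auth, raw[20:], secret)
    if ident != expected_ident or not hmac.compare_digest(resp_auth, expected):
        return None  # forged or replayed reply, or a mismatched shared secret
    return code

def run_exchange(username, password, client_secret, server_secret=None, ident=7):
    """Whole round trip in one process; returns the code the NAS accepts, or None."""
    server_secret = client_secret if server_secret is None else server_secret
    req, request_auth = build_access_request(client_secret, ident, username, password, "10.0.0.5", 3)
    reply = server_handle(req, server_secret, USER_DB)
    return client_verify(reply, client_secret, request_auth, ident)
```

Calling `run_exchange("alice", "correct horse battery", SHARED_SECRET)` returns 2 (Access-Accept), a wrong password returns 3 (Access-Reject), and giving the server a different secret returns `None`, because the reply's Response Authenticator no longer verifies on the NAS. Both the password hiding and the reply signature are keyed only by the shared secret, which is why the earlier advice to use a long, random secret matters: an attacker who captures the UDP traffic can test candidate secrets offline against the Request and Response Authenticators, so the secret's length is the whole margin.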


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320