A remote access policy consists of three elements that make up a rule for analyzing remote connections. These elements are the conditions, the profile, and the remote access permission for the policy. The remote access permission was discussed earlier, in the section "Understanding the Default Policy." Recall that the remote access permission for the policy applies only when an administration-by-policy model is being employed.
When granting or denying access by group membership in the previous sections, you added the Windows-Groups attribute as a condition that users making connection attempts had to match (Figure 31-13). Table 31-1 describes this and other attributes that can be included in a remote access policy.
Figure 31-13. The remote access attributes that can be added to policies.
Table 31-1. Attributes for remote access policies
Attribute Name | Description |
---|---|
Called-Station-Id | Phone number of the remote access server. To receive this information, the phone line, hardware, and hardware drivers must support the passing of the information. Otherwise, the called station ID is set manually for each port. |
Calling-Station-Id | Phone number used by the caller. If you configure a caller ID number for a user, the phone system, remote server, and all connecting hardware must support the passing of caller ID information. If any link in the connection does not support caller ID, the connection attempt is denied. |
Client-Friendly-Name | (IAS server only) Name of the RADIUS client computer that is seeking authentication. |
Client-IP-Address | (IAS server only) IP address of the RADIUS client. |
Client-Vendor | (IAS server only) Vendor of the network access server that is a RADIUS client. Used to configure different policies for different manufacturers. |
Day-And-Time-Restriction | Days and times for connection attempts. |
Framed-Protocol | Protocol such as PPP, SLIP, Frame Relay, or X.25 to be used for framing incoming packets. |
NAS-Identifier | (IAS server only) String to identify the originating network access server (NAS). |
NAS-IP-Address | (IAS server only) IP address of the originating NAS. |
NAS-Port-Type | Medium used by the originating caller. Examples are analog telephone and ISDN lines. |
Service-Type | Type of service the caller requests. Examples are framed (PPP) and login (Telnet). |
Tunnel-Type | Tunneling protocols to be used. Examples are PPTP and L2TP. |
Windows-Groups | Groups that the caller is a member of. |
The profile in a remote access policy is the set of connection settings that is applied once a connection attempt has been authorized. The profile applies whether the connection was authorized by the remote access permission on the user account or by the permission in the policy. To see the profile that applies to a policy, open the policy's Properties window and click the Edit Profile button. The Edit Profile window has six tabs that can be configured (Figure 31-14). Each tab is discussed in the sections that follow.
Figure 31-14. Settings in the remote access policy profile.
On the Dial-In Constraints tab, you can set the following limitations on the dial-in connection:
The IP tab defines the IP address policies for the profile:
On the Multilink tab, you can choose settings to enable Multilink and the Bandwidth Allocation Protocol (BAP). The server must have Multilink and BAP enabled for these settings to be enforced in the profile. Enabling Multilink allows clients to combine multiple physical connections into a single logical connection. If you enable Multilink, you should also enable BAP so that links can be dynamically added or dropped as needed. (Multilink has no mechanism for adapting to changing bandwidth needs.)
On the Authentication tab, you set the authentication methods that are allowed for the connection. The same authentication methods must be enabled on the remote access server for the properties of the profile to be enforced. For more on authentication methods, see the section "Configuring Authentication for a Remote Access Server" in Chapter 18.
The Encryption tab lets you set the encryption properties for this profile. The settings are as follows:
On the Advanced tab, you can set RADIUS attributes that are sent to the RADIUS client by the IAS server. These attributes are specific to RADIUS authentication and are ignored by the remote access server.
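The following Python is an added worked example, not code from the book or from Windows/IAS: it models how the three elements above fit together, with policy conditions checked against the attributes of a connection attempt in order, the first matching policy supplying the permission (unless the user account's own permission overrides it) and its profile applied only on a grant. The `Policy` class, the attempt dictionary and the sample policies are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed model of remote access policy evaluation (added example, not the
# book's text or any Microsoft code). A policy has conditions, a permission
# and a profile; the first policy whose conditions all match decides.

@dataclass
class Policy:
    name: str
    conditions: dict                      # attribute -> allowed value(s)
    permission: str                       # "grant" or "deny"
    profile: dict = field(default_factory=dict)

def condition_matches(attr, allowed, attempt):
    """Compare one policy condition against the attributes of an attempt."""
    if attr == "Windows-Groups":          # caller must be in at least one group
        return bool(set(allowed) & set(attempt.get(attr, [])))
    if attr == "Day-And-Time-Restriction":  # entries are (weekday, start_hour, end_hour)
        when = attempt["time"]
        return any(d == when.weekday() and s <= when.hour < e for d, s, e in allowed)
    # Exact-match attributes (Calling-Station-Id, NAS-Port-Type, ...). An attribute
    # the link did not pass (for example no caller ID) simply fails to match.
    return attempt.get(attr) in allowed

def evaluate(attempt, policies, account_permission="control-by-policy"):
    """Return (decision, matched policy name, profile) for a connection attempt."""
    for policy in policies:
        if all(condition_matches(a, v, attempt) for a, v in policy.conditions.items()):
            if account_permission == "control-by-policy":
                decision = policy.permission      # administration-by-policy model
            else:
                decision = account_permission     # account setting overrides policy
            return decision, policy.name, (policy.profile if decision == "grant" else {})
    return "deny", None, {}                       # no policy matched: reject

# Constructed sample policies, evaluated top to bottom.
POLICIES = [
    Policy("Helpdesk ISDN", {"Windows-Groups": ["Helpdesk"], "NAS-Port-Type": ["ISDN"]},
           "grant", {"Idle-Timeout": 10, "Require-Encryption": True}),
    Policy("Staff business hours", {"Windows-Groups": ["Staff"],
           "Day-And-Time-Restriction": [(d, 8, 18) for d in range(5)]},
           "grant", {"Idle-Timeout": 30}),
    Policy("Deny everyone else", {}, "deny"),
]

if __name__ == "__main__":
    attempt = {"Windows-Groups": ["Staff"], "NAS-Port-Type": "Async",
               "time": datetime(2024, 6, 3, 9, 0)}     # constructed: a Monday morning
    print(evaluate(attempt, POLICIES))
```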