Deploying IAS
Servers running the Internet Authentication Service (IAS) component of the Microsoft® Windows® Server 2003
operating system perform centralized authentication, authorization, auditing, and accounting for many types of
network access, including dial-up, virtual private network (VPN), wireless, and 802.1X authenticating switch
access. IAS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS)
protocol. A number of design, implementation, and deployment issues must be considered when rolling out a
scalable and robust IAS solution.
Information about deploying remote access clients can be found in other chapters in this book.
In This Chapter
Overview of IAS Deployment .......... 62
Designing IAS .......... 70
Designing an Optimized IAS Solution .......... 85
Creating a Remote Access Policy Strategy .......... 93
Securing Your Remote Access Strategy .......... 101
Implementing Your IAS Solution .......... 110
Additional Resources .......... 121
Related Information
• For information about Windows Server 2003 Internet Authentication Service (IAS), see the
Networking Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the
Networking Guide on the Web at http://www.microsoft.com/reskit).
• For information about Windows Server 2003 Routing and Remote Access, see the
Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking
Guide on the Web at http://www.microsoft.com/reskit).
• For information about Windows Server 2003 Routing and Remote Access deployment, see
“Deploying Dial-Up and VPN Remote Access Servers,” “Deploying Remote Access Clients
Using Connection Manager,” and “Connecting Remote Sites” in this book.
62 Chapter 7 Deploying IAS
IAS Concepts
IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User
Service (RADIUS) protocol, specified in RFCs 2865, 2866, and 2869, which enables the use of a homogeneous
or heterogeneous network of dial-up, VPN, wireless, or authenticating switch equipment. When a remote client
tries to connect to an access server configured to use the RADIUS protocol, the access server sends the
connection request to the IAS server by using the RADIUS protocol. When an IAS server is a member of an
Active Directory® domain, IAS uses the directory service as its user account database and is part of a single
sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing
access to a network) and to log on to an Active Directory domain.
In addition, the IAS server can accept or reject the request based on conditions that you specify in the remote
access policies. Remote access policies are an ordered set of rules that define how connections are either
authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote
access permission setting. Access to the network resources can be controlled by applying policies to users or
groups of users. For more information about using remote access policies to grant access, see “Remote access
policies” in Help and Support Center for Windows Server 2003.
When using IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition,
you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you
can configure RADIUS clients by specifying an IP address range. However, when using Windows Server 2003,
Standard Edition, you can configure IAS with a maximum of 50 RADIUS clients and a maximum of two remote
RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address,
but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified
domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address
returned in the DNS query.
RADIUS is a client/server protocol that requires a RADIUS client and a RADIUS server to provide network
access. An access server or a RADIUS proxy is a RADIUS client, and the computer making the determination of
authentication and authorization is a RADIUS server.
Additional Resources 65
Figure 7.2 shows a typical IAS architecture. An access client contacts an IAS RADIUS proxy located at an ISP
by using a local telephone connection. The IAS proxy examines the user name, which contains two elements –
the identification of the user account name and the identification of the user account location (also known as a
realm). Based on the realm portion of the user name in the connection request, the IAS RADIUS proxy forwards
the connection request to a RADIUS server on a private network, which authenticates and authorizes the
connection attempt with the Active Directory user accounts database and user account properties.
Figure 7.2 IAS Architecture
For more information about Internet Authentication Service (IAS), see the Networking Guide of the Windows
Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit) and
“Internet Authentication Service” in Help and Support Center for Windows Server 2003.
For more information about realm names, see “Realm names” in Help and Support Center for Windows
Server 2003.
A general understanding of the following topics is also essential to proper IAS deployment:
• Remote access.
• The Windows Server 2003 implementation of remote access.
• Any network access mechanism your users require, such as dial-up, VPN, wireless, or
authenticating switch access.
• Network security.
• Active Directory.
• Authentication.
• Accounting.
For more information about any of these topics, see the Windows Server 2003 Resource Kit and Help and
Support Center for Windows Server 2003.
• Support for IAS Network Access Quarantine Control. IAS Network Access Quarantine
Control provides phased network access, which restricts the access of remote clients to
quarantine mode until each client is either verified as meeting or configured according to
organization network access policy. After the client computer configuration is verified as
meeting organization network policy, the quarantine restrictions, which consist of Quarantine
IP-Filters and Session Timers, are removed and standard remote access policy is applied to the
connection. For more information, see “IAS Network Access Quarantine Control” in Help and
Support Center for Windows Server 2003.
• Support for logging to MSDE 2000 and SQL Server 2000 databases. You can use an XML-
compliant database, such as Microsoft® SQL Server™ 2000 and SQL Server Desktop Engine
(MSDE 2000), to log user authentication requests, periodic data, and accounting requests
received from one or more access servers. For more information, see “SQL Server database
logging” in Help and Support Center for Windows Server 2003.
• Support for ignoring the dial-in properties of user accounts. You can configure a RADIUS
attribute on the profile properties of a remote access policy to ignore the dial-in properties of
user accounts. To support multiple types of connections for which IAS provides authentication
and authorization, it might be necessary to disable the processing of user account dial-in
properties. This can be done to support scenarios in which specific dial-in properties are not
required. For more information, see “New features for IAS” in Help and Support Center for
Windows Server 2003.
• Support for configuring RADIUS clients by IP address range. For IAS in Windows 2000,
you must specify a RADIUS client by IP address or by Domain Name System (DNS) name. In
addition, you must configure each RADIUS client separately, even if you have a number of
RADIUS clients on the same subnet. While this is not an issue for typical dial-in or VPN access
server configurations, numerous wireless access points can be placed on the same subnet,
creating a circumstance where use of an IP address range simplifies configuration and
administration. In Windows Server 2003, Enterprise Edition, and Windows Server 2003,
Datacenter Edition, IAS allows you to specify a RADIUS client by using an IP address range.
All of the RADIUS clients in the range must use the same configuration and shared secret. For
more information, see “Configure RADIUS clients” in Help and Support Center for Windows
Server 2003.
• Support for computer authentication. In Windows Server 2003, Standard Edition; Windows
Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, Active
Directory and IAS support the authentication of computer accounts by using standard user
authentication methods such as Point-to-Point Protocol (PPP). This allows a computer and its
computer certificate to be authenticated for wireless or authenticating switch access clients.
• Support for checking user certificate purposes. To enforce the use of specific types of user
certificates for specific connection types, you can configure IAS to check the purposes (also
known as object identifiers or OIDs) of certificates in their Enhanced Key Usage (EKU)
extensions. You can configure a list of object identifiers that are required to be present in the
user certificate; a certificate that lacks any of them is rejected. For more information, see
“Network access authentication and certificates” and “Add RADIUS attributes to a remote
access policy” in Help and Support Center for Windows Server 2003.
• Improved attribute manipulation. In Windows 2000, you can use IAS to manipulate the
contents of the User-Name RADIUS attribute. Using connection request policies in IAS for
Windows Server 2003, you can manipulate the User-Name, Called-Station-ID, and Calling-
Station-ID RADIUS attributes. For more information, see “Connection request policies” in
Help and Support Center for Windows Server 2003.
• Support for the Authentication Type remote access policy condition. You can create remote
access policies by using the Authentication Type condition in IAS for Windows Server 2003.
You can use the Authentication Type condition to specify connection constraints that are based
on the authentication protocol or method that is used by the access client. For more information,
see “Elements of a remote access policy” in Help and Support Center for Windows
Server 2003.
• Improved support for the Class attribute. In Windows 2000, IAS automatically generates a
value for the Class attribute and appends it to the existing value of the Class attribute received
in the RADIUS request message. The result is the Class attribute in the RADIUS response
message. In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; and Windows Server 2003, Datacenter Edition, you can disable the automatic
generation of a value for the Class attribute by using the Generate-Class-Attribute setting on
the Advanced tab in the properties of a remote access policy profile. Automatic generation of a
value for the Class attribute is enabled by default. Instead of appending the generated value of
the Class attribute to the existing Class attribute, IAS creates a separate Class attribute. The
RADIUS response message contains both the original Class attribute and the second Class
attribute that is generated by IAS. For more information, see “Add RADIUS attributes to a
remote access policy” in Help and Support Center for Windows Server 2003.
Designing IAS
After taking an inventory of your network environment, the first step in designing an IAS solution is to
determine the role of the IAS server. For example, determine whether you need the IAS server to authenticate
the connection request that it receives, forward the request to another IAS server for authentication, or perform a
mixture of both functions depending on context. Finally, an important step in the design process is to configure
IAS to work with different types of clients.
Figure 7.3 shows the process for designing IAS.
Figure 7.3 Designing IAS
RADIUS server
If you want your IAS server to authenticate the connection requests that it receives, rather than forwarding
connection requests to another IAS server, use the IAS server as a RADIUS server. For example, if your access
servers connect directly to your network, then the IAS server is configured as a RADIUS server to authenticate
the connection.
Figure 7.4 shows an IAS server configured as a RADIUS server. An access client connects to an access server.
The access server sends a connection request to an IAS RADIUS server located on the corporate network,
which authenticates and authorizes the connection attempt.
Figure 7.4 IAS Configured as a RADIUS Server
RADIUS proxy
If you want an IAS server to forward connection requests to another IAS server, use IAS as a RADIUS proxy.
Use the RADIUS proxy capabilities in the following situations.
Using IAS proxy at a third-party ISP
You are an ISP providing outsourced network connection services to multiple customers. Your network access
servers send connection requests to the IAS RADIUS proxy. Based on the realm portion of the user name in the
connection request, the IAS RADIUS proxy forwards the connection request to a RADIUS server maintained by
the customer that can authenticate and authorize the connection attempt.
Figure 7.5 shows an IAS server configured as a RADIUS proxy. An access client contacts an access server at an
ISP. The ISP access server sends a connection request to an IAS RADIUS proxy. Based on the realm portion of
the user name in the connection request, the IAS RADIUS proxy forwards the connection request to a RADIUS
server located on the corporate network, which authenticates and authorizes the connection attempt.
Figure 7.5 IAS Configured as a RADIUS Proxy at a Third-Party ISP
Figure 7.6 shows an IAS server configured as a RADIUS proxy forwarding RADIUS messages to RADIUS
servers in multiple forests. The IAS RADIUS proxy uses the domain name portion of the user name and
forwards the request to an IAS server in each forest.
Figure 7.6 IAS as a RADIUS Proxy with Multiple Forests
Figure 7.7 shows an access server forwarding a request to a RADIUS proxy to load balance to multiple
RADIUS servers. The remote client connects to a RADIUS client, such as an access server. The access server
sends the authentication request to the RADIUS proxy, which load balances the request across different IAS
servers.
Figure 7.7 Load Balancing
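The realm-based forwarding that Figures 7.2, 7.5 and 7.6 describe, the proxy load balancing of Figure 7.7, and the User-Name manipulation mentioned under “Improved attribute manipulation”, as an added Python example. It is not code from this chapter or from IAS; the connection request policies, remote RADIUS server group members, host names, realm names and weights are assumed for illustration. It goes slightly beyond the text in two ways: it handles the prefix realm form (DOMAIN\user) as well as the suffix form (user@realm), and it shows failover to a lower-priority group member when every primary is unavailable.

```python
# Added example: realm-based forwarding and load balancing in an IAS RADIUS proxy.
# Policies, server groups, host names and weights are assumed, not from the chapter.
import re


class RemoteServerGroup:
    """Members are (host, priority, weight); the lowest priority number is preferred, and
    weight balances load among the members that share the lowest available priority."""

    def __init__(self, members):
        self.members = members

    def pick(self, rnd=0.0, unavailable=()):
        live = [m for m in self.members if m[0] not in unavailable]
        if not live:
            return None
        best = min(priority for _, priority, _ in live)
        pool = [(host, weight) for host, priority, weight in live if priority == best]
        cursor = rnd * sum(weight for _, weight in pool)  # rnd is a number in [0, 1)
        for host, weight in pool:
            cursor -= weight
            if cursor < 0:
                return host
        return pool[-1][0]


GROUPS = {
    "corp-servers": RemoteServerGroup([
        ("ias1.corp.example", 1, 50),   # two equal-weight primaries share the load
        ("ias2.corp.example", 1, 50),
        ("ias3.corp.example", 2, 100),  # used only when both primaries are unavailable
    ]),
    "partner-forest": RemoteServerGroup([("ias.partner.example", 1, 100)]),
}

# Connection request policies, evaluated in order; the first whose User-Name pattern
# matches decides. The last one mirrors the IAS default of authenticating locally.
# Fields: (User-Name pattern, action, server group, strip realm before forwarding).
CONNECTION_REQUEST_POLICIES = [
    (r"@corp\.example$", "forward", "corp-servers", True),
    (r"^partner\\", "forward", "partner-forest", False),  # the partner forest wants DOMAIN\user intact
    (r".*", "authenticate", None, False),
]


def split_realm(user_name):
    """Return (realm, user) for 'user@realm' or 'realm\\user', and (None, user) without a realm."""
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return realm.lower(), user
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return realm.lower(), user
    return None, user_name


def route(user_name, rnd=0.0, unavailable=()):
    """Decide what the proxy does with a connection request carrying user_name."""
    for pattern, action, group_name, strip_realm in CONNECTION_REQUEST_POLICIES:
        if not re.search(pattern, user_name, re.IGNORECASE):
            continue
        if action == "authenticate":
            return {"action": "authenticate", "user_name": user_name}
        realm, user = split_realm(user_name)
        server = GROUPS[group_name].pick(rnd, unavailable)
        if server is None:
            return {"action": "reject", "reason": "no server in group %s is available" % group_name}
        return {"action": "forward", "realm": realm, "server": server,
                "user_name": user if strip_realm else user_name}
    return {"action": "reject", "reason": "no connection request policy matched"}
```

Stripping the realm before forwarding matters when the receiving server authenticates against an Active Directory domain that does not recognise the suffix; leaving it intact, as the partner-forest policy does, is right when the remote server needs it to locate the account.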
If you are using Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, you
can specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the
same configuration and shared secret. This configuration is useful, for example, if you place many wireless
access points on the same subnet.
The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, where w.x.y.z
is the dotted decimal notation of the address prefix and p is the prefix length (the number of high order bits that
define the network prefix). This is also known as Classless Inter-Domain Routing (CIDR) notation. An example
is 192.168.21.0/24. For more information, see “Configure RADIUS clients” in Help and Support Center for
Windows Server 2003.
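The RADIUS client rules described in this chapter (a client defined by a single IP address, by an FQDN of which only the first resolved address is used, or by an address range whose members all share one shared secret) together with the shared-secret authenticator checks from RFC 2866 (Accounting-Request) and RFC 2869 (Message-Authenticator), as an added Python example. This is not code from the chapter or from IAS; the client entries, host names, addresses, secrets and the DNS stand-in are constructed so that the example runs offline.

```python
# Added example: RADIUS client lookup by address, FQDN or CIDR range, and the
# shared-secret authenticator checks from RFC 2866 (Accounting-Request) and
# RFC 2869 (Message-Authenticator). Hosts, addresses and secrets are constructed.
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80

# Constructed client list. The first two entries are the forms every edition accepts;
# the /24 entry is the Enterprise/Datacenter address-range form, and every access
# point in that range must present the same shared secret.
RADIUS_CLIENTS = [
    ("vpn1.corp.example", b"vpn-secret-1"),
    ("10.0.5.20", b"dialup-secret"),
    ("192.168.21.0/24", b"wlan-ap-secret"),
]

# Constructed stand-in for DNS so the example runs offline. A name that resolves
# to several addresses models the rule that IAS uses only the first one returned.
FAKE_DNS = {"vpn1.corp.example": ["10.0.1.10", "10.0.1.11"]}


def find_client(source_ip):
    """Return the shared secret configured for the NAS at source_ip, or None."""
    src = ipaddress.ip_address(source_ip)
    for entry, secret in RADIUS_CLIENTS:
        if "/" in entry:  # address range in w.x.y.z/p notation
            if src in ipaddress.ip_network(entry, strict=False):
                return secret
            continue
        try:
            host = ipaddress.ip_address(entry)
        except ValueError:  # FQDN: only the first resolved address counts
            host = ipaddress.ip_address(FAKE_DNS[entry][0])
        if src == host:
            return secret
    return None


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_accounting_request(ident, secret, attrs):
    """Accounting-Request authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_access_request(ident, request_authenticator, secret, attrs):
    """Access-Request with Message-Authenticator (required when EAP-Message is present):
    HMAC-MD5 keyed with the secret over the packet with the attribute value zeroed."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    zeroed = header + request_authenticator + body
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()


def find_attr(packet, attr_type):
    """Offset of the first attribute of attr_type, or None; stops on a malformed length."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return None
        if t == attr_type:
            return off
        off += length
    return None


def verify_message_authenticator(packet, secret):
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None or packet[off + 1] != 18:
        return False
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off + 2:off + 18])


def check_inbound(source_ip, packet):
    """Two gates in order: is the sender a configured RADIUS client, and does the packet
    verify under that client's secret. Unknown clients are discarded without a reply."""
    secret = find_client(source_ip)
    if secret is None:
        return "discard: unknown RADIUS client"
    code = packet[0]
    if code == ACCOUNTING_REQUEST:
        ok = verify_accounting_request(packet, secret)
    elif code == ACCESS_REQUEST:
        ok = verify_message_authenticator(packet, secret)
    else:
        return "discard: unexpected code %d" % code
    return "accept" if ok else "discard: bad authenticator"
```

Two practical consequences follow from the code. Because a whole address range shares one secret, a compromised access point in that range can forge accounting records for, or replay requests on behalf of, every other access point in the range, so keep ranges as small as the wireless deployment allows. And an Access-Request that carries no Message-Authenticator (a plain password method without EAP) is accepted here only by the client check, because RFC 2865 gives such a request no per-packet integrity protection; `check_inbound` therefore discards it.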
Plan Authentication
When designing network authentication solutions, protecting the authentication channel can prevent potential
security attacks.
Most password-based authentication methods, such as CHAP and MS-CHAP, do not provide privacy-protected
channels to guard against offline dictionary attacks by an attacker who intercepts authentication traffic on the
network. Because of this, ensure that password-based authentication methods are always deployed with
protection from IPSec or PEAP.
EAP-TLS
Certificate-based authentication methods are much more secure than password-based authentication methods.
Use certificate-based authentication methods, such as EAP-TLS and PEAP-EAP-TLS, in all possible circumstances
because they protect the authentication channel and provide strong security. EAP-TLS is designed, in part, to
protect against spoofing and other attacks and can be deployed without protection from IPSec or PEAP. EAP-TLS
requires a public key infrastructure (PKI) and is an authentication method that can be used with all connection
types supported by IAS (wireless, authenticating switch, VPN, and dial-up).
By using Group Policy in Windows Server 2003, you can easily distribute certificates to clients and servers with
auto-enrollment. For the maximum strength user credentials, deploy EAP-TLS with smart cards. Smart cards
provide maximum strength with two-factor authentication. Certificates installed in the computer certificate store
(without smart cards) offer single-factor authentication.
PEAP
PEAP uses Transport Layer Security (TLS) to privacy-protect authentication communications, and to
key the encryption of link layer network connections. You can deploy PEAP with either EAP-MS-CHAPv2 or
EAP-TLS as the authentication type. PEAP-EAP-MS-CHAPv2 is a secure password authentication method
recommended for wireless deployments. However, PEAP is not available for VPN or dial-up connections.
PEAP provides protection for the EAP method negotiation that occurs between client and server through a TLS
channel. This helps prevent an attacker from injecting packets between the client and the access server to cause
the negotiation of a less secure EAP method.
Clients using PEAP as the authentication method have the ability to authenticate the IAS or RADIUS server.
Because the server also authenticates the client, mutual authentication occurs.
PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the
response by the IAS or RADIUS server, allows wireless clients to move between wireless access points without
repeated requests for authentication. This reduces resource requirements for both client and server, and allows
users to move between access points without reentering credentials.
If you deploy PEAP, do not deploy the same authentication type both inside of the PEAP Transport Layer
Security (TLS) channel and outside of the PEAP TLS channel. For example, do not deploy both PEAP-EAP-
TLS and EAP-TLS on the same network. You can deploy different authentication types inside and outside the
TLS channel. For example, you can deploy PEAP-EAP-MS-CHAPv2 and EAP-TLS on the same network.
Authentication and PPP and PPTP Connections
For dial-up Point-to-Point Protocol (PPP) or Point-to-Point Tunneling Protocol (PPTP) VPN connections, it is
recommended that you use EAP-TLS with smart cards or certificates as the authentication method.
For L2TP/IPSec VPN connections, you can use MS-CHAPv2 as the authentication method. Internet Protocol
security (IPSec) uses computer certificates to establish a secure channel before authentication proceeds,
providing the necessary protection for authentication and other communication.
When planning authentication:
• For wireless connections, you can configure all the connection properties on the
client (including authentication methods) using Windows Server 2003 Group Policy. For
example, you can configure wireless connections to specific networks to require use of EAP-
TLS.
• You can use Connection Manager Administration Kit (CMAK) to create a Connection Manager
profile for installation on client computers. With Connection Manager, you can manage the
client connection properties (including authentication methods) used for access to your
network.
• Configure remote access policies at the IAS server to allow only the authentication methods
you want to allow per connection type, such as dial-up or VPN.
For more information, see “Authentication methods” and “Public key infrastructure” in Help and Support
Center for Windows Server 2003.
Note
You can use the Routing and Remote Access service included with
Windows Server 2003 or the Microsoft® Windows® 2000 operating
system to provide network access. However, you can also use third-
party network access servers with Windows Server 2003 IAS. To
ensure that the third-party access server works with Windows
Server 2003 IAS, check with the manufacturer to confirm that the
product supports RFCs 2865, 2866, and 2869.
IAS supports both voluntary and compulsory tunneling. Table 7.1 describes the differences between both types
of tunneling and when you might use each type.
Table 7.1 Comparison of Voluntary and Compulsory Tunneling

Tunnel type: Voluntary tunneling
When to use it: Use this option if your clients need to choose their tunneling location themselves. For
example, the user dials in to an ISP. At the client’s request, the ISP creates a tunnel to the corporation. The
user can alternatively request a tunnel to somewhere else, such as the Internet.
Which IAS components to use: The ISP uses IAS as a RADIUS proxy to forward the request to the corporate
IAS server. The corporation uses IAS as a RADIUS server to authorize and authenticate the request. Either
the ISP or the corporation can use a third-party RADIUS server.

Tunnel type: Compulsory tunneling
When to use it: Use this option if you want to use one tunnel for many clients. For example, if a corporation
has clients in geographically dispersed locations, it can contract with an ISP to deploy regional tunnel servers.
Any client can dial in to any of the tunnel servers, which then creates a compulsory tunnel to the corporation.
Compulsory tunneling is typically used for dial-up clients, but can also be used for VPN clients.
Which IAS components to use: The ISP uses IAS as a RADIUS server to authorize the request. The
corporation uses IAS as a RADIUS server to authorize and authenticate the request. Either the ISP or the
corporation can use a third-party RADIUS server.
Voluntary Tunneling
In voluntary tunneling, during the authorization phase, the corporate IAS server restricts the client connection to
use a specific VPN protocol (PPTP or L2TP/IPSec) if an administrator has configured remote access policies to
restrict connections to those using the specified protocol. The designated protocol must be installed on the client
or the connection attempt is rejected. After the access request is authenticated and authorized, the client
establishes a VPN tunnel to the corporate access server.
A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the
user’s computer is a tunnel endpoint that acts as the tunnel client. Voluntary tunneling occurs when a
workstation or router uses tunneling client software to create a VPN connection to the target tunnel server. In
order to accomplish this, the appropriate tunneling protocol must be installed on the client computer. In a dial-up
situation, which is the most common use, the client must establish a dial-up connection to the internetwork
before the client can set up a tunnel. A good example of this is the dial-up Internet user, who must dial an ISP
and obtain an Internet connection before a tunnel over the Internet is created.
From the IAS perspective, voluntary tunneling is no different from other types of network access, and IAS can
be used for authentication, authorization, and accounting in the usual way.
Compulsory Tunneling
Compulsory tunneling is the creation of a secure tunnel by another computer or network device on the client
computer’s behalf. Compulsory tunnels are configured and created automatically for users without their
knowledge or intervention. With a compulsory tunnel, the user’s computer is not a tunnel endpoint. Another
device between the user’s computer and the tunnel server is the tunnel endpoint, which acts as the tunnel client.
The computer or network device that provides the tunnel for the client computer is known as a front-end
processor (FEP) in PPTP, an L2TP access concentrator (LAC) in L2TP, or an IP security gateway in IPSec. The
term FEP is used to describe tunnel creation functionality, regardless of the protocol used. To perform its
function, the FEP must have the appropriate tunneling protocol installed and must be capable of establishing the
tunnel when the client computer attempts a connection. In Windows Server 2003, Standard Edition; Windows
Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000, the Routing
and Remote Access service cannot be used as a FEP.
An organization can contract with an ISP to deploy a nationwide set of FEPs. These FEPs can establish tunnels
across the Internet to a VPN server that is connected to the organization private network, thereby consolidating
calls from geographically diverse locations into a single Internet connection at the organization network.
There are two types of compulsory tunneling. In the first type, the tunnel is created before the access client is
authenticated. Based on the realm name or the caller ID of the access client, the FEP sends an Access-Request
message to an IAS server. The IAS server sends back an immediate Access-Accept message with RADIUS
attributes for the tunnel creation without performing authentication and authorization. After the tunnel is created,
the access client authenticates against the tunnel server.
In the second type of compulsory tunneling, the tunnel is created after the access client is authenticated by the
FEP. In this case, the FEP sends the Access-Request message with the client credentials to an IAS server. The
IAS server authenticates and authorizes the connection attempt and returns RADIUS attributes in the Access-
Accept message, which specify to the NAS how to initiate a tunnel to a VPN server. The tunnel endpoint (the
VPN server at which the tunnel is terminated), can be changed on the basis of conditions in a remote access
policy. For example, the tunnel endpoint can be changed on the basis of the user name or the user account group
membership. Controlling compulsory tunnels with remote access policies provides more flexibility than static
tunneling (which requires a dedicated access server) or realm-based tunneling (which requires all users in a
specific realm to use the same tunnel settings).
For more information, see “IAS and tunnels” in Help and Support Center for Windows Server 2003.
IAS RADIUS clients and servers require minimal management and administration. However, over time,
changes in the number of access clients, changes in WAN technology, and other factors can reduce the
performance of IAS.
You can optimize IAS performance by positioning your IAS servers strategically. Use the following guidelines
when deciding where to position your IAS servers:
• Locate IAS servers in the same domain as the server that provides remote user account
authentication.
• Locate IAS on a domain controller and store the user account database in Active Directory.
In addition, the following factors can negatively impact IAS performance:
• The current load of the domain controller.
• The resolution of user principal names, resulting in an additional remote procedure call (RPC)
query against the computer that contains the global catalog.
• EAP-based authentication methods, involving multiple challenge-response exchanges.
• The type of hardware in use.
• Network latency between:
• The IAS server and the domain controller.
• The IAS server and the computer that contains the global catalog.
• The IAS server and the access server.
You can optimize the performance of an IAS solution by scaling IAS to meet increasing demands in your
organization and by including more than one RADIUS client and server in your network design.
In larger organizations with complex forest or domain topologies, use IAS as a RADIUS proxy to forward
authentication requests to remote RADIUS server groups. You can also designate remote RADIUS server
groups to process only accounting requests, freeing the servers performing authentication from handling
accounting traffic.
To optimize authentication and accounting performance in your IAS design, take the following actions:
• Run IAS on the same computer as the domain controller. This speeds IAS access to the Active
Directory user accounts database when IAS is performing user authentication and authorization.
• Run IAS on the same computer that contains the global catalog. If it is not possible to run IAS
on the same computer as the domain controller or the computer that contains the global catalog,
verify that you have an efficient domain and site topology, and place the IAS server on the same
subnet as a domain controller or global catalog server.
• Reduce the number of user accounts in each domain by redesigning your domain topology.
• Add IAS proxy servers to load balance authentication and accounting between servers in
remote RADIUS server groups.
• Upgrade the hardware resources of the existing IAS servers.
• Replace existing IAS servers with higher performance servers.
• Reduce the level of detail recorded in IAS accounting. IAS accounting can record user
authentication requests, accounting requests, and periodic data. Make sure you are logging only
the amount of information you need to troubleshoot network access.
• If you configure IAS accounting for SQL Server logging, install SQL Server Desktop Engine
(MSDE 2000) on the IAS server, and log to MSDE 2000 instead of directly to SQL Server 2000
running on another computer. This configuration assists in preventing logging failure due to
network hardware failure or heavy network traffic. Use a custom application, service, or
component to periodically publish the accounting logs from the MSDE 2000 database on each
IAS server to the master SQL Server 2000 database.
• For wireless deployments, use PEAP-EAP-MS-CHAPv2 with fast reconnect. PEAP uses
cached TLS keys during re-authentication with access points configured as RADIUS clients of
a single IAS server. Cached authentication is critical for wireless deployments because wireless
clients authenticate each time they move to and associate with a new access point. In addition to
improving performance, PEAP fast reconnect significantly reduces the latency of authentication
and the public key operation overhead on both the client and the RADIUS server.
Caution
Do not edit the registry unless you have no alternative. The registry
editor bypasses standard safeguards, allowing settings that can
damage your system, or even require you to reinstall Windows. If you
must edit the registry, back it up first and see the Registry Reference
on the Windows Server 2003 Deployment Kit companion CD or at
http://www.microsoft.com/reskit.
For more information, see “Remote access logging” in Help and Support Center for Windows Server 2003.
In very large environments (such as an ISP with millions of remote access users and extremely heavy load
conditions) that must process a large number of both authentication requests and accounting packets per second,
you can optimize IAS performance by doing the following:
• Using a faster domain controller to yield better throughput. The number of authentications per
second depends on the hardware used for the domain controller.
• Using separate IAS servers for authentication and accounting. IAS proxy servers can send all
accounting requests to a specific remote RADIUS server group, while sending authentication
requests to other groups. For more information, see “Configure accounting” in Help and
Support Center for Windows Server 2003.
• Running the IAS server on a domain controller with a global catalog. Choose this option if you
have a high-latency connection between your IAS server and your domain controller, or
between your IAS server and your global catalog, but you do not have problems with your IAS
performance.
• Increasing the number of concurrent authentication calls in progress at one time by using the
MaxConcurrentApi registry entry. Keep in mind that if you assign too high a value to this
registry entry, your IAS server can place an excessive load on your domain controller. Values
from 2 to 5 provide the best performance.
For more information about the MaxConcurrentApi registry entry, see the Registry Reference
on the Windows Server 2003 Deployment Kit companion CD or at
http://www.microsoft.com/reskit.
If you do not implement any remote access policies, all connection attempts fail.
Before you configure remote access policies, you must make decisions about the following:
• Whether to use Network Access Quarantine Control for VPN and dial-up connections.
• Whether to use custom or common policies. When you use the New Remote Access Policy
Wizard in the IAS snap-in, you can choose to create a common or a custom policy. For a
common policy, you must configure an access method, whether to grant access permissions by
user or by group, authentication methods, and levels of allowed encryption (depending on the
access method selected). For a custom policy, you must configure a set of policy conditions,
whether remote access permission for the policy is granted or denied, and remote access policy
profile settings. For more information, see “Add a remote access policy” in Help and Support
Center for Windows Server 2003.
• The groups and users to which the remote access policies apply.
• Whether the remote access policy grants or denies access to the users or the group.
• The restrictions that are placed on the users or the group.
For more information about Internet Authentication Service, including remote access policies, see the
Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
For specific information about settings for each element, see Help and Support for Windows Server 2003 or the
Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
Note
Not all network access servers send all of the RADIUS attributes.
Consult the documentation for your network access server to see
which attributes it sends.
Conditions
Specify the remote access conditions for each policy. Remote access policy conditions are one or more attributes
that are compared to the settings of the connection attempt. A connection attempt matches a policy only if it
matches every condition of that policy, and the policy's profile settings are applied only to connection attempts
that match it.
Permission
Specify whether the permission is granted or denied if the conditions of a remote access policy are met. You use
the Grant remote access permission option or the Deny remote access permission option to set remote access
permission for a policy.
During the authorization process, the dial-in properties of user accounts are evaluated before remote access
policy is applied. If the dial-in properties for the user account are set to Deny access, the connection attempt is
rejected and remote access policies are not evaluated. When dial-in properties for the user account are set to
Control access through Remote Access Policy, the remote access policy alone determines whether the user is
granted access.
When the dial-in properties for the user account are set to Grant access, remote access policies are evaluated
next. In this circumstance it is possible for the user to be denied access by settings in the remote access policy.
For example, if the remote access policy is configured to allow the user to connect only between the hours of 8
AM and 5 PM and the user is attempting to connect at 6 PM, the connection attempt fails due to the settings in
the remote access policy.
Profile
Specify the remote access policy profile properties to set dial-in constraints and other restrictions. These
properties are applied to a connection after the connection is authorized, whether the connection has been
authorized through the user account permission setting or the remote access policy.
You can use these properties to specify the series of RADIUS attributes that are sent back to the RADIUS client
by the IAS server, including any vendor-specific attributes you are using. For more information about VSAs, see
“Configuring IAS for Compatibility with a Third-Party Access Server” later in this chapter.
Note
Elements of a remote access policy correspond to RADIUS attributes
that are used during RADIUS-based authentication. For an IAS server,
verify that the network access servers that you use are sending the
RADIUS attributes that correspond to the configured remote access
policy conditions and profile settings. If an access server does not send
a RADIUS attribute that corresponds to a remote access policy
condition or profile setting, then all RADIUS authentications from that
access server are denied.
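The evaluation order described in the Conditions, Permission and Profile sections above, together with the Note's point about attributes an access server never sends, as an added worked example in Python (not code from the deployment kit or from IAS). The policies, the attribute names such as NAS-Port-Type and Windows-Group, and the connection attempts are constructed; group membership, which IAS resolves from the account rather than from the access server, is folded into each attempt's attribute dictionary for simplicity. One behaviour shown here that the text above only implies: when the account's dial-in property is Grant access, IAS ignores the matching policy's own Grant/Deny permission and only the profile constraints can still reject the attempt, so a catch-all deny policy protects only accounts set to Control access through Remote Access Policy.

```python
"""Model of how an IAS server authorizes a connection attempt: the account's
dial-in property first, then the ordered remote access policies (every
condition must match), then the matching policy's permission and profile
constraints. Added example; policies, attribute names and attempts are
constructed to illustrate the chapter, not taken from a real deployment."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple

DENY = "Deny access"
GRANT = "Grant access"
CONTROL_BY_POLICY = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]              # attribute -> required value; all must match
    grant: bool                             # the policy's Grant/Deny permission setting
    allowed_hours: Optional[Tuple[time, time]] = None   # profile dial-in constraint


@dataclass
class Attempt:
    user: str
    dialin: str                             # the account's dial-in property
    attributes: Dict[str, str]              # what the access server actually sent
    at: time


def conditions_match(policy: Policy, attempt: Attempt) -> bool:
    # An attribute the access server did not send can never satisfy a condition.
    return all(attempt.attributes.get(k) == v for k, v in policy.conditions.items())


def profile_allows(policy: Policy, attempt: Attempt) -> bool:
    if policy.allowed_hours is None:
        return True
    start, end = policy.allowed_hours
    return start <= attempt.at < end


def authorize(policies: List[Policy], attempt: Attempt) -> Tuple[bool, str]:
    """Return (accepted, reason) following the evaluation order IAS documents."""
    if attempt.dialin == DENY:
        return False, "account dial-in property is Deny access; policies not evaluated"
    if not policies:
        return False, "no remote access policies exist; every attempt fails"
    for policy in policies:                 # first policy whose conditions all match wins
        if not conditions_match(policy, attempt):
            continue
        # Under Control access through Remote Access Policy the policy's own
        # permission decides; under Grant access the account setting takes
        # precedence and only the profile constraints can still reject.
        if attempt.dialin == CONTROL_BY_POLICY and not policy.grant:
            return False, f"policy '{policy.name}' denies access"
        if not profile_allows(policy, attempt):
            return False, f"policy '{policy.name}' profile time-of-day constraint not met"
        return True, f"policy '{policy.name}' grants access"
    return False, "no policy matched; IAS rejects the attempt"


# Constructed policy set, evaluated top to bottom: specific grants first, a
# catch-all deny last so unanticipated attempts are rejected explicitly.
POLICIES = [
    Policy("VPN contractors 8-5", {"NAS-Port-Type": "Virtual", "Windows-Group": "Contractors"},
           grant=True, allowed_hours=(time(8, 0), time(17, 0))),
    Policy("Wireless employees", {"NAS-Port-Type": "Wireless", "Windows-Group": "Employees"},
           grant=True),
    Policy("Deny everything else", {}, grant=False),
]

VPN_CONTRACTOR = {"NAS-Port-Type": "Virtual", "Windows-Group": "Contractors"}
SAMPLES = [
    ("alice daytime", Attempt("alice", CONTROL_BY_POLICY, VPN_CONTRACTOR, time(10, 0))),
    ("alice 6pm", Attempt("alice", GRANT, VPN_CONTRACTOR, time(18, 0))),   # chapter's example
    ("bob", Attempt("bob", DENY, {"NAS-Port-Type": "Wireless", "Windows-Group": "Employees"}, time(9, 0))),
    # The access point did not send NAS-Port-Type, so the wireless policy cannot match.
    ("carol", Attempt("carol", CONTROL_BY_POLICY, {"Windows-Group": "Employees"}, time(9, 0))),
    # Account set to Grant access: the catch-all policy's Deny permission is ignored.
    ("dave", Attempt("dave", GRANT, {"NAS-Port-Type": "Async"}, time(9, 0))),
]


def run_samples() -> Dict[str, bool]:
    """Label -> accepted, for each constructed attempt against POLICIES."""
    return {label: authorize(POLICIES, attempt)[0] for label, attempt in SAMPLES}


if __name__ == "__main__":
    for label, attempt in SAMPLES:
        print(f"{label:14} {authorize(POLICIES, attempt)}")
```

The "dave" case is the one to keep in mind when reviewing a policy set: a deny policy at the end of the list is not a safety net for accounts whose dial-in property is Grant access.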
Before the IAS server can access Active Directory–based domains to authenticate user credentials and user
access account properties, the IAS server must be registered in those domains.
For specific information about how to perform these steps, see “Computer certificates for certificate-based
authentication” in Help and Support Center for Windows Server 2003.
For more information about certificate enrollment methods and domain membership, see “Network access
authentication and certificates” in Help and Support Center for Windows Server 2003.
Include RADIUS secrets in your remote access design. The shared secret configured between the IAS server and
each RADIUS client is what mutually authenticates RADIUS computers (through the Message-Authenticator
attribute and the response authenticator) and what hides the remote user password in the User-Password
attribute. It is best to specify RADIUS secrets that are at least 16 characters in length and that include
uppercase letters, lowercase letters, numbers, and punctuation, and to use a different secret for each RADIUS
client so that the compromise of one access server does not expose the others.
Use the Message-Authenticator attribute
Use the Message-Authenticator attribute (labeled the digital signature or signature attribute in the IAS snap-in;
it is an HMAC-MD5 computed over the packet and keyed with the shared secret, not a public-key signature) for
connection requests that use the PAP, CHAP, MS-CHAP, and MS-CHAPv2 authentication protocols. This attribute
ensures that an incoming RADIUS Access-Request message was sent from a RADIUS client configured with the
correct shared secret and was not altered in transit. Without it, nothing in an Access-Request for these protocols
lets the server confirm that the sender holds the secret (the Request Authenticator is a random value, and the
User-Password hiding used by PAP only conceals the password), so the server has little beyond the source IP
address of the RADIUS client to go on. You must enable the use of the Message-Authenticator attribute on both
the IAS server (as part of the configuration of the RADIUS client) and the RADIUS client (the network access
server or RADIUS proxy). Ensure that the RADIUS client supports the Message-Authenticator attribute before you
enable the attribute; if the IAS server requires it and the client does not send it, the server discards the
request. The Message-Authenticator attribute is always used with EAP, regardless of whether it is enabled on
the IAS server and access server.
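What the shared secret and the Message-Authenticator attribute actually do on the wire, as an added example in Python (not code from the deployment kit or from IAS). It builds an Access-Request the way an access server would, hiding the User-Password attribute with the RFC 2865 method and adding the RFC 2869 Message-Authenticator, then checks the request the way the IAS server does, including the cases of a wrong secret, a tampered packet and a request that omits the attribute. The secret, user name, password and NAS address are constructed values; the secret_meets_guidance check implements the 16-character, four-class rule given above.

```python
"""Access-Request building and checking for a RADIUS client and an IAS-style server:
User-Password hiding (RFC 2865 section 5.2) and the Message-Authenticator attribute
(RFC 2869 section 5.14), both keyed with the shared secret. Added example with
constructed values; not code from the deployment kit or from IAS."""
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def secret_meets_guidance(secret: str) -> bool:
    """The chapter's rule: 16+ characters drawn from all four character classes."""
    return (len(secret) >= 16
            and any(c.isupper() for c in secret) and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret) and any(not c.isalnum() for c in secret))


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, counts the header) Value; a value is at most 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def xor_stream(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: b1 = MD5(S+RA), c1 = p1^b1, b2 = MD5(S+c1), c2 = p2^b2, ..."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        c = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += c
        prev = block if decrypt else c      # the chain runs over the ciphertext blocks
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_stream(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password")
    return xor_stream(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """Access server side. Message-Authenticator is placed last, so the HMAC over
    the packet (with that value zeroed) simply replaces the final 16 octets."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable (RFC 2865 3)
    attrs = (encode_attr(ATTR_USER_NAME, user)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP, nas_ip)
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute after the 20-octet header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        yield pos, packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """IAS side: recompute HMAC-MD5 over the packet with the attribute zeroed and
    compare in constant time. A request without the attribute is refused: for PAP
    or CHAP nothing else in an Access-Request proves the sender holds the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for off, attr_type, value in attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


def recover_password(packet: bytes, secret: bytes) -> bytes:
    for _, attr_type, value in attributes(packet):
        if attr_type == ATTR_USER_PASSWORD:
            return reveal_password(value, secret, packet[4:20])
    raise ValueError("no User-Password attribute")


if __name__ == "__main__":
    SECRET = b"k7#Qx!Ra9dius_Lm2Pe"          # constructed: 19 chars, all four classes
    pkt = build_access_request(7, SECRET, b"alice", b"correct horse", bytes([10, 0, 0, 5]))
    print("genuine:", verify_message_authenticator(pkt, SECRET))                      # True
    print("wrong secret:", verify_message_authenticator(pkt, b"Other-secret-123!"))   # False
    print("tampered:", verify_message_authenticator(pkt[:22] + b"m" + pkt[23:], SECRET))  # False
    print("password:", recover_password(pkt, SECRET))                                 # b'correct horse'
```

Note what the "wrong secret" case does and does not show: a request from a sender with the wrong secret fails the HMAC check, but the check only exists because the attribute is present. Offline, the same packets are also the material for a dictionary attack on a weak secret, which is why the length and character-class rule above matters more than it might look.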
Configure your Internet firewall
In the most common configuration, the Internet firewall is situated on your perimeter network between your
secure network and the Internet. The perimeter network (also known as a screened subnet) is an IP network
segment that contains resources (such as Web and VPN servers) that are available to Internet users. In this
configuration, the IAS server is an intranet resource that is connected to the perimeter network.
If your IAS server is on a perimeter network, configure your Internet firewall to allow RADIUS messages to
pass between your IAS server and RADIUS clients on the Internet. You might need to configure an additional
firewall that is placed between your perimeter network and your intranet, which allows traffic to flow between
the IAS server on the perimeter network and domain controllers on the intranet.
If your IAS server is on the perimeter network, it might use either of the following to contact a domain
controller on the intranet:
• An interface on the perimeter network and an interface on the intranet (IP routing is not
enabled).
• A single interface on the perimeter network. In this configuration, IAS communicates with
intranet domain controllers through another firewall that connects the perimeter network to the
intranet.
For more information about Internet firewalls, see “Deploying ISA Server” in this book.
Enable remote access account lockout
Enable remote access account lockout to protect against online dictionary attacks. Remote access account
lockout disables network access for user accounts after a configured number of failed connection attempts has
been reached.
Remote access account lockout can also be used to prevent a malicious user from intentionally locking out a
domain account by attempting to make multiple dial-up or VPN connections with the wrong password. You can
set the number of failed attempts for remote access account lockout to a number that is lower than the number of
logon retries for domain account lockout. By doing this, remote access account lockout occurs before domain
account lockout, which prevents the domain account from being intentionally locked out.
For more information about account lockout, see “Remote access account lockout” in Help and Support Center
for Windows Server 2003.
2. Using Netsh, copy the configuration of the primary IAS proxy to the secondary IAS proxy in
the perimeter network.
For more information about copying IAS configuration, see “Copy the IAS configuration to another server” in
Help and Support Center for Windows Server 2003.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• The Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide
on the Web at http://www.microsoft.com/reskit) for more information about Internet
Authentication Service.
• “Deploying Remote Access Clients Using Connection Manager” in this book.
• “Designing a Public Key Infrastructure” in Designing and Deploying Directory and Security
Services of this kit for more information about how to design a certificate infrastructure.
• “Deploying Dial-Up and VPN Remote Access Servers” in this book.
• “Deploying a Wireless LAN” in this book for information about deploying wireless access
clients.
• RFC 2865: Remote Authentication Dial In User Service (RADIUS).
• RFC 2866: RADIUS Accounting.
• RFC 2869: RADIUS Extensions.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only checkbox.
• “Internet Authentication Service” in Help and Support Center for Windows Server 2003.
• “Remote access policies” in Help and Support Center for Windows Server 2003.
• “IAS as a RADIUS server” in Help and Support Center for Windows Server 2003.
• “Deploying IAS as a RADIUS proxy” in Help and Support Center for Windows Server 2003.
• “Compulsory tunnels” in Help and Support Center for Windows Server 2003 for information
about the RADIUS attributes used with compulsory tunneling.
• “Computer certificates for certificate-based authentication” in Help and Support Center for
Windows Server 2003.
• “Dial-up and VPN remote access” in Help and Support Center for Windows Server 2003 for
more information about configuring user accounts for IAS.
• “Copy the IAS configuration to another server” in Help and Support Center for Windows
Server 2003 for more information about copying IAS configuration.
• “Outsourced dial and a proxy in the perimeter network” in Help and Support Center for
Windows Server 2003 for more information about configuring IAS proxies in the perimeter
network.
• “Add RADIUS attributes to a remote access policy” in Help and Support Center for Windows
Server 2003 for more information about how to configure the class attribute.
• “Manage packet filters” in Help and Support Center for Windows Server 2003 for more
information about configuring packet filters.
• “Use RADIUS accounting” and “Use RADIUS authentication” in Help and Support Center for
Windows Server 2003 for more information about configuring RADIUS accounting and
authentication.
• “Managing multiple IAS servers” in Help and Support Center for Windows Server 2003 for
more information about synchronizing the configuration of multiple IAS servers.
• “Configure accounting” in Help and Support Center for Windows Server 2003 for more
information about using separate IAS servers for authentication and accounting.
• “Configure authentication” in Help and Support Center for Windows Server 2003.
• “Configure encryption” in Help and Support Center for Windows Server 2003.
• “PEAP” in Help and Support Center for Windows Server 2003.
• “Network access authentication and certificates” in Help and Support Center for Windows
Server 2003 for more information about certificate enrollment methods and domain
membership.