70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Internet Authentication Service

Guide to MCSE , Enhanced 2 Objectives Understand and describe the purpose of the RADIUS protocol Describe the function of RADIUS servers, clients, and proxies Configure a RADIUS server using the Internet Authentication Service Configure a RADIUS proxy using the Internet Authentication Service

Guide to MCSE , Enhanced 3 Objectives (continued) Configure RRAS as a RADIUS client Troubleshoot RADIUS

Guide to MCSE , Enhanced 4 RADIUS Overview RADIUS: remote authentication dial-in user service Designed to centralize the authentication process for large distributed networks Originally intended for dial-up networks Can be used for VPN servers, switches, and wireless access points Two mandatory server roles: RADIUS client RADIUS server

Guide to MCSE , Enhanced 5 RADIUS Overview (continued) The RADIUS client accepts authentication information from users or devices and forwards the information to a RADIUS server The RADIUS server accepts authentication information from a RADIUS client Windows Server 2003 can act as either a RADIUS server or RADIUS client

Guide to MCSE , Enhanced 6 RADIUS Overview (continued) Install IAS to use Windows Server 2003 as a RADIUS Server RADIUS proxies act as intermediaries between RADIUS clients and RADIUS servers

Guide to MCSE , Enhanced 7 Radius Overview (continued)

Guide to MCSE , Enhanced 8 Radius Overview (continued)

Guide to MCSE , Enhanced 9 Outsourcing Dial-up Requirements You can use IAS to outsource dial-up requirements and allow roaming users to continue logging on using Active Directory user name and passwords A user dials into ISP, ISP forwards request to RADIUS proxy, RADIUS proxy forwards request to RADIUS server, RADIUS server passes information to domain controller for authentication

Guide to MCSE , Enhanced 10 Outsourcing Dial-up Requirements (continued)

Guide to MCSE , Enhanced 11 Configuring IAS as a RADIUS Server IAS is standard component of Windows Server 2003 Installed through Add or Remove Programs Must be configured using IAS snap-in before being used IAS must be registered with Active Directory if Active Directory is used on the network IAS server will not respond to any requests from RADIUS clients not listed in the IAS configuration

Guide to MCSE , Enhanced 12 Configuring IAS as a RADIUS Server (continued)

Guide to MCSE , Enhanced 13 Configuring IAS as a RADIUS Server (continued)

Guide to MCSE , Enhanced 14 Configuring IAS as a RADIUS Server (continued)

Guide to MCSE , Enhanced 15 Configuring IAS as a RADIUS Server (continued)

Guide to MCSE , Enhanced 16 Activity 11-1: Configuring IAS as a Radius Server Objective: Install IAS so your server can act as a RADIUS server Install IAS through Add or Remove Programs Add RADIUS clients Enter a password in the shared secret box

Guide to MCSE , Enhanced 17 Configuring RRAS as a RADIUS Client The RRAS server acts as a RADIUS client if it passes authentication requests You may specify that a RADIUS server be used for authentication when configuring RRAS You must specify the name or IP address of the RADIUS server and shared secret when configuring RRAS as a RADIUS server

Guide to MCSE , Enhanced 18 Configuring RRAS as a RADIUS Client (continued)

Guide to MCSE , Enhanced 19 Configuring RRAS as a RADIUS Client (continued)

Guide to MCSE , Enhanced 20 Activity 11-2: Configuring a RRAS Client Objective: Configure a RRAS server to use IAS for authentication Use Routing and Remote Access control Add new RADIUS server to the list Enter shared secret

Guide to MCSE , Enhanced 21 Activity 11-3: Testing RADIUS Objective: Create a VPN connection to your RRAS server to test RADIUS authentication Create a new VPN network connection Select anyone’s use If RADIUS is configured successfully, your RRAS server should contact the IAS service on your partner’s computer

Guide to MCSE , Enhanced 22 Configuring IAS as a RADIUS Proxy Windows Server 2003 can act as a RADIUS proxy Windows Server 2003 can act as both RADIUS proxy and RADIUS server at the same time Connection request policies determine how a RADIUS request is handled

Guide to MCSE , Enhanced 23 Remote RADIUS Server Groups Server groups are required for IAS to act as a RADIUS proxy RADIUS requests and logging information are forwarded to remote RADIUS server groups Server groups allow for load balancing and fault tolerance Weight setting is used to configure load balancing Priority is assigned to provide fault tolerance

Guide to MCSE , Enhanced 24 Remote RADIUS Server Groups (continued)

Guide to MCSE , Enhanced 25 Activity 11-4: Creating a Remote RADIUS Server Group Objective: Create a remote RADIUS server group that can be used when IAS is configured as a RADIUS proxy Use the New Remote RADIUS Server Group Wizard Group name is Engineering Enter shared secret

Guide to MCSE , Enhanced 26 Connection Request Policies Constructed similarly to a remote access policy No permissions Conditions are a subset of the conditions found in remote access policies Conditions include Day-And-Time-Restrictions, Client-IP-Addresses, and Client-Vendor Profile has very different options than profile in remote access policy

Guide to MCSE , Enhanced 27 Connection Request Policies (continued)

Guide to MCSE , Enhanced 28 Connection Request Policies (continued)

Guide to MCSE , Enhanced 29 Activity 11-5: Creating a Connection Request Policy Objective: Create a new connection request policy to configure your server as a RADIUS proxy Add a new connection request policy Use New Connection Request Policy Wizard Use proxy name EngineeringProxy

Guide to MCSE , Enhanced 30 Troubleshooting RADIUS Most remote access problems are not related to RADIUS Before troubleshooting RADIUS, ensure users can obtain remote access without RADIUS Use log files whenever possible

Guide to MCSE , Enhanced 31 Troubleshooting RADIUS (continued)

Guide to MCSE , Enhanced 32 Troubleshooting RADIUS (continued)

Guide to MCSE , Enhanced 33 Troubleshooting RADIUS (continued)

Guide to MCSE , Enhanced 34 Activity 11-6: Logging IAS Information to a File Objective: Enable IAS event logging Ensure that all accounting requests are logged Ensure that all valid and nonvalid authentication requests are logged Ensure all interim accounting requests are logged

Guide to MCSE , Enhanced 35 Summary RADIUS may be used to centralize remote access authentication and logging RADIUS is composed of the RADIUS clients, RADIUS servers, and RADIUS proxies RADIUS clients forward authentication requests to RADIUS servers, RADIUS servers then authenticate the requests and authorize the connections A RADIUS proxy can be used as an intermediary between RADIUS clients and servers in large environments IAS allows Windows Server 2003 to act as a RADIUS server

Guide to MCSE , Enhanced 36 Summary (continued) RRAS can act as a RADIUS client when configured as a remote access server IAS can also be configured as a RADIUS proxy Connection request policies are used on each request to determine whether IAS acts as a RADIUS server or a RADIUS proxy Connection request policies are composed of a condition and a profile IAS can log information to a file or SQL server