Title: 70291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Internet
1. 70-291 MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced. Chapter 11: Internet Authentication Service
2. Objectives
- Understand and describe the purpose of the RADIUS protocol
- Describe the function of RADIUS servers, clients, and proxies
- Configure a RADIUS server using the Internet Authentication Service
- Configure a RADIUS proxy using the Internet Authentication Service
3. Objectives (continued)
- Configure RRAS as a RADIUS client
- Troubleshoot RADIUS
4. RADIUS Overview
- RADIUS: Remote Authentication Dial-In User Service
- Designed to centralize the authentication process for large distributed networks
- Originally intended for dial-up networks
- Can be used for VPN servers, switches, and wireless access points
- Two mandatory server roles
  - RADIUS client
  - RADIUS server
5. RADIUS Overview (continued)
- The RADIUS client accepts authentication information from users or devices and forwards the information to a RADIUS server
- The RADIUS server accepts authentication information from a RADIUS client
- Windows Server 2003 can act as either a RADIUS server or RADIUS client
6. RADIUS Overview (continued)
- Install IAS to use Windows Server 2003 as a RADIUS server
- RADIUS proxies act as intermediaries between RADIUS clients and RADIUS servers
9. Outsourcing Dial-up Requirements
- You can use IAS to outsource dial-up requirements and allow roaming users to continue logging on using Active Directory user names and passwords
- A user dials into the ISP, the ISP forwards the request to a RADIUS proxy, the RADIUS proxy forwards the request to a RADIUS server, and the RADIUS server passes the information to a domain controller for authentication
11. Configuring IAS as a RADIUS Server
- IAS is a standard component of Windows Server 2003
- Installed through Add or Remove Programs
- Must be configured using the IAS snap-in before being used
- IAS must be registered with Active Directory if Active Directory is used on the network
- The IAS server will not respond to any requests from RADIUS clients not listed in the IAS configuration
16. Activity 11-1: Configuring IAS as a RADIUS Server
- Objective: Install IAS so your server can act as a RADIUS server
- Install IAS through Add or Remove Programs
- Add RADIUS clients
- Enter a password in the shared secret box
17. Configuring RRAS as a RADIUS Client
- The RRAS server acts as a RADIUS client if it passes authentication requests to a RADIUS server
- You may specify that a RADIUS server be used for authentication when configuring RRAS
- You must specify the name or IP address of the RADIUS server and the shared secret when configuring RRAS as a RADIUS client
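
What the shared secret entered on both the RRAS client and the IAS server does on the wire, as an added example that is not part of the original slides. It follows RFC 2865 (User-Password hiding and the Response Authenticator); the function names are hypothetical and the secrets, password and packet values are constructed.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: hide User-Password as in RFC 2865 section 5.2."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password using the server's copy of the secret."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")

def sign_response(code: int, ident: int, attrs: bytes,
                  request_auth: bytes, secret: bytes) -> bytes:
    """Server side: build a reply whose Response Authenticator is
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if it was signed with our secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not from the slides).
REQUEST_AUTH = bytes(range(16))             # normally 16 random bytes per request
RRAS_SECRET = b"example-shared-secret"      # as typed into RRAS
IAS_SECRET_TYPO = b"example-shared-secrte"  # mistyped on the IAS side
REPLY_MESSAGE = bytes([18, 4]) + b"ok"      # attribute 18 (Reply-Message)

if __name__ == "__main__":
    hidden = hide_password(b"P@ssw0rd-for-vpn-user", RRAS_SECRET, REQUEST_AUTH)
    print(reveal_password(hidden, RRAS_SECRET, REQUEST_AUTH))      # original password
    print(reveal_password(hidden, IAS_SECRET_TYPO, REQUEST_AUTH))  # unusable bytes
    reply = sign_response(2, 7, REPLY_MESSAGE, REQUEST_AUTH, IAS_SECRET_TYPO)
    print(verify_response(reply, REQUEST_AUTH, RRAS_SECRET))       # reply rejected
```

A mismatched secret therefore shows up as failed logons with a correct password and as replies the client discards, which is why the same value must be entered on both sides.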
20. Activity 11-2: Configuring a RRAS Client
- Objective: Configure a RRAS server to use IAS for authentication
- Use Routing and Remote Access control
- Add new RADIUS server to the list
- Enter shared secret
21. Activity 11-3: Testing RADIUS
- Objective: Create a VPN connection to your RRAS server to test RADIUS authentication
- Create a new VPN network connection
- Select Anyone's use
- If RADIUS is configured successfully, your RRAS server should contact the IAS service on your partner's computer
22. Configuring IAS as a RADIUS Proxy
- Windows Server 2003 can act as a RADIUS proxy
- Windows Server 2003 can act as both RADIUS proxy and RADIUS server at the same time
- Connection request policies determine how a RADIUS request is handled
23. Remote RADIUS Server Groups
- Server groups are required for IAS to act as a RADIUS proxy
- RADIUS requests and logging information are forwarded to remote RADIUS server groups
- Server groups allow for load balancing and fault tolerance
- Weight setting is used to configure load balancing
- Priority is assigned to provide fault tolerance
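
How priority and weight interact when a proxy forwards requests to a server group, as an added example that is not part of the original slides. It is a simplified model, not IAS's own code: it assumes a lower priority number is preferred and that weight splits requests among responding members of equal priority; the host names and numbers are constructed.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupMember:
    name: str
    priority: int          # 1 is tried first; higher numbers are backups
    weight: int            # relative share among members of equal priority
    responding: bool = True

def pick_member(group, rng):
    """Return the member that should receive the next forwarded request."""
    live = [m for m in group if m.responding]
    if not live:
        return None                      # whole group down: request cannot be proxied
    top = min(m.priority for m in live)  # fault tolerance: best priority still alive
    tier = [m for m in live if m.priority == top]
    # Load balancing: weighted choice among the members of that priority level.
    return rng.choices(tier, weights=[m.weight for m in tier], k=1)[0]

def distribute(group, requests, seed=11):
    """Count where `requests` forwarded requests land (seeded, so repeatable)."""
    rng = random.Random(seed)
    counts = {m.name: 0 for m in group}
    for _ in range(requests):
        member = pick_member(group, rng)
        if member is not None:
            counts[member.name] += 1
    return counts

# Constructed members for a group named "Engineering"; host names are placeholders.
ENGINEERING = [
    GroupMember("ias1.example.test", priority=1, weight=70),
    GroupMember("ias2.example.test", priority=1, weight=30),
    GroupMember("ias-backup.example.test", priority=2, weight=100),
]

if __name__ == "__main__":
    print("all up:        ", distribute(ENGINEERING, 1000))
    outage = [GroupMember(m.name, m.priority, m.weight, responding=(m.priority != 1))
              for m in ENGINEERING]
    print("primaries down:", distribute(outage, 1000))
```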
25. Activity 11-4: Creating a Remote RADIUS Server Group
- Objective: Create a remote RADIUS server group that can be used when IAS is configured as a RADIUS proxy
- Use the New Remote RADIUS Server Group Wizard
- Group name is Engineering
- Enter shared secret
26. Connection Request Policies
- Constructed similarly to a remote access policy
- No permissions
- Conditions are a subset of the conditions found in remote access policies
- Conditions include Day-And-Time-Restrictions, Client-IP-Addresses, and Client-Vendor
- Profile has very different options than the profile in a remote access policy
29. Activity 11-5: Creating a Connection Request Policy
- Objective: Create a new connection request policy to configure your server as a RADIUS proxy
- Add a new connection request policy
- Use New Connection Request Policy Wizard
- Use proxy name EngineeringProxy
30. Troubleshooting RADIUS
- Most remote access problems are not related to RADIUS
- Before troubleshooting RADIUS, ensure users can obtain remote access without RADIUS
- Use log files whenever possible
34. Activity 11-6: Logging IAS Information to a File
- Objective: Enable IAS event logging
- Ensure that all accounting requests are logged
- Ensure that all valid and nonvalid authentication requests are logged
- Ensure all interim accounting requests are logged
35. Summary
- RADIUS may be used to centralize remote access authentication and logging
- RADIUS is composed of the RADIUS clients, RADIUS servers, and RADIUS proxies
- RADIUS clients forward authentication requests to RADIUS servers; RADIUS servers then authenticate the requests and authorize the connections
- A RADIUS proxy can be used as an intermediary between RADIUS clients and servers in large environments
- IAS allows Windows Server 2003 to act as a RADIUS server
36. Summary (continued)
- RRAS can act as a RADIUS client when configured as a remote access server
- IAS can also be configured as a RADIUS proxy
- Connection request policies are used on each request to determine whether IAS acts as a RADIUS server or a RADIUS proxy
- Connection request policies are composed of a condition and a profile
- IAS can log information to a file or SQL server