IAS as a RADIUS server
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
IAS as a RADIUS server
Internet Authentication Service (IAS) can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be either an access server or a RADIUS proxy. When Internet Authentication Service (IAS) is used as a RADIUS server, it provides the following:
A central authentication and authorization service for all access requests that are sent by RADIUS clients.
IAS uses either a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® domain, or the local Security Accounts Manager (SAM) to authenticate user credentials for a connection attempt. IAS uses the dial-in properties of the user account and remote access policies to authorize a connection.
A central accounting recording service for all accounting requests that are sent by RADIUS clients.
Accounting requests are stored in a local log file for analysis.
The following illustration shows IAS as a RADIUS server for a variety of access clients and a RADIUS proxy. IAS uses an Active Directory domain for user credential authentication of incoming RADIUS Access-Request messages.
When IAS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:
Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the IAS server.
The IAS server evaluates the Access-Request message.
If required, the IAS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the IAS server.
The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
The connection attempt is authorized with both the dial-in properties of the user account and remote access policies.
If the connection attempt is both authenticated and authorized, the IAS server sends an Access-Accept message to the access server.
If the connection attempt is either not authenticated or not authorized, the IAS server sends an Access-Reject message to the access server.
The access server completes the connection process with the access client and sends an Accounting-Request message to the IAS server, where the message is logged.
The IAS server sends an Accounting-Response to the access server.
Note
The access server also sends Accounting-Request messages for the following:
During the time in which the connection is established.
When the access client connection is closed.
When the access server is started and stopped.
You can use IAS as a RADIUS server when:
You are using a Windows NT Server 4.0 domain, an Active Directory domain, or the local Security Accounts Manager (SAM) as your user account database for access clients.
You are using the Microsoft® Windows Server® 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 Routing and Remote Access service on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of remote access policies and connection logging for accounting.
You are outsourcing your dial-in, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.
For more information, see Deploying IAS as a RADIUS Server.
Note
- You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.