IAS and tunnels

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IAS and tunnels

Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure of one protocol to transfer a payload. Sometimes, the payload consists of the frames (or packets) of another protocol. Instead of being sent as the originating host produces it, the frame is encapsulated with an additional header. The additional header provides routing information so that the encapsulated payload can traverse an intermediate internetwork (also known as a transit internetwork). The encapsulated packets are then routed between tunnel endpoints over the transit internetwork. After the encapsulated payload packets reach their destination on the transit internetwork, the frame is de-encapsulated and forwarded to its final destination.

The entire process of the encapsulation, transmission, and de-encapsulation of packets is called tunneling. The logical path in the transit internetwork through which the encapsulated packets travel is called a tunnel.

With remote access virtual private network (VPN) connections, there are two types of tunneling:

  1. Voluntary tunneling

  2. Compulsory tunneling

Voluntary tunneling

A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user's computer is a tunnel endpoint that acts as the tunnel client. Voluntary tunneling occurs when a workstation or router uses tunneling client software to create a VPN connection to the target tunnel server. In order to accomplish this, the appropriate tunneling protocol must be installed on the client computer. In a dial-up situation, which is the most common use, the client must establish a dial-up connection to the internetwork before the client can set up a tunnel. A good example of this is the dial-up Internet user, who must dial an ISP and obtain an Internet connection before a tunnel over the Internet is created.

Voluntary tunneling is not different from other types of network access, and IAS can be used for authentication, authorization, and accounting.

Compulsory tunneling

Compulsory tunneling is the creation of a secure tunnel by another computer or network device on the client computer's behalf. Compulsory tunnels are configured and created automatically for users without their knowledge or intervention. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Another device between the user's computer and the tunnel server is the tunnel endpoint, which acts as the tunnel client.

Some vendors that sell dial-up access servers provide for the creation of a tunnel on behalf of a dial-up client. The computer or network device that provides the tunnel for the client computer is known as a front-end processor (FEP) in PPTP, an L2TP access concentrator (LAC) in L2TP, or an IP Security gateway in IPSec. The term FEP is used to describe tunnel creation functionality, regardless of the protocol used. To perform its function, the FEP must have the appropriate tunneling protocol installed and must be capable of establishing the tunnel when the client computer attempts a connection. The Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000 Routing and Remote Access service cannot be used as a FEP.

An organization can contract with an ISP to deploy a nationwide set of FEPs. These FEPs can establish tunnels across the Internet to a VPN server that is connected to the organization private network, thereby consolidating calls from geographically diverse locations into a single Internet connection at the organization network.

There are two types of compulsory tunneling. In the first type, the tunnel is created before the access client is authenticated. Based on the realm name or the caller ID of the access client, the FEP sends an Access-Request to an IAS server. The IAS server sends back an immediate Access-Accept with RADIUS attributes for the tunnel creation without performing authentication and authorization. After the tunnel is created, the access client authenticates against the tunnel server.

In the second type of compulsory tunneling, the tunnel is created after the access client is authenticated by the FEP. In this case, the FEP sends the Access-Request message with the client credentials to an IAS server. The IAS server authenticates and authorizes the connection attempt and returns RADIUS attributes in the Access-Accept message, which specify to the NAS how to initiate a tunnel to a VPN server. The tunnel-endpoint (the VPN server at which the tunnel is terminated), can be changed on the basis of conditions in a remote access policy. For example, the tunnel-endpoint can be changed on the basis of the user name or the user account group membership. Controlling compulsory tunnels with remote access policies provides more flexibility than static tunneling (which requires a dedicated network access server) or realm-based tunneling (which requires that all users in a given realm use the same tunnel settings).

RADIUS attributes used with compulsory tunneling

The following is a list of RADIUS attributes that are used to carry compulsory tunneling information from the IAS server to the FEP. The same set of attributes is used regardless of the type of compulsory tunnel.

  • Attributes used only for authorization:

    • Tunnel-Preference

    • Tunnel-Password

      This attribute should not be used with RADIUS proxies.

  • Attributes used in authorization and accounting:

    • Tunnel-Type (for example, PPTP and L2TP)

    • Tunnel-Medium-Type (for example, X.25, ATM, Frame Relay, and IP)

    • Tunnel-Client-Endpoint

    • Tunnel-Server-Endpoint

    • Tunnel-Private-Group-ID

    • Tunnel-Assignment-ID

    • Tunnel-Client-Auth-ID

    • Tunnel-Server-Auth-ID

  • Attributes used only for accounting:

    • Acct-Tunnel-Connection-ID

Compulsory tunneling example

The following table lists the set of compulsory tunneling RADIUS attributes that specify a compulsory tunnel. This tunnel uses the Layer Two Tunneling Protocol (L2TP) with a VPN server at the IP address of, and a tunnel password of og*37y#cW@95?4xT.

Attribute Value






IP (IP version 4)





Layer Two Tunneling Protocol (L2TP)

To configure IAS, add your versions of all of these attributes and their appropriate values on the Advanced tab in the profile properties of the applicable remote access policy. For more information, see Add RADIUS attributes to a remote access policy.


  • You can use a RADIUS Access-Accept packet to send tunnel attributes that describe multiple tunnels. However, IAS only returns information for a single tunnel.

  • IAS only supports one compulsory tunnel for each connection request and remote access policy.