Share via


Checklist: Configuring the IAS server for authenticated switch access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Checklist: Configuring the IAS server for authenticated switch access

Step Reference

Review RADIUS and IAS concepts.

IAS Overview; Understanding IAS

Review IAS implementation best practices.

IAS Best Practices

Review IAS security issues.

Security information for IAS

If you are using certificates for authentication, install a computer certificate on IAS server computers.

Computer certificates for certificate-based authentication

Install IAS on the servers to be used as primary and backup IAS servers.

Install IAS

Configure the properties of the primary IAS server, including the ports used and event log settings.

Configure IAS Properties

Configure logging methods for user authentication and accounting requests.

Configure Logging for User Authentication and Accounting

Add the Ethernet switches as RADIUS clients on the primary IAS server.

Add RADIUS clients

Use the New Remote Access Policy Wizard to create a common policy for Ethernet access.

Add a remote access policy

If you are using certificate authentication and initially installing computer certificates on your Ethernet clients over an authenticated Ethernet connection, enable guest authentication.

Guest authentication

If you are using certificate authentication and initially installing a computer certificate on your Ethernet clients over an authenticated Ethernet connection, create a group named Guests and add the Guest account as a member.

Create a new group; Add a member to a group

If you are using certificate authentication and initially installing computer certificates on your Ethernet clients over an authenticated Ethernet connection, use the New Remote Access Policy Wizard to create a custom policy for new Ethernet switch clients (clients that do not have computer certificates that are used in the authentication process). Set the NAS-Port-Type condition to Ethernet and the Windows-Groups condition to Guests. On the Dial-in Constraints tab of the profile, restrict the maximum session time to 10 minutes. On the Advanced tab of the profile, add the Tunnel-Type attribute with the value of Virtual LANs (VLAN), and then add the Tunnel-Pvt-Group-ID attribute with the VLAN ID value that corresponds to guest Ethernet clients.

Add a remote access policy

Copy the IAS configuration from the primary IAS server to the backup IAS server.

Copy the IAS configuration to another server

Register the primary and backup IAS servers in the appropriate Active Directory domains.

Enable the IAS server to read user accounts in Active Directory

Verify the configuration of the Ethernet switches. Ensure that the RADIUS servers used for the Ethernet switch authentication and accounting are the IAS server computers.

Manufacturer's documentation

Optional. Configure first-time Ethernet switch clients for authenticated access.

Checklist: Configuring a first-time Ethernet switch client for authenticated access

Optional. Install a computer certificate on Ethernet clients over an unauthenticated Ethernet connection.

Checklist: Installing a computer certificate on an Ethernet client over an unauthenticated Ethernet connection

Optional. Install user certificates from floppy disk on Ethernet clients.

Checklist: Installing a user certificate from floppy disk on an Ethernet client

Note

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.