Using RADIUS in a heterogeneous remote access infrastructure
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Using RADIUS in a heterogeneous remote access infrastructure
For some Internet service providers and corporate remote access environments, the remote access equipment consists of multiple remote access devices of different types from different manufacturers. In a heterogeneous remote access environment, a single standard must exist for providing authentication of remote access user credentials and accounting of remote access activity.
In many of these environments, the Remote Authentication Dial-In User Service (RADIUS) is used. RADIUS is a client/server protocol where RADIUS clients send authentication and accounting requests to a RADIUS server. The RADIUS server checks the remote access authentication credentials on the user accounts and logs remote access accounting events.
You can configure a server running Routing and Remote Access as a RADIUS client. In this scenario, the network also includes a RADIUS server called Internet Authentication Service (IAS) that can be used by Routing and Remote Access. For more information about IAS, see Features of IAS.
If you want to configure a server running Routing and Remote Access as a RADIUS client, complete the following steps:
Configure the remote access server.
Configure the remote access server for RADIUS authentication.
Configure the remote access server for RADIUS accounting.
The following illustration shows the elements of a server running Routing and Remote Access that uses RADIUS in a heterogeneous remote access infrastructure.
Configuring the remote access server
You must configure the server running Routing and Remote Access to provide remote access to either dial-up networking clients or virtual private networking clients. For more information, see the following:
Configuring the remote access server for RADIUS authentication
When you configure the properties of the server running Routing and Remote Access, select RADIUS authentication as the authentication provider. For more information, see Use RADIUS authentication.
When you add a RADIUS server, you must configure the following:
Server Name
The host name or IP address of the computer that is running the RADIUS server process.
Secret
The RADIUS client (the server running Routing and Remote Access) and the RADIUS server share a secret that is used to encrypt messages sent between them. You must configure both the RADIUS client and the RADIUS server to use the same shared secret.
Port
The RADIUS client must send its authentication requests to the UDP port on which the RADIUS server is listening. The default value of 1812 is based on RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)." For some older RADIUS servers based on the earliest implementations of RADIUS, the port should be set to 1645.
Configuring the remote access server for RADIUS accounting
When you configure the properties of the server running Routing and Remote Access, select RADIUS accounting as the accounting provider. For more information, see Use RADIUS accounting.
When you add a RADIUS server, you must configure the following:
Server Name
The host name or IP address of the computer that is running the RADIUS server process.
Secret
The RADIUS client (the server running Routing and Remote Access) and the RADIUS server share a secret that is used to encrypt messages sent between them. You must configure both the RADIUS client and the RADIUS server to use the same shared secret.
Port
The RADIUS client must send its accounting requests to the UDP port on which the RADIUS server is listening. The default value of 1813 is based on RFC 2866, "RADIUS Accounting." For some older RADIUS servers, the port should be set to 1646.