Appendix A - Frequently Asked Questions
What is IAS?
Internet Authentication Service (IAS) is the Microsoft Windows 2000 implementation of a Remote Authentication Dial-in User Service (RADIUS) server. RADIUS provides an industry-standard method to authenticate, authorize, and provide accounting for remote access and router-to-router connections. IAS can be used as a RADIUS server to any device, typically a network access server (NAS) that supports RADIUS.
What platforms does IAS run on?
IAS runs on any version of Windows 2000 Server (including Advanced Server and Datacenter Server) and is included with the operating system. IAS does not support a RADIUS-proxy capability and can only use Windows 2000 local Security Accounts Manager (SAM) or a Windows NT 4.0 or Windows 2000 domain controller for authentication.
There are two versions of a Microsoft RADIUS server for Windows NT Server 4.0:
The first version is named Internet Connection Services for Microsoft Remote Access Server and is included in the Windows NT 4.0 Option Pack. You can download the Windows NT 4.0 Option Pack from http://www.microsoft.com/ntserver/nts/downloads/recommended/NT4OptPk/default.asp
The second version is named Internet Connection Services for Microsoft RAS, Commercial Edition. It is an upgrade of the version supplied with the Windows NT 4.0 Option Pack. Internet Connection Services for Microsoft RAS, Commercial Edition provides a RADIUS proxy capability and support for different authentication mechanisms such as the Microsoft Membership System database, ODBC compliant databases, and local flat file.
For more information on Internet Connection Services for Microsoft RAS, Commercial Edition, see http://www.microsoft.com/ISN/misc/icsoverview.asp. You can download Internet Connection Services for Microsoft RAS, Commercial Edition at http://www.microsoft.com/ISN/downloads.asp#2.
Does IAS work with all Network Access Servers (NASs)?
Yes. Any NAS, VPN server, or device that supports RFCs 2138 and 2139 will work with IAS. Check your NAS documentation to determine RFC 2138 and 2139 compliance.
What is new in IAS, the Windows 2000 version of the RADIUS server?
There are several enhancements in Windows 2000 IAS that make it more scalable, robust, and secure than the versions made available for Windows NT 4.0. Here are some of the new features in Windows 2000:
Support for new authentication protocols and methods such as Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), Dialed Number Identification Service (DNIS) authorization, Automatic Number Identification (ANI) authorization, and unauthenticated access.
Centralized authorization of connection attempts based on remote access policies.
Centralized auditing and accounting that supports multilingual log files.
Remote monitoring and administration of your IAS servers.
Scalability to up to millions of users.
Enhanced Software Development Kit (SDK) to create custom EAP modules, authentication modules, or authorization modules.
Why should I use IAS over other RADIUS servers?
IAS has the following features:
Support for new authentication protocols and methods, such as Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), Dialed Number Identification Service (DNIS) authorization, Automatic Number Identification (ANI) authorization, and unauthenticated access.
Support for CHAP.
Local or remote graphical-user-interface configuration.
Integration with Windows 2000, including the use of user accounts, groups of Windows NT or Windows 2000 domains, and the Windows 2000 Event Log.
Detailed authentication and accounting logging.
Scalability to the largest ISPs.
Support for RFC-based RADIUS SNMP MIBs.
Flexible remote access policies to provide centrally managed authorization and connection-parameter enforcement.
Multi-vendor dictionary that allows the creation of custom vendor-specific attributes.
Authentication and authorization capabilities, extended through the IAS SDK.
Can IAS authenticate user accounts in NetWare Directory Services (NDS)?
No. IAS in Windows 2000 authenticates only user accounts that reside in a local SAM, a Windows NT 4.0 domain, or a Windows 2000 domain.
To authenticate user accounts in an NDS tree, you will either have to use a RADIUS proxy to forward the authentication request to a RADIUS server that supports NDS authentication or create an IAS authentication module using the IAS SDK that authenticates the user credentials using an NDS tree. A computer using the Internet Connection Services for Microsoft RAS, Commercial Edition and Windows NT 4.0 could be used as the RADIUS proxy. If there is a method for submitting user authentications to NDS through an ODBC interface, then you can use the Internet Connection Services for Microsoft RAS, Commercial Edition and Windows NT 4.0 as the RADIUS server that is providing the authentication.
Does IAS support callback?
If you configure the Set by Caller callback option on the dial-in properties of the user account, IAS returns the Service-Type=Callback-Framed attribute. This behavior is not clearly specified in the RADIUS RFCs and some NASs might not support this option. See your NAS documentation for more information.
If you configure the Always Callback to option on the dial-in properties of the user account and configure a phone number, IAS returns the Service-Type=Callback-Framed and Callback-Number="configured number" attributes. IAS conforms to the recommendation of the RFC, but some NASs might not. See your NAS documentation for more information.
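As an added illustration (not code from the original FAQ or from IAS), the following Python models the Access-Accept described in the two callback answers above. It encodes the Service-Type=Callback-Framed and Callback-Number attributes in the RFC 2138 Type/Length/Value format, computes the Response Authenticator, and shows the check a NAS performs on receipt: recomputing that authenticator with its copy of the shared secret, so a reply carrying callback instructions is only honoured if it came from a server that holds the secret. Attribute numbers and values (Access-Accept code 2, Service-Type 6 with Callback-Framed 4, Callback-Number 19) are from RFC 2138; the shared secret, identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2138 (not stated on the FAQ page).
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_CALLBACK_NUMBER = 19
SERVICE_TYPE_CALLBACK_FRAMED = 4
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("ascii")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(data):
    """Return (type, raw value) pairs; rejects lengths that would run past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """What a NAS does on receipt: recompute the authenticator with its copy of the secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def callback_accept(identifier, request_auth, secret, number=None):
    """Access-Accept with the attributes the FAQ says IAS returns for the two callback options."""
    attrs = [encode_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_CALLBACK_FRAMED)]
    if number is not None:  # "Always Callback to" additionally carries the configured number
        attrs.append(encode_attr(ATTR_CALLBACK_NUMBER, number))
    return build_response(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)


def parse_callback(packet):
    """Return (service_type, callback_number) as the NAS would read them; None when absent."""
    service_type, number = None, None
    for attr_type, value in decode_attrs(packet[HEADER_LEN:]):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_CALLBACK_NUMBER:
            number = value.decode("ascii")
    return service_type, number


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    request_auth = bytes(range(16))        # constructed; a real one is 16 random bytes
    packet = callback_accept(7, request_auth, secret, "5550100")
    print(packet.hex())
    print("authenticator valid:", verify_response(packet, request_auth, secret))
    print("decoded:", parse_callback(packet))
```

The verification step is the part worth keeping in mind when reading the NAS caveats above: a NAS that ignores or mishandles Service-Type=Callback-Framed is an interoperability problem, but a NAS that skips the Response Authenticator check would act on callback numbers from any host that can spoof the server's address.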
Can I use IAS to authenticate Web users?
No. Most Web servers, including all versions of the Microsoft Internet Information Server, do not use RADIUS to authenticate Web users.
Does Microsoft support a RADIUS client?
Yes. Both the Windows NT 4.0 Routing and Remote Access Service (RRAS) and the Windows 2000 Routing and Remote Access service can be configured as a RADIUS client to any RADIUS server.
Can my users change their passwords remotely once the passwords have expired?
Yes, provided that the dial-in client supports password changes during authentication, the client is using an authentication method that supports password changes (such as MS-CHAP or MS-CHAP v2), and the user account is in either the local SAM or a Windows NT 4.0 or Windows 2000 domain.
Does IAS support RADIUS proxying?
No. However, RADIUS proxying is supported by the Internet Connection Services for Microsoft RAS, Commercial Edition for Windows NT 4.0.
Can IAS scale to millions of users?
Yes. IAS can be used in many different environments, from the small business all the way up to the largest ISP. For more information, see the section on Performance and IAS.
Is IAS a single point of failure?
No. Typical RADIUS configurations use a primary RADIUS server and a backup RADIUS server that are configured with the same set of policies. RADIUS clients are configured for both the primary and backup RADIUS servers. If the primary RADIUS server becomes unavailable, RADIUS clients begin using the backup.
Does IAS support the ability to control the number of concurrent logon sessions?
No. However, you can write an authorization module using the IAS SDK to support this feature.
Does IAS support Security Dynamics token cards?
Yes, both EAP-based and non-EAP-based Security Dynamics token cards are supported. The Windows 2000 Server Resource Kit contains an EAP module for EAP-based Security Dynamics token card authentication. Non-EAP-based Security Dynamics token-card authentication can be supported by developing an authentication module using the IAS SDK.
Does IAS support the Challenge Handshake Authentication Protocol (CHAP) for both Windows NT 4.0 and Windows 2000 domains?
Does IAS work in a Windows NT 4.0 domain?
Yes. IAS works in a Windows NT 4.0 domain, Windows 2000 native mode, and Windows 2000 mixed-mode domains.
Does IAS support authentication against the Microsoft Membership System or a U2 Web database?
Will IAS work with my NAS if the attributes for my NAS are not in the IAS multi-vendor dictionary?
Yes. If there is an attribute that your NAS requires, you can configure a custom vendor-specific attribute (VSA) on the Advanced tab of the profile for the matching remote access policy. Check your NAS documentation for the correct format of these attributes.
How can I manage the configuration of remote access policies from a central location?
Remote access policies are stored locally on the IAS server. All RADIUS clients of the IAS server are subject to the same set of policies. You can copy the configuration of one IAS server, including policies, with the following procedure:
At a command prompt, type netsh aaaa show config >path\file.ext. This stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a UNC path.
Copy the file you created to the destination computer and, at a command prompt on the destination computer, type netsh exec path\file.ext. A message appears indicating whether the update was successful.
How can I use the Lightweight Directory Access Protocol (LDAP) to access the per-user attributes in Active Directory?
There is a published Application Program Interface (API) called MPR that you can use to do this.
How can I set a static IP address for each of my users?
You can set a static IP address using the Assign a Static IP Address option in the Dial-in properties of a user account. This option can only be set on user accounts in a local SAM for a stand-alone IAS server or on user accounts in a Windows 2000 native mode domain.
How do I read the IAS log files?
The file formats for the IAS log files are documented in Windows 2000 Server online Help. The Windows 2000 Server Resource Kit includes iasparse.exe, a command-line utility used to parse and read IAS log files, and TRU Access Manager Limited Edition, a network accounting application developed by Telco Research.
Along with RFCs 2138 and 2139, there are several addendum drafts that describe compulsory tunneling, signature attributes, and EAP. Are these supported in IAS?
Yes. The drafts describe several RADIUS attributes that were introduced by the IETF after the release of RFCs 2138 and 2139. Selected attributes from these drafts are supported.
Which NASs were tested with IAS?
Interoperability testing was done on NASs from Cisco, Lucent (Ascend Communications), 3Com (US Robotics), the Windows NT 4.0 Routing and Remote Access Service (RRAS), and the Windows 2000 Routing and Remote Access service.
How many IAS servers do I need?
This depends on the number of authentication requests you anticipate. IAS can perform hundreds of authentication requests per second on a single server. Using that as a guideline, you can make a better determination of the number of servers you will need. For more information, see the section on Performance and IAS.
Can I manage my IAS servers from my laptop, which is running Windows 2000 Professional?
Yes. You can install the Administration Tools on your laptop running Windows 2000 Professional and administer all of your IAS servers with the Internet Authentication Service administrative tool.
How does unauthenticated access work?
Unauthenticated access does not require the user to provide a user name, password, or domain. If you enable unauthenticated access, IAS uses the Windows 2000 Guest account to authenticate and authorize the user’s connection attempt. The Guest account must be enabled and the remote access permission must be set to either Allow access or Control access through Remote Access Policy.
Do I have to install IAS on a domain controller?
No. IAS can be installed on a computer that is a domain member. IAS performs authentication of domain credentials of incoming Access-Request messages using a secure communications channel with a domain controller.
How does IAS perform authentication?
The IAS server receives the user credentials from the NAS in the RADIUS Access-Request message. If there is a domain included in the user credentials, then IAS will look up the user’s account in that domain. The domain must be either a trusted domain or the domain in which the IAS server is a member. Otherwise, the connection attempt is rejected.
If the user credentials do not specify a domain, the IAS server determines the default domain from the registry. If the default domain is not specified in the registry, the IAS server uses the domain of which it is a member. If the IAS server is not a member of a domain, it attempts to authenticate the user credentials through the local SAM.
How do remote access policies work in IAS?
Remote access policies provide the authorization of the connection attempt. Once the user credentials have been authenticated, IAS evaluates the parameters of the connection attempt against the set of configured remote access policies. If the connection attempt matches a remote access policy (meets all of the conditions of the policy); has remote access permission; and meets all of the conditions of the account, the dial-in properties of the user account, and the remote access policy-profile settings, the connection attempt is accepted.
If the connection attempt does not match any remote access policy, does not have remote access permission, or fails to meet all of the conditions of the account and dial-in properties of the user account and the remote access policy profile settings, the connection attempt is rejected.
A connection attempt must be both authenticated and authorized before it is accepted.
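The following Python is an added example, not code from the FAQ or from IAS itself, that models the two phases just described as one decision: first the account-store resolution from "How does IAS perform authentication?" (domain given in the credentials, registry default domain, the server's own domain, then the local SAM), and then the remote access policy evaluation from "How do remote access policies work in IAS?" (first matching policy, remote access permission, the account's dial-in properties, and the profile constraints). The class names, the dictionary shapes for accounts and attempts, the policy condition names and the plain password comparison standing in for the domain controller check are all assumptions; the server, accounts and policies at the bottom are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two phases the FAQ describes; names and data shapes are assumptions.


@dataclass
class IasServer:
    member_domain: Optional[str] = None            # None for a stand-alone server
    registry_default_domain: Optional[str] = None  # default domain from the registry, if set
    trusted_domains: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    conditions: dict                 # every condition must hold for the policy to apply
    grant: bool                      # permission used when the account defers to the policy
    profile: dict = field(default_factory=dict)   # constraints applied after the match


def resolve_account_store(user_name, server):
    """Authentication: pick the account store, or None when the named domain is rejected."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        domain = domain.upper()
        acceptable = {d.upper() for d in server.trusted_domains}
        if server.member_domain:
            acceptable.add(server.member_domain.upper())
        return (domain if domain in acceptable else None), user
    if server.registry_default_domain:
        return server.registry_default_domain.upper(), user_name
    if server.member_domain:
        return server.member_domain.upper(), user_name
    return "LOCAL SAM", user_name


def _condition_holds(facts, key, wanted):
    value = facts.get(key)
    if isinstance(value, (set, frozenset)):   # e.g. Windows-Groups: membership test
        return wanted in value
    return value == wanted


def authorize(attempt, account, policies):
    """Authorization: the first policy whose conditions all hold decides; then permission,
    the account's dial-in properties and the profile constraints must all pass."""
    facts = dict(attempt)
    facts["Windows-Groups"] = account.get("groups", frozenset())
    matched = next((p for p in policies
                    if all(_condition_holds(facts, k, v) for k, v in p.conditions.items())), None)
    if matched is None:
        return False, "no matching remote access policy"
    permission = account["dial_in_permission"]     # allow / deny / policy
    if permission == "deny" or (permission == "policy" and not matched.grant):
        return False, f"remote access permission denied ({matched.name})"
    caller_id = account.get("verify_caller_id")    # dial-in property of the account
    if caller_id and attempt.get("Calling-Station-Id") != caller_id:
        return False, "caller ID does not match the account's dial-in properties"
    allowed_ports = matched.profile.get("nas_port_types")
    if allowed_ports and attempt.get("NAS-Port-Type") not in allowed_ports:
        return False, f"port type not permitted by the profile of {matched.name}"
    return True, matched.name


def process_request(user_name, password, attempt, server, accounts, policies):
    """Full decision: an attempt is accepted only when it is both authenticated and authorized."""
    store, user = resolve_account_store(user_name, server)
    if store is None:
        return False, "domain is neither trusted nor the domain the server belongs to"
    account = accounts.get((store, user.lower()))
    # plain comparison stands in for the domain controller / SAM credential check
    if account is None or account["password"] != password:
        return False, "authentication failed"
    return authorize(attempt, account, policies)


# Constructed sample data.
SERVER = IasServer(member_domain="CORP", trusted_domains=frozenset({"PARTNER"}))
ACCOUNTS = {
    ("CORP", "alice"): {"password": "pw-alice", "dial_in_permission": "policy",
                        "groups": frozenset({"CORP\\VPN Users"})},
    ("CORP", "bob"): {"password": "pw-bob", "dial_in_permission": "allow",
                      "verify_caller_id": "5550100"},
    ("PARTNER", "carol"): {"password": "pw-carol", "dial_in_permission": "deny"},
}
POLICIES = [
    Policy("VPN users", {"NAS-Port-Type": "Virtual", "Windows-Groups": "CORP\\VPN Users"},
           True, {"nas_port_types": {"Virtual"}}),
    Policy("Dial-in staff", {"NAS-Port-Type": "Async"}, True),
]

if __name__ == "__main__":
    print(process_request("alice", "pw-alice", {"NAS-Port-Type": "Virtual"}, SERVER, ACCOUNTS, POLICIES))
    print(process_request("OTHER\\alice", "pw-alice", {"NAS-Port-Type": "Virtual"}, SERVER, ACCOUNTS, POLICIES))
    print(process_request("bob", "pw-bob", {"NAS-Port-Type": "Async", "Calling-Station-Id": "5550199"},
                          SERVER, ACCOUNTS, POLICIES))
```

Note the ordering: the rejection reasons come out in the same order the FAQ gives them, so a failed attempt can be attributed to the domain lookup, the credential check, the policy match, the permission, the account's dial-in properties or the profile, which is the distinction you need when reading a rejected request in the IAS logs.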
How many remote access policies do I need?
IAS supports having dozens of policies. However, in most cases, only a handful of policies are needed to provide authorization. If you are using Windows groups to grant access and determine connection parameters, use universal groups and group nesting to reduce the number of policies. If you have unique needs outside of the policies in IAS, you can use the IAS SDK to write your own authorization module.
What are the minimum hardware requirements for IAS?
The minimum hardware requirements for IAS are the same as those for Windows 2000 Server: a Pentium 133 MHz (or equivalent) computer with 128MB of RAM.
Where can I learn more about IAS?
Windows 2000 Server Help contains conceptual, deployment, troubleshooting, and procedure information on IAS. Chapter 8 of the Windows 2000 Server Resource Kit Internetworking Guide, called Internet Authentication Service, contains additional technical details for IAS.