IAS Configuration

The configuration of IAS consists of these settings:

  • Global properties for the IAS server, which are independent of RADIUS clients.

  • RADIUS clients, with one client entry for each NAS that sends RADIUS packets to the IAS server.

  • Remote access policies, consisting of the list of policies that allow or reject connection attempts of all types from all RADIUS clients of the IAS server.

  • Remote access logging, which consists of the types of events to be logged, the log file format, and log file settings.

Beyond the configuration of IAS, this section also includes information on how to configure the Windows 2000 Routing and Remote Access service as a RADIUS client to an IAS server.

Note: All of the instructions below begin from the Internet Authentication Service administrative tool.

IAS Properties

To configure global properties of an IAS server, right-click Internet Authentication Service, and then click Properties.

Service Tab

Figure 15 shows the Service tab for an IAS server:


Figure 15: The Service tab for the Properties of an IAS Server

The Service tab is used to:

  • Type a name for the server to distinguish it from other IAS servers. The default name is IAS.

  • Enable or disable the logging of rejected or discarded authentication requests in the Windows 2000 system event log. This option is enabled by default.

  • Enable or disable the logging of successful authentication requests in the Windows 2000 system event log. This option is enabled by default.

RADIUS Tab

Figure 16 shows the RADIUS tab for an IAS server:


Figure 16: The RADIUS tab for the Properties of an IAS Server

The RADIUS tab is used to do the following:

  • Specify the list of UDP ports over which RADIUS authentication messages are sent and received. By default, IAS uses UDP ports 1812 and 1645. UDP port 1812 is the reserved RADIUS authentication port described in RFC 2138. UDP port 1645 is used by earlier RADIUS clients.

  • Specify the list of UDP ports over which RADIUS accounting messages are sent and received. By default, IAS uses UDP ports 1813 and 1646. UDP port 1813 is the reserved RADIUS accounting port described in RFC 2139. UDP port 1646 is used by earlier RADIUS clients.

Realms Tab

Figure 17 shows the Realms tab for an IAS server:


Figure 17: The Realms tab for the Properties of an IAS Server

The Realms tab is used to configure a prioritized list of find-and-replace rules to manipulate realm names before name-cracking and authentication. Pattern-matching syntax is used to specify the strings to find and replace. For more information on pattern matching syntax, see Appendix D. Find-and-replace rules can be added, edited, and removed. The rules are applied to the incoming user name in the order in which they are listed. Use the Move Up and Move Down buttons to specify the order.
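The following added example (not part of the original documentation) models the prioritized find-and-replace behaviour described above: each rule is applied to the incoming user name in list order, so moving a rule up or down changes the result. Python regular-expression syntax and the rule set are assumptions for illustration; the product's own pattern syntax is documented in Appendix D.

```python
import re

# Constructed rules in priority order (assumed Python `re` syntax):
#  1. strip the home realm so local users are looked up by bare name
#  2. turn any remaining user@realm into realm\user for name-cracking
REALM_RULES = [
    (r"^(.*)@corp\.example\.com$", r"\1"),
    (r"^(.*)@(.*)$", r"\2\\\1"),
]


def rewrite_user_name(user_name, rules):
    """Apply find-and-replace rules to an incoming user name in list order.

    Assumed semantics: every rule is tried once, in order, on the output of
    the previous rule. A rule that does not match leaves the name unchanged.
    """
    name = user_name
    for pattern, replacement in rules:
        name = re.sub(pattern, replacement, name)
    return name


if __name__ == "__main__":
    for user in ("alice@corp.example.com", "bob@partner.example.net", "carol"):
        print(user, "->", rewrite_user_name(user, REALM_RULES))
    # Reversing the order (Move Down on rule 1) changes the outcome:
    print(rewrite_user_name("alice@corp.example.com", list(reversed(REALM_RULES))))
```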

Clients

To add a new RADIUS client for the IAS server, right-click Clients, and then click New Client. The IAS New Client wizard will guide you through the procedure. To modify an existing client’s properties, right-click the client name and then click Properties.

Figure 18 shows the properties of a RADIUS client:


Figure 18: The Properties of a RADIUS Client

The Settings tab is used to:

  • Specify a friendly name for the RADIUS client. This name does not have to correspond to the DNS, NetBIOS, or computer name of the RADIUS client.

  • Specify either the IP address or the DNS name of the RADIUS client. If you specify the DNS name, you can verify that the name is being resolved to the correct address. If the DNS name is associated with multiple IP addresses, you can choose the address to use.

  • Specify the vendor of the RADIUS client. Select RADIUS standard for a vendor-independent client. For a Windows 2000 Routing and Remote Access server, select Microsoft.

  • Specify whether the client must always include the RADIUS signature attribute (also known as a digital signature) in Access-Request messages for connection requests using the PAP, CHAP, MS-CHAP v1, and MS-CHAP v2 authentication protocols. With EAP, the signature attribute is always required. If you enable this option, you must ensure that the RADIUS client is configured to always send the signature attribute. Otherwise, IAS will discard the Access-Request upon receipt.

  • Specify and verify the shared secret. The shared secret is a password used between IAS and this specific RADIUS client to mutually verify identity. Both IAS and the RADIUS client must be configured with the same shared secret for successful communication to occur. The shared secret can be up to 128 bytes long, is case-sensitive, and can contain alphanumeric and special characters. To protect your IAS server and your RADIUS clients from dictionary and denial-of-service attacks, make the shared secret a long (more than 16 characters) sequence of random letters, numbers, and punctuation.

Remote Access Logging

Remote access logging in the Internet Authentication Service administrative tool is used to configure log file settings. To access the properties for local logging, click Remote Access Logging, right-click Local File, and then click Properties.

Settings Tab

Figure 19 shows the Settings tab in Local File Properties:


Figure 19: The Settings Tab for the Local File Properties in Remote Access Logging

The Settings tab is used to:

  • Enable or disable the logging of accounting requests in the IAS log file. Accounting requests include Accounting-On, Accounting-Off, Accounting-Start, and Accounting-Stop messages. IAS logs only accounting requests sent by the RADIUS client. If the RADIUS client is not configured for RADIUS accounting, then accounting requests for that client are not logged. This setting is not enabled by default.

  • Enable or disable the logging of authentication requests in the IAS log file. This setting is not enabled by default.

  • Enable or disable the logging of interim accounting requests in the IAS log file. This setting is not enabled by default.

Local File Tab

Figure 20 shows the Local File tab in Local File Properties:


Figure 20: The Local File Tab for the Local File Properties in Remote Access Logging

The Local File tab is used to:

  • Specify the log file format. The database-compatible format is an ODBC-compatible format that is typically selected when you want to move the log file information to a database program. The IAS format is an ID-value paired format that provides information on all RADIUS attributes in the RADIUS message. By default, IAS format is selected.

  • Specify the duration of the log file or its maximum size. By default, Unlimited file size is selected.

  • Specify the location of the IAS log file.

For more information about log file format, see Windows 2000 Server Help.

Configuring Windows 2000 Routing and Remote Access Service for RADIUS

On a Routing and Remote Access server, RADIUS authentication and accounting are configured from the Security tab on the properties of the Routing and Remote Access server (right-click the server name in the Routing and Remote Access administrative tool, and then click Properties).

Figure 21 shows the Security tab for the Routing and Remote Access server properties:


Figure 21: The Security Tab for the Routing and Remote Access Server Properties

To configure the Routing and Remote Access server for RADIUS authentication, select RADIUS Authentication in Authentication provider. To configure the Routing and Remote Access server for RADIUS accounting, select RADIUS Accounting in Accounting provider.

Figure 22 shows the authentication settings for a RADIUS server:


Figure 22: The Settings for RADIUS Server Authentication

The Add/Edit RADIUS Server dialog box is used to do the following:

  • Specify the DNS name or IP address of the RADIUS server.

  • Specify the shared secret.

  • Specify the amount of time in seconds to wait for a response from this RADIUS server before trying another RADIUS server.

  • Specify the initial responsiveness score of this RADIUS server.

  • Specify the UDP port used by the Routing and Remote Access service for sending and receiving RADIUS authentication messages.

  • Specify whether the Routing and Remote Access server must always include the RADIUS signature attribute in Access-Request messages for PAP, CHAP, MS-CHAP v1, and MS-CHAP v2. With EAP, the signature attribute is always required. If you enable this option, you must ensure that the RADIUS server is configured to always receive the signature attribute. This is the RADIUS client setting that corresponds to the IAS RADIUS client setting called Client must always send the signature attribute in the request.
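The signature attribute discussed here and under the Clients settings is the RADIUS Message-Authenticator attribute (type 80, RFC 2869): an HMAC-MD5 over the Access-Request, keyed with the shared secret, computed with the attribute's own value zeroed. The following added example (not code from IAS or from Windows 2000) builds a minimal Access-Request on the client side and shows the server-side check that discards a request when the attribute is required but missing, or present but wrong. Attribute values, identifiers, and the shared secret are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1               # RFC 2138 attribute type
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, 16-byte HMAC-MD5


def build_access_request(identifier, username, secret, sign=True):
    """Client side: Code | Identifier | Length | Request Authenticator | attributes.
    With sign=True, a zero-filled Message-Authenticator is appended first and
    then replaced by HMAC-MD5(secret, whole packet)."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    if sign:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac
    return packet


def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen


def check_message_authenticator(packet, secret, required):
    """Server side. Returns 'accept', 'discard-missing' or 'discard-bad'.
    `required` mirrors the IAS client setting that mandates the attribute."""
    for atype, pos, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "accept" if hmac.compare_digest(expected, value) else "discard-bad"
    return "discard-missing" if required else "accept"
```

The shared secret used as the HMAC key is the one configured on both sides, which is why the page's advice to make it long and random also protects the integrity of this attribute.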

Figure 23 shows the settings for a RADIUS server for accounting:


Figure 23: The Settings for RADIUS Server Accounting

The Add/Edit RADIUS Server dialog box is used to:

  • Specify the DNS name or IP address of the RADIUS server.

  • Specify the shared secret.

  • Specify the amount of time in seconds to wait for a response from this RADIUS server before trying another RADIUS server.

  • Specify the initial responsiveness score of this RADIUS server.

  • Specify the UDP port used by the Routing and Remote Access service for sending and receiving RADIUS accounting messages.

  • Specify whether the Routing and Remote Access server sends the RADIUS Accounting-On and Accounting-Off messages when the Routing and Remote Access service is started and stopped.