Network Access Technologies
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Network Access Technologies
Network access is a critical component of any organization’s network infrastructure. Administrators have to dynamically enable and control network access for employees, vendors, business partners, and entire branch offices that are in a variety of physical locations and that are using many different types of devices. Enabling network access, while maintaining security, is an enormous challenge for administrators. You can use the Microsoft Windows Server 2003 operating system to implement a comprehensive network access solution that can include the following variety of technologies:
Secure access to wireless local area networks (WLANs)
Secure remote access to intranets over the Internet
Services that provide centralized network connection authentication, authorization, and accounting
Tools and services that support the creation and distribution of components to manage secure client-side network access
Network Access Technologies Architecture
In Windows Server 2003, there are four network access technology components:
Virtual private networks (VPNs)
Internet Authentication Service (IAS)
The following figure shows the components of a network access technology infrastructure. In this example, the Connection Manager service profile initiates remote access client connections to dial-up or VPN-based remote access servers. The remote access servers act as Remote Authentication Dial-In User Service (RADIUS) clients and send the access requests to an IAS server for authentication and authorization. Similarly, the 802.11 wireless client requests access from the wireless access point, which sends the access requests to an IAS server.
The IAS server receives and processes the access requests and queries a user account database to verify access client credentials.
Network Access Technology Architecture
Network Access Technologies Components
The following network access technologies provide a range of options for secure client access to an organization’s network.
The WLAN protocol, 802.11, and associated technologies, such as the 802.1X protocol, are IEEE standards supported by Microsoft to provide secure wireless networking that allows you to extend your core network infrastructure to roaming wireless clients.
The IEEE 802.11 wireless standard defines the specifications for the physical layer and the media access control (MAC) sublayer for wireless communications. The 802.1X standard defines port-based network access control used to provide authenticated network access for Ethernet networks. Although this standard was originally designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
Until the recent development and wide adoption of WiFi, also known as 802.11b, network clients needed to be physically connected to a LAN to obtain high-speed network access to the LAN.
For more information, see 802.11 Wireless Technical Reference.
A VPN is the extension of a private network that encompasses secure links across shared or public networks, such as the Internet, so that remote clients can securely connect to an organization’s network resources. VPN technology also enables remote offices to securely connect to each other so that they can share resources and information over the Internet. A VPN connection uses secure authentication and data encryption to preserve the privacy and integrity of data as it traverses the Internet.
For more information, see VPN Technical Reference.
IAS is the Microsoft implementation of the RADIUS standard defined by the Internet Engineering Task Force (IETF) in RFCs 2138 and 2139. IAS performs centralized authentication, authorization, auditing, and accounting of users who are connecting to a wireless or wired local area network (LAN), using a remote access connection to connect to a private intranet. A server running IAS can be configured to perform a RADIUS server role or a RADIUS proxy role.
Configured as a RADIUS server, an IAS server accepts connection requests from access clients and performs connection authentication and authorization for many types of network access, including wireless, wired, and remote access dial-up and VPN connections. You can use an IAS server to authenticate users in databases on domain controllers running Windows NT Server version 4.0, Windows 2000 Server, or Windows Server 2003. Configured as a RADIUS proxy, an IAS proxy server forwards authentication and accounting messages to a RADIUS server. When used as a RADIUS proxy, an IAS proxy server is a central switching or routing point through which RADIUS access and accounting messages flow.
You can use Connection Manager to create and distribute customized remote access client connections, called service profiles. Service profiles are used to automatically configure remote access clients so they can connect to servers that are running the Routing and Remote Access service or other dial-up or VPN servers by using administrator-defined connection settings. By customizing remote access connections and controlling how users remotely connect to a network, administrators can simplify their remote access solution, reduce the organizational resources dedicated to assisting remote users, and increase the security of remote connections to the private intranet.
For more information, see Connection Manager Technical Reference.
Network Access Technologies Scenarios
The four network access technologies in this section can be deployed in a variety of configurations to meet the specific needs of your environment. When an access client attempts to connect to a wireless access point or a remote access server, the wireless access point or remote access server acts as a RADIUS client and communicates with an IAS server for authentication and authorization to complete the network connection. Connection Manager profiles can be used to automate client-side remote access client configuration