Choose Router User Accounts and Groups
Applies To: Windows Server 2008, Windows Server 2008 R2
After a calling router is authenticated by using either Windows or RADIUS as the authentication provider, it must be authorized: that is, it must be given permission to establish a connection with the answering router. You use two interrelated sets of components to authorize access by the calling router: user accounts and (optionally) groups, and remote access network policies.
Before you can successfully configure either the router user accounts or network policies, you need to understand the relationship between the two. Configuring the router user account includes the option of choosing whether to use network policies to grant the calling router access to the answering router. You can grant or deny permission for the calling router to access the answering router either at the user account level or at the network policy level. The permission specified in the user account overrides the permission specified in a network policy. However, if you choose the Control access through NPS Network Policy option in the user account that the answering router uses to authenticate the calling router, the network policy setting takes precedence. This option is available only for accounts on stand-alone routers or members of a native mode Active Directory domain. For more information about remote access network policies, see Configure a Remote Access Network Policy in the RRAS Deployment Guide.
To allow or reject connection attempts according to a variety of criteria, you can specify several remote access options in the user account of the calling router and multiple options in network policies. This level of precision enhances the security of your site-to-site connection by providing great flexibility in how you can control access to the answering router and its network resources.
You can configure router user accounts individually for each router or by adding router accounts to an Active Directory group. For more information, see Create User Accounts for the Site-to-Site Connection in the RRAS Deployment Guide.
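The precedence rule above (account-level Allow/Deny overrides a network policy, while "Control access through NPS Network Policy" defers to it) and the group-based approach can be applied from PowerShell. The following is an added example, not code from the RRAS Deployment Guide; the account and group names are placeholders, and it assumes the ActiveDirectory module on a domain in native mode.

```powershell
# Added example (placeholders, not from the RRAS Deployment Guide): create the
# calling router's user account, add it to a group that network policies can
# match on, and choose how dial-in permission is decided.
Import-Module ActiveDirectory

$routerAccount = 'Router-Branch01'        # placeholder account name
$routerGroup   = 'Site-to-Site-Routers'   # placeholder group name
$password      = Read-Host -AsSecureString -Prompt 'Router account password'

# 1. Create the router user account (password must meet domain policy).
New-ADUser -Name $routerAccount -SamAccountName $routerAccount `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true

# 2. Put the account in a group so a network policy can grant access by
#    group membership instead of per-account settings.
if (-not (Get-ADGroup -Filter "Name -eq '$routerGroup'")) {
    New-ADGroup -Name $routerGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $routerGroup -Members $routerAccount

# 3. Dial-in permission is stored in the msNPAllowDialin attribute:
#    $true  = Allow access  (account decides; overrides network policy)
#    $false = Deny access   (account decides; overrides network policy)
#    absent = Control access through NPS Network Policy (policy decides)
# Clearing it hands the decision to the remote access network policy.
Set-ADUser -Identity $routerAccount -Clear msNPAllowDialin

# 4. Verify which side makes the decision; test for $null explicitly because
#    a $null value would otherwise be coerced to $false (Deny).
$acct = Get-ADUser -Identity $routerAccount -Properties msNPAllowDialin
if ($null -eq $acct.msNPAllowDialin) {
    "$routerAccount : Control access through NPS Network Policy"
} elseif ($acct.msNPAllowDialin) {
    "$routerAccount : Allow access (account setting overrides policy)"
} else {
    "$routerAccount : Deny access (account setting overrides policy)"
}
```

To switch the account back to an explicit decision, set the attribute with `Set-ADUser -Identity $routerAccount -Replace @{msNPAllowDialin=$true}` (Allow) or `$false` (Deny); either value then overrides any network policy that matches the connection.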