
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced

Chapter 11: Internet Authentication Service

Objectives
• Understand and describe the purpose of the RADIUS
protocol
• Describe the function of RADIUS servers, clients,
and proxies
• Configure a RADIUS server using the Internet
Authentication Service
• Configure a RADIUS proxy using the Internet
Authentication Service

Guide to MCSE 70-291, Enhanced 2


Objectives (continued)
• Configure RRAS as a RADIUS client
• Troubleshoot RADIUS



RADIUS Overview
• RADIUS: remote authentication dial-in user service
• Designed to centralize the authentication process for
large distributed networks
• Originally intended for dial-up networks
• Can be used for VPN servers, switches, and wireless
access points
• Two mandatory server roles:
  • RADIUS client
  • RADIUS server



RADIUS Overview (continued)
• The RADIUS client accepts authentication
information from users or devices and forwards the
information to a RADIUS server
• The RADIUS server accepts authentication
information from a RADIUS client
• Windows Server 2003 can act as either a RADIUS
server or RADIUS client



RADIUS Overview (continued)
• Install IAS to use Windows Server 2003 as a
RADIUS Server
• RADIUS proxies act as intermediaries between
RADIUS clients and RADIUS servers



Outsourcing Dial-up Requirements
• You can use IAS to outsource dial-up requirements
and allow roaming users to continue logging on using
Active Directory user names and passwords
• A user dials in to the ISP, the ISP forwards the request
to a RADIUS proxy, the RADIUS proxy forwards the request
to a RADIUS server, and the RADIUS server passes the
information to a domain controller for authentication



Configuring IAS as a RADIUS
Server
• IAS is a standard component of Windows Server 2003
• Installed through Add or Remove Programs
• Must be configured using IAS snap-in before being
used
• IAS must be registered with Active Directory if
Active Directory is used on the network
• IAS server will not respond to any requests from
RADIUS clients not listed in the IAS configuration



Activity 11-1: Configuring IAS as
a RADIUS Server
• Objective: Install IAS so your server can act as a
RADIUS server
• Install IAS through Add or Remove Programs
• Add RADIUS clients
• Enter a password in the shared secret box



Configuring RRAS as a RADIUS
Client
• The RRAS server acts as a RADIUS client if it passes
authentication requests
• You may specify that a RADIUS server be used for
authentication when configuring RRAS
• You must specify the name or IP address of the
RADIUS server and the shared secret when configuring
RRAS as a RADIUS client
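
The shared secret entered on the IAS server in Activity 11-1 and on the RRAS client here is what lets each side validate the other's packets. The following added example (not from the original slides) shows the RFC 2865 Response Authenticator check a RADIUS client performs on a reply; the secret, attribute and request authenticator values are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and ignored
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample data (assumptions, not values from the slides).
REQUEST_AUTH = bytes(range(16))              # random 16 bytes in a real Access-Request
REPLY_MESSAGE = bytes([18, 9]) + b"Welcome"  # attribute type 18 (Reply-Message), length 9
SERVER_SECRET = b"constructed-shared-secret"

def demo():
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_MESSAGE, SERVER_SECRET)
    matching = verify_response(reply, REQUEST_AUTH, SERVER_SECRET)
    mismatched = verify_response(reply, REQUEST_AUTH, b"typo-in-shared-secret")
    return matching, mismatched

if __name__ == "__main__":
    print(demo())
```

A client whose secret does not match discards the server's valid reply, so a mistyped shared secret shows up as an authentication timeout rather than an explicit rejection.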



Activity 11-2: Configuring a RRAS
Client
• Objective: Configure a RRAS server to use IAS for
authentication
• Use Routing and Remote Access control
• Add new RADIUS server to the list
• Enter shared secret



Activity 11-3: Testing RADIUS
• Objective: Create a VPN connection to your RRAS
server to test RADIUS authentication
• Create a new VPN network connection
• Select the Anyone’s use option
• If RADIUS is configured successfully, your RRAS
server should contact the IAS service on your
partner’s computer



Configuring IAS as a RADIUS
Proxy
• Windows Server 2003 can act as a RADIUS proxy
• Windows Server 2003 can act as both RADIUS proxy
and RADIUS server at the same time
• Connection request policies determine how a
RADIUS request is handled



Remote RADIUS Server Groups
• Server groups are required for IAS to act as a
RADIUS proxy
• RADIUS requests and logging information are
forwarded to remote RADIUS server groups
• Server groups allow for load balancing and fault
tolerance
• Weight setting is used to configure load balancing
• Priority is assigned to provide fault tolerance
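
How priority and weight interact when a proxy picks a server from a group can be modelled in a few lines. This is an added example, not IAS code or part of the original slides: it assumes priority 1 is the most preferred tier and that weight splits requests among available servers of equal priority; the server names and values are constructed.

```python
import random

# Constructed sample group; names, priorities and weights are illustrative.
ENGINEERING = [
    {"name": "ias-a", "priority": 1, "weight": 70, "up": True},
    {"name": "ias-b", "priority": 1, "weight": 30, "up": True},
    {"name": "ias-dr", "priority": 2, "weight": 50, "up": True},
]

def candidates(group):
    """Available servers in the best (lowest-numbered) priority tier."""
    live = [s for s in group if s["up"]]
    if not live:
        return []
    best = min(s["priority"] for s in live)
    return [s for s in live if s["priority"] == best]

def pick_server(group, rng=random):
    """Fault tolerance via priority tiers, load balancing via weights."""
    tier = candidates(group)
    if not tier:
        return None  # no server reachable: the request cannot be forwarded
    weights = [s["weight"] for s in tier]
    return rng.choices(tier, weights=weights, k=1)[0]["name"]

def distribution(group, n=10000, seed=1):
    """Count which server receives each of n forwarded requests."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        name = pick_server(group, rng)
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    print(distribution(ENGINEERING))
    # Simulate losing both priority-1 servers: traffic fails over to priority 2.
    degraded = [dict(s, up=(s["priority"] != 1)) for s in ENGINEERING]
    print(distribution(degraded))
```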



Activity 11-4: Creating a Remote
RADIUS Server Group
• Objective: Create a remote RADIUS server group
that can be used when IAS is configured as a
RADIUS proxy
• Use the New Remote RADIUS Server Group Wizard
• Group name is Engineering
• Enter shared secret



Connection Request Policies
• Constructed similarly to a remote access policy
• No permissions
• Conditions are a subset of the conditions found in
remote access policies
• Conditions include Day-And-Time-Restrictions,
Client-IP-Addresses, and Client-Vendor
• Profile has very different options than profile in
remote access policy



Activity 11-5: Creating a Connection
Request Policy
• Objective: Create a new connection request policy to
configure your server as a RADIUS proxy
• Add a new connection request policy
• Use New Connection Request Policy Wizard
• Use proxy name EngineeringProxy



Troubleshooting RADIUS
• Most remote access problems are not related to
RADIUS
• Before troubleshooting RADIUS, ensure users can
obtain remote access without RADIUS
• Use log files whenever possible



Activity 11-6: Logging IAS
Information to a File
• Objective: Enable IAS event logging
• Ensure that all accounting requests are logged
• Ensure that all valid and nonvalid authentication
requests are logged
• Ensure all interim accounting requests are logged



Summary
• RADIUS may be used to centralize remote access
authentication and logging
• RADIUS is composed of RADIUS clients, RADIUS
servers, and RADIUS proxies
• RADIUS clients forward authentication requests to RADIUS
servers; RADIUS servers then authenticate the requests and
authorize the connections
• A RADIUS proxy can be used as an intermediary between
RADIUS clients and servers in large environments
• IAS allows Windows Server 2003 to act as a RADIUS server



Summary (continued)
• RRAS can act as a RADIUS client when configured
as a remote access server
• IAS can also be configured as a RADIUS proxy
• Connection request policies are used on each request
to determine whether IAS acts as a RADIUS server
or a RADIUS proxy
• Connection request policies are composed of a
condition and a profile
• IAS can log information to a file or to SQL Server
