Deploying Internet Authentication Service


  • 8/7/2019 Deploying Internet Authentication Service

    1/11

Deploying Internet Authentication Service (IAS)

    Updated: March 28, 2003

    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Servers running the Internet Authentication Service (IAS) component of the Microsoft Windows Server 2003 operating system perform centralized authentication, authorization, auditing, and accounting for many types of network access, including dial-up, virtual private network (VPN), wireless, and 802.1X authenticating switch access.

    IAS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol. A number of design, implementation, and deployment issues must be considered when rolling out a scalable and robust IAS solution.

    Information about deploying remote access clients can be found in other chapters in this book.

    In This Chapter

    Overview of IAS Deployment

    Designing IAS

    Designing an Optimized IAS Solution

    Creating a Remote Access Policy Strategy

    Securing Your Remote Access Strategy

    Implementing Your IAS Solution

    Additional Resources for Remote Access

    Related Information

For information about Windows Server 2003 Internet Authentication Service (IAS), see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit).


For information about Windows Server 2003 Routing and Remote Access, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit).

    For information about Windows Server 2003 Routing and Remote Access deployment, see "Deploying Dial-up and VPN Remote Access Servers," "Deploying Remote Access Clients Using Connection Manager," and "Connecting Remote Sites" in this book.

    Overview of IAS Deployment

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use IAS to provide authentication and authorization for dial-up, VPN, wireless, and authenticating switch access to your network. For example, organizations that outsource network access and perform joint ventures with other organizations require the authentication of user accounts from outside of the private network. In addition, organizations that provide outsourcing services, such as Internet service providers (ISPs), require remote user connection accounting so that they can charge subscribers.

    Windows Server 2003 IAS enables you to centralize authorization, authentication, and accounting for remote access clients, enhancing the security of your network. Windows Server 2003 IAS works with other standards-based implementations of the Remote Authentication Dial-In User Service (RADIUS) protocol, so that you can use it with any standards-compliant RADIUS client, server, or proxy server.

    Windows Server 2003 IAS is included in Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. IAS is not provided with Microsoft Windows Server 2003, Web Edition. In addition, Windows Server 2003, Standard Edition, limits some IAS features. For more information, see "Concepts for IAS" later in this chapter.

Windows Server 2003 IAS provides the following solutions for organizations that require secure network access:

    • Compatibility with RADIUS servers and clients from any vendor that meets the specifications outlined in RFCs 2865, 2866, and 2869.

    • Integration with the Active Directory directory service. IAS allows you to take advantage of Active Directory for user authentication, authorization, and client configuration, thus reducing management costs.

    • Use of standards-based strong authentication methods for network access.


• Management of network access that is outsourced to an ISP. IAS allows you to create an agreement between your organization and the ISP in which the ISP can charge a roaming user's department for that employee's network usage. In this way, each employee does not need to submit an expense statement or create a roaming account to connect to the corporate network remotely.

    • Dynamic key management for wireless access points as a means to increase network security.
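The compatibility item above rests on the RADIUS packet format and integrity checks defined in RFC 2865 and RFC 2869, which is also what protects IAS-related traffic between a RADIUS client and server from forged or altered replies. The following is an added example, not code from the chapter or from Microsoft: a minimal RADIUS response builder and verifier in Python that applies the two checks a standards-compliant client performs on an Access-Accept or Access-Reject, the Response Authenticator (MD5 over the header, Request Authenticator, attributes and shared secret, RFC 2865 section 3) and the Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 2869 section 5.14). The shared secret, Request Authenticator, identifier and attribute values are constructed sample data.

```python
"""RADIUS response integrity checks as an RFC 2865 / RFC 2869 client applies them.

Added example (not from the original chapter): the shared secret, Request
Authenticator and attribute values below are constructed sample data.
"""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types used here (RFC 2865 section 5; RFC 2869 section 5.14)
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed sample values for this example only.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_attributes(attrs):
    """Serialize (type, value) pairs as Type(1) Length(1) Value TLVs."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def parse_attributes(data):
    """Parse TLVs, rejecting truncated or zero-length encodings."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Build an Access-Accept/Reject carrying Message-Authenticator and Response Authenticator.

    Message-Authenticator = HMAC-MD5(secret, Code|Id|Length|RequestAuth|Attributes),
    computed with its own 16 value octets zeroed (RFC 2869 section 5.14).
    Response Authenticator = MD5(Code|Id|Length|RequestAuth|Attributes|secret)
    (RFC 2865 section 3), computed over the final attributes.
    """
    zeroed_attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    zeroed_body = encode_attributes(zeroed_attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(zeroed_body))
    mac = hmac.new(secret, header + request_authenticator + zeroed_body, hashlib.md5).digest()
    body = encode_attributes(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_response(packet, request_authenticator, secret):
    """Return (True, code) if both integrity checks pass, otherwise (False, reason)."""
    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "Length field does not match packet size"
    header, response_authenticator, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    # Check 1: Response Authenticator binds the reply to our request and the shared secret.
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, response_authenticator):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attributes(body)
    except ValueError as exc:
        return False, str(exc)
    # Check 2: Message-Authenticator, when present, must be a valid keyed HMAC-MD5.
    mac_values = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if mac_values:
        if len(mac_values) != 1 or len(mac_values[0]) != 16:
            return False, "malformed Message-Authenticator"
        zeroed = encode_attributes(
            [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
        mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, mac_values[0]):
            return False, "bad Message-Authenticator"
    return True, code


if __name__ == "__main__":
    pkt = build_response(ACCESS_ACCEPT, 7, SAMPLE_REQUEST_AUTHENTICATOR,
                         [(ATTR_USER_NAME, b"alice"), (ATTR_REPLY_MESSAGE, b"Welcome")],
                         SHARED_SECRET)
    print(verify_response(pkt, SAMPLE_REQUEST_AUTHENTICATOR, SHARED_SECRET))
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 9] ^= 0x01  # flip one bit inside Reply-Message
    print(verify_response(bytes(tampered), SAMPLE_REQUEST_AUTHENTICATOR, SHARED_SECRET))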

    Designing IAS

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    After taking an inventory of your network environment, the first step in designing an IAS solution is to determine the role of the IAS server. For example, determine whether you need the IAS server to authenticate the connection request that it receives, forward the request to another IAS server for authentication, or perform a mixture of both functions depending on context. Finally, an important step in the design process is to configure IAS to work with different types of clients.

    Figure 7.3 shows the process for designing IAS.

    Figure 7.3 Designing IAS


    Designing an Optimized IAS Solution

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    Optimize your IAS design by planning how to scale your IAS servers, whether or not to add IAS servers, where to place your IAS servers, and other steps as illustrated in Figure 7.9.

    Figure 7.9 Designing an Optimized IAS Solution


IAS RADIUS clients and servers require minimal management and administration. However, over time, changes in the number of access clients, changes in WAN technology, and other factors can reduce the performance of IAS.

    You can optimize IAS performance by positioning your IAS servers strategically. Use the following guidelines when deciding where to position your IAS servers:

    • Locate IAS servers in the same domain with the server that provides remote user account authentication.

    • Locate IAS on a domain controller and store the user account database in Active Directory.

    In addition, the following factors can negatively impact IAS performance:

    • The current load of the domain controller.

    • The resolution of user principal names, resulting in an additional remote procedure call (RPC) query against the computer that contains the global catalog.


• EAP-based authentication methods, involving multiple challenge-response exchanges.

    • The type of hardware in use.

    • Network latency between:

    o The IAS server and the domain controller.

    o The IAS server and the computer that contains the global catalog.

    o The IAS server and the access server.

    You can optimize the performance of an IAS solution by scaling IAS to meet increasing demands in your organization and by including more than one RADIUS client and server in your network design.

    Creating a Remote Access Policy Strategy

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    Remote clients connect to the network by using remote access policies. Plan an authorization method for security, and then plan your user groups and user accounts. Next, create your remote access policies to centralize management. Figure 7.10 illustrates this process.

    Figure 7.10 Creating a Remote Access Policy Strategy


    Securing Your Remote Access Strategy

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    You can use IAS authentication, authorization, and accounting to secure your remote access solutions. You can also implement security precautions to protect your IAS server and IAS-related traffic. Figure 7.11 illustrates this process.

    Figure 7.11 Securing Your Remote Access Strategy


    Implementing Your IAS Solution

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    Deploying IAS involves configuring IAS as a RADIUS server or proxy, optimizing your IAS configuration to best meet your needs, and configuring compatibility with third-party access servers. Figure 7.12 illustrates this process.

    Figure 7.12 Implementing Your IAS Solution


    Additional Resources for Remote Access

    Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    These resources contain additional information and tools related to this chapter.

    Related Information

• The Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit) for more information about Internet Authentication Service.

    • "Deploying Remote Access Clients Using Connection Manager" in this book.

    • "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit for more information about how to design a certificate infrastructure.

    • "Deploying Dial-up and VPN Remote Access Servers" in this book.

    • "Deploying a Wireless LAN" in this book for information about deploying wireless access clients.


• RFC 2865: Remote Authentication Dial In User Service (RADIUS).

    • RFC 2866: RADIUS Accounting.

    • RFC 2869: RADIUS Extensions.

    Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only check box.

• "Internet Authentication Service" in Help and Support Center for Windows Server 2003.

    • "Remote Access Policies" in Help and Support Center for Windows Server 2003.

    • "IAS as a RADIUS server" in Help and Support Center for Windows Server 2003.

    • "Deploying IAS as a RADIUS Proxy" in Help and Support Center for Windows Server 2003.

    • "Compulsory tunnels" in Help and Support Center for Windows Server 2003 for information about the RADIUS attributes used with compulsory tunneling.

    • "Computer certificates for certificate-based authentication" in Help and Support Center for Windows Server 2003.

    • "Dial-up and VPN remote access" in Help and Support Center for Windows Server 2003 for more information about configuring user accounts for IAS.

    • "Copy the IAS configuration to another server" in Help and Support Center for Windows Server 2003 for more information about copying IAS configuration.

    • "Outsourced dial and a proxy in the perimeter network" in Help and Support Center for Windows Server 2003 for more information about configuring IAS proxies in the perimeter network.

    • "Add RADIUS attributes to a remote access policy" in Help and Support Center for Windows Server 2003 for more information about how to configure the Class attribute.

    • "Manage Packet Filters" in Help and Support Center for Windows Server 2003 for more information about configuring packet filters.

    • "Use RADIUS accounting" and "Use RADIUS authentication" in Help and Support Center for Windows Server 2003 for more information about configuring RADIUS accounting and authentication.


• "Managing multiple IAS servers" in Help and Support Center for Windows Server 2003 for more information about synchronizing the configuration of multiple IAS servers.

    • "Configure accounting" in Help and Support Center for Windows Server 2003 for more information about using separate IAS servers for authentication and accounting.

    • "Configure authentication" in Help and Support Center for Windows Server 2003.

    • "Configure encryption" in Help and Support Center for Windows Server 2003.

    • "PEAP" in Help and Support Center for Windows Server 2003.

    • "Network access authentication and certificates" in Help and Support Center for Windows Server 2003 for more information about certificate enrollment methods and domain membership.
