RADIUS simplifies administration of remote access servers

If you have more than one remote access server, the administration of remote access policies can quickly become cumbersome. One way around this is to configure a single computer running Windows Server 2003 and IAS as a RADIUS (Remote Authentication Dial In User Service) server and configure the remote access servers as RADIUS clients.

The IAS server provides centralized remote access authentication, authorization, accounting and auditing. Assuming that you've already configured the remote access servers to provide access for dial-up or VPN clients, you can accomplish this by performing the procedures listed below.

Configure the remote access servers for RADIUS authentication.

When you configure the properties of a remote access server running Windows Server 2003, you need to select RADIUS as the authentication provider. To change a server to RADIUS authentication, follow these steps:

  1. Right-click the server name in Routing and Remote Access and choose Properties from the shortcut menu.
  2. Click the Security tab. Under Authentication Provider, select RADIUS Authentication, and then click Configure.
  3. Click Add. Provide the server name—the host name or IP address of the IAS server. If you already have IAS installed, you do not need to change the shared secret. Otherwise, you need to change it. The remote access server running Windows Server 2003 and the IAS server share a secret that is used to encrypt messages sent between them. The two servers must share the same secret.
  4. Click OK when you're finished.

Configure the remote access servers for RADIUS accounting.

When you configure the properties of a remote access server running Windows Server 2003, you need to select RADIUS accounting as the accounting provider. To change a server to RADIUS accounting, follow these steps:

  1. Right-click the server name in Routing and Remote Access and choose Properties from the shortcut menu.
  2. Click the Security tab. Under Accounting Provider, select RADIUS Accounting, then click Configure.
  3. Provide the server name (the host name or IP address of the IAS server).
  4. If you already have IAS installed, you don't need to change the shared secret. Otherwise, you must change it. The remote access server running Windows Server 2003 and the IAS server share a secret that is used to encrypt messages sent between them. Both the remote access server and the IAS server must share the same secret. Click OK.

Configure the IAS server.

You need to register each of the remote access servers as clients on the IAS server. Once the remote access servers are configured to use RADIUS authentication, only the remote access policies stored on the IAS server are used. So if one of the remote access servers contains the remote access policies that are applied to all of the remote access servers, you need to copy the remote access policies to the IAS server.

To copy the policies from a remote server to the IAS server:

  1. Open a command window and type netsh aaaa show config >path\file.txt, where path\file.txt stands for the output file. The path can be relative, absolute or a Universal Naming Convention (UNC) path. This command creates a text file that includes all the configuration settings.
  2. Copy the text file to the destination IAS server.
  3. Now open a command prompt on the destination machine. Type netsh exec path\file.txt, using the location of the copied file. You'll see a message telling you whether the update was successful.

Note: This procedure does not work unless both the source and destination computers are running the same version of Windows Server 2003.

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.

This was first published in November 2006
