Creating a central point of authentication for network operating systems, remote access, corporate applications, and various other devices and systems would relieve a number of burdens for administrators. Thanks to directory synchronization tools, that type of centralization is getting closer to reality on the NOS level. And with Windows 2000’s built-in Internet Authentication Service (IAS), an implementation of Remote Authentication Dial-In User Service (RADIUS), administrators can extend their central point of administration across a host of devices besides network operating systems.
For this article, I will set up a VPN server on a Windows 2000 server that uses RADIUS to authenticate incoming user connections on a different Windows 2000 server that is running IAS.
My first Windows 2000 Server is named win2ksvr and is a domain controller for the lab.com domain. This is the server that will run IAS and use RADIUS authentication. The second server is named lab2k and also runs Windows 2000 Server, but it’s not a member of the lab.com domain. This server has RAS installed to allow incoming VPN connections, which will be authenticated by the win2ksvr IAS service.
What IAS/RADIUS can provide
IAS provides central user administration and authorization. This means that from one terminal, you can provide a user access to any RADIUS-compliant devices (central administration) and have these attributes stored in Active Directory (central authorization) for fault tolerance.
Most network access service devices, such as dial-in modem banks and VPN servers, are capable of working with RADIUS, which is an Internet standard method for authentication. Many organizations are now using RADIUS to authenticate wireless LAN clients as well.
Installing IAS under Windows 2000
To install IAS, follow these steps:
- Go to Start | Settings | Control Panel | Add/Remove Programs.
- Choose Add/Remove Windows Components.
- Choose Network Services from the list of Windows component categories.
- Choose Internet Authentication Service from the list (Figure A).
- Click OK.
- Click Next.
Figure A: Installing IAS from Add/Remove Windows Components
The IAS manager
The IAS manager can be found at Start | Programs | Administrative Tools | Internet Authentication Service. Choose Internet Authentication Service (Local) and click Action | Properties to view the IAS configuration on your server. Figure B shows an example from my test lab installation.
Figure B: Sample IAS manager properties page
The Service tab lets you give the IAS instance a friendly name and set logging parameters. In the RADIUS tab, you can specify the ports used by RADIUS. RADIUS generally uses port 1812 or port 1645 for authentication and either 1813 or 1646 for accounting. Make sure that these values match the RADIUS parameters on your devices. Finally, the Realms tab allows you to find and replace information concerning names in RADIUS realms.
Register a new client
Before RADIUS can be used by clients, it must be provided with a list of clients that are allowed to use it. To do this, from the IAS manager, right-click on Clients and choose New Client. The New Client dialog box lets you enter a friendly name for the service, which can help reduce confusion if you support a large number of RADIUS clients. The second screen of the New Client wizard requests either the IP address or the DNS name of the client. You can also choose the client vendor. In certain situations this information is required, for example when you have remote access policies that are based on the vendor name.
You should select the Client Must Always Send The Signature Attribute In The Request check box if your remote RADIUS client uses digital signatures for verification. Otherwise, leave it blank.
Finally, the Shared Secret text boxes are akin to passwords, in that they must be identical on both the RADIUS client and server for the server to process requests from the client. See Figure C for an example of the client configuration screen.
Figure C: RADIUS client information
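The ports, the signature attribute and the shared secret described above all show up at the packet level. The following Python is an added example, not code from the article or from IAS: it builds a RADIUS Access-Request the way a NAS such as the VPN/RAS server would (RFC 2865 User-Password hiding plus the RFC 2869 Message-Authenticator, which is what the "signature attribute" check box refers to), then performs the checks the RADIUS server side does with its own copy of the secret. The user name, password, secret and NAS address are constructed values; the `exchange()` helper is an assumption made for the demonstration and is not an IAS API.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 2869 constants.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # the "signature attribute" in the IAS client dialog
AUTH_PORT = 1812                  # default authentication port shown in the IAS RADIUS tab
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length; a 16-byte Authenticator follows


def attribute(atype, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attributes(packet):
    """Yield (offset, type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def hide_password(password, secret, authenticator):
    """NAS side, RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous cipher block), seeded by the Request Authenticator."""
    length = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """RADIUS server side: undo hide_password() and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Access-Request with Message-Authenticator placed last so the HMAC can be patched in."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check of the signature attribute. Returns False when it is absent,
    which is what the "must always send the signature attribute" setting enforces."""
    for pos, atype, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_response(request, code, secret):
    """Access-Accept/Reject whose Response Authenticator (RFC 2865 section 3) binds the
    reply to the request's Authenticator and to the shared secret."""
    header = HEADER.pack(code, request[1], 20)
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def verify_response(request, response, secret):
    """NAS side: the reply is only trusted if it matches our request and our secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def exchange(secret_on_nas, secret_on_ias, username="VUser", password="constructed-password"):
    """Simulate the article's flow: the VPN/RAS server signs with its secret, the IAS
    server checks with its own. Returns (signature_ok, response_code)."""
    req = build_access_request(1, username, password, "192.0.2.10", secret_on_nas)
    if not verify_message_authenticator(req, secret_on_ias):
        return False, ACCESS_REJECT          # IAS discards requests that fail this check
    hidden = next(v for _, t, v in parse_attributes(req) if t == ATTR_USER_PASSWORD)
    ok = reveal_password(hidden, secret_on_ias, req[4:20]) == password.encode()
    return True, ACCESS_ACCEPT if ok else ACCESS_REJECT


if __name__ == "__main__":
    print("matching secrets:", exchange(b"constructed-secret", b"constructed-secret"))
    print("mismatched secrets:", exchange(b"constructed-secret", b"typo-secret"))
```

Two points worth noting for operators: with a mismatched secret the request never reaches the password check at all, which is why an IAS client entry with a wrong secret shows up as silently dropped requests rather than as a clean rejection; and without the Message-Authenticator the only thing protecting a PAP request is the MD5-based password hiding, which is why the "must always send the signature attribute" option is worth turning on wherever the client supports it.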
Verify that it works
For this example, I configured a second Windows 2000 Server with the VPN component of Routing and Remote Access to use this new RADIUS server for authentication. On the RADIUS server, I created a user named VUser (VPN User) and granted it dial-in permission on the user property page. I did not create this user on the Windows 2000 VPN server. In addition, the Windows 2000 servers are not in the same domain.
To test RADIUS, I just need to create a VPN connection to the Windows 2000 VPN/RAS server, which should in turn query the RADIUS server about the user account.
The VPN connection is indeed successful, as evidenced by Figure D, which shows the connection information. Careful observers will notice that both the VPN client and server are on the same network. This is not a mistake in this case, since both are on my testing lab network.
Figure D: The VPN connection details
Finally, just to make absolutely certain that this connection did actually use RADIUS, look at Figure E, which is pulled directly from the Event Viewer on the IAS server. This event shows the information related to the connection, and the event source is IAS.
Figure E: Event Viewer details of the VPN connection
While this was a somewhat simplistic demonstration of how to set up and configure IAS to use RADIUS authentication, each step you need to take in setting up IAS is detailed here. To use it with other devices, you simply need to provide the proper RADIUS credentials, including the RADIUS server IP address and the shared secret key that you configure when you create a new client on the IAS server.