C
clyde
Is it neccessary to run and IAS server to support RADIUS
when creating a VPN server
Any help appreciated
when creating a VPN server
Any help appreciated
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
H
Herb Martin
Is it neccessary to run and IAS server to support RADIUS
IAS is RADIUS.
Microsoft's product name for their RADIUS implementation
is IAS.
So if you have need to authenticate THROUGH RADIUS or
wish to authenticate to RADIUS open authentication servers
you need IAS or another non-Microsoft solution.
You typically need RADIUS (IAS) in four situations:
1) Different companies OWN the access points and the
authentication servers
2) Different vendors BUILD the access points and the
authentication servers
3) You wish to use different MACHINES so as to
separate the access from the authentication for the
purpose usually of inserting FIREWALLS between
4) You wish to consolidate the ACCESS POLICY of
many access points on a single server (RADIUS).
In #1 and #2, you are providing an open standard glue between
access servers and authenticators (AD, UNIX, etc.)
In #3, you are separating the functionality. While this could be
for performance reasons it is generally so that you can further
protect the different components with filters and firewalls since
by their nature access servers are EXPOSED.
In #4, you might have 10 access servers (even owned by the
same company and all built by Microsoft) but wish to consolidate
the "Remote Access Policy" on your single-IAS server so that
changes can be made one time and affect all access servers/clients.
Several (or even all) of the reasons may apply at the same time.
when creating a VPN server
IAS is RADIUS.
Microsoft's product name for their RADIUS implementation
is IAS.
So if you have need to authenticate THROUGH RADIUS or
wish to authenticate to RADIUS open authentication servers
you need IAS or another non-Microsoft solution.
You typically need RADIUS (IAS) in four situations:
1) Different companies OWN the access points and the
authentication servers
2) Different vendors BUILD the access points and the
authentication servers
3) You wish to use different MACHINES so as to
separate the access from the authentication for the
purpose usually of inserting FIREWALLS between
4) You wish to consolidate the ACCESS POLICY of
many access points on a single server (RADIUS).
In #1 and #2, you are providing an open standard glue between
access servers and authenticators (AD, UNIX, etc.)
In #3, you are separating the functionality. While this could be
for performance reasons it is generally so that you can further
protect the different components with filters and firewalls since
by their nature access servers are EXPOSED.
In #4, you might have 10 access servers (even owned by the
same company and all built by Microsoft) but wish to consolidate
the "Remote Access Policy" on your single-IAS server so that
changes can be made one time and affect all access servers/clients.
Several (or even all) of the reasons may apply at the same time.
W
Wajihy [MSFT]
it depends if you configure your VPN server for windows authentication you
don't needs IAS ( IAS is a radius server)
but if you configure you VPN server for radius authentication then you need
to have IAS server installed
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
don't needs IAS ( IAS is a radius server)
but if you configure you VPN server for radius authentication then you need
to have IAS server installed
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
H
Herb Martin
it depends if you configure your VPN server for windows authentication you
While it is true that if your access server can use
Windows authentication this is not the only reason
for using a IAS/RADIUS server.
He may have security or other reasons for "needing"
IAS, as described below....
One typically need RADIUS (IAS) in four situations:
1) Different companies OWN the access points and the
authentication servers
2) Different vendors BUILD the access points and the
authentication servers
3) You wish to use different MACHINES so as to
separate the access from the authentication for the
purpose usually of inserting FIREWALLS between
4) You wish to consolidate the ACCESS POLICY of
many access points on a single server (RADIUS).
In #1 and #2, you are providing an open standard glue between
access servers and authenticators (AD, UNIX, etc.)
In #3, you are separating the functionality. While this could be
for performance reasons it is generally so that you can further
protect the different components with filters and firewalls since
by their nature access servers are EXPOSED.
In #4, you might have 10 access servers (even owned by the
same company and all built by Microsoft) but wish to consolidate
the "Remote Access Policy" on your single-IAS server so that
changes can be made one time and affect all access servers/clients.
Several (or even all) of the reasons may apply at the same time.
don't needs IAS ( IAS is a radius server)
but if you configure you VPN server for radius authentication then you need
to have IAS server installed
While it is true that if your access server can use
Windows authentication this is not the only reason
for using a IAS/RADIUS server.
He may have security or other reasons for "needing"
IAS, as described below....
One typically need RADIUS (IAS) in four situations:
1) Different companies OWN the access points and the
authentication servers
2) Different vendors BUILD the access points and the
authentication servers
3) You wish to use different MACHINES so as to
separate the access from the authentication for the
purpose usually of inserting FIREWALLS between
4) You wish to consolidate the ACCESS POLICY of
many access points on a single server (RADIUS).
In #1 and #2, you are providing an open standard glue between
access servers and authenticators (AD, UNIX, etc.)
In #3, you are separating the functionality. While this could be
for performance reasons it is generally so that you can further
protect the different components with filters and firewalls since
by their nature access servers are EXPOSED.
In #4, you might have 10 access servers (even owned by the
same company and all built by Microsoft) but wish to consolidate
the "Remote Access Policy" on your single-IAS server so that
changes can be made one time and affect all access servers/clients.
Several (or even all) of the reasons may apply at the same time.
W
Wajihy [MSFT]
thanks Herb, you are totally right
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
--
This posting is provided "AS IS", with NO warranties and confers NO rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
H
Herb Martin
Wajihy said:thanks Herb, you are totally right
The first time I played with IAS, I used my first Win2000
machine which was a DC and an RRAS router (remember
I was still playing.)
Installed IAS on it and got it to work; then I wondered,
"So what?"
IAS with one server is pretty boring. <grin>
Took me a while to figure out the four reasons for IAS/RADIUS
and to date I haven't seen these clearly delineated in any book
or documentation.
There is one more reason, a variation, if we introduce RADIUS
Proxies -- which Microsoft and IAS don't provide.
#5 Many access points to many authenticators.
This is a variation one "different owners" and likely "different
vendors" and "consolidated policy" as well.
An example would be a large ISP with access points in various
cities, and many customers who contract for that service but
wish to provide their own authentication and policy settings to
their OWN users.
Many access points do not all have to know about the many
customers (just the RADIUS Proxy) AND...
Many customers do not have to let the many access points
in through their firewalls, but only the RADIUS Proxy at the
vendor is allowed to contact the "real" customer RADIUS
Server (and thereby receive client authentication and policy.)
I guess there is a sixth reason but it comes with the territory;
RADIUS/IAS are also consider accounting/auditing services
to keep track of such usage.