Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
August 2002

Using Windows 2000 IAS for Remote Access Solutions



Using Win2K Remote Access Policies with NT 4.0 RAS Servers
You can configure NT 4.0 RAS servers to use RADIUS authentication; as a result, those servers can use Win2K IAS that you've configured with remote access policies. The NT 4.0 RAS server physically accepts connections from a remote user but off-loads authentication to the IAS server. The IAS server, like a Win2K RAS server in an NT 4.0 domain, can authenticate local users, users in an NT 4.0 SAM domain, or users in Active Directory (AD).

Before you configure NT 4.0 RAS servers to use RADIUS authentication, you need to make sure you have installed on the servers the RRAS Routing Update, which isn't included in any service pack. You can download the RRAS Routing Update from Microsoft's Web site (http://www.microsoft.com/ntserver/nts/downloads/winfeatures/rras/rrasdown.asp). After you install the update, your NT 4.0 RAS administration utility will change appearance and look like Figure 3. (However, if you previously installed the RRAS Routing Update and then reinstall it, you won't see a change in the administration utility's appearance.)

If you're interested only in running RAS (rather than routing), you need to use only Active Connections and Ports in the Routing and RAS Administration utility. Click the Active Connections and Ports icon to see details about remote access client connections.

To configure your NT 4.0 RAS server to use IAS for authentication, go to Control Panel, Network, Services. In the resulting dialog box, double-click Routing and Remote Access Service, which takes you to the Remote Access Setup dialog box. Click the Network button, and you'll see the Network Configuration dialog box, which Figure 4 shows. This dialog box lets you configure RAS properties.

Under Authentication provider, select RADIUS, then click Configure to reach the RADIUS Configuration dialog box. Click Add. In the resulting RADIUS Server dialog box, which Figure 5 shows, you need to provide the IAS server's IP address or DNS name, the Secret (i.e., the shared password), the timeout interval, and the initial score. You can enable and disable authentication and accounting separately and specify the ports that those functions use.

If you are using multiple IAS servers for fault tolerance and load balancing, add the servers one by one in the same way. When you finish, click OK on all dialog boxes. Your NT 4.0 RAS server will now use your IAS servers for authentication, which means your remote access clients will be subject to Win2K remote access policies on the IAS server.

Outsourcing Remote Access Services
You or your enterprise might decide that outsourcing your remote access service costs less than keeping the function in-house. You can outsource the service and still maintain control of dial-up permissions and connections. In such an outsourced scenario, users connect to a remote access server (i.e., network access server—NAS) at your company's ISP, which routes the connection to your corporate network. In the process, the ISP can also enforce a tunneled connection to help secure transferred data and can monitor and restrict which applications use the service (e.g., allow access to designated servers only, deny traffic other than FTP or a similar service).

However, the ISP needs to authenticate and authorize the remote access user before allowing the user access to the corporate network. To perform this function, the ISP needs to have a list of user accounts and know which accounts have remote access permission. This information exists on your AD network or in your NT 4.0 SAM database, and you can give the ISP access to it by configuring IAS to communicate with the ISP's NAS. To provide this access, you must configure your firewall to let authentication traffic from the ISP through to your IAS server and define the ports that this traffic will use. Ask your ISP which ports it will use for RADIUS authentication to send traffic to your network; the ports are likely to be UDP port 1645 (which NT 4.0 servers use) or UDP port 1812 (which Win2K RRAS servers use). By default, Win2K IAS listens on both ports. If the ISP doesn't use either of those ports, you need to specify an alternative in the firewall and in IAS.

When you're configuring IAS to accept traffic from the ISP, you need to accommodate ping requests and realm names. Ping requests verify that a RADIUS server (in this case, your IAS server) is available. For example, your ISP will periodically send ping requests to the IAS server with deliberately fictitious names that are intended for rejection (i.e., they will bounce). A bounced request signals to the ISP that the IAS server is online. No response signals an inoperative server or a connectivity problem.

Such bounces can unnecessarily stress the IAS server and domain controller (DC) and fill up error log files. To reduce this stress on the IAS server and DC, agree in advance with your ISP on the name that the ISP will use for ping requests. You can then configure your IAS server's registry so that the server sends back an immediate rejection (i.e., Auto Reject) when it receives a ping message with the name you and your ISP have agreed on. Immediate rejection means that the server doesn't pass the ping request on to the DC for an authentication attempt that would fail anyway. Thus, the auto rejection places less load on IAS and the DC. To accomplish this registry change, you need to add a new REG_SZ value called Ping User-Name under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters registry subkey. Set the string to be the same as the username you have agreed to use for ping requests.
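To make the Auto Reject behavior concrete, the following is an added example written for this article; it is not IAS code and not the article's own, and it models rather than reproduces what IAS does. It implements a minimal RADIUS (RFC 2865) Access-Request/Access-Reject exchange in Python: the server checks the User-Name attribute against the agreed ping name (the value you would place in the Ping User-Name registry string) and answers with an Access-Reject without ever calling the DC, while every other name goes to a stand-in for DC authentication. Both sides compute and verify the Response Authenticator, which is how the ISP's NAS and your IAS server prove to each other that they hold the same shared secret. The secret, the ping name, the user list, and the `dc_lookup` callback are all constructed for the example; in a real deployment the server would bind UDP port 1645 and 1812 rather than being driven in-process.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the one attribute type this model needs (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1


def parse_attributes(body):
    """Split the attribute area of a RADIUS packet into {type: [value, ...]}."""
    attrs = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(body[i + 2:i + attr_len])
        i += attr_len
    return attrs


def build_access_request(ident, request_authenticator, username):
    """Client side (the NAS): a minimal Access-Request carrying only User-Name."""
    attr = struct.pack("BB", ATTR_USER_NAME, 2 + len(username)) + username
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + request_authenticator + attr


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client-side check that the reply came from a server holding the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


class PingAwareRadiusServer:
    """Model of the IAS behaviour: reject the agreed ping name before consulting the DC."""

    def __init__(self, secret, ping_user_name, dc_lookup):
        self.secret = secret
        self.ping_user_name = ping_user_name  # what the Ping User-Name registry string holds
        self.dc_lookup = dc_lookup            # hypothetical stand-in for authenticating at the DC
        self.auto_rejects = 0
        self.dc_requests = 0

    def handle(self, packet):
        """Return the response bytes, or None for a malformed packet (silently dropped)."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length < 20 or length > len(packet):
            return None
        request_authenticator = packet[4:20]
        try:
            attrs = parse_attributes(packet[20:length])
        except ValueError:
            return None
        username = attrs.get(ATTR_USER_NAME, [b""])[0]
        # Auto Reject: the ISP's availability probe never reaches the DC or the event log.
        if username == self.ping_user_name:
            self.auto_rejects += 1
            return build_response(ACCESS_REJECT, ident, request_authenticator, self.secret)
        self.dc_requests += 1
        code = ACCESS_ACCEPT if self.dc_lookup(username) else ACCESS_REJECT
        return build_response(code, ident, request_authenticator, self.secret)


# Constructed sample data: shared secret, agreed ping name, and a toy "domain" whose
# values stand for the dial-in permission the DC would report for each account.
SECRET = b"constructed-shared-secret"
PING_NAME = b"isp-ping-probe"
DIAL_IN_USERS = {b"alice": True, b"bob": False}


def demo():
    """Run four requests through the model; return (response code, authenticator ok) per name."""
    server = PingAwareRadiusServer(SECRET, PING_NAME, lambda u: DIAL_IN_USERS.get(u, False))
    results = {}
    for ident, name in enumerate([PING_NAME, b"alice", b"bob", b"mallory"]):
        # A real NAS uses 16 random bytes here; a fixed derivation keeps the demo repeatable.
        req_auth = hashlib.md5(b"constructed-nonce-%d" % ident).digest()
        reply = server.handle(build_access_request(ident, req_auth, name))
        results[name] = (reply[0], verify_response(reply, req_auth, SECRET))
    results["dc_requests"] = server.dc_requests
    results["auto_rejects"] = server.auto_rejects
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the counters is that the ping name produces a valid, secret-bound Access-Reject while `dc_requests` stays at zero for it; only the three real names cost a DC round trip. The malformed-packet branches return nothing at all, mirroring RADIUS's rule that a request failing basic length checks is silently discarded rather than answered.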
