Installing and Configuring IAS
1.Click Start > Control Panel > Add Remove Programs, then click Add/Remove Windows Components.
2.Select Networking Services > Details from the dialog box in the Windows Components Wizard.
3.Select Internet Authentication Service followed by OK, then click Next.
Once IAS is installed, it is time to configure the properties for the IAS server as follows:
1.Click Start > Programs > Administrative Tools > Internet Authentication Service.
2.Right-click Internet Authentication Service and select Properties.
3.Select the Ports tab, and configure the RADIUS authentication and accounting UDP ports if they don't already show 1812 and 1645 for authentication, and 1813 and 1646 for accounting.
4.Continuing from Properties, on the General tab, select each required option for IAS event logging, then click OK.
5.Right-click RADIUS Clients and select New RADIUS Client.
6.From the New RADIUS Client Wizard add basic client information, then click Next.
7.Select RADIUS Standard from the Client-Vendor drop-down list on the New RADIUS Client screen and enter the shared secret password of your choice, then select Finish.
Next: Configuring Remote Access Policies
Configuring Remote Access Policies
We now want to configure the remote access policies. In this instance, we will grant access to a Windows Global Group called Radius-Clients as follows:
1.Create a Group called Radius-Clients. Click Start > Administrative Tools > Active Directory Users and Computers. Right-click the Users container and select New > Group. In the New Objec-Group box, type Radius-Clients in the Group Name text box, then click OK.
2.Create the policy condition and policy profile through the New Remote Access Policy Wizard. Click Start > Administrative Tools > Routing and Remote Access. Right-click Remote Access Policies in the left pane of the management console and select New Remote Access Policy to start the New Remote Access Policy Wizard, then click Next.
3.Select Set up a custom policy and enter Radius-Clients in the Policy Name box.
4.Click Next to move to the Policy Conditions screen. Click Add to specify Windows-Groups for the condition portion of the RRAS Policy.
5.Click Add to open the Groups selection box, then click Add again. From the Select Groups dialog box, type Dial into the text box and click the Check Names button. The Radius-Clients group should be displayed in the text box.
6.Click OK, then click OK again and click Next to view the Permissions screen. Select Grant remote access permission.
7.Click Next to proceed to the Profile screen. Click the Edit Profile button to invoke the Edit Dial-in Profile dialog box. Click the Multilink tab. We want to allow Multilink connections and we will drop the second line if the bandwidth requirement drops below 50 percent. Select Allow Multilink connections. Select Require BAP for dynamic Multilink requests and accept the defaults.
8.Click OK. Click Next and then click Finish to complete the Remote Access Policy configuration. Now, any users that belong to the Radius-Clients group will be granted dial-in access with multilink capabilities.
Configuring the IAS Server Properties
.com
1.Select Remote access logging from the left pane of the MMC.
2.From the right pane, right-click Local File or SQL Server, then select Properties.
3.From the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:
4.For accounting request and response captures, select Accounting requests.
5.For authentication requests, Access-Accept messages, and Access-Reject messages captures, select Authentication requests.
6.For periodic status update captures, select Periodic status.
7.Click OK to finish.
Registering the IAS Server
Now that we have a configuration nearly completed, we could copy the IAS configuration from the first IAS server to additional IAS servers, but in this instance we'll omit this stage and go on to we have to register the IAS server in the appropriate Active Directory domains. As noted earlier, there are there are three ways to accomplish this. We'll register the IAS server in the default domain using Active Directory Users and Computers:
1.Log on to the IAS server with an account that has administrative credentials for the domain.
2.Open Active Directory Users and Computers. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
3.In the left pane of the ADUC console, click the Users folder for your domain.
4.In the right pane, right-click RAS and IAS Servers, then click Properties.
5.In the RAS and IAS Servers Properties dialog box, on the Members tab, add the IAS server if it is not already present.
6.Click OK to finish.
You have now done everything you need to do for the Routing and Remote Access server to use the IAS server for authentication. By default, the IAS (RADIUS) server will use Windows authentication to determine if authentication is successful.
Configuring RRAS policies to Permit or Deny Access
A traditional LAN is normally located within a single building or site. The systems within the LAN are administered by a single individual or a group of individuals and policies exist for administration and configuration. However, if users connect from outwith the LAN, the systems they connect from may not be administered by the corporate administrator or administrators. This can cause configuration problems as well as security problems.
Remote access policies help administrators apply a consistent policy to machines that are not directly administered within the corporate LAN. Administrators can use remote access policies to limit the access rights and privileges of remote users and computers by validating connections and specifying connection restrictions. Connection settings that can be validated by standard remote access policy settings include:
•Authentication methods
•Group membership
•Remote access permission
•Time of day
•Type of connection
Advanced remote access policy validation settings include the following:
•Access server identity
•Access client phone number or MAC address
•Whether user account dial-in properties are ignored
•Whether unauthenticated access is allowed
Authentication methods include the following:
•PEAP
•EAP
•MS-CHAP v1 and v2
•CHAP
•PAP
•Unauthenticated access
Authentication Methods
Authentication method refers to the type of authentication being used by the client, eg: EAP, CHAP, MS-CHAP etc.).
Group membership is configured via Active Directory Users and Computers. Groups can significantly reduce the administrative workload by grouping users together according to job functions, access rights and requirements and other common similarities. Group membership policy restrictions can be used to allow corporate users to gain network access based on one set of criteria, while users from a specific vendor or partner might have a different set of remote access restrictions
Time of day restrictions ensure that users can only log in at certain times. This can be used to prevent users from connecting during maintenance operations or to keep remote users out of the network after normal business hours.
Type of connection validation sets different remote access policies based on the method the user uses to connect, eg: VPN users could have one policy, while analog dialup users are subject to a different policy.
Access server identity validation ensures that users connecting to a particular access server have a specific policy applied to them. This can be used to ensure that a user is connecting through proper channels, eg: if someone was to attempt to break into the network through a non-authorised connection, this restriction would block them.
Access client phone number validation ensures the user is connecting from an authorized location or computer. Using the client's Calling Station ID) for validation relies upon a certain amount of physical security as well as password or certificate-based electronic security. Someone would need to break into the calling location and use that phone to connect based on this validation.
Connection Restrictions
Once a remote access policy has authorised a connection, it can set connection restrictions based on the following:
•Encryption strength
•Idle timeout
•IP packet filters
•Maximum session time
Remote access policies can also apply advanced connection restrictions based on
the following:
•IP address for PPP connections
•Static routes
Encryption strength can range from 40-bit to 168-bit. Encryption property settings for Windows Server 2003 include:
•no encryption
•Basic encryption (40-bit MPPE or 56-bit DES)
•strong encryption (56-bit MPPE or 56-bit DES)
•strongest encryption (128-bit MPPE or 168-bit 3DES).
Idle timeout is used to secure the network by disconnecting users after a specific amount of idle time has elapsed.
IP packet filters restrict connections based on the services being requested, eg: Telnet access may be granted to a dial-in user by configuring an IP packet filter to allow traffic to TCP port 23 at a specified address.
Maximum session time ensures security by disconnecting a user after a specified
amount of time regardless of the current session status (idle or active).
Specific IP addresses may be distributed through PPP connections to restrict access to portions of the network, providing another method for securing network access through remote access policy.
Static routes also set network access restrictions by routing or not routing specific
traffic based on destination network address
Global Remote Access Policies
Global remote access policies may be varied according to the following:
•Access client phone number or MAC address
•Authentication methods
•Group membership
•Identity of the access server
•Time of day
•Type of connection
•Whether or not unauthenticated access is allowed
Windows Server 2003 remote access servers provide remote access policy through the
Routing and Remote Access Service on stand-alone machines. The RRAS policy applies to connections through that specific RRAS server. If you are using IAS or RADIUS on your network, remote access policies are configured through the IAS or RADIUS server.
Remote access policies determine what users or machines gain access, through what method, when, and what restrictions are put on them once they have access. By default, two policies are created. One controls access to the remote access server itself and the other controls access to network resources outside of the remote access server.
You can also create your own policies to control access by right-clicking on remote access policies and selecting New Remote Access Policy. You will then be asked if you want to use the wizard to guide you through policy creation or you can choose to create a custom policy.
If you use the wizard, it will guide you through the process of creating the new policy. You will be asked questions like what service this is for (VPN, Ethernet, dial-up, wireless, etc.), is it for a group or individual users, what authentication protocols are to be used, what encryption methods are to be used and other settings, based on the type of remote connection you are configuring.
If you choose to create a custom policy, you will be asked to select the user or group that the policy applies to, then you will be prompted to create Conditions which determine when the policy is applied. For example, a policy might apply only to the group, say HR-users and it could be configured to assign them a different default gateway.
Configuring a remote access policy for an RRAS server
1.Configure the user accounts to use remote access policy for dial-in access.
2.Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
3.Verify that the user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.
4.Open the Routing and Remote Access management console to configure the policy, then click Start > Programs > Administrative Tools > Routing and Remote Access.
5.If necessary, double-click Routing and Remote Access and the server name.
6.In the left pane, right-click Remote Access Policies, then click New Remote Access Policy.
7.Select the appropriate policy settings as discussed above.
8.Delete the default policies.
|The logbook for this section should provide a record of the steps you have taken to configure remote access authentication protocols to provide authentication for remote access clients and configure remote access policies to permit or deny access. Completion of activities in this section should provide sufficient evidence for these tasks.|
1.Click Start > Control Panel > Add Remove Programs, then click Add/Remove Windows Components.
2.Select Networking Services > Details from the dialog box in the Windows Components Wizard.
3.Select Internet Authentication Service followed by OK, then click Next.
Once IAS is installed, it is time to configure the properties for the IAS server as follows:
1.Click Start > Programs > Administrative Tools > Internet Authentication Service.
2.Right-click Internet Authentication Service and select Properties.
3.Select the Ports tab, and configure the RADIUS authentication and accounting UDP ports if they don't already show 1812 and 1645 for authentication, and 1813 and 1646 for accounting.
4.Continuing from Properties, on the General tab, select each required option for IAS event logging, then click OK.
5.Right-click RADIUS Clients and select New RADIUS Client.
6.From the New RADIUS Client Wizard add basic client information, then click Next.
7.Select RADIUS Standard from the Client-Vendor drop-down list on the New RADIUS Client screen and enter the shared secret password of your choice, then select Finish.
Next: Configuring Remote Access Policies
Configuring Remote Access Policies
We now want to configure the remote access policies. In this instance, we will grant access to a Windows Global Group called Radius-Clients as follows:
1.Create a Group called Radius-Clients. Click Start > Administrative Tools > Active Directory Users and Computers. Right-click the Users container and select New > Group. In the New Objec-Group box, type Radius-Clients in the Group Name text box, then click OK.
2.Create the policy condition and policy profile through the New Remote Access Policy Wizard. Click Start > Administrative Tools > Routing and Remote Access. Right-click Remote Access Policies in the left pane of the management console and select New Remote Access Policy to start the New Remote Access Policy Wizard, then click Next.
3.Select Set up a custom policy and enter Radius-Clients in the Policy Name box.
4.Click Next to move to the Policy Conditions screen. Click Add to specify Windows-Groups for the condition portion of the RRAS Policy.
5.Click Add to open the Groups selection box, then click Add again. From the Select Groups dialog box, type Dial into the text box and click the Check Names button. The Radius-Clients group should be displayed in the text box.
6.Click OK, then click OK again and click Next to view the Permissions screen. Select Grant remote access permission.
7.Click Next to proceed to the Profile screen. Click the Edit Profile button to invoke the Edit Dial-in Profile dialog box. Click the Multilink tab. We want to allow Multilink connections and we will drop the second line if the bandwidth requirement drops below 50 percent. Select Allow Multilink connections. Select Require BAP for dynamic Multilink requests and accept the defaults.
8.Click OK. Click Next and then click Finish to complete the Remote Access Policy configuration. Now, any users that belong to the Radius-Clients group will be granted dial-in access with multilink capabilities.
Configuring the IAS Server Properties
.com
1.Select Remote access logging from the left pane of the MMC.
2.From the right pane, right-click Local File or SQL Server, then select Properties.
3.From the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:
4.For accounting request and response captures, select Accounting requests.
5.For authentication requests, Access-Accept messages, and Access-Reject messages captures, select Authentication requests.
6.For periodic status update captures, select Periodic status.
7.Click OK to finish.
Registering the IAS Server
Now that we have a configuration nearly completed, we could copy the IAS configuration from the first IAS server to additional IAS servers, but in this instance we'll omit this stage and go on to we have to register the IAS server in the appropriate Active Directory domains. As noted earlier, there are there are three ways to accomplish this. We'll register the IAS server in the default domain using Active Directory Users and Computers:
1.Log on to the IAS server with an account that has administrative credentials for the domain.
2.Open Active Directory Users and Computers. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
3.In the left pane of the ADUC console, click the Users folder for your domain.
4.In the right pane, right-click RAS and IAS Servers, then click Properties.
5.In the RAS and IAS Servers Properties dialog box, on the Members tab, add the IAS server if it is not already present.
6.Click OK to finish.
You have now done everything you need to do for the Routing and Remote Access server to use the IAS server for authentication. By default, the IAS (RADIUS) server will use Windows authentication to determine if authentication is successful.
Configuring RRAS policies to Permit or Deny Access
A traditional LAN is normally located within a single building or site. The systems within the LAN are administered by a single individual or a group of individuals and policies exist for administration and configuration. However, if users connect from outwith the LAN, the systems they connect from may not be administered by the corporate administrator or administrators. This can cause configuration problems as well as security problems.
Remote access policies help administrators apply a consistent policy to machines that are not directly administered within the corporate LAN. Administrators can use remote access policies to limit the access rights and privileges of remote users and computers by validating connections and specifying connection restrictions. Connection settings that can be validated by standard remote access policy settings include:
•Authentication methods
•Group membership
•Remote access permission
•Time of day
•Type of connection
Advanced remote access policy validation settings include the following:
•Access server identity
•Access client phone number or MAC address
•Whether user account dial-in properties are ignored
•Whether unauthenticated access is allowed
Authentication methods include the following:
•PEAP
•EAP
•MS-CHAP v1 and v2
•CHAP
•PAP
•Unauthenticated access
Authentication Methods
Authentication method refers to the type of authentication being used by the client, eg: EAP, CHAP, MS-CHAP etc.).
Group membership is configured via Active Directory Users and Computers. Groups can significantly reduce the administrative workload by grouping users together according to job functions, access rights and requirements and other common similarities. Group membership policy restrictions can be used to allow corporate users to gain network access based on one set of criteria, while users from a specific vendor or partner might have a different set of remote access restrictions
Time of day restrictions ensure that users can only log in at certain times. This can be used to prevent users from connecting during maintenance operations or to keep remote users out of the network after normal business hours.
Type of connection validation sets different remote access policies based on the method the user uses to connect, eg: VPN users could have one policy, while analog dialup users are subject to a different policy.
Access server identity validation ensures that users connecting to a particular access server have a specific policy applied to them. This can be used to ensure that a user is connecting through proper channels, eg: if someone was to attempt to break into the network through a non-authorised connection, this restriction would block them.
Access client phone number validation ensures the user is connecting from an authorized location or computer. Using the client's Calling Station ID) for validation relies upon a certain amount of physical security as well as password or certificate-based electronic security. Someone would need to break into the calling location and use that phone to connect based on this validation.
Connection Restrictions
Once a remote access policy has authorised a connection, it can set connection restrictions based on the following:
•Encryption strength
•Idle timeout
•IP packet filters
•Maximum session time
Remote access policies can also apply advanced connection restrictions based on
the following:
•IP address for PPP connections
•Static routes
Encryption strength can range from 40-bit to 168-bit. Encryption property settings for Windows Server 2003 include:
•no encryption
•Basic encryption (40-bit MPPE or 56-bit DES)
•strong encryption (56-bit MPPE or 56-bit DES)
•strongest encryption (128-bit MPPE or 168-bit 3DES).
Idle timeout is used to secure the network by disconnecting users after a specific amount of idle time has elapsed.
IP packet filters restrict connections based on the services being requested, eg: Telnet access may be granted to a dial-in user by configuring an IP packet filter to allow traffic to TCP port 23 at a specified address.
Maximum session time ensures security by disconnecting a user after a specified
amount of time regardless of the current session status (idle or active).
Specific IP addresses may be distributed through PPP connections to restrict access to portions of the network, providing another method for securing network access through remote access policy.
Static routes also set network access restrictions by routing or not routing specific
traffic based on destination network address
Global Remote Access Policies
Global remote access policies may be varied according to the following:
•Access client phone number or MAC address
•Authentication methods
•Group membership
•Identity of the access server
•Time of day
•Type of connection
•Whether or not unauthenticated access is allowed
Windows Server 2003 remote access servers provide remote access policy through the
Routing and Remote Access Service on stand-alone machines. The RRAS policy applies to connections through that specific RRAS server. If you are using IAS or RADIUS on your network, remote access policies are configured through the IAS or RADIUS server.
Remote access policies determine what users or machines gain access, through what method, when, and what restrictions are put on them once they have access. By default, two policies are created. One controls access to the remote access server itself and the other controls access to network resources outside of the remote access server.
You can also create your own policies to control access by right-clicking on remote access policies and selecting New Remote Access Policy. You will then be asked if you want to use the wizard to guide you through policy creation or you can choose to create a custom policy.
If you use the wizard, it will guide you through the process of creating the new policy. You will be asked questions like what service this is for (VPN, Ethernet, dial-up, wireless, etc.), is it for a group or individual users, what authentication protocols are to be used, what encryption methods are to be used and other settings, based on the type of remote connection you are configuring.
If you choose to create a custom policy, you will be asked to select the user or group that the policy applies to, then you will be prompted to create Conditions which determine when the policy is applied. For example, a policy might apply only to the group, say HR-users and it could be configured to assign them a different default gateway.
Configuring a remote access policy for an RRAS server
1.Configure the user accounts to use remote access policy for dial-in access.
2.Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
3.Verify that the user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.
4.Open the Routing and Remote Access management console to configure the policy, then click Start > Programs > Administrative Tools > Routing and Remote Access.
5.If necessary, double-click Routing and Remote Access and the server name.
6.In the left pane, right-click Remote Access Policies, then click New Remote Access Policy.
7.Select the appropriate policy settings as discussed above.
8.Delete the default policies.
|The logbook for this section should provide a record of the steps you have taken to configure remote access authentication protocols to provide authentication for remote access clients and configure remote access policies to permit or deny access. Completion of activities in this section should provide sufficient evidence for these tasks.|
