Remote Access Server


Managing Remote Access

Remote access has the following management issues:

Managing Users

Because it is administratively unsupportable to have separate user accounts for the same user on separate servers and to try to keep them all simultaneously current, most administrators set up a master account database at a domain controller (PDC) or on a Remote Authentication Dial-in User Service (RADIUS) server. This allows the remote access server to send the authentication credentials to a central authenticating device.

Managing Addresses

For PPP connections, IP, IPX, and AppleTalk addressing information must be allocated to remote access clients during the connection establishment process. The Windows 2000 remote access server must be configured to allocate IP addresses, IPX network and node addresses, and AppleTalk network and node addresses.

More information about address allocation for IP and IPX can be found later in this chapter.

Managing Access

In Windows NT versions 3.5x and 4.0, authorization was based on a simple Grant dial-in permission to user option in User Manager or the Remote Access Admin utility. Callback options were also configured on a per-user basis. In Windows 2000, authorization is granted based on the dial-in properties of a user account and remote access policies.

Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. The Windows 2000 Routing and Remote Access service and Windows 2000 Internet Authentication Service (IAS) both use remote access policies to determine whether to accept or reject connection attempts. For more information about remote access policies, see "Internet Authentication Service" in this book.

With remote access policies, you can grant remote access by individual user account or through the configuration of specific remote access policies.

Access by User Account

Access by user account is the administrative model used in Windows NT versions 3.5x and 4.0. In Windows 2000, to manage remote access on a per-user basis, set the remote access permission on each user account that is allowed to create remote access connections to Allow access, and then modify the profile properties of the default remote access policy, called Allow access if dial-in permission is enabled, to carry the needed connection parameters.

If the remote access server is only providing dial-up remote access connections and no VPN connections, then delete the default remote access policy called Allow access if dial-in permission is enabled and create a new remote access policy with a descriptive name, such as Dial-up remote access if dial-in permission is enabled.

As an example of typical settings to allow dial-up remote access connections, configure the remote access policy permission to Deny remote access permission and set the conditions and profile settings as listed in Tables 7.2 and 7.3. For detailed information about configuring these settings, see Windows 2000 Server Help.

Table 7.2 Remote Access Policy Conditions for Dial-Up Access by User Account

    Condition          Setting
    NAS-Port-Type      Select all except Virtual.

Table 7.3 Remote Access Policy Profile Settings for Dial-Up Access by User Account

    Profile tab          Setting
    Authentication tab   Enable Microsoft encrypted authentication version 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP).

Access by Policy

The access by policy administrative model is intended for Windows 2000 remote access servers that are either standalone or a member of a Windows 2000 native mode domain. To manage remote access by policy, set the remote access permission on all user accounts to Control access through Remote Access Policy. Then define the new remote access policies that allow or deny access based on your needs. If the remote access server computer is a member of a Windows NT 4.0 domain or a Windows 2000 mixed domain and you want to manage access by policy, set the remote access permission on all user accounts to Allow access. Then, remove the default policy called Allow access if dial-in permission is enabled and create new policies that allow or deny access. A connection that does not match any configured remote access policy is denied, even if the remote access permission on the user account is set to Allow access.

A typical use of policy-based access is to allow access through group membership. For example, create a Windows 2000 group with a name, such as DialUpUsers, whose members are those users who are allowed to create dial-up remote access connections.

To create a remote access server that only allows dial-up remote access connections, delete the default remote access policy called Allow access if dial-in permission is enabled and then create a new remote access policy with a descriptive name, such as Dial-up remote access if member of DialUpUsers group.

As an example of typical settings to allow dial-up remote access for only members of a specific group, configure the remote access policy permission to Grant remote access permission and set the conditions and profile settings as listed in Tables 7.4 and 7.5. For detailed information about configuring these settings, see Windows 2000 Server Help.

Table 7.4 Remote Access Policy Conditions for Dial-Up Access by User Account

    Condition          Setting
    NAS-Port-Type      Select all except Virtual.
    Windows-Groups     DialUpUsers (example)

Table 7.5 Remote Access Policy Profile Settings for Dial-Up Access by User Account

    Profile tab          Setting
    Authentication tab   Enable Microsoft encrypted authentication version 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP) (example)
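As an added example (not code from the Resource Kit or from Windows), the following Python model shows how a connection attempt is decided under the two models described above: the account's dial-in permission combined with an ordered list of remote access policies, where the first policy whose conditions match is the only one considered, no match means rejection even for an account set to Allow access, and the matched policy's profile still constrains the connection. The NAS-Port-Type values, group names and attempt details are constructed for illustration.

```python
from dataclasses import dataclass, field

# Dial-in permission values on a Windows 2000 user account
ALLOW, DENY, BY_POLICY = "Allow", "Deny", "ControlThroughPolicy"
ALL_PORTS = {"Async", "ISDN", "Virtual"}      # constructed NAS-Port-Type values; Virtual = VPN

@dataclass
class Policy:
    name: str
    grant: bool                                # Grant vs Deny remote access permission
    port_types: set                            # NAS-Port-Type condition
    groups: set = field(default_factory=set)   # Windows-Groups condition (empty = not set)
    auth_methods: set = field(default_factory=lambda: {"MS-CHAP v2", "MS-CHAP"})  # profile

@dataclass
class Attempt:
    user_permission: str
    port_type: str
    groups: set
    auth_method: str

def conditions_match(policy: Policy, attempt: Attempt) -> bool:
    if attempt.port_type not in policy.port_types:
        return False
    return not policy.groups or bool(policy.groups & attempt.groups)

def evaluate(policies: list, attempt: Attempt) -> tuple:
    """Policies are tried in order; the first whose conditions match decides.
    No matching policy rejects the attempt, even for an account set to Allow."""
    for p in policies:
        if not conditions_match(p, attempt):
            continue
        if attempt.user_permission == DENY:
            return False, "user account denies dial-in"
        if attempt.user_permission == BY_POLICY and not p.grant:
            return False, f"policy {p.name!r} denies access"
        # ALLOW on the account overrides a policy whose permission is Deny;
        # the matched policy's profile still constrains the connection
        if attempt.auth_method not in p.auth_methods:
            return False, f"profile of {p.name!r} rejects {attempt.auth_method}"
        return True, f"accepted by policy {p.name!r}"
    return False, "no matching remote access policy"

# Tables 7.2 and 7.3: access by user account (policy permission set to Deny)
BY_ACCOUNT = [Policy("Dial-up remote access if dial-in permission is enabled",
                     grant=False, port_types=ALL_PORTS - {"Virtual"})]
# Tables 7.4 and 7.5: access by policy (Grant, members of DialUpUsers only)
BY_GROUP = [Policy("Dial-up remote access if member of DialUpUsers group",
                   grant=True, port_types=ALL_PORTS - {"Virtual"}, groups={"DialUpUsers"})]
```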

Managing Authentication

The remote access server can be configured to use either Windows or RADIUS as an authentication provider.

Windows Authentication

If Windows is selected as the authentication provider, then the user credentials sent by users attempting remote access connections are authenticated using normal Windows authentication mechanisms.

If the remote access server is a member server in a mixed-mode or native-mode Windows 2000 domain and is configured for Windows authentication, the computer account of the remote access server must be a member of the RAS and IAS Servers security group. A domain administrator can add it with the Active Directory User and Groups snap-in or with the netsh ras add registeredserver command before the Routing and Remote Access service is installed. If the user installing the Routing and Remote Access service is a domain administrator, the computer account is added to the RAS and IAS Servers security group automatically during the installation.

RADIUS Authentication

If RADIUS is selected and configured as the authentication provider on the remote access server, then user credentials and parameters of the connection request are sent as a series of RADIUS request messages to a RADIUS server such as a computer running Windows 2000 Server and the Internet Authentication Service (IAS).

The RADIUS server receives a user-connection request from the remote access server and authenticates the client against its authentication database. A RADIUS server can also maintain a central storage database of other relevant user properties. In addition to the simple yes or no response to an authentication request, RADIUS can inform the remote access server of other applicable connection parameters for this user — such as maximum session time, static IP address assignment, and so on.

RADIUS can respond to authentication requests based upon its own database, or it can be a front end to another database server such as a generic Open Database Connectivity (ODBC) server or a Windows 2000 PDC. The latter server could be located on the same machine as the RADIUS server, or could be centralized elsewhere. In addition, a RADIUS server can act as a proxy client to a remote RADIUS server.

The RADIUS protocol is described in RFCs 2138 and 2139. For more information about remote access server authentication scenarios and the remote access server as a RADIUS client, see Windows 2000 Server Help. For more information about IAS, see "Internet Authentication Service" in this book.



Note

Both the Routing and Remote Access service when configured for Windows authentication and IAS use the same process to provide authentication and authorization of incoming connection requests. For more information on this process, see "Internet Authentication Service" in this book.

Managing Accounting

The remote access server can be configured to use either Windows or RADIUS as an accounting provider. If Windows is selected as the accounting provider, then the accounting information is accumulated in a log file on the remote access server. If RADIUS is selected as the accounting provider, RADIUS accounting messages are sent to the RADIUS server for accumulation and later analysis.

Most RADIUS servers can be configured to place authentication request records into an accounting file. There is also a set of messages (from the remote access server to the RADIUS server) that request accounting records at the start of a call, at the end of a call, and at predetermined intervals during a call. A number of third parties have written billing and audit packages that read these RADIUS accounting records and produce various useful reports.
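As an added example (not from the Resource Kit), the following Python code builds the start-of-call, interim and end-of-call accounting records described above in the RFC 2139 Accounting-Request format, and shows what a billing or audit consumer should do before trusting one: recompute the Request Authenticator with the shared secret and leave out any record that fails. The shared secret, session id and session times are constructed values.

```python
import hashlib
import struct

ACCT_REQUEST = 4                         # Accounting-Request packet code (RFC 2139)
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46   # attribute types
START, STOP, INTERIM = 1, 2, 3           # Acct-Status-Type values
SECRET = b"constructed-shared-secret"    # constructed NAS/RADIUS server shared secret

def attr(t, value):
    """Attribute = Type, Length (including this 2-byte header), Value; ints are 32-bit."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return struct.pack("BB", t, len(value) + 2) + value

def accounting_request(ident, attrs, secret=SECRET):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_and_parse(packet, secret=SECRET):
    """Return {type: value} only if the authenticator verifies; otherwise None."""
    code, _, length = struct.unpack(">BBH", packet[:4])
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if code != ACCT_REQUEST or packet[4:20] != expected:
        return None
    attrs, i = {}, 0
    while i < len(body):
        t, n = body[i], body[i + 1]
        if n < 2: return None            # malformed attribute length
        attrs[t] = body[i + 2:i + n]
        i += n
    return attrs

def session_times(packets, secret=SECRET):
    """Seconds per Acct-Session-Id from verified Start/Interim/Stop records."""
    seen = {}
    for a in (verify_and_parse(p, secret) for p in packets):
        if a is None:
            continue                     # forged or corrupted record: not counted
        sid = a[ACCT_SESSION_ID].decode()
        status = struct.unpack(">I", a[ACCT_STATUS_TYPE])[0]
        seen[sid] = 0 if status == START else struct.unpack(">I", a[ACCT_SESSION_TIME])[0]
    return seen

# Constructed sample: one dial-up call reported as Start, one Interim update, and Stop
SAMPLE = [accounting_request(n, [attr(ACCT_STATUS_TYPE, s), attr(ACCT_SESSION_ID, b"0001")]
                                + ([attr(ACCT_SESSION_TIME, secs)] if secs else []))
          for n, s, secs in ((1, START, None), (2, INTERIM, 600), (3, STOP, 1320))]
```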

Network Management

The computer acting as the remote access server can participate in a Simple Network Management Protocol (SNMP) environment as an SNMP agent by installing the Windows 2000 SNMP Service. The remote access server records management information in various object identifiers of the Internet Management Information Base (MIB) II that is installed with the Windows 2000 SNMP service. Objects in the Internet MIB II are documented in RFC 1213.

© 1985-2000 Microsoft Corporation. All rights reserved.