Internet Authentication Service
The IAS features include the following:
Authenticating the users who attempt to connect is the central security concern of remote access. IAS supports a variety of authentication protocols and, through the Extensible Authentication Protocol (EAP), lets you add further authentication methods to meet your requirements.
The following section describes the authentication methods supported in Windows 2000.
Outsourced dialing (also referred to as wholesale dialing) is a contractual arrangement between an organization or private company (the customer) and an ISP in which the ISP lets the company's employees dial in to the ISP's network and then establish a VPN tunnel to the company's private network. When an employee connects to the ISP's remote access server, the authentication request and the usage records are forwarded to the IAS server at the company. The IAS server therefore lets the company control user authentication, track usage, and decide which employees are allowed to gain access to the ISP's network.
The advantage of outsourcing is the potential savings. For example, by using an ISP's routers, network access servers, and T1 lines instead of buying your own, you can save a great deal on hardware (infrastructure) costs. You can also significantly reduce long-distance telephone charges by having users dial in to the points of presence (POPs) of an ISP with worldwide coverage, or to the POPs of other ISPs that belong to a roaming consortium. By handing off support to the provider in this way, you can also remove a large part of your administrative budget.
To grant a connecting user appropriate access to the network, IAS authenticates users against Microsoft® Windows NT® version 4.0 domains and the Windows 2000 local Security Accounts Manager (SAM). IAS also supports new features of the Active Directory™ directory service, such as user principal names and universal groups.
Remote access policies are sets of conditions that give network administrators finer control over who is allowed to connect to the network. Managing remote access permission on each user account individually is simple, but it becomes unwieldy as the organization grows. Remote access policies provide a more powerful and flexible way to manage remote access permission.
You can use remote access policies to control remote access based on a variety of conditions, such as:
Each remote access policy contains a profile of settings from which you can control connection parameters. For example, you can:
Support for the RADIUS standard allows IAS to control connection parameters for any network access server that implements that standard. The RADIUS standard also allows individual remote access vendors to create proprietary extensions called vendor-specific attributes. IAS has incorporated the extensions from a number of vendors in its multivendor dictionary.
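The exchange that the RADIUS standard defines between a network access server and a RADIUS server such as IAS, as an added example that is not code from the original page or from IAS itself. It builds an Access-Request carrying a hidden User-Password and a Vendor-Specific attribute, answers it with an Access-Accept or Access-Reject, and has the NAS verify the Response Authenticator before trusting the answer. The packet layout, password hiding and Response Authenticator follow RFC 2865; the shared secrets, the user store, the NAS address and the vendor ID 99999 are constructed stand-ins.

```python
"""RADIUS Access-Request/Accept exchange per RFC 2865: packet layout, User-Password
hiding, and the Response Authenticator. Values marked 'constructed' are stand-ins."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
EXAMPLE_VENDOR_ID = 99999             # constructed: not a registered enterprise number
USER_DB = {"alice": "correct horse"}  # constructed stand-in for the SAM / domain lookup

def hide_password(password, secret, request_auth):
    """Pad to a multiple of 16 (minimum 16), then XOR each chunk with
    MD5(secret + previous chunk), seeded with the Request Authenticator (s5.2)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server with its copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id, then a vendor type/length/value triple."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

# NAS side
def build_access_request(ident, user, password, nas_ip, secret):
    request_auth = os.urandom(16)  # fresh per request; the reply is bound to it
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + vsa(EXAMPLE_VENDOR_ID, 1, b"gold"))  # constructed vendor attribute
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def verify_response(resp, request_auth, secret):
    """Check the Response Authenticator before trusting the code: (authentic, code)."""
    code, ident, auth, _ = parse(resp)
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return hmac.compare_digest(auth, expected), code

# RADIUS server side (what IAS does with the request)
def handle_access_request(pkt, secret):
    code, ident, request_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    found = dict(attrs)
    user = found.get(USER_NAME, b"").decode(errors="replace")
    hidden = found.get(USER_PASSWORD, b"")
    password = reveal_password(hidden, secret, request_auth) if hidden and len(hidden) % 16 == 0 else b""
    expected = USER_DB.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real Accept would carry session attributes from the policy profile
    auth = response_authenticator(reply, ident, reply_attrs, request_auth, secret)
    return packet(reply, ident, auth, reply_attrs)

def run_exchange(user, password, nas_secret, server_secret):
    """One request/response; a secret mismatch surfaces as an unauthenticated reply."""
    req, request_auth = build_access_request(7, user, password, "10.0.0.5", nas_secret)
    resp = handle_access_request(req, server_secret)
    return verify_response(resp, request_auth, nas_secret)
```

Two points worth noting from the code. The Response Authenticator is the only thing that binds an Accept or Reject to the request and to the shared secret, so a NAS that skips verify_response will act on any forged reply that carries the right Identifier. And the User-Password hiding is an MD5 keystream derived from the shared secret, not encryption in any modern sense, which is why the link between a NAS and IAS should run over a network that an attacker cannot observe.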
Support for the RADIUS standard allows IAS to collect the usage (accounting) records sent by a NAS at a single point. IAS logs audit information (for example, authentication Accepts and Rejects) and usage information (for example, logon and logoff records) to log files. IAS supports a log-file format that can be directly imported into a database. The data in the database can be analyzed by using third-party data-analysis software.
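Collecting every NAS's accept and reject records at one point is what makes it possible to spot attacks that no single NAS would notice. The following added example is not from the original page and does not use the IAS log format itself: it runs simple detection logic over a constructed, simplified comma-delimited log (date and time, NAS address, user, packet type, reason) standing in for the database-import format, and flags a password spray against many accounts through one NAS, repeated failures against one account, and an account that succeeds right after a run of failures. The thresholds and the five-minute window are assumptions to tune for your own environment.

```python
"""Detection over centralized RADIUS accept/reject records.

The sample below is constructed in a simplified comma-delimited layout
(date time, NAS address, user, packet type, reason). IAS's own database-import
format carries more columns; adapt parse_records() to it."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

WINDOW = timedelta(minutes=5)   # assumption: sliding window for all three checks
SPRAY_USERS = 8                 # distinct users rejected via one NAS inside WINDOW
BRUTE_REJECTS = 5               # rejects for one user inside WINDOW
SUSPICIOUS_FAILS = 3            # an Accept after this many recent rejects is worth a look

SAMPLE_LOG = """\
# constructed sample, not an actual IAS log
2000-03-14 08:00:01,10.0.0.5,alice,Access-Accept,
2000-03-14 08:00:10,10.0.0.5,carol,Access-Reject,bad password
2000-03-14 08:00:25,10.0.0.5,carol,Access-Reject,bad password
2000-03-14 08:00:41,10.0.0.5,carol,Access-Reject,bad password
2000-03-14 08:00:58,10.0.0.5,carol,Access-Reject,bad password
2000-03-14 08:01:13,10.0.0.5,carol,Access-Reject,bad password
2000-03-14 08:01:30,10.0.0.5,carol,Access-Accept,
2000-03-14 08:02:00,10.0.0.9,user01,Access-Reject,bad password
2000-03-14 08:02:03,10.0.0.9,user02,Access-Reject,bad password
2000-03-14 08:02:06,10.0.0.9,user03,Access-Reject,bad password
2000-03-14 08:02:09,10.0.0.9,user04,Access-Reject,bad password
2000-03-14 08:02:12,10.0.0.9,user05,Access-Reject,bad password
2000-03-14 08:02:15,10.0.0.9,user06,Access-Reject,bad password
2000-03-14 08:02:18,10.0.0.9,user07,Access-Reject,bad password
2000-03-14 08:02:21,10.0.0.9,user08,Access-Reject,bad password
2000-03-14 08:02:24,10.0.0.9,user09,Access-Reject,bad password
2000-03-14 08:30:00,10.0.0.5,bob,Access-Accept,
"""

def parse_records(text):
    """Parse the simplified log into dicts sorted by timestamp; '#' lines are comments."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        stamp, nas, user, ptype, reason = row
        records.append({"ts": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                        "nas": nas, "user": user, "type": ptype, "reason": reason})
    return sorted(records, key=lambda r: r["ts"])

def analyze(records, window=WINDOW, spray_users=SPRAY_USERS,
            brute_rejects=BRUTE_REJECTS, suspicious_fails=SUSPICIOUS_FAILS):
    """Return [(kind, key, detail)] findings; each (kind, key) pair is reported once."""
    rejects_by_nas = defaultdict(list)    # nas  -> [(ts, user)] inside the window
    rejects_by_user = defaultdict(list)   # user -> [ts] inside the window
    findings, seen = [], set()

    def report(kind, key, detail):
        if (kind, key) not in seen:
            seen.add((kind, key))
            findings.append((kind, key, detail))

    for r in records:
        now, nas, user = r["ts"], r["nas"], r["user"]
        # drop events that have fallen out of the sliding window
        rejects_by_nas[nas] = [e for e in rejects_by_nas[nas] if now - e[0] <= window]
        rejects_by_user[user] = [t for t in rejects_by_user[user] if now - t <= window]
        if r["type"] == "Access-Reject":
            rejects_by_nas[nas].append((now, user))
            rejects_by_user[user].append(now)
            distinct = {u for _, u in rejects_by_nas[nas]}
            if len(distinct) >= spray_users:
                report("password-spray", nas, f"{len(distinct)} distinct users rejected within {window}")
            if len(rejects_by_user[user]) >= brute_rejects:
                report("brute-force", user, f"{len(rejects_by_user[user])} rejects within {window} via {nas}")
        elif r["type"] == "Access-Accept":
            fails = len(rejects_by_user[user])
            if fails >= suspicious_fails:
                report("success-after-failures", user, f"accepted via {nas} after {fails} recent rejects")
    return findings

if __name__ == "__main__":
    for kind, key, detail in analyze(parse_records(SAMPLE_LOG)):
        print(f"{kind:24} {key:12} {detail}")
```

The spray check keys on the NAS rather than the user because a spray touches each account only once or twice, which is exactly why per-account lockout thresholds miss it; only a view across all accounts passing through one access server reveals it.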
The Windows 2000 Routing and Remote Access service can be configured to use either Windows authentication and accounting or RADIUS authentication and accounting. When RADIUS authentication or accounting is selected, any RFC-compliant RADIUS server can be used. However, using an IAS server is recommended to achieve the best integration in Windows 2000 environments and to take advantage of centralized remote access policies.
For example, in a small network or in branch offices with a small number of remote access servers and no requirement for centralized management of remote access, the Routing and Remote Access service can be configured to use Windows authentication and accounting.
In a global enterprise with large numbers of remote access servers deployed worldwide, centralized authentication and accounting using IAS can be beneficial. However, if a small branch office has only a low-bandwidth connection to the enterprise's centralized IAS server, the Windows authentication and accounting configuration can be copied from a central location to the remote access servers of the branch office.
IAS and the Routing and Remote Access service share the same remote access policies and the same authentication and accounting logging capabilities. When the Routing and Remote Access service is configured for Windows authentication, its local policies and local logging are used. When the Routing and Remote Access service is configured as a RADIUS client of an IAS server, the policies and logging of the IAS server are used.
This integration provides consistent implementation across IAS and the Routing and Remote Access service. It allows you to deploy the Routing and Remote Access service in small sites without the need for a separate, centralized IAS server; it also provides the capability to scale up to a centralized remote access management model when you have multiple remote access servers in your organization. In this case, IAS in conjunction with remote access servers implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access. The policies within IAS at a central large site can be exported to the independent remote access server in a small site.
IAS provides a graphical user interface (snap-in) that enables you to configure local or remote IAS servers.
You can monitor IAS by using Windows 2000–based tools, such as Event Viewer or System Monitor, or by using Simple Network Management Protocol (SNMP).
You can use IAS in a variety of network configurations of varying size, from stand-alone servers for small networks to large corporate and ISP networks.
The IAS Software Development Kit (SDK) can be used to:
Implement arbitrary authentication methods by using EAP.
IAS configuration can be exported and imported by running netsh from the command prompt.