Guidelines For Designing An Authentication And Authorization Strategy Using Ias

By Author: jennie
Total Articles: 286
Comment this article

Follow these guidelines to design authentication and authorization strategies when using IAS:
When the user account dial-in MCSE 2003 exams permission is set to Control Access Through Remote Access Policy, specify connection access as dependent on Windows Groups. Otherwise, all user accounts will be allowed access if they meet the conditions and profile constraints of a remote access policy.
Always set the user account dial-in permission to Control Access Through Remote Access Policy where possible. This eases the management burden because access
can be managed by Windows groups instead of the administrator having to visit each user account page.
Configure shared password settings:
Select the Message Authenticator attribute with the shared secret when PAP, MS-CHAP, and MS-CHAPv2 authentication protocols are allowed. This param?eter ensures the entire RADIUS message is encrypted. (When EAP authentication types are used, the Message Authenticator attribute is used by default.)
Create 22-character or longer shared secrets composed of a random sequence ...
... of letters, numbers, and punctuation. Change this password often. This will help protect the IAS server and the free CompTIA practice tests clients from password-cracking attacks.
Configure each RADIUS client, RADIUS server, and RADIUS Proxy pair (each connection path) with a different shared secret.
Do not specify RADIUS clients by address range. If you specify RADIUS cli-ents by address range, you must use the same shared password for all RADIUS clients—and this is not a good security practice.
Do not allow PAP authentication. PAP passwords are passed in the clear.
Where possible, specify EAP for authentication and use EAP types that require certificates.
Configure Network Access Quarantine Control.
Specify the use of Terminal Services for remote administration, or specify the use of IPSec between the administrative workstation and the IAS computer.
Configure IPSec policies to encrypt RADIUS traffic between RADIUS clients andIAS.

Note The network access quarantine notifier and listener components (rqc.exe and rqs.exe) as well as a sample quarantine script are provided in the Windows Server 2003 Resource Kit Tools and are downloadable from the Downloads page of the Microsoft Web site at MCSE exams. Additionally, you can use the Windows Server 2003 SDK to write your own custom components.