Considerations For Radius Configuration And Network Locations

By Author: unknownmem
Total Articles: 128
Comment this article

When RADIUS is used, the VPN client establishes a connection to the microsoft exams(http://www.mcsa-70-270.com)
server, but the VPN server acts as a RADIUS client and uses the RADIUS server to authenticate and authorize the client. Figure 10-13 shows this process.
VPN connections
Consider the following points when designing RADIUS authentication:
When RADIUS is used, remote access policies on the RADIUS server dictate authorization policy.
Active Directory can be used by the RADIUS server as its account database. The bRADIUS server must be able to communicate with Active Directory.
The VPN server must be able to communicate with the RADIUS server.
The VPN server passes user credentials to the RADIUS server. This data is encrypted using the RADIUS shared secret. This shared secret must be configured
on both the VPN server and the RADIUS server.
RADIUS can also provide proxy services to other RADIUS servers. Many organizations use ISP-based RADIUS servers to forward authentication requests from an
organization's mobile users to the organization's RADIUS servers.
...
... In addition, consider the following new Windows Server 2003 IAS options:
Supports a RADIUS proxy. A Free Security+ practice exams(http://www.examshots.com/certification/Security+-67.html)
forwards or routes messages between access servers and other I AS servers.
Allows network authentication and authorization to be mapped by the IAS proxy to different computers. Authentication can be directed to an external RADIUS
server (a non-Windows account database can be used), and authorization can be directed by remote access policies.
Supports 802.Ix wired and wireless connections and authenticating switches. Supports Protected Extensible Authentication Protocol (PEAP) for 802.11 wired
and wireless clients. PEAP uses Transport Layer Security (TLS) for end-to-end communication.
Provides for enhanced EAP configuration using remote access policies. Windows 2000 allowed only a single EAP type. Windows Server 2003 remote access policies
support several.
Supports ignoring user dial-in properties. (User dial-in properties might modify some setting that is contrary to policy. To ensure full control of settings resides with Remote Access policy, use this setting.)
Supports configuring RADIUS clients by IP address range.
Supports computer authentication, and therefore supports wireless or authentication-switch access clients.
Supports user certificate purpose-checking. MCITP certification(http://www.upcert.com)
types are determined by the certificate Enhanced Key Usage (EKU) extension.
Supports user authentication—based remote access policies.