VPN / RADIUS

[JD]

Previously, I stated the following:

Machine #1: Windows 2003 Active Directory / Exchange 2003 Server

Machine #2: Windows 2003 File Server / FTP (proposed VPN server)

I want to put VPN (RRAS component of OS) onto Machine #2.

I was told that I ONLY need RADIUS if VPN component is NOT on MACHINE #1 -
the DC.
If that is true, then can I have the RADIUS Server component be installed on
the same server as VPN (RRAS) - Machine #2???

Essentially, if I install VPN/RRAS onto my DC or Machine #1 - then I do not
need to install RADIUS, and if I install VPN/RRAS onto Machine #2 then I
need RADIUS somewhere (which then I prefer to install on same machine -
RADIUS and VPN pieces on same server)

Please clarify me if wrong anywhere or best solution. Thanks everyone.

 

[James McIllece [MS]]

Previously, I stated the following:

Machine #1: Windows 2003 Active Directory / Exchange 2003 Server

Machine #2: Windows 2003 File Server / FTP (proposed VPN server)

I want to put VPN (RRAS component of OS) onto Machine #2.

I was told that I ONLY need RADIUS if VPN component is NOT on MACHINE
#1 - the DC.
If that is true, then can I have the RADIUS Server component be
installed on the same server as VPN (RRAS) - Machine #2???

Essentially, if I install VPN/RRAS onto my DC or Machine #1 - then I
do not need to install RADIUS, and if I install VPN/RRAS onto Machine
#2 then I need RADIUS somewhere (which then I prefer to install on
same machine - RADIUS and VPN pieces on same server)

Please clarify me if wrong anywhere or best solution. Thanks
everyone.

You can install IAS (Internet Authentication Service, or MSFT RADIUS) on
either machine with no problem.

You then need to configure the RADIUS client (aka the VPN server) and the
IAS server with a shared secret, and configure the VPN server to use the
RADIUS protocol & server. In IAS, add the VPN server as a RADIUS client,
then review the default remote access policies with an eye toward modifying
them to suit your needs or toward creating new ones from scratch. You can
configure authorization by user or group; I recommend group, unless you
have just a few users. Don't forget to check the dial-in properties of user
accounts in AD -- the best setting is "Control access through remote access
policy," although this choice is not available if your domain functional
level is below Windows 2000 native. For information about configuring dial-
in properties for a user account, see "Configure dial-in user properties"
in AD Help.

Configuring Remote Access Logging is also a good idea so that you can
perform troubleshooting if you encounter problems. The default Connection
Request Policy should work for you as-is, so you don't need to worry about
that (and you don't need to create a Remote RADIUS Server Group," either).

Make sure to read the IAS Help topic "To enable the IAS server to read user
accounts in Active Directory," plus I highly recommend reading additional
IAS Help. This topic provides a good logical flow to follow, as well as
links to key topics: "Checklist: Configuring IAS for dial-up and VPN
access"

You can post to microsoft.public.internet.radius if you encounter any
problems.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.