July 22, 2002 12:00 AM

Using Windows 2000 IAS for Remote Access Solutions

Windows IT Pro
InstantDoc ID #25647

ISPs can use realms to group and route users. A realm name can be a prefix (e.g., CompanyName/) or a suffix (e.g., @company.com) added to the username. When an ISP assigns a realm name to a remote user, the realm arrives at your IAS server as part of the username in the authentication request. Because Microsoft authentication doesn't use realms, the realm name must be removed (i.e., stripped) from the username before the authentication request reaches the AD or the SAM. Realm stripping turns the ISP's username into a standard Microsoft authentication request. To configure realm stripping, open the IAS server's Properties dialog box and select the Realms tab. Click Add to build a list of Find and Replace rules that the system executes in sequential order; because each rule operates on the output of the rules above it, the order of the list matters. To look for and remove a specific realm name, specify the name in the Find text box and leave the Replace text box empty. A username that matches none of the rules is passed on unchanged, realm and all, and the account lookup will then fail. For the complete list of the pattern-matching syntax, use the online Help and search the topic Pattern matching syntax, which provides several examples.
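To make the ordered Find/Replace behavior concrete, the following Python is an added illustration (it is not from the original article and not IAS code). It models the Realms tab as a list of (Find, Replace) pairs applied top to bottom, with Python's re module standing in for the IAS pattern matcher (an assumption; IAS Find fields take regular-expression patterns, but the exact dialect is documented in the Help topic the article cites). The rule lists, realm names and usernames are constructed for the example; the two-rule CHAIN_RULES list is hypothetical and exists only to show that reversing the order changes the result.

```python
import re

# Constructed rule list modelled on the IAS Realms tab: (Find, Replace)
# pairs executed top to bottom. An empty Replace deletes whatever Find
# matched, which is how a realm is stripped. Assumption: Python's re is
# used here as a stand-in for the IAS pattern matcher.
STRIP_RULES = [
    (r"^CompanyName/", ""),     # prefix realm, e.g. CompanyName/jsmith
    (r"@company\.com$", ""),    # suffix realm, e.g. jsmith@company.com
]

# Hypothetical two-step chain: the second rule only matches the output of
# the first, so reversing the list leaves the realm in place.
CHAIN_RULES = [
    (r"@company\.com$", "@corp.example"),
    (r"@corp\.example$", ""),
]


def apply_realm_rules(username, rules):
    """Run the ordered Find/Replace list; each rule sees the previous rule's output."""
    for find, replace in rules:
        username = re.sub(find, replace, username, count=1)
    return username


def has_realm(username):
    """True if a realm marker survived, meaning no rule matched it and the
    AD or SAM lookup would be attempted with the realm still attached."""
    return "/" in username or "@" in username


if __name__ == "__main__":
    for name in ["CompanyName/jsmith", "jsmith@company.com",
                 "CompanyName/jsmith@company.com", "jsmith@otherisp.net"]:
        out = apply_realm_rules(name, STRIP_RULES)
        print(f"{name!r:36} -> {out!r}  realm left: {has_realm(out)}")
    print(apply_realm_rules("jsmith@company.com", CHAIN_RULES))         # jsmith
    print(apply_realm_rules("jsmith@company.com", CHAIN_RULES[::-1]))   # jsmith@corp.example
```

The last case in the loop is the one to watch for in production: jsmith@otherisp.net matches neither rule, so it reaches the account lookup with the realm attached. Anchoring the patterns (^ for a prefix, $ for a suffix) keeps a rule from matching the realm string in the middle of an unrelated name.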

Configuring Win2K IAS
If IAS isn't installed on your system, you need to add IAS to your Win2K server as a Networking Service. You can add IAS by going to Control Panel, Add/Remove Programs, Add/Remove Windows Components. Select Networking Services, click Details, and select Internet Authentication Service. Click OK, then click Next to finish the Windows Components Wizard. Then, select Internet Authentication Service from Administrative Tools. You'll see options for Clients, Remote Access Logging, and Remote Access Policies.

If IAS runs within an AD environment on your system, you need to register IAS with AD so that IAS has access to user accounts. To register IAS, right-click Internet Authentication Service (Local) in the MMC Internet Authentication Service snap-in and select Register Service in Active Directory. If IAS is running outside AD, Register Service in Active Directory will be shaded and you don't need to register it.

The next step is to define the remote access policies you want to use. If you've installed IAS on the same server as your RRAS service, which has preconfigured remote access policies, those policies are imported automatically and you'll see them under Remote Access Policies in the Internet Authentication Service snap-in. If IAS isn't on the same server as your RRAS service, you need to configure your remote access policies from scratch or use the scripting tool Netsh to import them from an existing Win2K RRAS server. After you configure remote access policies, open the server Properties dialog box and determine whether you need to configure any server properties (e.g., ports to listen on, realm stripping).

To configure the IAS server's clients—which are either the RAS server or your ISP's NAS—right-click Clients in the Internet Authentication Service snap-in, then select New Client. This action brings up the Add Client dialog box, where you need to specify a Friendly name (i.e., the name you'll see on the Internet Authentication Service snap-in). Then click Next to bring up the Add RADIUS Client dialog box, which Figure 6 shows.

In this dialog box, you specify the IP address or DNS name of your RAS server (or ISP's NAS), specify the shared Secret (which must match, character for character, the secret configured on that RAS server or NAS), and select whether you want to use signatures for greater security. The signature is the RADIUS Message-Authenticator attribute: a keyed hash over the whole request, computed with the shared secret, which lets IAS verify that each request really came from a client that knows the secret and wasn't altered in transit. You can ignore the Client-Vendor drop-down list unless you use the special Client-Vendor attribute in your remote access policy. If you want to use Client-Vendor attributes and your IAS client is a Microsoft RAS server, you must change IAS's default RADIUS Standard setting in the Client-Vendor drop-down list to Microsoft. If you want to use Client-Vendor attributes and your IAS client is a NAS, check with the NAS's administrator about which value to use. The Client-Vendor drop-down list contains several vendor implementations, including 3Com, Cisco Systems, Eicon Networks, Shiva, and US Robotics. If you're in doubt about which setting to use, stay with the RADIUS Standard default setting.
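What the signature option actually checks is easier to see in code. The following Python is added here as an illustration; it is not from the article and not IAS's implementation. It builds a constructed Access-Request carrying a User-Name and a Message-Authenticator attribute (RFC 2869 attribute type 80, the attribute the IAS dialog calls a signature), then performs the server-side check: HMAC-MD5 over the packet, keyed with the shared secret, with the attribute's own value zeroed during the computation. The secret, identifier and username are constructed; the require_signature parameter models the per-client IAS option that makes the attribute mandatory.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869; the attribute IAS calls a "signature"
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def _find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return None                      # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return offset + 2
        offset += attr_len
    return None


def _expected_mac(packet, secret, value_offset):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    scratch = bytearray(packet)
    scratch[value_offset:value_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(scratch), hashlib.md5).digest()


def build_access_request(identifier, secret, username, sign=True):
    """Client side: a constructed Access-Request with User-Name and, if sign is
    True, a Message-Authenticator keyed with the shared secret."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    if sign:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled below
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)))
    packet += os.urandom(16)                 # Request Authenticator: random per request
    packet += attrs
    if sign:
        off = _find_message_authenticator(packet)
        packet[off:off + 16] = _expected_mac(packet, secret, off)
    return bytes(packet)


def verify_access_request(packet, secret, require_signature=True):
    """Server side. require_signature=True models the IAS client option that
    makes the signature attribute mandatory; False accepts unsigned requests."""
    if len(packet) < HEADER_LEN or packet[0] != ACCESS_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False                         # Length field must cover the whole packet
    off = _find_message_authenticator(packet)
    if off is None:
        return not require_signature
    return hmac.compare_digest(packet[off:off + 16], _expected_mac(packet, secret, off))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    signed = build_access_request(7, secret, "jsmith@company.com")
    print("good secret:", verify_access_request(signed, secret))           # True
    print("wrong secret:", verify_access_request(signed, b"guess"))        # False
    forged = bytearray(signed)
    forged[HEADER_LEN + 2] ^= 0x01                                         # flip a byte of User-Name
    print("tampered:", verify_access_request(bytes(forged), secret))       # False
    unsigned = build_access_request(8, secret, "jsmith", sign=False)
    print("unsigned, required:", verify_access_request(unsigned, secret))  # False
```

Without the attribute, the only thing tying an Access-Request to the shared secret is the hiding of User-Password, so a request that carries no password (an EAP request, for instance) from a spoofed NAS address is indistinguishable from a real one; with the attribute required, a wrong secret or any change to the packet fails the compare. HMAC-MD5 is what the RADIUS specification mandates, which is why the example uses it even though MD5 would not be chosen for a new design.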

You can add as many clients as you have RAS (or NAS) servers. Figure 7 shows an example of IAS configured for two RAS servers. After you define your clients, right-click a client's icon to rename or delete the client or edit its properties. You won't see any indication in the Internet Authentication Service snap-in that the clients are connected, and you won't find an update or refresh option, either.

If you're using multiple IAS servers for fault tolerance, you need to configure the servers identically with the same client details, server details, and remote access policies. The Netsh scripting tool can help you accomplish this identical configuration by exporting settings from one server to a file on a 3.5" disk, from which other IAS servers can import the settings. To use Netsh, type

netsh aaaa show config >A:IAS.txt

from a command prompt on the configured IAS server. This command redirects the configuration script to the file. Then, insert the 3.5" disk with the file on an unconfigured IAS server. From a command prompt on the unconfigured server, type

netsh exec a:IAS.txt

This command executes the saved configuration. A confirmation message will inform you that the server configuration succeeded. Open the Internet Authentication Service snap-in to confirm that the settings imported correctly. Because the exported script has to carry everything needed to rebuild the configuration, including the shared secrets for every RADIUS client, treat the disk as sensitive: keep it locked up while you're using it and wipe or destroy it when the import is done.

You're now ready to go with your central authentication for remote access clients, whether the authentication is for multiple Win2K RAS servers, NT 4.0 RAS servers, or an ISP's network access server.
