Using 802.1x Port Authentication To Control Who Can Connect To Your Network

Author: Colin Weaver Company: ITdojo, Inc. Last Revision: 1/31/05

2. Configure a Remote Access Policy using IAS.

The policy is what defines the AAA rules (Authentication, Authorization & Accounting). We want to create a rule that reads something like this, “If you are a computer that is a member of the Global – Authorized PCs global group in the phatcat.com domain and you are connected to an Ethernet port, you are allowed on to the network. If you are anything else, you’re denied access to the network.”

  • To set up the Remote Access Policy, follow these steps:
    • From the Internet Authentication Service MMC snap-in, right-click on Remote Access Policies and select New Remote Access Policy. The New Remote Access Policy Wizard will begin. Click Next.
    • Since I’m using Windows Server 2003, I have the option of using a wizard to set up the policy, which simplifies the process a bit. If you have the wizard option, select it and then enter a name in the field below it. The name needs to be something meaningful to you. For this article I am using Authenticate Domain PCs as my Policy Name. If you don’t have the wizard option (Windows 2000 IAS), all you need to do is select:
      • NAS-Port-Type matches Ethernet and;
      • Windows-Group matches Phatcat\Global – Authorized PCs (or whatever your group name is)
    • Wizard users, click Next and select the Ethernet radio button. Click Next.
    • On the Users or Group page, click the Group radio button and then click Add… . Enter the name of your group(s) and then click OK.
    • On the Authentication page, choose Protected EAP (PEAP) and then click the Configure… button.
    • In the certificate selection drop-down choose the certificate you want to use. If you don’t see a certificate here it means your RADIUS server doesn’t have a certificate enabled for Server Authentication installed. You’ll need to remedy this before moving on.
    • In the EAP Types window make sure Secured Password (EAP-MSCHAP v2) is listed. Leave the Enable Fast Reconnect check box cleared. Click OK.
    • Click Finish.

The Remote Access Policy is now configured. It should be at the top of the list in the detail pane. Order is important on this list: policies are evaluated from the top down, so more than anything be sure the policy you just created is not the last one on the list. It won’t work if it is. The safest bet is for it to be at the top of the list. If you have other policies, sort them so that you get the desired behavior.
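To make the ordering point concrete, here is an added illustration (not code from IAS or from this article) that models an ordered, first-match policy list with the two conditions the article uses, NAS-Port-Type and Windows-Group. The "catch-all deny" policy and the sample requests are constructed for the example; the point is that the same Authenticate Domain PCs policy grants access when it sits above a catch-all policy and is never reached when it sits below one.

```python
"""Model of ordered, first-match Remote Access Policy evaluation (added example).

This is an illustration, not IAS code. Policies are checked top to bottom;
the first policy whose conditions all match decides the outcome, and a
request that matches no policy is rejected. The catch-all policy and the
sample requests below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    conditions: dict   # attribute name -> required value (or list of groups)
    grant: bool        # True = "Grant remote access permission"

    def matches(self, request: dict) -> bool:
        # Every condition must hold (logical AND), as with the article's two conditions.
        for attr, wanted in self.conditions.items():
            have = request.get(attr)
            if attr == "Windows-Group":
                # Windows-Group matches if the account is in ANY of the listed groups.
                if not set(wanted) & set(have or []):
                    return False
            elif have != wanted:
                return False
        return True


def evaluate(policies, request):
    """Return (policy name, granted) for the first matching policy, or (None, False)."""
    for policy in policies:
        if policy.matches(request):
            return policy.name, policy.grant
    return None, False  # no policy matched: the request is rejected


# The policy built in the article: Ethernet port AND member of the authorized-PCs group.
AUTHENTICATE_DOMAIN_PCS = Policy(
    "Authenticate Domain PCs",
    {"NAS-Port-Type": "Ethernet", "Windows-Group": ["Phatcat\\Global – Authorized PCs"]},
    grant=True,
)

# Constructed stand-in for a lower-priority policy with no conditions that denies everything.
CATCH_ALL_DENY = Policy("Catch-all deny (constructed)", {}, grant=False)

# Constructed sample requests as the RADIUS server would see them.
DOMAIN_PC = {
    "NAS-Port-Type": "Ethernet",
    "Windows-Group": ["Phatcat\\Domain Computers", "Phatcat\\Global – Authorized PCs"],
}
UNKNOWN_PC = {"NAS-Port-Type": "Ethernet", "Windows-Group": []}
VPN_CLIENT = {"NAS-Port-Type": "Virtual", "Windows-Group": ["Phatcat\\Global – Authorized PCs"]}


def good_order():
    """Our policy above the catch-all: an authorized PC on an Ethernet port is granted."""
    return evaluate([AUTHENTICATE_DOMAIN_PCS, CATCH_ALL_DENY], DOMAIN_PC)


def bad_order():
    """Our policy below the catch-all: the catch-all matches first and denies the same PC."""
    return evaluate([CATCH_ALL_DENY, AUTHENTICATE_DOMAIN_PCS], DOMAIN_PC)


if __name__ == "__main__":
    print("policy on top:   ", good_order())
    print("policy last:     ", bad_order())
    print("unknown PC:      ", evaluate([AUTHENTICATE_DOMAIN_PCS, CATCH_ALL_DENY], UNKNOWN_PC))
    print("non-Ethernet port:", evaluate([AUTHENTICATE_DOMAIN_PCS], VPN_CLIENT))
```

Running the script shows the authorized PC granted when the policy is first and denied when it is last, an unauthorized PC falling through to the catch-all, and a non-Ethernet request rejected because no policy matches at all.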

  • To verify your policy settings double-click on the policy in the detail pane of IAS. You should see a settings tab. Make sure it contains the following Policy Conditions:
    • NAS-Port-Type matches Ethernet and;
    • Windows-Group matches Phatcat\Global – Authorized PCs (or whatever your group name is)
  • At the bottom of the Settings tab make sure Grant remote access permission is selected. Click OK.
That should do it. The authentication server is configured. Are there other options and things to consider? Yup! But not today…