Remote Access Dial-In User Service (RADIUS)

Centralizing Authentication Using IAS

RADIUS Authentication

RADIUS is a protocol that enables centralized authentication, authorization, and accounting for network access.

RADIUS can be used to:
- Centrally manage network access for VPN, dial-up, and wireless networks
- Process connection requests or accounting messages from RADIUS clients or proxies

Windows Implementation of RADIUS

Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server.

Configure IAS to support:
- Dial-up corporate access
- Extranet access for business partners
- Internet access
- Outsourced corporate access through service providers

Centralized Authentication & Policy Management

1. The remote access client dials in to a local RADIUS client (the access server) to gain network connectivity
2. The RADIUS client forwards the request to a RADIUS server
3. The RADIUS server authenticates the request and stores accounting information
4. The RADIUS server communicates to the RADIUS client whether to grant or deny access
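The four steps above are carried by RADIUS packets protected with a shared secret between the RADIUS client and server. The following is an added example, not code from the slides or from Microsoft IAS: a minimal model of that exchange as specified in RFC 2865, showing how the User-Password attribute is hidden with the secret (step 2), how the server checks the request and signs its reply with the Response Authenticator (step 3), and how the client drops a reply it cannot authenticate rather than treating it as a grant or deny (step 4). The user name, password, shared secret, and user database are constructed sample values.

```python
"""Model of a RADIUS Access-Request / Access-Accept exchange (RFC 2865).
Added illustration only; not the slides' or IAS's code. All names and
secrets below are constructed samples."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block). The first block uses the
    16-byte Request Authenticator instead of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    # Type (1 byte), Length (1 byte, counts the 2 header bytes), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs):
    parsed, i = {}, 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        parsed[t] = attrs[i + 2:i + length]
        i += length
    return parsed


def build_access_request(username, password, secret, ident=1):
    """Step 2: the RADIUS client forwards the request. Returns the packet
    and the random Request Authenticator the client must keep to verify
    the reply."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, secret, users):
    """Step 3: the server reveals the password, checks the user database,
    and returns a reply whose authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], packet[20:length]
    fields = parse_attributes(attrs)
    pw = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected_pw = users.get(fields.get(ATTR_USER_NAME))
    ok = (code == ACCESS_REQUEST and expected_pw is not None
          and hmac.compare_digest(expected_pw, pw))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_decision(reply, request_auth, secret):
    """Step 4: the client honours the reply only if the Response
    Authenticator proves it came from a holder of the shared secret.
    Returns "accept", "reject", or "drop" (unauthenticated reply)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "drop"
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed sample
    users = {b"alice": b"correct horse"}  # constructed sample user database
    pkt, ra = build_access_request(b"alice", b"correct horse", secret)
    print(client_decision(server_handle(pkt, secret, users), ra, secret))
```

The point a practitioner should take from the model is the third outcome: a reply whose authenticator does not verify (forged, or from a server configured with a different secret) is dropped, never interpreted as an Access-Reject, and never as an Access-Accept.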

Network Access Quarantine

What is Network Access Quarantine

Network Access Quarantine can prevent remote access clients from accessing resources until they conform to the corporate IT policies.

Some of the standards that NAQ can be used to enforce:
- Appropriate virus definitions
- Latest service packs and hotfixes
- Routing disabled
- Firewall installed
- Password-protected screensaver

Requirements for Network Access Quarantine

How Network Access Quarantine Works

NAQ process:
- Client connects using a CM profile
- Routing and Remote Access validates the authentication request
- MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings are applied to the connection
- CM profile runs the post-connect script and executes Rqc.exe if validation is successful
- Rqs.exe on the server verifies the script version sent by Rqc.exe to determine if it was valid
- If Rqs.exe determines that the script version was valid, the remote access client is removed from the quarantine

Checklist for Network Access Quarantine

To prepare for NAQ:
- Enable Routing and Remote Access
- Install the Remote Access Quarantine service
- Create a validation script
- Create quarantine resources
- Create a remote access policy
- Install the Connection Manager Administration Kit
- Create a CM profile
- Start the Remote Access Quarantine service

Remote Access Policies

There are two important attributes used in the NAQ policy profile:
- MS-Quarantine-Session-Timeout
  The amount of time a client can be connected to the remote access server while quarantined
  The client must validate its settings during this time
- MS-Quarantine-IPFilter
  Provides access to quarantine resources
  Configure input and output filters
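The NAQ process and the two policy attributes above fit together as a fail-closed state machine: a freshly authenticated client can only reach quarantine resources, must report a valid script version before the session timeout, and is dropped otherwise. The following is an added model of that flow, written for this page and not Microsoft's Rqc.exe/Rqs.exe code: the `session_timeout` and `quarantine_networks` fields stand in for MS-Quarantine-Session-Timeout and MS-Quarantine-IPFilter, `validation_script` plays the role of the post-connect script, and `receive_script_result` plays the role of Rqs.exe comparing the reported version. The subnet, timeout, version string, and client states are constructed sample values.

```python
"""Model of the Network Access Quarantine flow. Added illustration only;
not the slides' or Microsoft's code. All values are constructed samples."""
import ipaddress
from dataclasses import dataclass

SCRIPT_VERSION = "1.0"  # constructed: the version the validation script reports


@dataclass
class QuarantinePolicy:
    session_timeout: float          # stands in for MS-Quarantine-Session-Timeout (seconds)
    quarantine_networks: tuple      # stands in for MS-Quarantine-IPFilter (reachable while quarantined)
    accepted_script_versions: frozenset  # versions the Rqs.exe role will release a client for


@dataclass
class Connection:
    user: str
    connected_at: float
    quarantined: bool = True
    disconnected: bool = False


class QuarantineServer:
    """Server side: Routing and Remote Access plus the Rqs.exe role."""

    def __init__(self, policy):
        self.policy = policy
        self.nets = [ipaddress.ip_network(n) for n in policy.quarantine_networks]

    def connect(self, user, now):
        # Authentication already validated; quarantine attributes applied
        return Connection(user=user, connected_at=now)

    def enforce_timeout(self, conn, now):
        # Session timeout: a client still quarantined at expiry is dropped
        if (conn.quarantined and not conn.disconnected
                and now - conn.connected_at > self.policy.session_timeout):
            conn.disconnected = True
        return not conn.disconnected

    def packet_allowed(self, conn, dst_ip):
        # IP filter: while quarantined, only quarantine resources are reachable
        if conn.disconnected:
            return False
        if not conn.quarantined:
            return True
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for net in self.nets)

    def receive_script_result(self, conn, version, now):
        # Rqs.exe role: release only for a recognised script version, and only
        # while the quarantine session is still alive
        if not self.enforce_timeout(conn, now):
            return False
        if version in self.policy.accepted_script_versions:
            conn.quarantined = False
        return not conn.quarantined


# Client-side checks mirroring the slide's list; key -> required value
REQUIRED = {
    "virus_definitions_current": True,
    "hotfixes_current": True,
    "routing_enabled": False,
    "firewall_installed": True,
    "screensaver_password_protected": True,
}


def validation_script(client_state):
    """Post-connect script role: returns the version string (what Rqc.exe
    would send) only when every check passes, otherwise None."""
    failed = [k for k, want in REQUIRED.items() if client_state.get(k) != want]
    return None if failed else SCRIPT_VERSION


def run_post_connect(server, conn, client_state, now):
    """Client side of the flow. Returns True if the client left quarantine."""
    version = validation_script(client_state)
    if version is None:
        return False  # validation failed; nothing is sent, client stays quarantined
    return server.receive_script_result(conn, version, now)


if __name__ == "__main__":
    policy = QuarantinePolicy(120, ("10.0.5.0/24",), frozenset({"1.0"}))  # constructed
    server = QuarantineServer(policy)
    conn = server.connect("alice", now=0)
    compliant = {k: v for k, v in REQUIRED.items()}
    print(run_post_connect(server, conn, compliant, now=30), server.packet_allowed(conn, "10.0.1.10"))
```

Note the asymmetry the model enforces: a client that fails validation sends nothing and simply stays in quarantine, while a client that reports an unrecognised script version, or reports after the timeout, is likewise never released; only a known version inside the session window clears the IP filter.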

Connection Manager Profiles

Connection Manager profiles:
- Pre-package remote access connections for dial-up or VPN
- Administrator-defined connection features
- Simple client-side installation by using an executable
- Post-connect script can be included to run Rqc.exe

Connection Manager Administration Kit:
- Used to create Connection Manager profiles
- Can be installed from Add or Remove Programs

Managing & Logging Network Access Services

Routing & Remote Access Logging

There are three types of logging:
- Event logging
  Records remote access server errors, warnings, and other information in the system event log
- Local authentication and accounting logging
  Tracks usage and authentication attempts on the local remote access server
- RADIUS-based authentication and accounting logging
  Tracks usage and authentication attempts on the RADIUS server

Authentication & Accounting Logging

Track remote access usage and authentication attempts

Maintain records for billing purposes

Isolate remote access policy issues

Specific Connections Logging

Connection Type: PPP
Logfile Name: PPP log
Description: Records the series of programming functions and PPP control messages

Connection Type: L2TP/IPSec
Logfile Name: Audit log
Description: Records information about IPSec-related events

Connection Type: L2TP/IPSec
Logfile Name: Oakley log
Description: Records information about all Internet Key Exchange main-mode or quick-mode negotiations