IAS Features Supported by Microsoft Windows Servers


Purpose

The Internet Authentication Service (IAS) in Microsoft Windows Server 2003 acts as a Remote Authentication Dial-In User Service (RADIUS) server and proxy (through connection request processing) to authenticate a user’s identity and authorize a connection. In brief, it connects with the dial-up connection server or a Network Access Server (NAS) and forwards requests and messages to other RADIUS servers.

IAS is available on Windows servers like…

  • ISA Server 2004, which offers network firewalls and IPsec VPNs
  • ISA Server 2006 (with an improved user interface), which supports stateful filtering and complete inspection of all VPN traffic

IAS also works with the Windows NT 4.0 Option Pack or Microsoft Commercial Internet Service (MCIS), which is where Microsoft first made it available.

Note: With the release of Windows Server 2008, Microsoft’s IAS was renamed Network Policy Server (NPS), which supports the same two API sets as IAS: Network Policy Server Extensions API and Server Data Objects API.

Function and Use

IAS as a RADIUS server

IAS provides authentication (with RSA SecurID two-factor authentication), authorization and accounting for all network access connections. It uses an Active Directory domain controller to validate the user’s credentials - by checking the user properties and permissions against the remote access policies - and will either authorize or reject the connection. (Note: For the IAS server to access Active Directory domains, which contain the user accounts, passwords and dial-in properties that each IAS server requires to authenticate user credentials, the IAS server must be registered first.)

It is also used to provide services for all access requests that are stored in a local log or Structured Query Language (SQL) file. To collect and maintain data in a central location, IAS can also be used as a Virtual Private Network (VPN) connection.

IAS supports RSA enVision technology, an information management platform that can collect, manage and protect data from any Internet Protocol (IP) device. This adds the security needed to maximize protection when accessing resources on the Web.

Security

IAS supports a number of authentication protocols, such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP), which are password-based authentication protocols. IAS also supports the Extensible Authentication Protocol Message Digest 5 (EAP-MD5) and Transport Layer Security (TLS), as well as the Protected Extensible Authentication Protocol (PEAP) to provide secure password authentication for wireless clients.

In addition to supporting authentication requirements, it supports a number of authorization methods based on the number called, from the Dialed Number Identification Service (DNIS), and based on the phone number of the caller, from the Automatic Number Identification/Calling Line Identification (ANI/CLI).

Furthermore, it can support multiple IAS servers (with the Netsh command-line tool) and manage them remotely (just by typing the name or IP address of the remote IAS server).

Setup and Configuration

To install IAS, the user must select it from the Networking Services dialog box in Add/Remove Windows Components and, if prompted, insert the Windows Server information.

To configure it, open its Properties, click on the General tab, and then select each required option. To start or stop it, click on Start or Stop Service.

Users can configure IAS properties to…

  • Deploy IAS as a RADIUS server or proxy
  • Run it as a NAT (Network Address Translation) router
  • Manage IAS on a remote computer
  • Use multiple port settings for authentication or accounting requests
  • Log all events (such as rejected, discarded and successful authentication requests)

Microsoft points out that, “[a]fter you install and configure IAS, save the configuration by using the netsh aaaa show config > path\file.txt command. [Do this] each time a change is made.” [1]

Benefits

Implementing Your IAS Solution

IAS is useful for providing various types of remote access to a network. Capable of dial-in, VPN or wireless network access services, it benefits users that need to deploy a RADIUS server or proxy. It comes in handy for auditing and troubleshooting networked connections because it has event logging to record events. It is also useful for connection analysis, as it has request logging to track network activities as well as security attacks.

In summary, IAS can be implemented in a variety of ways to best meet a user’s needs. For example, public users can use it to provide a solution for Internet access and configure it to be compatible with third-party access servers, and company users can configure it to authenticate access to extranet resources for business partners.

Reference Section

Read more about it on BH:

Remote Access Service on Windows 2003 Setup Guy

Source:

[1] IAS Best Practices: https://technet.microsoft.com/en-us/library/cc780683%28WS.10%29.aspx

External Resource:

FAQs: https://technet.microsoft.com/en-us/network/5f368b04-71b6-47b2-ae2c-63f9c0890c9a

Additional Resource:

RSA enVision: https://www.rsa.com/experience/envision/3n1/
