共用方式為


IAS test lab tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IAS test lab tasks

The following tasks are designed to take you through the common elements of setting up RADIUS server and proxy support with Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition:

  • PPTP and L2TP remote access VPN connections

  • IAS as a RADIUS server for the VPN server

  • Remote access policies for different types of VPN connections

  • IAS as a RADIUS proxy for the VPN server

Note

  • The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

PPTP and L2TP remote access VPN connections

To create a PPTP-based remote access VPN connection between CLIENT1 and VPN1, do the following:

1. Create a user account

  1. On DC1, use Active Directory Users and Computers to create a user account named PPTPUser with a password. For more information, see Create a new user account.

  2. Set the remote access permission on the Dial-in tab to Allow access. For more information, see Configure remote access permission for a user.

2. Create the PPTP connection

  1. On CLIENT1, use the Make New Connection Wizard to create a new virtual private network connection named PPTP, with the IP address of 10.0.0.2. For more information, see Make a virtual private network (VPN) connection.

  2. On CLIENT1, right-click the new PPTP connection, and then click Properties.

  3. Click the Networking tab, and then in Type of VPN, click PPTP VPN.

  4. Click OK to save changes to the PPTP connection.

3. Make the PPTP connection

  1. On CLIENT1, double-click the PPTP connection.

  2. In the PPTP dialog box, type PPTPUser@testlab.microsoft.com as the user name, type the password, and then select the Save this user name and password to use when check box.

  3. Click Connect.

4. Disconnect the PPTP connection

  • On CLIENT1, right-click the PPTP connection, and then click Disconnect.

To create an L2TP/IPSec remote access VPN connection between CLIENT1 and VPN1, do the following:

1. Create a user account

  1. On DC1, use Active Directory Users and Computers to create a user account named L2TPUser with a password. For more information, see Create a new user account.

  2. Set the remote access permission on the Dial-in tab to Allow access. For more information, see Configure remote access permission for a user.

2. Create the L2TP connection

  1. On CLIENT1, use the Make New Connection Wizard to create a new L2TP/IPSec connection named L2TP, with the IP address of 10.0.0.2. For more information, see Make a virtual private network (VPN) connection.

  2. Right-click the new L2TP connection, and then click Properties.

  3. Click the Networking tab, and then in Type of VPN, click L2TP IPSec VPN.

  4. Click OK to save changes to the L2TP connection.

3. Make the L2TP connection

  1. On CLIENT1, double-click the L2TP connection.

  2. In the L2TP dialog box, type L2TPUser@testlab.microsoft.com as the user name, type the password, and then select the Save this user name and password to use when check box.

  3. Click Connect.

IAS as a RADIUS server for the VPN server

To configure IAS1 as the RADIUS authentication and accounting server for the VPN server, do the following:

1. Add VPN1 as a RADIUS client to IAS1

  • On IAS1, add VPN1 as a RADIUS client with the client address of 172.16.0.4, the client vendor of Microsoft, and a shared secret. For more information, see Add RADIUS clients.

2. Configure IAS1 to log authentication events

3. Configure VPN1 for RADIUS and IAS1 as the RADIUS server

  • Configure VPN1 to use RADIUS authentication. Configure IAS1 as the RADIUS server with the IP address of 172.16.0.1 and the shared secret. For more information, see Use RADIUS authentication.

  • Configure VPN1 to use RADIUS accounting. Configure IAS1 as the RADIUS server with the IP address of 172.16.0.1 and the shared secret. For more information, see Use RADIUS accounting.

4. Make a PPTP connection

  1. On CLIENT1, use the PPTP connection to create a PPTP-based VPN connection with VPN1. For more information, see Connect to a remote network.

  2. At a Command Prompt, use the ping command to ping DC1 at its IP address of 172.16.0.1.

  3. Use the ping command to ping IAS1 at its IP address of 172.16.0.2.

  4. Disconnect the PPTP connection. For more information, see Disconnect from a remote network.

5. Make an L2TP connection

  1. On CLIENT1, use the L2TP connection to create an L2TP/IPSec VPN connection with VPN1.

  2. Use the ping command to ping DC1 at its IP address of 172.16.0.1.

  3. Use the ping command to ping IAS1 at its IP address of 172.16.0.2.

  4. Disconnect the L2TP connection.

6. Check the system event log for RADIUS events

  • On IAS1, use Event Viewer to view IAS events in the system event log for the PPTP and L2TP connections that were recently created using CLIENT1.

7. Check RADIUS authentication and accounting logs

  • On IAS1, use Windows Explorer to open the systemroot\System32\Logfiles\Iaslog.log file. View the authentication and accounting entries for the connections that were recently created using CLIENT1. For more information about the IAS log file format, see Interpreting IAS-formatted log files.

8. Capture RADIUS traffic with Network Monitor

  1. On IAS1, run Network Monitor from the Administrative Tools folder.

  2. Use Network Monitor to capture network traffic. For more information, see Capture network frames.

  3. On CLIENT1, make a VPN connection with VPN1 with the PPTP connection.

  4. On CLIENT1, disconnect the PPTP connection.

  5. On IAS1, stop Network Monitor and view the captured frames with the protocol of RADIUS. For more information, see Expand and collapse frame details.

Remote access policies for different types of VPN connections

To create remote access policies for different types of VPN connections, do the following:

1. Create different remote access policies for different types of connections

  1. On IAS1, use the New Remote Access Policy Wizard to create a new custom remote access policy with the following settings:
  • Policy name: PPTP connections

  • Conditions: NAS-Port-Type matches Virtual (VPN) and Tunnel-Type matches Point-to-Point Tunneling Protocol (PPTP)

  • Permission: Grant remote access permission

  • Profile settings, IP tab, Input packet filter

    • Deny all traffic except those listed below

    • Destination network, IP address: 172.16.0.1

    • Destination network, Subnet mask: 255.255.255.255

    • Protocol: Any

  • Profile settings, IP tab, Output packet filter:

    • Deny all traffic except those listed below

    • Source network, IP address: 172.16.0.1

    • Destination network, Subnet mask: 255.255.255.255

    • Protocol: Any

    For more information, see Add a remote access policy.

  1. Use the New Remote Access Policy Wizard to create a new custom remote access policy with the following settings:
  • Policy name: L2TP connections

  • Conditions: NAS-Port-Type matches Virtual (VPN) and Tunnel-Type matches Layer Two Tunneling Protocol (L2TP)

  • Permission: Grant remote access permission

  • Profile settings, IP tab, Input packet filter:

    • Deny all traffic except those listed below

    • Destination network, IP address: 172.16.0.2

    • Destination network, Subnet mask: 255.255.255.255

    • Protocol: Any

  • Profile settings, IP tab, Output packet filter:

    • Deny all traffic except those listed below

    • Source network, IP address: 172.16.0.2

    • Destination network, Subnet mask: 255.255.255.255

    • Protocol: Any

2. Make a PPTP connection and test connectivity

  1. On CLIENT1, make a VPN connection with VPN1 using the PPTP connection.

  2. Use the ping command to ping DC1 at its IP address of 172.16.0.1.

  3. Use the ping command to ping IAS1 at its IP address of 172.16.0.2.

    This command fails because packet filtering for all connections that match the PPTP connections policy allows only traffic sent to and from the IP address of 172.16.0.1.

  4. Disconnect the PPTP connection.

3. Make an L2TP connection and test connectivity

  1. On CLIENT1, make a VPN connection with VPN1 using the L2TP connection.

  2. Use the ping command to ping IAS1 at its IP address of 172.16.0.2.

  3. Use the ping command to ping DC1 at its IP address of 172.16.0.1.

    This command fails because packet filtering for all connections that match the L2TP connections policy allows only traffic sent to and from the IP address of 172.16.0.2.

  4. Disconnect the L2TP connection.

4. Check the system event log for RADIUS events

  • On IAS1, use Event Viewer to view the IAS events in the system event log for the connections that were recently created. Note that the authentication event message text contains the name of the remote access policy that accepted the connection.

IAS as a RADIUS proxy for the VPN server

To configure IAS2 as the RADIUS proxy for the VPN server, do the following:

1. Reconfigure VPN1 with IAS2 as its RADIUS server

  1. On VPN1, remove IAS1 as the RADIUS server for the RADIUS authentication provider. Next, configure IAS2 as the RADIUS server for the RADIUS authentication provider with the IP address of 172.16.0.3 and the shared secret. For more information, see Use RADIUS authentication.

  2. On VPN1, remove IAS1 as the RADIUS server for the RADIUS accounting provider. Next, configure IAS2 as the RADIUS server for the RADIUS accounting provider with the IP address of 172.16.0.3 and the shared secret. For more information, see Use RADIUS accounting.

2. Reconfigure IAS1 with IAS2 as a RADIUS client

  1. On IAS1, remove VPN1 as a RADIUS client. For more information, see Delete a RADIUS client.

  2. On IAS1, add IAS2 as a RADIUS client with the client address of 172.16.0.4, the client vendor of Microsoft, and a shared secret. For more information, see Add RADIUS clients.

3. Configure IAS2 as a RADIUS proxy between VPN1 and IAS1

  1. On IAS2, add VPN1 as a RADIUS client with the client address of 172.16.0.4, the client vendor of Microsoft, and a shared secret. For more information, see Add RADIUS clients.

  2. On IAS2, create a remote RADIUS server group that contains IAS1. For more information, see Add a remote RADIUS server group. In the New Remote RADIUS server Group Wizard, configure the following:

    • Group name: Testlab

    • Primary server: 172.16.0.2

    • Shared secret: SharedSecret
      Do not configure a backup server.

  3. Create a new connection request policy. For more information, see Add a connection request policy. In the New Connection Request Policy Wizard, configure the following:

    • Policy name: Proxy

    • Select the option to Forward connection requests to a remote RADIUS server for authentication

    • Realm name: testlab.microsoft.com

    • Clear the Before authentication, remove the realm name from the user name: check box.

    • server group: Testlab

Note

  • IAS1 and IAS2 must use the same shared secret. Additionally, IAS2 and VPN1 must use the same shared secret. The shared secret that is used between IAS1 and IAS2 can be different than the shared secret that is used between IAS2 and VPN1.

4. Make a PPTP connection

  1. On CLIENT1, make a VPN connection with VPN1 using the PPTP connection.

  2. Use ping to ping DC1 at its IP address of 172.16.0.1.

  3. Use ping to ping IAS1 at its IP address of 172.16.0.2.

    This command fails because packet filtering for all connections that match the PPTP connections policy allows only traffic sent to and from the IP address of 172.16.0.1.

  4. Disconnect the PPTP connection.

In this configuration, the authentication and accounting messages that are sent by the VPN server are being forwarded from IAS2 to IAS1.