The Authentication Process

The IAS server first compares the shared secret between the client and server. If they match, the IAS server then compares the user-identification data forwarded by the NAS against the data in its database to determine whether the password is correct. If the password was entered correctly, the server returns a message to the NAS to allow the user onto the network. This is called an ACCESS-ACCEPT packet. If password authentication fails, the server sends a message to reject the request, and the NAS disconnects the user. This is called an ACCESS-REJECT packet.

The ACCESS-ACCEPT packet also tells the NAS the privileges for which the user is authorized, based on the user profile stored in the user database. Servers can authorize users for protocols, services such as host-logon facilities, or specific network addresses. NAS equipment interprets this authorization data to permit only the network privileges that the server has authorized.

A subscriber who accesses a local NAS provides a user ID to tell the ISP how the authentication request should be forwarded. The NAS passes the user ID and password to a RADIUS server within the ISP. Corporations will usually include a Realm identifier with their user names when they use public networks so that the ISP’s servers will know how to route authentication requests. A Realm identifier is typically appended onto the user name (for example, username@realm) and the ISP’s RADIUS server forwards requests based on the realm identifier.

The following diagram illustrates the authentication process.

IAS compares the name against its Windows NT domain controller. To be authenticated, the user name and password must exactly match data in the Windows NT user database. If the user name matches but the password does not, IAS returns an ACCESS-REJECT packet to the requesting NAS, and the IAS server stops processing the request.

Any server that can send requests to an IAS server is a client. Clients can be network access servers or other RADIUS servers. An NAS is a client when IAS is receiving requests directly from the NAS. A RADIUS server is a client when it forwards an authentication request from its client NAS to your local IAS server. In each case, a password called a shared secret authenticates all RADIUS requests between clients and servers to ensure that only the authorized client could have sent the RADIUS request.

IAS provides administrators with the ability to create a RADIUS profile that applies to all authentication requests. This profile is a collection of RADIUS attributes that perform specific functions. The most common profile is included in IAS, but administrators may edit this profile to suit their needs and the capabilities of their ISP.


© 1997 by Microsoft Corporation. All rights reserved.