Lesson 5: Creating a Remote Access Policy
A number of options and settings are available to you for
configuring remote access. Creating a remote access policy involves the following three
major steps:
- Configuring dial-in settings for users by using the Active
Directory Users and Computers tool
- Creating a policy and its conditions by using the Routing
and Remote Access tool
- Editing the policy's profile
These steps do not have to be completed in any particular order or at the same time.
However, it is important to plan these policies thoroughly and address
all three components of creating remote access policies in order to
provide secure access to your users.
Configuring User Dial-In Settings
On a stand-alone server, the dial-in settings are found on the
Dial-In tab of the Properties dialog box for a user account in the
Users folder. For a server using Active Directory directory services,
the dial-in settings are found on the Dial-In tab of the Properties
dialog box for a user account in the Active Directory Users And
Computers window. Figure 9.6 shows a user's Properties dialog
box.
Figure 9.6 A user's Properties dialog box
Remote Access Permission
The Remote Access Permission (Dial-In Or VPN) property determines
whether remote access is explicitly allowed, explicitly denied, or
determined through remote access policies. If access is explicitly allowed, remote access
policy conditions, user account properties, or profile properties can
still deny the connection attempt. The Control Access Through Remote
Access Policy option is only available on user accounts for stand-alone
Windows 2000 remote access servers or members of a native Windows 2000
domain.
Verify Caller-ID
If the Verify Caller-ID check box is selected, the server verifies
the caller's phone number. If the caller's phone number does
not match the configured phone number, the connection attempt is
denied.
All parts of the connection must support caller ID. Caller ID
support on the remote access server consists of caller ID answering equipment and the
driver that passes caller ID information to RRAS. If you configure a
caller ID phone number for a user and you do not have support for the
passing of caller ID information from the caller to RRAS, the
connection attempt is denied.
Callback Options
If the Callback Options property is enabled, the server calls back a
specific phone number (set by the caller or by the network
administrator) during the connection process. If you select No Callback,
callback is disabled and the user cannot use it. To enable callback, select one of the two
other options: Set By Caller (Routing And Remote Access Service
Only) or Always Callback To. If you want the user to decide whether or not to use callback,
select Set By Caller (Routing And Remote Access Service Only). If you
want the user to always use callback, select Always Callback To.
NOTE
If the Windows 2000 remote access server is a
stand-alone server or a member of a native-mode domain, the callback
number can be of unlimited size. If a Windows 2000 remote access server
is a member of a mixed-mode domain, the callback number can only be 128
characters.
Assign a Static IP Address
If the Assign A Static IP Address check box option is enabled, the
network administrator assigns a specific IP address to the user when a
connection is made.
Apply Static Routes
If the Apply Static Routes check box option is selected, the network
administrator defines a series of static IP routes that are added to
the routing table of the remote access server when a connection is
made. This setting is designed for use with demand-dial routing.
NOTE
If a Windows 2000 remote access server is a
member of a Windows NT 4.0 domain or a Windows 2000 mixed-mode domain,
only the Remote Access Permission (Allow Access and Deny Access
options) and Callback Options dial-in settings are available. You can
also use the User Manager for Domains tool on Windows NT servers to
grant or deny dial-in access and set callback options. When a Windows NT 4.0 remote access server uses a native-mode domain
to obtain the dial-in properties of a user account, the Control Access
Through Remote Access Policy option is interpreted as Deny Access. Callback
settings are interpreted correctly.
Creating a Policy and Its Conditions in Routing and Remote Access
Remote access policy conditions are assigned attributes that are
compared to the settings of a connection attempt. If there are multiple
conditions in a policy, all of the conditions must correspond to the settings of the connection
attempt to result in a match. The condition attributes you can set are described
in the following list:
- Called-Station-ID. A character string identifying the
phone number of the network access server (NAS). The phone line,
hardware, and hardware driver must support reception of caller ID data.
You can use a wildcard (asterisk) in this attribute, but the attribute
is not used by Windows 2000 IAS.
- Calling-Station-ID. A character string identifying
the phone number used by the caller. You can use a wildcard (asterisk)
in this attribute, but the attribute is not used by Windows 2000
IAS.
- Client-Friendly-Name. A character string identifying
the name of the RADIUS client computer requesting authentication. You can use a
wildcard (asterisk) in this attribute, and the attribute is used by
Windows 2000 IAS.
- Client-IP-Address. A character string identifying the
IP address of the RADIUS client. You can use a wildcard (asterisk) in this attribute,
and the attribute is used by Windows 2000 IAS.
- Client-Vendor. A character string identifying the
vendor of the network access server (NAS) that is requesting
authentication. The Windows 2000 remote access server is the Microsoft
RAS NAS manufacturer. This attribute configures separate policies for
different NAS manufacturers who are RADIUS clients to an IAS server.
Because this attribute is designed for the IAS server, be sure that you
also configure the NAS as a RADIUS client on the IAS server.
- Day-And-Time-Restrictions. The day of the week and
the time of day for the server's connection attempt. You cannot use a wildcard
(asterisk) in this attribute, and the attribute is not used by Windows
2000 IAS.
- Framed-Protocol. The type of framing for incoming
packets. Examples are PPP, AppleTalk, Serial Line Internet Protocol
(SLIP), Frame Relay, and X.25. You cannot use a wildcard (asterisk) in
this attribute, but the attribute is used by Windows 2000 IAS.
- NAS-Identifier. A character string identifying the
NAS from which the request originated. You can use a wildcard (asterisk) in this
attribute, but the attribute is not used by Windows 2000 IAS.
- NAS-IP-Address. A character string identifying the IP
address of the NAS. You can use a wildcard (asterisk) in this
attribute, and the attribute is used by Windows 2000 IAS.
- NAS-Port-Type. The type of media used by the caller.
Examples are analog phone lines (Async), ISDN, and VPNs. You cannot use
a wildcard (asterisk) in this attribute, and the attribute is not used
by Windows 2000 IAS.
- Service-Type. The type of service being requested.
Examples include framed (such as PPP connections) and login (such as
Telnet connections). For more information on RADIUS service types, see
RFC 2138. You cannot use a wildcard (asterisk) in this attribute, but
the attribute is used by Windows 2000 IAS.
- Tunnel-Type. The types of Tunnel protocols to be
used. Examples include Ascend Tunnel Management Protocol (ATMP), Layer
Two Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol
(PPTP), and Virtual Tunneling Protocol (VTP).
- Windows Groups. The names of the Windows 2000 groups
to which the user attempting the connection belongs. For a native
domain-based remote access or IAS server, use universal groups. There
is no condition attribute for a specific user name. You cannot use a
wildcard (asterisk) in this attribute, and the attribute is not used by
Windows 2000 IAS.
You can create a remote access policy and an associated profile
under the Remote Access Policies node of the Routing And Remote Access console
tree. Right-click the Remote Access Policies node, and then click New
Remote Access Policy. In the Add Remote Access Policy dialog box, type
the name of the profile in the Policy Friendly Name text box, and then
click Next.
To configure a new condition, click the Add button. In the Select
Attribute dialog box, click the attribute that you want to add, and
then click Add. In the attribute dialog box, enter the information
required by the attribute, and then click OK.
In the Permissions section, if you want to grant access to these
users, click the Grant Remote Access Permission option, and if you want
to deny access to these users, click the Deny Remote Access Permission
option.
Configuring Profile Settings
The profile specifies what kind of access the user will be given if
the conditions match. This access will only be granted if the
connection attempt does not conflict with the settings of the user
account or the profile. There are six different tabs that can be used
to configure a profile:
- Dial-In Constraints. These options include settings
for idle-time disconnect, maximum session time, day and time, phone
number, and media type (ISDN, VPN, etc.).
- IP. These settings configure client IP address
assignment and TCP/IP packet filtering. Separate filters can be defined
for inbound or outbound packets.
- Multilink. These settings configure multilink and
BAP. A line can be dropped if bandwidth drops below a certain level for
a given length of time. Multilink can also be set to require the use of
BAP.
- Authentication. These settings define the
authentication protocols that are allowed for connections using this
policy. The protocol selected must also be enabled in the server's
properties.
- Encryption. These four settings specify the level of
encryption. If you select No Encryption, no data encryption is
required. If No Encryption is the only option selected, you cannot
connect by using data encryption. If you select Basic, you can
use IPSec 56-bit DES or Microsoft Point-to-Point Encryption (MPPE) 40-bit data encryption. If you select
Strong, you can use IPSec 56-bit DES or MPPE 56-bit data
encryption. If you select Strongest, you can use IPSec triple
DES (3DES) or MPPE 128-bit encryption.
NOTE
The Strongest option is only available with
North American versions of Windows 2000.
- Advanced. This tab allows for the configuration of
additional network parameters that could be sent from non-Microsoft
RADIUS servers.
You can create a remote access profile from the Add Remote Access
Policy dialog box. To edit the policy's profile, click the Edit
Profile button. In the Edit Dial-In Profile dialog box, configure the
settings on any of the six tabs, and then click OK. Click OK to close
the Add Remote Access Policy dialog box.

Optional Practice: Creating a Remote Access Policy and Profile
In this practice, you will create a user with dial-in capabilities.
You will then create a global group and add the user to the group.
NOTE
To complete all the procedures in this practice,
you must have two computers.
To create a user with dial-in capabilities
- Log on to your domain as Administrator, and open Active
Directory Users and Computers.
- In the console tree, right-click Users, point to New, and then
click User.
- In the New Object - User dialog box, create a user named Rasuser
with no password and accept all default settings. Click Next twice, and
then click Finish.
- In the details pane, double-click Rasuser.
- In the Rasuser Properties dialog box, click the Dial-In tab.
Select Allow Access, and then click OK.
To create a global group
- In the console tree, right-click Users, point to New, and then
click Group.
- In the New Object - Group dialog box, enter the name
Rasgroup. Ensure that Global is selected in the Group Scope section, then
click OK.
- In the details pane, right-click Rasuser, and then click Add
Members To A Group.
- In the Select Group dialog box, select Rasgroup, and then click
OK.
- Click OK to close the message box that informs you the operation
was successful.
To test the dial-in configuration
NOTE
This is one of the procedures that requires two
computers.
- Right-click the My Network Places icon and click Properties.
Double-click the Virtual Private Network icon.
- Connect as Rasuser, with no password.
- Close the connection.
To configure a user's dial-in permissions to control
access through remote access policy
- In the Active Directory Users And Computers window, double-click
Rasuser.
- In the Rasuser Properties dialog box, click the Dial-In
tab.
- Select the Control Access Through Remote Access Policy option,
and then click OK.
To test the dial-in configuration
NOTE
This is one of the procedures that requires two
computers.
- Double-click the Virtual Private Network icon in the Network And
Dial-Up Connections window.
- Connect using Rasuser and no password.
The Connect Virtual Private Connection dialog box appears informing
you that the connection fails.
NOTE
The default remote access policy denies access
to all attempts. To fix this, either control access through user
settings or create another policy that grants access to this
user.
- Click Cancel.
To add a new policy that grants access to users in the
Rasgroup
- In the Routing And Remote Access window's console tree,
right-click Remote Access Policies, and select New Remote Access
Policy.
- On the Policy Name page, type Allow Rasgroup access in
the Policy Friendly Name box. Click Next.
- On the Conditions page, click Add.
- In the Select Attribute dialog box, click Windows-Groups, and
then click Add.
- In the Groups dialog box, click Add. In the Select Groups dialog
box, select Rasgroup and click Add.
- Click OK twice.
- On the Conditions page, click Next.
- On the Permissions page, select the Grant Remote Access
Permission option, and then click Next.
- On the User Profile page, click Finish.
- In the details pane, right-click the new policy and select Move
Up.
To test the dial-in configuration
NOTE
This is one of the procedures that requires two
computers.
- Double-click the Virtual Private Connection icon in the Network
And Dial-Up Connections window.
- Connect using Rasuser and no password.
The connection succeeds.
NOTE
Dial-in permissions of the user override the
remote access policy permissions.
- Close all open windows and log off.
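To tie the three components together, the following Python model (added here; it is not code from the book or from Windows 2000 itself) shows how the user's Remote Access Permission, the ordered policies with their conditions, and the profile constraints combine to accept or reject one connection attempt. The policy and attempt data are constructed to mirror the practice above; the first-matching-policy rule, the match-all default policy, and the attribute names used as dictionary keys are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass, field

# The three choices on the user's Dial-In tab (Remote Access Permission).
ALLOW, DENY, VIA_POLICY = "Allow Access", "Deny Access", "Control Access Through Remote Access Policy"

@dataclass
class Policy:
    name: str
    conditions: dict   # attribute -> value; ALL conditions must match the attempt
    grant: bool        # Grant (True) or Deny (False) Remote Access Permission
    profile: dict = field(default_factory=dict)   # e.g. {"media": {"Virtual (VPN)"}}

def conditions_match(policy, attempt):
    """A policy matches only when every one of its conditions corresponds to the attempt."""
    for attr, wanted in policy.conditions.items():
        if attr == "Windows-Groups":                 # group membership, no wildcard
            if wanted not in attempt.get("Windows-Groups", ()):
                return False
        else:                                        # string attributes allow the asterisk wildcard
            value = attempt.get(attr)
            if value is None or not fnmatch.fnmatchcase(str(value), wanted):
                return False
    return True

def evaluate(user_permission, policies, attempt):
    """Decide one connection attempt; returns (granted, reason)."""
    # Assumption: the first policy in console order whose conditions all match is applied,
    # which is why the practice moves the new policy above the default one.
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return False, "no remote access policy matched"
    if user_permission == DENY:
        return False, f"{policy.name}: user dial-in permission is Deny Access"
    if user_permission == VIA_POLICY and not policy.grant:
        return False, f"{policy.name}: policy denies remote access permission"
    media = policy.profile.get("media")            # profile dial-in constraint on media type
    if media and attempt.get("NAS-Port-Type") not in media:
        return False, f"{policy.name}: attempt conflicts with profile constraints"
    return True, f"{policy.name}: access granted"

# Constructed sample data mirroring the practice: the default policy matches every attempt and denies.
DEFAULT_POLICY = Policy("Default policy", {"Day-And-Time-Restrictions": "*"}, grant=False)
RASGROUP_POLICY = Policy("Allow Rasgroup access", {"Windows-Groups": "Rasgroup"}, grant=True,
                         profile={"media": {"Virtual (VPN)"}})
RASUSER_VPN = {"Day-And-Time-Restrictions": "Mon 09:00", "Windows-Groups": ["Rasgroup"],
               "NAS-Port-Type": "Virtual (VPN)", "Calling-Station-ID": "555-0100"}
```

Running `evaluate` with ALLOW against only the default policy reproduces the first test (the user's explicit permission overrides the policy's Deny), while VIA_POLICY fails until the Rasgroup policy is placed above the default one.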
Lesson Summary
When you create a remote access policy, you must configure the
dial-in settings for users, create a policy and its conditions, and
edit the policy's profile. You do not have to complete these in any
order or at the same time. To configure a user's dial-in settings
on a stand-alone server, use the dial-in settings found on the Dial-In
tab of the Properties dialog box for a user account in the Users
folder. To configure a user's dial-in settings on a server using
Active Directory technology, the dial-in settings are found on the
Dial-In tab of the Properties dialog box for a user account in the
Active Directory Users And Computers window.
You can create a remote access policy and an associated profile
under the Remote Access Policies node of the Routing And Remote Access console
tree. In the If A User Matches The Specified Conditions section, if you want
to grant access to these users, click the Grant Remote Access
Permission option, and if you want to deny access to these users, click
the Deny Remote Access Permission option. Finally, you edit the
user's policy's profile. The profile specifies what kind of
access the user will be given if the conditions match. This access will
only be granted if the connection attempt does not conflict with the
settings of the user account or the profile.