Module 10: RADIUS as a Solution for Remote Access

Contents

Overview
Introducing RADIUS
Designing a Functional RADIUS Solution
Discussion: Designing a RADIUS Solution
Securing a RADIUS Solution
Enhancing a RADIUS Design for Availability
Optimizing a RADIUS Design for Performance
Discussion: Enhancing the RADIUS Solution
Lab A: Designing a RADIUS Solution
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.

Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 75 Minutes
Lab: 45 Minutes

This module provides students with the information and decision-making experiences needed to design a Remote Authentication Dial-In User Service (RADIUS) solution in Microsoft® Windows® 2000. Students will evaluate and create RADIUS solutions to meet the remote access requirements of an organization.

At the end of this module, students will be able to:
• Recognize RADIUS as a solution for remote access.
• Identify the functional aspects of a RADIUS design.
• Select the appropriate strategies to secure a RADIUS solution.
• Select the appropriate strategies to enhance RADIUS availability.
• Select the appropriate strategies to improve RADIUS performance.

Upon completion of the lab, students will be able to design RADIUS solutions that meet the remote access requirements of a variety of organizations.

Course Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1562B_10.ppt

Preparation Tasks

To prepare for this module:
• Review the contents of this module.
• Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD.
• Read the relevant RFCs in the Windows 2000 Help files.
• Review discussion material and be prepared to lead class discussions on the topics.
• Complete the lab and be prepared to elaborate beyond the solutions found there.
• Read the review questions and be prepared to elaborate beyond the answers provided in the text.

Module Strategy

Use the following strategy to present this module:

Introducing RADIUS

RADIUS is an industry standard protocol that provides the solution to an organization’s remote access requirements by supporting secured user authentication, and accounting services for remote users. In this section:
• Explain that the network designer needs to determine the geographic location of remote access users, the number of users at each location, the connection between geographic locations, and the remote access accounting information. This information provides the basic decisions for establishing a RADIUS remote access connection.
• Emphasize that separate remote access and user authentication, remote access client connectivity, remote user authentication and accounting, and integration with the existing networks are the main features supported by RADIUS.
• Point out that, to extend the user authentication and data encryption feature to mixed operating systems, the RADIUS service integrates with other Windows 2000 networking services.

Designing a Functional RADIUS Solution

A functional Windows 2000 RADIUS remote access solution supports various Internet service providers (ISPs) or corporate remote access users for authentication and accounting schemes. In this section:
• Emphasize that a RADIUS design requires a minimum of one RADIUS client and one RADIUS server. Discuss the placement of RADIUS clients and servers.
• Emphasize that a RADIUS client can support a dial-up client connection, a virtual private network (VPN)-based client connection, or both types of connections. Explain this with reference to the scenario diagram on the slide.
• Point out that RADIUS supports Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and AppleTalk remote access client protocols.
• Explain that the selection of connection data rate, persistence, and security level is essential in providing RADIUS client to RADIUS server connections.
• Emphasize that it is necessary to select the default domain for the RADIUS server to set up a RADIUS remote access solution.

Discussion: Designing a RADIUS Solution

Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.

Securing a RADIUS Solution

A secure RADIUS solution ensures that only authorized remote access clients and servers are allowed to participate in a remote access connection. In this section:
• Emphasize the use of remote access policies to restrict remote user access to the private network.
• Describe the use of authentication protocols and encryption algorithms for protecting remote access client traffic. Point out that the use of these services protects the confidential data from unauthorized users.
• Explain the use of Microsoft Point-to-Point Encryption (MPPE) and Internet Protocol Security (IPSec) as encryption methods to protect RADIUS client and server traffic. Also point out the usage of RADIUS secrets, IPSec machine certificates, and VPN tunnels.
• Emphasize that the RADIUS clients and servers must be placed in relation to screened subnets so that network traffic is minimized without compromising on security.
Enhancing a RADIUS Design for Availability

A highly available RADIUS solution ensures that remote users can connect to the private network resources whenever required. Point out that the availability of a RADIUS design can be improved by including more than one RADIUS client and server in the network design.

Optimizing a RADIUS Design for Performance

The performance of the RADIUS design can be optimized to provide the fastest possible response to remote access clients. Point out that using dial-up and VPN connections can optimize the performance of a RADIUS client. Emphasize that improving the authentication and accounting performance also affects the performance of a RADIUS design.

Discussion: Enhancing the RADIUS Solution

Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.

Lab Strategy

Use the following strategy to present this lab.

Lab A: Designing a RADIUS Solution

In the lab, students will design a RADIUS solution based on specific requirements outlined in the given scenario. Students will review the scenario and the design requirements and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design by using RADIUS as a solution.

To conduct the lab:
• Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
• Consider dividing the class into teams of two or more students.
• Present the lab and make sure students understand the instructions and the purpose of the lab.
• Direct students to use the planning worksheet to record their solutions.
• Remind students to consider any functionality, security, availability, and performance criteria provided in the scenario and how they will incorporate strategies to meet these criteria in their design.
• Allow some time to discuss the solutions after the lab is completed. A solution is provided in your materials to assist you in reviewing the lab results. Encourage students to critique each other’s solutions and to discuss any ideas for improving their designs.

Overview

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will evaluate and design a RADIUS solution for remote access.

• Introducing RADIUS
• Designing a Functional RADIUS Solution
• Discussion: Designing a RADIUS Solution
• Securing a RADIUS Solution
• Enhancing a RADIUS Design for Availability
• Optimizing a RADIUS Design for Performance
• Discussion: Enhancing the RADIUS Solution

Organizations that outsource dial-up remote access, or those that perform joint ventures with other organizations, require authentication of user accounts outside the private network. Also, organizations that provide the outsourcing services, such as Internet service providers (ISPs), require remote user connection accounting so that they can charge subscribers. Remote Authentication Dial-In User Service (RADIUS) is an industry standard protocol that provides the solution to these authentication and remote user accounting requirements by supporting secured user authentication, and accounting services for remote users.

At the end of this module, you will be able to:
• Recognize RADIUS as a solution for remote access.
• Identify the functional aspects of a RADIUS design.
• Select the appropriate strategies to secure a RADIUS solution.
• Select the appropriate strategies to enhance RADIUS availability.
• Select the appropriate strategies to improve RADIUS performance.

Introducing RADIUS

Slide Objective: To introduce RADIUS as a solution for remote access in a Windows 2000 network.
Lead-in: Support for RADIUS is provided by the combination of Routing and Remote Access and IAS.

• Design Decisions for a RADIUS Solution
• RADIUS Features
• Integration Benefits

RADIUS is a client/server protocol that requires a RADIUS client and a RADIUS server to provide remote access. In Microsoft® Windows® 2000, support for RADIUS is provided by the combination of Routing and Remote Access and the Internet Authentication Service (IAS). A remote access server is a RADIUS client, and a server running IAS is a RADIUS server.

To design a strategy for providing remote access by using RADIUS, you must:
• Identify the design decisions that influence a RADIUS solution.
• Describe the features of RADIUS and how the features support the design requirements for remote access.
• Determine how integrating RADIUS with other networking services benefits the network design.

Design Decisions for a RADIUS Solution

Slide Objective: To introduce the decisions that influence the design of a RADIUS solution.
Lead-in: The first step in designing a RADIUS solution is to identify the decisions that influence the design.

[Slide graphic labels: RADIUS Client, Internet, ISP, Active Directory, Central Office, Remote Access Clients, Partner Network]

• Geographic Locations of Remote Access Users?
• Number of Users at Each Location?
• Connection Between Geographic Locations?
• Remote User Connection Accounting?
Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a RADIUS solution. Explain the relevance of these decisions with reference to the graphic.

Windows 2000 uses RADIUS for network configurations that require user authentication outside the private network. Before you design a RADIUS solution (a remote access solution that uses RADIUS), you must identify the decisions that influence the design. For designing a RADIUS solution, you need to determine the:
• Geographic distribution of the remote access users to determine the placement of the RADIUS clients.
• Number of remote access users at each location so that you can determine the number of RADIUS clients to place at each location.
• Network connections between the geographic locations so that you can determine the amount of data that can be transmitted between the locations.
• Organization requirements for tracking remote user connectivity time so that you can determine if RADIUS accounting is required.

RADIUS Features

Slide Objective: To describe the features of RADIUS.
Lead-in: When creating a remote access design by using RADIUS, you must understand how the features of RADIUS support the organization’s requirements.

• Separating Remote Access and User Authentication
• Providing Remote Access Client Connectivity
• Providing Remote User Authentication and Accounting
• Integrating Into Existing Networks

RADIUS is used for providing authentication, authorization, and accounting services for remote access connectivity. When creating a remote access design by using RADIUS, you must identify how the features of RADIUS support the organization’s requirements.

Separating Remote Access and User Authentication

RADIUS separates the remote access server functions from the user authentication server functions. The communication between the computer that provides remote access support and the computer that provides user authentication is established by using RADIUS. Separating remote access and user authentication allows the:
• RADIUS client and server to support different operating systems and hardware architectures.
• RADIUS client and server to be geographically separated.
• User accounts to be secure by ensuring that the accounts are located on servers within the private network.
• Encryption of authentication traffic between the RADIUS client and the RADIUS server by using Internet Protocol Security (IPSec) or virtual private network (VPN) tunnels.
• Outsourcing of dial-up remote access to third-party organizations.

Optimizing a RADIUS Design for Performance

Slide Objective: To describe the strategies used for optimizing the performance of a RADIUS solution.
Lead-in: To enhance the performance of a RADIUS solution, you must include more than one RADIUS client and server.

[Slide graphic labels: RADIUS Clients, ISP, Windows 2000 Domain Controller, Internet, Central Office, RADIUS Servers, Partner Network]

• Remote Access Client Performance
• Authentication and Accounting Performance

You can enhance the performance of a RADIUS solution by including more than one RADIUS client and server in your network design. By design, RADIUS clients and servers require minimal management and administration. However, over time, changes in the number of remote access clients, changes in WAN technology, and other factors can reduce the performance of RADIUS.

Remote Access Client Performance

Because RADIUS clients manage the remote access client connections, the performance of RADIUS clients directly affects the remote access client performance. In your design, to improve the performance for remote access clients for all types of connections, you can:
• Add additional RADIUS clients.
• Upgrade the hardware resources of existing RADIUS clients.
• Replace existing RADIUS clients with higher performance servers.

Improving performance of RADIUS clients with dial-up connections

To improve the performance of RADIUS clients with dial-up connections, you can:
• Assign remote access clients different primary and backup telephone numbers. This ensures that the remote access clients connect to different RADIUS clients and provide load balancing.
• Upgrade to modems that support a faster transmission rate.
• Upgrade to intelligent communications adapters to offload processing from the RADIUS client.

Improving performance of RADIUS clients with VPN connections

In your design, to improve the performance of RADIUS clients with VPN connections, you can:
• Use round robin DNS entries to distribute remote access clients across multiple RADIUS clients and to provide load balancing.
• Use Network Load Balancing to distribute remote access clients across multiple RADIUS clients and to provide load balancing.
• Increase the data rate of the connections between the remote access client and the private network.

Authentication and Accounting Performance

RADIUS servers provide authentication and accounting for RADIUS clients, and interact with the authentication servers. As a result, the authentication and accounting performance is determined by the RADIUS server performance. To improve the authentication and accounting performance in your design, you can:
• Add additional RADIUS servers.
• Upgrade the hardware resources of the existing RADIUS servers.
• Replace existing RADIUS servers with higher performance servers.
• Reduce the level of detail recorded in RADIUS accounting.

Discussion: Enhancing the RADIUS Solution

Slide Objective: To discuss the strategies for enhancing the security, availability, and performance of a RADIUS solution.
Lead-in: You are now revisiting the design that you initially created for the bioelectronics maintenance company.
Delivery Tip: Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses. Remind the students that there can be more than one possible solution to the scenario.

[Slide graphic: map labelled Seattle, New York, San Francisco, Chicago, Denver, Washington DC, Los Angeles, Phoenix, Atlanta, Dallas, Anchorage, Miami, Honolulu]

After you have provided a basic remote access solution by using RADIUS, you need to examine the security, availability, and performance requirements for the solution. During the discussion, note any ideas presented by other students in the class that are relevant to the RADIUS solution.

The following scenario describes the requirements for enhancing the remote access solution of a bioelectronics maintenance company. Read the scenario and answer the questions. Be prepared to discuss your answers with the rest of the class.

Scenario

The bioelectronics maintenance company has contacted you to review the current status of your remote access solution. The company just acquired contracts to support almost twice the amount of equipment with the same number of field offices. As a result, the number of field engineers has doubled as well. In addition, since the initial deployment, a number of security breaches have occurred.

Questions

What recommendations would you make for securing the confidential data transmitted over the Internet?
You could make the following recommendations:
• Encrypt data between the RADIUS clients and servers. To encrypt data between the RADIUS clients and servers, you must:
  o Encrypt all data between locations by using either MPPE 128-bit encryption for PPTP tunnels or IPSec 3DES encryption for L2TP tunnels and IPSec tunnel mode.
  o Specify routing filters for each location that only accept incoming packets from the other locations.
• Specify that the RADIUS clients and servers connect to each other by using IPSec or VPN tunnels.
  o Configure firewalls to allow traffic between the RADIUS client and servers by using a specific VPN or IPSec tunnel address.
  o Specify remote access policies to enforce compulsory VPN tunnels when tunnels are not available between the RADIUS clients and servers.

Due to the nature of the medical profession, the field engineers need to access the Web-based maintenance application 24-hours-a-day, 7-days-a-week. What precautions can you incorporate into your design to ensure the highest possible availability for remote access?

You could specify redundant RADIUS clients for each region serviced by the ISP, with each RADIUS client having a unique phone access number. You could specify redundant RADIUS servers at the Phoenix office. You could also recommend redundant connections to the Internet at the Phoenix office for maximum protection.

With the addition of the new field engineers, the increase in network traffic is severely degrading the remote access performance. What strategies could you use to improve the performance of the remote access design?
If the RADIUS clients are saturated, you could specify multiple RADIUS clients at each ISP to provide load balancing across the multiple RADIUS clients. If the RADIUS servers are saturated, you could specify multiple RADIUS servers to distribute authentication, accounting, and remote access traffic. You could specify multiple connections to the Internet at the Phoenix location to distribute traffic between the connections.

Lab A: Designing a RADIUS Solution

Slide Objective: To introduce the lab.
Lead-in: In this lab, you will design a RADIUS solution for a consortium of aerospace companies.

Objectives

After completing this lab, you will be able to:
• Evaluate an existing scenario to determine the requirements that affect a remote access design by using RADIUS.
• Design a remote access solution for the given scenario by using RADIUS.

Prerequisites

Before working on this lab, you must have:
• Knowledge of the design decisions required to create a RADIUS design.
• Knowledge of strategies to enhance the security, availability, and performance of a RADIUS solution.

Estimated time to complete this lab: 45 minutes

Exercise: Designing a RADIUS Solution

In this exercise, you are presented with the task of creating a RADIUS solution for a consortium of aerospace companies. This consortium has a headquarters and a number of research facilities. Your instructor will assign you to either the headquarters or one of the research facilities. You will work either individually, or in a team, to use RADIUS to design a remote access solution that supports the consortium’s remote access requirements. You will record your solution on a specific design worksheet for your assigned location.

Review the scenario, the design requirements and limitations, and the diagram for your assigned location. Follow the Instructions to complete the RADIUS Design Worksheet. At the end of the exercise, be prepared to report your results to the class, and to participate in a discussion of the collective results.

Circle your assignment:
a. Consortium Headquarters
b. Research and Development Facility

Scenario

A group of international aerospace companies have formed a consortium to work on a satellite launch vehicle. The management of the consortium is a board of directors consisting of employees from each of the companies and is located in Bonn. The members of the consortium have research and development facilities in London, San Jose, Madrid, Moscow, and Paris. The research facilities are where the launch vehicle development occurs. Each member of the consortium has appointed a team of engineers that is assigned to the development of the launch vehicle. The engineers travel between research facilities as the project progresses and may be in a facility for three to six months at a time.

Design Limitations and Requirements

By examining existing documentation, and conducting interviews with the consortium personnel, you have established the design requirements that must be achieved. Make sure your solution meets or exceeds these requirements.

Applications

The launch vehicle consortium uses a number of applications to conduct the day-to-day operations. To create a solution for the consortium, your design must provide:
• Support for a mission-critical Web-based application that provides project status and reporting for engineers working for the consortium.
• Private network access to all shared folders and Web-based applications at the consortium headquarters and research facilities.
• Authentication of field engineers by using accounts contained in the domain controllers within the consortium member private network at each research facility.
• Active Directory for the consortium headquarters and the consortium-shared network at each research facility.
• Remote access response times such that the application response time is not reduced. Pilot tests on approved computers indicate that each RADIUS client can support no more than 85 remote access clients while providing performance within the given application response times.
• Support for all mission-critical applications to be available 24-hours-a-day, 7-days-a-week.

Connectivity

The applications used by the consortium require connectivity between the consortium headquarters and the research facilities. To create a solution for the consortium, your design must provide:
• Support for the research facilities to connect to the consortium headquarters by using dedicated connections over the Internet.
• Support for the consortium engineers to connect to their respective companies by using dedicated connections over the Internet from the consortium headquarters.
• Support for the consortium engineers to connect to their respective companies by using dedicated connections over the Internet from any of the research facilities.
• Isolation of the consortium-shared network and the consortium member’s private network within each research facility.
• Isolation of the consortium headquarters and the research facilities from the Internet.
• Encryption of all data transmitted over the Internet.

[Diagram: This is the high-level diagram of the launch vehicle consortium network. Additional detail for the consortium headquarters and research facilities is shown in subsequent diagrams.]

Instructions

To complete the RADIUS Design Worksheet for the section assigned to you or your team, you need to:
• Designate a name for the RADIUS computer. You will use this name when specifying RADIUS options. Record this under RADIUS name.
• Specify the subnet on which you will place the RADIUS computer. Record this under RADIUS placement.
• Explain your reasons for the placement of the RADIUS computer. Record this under Reason for placing RADIUS computer.
• Specify the RADIUS-specific options required to achieve the criteria in the scenario. Record this under RADIUS options.
• Explain the reason why you added the RADIUS-specific options to the RADIUS design. Record this under Reason for specifying option.

[Diagram: This is the existing network at the consortium headquarters in Bonn.]

RADIUS Design Worksheet – Consortium Headquarters

RADIUS name: RADCLI1
RADIUS placement: Subnet E
Reason for placing RADIUS computers: To allow VPN remote access to research facilities
RADIUS options, each with the reason for specifying the option:
• Specify VPN ports for remote access. Reason: Allow users within the headquarters to connect to research facilities
• Specify RADSVR1 and RADSVR2 for authentication and accounting. Reason: Allow users to be authenticated by using accounts from each research facility
• Specify IPSec tunnel with RADSVR1 and RADSVR2. Reason: Authenticate RADIUS clients and servers, and encrypt all data

RADIUS name: RADCLI2
RADIUS placement: Subnet E
Reason for placing RADIUS computers: To create a redundant VPN server as a backup to RADCLI1
RADIUS options, each with the reason for specifying the option:
• Specify VPN ports for remote access. Reason: Allow users within the headquarters to connect to research facilities
• Specify RADSVR1 and RADSVR2 for authentication and accounting. Reason: Allow users to be authenticated by using accounts from each research facility
• Specify IPSec tunnel with RADSVR1 and RADSVR2. Reason: Authenticate RADIUS clients and servers, and encrypt all data

[Diagram: This is the existing network at all of the research and development facilities. All facilities have the same network configuration.]

RADIUS Design Worksheet – Research and Development Facility

RADIUS name: RADCLI3
RADIUS placement: Subnet I
Reason for placing RADIUS computers: To allow engineers at the research facilities to remotely access their company’s private network
RADIUS options, each with the reason for specifying the option:
• Specify VPN ports for remote access. Reason: Allow users within the headquarters to connect to research facilities
• Specify RADSVR1 and RADSVR2 for authentication and accounting. Reason: Allow users to be authenticated by using accounts from each research facility
• Specify IPSec tunnel with RADSVR1 and RADSVR2. Reason: Authenticate RADIUS clients and servers, and encrypt all data

RADIUS name: RADCLI4
RADIUS placement: Subnet I
Reason for placing RADIUS computers: To provide redundancy for RADCLI3
RADIUS options, each with the reason for specifying the option:
• Specify VPN ports for remote access. Reason: Allow users within the headquarters to connect to research facilities
• Specify RADSVR1 and RADSVR2 for authentication and accounting. Reason: Allow users to be authenticated by using accounts from each research facility
• Specify IPSec tunnel with RADSVR1 and RADSVR2. Reason: Authenticate RADIUS clients and servers, and encrypt all data

RADIUS name: RADSVR1
RADIUS placement: Subnet K
Reason for placing RADIUS computers: To provide authentication and accounting for RADCLI1, RADCLI2, RADCLI3, and RADCLI4
RADIUS options, each with the reason for specifying the option:
• Specify default domain as the domain within the consortium member private network. Reason: Not require remote users to explicitly specify authentication or realm
• Specify IPSec tunnels between all RADIUS clients. Reason: Authenticate RADIUS clients and servers, and encrypt all data

RADIUS name: RADSVR2
RADIUS placement: Subnet K
Reason for placing RADIUS computers: To provide redundancy for RADSVR1
RADIUS options, each with the reason for specifying the option:
• Specify default domain as the domain within the consortium member private network. Reason: Not require remote users to explicitly specify authentication or realm
• Specify IPSec tunnels between all RADIUS clients. Reason: Authenticate RADIUS clients and servers, and encrypt all data

Review

Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

• Introducing RADIUS
• Designing a Functional RADIUS Solution
• Discussion: Designing a RADIUS Solution
• Securing a RADIUS Solution
• Enhancing a RADIUS Design for Availability
• Optimizing a RADIUS Design for Performance
• Discussion: Enhancing the RADIUS Solution

An organization has a geographically distributed work force that requires remote access to resources within the organization’s private network. How could you use RADIUS to solve the organization’s remote access requirements?
The organization could outsource the dial-up connections for the remote users to an ISP. The organization could then implement RADIUS servers within the private network and use RADIUS clients owned by the ISP. When remote users connect to the ISP, the users are authenticated by using user accounts and passwords provided by the organization.

You are evaluating a remote access design for an organization. The organization has remote users who connect to the private network resources through dial-up VPN-based connections by using a variety of ISPs. The organization is currently supporting 30 Routing and Remote Access VPN-based servers that support the remote access clients. The remote access users are experiencing difficulty in connecting to the private network because the remote access policies for the VPN servers are not consistent. How could you use RADIUS to solve the problem the organization is experiencing?

RADIUS could be implemented to centralize the management of the remote access policies for the VPN servers. Implement two or more RADIUS servers with the same remote access policies. Configure the existing RADIUS clients to use the new RADIUS servers for authentication.

You are designing a RADIUS solution for an organization that has remote access users who connect through their own ISPs to the private network by using a VPN tunnel. The remote access clients run a variety of operating systems including Windows 95, Windows 98, Windows NT 4.0, and Windows 2000 Professional. The organization requires that all data transferred between the remote access clients and the private network is encrypted. How would your design reflect the security requirements?
You would specify that all RADIUS clients support VPN tunnels by using PPTP because PPTP is the VPN tunnel that is supported by all of the remote access clients. You would also specify remote access policies that would require remote users to use PPTP and encryption. The remote access policies would be applied to the RADIUS servers in the solution.

An organization is involved in a joint venture with a partner organization. Users in the partner organization need to access resources in the organization’s private network. How could RADIUS solve this remote access requirement?

You could create the following design:
• Place RADIUS client(s) that support VPN-based remote access client connections within the partner network
• Place RADIUS server(s) within the private network
• Specify a VPN tunnel between the RADIUS client(s) in the partner network and a Routing and Remote Access–based router within the private network. The Routing and Remote Access–based router could be RADIUS server(s)
• Specify that the VPN tunnel must use mutual authentication by using MS-CHAP v2 and encrypt data by using MPPE or IPSec
• Specify user account(s) for the partner network user(s) who require access to the private network
• Specify remote access policies on the RADIUS servers that require all remote users from the partner network to connect by using encrypted VPN tunnels

You are evaluating a RADIUS design for an organization. The remote access users are experiencing performance problems and often are unable to connect to the private network because of RADIUS client outages. What recommendations would you make to the organization?
You could specify that the organization add additional RADIUS clients to provide additional resources to improve the performance. In addition, you could specify that the RADIUS clients be load-balanced by using Network Load Balancing. The addition of RADIUS clients and Network Load Balancing also addresses the availability issues that the organization is currently experiencing.
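The lab worksheets apply the same three rules to every RADIUS client: two RADIUS servers for authentication and accounting, an IPSec tunnel to each of them, and a redundant client on the same subnet. The Python sketch below is an added example, not part of the course material, that checks a design against those rules; the dictionary layout and the names `audit` and `degraded_design` are assumptions made here, and the degraded design is constructed for illustration.

```python
import copy

# Design transcribed from the two lab worksheets. The dictionary layout is an
# assumption of this example, not a format used by the course or by Windows.
def _client(subnet):
    return {"subnet": subnet, "servers": ["RADSVR1", "RADSVR2"],
            "ipsec_to": ["RADSVR1", "RADSVR2"]}

WORKSHEET = {
    "clients": {"RADCLI1": _client("E"), "RADCLI2": _client("E"),
                "RADCLI3": _client("I"), "RADCLI4": _client("I")},
    "servers": {"RADSVR1": {"subnet": "K"}, "RADSVR2": {"subnet": "K"}},
}


def audit(design):
    """Return sorted findings; an empty list means every check passed."""
    findings = []
    servers = design["servers"]
    if len(servers) < 2:
        findings.append("design: fewer than two RADIUS servers")
    clients_on = {}
    for name, cli in design["clients"].items():
        clients_on.setdefault(cli["subnet"], []).append(name)
        known = [s for s in cli["servers"] if s in servers]
        for s in sorted(set(cli["servers"]) - set(known)):
            findings.append(f"{name}: unknown RADIUS server {s}")
        if len(known) < 2:
            findings.append(f"{name}: fewer than two RADIUS servers configured")
        for s in known:
            if s not in cli["ipsec_to"]:
                findings.append(f"{name}: no IPSec tunnel to {s}")
    for subnet, names in clients_on.items():
        if len(names) < 2:
            findings.append(f"{names[0]}: no redundant RADIUS client on subnet {subnet}")
    return sorted(findings)


def degraded_design():
    """Constructed variant: RADCLI4 removed, one tunnel and one server entry dropped."""
    d = copy.deepcopy(WORKSHEET)
    del d["clients"]["RADCLI4"]
    d["clients"]["RADCLI1"]["ipsec_to"].remove("RADSVR2")
    d["clients"]["RADCLI2"]["servers"] = ["RADSVR1"]
    return d


if __name__ == "__main__":
    print(audit(WORKSHEET) or "worksheet design passes")
    for finding in audit(degraded_design()):
        print(finding)
```
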

Date posted: 22/10/2013, 16:15
