Post by D K...
Post by James McIllece [MS]
When you create a remote access policy in IAS, you base the policy on
In other words, IAS maps the certificate to the User/Computer
account and handles the groups as with username/password, and not
with some markers within the certificate!?
D.K.
The first step in the process is that IAS uses the properties of the
connection request (which is the Access-Request message) and compares them
to the properties and settings of remote access policies until it finds a
policy whose properties match those of the connection request. It will
process all policies in order until it finds a match, and if it does not
find a match it rejects the connection request.
If the connection request properties match the properties and settings of
the remote access policy, IAS uses the policy to authorize the connection
request. (In other words, to determine whether the user has permission to
access the network on that day and time and under the existing conditions
of the connection.)
In the remote access policy, the allowed authentication methods are
specified. So the client and the IAS server negotiate an authentication
method and determine which one they agree to use for the connection.
When authentication occurs, if a certificate-based authentication method is
in use (like PEAP-TLS or EAP-TLS), the client and server exchange
certificates to prove their identities. IAS examines the client computer
certificate to determine whether or not the certificate is valid and meets
the minimum requirements for a client/user cert. IAS checks to see if the
cert is revoked or not. And IAS checks to ensure that the cert was issued
by a trusted CA and that the cert chains to a trusted root CA.
The manner in which IAS processes a connection request is detailed in the
IAS Technical Reference, in the section "How IAS Technology Works: Internet
Authentication Service (IAS)" at
http://technet.microsoft.com/en-us/library/cc773343.aspx.
That is a pretty long topic, just search on the page for the sentence "When
you configure IAS as a RADIUS server, Access-Request messages are processed
locally." That will take you to the numbered list of processing steps when
IAS is configured as a RADIUS server (as opposed to being configured as a
proxy that forwards connection requests to other servers). The proxy
pipeline is detailed farther down the page.
HTH...
***************
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
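As an added illustration, not code from this thread or from Microsoft's IAS, here is a small Python model of the pipeline James describes: ordered first-match policy evaluation, authorization, authentication-method negotiation, and, for EAP-TLS/PEAP-TLS, the client-certificate checks (validity period, revocation, chain to a trusted root CA). The policy names, CA names, serial numbers and request attributes are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict     # request attribute -> required value
    grant: bool          # remote access permission: grant or deny
    auth_methods: tuple  # allowed methods, in server preference order

# Constructed sample trust data (hypothetical CA names, not a real PKI).
TRUSTED_ROOTS = {"Example Root CA"}
ISSUER_OF = {"Example Issuing CA": "Example Root CA"}  # CA -> its issuer
REVOKED = {("Example Issuing CA", 42)}                  # (issuer, serial)

def match_policy(request, policies):
    """Step 1: try policies in order; the first whose conditions all match wins."""
    for p in policies:
        if all(request.get(k) == v for k, v in p.conditions.items()):
            return p
    return None  # no match at all: IAS rejects the request

def negotiate(policy, client_methods):
    """Pick the first policy-allowed method that the client also offers."""
    return next((m for m in policy.auth_methods if m in client_methods), None)

def check_cert(cert, now):
    """Validity period, revocation, then chain to a trusted root (dates are ISO strings)."""
    if cert["not_after"] < now:
        return "expired"
    if (cert["issuer"], cert["serial"]) in REVOKED:
        return "revoked"
    ca, seen = cert["issuer"], set()
    while ca not in TRUSTED_ROOTS and ca in ISSUER_OF and ca not in seen:
        seen.add(ca)
        ca = ISSUER_OF[ca]
    return "ok" if ca in TRUSTED_ROOTS else "untrusted chain"

def process_access_request(request, policies, cert, now):
    policy = match_policy(request, policies)
    if policy is None:
        return "Access-Reject: no matching policy"
    if not policy.grant:
        return f"Access-Reject: policy '{policy.name}' denies access"
    method = negotiate(policy, request.get("eap_types", ()))
    if method is None:
        return "Access-Reject: no common authentication method"
    verdict = check_cert(cert, now) if method in ("EAP-TLS", "PEAP-TLS") else "ok"
    if verdict != "ok":
        return f"Access-Reject: client certificate {verdict}"
    return f"Access-Accept: {method} under policy '{policy.name}'"
```

Note that a catch-all policy with no conditions placed last (as in the test data) is what turns "no matching policy" into an explicit deny, which is why policy order matters in the first-match walk.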