Radius versus VPN??
| KTSmith 2007-07-14, 1:25 am |
| We have a small office of 50 users and some users use Windows 2003 VPN
capability to log in remotely. I have now been asked to set up wireless on our
network; therefore, I am looking at implementing IAS for wireless access.
After reading and researching, I am a bit confused. In some articles it
states you can use VPN and Radius for VPN access and for wireless access as
it provides more security (how - I guess I got more confused on this too).
Either way, I still have to authenticate using username and password so what
does RADIUS afford me in the VPN scenario? I can see how it would be for
wireless since VPN doesn't have the facility to accept wireless.
Again, what does IAS provide me for plain VPN? In VPN I already have user
accounts with policies. To me IAS only provides another layer. Correct me
if I am wrong.
| |
| Ryan Hanisco 2007-07-14, 1:25 am |
| KTSmith,
RADIUS is an authentication method that services can use as their source of
authentication. The MS Windows version of Radius is exposed through IAS,
though there are other extensions to standard RADIUS that IAS provides.
When using an appliance or router to create VPNs it will have to have an
authentication source. This can be a RADIUS server, an internal database,
settings in the appliance, or the Active Directory as provided through IAS.
This means that you can use the AD as the AD source. You also get the other two
A's in AAA -- Authorization through RRAS policies matching group membership
to the ability to authenticate as well as logging as the Accounting piece.
This makes IAS very powerful in exposing the Active Directory as a service
to other devices that would require Radius for their AAA.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"KTSmith" wrote:
> We have a small office of 50 users and some users use Windows 2003 VPN
> capability to log in remotely. I have now been asked to set up wireless on our
> network; therefore, I am looking at implementing IAS for wireless access.
> After reading and researching, I am a bit confused. In some articles it
> states you can use VPN and Radius for VPN access and for wireless access as
> it provides more security (how - I guess I got more confused on this too).
> Either way, I still have to authenticate using username and password so what
> does RADIUS afford me in the VPN scenario? I can see how it would be for
> wireless since VPN doesn't have the facility to accept wireless.
>
> Again, what does IAS provide me for plain VPN? In VPN I already have user
> accounts with policies. To me IAS only provides another layer. Correct me
> if I am wrong.
>
>
>
| |
| KTSmith 2007-07-14, 1:25 am |
| In a nutshell, the IAS does not offer my situation anything. It would only
offer those who have other VPN devices (not Microsoft). Gotcha...geez, why
can't MS simply just state that instead of a "book" - without the whole
elaborate talk.
Thanks.
"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
news:B14D16AB-A2F4-4F5A-98ED-78245487A917@microsoft.com...
> KTSmith,
>
> RADIUS is an authentication method that services can use as their source
> of
> authentication. The MS Windows version of Radius is exposed through IAS,
> though there are other extensions to standard RADIUS that IAS provides.
>
> When using an appliance or router to create VPNs it will have to have an
> authentication source. This can be a RADIUS server, an internal database,
> settings in the appliance, or the Active Directory as provided through
> IAS.
> This means that you can use the AD as the AD source. You also get the other
> two
> A's in AAA -- Authorization through RRAS policies matching group
> membership
> to the ability to authenticate as well as logging as the Accounting piece.
>
> This makes IAS very powerful in exposing the Active Directory as a service
> to other devices that would require Radius for their AAA.
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
>
>
> "KTSmith" wrote:
>
| |
| Mark Dormer 2007-07-14, 1:25 am |
| Using Radius you can authenticate against a domain without the VPN server
being a member of the domain. I suppose this is more secure, if the VPN box
gets hacked they don't automatically have access to the domain.
Also the VPN server doesn't even need to be a Microsoft OS (could be a Linux
box or a router)
Possibly there is no advantage depending on your scenario.
Regards
Mark Dormer
"KTSmith" <ktsmith@msn.com> wrote in message
news:ur%23kzwaxHHA.2384@TK2MSFTNGP04.phx.gbl...
> We have a small office of 50 users and some users use Windows 2003 VPN
> capability to log in remotely. I have now been asked to set up wireless on
> our network; therefore, I am looking at implementing IAS for wireless
> access. After reading and researching, I am a bit confused. In some
> articles it states you can use VPN and Radius for VPN access and for
> wireless access as it provides more security (how - I guess I got more
> confused on this too). Either way, I still have to authenticate using
> username and password so what does RADIUS afford me in the VPN scenario?
> I can see how it would be for wireless since VPN doesn't have the facility
> to accept wireless.
>
> Again, what does IAS provide me for plain VPN? In VPN I already have user
> accounts with policies. To me IAS only provides another layer. Correct
> me if I am wrong.
>
| |
| Ryan Hanisco 2007-07-14, 1:21 pm |
| Hi KTSmith,
Yeah, I don't see it offering a lot to the VPN side of things in your
situation. It does do some great things with wireless and 802.1x. Enough
so that they will be offering more comprehensive 802.1x support in Server
2008. It is a great tool for wired and wireless access.
Meaning, someone can't just plug a workstation or device into your network
and expect to get ANY services -- not even an IP address.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"KTSmith" wrote:
> In a nutshell, the IAS does not offer my situation anything. It would only
> offer those who have other VPN devices (not Microsoft). Gotcha...geez, why
> can't MS simply just state that instead of a "book" - without the whole
> elaborate talk.
>
>
> Thanks.
>
>
> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:B14D16AB-A2F4-4F5A-98ED-78245487A917@microsoft.com...
>
>
>
| |
| James McIllece [MS] 2007-07-18, 1:22 am |
| "KTSmith" <ktsmith@msn.com> wrote in
news:ur#kzwaxHHA.2384@TK2MSFTNGP04.phx.gbl:
> We have a small office of 50 users and some users use Windows 2003 VPN
> capability to log in remotely. I have now been asked to set up wireless
> on our network; therefore, I am looking at implementing IAS for
> wireless access. After reading and researching, I am a bit confused.
> In some articles it states you can use VPN and Radius for VPN access
> and for wireless access as it provides more security (how - I guess I
> got more confused on this too). Either way, I still have to
> authenticate using username and password so what does RADIUS afford me
> in the VPN scenario? I can see how it would be for wireless since VPN
> doesn't have the facility to accept wireless.
>
> Again, what does IAS provide me for plain VPN? In VPN I already have
> user accounts with policies. To me IAS only provides another layer.
> Correct me if I am wrong.
>
>
The primary advantage to using IAS with your VPN servers is that you can
centrally manage network access policies using IAS for both wireless and
VPN. This means that you won't need to create and manage VPN policies and
wireless policies in different places; the policies will all be visible in
IAS and simpler to manage. This is especially true the more VPN and
wireless APs that you add.
In addition, IAS logging provides the ability to log to SQL Server as well
as to a text file.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.