Re: Redundant IAS servers

From: James McIllece [MS] (jamesmci_at_online.microsoft.com)
Date: 09/14/04


Date: Tue, 14 Sep 2004 12:32:11 -0700


"Gregg Dalby" <anonymous@discussions.microsoft.com> wrote in
news:2e9e601c46b80$74029a10$a501280a@phx.gbl:

> My intention is to somehow replicate my centrally managed
> remote access policies. I understand how I can create
> additional IAS servers as RADIUS clients to my central IAS
> server but that is not the redundancy I'm after. I need a
> way of continuing to authenticate if my one and only
> primary IAS server is down while maintaining the integrity
> of my central remote access policies for my NAS's.
>
> My environment is Windows2000 in native-mode with a
> majority of Cisco devices authenticating using RADIUS.
>
> I'm not sure if this should be accomplished within IAS or
> using a different Windows2000 administrative tool.
>
> I can be contacted at gdalby at behr dot com as I don't
> often check this newsgroup.
>
> Thank you for your help!
> Gregg
>

Hi there --

Regarding your newsgroup post:

My intention is to somehow replicate my centrally managed
remote access policies. I understand how I can create
additional IAS servers as RADIUS clients to my central IAS
server but that is not the redundancy I'm after. I need a
way of continuing to authenticate if my one and only
primary IAS server is down while maintaining the integrity
of my central remote access policies for my NAS's.

My environment is Windows2000 in native-mode with a
majority of Cisco devices authenticating using RADIUS.

I'm not sure if this should be accomplished within IAS or
using a different Windows2000 administrative tool.

First off, to replicate all of your policies you can just export the
central IAS server configuration to a file, then import the configuration
on as many other IAS servers as you like. Here is the Help topic on this
process:

To copy the IAS configuration to another server

1. At a command prompt, type netsh aaaa show config <path>\file.txt. This
   stores the configuration settings, including registry settings, in a text
   file. The path can be relative, absolute, or a UNC path.
2. Copy the file you created to the destination computer, and at a command
   prompt on the destination computer, type netsh exec <path>\file.txt. A
   message appears indicating whether the update was successful.

Notes

You do not need to stop IAS on the destination computer to run the netsh
exec command. When the command is run, IAS is automatically refreshed with
the updated configuration settings.
This procedure will not work if the source and destination computer are
running different versions of Windows 2000.
This procedure replicates all IAS, remote access policy, registry, and
logging configuration.

And from a different but related topic:
When you type netsh aaaa show config, it creates a Netsh script file that
is designed to be used with the netsh exec command. The contents of the
display of the netsh aaaa show config command includes:

-- IAS settings
-- RADIUS clients
-- Remote access policies
-- Remote access logging settings

Just FYI, about this statement in your post: "I understand how I can create
additional IAS servers as RADIUS clients to my central IAS
server"

This is true for Windows Server 2003 IAS, but not for W2K IAS. W2K IAS does
not have the capability of configuring IAS as a RADIUS proxy, but WS03 IAS
does.

As for the issue of creating fault tolerance by deploying more than one IAS
server, that's a great idea. :-) The way that you do this is to deploy
multiple IAS servers, and then configure your network access servers (NASs)
to use as many of the IAS servers as you want to.

For example let's say you want to deploy two IAS servers for fault
tolerance. Configure your central server first, and verify that it is
performing as intended. Then export the central server configuration to a
file. Import that file to the backup server and it will automatically be
configured just like the first server -- including the configuration of the
NASs as RADIUS clients. (Don't forget that after you have copied the
configuration, if you alter the configuration on one server you will need
to duplicate the change on the other servers, either manually using the IAS
console or by exporting/importing the configuration again to the other IAS
servers.)

Then at each NAS, configure both IAS servers as authenticating servers
using the RADIUS protocol. During daily operations, if one server is
unreachable, the NAS will send the Access-Request message to the second IAS
server.

-- 
James McIllece, Microsoft
Please do not send email directly to this alias.  This is my online account 
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.

