ISA and IAS, and IAS.

  • Article

IAS (Internet Authentication Service) - is Microsoft's implementation of a RADIUS server (Remote Authentication Dial In User Service). I tend to use the terms RADIUS and IAS interchangeably.
ISA Server (Internet Security and Acceleration Server) is Microsoft's implementation of a soft and fluffy web proxy server, layered atop a firewall with huge squinty eyes, sharp claws and big teeth.

Short version: With Windows Server 2003, it's easy to authenticate users across multiple disconnected organizations, using The Power Of RADIUS™. It was harder before. Lots of messy trust relationships. Yeck.

Longer version: ISA Server 2004 (SE and EE) adds RADIUS authentication to its list of tricks, both for Web Proxy and VPN client support. I've covered RADIUS support in ISA publishing before, here's the link to search the back catalogue.

When performing RADIUS authentication, all Microsoft RADIUS clients I'm aware of (ISA and RRAS) treat all defined RADIUS servers as being authoritative. In much the same way as all the DNS servers defined on the same adapter are assumed to be equally authoritative, all the RADIUS servers defined for a Microsoft RADIUS client are assumed to hold the same information too. Doesn't matter if they're from six different organizations, the client has no way of telling, so the first one to respond wins. If it says "never heard of 'im" (or more formally, Access-Reject), we don't bother asking any others.

This is fine when you only need to authenticate users from a single organization, but if you need to talk to multiple organizations, just listing them in order won't work. Another solution is needed.

And... Windows Server 2003 ships with a new version of IAS that adds a useful trick to the arsenal: It lets an IAS server act as a proxy for other IAS servers - most usefully (normally) those that aren't part of your own domain.

This feature is part of the Connection Request Policies interface in the IAS MMC, and it's pretty simple to set up - just let the Wizard do the work for you.

In the example I screenshotted, I specified that any user from the realm "otherdomain.example.com" would be forwarded to a fictional group of RADIUS servers elsewhere; I just specified their IP addresses. Any time the username submitted by a RADIUS client (eg, VPN/Dial-Up Server, ISA Server, or any other RADIUS client) matches the username specified in the connection request policy, it'll be dealt with according to that policy's setting. In the picture to the left, we first check that the username doesn't contain a reference to the other domain - in which case we just forward it - and if it doesn't match, we try to handle it ourselves using Windows authentication (either local SAM accounts, or via domain membership and trust relationships).

If you're looking at the description and the feature, thinking "wow, it looks a lot like conditional forwarding for DNS", then top marks to you, it does look a lot like it, doesn't it?

Further Reading
Connection Request Policies (Web version of the Help).