Internet Authentication Services Part II
When pursuing an MCSE or MCSA designation, you will come across a few questions about Internet Authentication Services (IAS). The more you know the better, and understanding how the remote access authentication process works when an IAS server is involved can increase your chances of answering related questions correctly.
So your network uses IAS and your remote access servers have been configured as RADIUS clients. The process that occurs when a RADIUS client receives a connection request from a remote access client is outlined below.
- A user attempts to establish a remote access connection with a remote access server configured as a RADIUS client.
- The RADIUS client creates an Access-Request message and sends it to the IAS server.
- The IAS server evaluates the Access-Request message.
- The connection attempt is evaluated against the conditions of the remote access policies.
- The credentials of the remote access user are verified and the Dial-in properties for the user’s account are obtained from a domain controller.
- The IAS server determines whether the remote access user has been granted remote access. Remember that remote access can be granted through the user account properties and through the remote access policy.
- If the user has permission, the profile settings of the policy and the Dial-in settings of the user account are evaluated against the connection attempt.
- If the connection attempt is granted, an Access-Accept message is sent to the RADIUS client. Conversely, an Access-Reject message is sent if the connection attempt is not authorized.
- The remote access server completes the connection attempt if the user has been authorized.
- Once the connection has been completed, an Accounting-Request message is sent to the IAS server, where it is logged.
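The Access-Request / Access-Accept / Access-Reject exchange in the steps above, as an added Python example that is not part of the original article. It goes beyond the text by showing the RFC 2865 check a RADIUS client runs on a reply before honoring it (the Response Authenticator keyed with the shared secret); the secret, user name and identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 2865/2866 for the messages named in the steps above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
USER_NAME = 1  # attribute type for User-Name

def attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attrs=b""):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, request, secret, attrs=b""):
    """Server side: answer a request with an Access-Accept (2) or Access-Reject (3)."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)

def check_reply(reply, request, secret):
    """Client side: return the message name, or raise if the reply cannot be trusted."""
    if len(reply) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad Length field")
    if ident != request[1]:
        raise ValueError("Identifier does not match the pending request")
    if code not in (2, 3):
        raise ValueError("not an Access-Accept or Access-Reject")
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or altered reply)")
    return CODES[code]

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # sample value, not from the article
    request = build_packet(1, 7, os.urandom(16), attribute(USER_NAME, b"alice"))
    print(check_reply(build_reply(2, request, secret), request, secret))
```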
In Windows Server 2003, an IAS server can also be configured to act as a RADIUS proxy. In this configuration, it receives Access-Request messages from RADIUS clients and forwards them to the appropriate RADIUS server based on the connection request processing rules that have been configured.
