Remote Access Server (RAS)

RAS allows dial-up connections (modem connections, or on-demand connections such as ADSL) to be used for TCP/IP networking and routing. The following sections describe Windows 2000’s RAS features and the utilities used to configure RAS settings.

Configuring RAS

You can configure RAS settings using the Routing and Remote Access snap-in to MMC, which was described earlier in this chapter as used for IP Routing configuration. The majority of RAS settings are contained within one or more remote access policies.

A policy specifies remote access settings for a configurable group of users. A default policy is included to allow access to any user with the dial-in permission set in their user policy. You can modify this policy or add separate policies to modify RAS settings.

The policy Properties dialog allows you to grant or deny permissions based on a number of conditions. You can use the Edit Profile button to edit the full range of RAS settings for the policy. The Profile dialog is divided into a number of property pages, described in the following sections.

Dial-in Constraints

The Dial-in Constraints page allows you to restrict the use of dial-up connections. The following options are available:

Disconnect if idle for

If this option is enabled, the user will be disconnected after the specified number of minutes with no network activity.

Restrict maximum session to

If this option is enabled, the user will be disconnected after the specified number of minutes, regardless of activity.

Restrict access to the following days and times

Specify dates and times to allow access.

Restrict dial-in to this number only

If multiple numbers are in use, select this option to allow the user access to only one specified number.

Restrict dial-in media

If this option is enabled, you can choose dial-up media (DSL, ISDN, VPN, etc.) that can be used by the policy’s users.

IP

This page includes IP addressing options. You can choose whether the server always supplies an IP address or only does so when requested by the client. You can also define packet filters to be used for the policy’s users.

Multilink

The multilink feature allows two or more modem devices to be aggregated into a single higher-bandwidth link. This page allows you to enable or disable multilink for the policy’s users.

This page also includes settings for Bandwidth Allocation Protocol (BAP). This protocol allows you to reduce the number of multilink lines available to this policy’s users when the dial-up line usage exceeds a specified level for a specified amount of time.

Authentication

This page allows you to choose the types of authentication allowed for the policy’s users when dialing in. You can choose one or more of the following authentication methods:

CHAP (Challenge Handshake Authentication Protocol)

An Internet-standard protocol that exchanges encrypted tokens for authentication.

MS-CHAP

Microsoft’s proprietary version of CHAP, supported by Windows and Windows NT.

MS-CHAP v2

A new version of MS-CHAP, available only to Windows 2000 clients and servers.

Extensible Authentication Protocol (EAP)

A dynamic authentication protocol that can use certificates, smart cards, or other authentication methods.

Unencrypted authentication

Allows use of the PAP (Password Authentication Protocol) and SPAP (Shiva PAP) protocols, which provide authentication using plain-text passwords.

Unauthenticated access

If this option is enabled, clients can complete PPP connections with no authentication. It is disabled by default and is a serious security risk.

Which types of authentication you allow will depend on your need for security and the types of systems you are supporting. In a Windows network, MS-CHAP and MS-CHAP v2 will support all clients securely. If you need to support Unix clients, you may need to enable CHAP, PAP, or perhaps even unauthenticated access, but each of these that you enable reduces security.

Encryption

This page allows you to enable encryption for RAS clients. The options here include No Encryption, Basic, and Strong encryption. The encryption features of RAS are explained in detail in the next section.

Advanced

This page allows you to configure a number of additional named RAS options. Press Add to display a complete list of available options and add an option if desired.

Remote Access Encryption

Windows 2000 includes a number of options for encrypting TCP/IP dial-up and VPN connections for enhanced security. The following sections describe the encryption protocols available and their intended use.

Dial-up connections

Dial-up connections typically use the PPP protocol. This protocol allows secure authentication to initiate a connection, but does not normally include encryption. Windows 2000 includes the MPPE (Microsoft Point-to-Point Encryption) to add encryption to the PPP transport.

VPN connections

VPN (virtual private network) connections can use either the PPTP or L2TP protocols. Windows 2000 uses MPPE to secure PPTP communication and uses IPSec to secure L2TP communications.

RAS and DHCP

Windows 2000 RAS can use DHCP to assign IP addresses. Although clients cannot directly issue DHCP requests or receive responses from a DHCP server, the RRAS service leases addresses from DHCP in groups of ten and assigns them to clients.

You can modify the number of IP addresses RRAS leases at a time. This value is stored in the registry under this subkey:

System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip

Within this subkey, the InitialAddressPoolSize key stores the number of addresses to lease.
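The following PowerShell script is an added example, not part of this chapter, showing how an administrator can read and adjust the pool size the text describes. It assumes PowerShell's HKLM: registry provider is available; the key path and the InitialAddressPoolSize value name are those given above, and the upper bound on the size is an assumed sanity limit, not one documented by the book.

```powershell
# Added example (not from the book): inspect and change the number of DHCP
# addresses RRAS leases at a time. Assumes the HKLM: registry provider; the
# key path and value name are the ones named in the text above.
$RasIpKey = 'HKLM:\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip'

function Get-RasAddressPoolSize {
    # Returns the configured pool size, or the default of 10 the text
    # describes when the value has not been created yet.
    $props = Get-ItemProperty -Path $RasIpKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.InitialAddressPoolSize) {
        return [int]$props.InitialAddressPoolSize
    }
    return 10
}

function Set-RasAddressPoolSize {
    # Upper bound of 10000 is an assumed sanity limit, not from the book.
    param([Parameter(Mandatory)][ValidateRange(1, 10000)][int]$Size)

    # Refuse to create the key from scratch: a missing key means RRAS is not
    # installed, and creating it silently would hide that misconfiguration.
    if (-not (Test-Path $RasIpKey)) {
        throw "RRAS IP parameters key not found: $RasIpKey"
    }
    $before = Get-RasAddressPoolSize
    Set-ItemProperty -Path $RasIpKey -Name InitialAddressPoolSize `
        -Value $Size -Type DWord
    Write-Host "InitialAddressPoolSize: $before -> $Size"
    Write-Host 'Restart the RemoteAccess service for the new size to take effect.'
}

# Example usage: report the current value, then raise it for a busier server.
Get-RasAddressPoolSize
Set-RasAddressPoolSize -Size 20
```

Because RRAS takes the whole block of leases from the DHCP scope at once, size the pool against the scope's free addresses; a large value on several RRAS servers can exhaust the scope for ordinary DHCP clients.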
