How to Use IAS and Cisco Hardware to Limit a Network Connection to a Specific IP Address (283829)

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q283829

SUMMARY

This article describes how to configure Internet Authentication Service (IAS) and Cisco hardware to restrict network access based on IP address. You can do this by using an access list (as long as each user or group of users has a known IP address) and specific Remote Authentication Dial-In User Service (RADIUS) attributes.

MORE INFORMATION

To set up restricted network access that is based on IP address, you must change the configuration of both IAS and the Cisco network access server (NAS). The configuration for your environment varies depending on your specific hardware and software versions.

To configure the Cisco NAS, you must use the commands specific to your hardware and the Cisco Internetwork Operating System (IOS) version. For more information about how to configure the Cisco NAS, visit the following Cisco Web sites:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

To configure IAS RADIUS settings on the Windows 2000-based server, use either of the following methods:

  • Use a vendor-specific attribute.

    -or-

  • Use the standard RADIUS attribute Filter-ID.

The following sections describe these methods in more detail.

Method 1: Use a Vendor-Specific Attribute

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Click Remote Access Policies, right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
  3. Click Edit Profile, click the Advanced tab, and then click Add.
  4. In the list of available RADIUS attributes, click Cisco-AV-Pair, click Add, and then click Add.
  5. In the Attribute value box, type ip:access-list 120 permit tcp any host 1.1.1.1 eq 23.

     Note This example shows a configuration that uses access list 120 and the Telnet port (TCP port 23). Your configuration will vary.

     After you perform this procedure, any traffic other than Telnet traffic to the specified host is denied.

Method 2: Use a Standard RADIUS Attribute Filter-ID

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Click Remote Access Policies.
  3. Right-click the policy that you want to configure the Filter-ID attribute for, and then click Properties.
  4. Click Edit Profile, click the Advanced tab, and then click Add.
  5. In the list of available RADIUS attributes, click Filter-ID, click Add, and then click Add.
  6. In the Enter the attribute value in box, click String, and then type 120.in.

     Note This example uses access list 120. Your configuration will vary.

After you configure the Cisco NAS and IAS settings, when a user dials in, the RADIUS attributes that are configured in the user's or group's Windows 2000 remote access policy, together with the settings on the NAS device, limit traffic on the specified port (port 23 in this case) to a specific IP address.
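The following is an added example (not part of the Microsoft article and not IAS or Cisco code) that models what the NAS does with the two attribute values above: it parses the Cisco-AV-Pair string from Method 1 and the Filter-ID string from Method 2, then evaluates sample traffic against the resulting access list, including the implicit deny that ends every Cisco ACL. The regular expression covers only the single-ACE form shown in the article; the packet values are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the Cisco-AV-Pair value from Method 1, e.g.
# "ip:access-list 120 permit tcp any host 1.1.1.1 eq 23"
AV_PAIR_RE = re.compile(
    r"^ip:access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$"
)


@dataclass
class Ace:
    """One access-control entry of a numbered Cisco ACL."""
    acl: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]


def parse_av_pair(value: str) -> Ace:
    """Parse one ip:access-list AV pair into an access-control entry."""
    m = AV_PAIR_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported AV pair: {value!r}")
    port = m.group("port")
    return Ace(int(m.group("acl")), m.group("action"), m.group("proto"),
               m.group("src"), m.group("dst"), int(port) if port else None)


def parse_filter_id(value: str) -> Tuple[int, str]:
    """Parse the Filter-ID string from Method 2 ("120.in") into (acl, direction)."""
    acl, direction = value.strip().split(".")
    if direction not in ("in", "out"):
        raise ValueError(f"unsupported direction: {direction!r}")
    return int(acl), direction


def _match_addr(spec: str, addr: str) -> bool:
    # "any" matches everything; "host A.B.C.D" matches exactly that address
    return spec == "any" or ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(addr)


def permitted(aces: List[Ace], proto: str, src: str, dst: str, port: int) -> bool:
    """Evaluate a packet against the ACL: first matching entry wins."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action == "permit"
    return False  # Cisco ACLs end with an implicit deny of everything else
```

With the article's attribute value, Telnet to 1.1.1.1 is permitted while any other port, host or protocol falls through to the implicit deny, which is the behaviour the note under Method 1 describes.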

For additional information about how to configure vendor-specific attributes for a remote access policy, click the following article number to view the article in the Microsoft Knowledge Base:

319824 HOW TO: Configure Vendor-Specific Attributes for a Remote Access Policy in Windows 2000

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Major
Last Reviewed: 1/26/2005
Keywords: kbhowto KB283829 kbAudITPRO