Configure a Remote Access Policy

To enable the default policy

• Do not perform these steps if you plan to create a common or custom remote access policy, described next.

1. To enable the default policy, do one of the following:
   
   
   • If you use Windows authentication, on the answering router open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name. (Use Windows authentication for a site-to-site only connection.)
   • If you use RADIUS authentication, on the IAS server open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service. (Use either Windows or RADIUS authentication if the answering router for the site-to-site connection also supports remote access users.)
2. In the console tree, click Remote Access Policies. In the details pane, right-click the default policy Connections to Microsoft Routing and Remote Access server, and then click Properties.
3. Select Grant remote access permission. (The default selection is Deny remote access permission.)

To add a common or custom remote access policy

• Do not perform these steps if you plan to use the default policy, described earlier.

1. To add a common or custom remote access policy, do one of the following:
   
   
   • If you use Windows authentication, open Routing and Remote Access, and, if necessary, double-click Routing and Remote Access and the server name.
   • If you use RADIUS authentication, open Internet Authentication Service, and, if necessary, double-click Internet Authentication Service.
2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy. Use the New Remote Access Policy wizard to create a common policy, as shown

Policy Configuration Method:

Select Use the wizard to set up a typical policy for a common scenario, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters.

Access Method:

Select VPN or Dial-up, as appropriate.

User or Group Access:

Click Group, click Add, and then type the group name you created earlier, such as BranchOfficeRouters.

Authentication Methods:

Either accept the default method, MS-CHAP v2, or choose Extensible Authentication Protocol (EAP) and specify its type (either MD5-Challenge orSmart card or other certificate).

Policy Encryption Level:

Select Strongest encryption, and clear any other selections.


Creating a Custom Remote Access Policy by Using the New Remote Access Policy Wizard

Policy Configuration Method:

                                                   Select Set up a custom policy, and then type an appropriate name for the policy, such as Authenticate BranchOfficeRouters.

Policy Conditions:

                                                 If this is a dial-up (non-VPN) connection:

1. Click Add.
2. Select Windows-Groups, click Add twice, and then specify the group name you created earlier (such as BranchOfficeRouters). Click OK twice to return to the Policy Conditions page.
3. Click Add, and select NAS-Port-Type. Click Add, and select the appropriate device type, such as Async (Modem), ISDN Async V.100, ISDN Async V.120, or ISDN Sync. Then click Add.
4. Click Add, select Authentication Type, click Add, select either MS-CHAP v2 or EAP, and then click Add.
5. Select and configure any other attributes for which you want to specify a setting.

-or-

If this is a VPN connection:

1. Click Add.
2. Select Windows-Groups, click Add twice, and then specify the group name you created earlier (such as BranchOfficeRouters). Click OK twice to return to the Policy Conditions page.
3. Click Add, select NAS-Port-Type, click Add, select Virtual VPN, and then click Add.
4. Click Add, select Tunnel-Type, click Add, select either Point-to-Point Tunneling Protocol or Layer 2 Tunneling Protocol (as appropriate), and then click Add.
5. Click Add, select Authentication-Type, select either MS-CHAP v2 or EAP, and then click Add.
6. Select and configure any other attributes for which you want to specify a setting.

Permissions:

                    Select Grant remote access permission.

Profile:

                   If you want to change the defaults, click Edit Profile, and then make the desired changes. For example, click Edit Profile, select the Encryption tab, select Strongest encryption, and clear any other selections.