Use this wizard page to configure the source of authentication for RRAS.
- If you select No, then the RRAS server performs its own authentication. The user credentials sent by users attempting connections are authenticated using typical Windows authentication mechanisms, and the connection attempt is authorized using the remote client’s user account properties and network policies. The remote access server must be joined to a domain to authenticate with Active Directory Domain Services (AD DS). Permissions for VPN and dial-up users are configured in Active Directory Users and Computers, on the Dial-in tab of the User Properties dialog box. By default, the Active Directory setting refers to Network Policy Server (NPS), but can be configured to allow or deny access to a user account.
- If you select Yes, then Remote Authentication Dial-In User Service (RADIUS) performs authentication for the RRAS server. User credentials and parameters for the connection request are sent as RADIUS request messages to a RADIUS server. The RADIUS server receives a user-connection request from the RRAS server and authenticates and authorizes the connection attempt. The RADIUS server must be joined to a domain to authenticate with AD DS.
If you have more than one remote access server, instead of administering the network policies of all the remote access servers separately, you can configure a single server with NPS as a RADIUS server and configure the remote access servers as RADIUS clients. The server running NPS provides centralized remote access authentication, authorization, accounting, and auditing.