{"id":1339,"date":"2019-05-17T09:57:56","date_gmt":"2019-05-17T06:57:56","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=1339"},"modified":"2019-05-17T09:57:56","modified_gmt":"2019-05-17T06:57:56","slug":"setup-nps-for-radius-authentication-in-active-directory","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=1339","title":{"rendered":"Setup NPS for RADIUS authentication in Active Directory"},"content":{"rendered":"\n

The Network Policy Services<\/strong> (NPS) is a service included in Windows Server 2008 acting as RADIUS<\/strong> to authenticate remote clients against Active Directory.<\/p>\n\n\n\n

In Active Directory<\/strong> environment is possible to setup the authentication process through RADIUS<\/strong> with existing accounts configured in the network setting NPS service properly.<\/p>\n\n\n\n

\"radiusad02\"\/<\/figure>\n\n\n\n

Installing NPS service<\/h2>\n\n\n\n

First step is the installation of the NPS service<\/strong> on the Windows 2008 R2 server. Open the Server Manager<\/strong> and click the option Add Roles<\/strong> to add the new role to the server.<\/p>\n\n\n\n

\"radiusad03\"\/<\/figure>\n\n\n\n

Click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad04\"\/<\/figure>\n\n\n\n

Select Network Policy and Access Services<\/strong> and click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad05\"\/<\/figure>\n\n\n\n

Click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad06\"\/<\/figure>\n\n\n\n

Select Network Policy Server<\/strong> option and click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad07\"\/<\/figure>\n\n\n\n

To perform the installation, click the Install<\/strong> button.<\/p>\n\n\n\n

\"radiusad08\"\/<\/figure>\n\n\n\n

Service components<\/strong> are installed in the server.<\/p>\n\n\n\n

\"radiusad09\"\/<\/figure>\n\n\n\n

Once the procedure ends, the installation result<\/strong> is shown. Click Close<\/strong> button to exit the window.<\/p>\n\n\n\n

\"radiusad10\"\/<\/figure>\n\n\n\n

The service is now installed but needs to be configured<\/strong> to properly work.<\/p>\n\n\n\n

NPS configuration<\/h2>\n\n\n\n

To proceed with the configuration, access the service from Start > Administrative Tools > Network Policy Server<\/strong>.<\/p>\n\n\n\n

\"radiusad11\"\/<\/figure>\n\n\n\n

Right click on RADIUS Client<\/strong> item to create a new client and select option New<\/strong>.<\/p>\n\n\n\n

\"radiusad12\"\/<\/figure>\n\n\n\n

In the Settings<\/strong> panel, enable the client by flagging option Enable this RADIUS client<\/strong>. Assign a Friendly Name<\/strong> and the server\/router VPN Address (IP or DNS)<\/strong>. To generate the shared secret<\/strong> for the RADIUS <-> Server VPN communication, use the option Generate<\/strong> to automatically create the key paying attention to VPN server specifications because sometimes long strings keys could create some problems. Use option Manual<\/strong> to enter a manual string instead.<\/p>\n\n\n\n

\"radiusad13\"\/<\/figure>\n\n\n\n

Click Advanced<\/strong> and set value RADIUS Standard<\/strong> as Vendor name<\/strong> if the VPN server vendor didn\u2019t provide different advices.<\/p>\n\n\n\n

\"radiusad14\"\/<\/figure>\n\n\n\n

Once the client has been created, from main window of NPS right-click item Network Policies<\/strong> and select option New<\/strong> to create a new policy.<\/p>\n\n\n\n

\"radiusad15\"\/<\/figure>\n\n\n\n

In Policy Name<\/strong> field specify the new policy name. Leave default Unspecified<\/strong> value in Type of network access server<\/strong> field. Click Next<\/strong> to continue.<\/p>\n\n\n\n

\"radiusad16\"\/<\/figure>\n\n\n\n

Click Add<\/strong> button to specify what conditions are evaluated during authentication process.<\/p>\n\n\n\n

\"radiusad17\"\/<\/figure>\n\n\n\n

If the account is authenticated through Active Directory group membership<\/strong>, select Windows Groups<\/strong> item and click Add<\/strong>.<\/p>\n\n\n\n

\"radiusad18\"\/<\/figure>\n\n\n\n

Click Add Groups<\/strong> button to specify the AD group.<\/p>\n\n\n\n

\"radiusad19\"\/<\/figure>\n\n\n\n

Insert AD group and click OK<\/strong>.<\/p>\n\n\n\n

\"radiusad20\"\/<\/figure>\n\n\n\n

Selected AD group is now on the list of Windows Groups<\/strong>. Click OK<\/strong> to continue.<\/p>\n\n\n\n

\"radiusad21\"\/<\/figure>\n\n\n\n

To setup additional conditions, click Add<\/strong> button.<\/p>\n\n\n\n

\"radiusad22\"\/<\/figure>\n\n\n\n

In order to limit authentication requests<\/strong> to a specific VPN server, select condition Client IPv4 Address<\/strong> and click Add<\/strong>.<\/p>\n\n\n\n

\"radiusad23\"\/<\/figure>\n\n\n\n

Enter the VPN server IP Address <\/strong>and click OK<\/strong>.<\/p>\n\n\n\n

\"radiusad24\"\/<\/figure>\n\n\n\n

Completed all the entries, click Next<\/strong> to continue.<\/p>\n\n\n\n

\"radiusad25\"\/<\/figure>\n\n\n\n

Click option Access Granted<\/strong> to enable the access to the system.<\/p>\n\n\n\n

\"radiusad26\"\/<\/figure>\n\n\n\n

In this screen, you define the protocol type<\/strong> used for authentication. Check vendor specifications of your VPN server to select required authentication protocols. To perform EAP authentication for instance, EAP Types<\/strong> must be configured by clicking the Add<\/strong> button.<\/p>\n\n\n\n

\"radiusad27\"\/<\/figure>\n\n\n\n

Select required protocol then click OK<\/strong>.<\/p>\n\n\n\n

\"radiusad28\"\/<\/figure>\n\n\n\n

When authentication protocols have been entered, click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad29\"\/<\/figure>\n\n\n\n

Specify Constraints<\/strong> if requested. Click Next<\/strong>.<\/p>\n\n\n\n

\"radiusad30\"\/<\/figure>\n\n\n\n

From Settings<\/strong> window, set additional attributes requested by the VPN server. For example, Watchguard<\/a> firewalls require Filter-ID<\/strong> attribute to grant VPN access. Click Add<\/strong> button to add a new attribute.<\/p>\n\n\n\n

\"radiusad31\"\/<\/figure>\n\n\n\n

From attributes list select value Filter-ID<\/strong> and click Add<\/strong>.<\/p>\n\n\n\n

\"radiusad32\"\/<\/figure>\n\n\n\n

Click Add<\/strong> to define the attribute information requested by the VPN server for the attribute previously selected.<\/p>\n\n\n\n

\"radiusad33\"\/<\/figure>\n\n\n\n

From the VPN server vendor instructions, insert the right Attribute Information<\/strong> (L2TP-Users in the example) and click OK<\/strong> to confirm.<\/p>\n\n\n\n

\"radiusad34\"\/<\/figure>\n\n\n\n

If some attributes are not longer needed, select and remove them with Remove<\/strong> button.<\/p>\n\n\n\n

\"radiusad35\"\/<\/figure>\n\n\n\n

When the setup is complete, click OK<\/strong>.<\/p>\n\n\n\n

\"radiusad36\"\/<\/figure>\n\n\n\n

configuration summary<\/strong> is shown with policy conditions and settings. Click Finish<\/strong> to complete the procedure.<\/p>\n\n\n\n

\"radiusad37\"\/<\/figure>\n\n\n\n

To process in the right way the just created policy, move it at the top of the list.<\/strong><\/p>\n\n\n\n

\"radiusad38\"\/<\/figure>\n\n\n\n

For the correct functionality of RADIUS authentication, server must be registered in Active Directory. From main screen of NPS right-click NPS (local)<\/strong> and select option Register server in Active Directory<\/strong>.<\/p>\n\n\n\n

\"radiusad39\"\/<\/figure>\n\n\n\n

Click OK<\/strong> to authorize the local server in AD.<\/p>\n\n\n\n

\"radiusad40\"\/<\/figure>\n\n\n\n

Click OK<\/strong> to complete the server registration step.<\/p>\n\n\n\n

\"radiusad41\"\/<\/figure>\n\n\n\n

RADIUS server configuration<\/strong> is now complete.<\/p>\n\n\n\n

Enable RADIUS authentication<\/h2>\n\n\n\n

To enable VPN clients authentication in the system, the RADIUS authentication type<\/strong> must be configured in the VPN server.<\/p>\n\n\n\n

\"radiusad42\"\/<\/figure>\n\n\n\n

Enable and insert the correct IP Address<\/strong> of your RADIUS server. Type the Shared Secret<\/strong>previously created. Be careful that typed characters in the Secret field must be the same as defined in the RADIUS server settings otherwise authentication process will fail.<\/p>\n\n\n\n

\"radiusad43\"\/<\/figure>\n\n\n\n

When a VPN connection starts, the client is authenticated through the RADIUS<\/strong> server checking the Active Directory group membership and granting the network access as shown in the Windows log<\/strong>.<\/p>\n\n\n\n

\"radiusad44\"\/<\/figure>\n\n\n\n

If some authentication issues<\/strong> are experienced, looking at the Windows log you can identify where the problem reside.<\/p>\n\n\n\n

\"radiusad45\"\/<\/figure>\n\n\n\n

This solution allows a good authentication management<\/strong> process of remote clients giving the network a higher security level.<\/p>\n","protected":false},"excerpt":{"rendered":"

The Network Policy Services (NPS) is a service included in Windows Server 2008 acting as RADIUS to authenticate remote clients against Active Directory. In Active Directory environment is possible to setup the authentication process through RADIUS with existing accounts configured in the network setting NPS service properly. Installing NPS service First step is the installation of the NPS service on the Windows 2008 R2 server. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1304,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-1339","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1339"}],"version-history":[{"count":1,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1339\/revisions"}],"predecessor-version":[{"id":1340,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1339\/revisions\/1340"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1304"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}