Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that provides remote access service to communicate with a central server to authenticate dial-in users and authorise their access to the requested system or service. Network Policy Server (NPS) can be configured as a RADIUS Server to allow networks to set up policies that can be applied at a single network point. NPS also performs as a RADIUS proxy to forward connection requests to other RADIUS servers for load balancing. When configured as a RADIUS Server, NPS can be configured to log events to a local file or a remote Microsoft SQL Server. In this article, we take a look at setting up a centralised RADIUS server on AWS and using it to authenticate remote VPN users against an existing user base.
Installing NPS Server on Windows
- To install the NPS Server, open the Server Manager Console.
- Click on the Manage tab and select Add Role and Features.
- On the Add Role and Features wizard console, click the Before you begin tab and click Next.
- On the Add Role and Features wizard console, click the Installation Type tab, select Role-based or feature-based installation and click on Next.
- On the Add Role and Features wizard console, click on the Server Selection tab, and click on Select a server from the server pool. From the list of servers in the server pool box below, click on the server name on which you want to install the Network Policy and Access Service role, and click on Next.
- On the Add Role and Features wizard console, click on the Server Roles tab, and select the Network Policy and Access Services checkbox. Click on Next.
- Click on the Add Features button to add the required feature for NPS. Click on Next to continue.
- On the Add Role and Features wizard console, click on the Features tab, and click on Next.
- On the Add Role and Features wizard console, click on the Network Policy and Access Services. Here, overview information about Network Policy and Access Services is given. Click on Next.
- Click on the Install button to start the installation process. Service components are now installed in the server. Once the installation process is over, the installation result is shown. Click on the Close button to finish installation and exit the window.
- The Network Policy and Access Services has now been installed successfully. However, it needs to be configured to work properly.
Configure RADIUS Server
- Open the Network Policy Server from the Tools menu.
- To register the RADIUS server in the Active Directory Domain, click on the NPS management console, then right-click on NPS Local and select Register server in Active Directory.
- To confirm the successful registration of the RADIUS server in Active Directory, click on OK.
- The RADIUS server has the authority to read the properties of user accounts related to the remote access and the NPS Server will be added to the built-in domain group.
Add RADIUS Client and Create NPS Policies for RADIUS Server
- Under Getting Started, select RADIUS Server for Dial-Up or VPN Connection from the drop-down menu. Click on the Configure VPN or Dial-Up link to add a new RADIUS client.
- On the Select Dial-Up or Virtual Private Network Connections Type console, click on the Virtual Private Network (VPN) Connections button and specify a meaningful name in the Name field. Click on Next.
- On the Specify Dial-Up or VPN Server console, click on the Add button.
- On the New Radius Client console, in the Settings panel, under the Name and Address field add the name of the RADIUS Client in the Friendly Name field. Add the IP Address or FQDN of VPN Server in the Address (IP or DNS) field. Select the Manual button and type a strong shared secret password. Re-enter the shared secret password to confirm the password.
- Click on OK to save the changes.
- Verify the new Radius client entry and click on Next.
- On the Configure Authentication Methods console, select Extensible Authentication Protocol checkbox. From the drop-down menu select Microsoft: Secured password (EAP-MSCHAP v2) and click on Next.
- On the Specify User Groups console, to specify User Groups as a condition to apply this policy, click Add.
- Add a suitable user group name. Click on OK, and then click on Next.
- On the Specify IP Filters console, click on Next.
- On the Specify Encryption Settings console, click on the Strongest encryption (MPPE 128 bit) and click on Next.
- Click on Next and then click Finish to add NPS Policies on the RADIUS Server.
- Once the NPS policy is added, the next step is to configure the VPN server for authentication on the newly installed RADIUS NPS server.
Configure VPN using Remote Access in Windows Server
- On the Add Roles and Features Wizard, click on Open the Getting Started Wizard link.
- The Configure Remote Access page will open. Click on Deploy VPN only.
- The Routing and Remote Access Management Console will open.
- Right click on the Server name and select Configure and Enable Routing and Remote Access.
- On the Welcome to the Routing and Remote Access Server Setup Wizard page, click on Next.
- On the Configuration page, select the Custom configuration radio button. Click on Next.
- On select the service page, check the VPN Access box. Click on Next and then click on Finish.
- To start the service, click on Start service. A green arrow is visible beside the server name to denote that it is configured.
- To configure VPN server properties to specify the IP Address range, right-click on the server name and click on Properties.
- Click on IPv4 Tab and select the Static Address Pool radio button.
- Click on Add. Specify the IP address in the New IPv4 Address Range field. Click OK. (If you do not have a DHCP Server in your environment, add a static IP address pool.)
- Click on Apply and OK to save the changes to the VPN server.
- Once we have configured the VPN server for authentication using Remote Access Service on the newly installed RADIUS NPS server, the next step is to configure the RADIUS Server settings on VPN Server.
Configure RADIUS Server Settings on VPN Server
- On VPN Server, open Server Manager Console. Click on Tools and select Routing and Remote Access.
- Right-click on the server name and select Properties.
- Click on Security Tab. Under the Authentication provider, select RADIUS authentication and then click on Configure.
- Click Add.
- Specify the IP address of the RADIUS Server in the Server name field. Click on Change
- Enter the shared secret password that was created when adding radius client in the New secret field. Confirm the new secret password. Click OK.
- Click OK.
- Click OK.
- Under the Accounting provider, select RADIUS Accounting and then click on Configure.
- Follow the same steps again to specify the RADIUS Server IP Address and Shared Secret password.
- Click on Apply and OK to save the changes.
We have now configured the NPS RADIUS Server for VPN Authentication on Windows Server. Now the VPN server can use the Windows Server NPS RADIUS server for authentication and accounting.