Remote Authentication Dial-In User Service (RADIUS) is a client-server networking protocol that safeguards networks against unauthorized access. Along with a RADIUS Client or Network Access Server (NAS), that is used to authenticate users, and a RADIUS Server that runs on a UNIX or Windows server, that maintains user profiles in a central database, you have control over who can connect with your network.
When you configure Network Policy Server (NPS server) as a RADIUS proxy, to authenticate, authorize, and account (AAA) server groups, it offers a way to select a group of the configured server hosts and use them for a specific service.
If you have a larger network or more complex infrastructure, a simple installation of NPS may not suffice. You will most likely have to install multiple RADIUS servers so that your network can deliver a better performance.
RADIUS Server Groups
A RADIUS server group is a group of RADIUS servers that are similar. When you configure a device as a RADIUS proxy to forward connection requests to RADIUS servers, process the requests, authenticate and authorize the users or computer accounts located in the database, it allows you to group existing server hosts that have different operational characteristics.
When multiple RADIUS servers exist in your network, you can configure RADIUS clients to either use a primary RADIUS server or an alternate RADIUS server. This means that, if the primary RADIUS server becomes unavailable, the request is sent to the alternate RADIUS server.
Configuring RADIUS Servers for a group
A remote RADIUS server group, as the name suggests, contains one or more RADIUS servers. To configure more than one server, it is important to specify the load balancing settings of each RADIUS Server. This is to avoid one or more servers getting overloaded with too many connection requests. The solution is to decide the order in which the servers are used by the proxy or by allotting the flow of RADIUS messages across all servers in the group.
In some cases, RADIUS Server groups comprise of multiple host entries for the same server. Under such circumstances, each host entry would have a unique name/address. The unique identifier can be the combination of an IP address or a name resolved to the IP address, such as a UDP port number.
The unique identifier authorizes different UDP ports, providing a specific AAA service, and allows RADIUS requests to be sent to different UDP ports on a server at the same IP address.
Priority: The RADIUS Server group members are given a priority setting to enable load balancing. This represents the order of importance of the RADIUS server to the NPS proxy server. The member of the group who is set as the primary server is given a priority setting of 1 and so on and so forth. So, the lesser the number of the server, the higher the priority it has. The NPS proxy sends connection requests to the RADIUS server with priority 1. If that server is not available, then NPS sends connection requests to RADIUS server with priority 2, and so on.
Weight: If multiple RADIUS servers are allotted with the same priority, then they are given a secondary group setting to load balance between them. The secondary group setting is used to find out how often RADIUS messages are sent to each server. Weight setting is a value represented by a percentage and is assigned a value between 1 and 100. In cases where two servers are assigned the same priority and weight, the connection requests are spread equally among the two servers.
Additional settings: The NPS can be configured using additional advanced settings to detect when a group member becomes unavailable and when it becomes available. The advanced settings determine when it considers the server is not available and sends the requests to the next RADIUS server.
There are situations where two separate host entries belonging to a RADIUS server are configured for the same service. For instance, if both the host entries are configured for authorization, the second host entry always acts as a backup to the first host entry. So, even if the first host entry fails to perform authorization, the network access server attempts the service on the second host entry.
Authentication requests and accounting requests (or both) can be forwarded to each remote RADIUS server group member.
Once the Remote RADIUS Server Group has been configured, the group in the authentication and accounting settings of a connection request policy can be specified. This means that you can first configure the remote RADIUS server group. The connection request policy to use the newly configured remote RADIUS server group can be configured next. On the other hand, you can use the New Connection Request Policy Wizard to create a new remote RADIUS server group while you are generating the connection request policy.
Adding a new remote RADIUS server group in Windows NPS Server
When the NPS is configured as a RADIUS proxy, a new connection request policy is created. The NPS uses this policy to determine which connection requests need to be forwarded to other RADIUS servers. The NPS also uses this policy to specify the precise remote RADIUS server group where the connection requests that match the connection request policy need to be sent and to decide which RADIUS servers will perform the authentication and authorization of connection requests that the NPS server receives from RADIUS clients.
In this example im going to use our Cloud RADIUS Server in AWS.
Once you have logged into the AWS Cloud RADIUS server, you are now ready to add a new remote RADIUS server group in the Windows NPS Server:
- Login to your Windows Radius Server and click on the Server Manager. On the Server Manager tab, click Tools and select Network Policy Server. Then click Network Policy Server. The NPS console opens.
- Expand the NPS console tree, select RADIUS Clients and Servers and double-click. You’ll be moved to the Remote RADIUS Server Groups where you should right-click, and then click New.
- On the New Remote RADIUS Server Group dialog box type in the name assigned for the remote RADIUS server group.
- In RADIUS Servers, click Add. The Add RADIUS Servers dialog box opens. Type the IP address of the RADIUS server that you want to add to the group, or type the Fully Qualified Domain Name (FQDN) of the RADIUS server, and then click Verify.
- In the Add RADIUS Servers, click the Authentication/Accounting tab. In Shared secret and Confirm shared secret, type the shared secret. Make sure to use the same shared secret when you configure the local computer as a RADIUS client on the remote RADIUS server.
- Please note that EAP uses the Message-Authenticator attribute by default. So, in case you are not using Extensible Authentication Protocol (EAP) for authentication, click Request must contain the message authenticator attribute.
- Check the authentication and accounting port numbers and see whether they are correct.
- In case the shared secret for accounting is different, go to the Accounting tab and clear the Use the same shared secret for authentication and accounting check box. Then type the accounting shared secret in Shared secret and Confirm shared secret.
- If you do not want to forward network access server start and stop messages to the remote RADIUS server, clear the Forward network access server start and stop notifications to this server check box.
- Select the Load Balancing tab.
- Specify how often requests are sent to a specific server in a group by specifying the weight assigned to the server.
- Click OK to close the Add RADIUS Server dialog box.
- Click OK to close the New Remote RADIUS Server group.