In this post, I will go through the steps to configure and deploy a Network Policy Server (NPS) based RADIUS server that authenticates and authorizes the remote access connections coming from an RRAS based VPN server. I will walk through the different policy parameters in order to point you to the important policy options in the NPS server role. For your own deployment, you may add or remove options depending upon your requirements.
A RADIUS server is used to perform AAA, i.e. authentication, authorization and accounting, for the remote access user. This post gives details on the Network Policy Server (NPS) role acting as a RADIUS server, installed on a different machine from the one running the RRAS server.
3.1 Installation of server role
Let us configure the NPS server role as a RADIUS server on a Windows Server 2008 R2 machine. To do that, you need to first install the NPS server role:
- Open “Server Manager”. Click on “Roles”, then “Add Roles”. Click “Next”. Select “Network Policy and Access Services”. Click on “Network Policy Server”. Click “Next” to install the role.
3.2 Configuration of RADIUS server
To configure the NPS based RADIUS server to authenticate VPN based remote access connections, follow these steps:
- Open Network Policy Server MMC by clicking on “Start”->”All Programs”->”Administrative Tools”->”Network Policy Server”. This launches the NPS MMC snap-in.
- In the left pane, click on “RADIUS Clients and Servers”, then click on “RADIUS Clients”. This is used to configure the information of the RADIUS clients (i.e. the RRAS based VPN server in this scenario) that send authentication and accounting requests to this RADIUS server. Right click and choose “New” to create a new entry, then enter the RADIUS client information (i.e. the IP address and shared secret of the RADIUS client machine, i.e. the RRAS server machine).
Note: This needs to be configured only if the RADIUS Client and NPS server are running on separate machines.
- Click on “Remote RADIUS Server Groups”. This is used when this machine is running as a RADIUS proxy: configure the information about the RADIUS server(s) to which this machine will forward authentication and accounting requests.
For this example scenario, where the RADIUS server is authenticating the connection locally, skip this configuration.
- Click on “Policies”, then click on “Connection Request Policies”. A Connection Request Policy (CRP) allows you to designate whether connection requests are processed locally or forwarded to a remote RADIUS server group.
Right click and choose “New” to create a new CRP. The specific fields in a Connection Request Policy of interest are:
  - “Type of network access server” – set it to “Remote Access Server (VPN-Dial up)”.
  - “Forwarding Connection Request” – Authentication – select “Authenticate requests on this server” if you are authenticating requests locally, OR select “Forward requests to the following remote RADIUS Server group” if this machine is acting as a RADIUS proxy and forwarding the requests to some other machine running a RADIUS server.
  For this example scenario, where the RADIUS server is authenticating the connection locally, select “Authenticate requests on this server”.
  - “Authentication Methods” – this can be set at the CRP level or at the network policy level. If set at the CRP level, it overrides the authentication setting of the individual network policy.
  For this example scenario, let the authentication methods be set at the network policy level.
- Click on the “Policies” node, then click on the “Network Policies” node. Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.
Right click and choose “New” to create a new network policy. A network policy has many fields; some of the common ones are given below:
Note: The mandatory ones that are required for a remote access connection to pass through are highlighted in bold.
  - “Type of network access server” – set it to “Remote Access Server (VPN-Dial up)” – to specify the type of RADIUS client which can match this policy.
  - “Access Permission” – should be set to “Grant access” – to specify the access permission if the conditions and constraints of the policy match the connection request.
  - Conditions: if ALL the conditions match the connection request, NPS uses this policy to authorize the connection request; otherwise it skips this policy and evaluates the other policies (if configured).
    - “Operating System” – specifies the OS of the remote access client computer required to match this policy.
    - “Windows Groups” – this condition specifies the remote access user’s group inside Active Directory.
  - Constraints: if ALL the constraints are not matched by the connection request, network access is denied for the connection.
    - “Authentication Methods” – grant access **only** to those remote access clients that authenticate with the selected authentication protocols.
    Note: This list MUST match the authentication methods configured inside the RRAS server.
    - “Day and time restrictions” – allow access to remote access users **only** on these days and at these times.
  - Settings: if the conditions and constraints match the connection request and the policy grants access, then the settings are applied on top of the connection.
    - “Idle Timeout” – specify the maximum time the connection may remain idle before it is disconnected.
    - “IP Filters” – applied to the VPN connection to restrict the remote access user to specific IP addresses.
    - “NAP Enforcement” – specify whether you want to enforce NAP for this policy. Note: This will require additional configuration as highlighted in this step-by-step guide.
- Click on “Accounting” – to select your preference for the logging store for the accounting data: SQL or a file.
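As an added example that is not part of the original post, the script below reads an NPS accounting log written in the DTS-compliant XML format (the file logging option above, one `<Event>` element per line) and summarises Access-Reject events by reason, user and RADIUS client, flagging repeat failures. The log lines are constructed, and the `REASON` table is an assumed subset of NPS reason codes; reason 66 is the symptom you see when the RRAS and NPS authentication method lists disagree.

```python
# Added example (not the post's own code): summarise Access-Rejects in an NPS
# DTS-compliant XML log. Sample lines and the REASON subset are constructed/assumed.
import xml.etree.ElementTree as ET
from collections import Counter

REASON = {                     # NPS Reason-Code -> meaning (assumed subset)
    16: "bad credentials",
    36: "account locked out",
    48: "no network policy matched",
    65: "dial-in permission denied in AD",
    66: "auth method not enabled on matching policy",   # RRAS/NPS method lists differ
    68: "outside day/time restriction",
}
REJECT_THRESHOLD = 3           # flag a user or RADIUS client at this many rejects
ACCESS_REJECT = "3"            # RADIUS Packet-Type: 2 = Accept, 3 = Reject, 4 = Accounting

SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">01/15/2010 09:00:01.000</Timestamp><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:00:05.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:00:09.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:00:13.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:01:00.000</Timestamp><User-Name data_type="1">CONTOSO\carol</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:02:00.000</Timestamp><User-Name data_type="1">CONTOSO\dave</User-Name><Client-IP-Address data_type="3">10.0.0.6</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">68</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2010 09:02:30.000</Timestamp><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type></Event>
"""

def parse_event(line):
    """One <Event> line -> {element name: text}; the data_type attributes are ignored."""
    return {child.tag: (child.text or "") for child in ET.fromstring(line)}

def summarise(log_text):
    """Count Access-Rejects by reason, user and RADIUS client; flag repeat offenders."""
    by_reason, by_user, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue                      # blank line or not an event record
        ev = parse_event(line)
        if ev.get("Packet-Type") != ACCESS_REJECT:
            continue                      # accepts and accounting records are not failures
        code = int(ev.get("Reason-Code", "-1"))
        by_reason[REASON.get(code, f"reason {code}")] += 1
        by_user[ev.get("User-Name", "<none>")] += 1
        by_client[ev.get("Client-IP-Address", "<none>")] += 1
    flag = lambda c: sorted(k for k, n in c.items() if n >= REJECT_THRESHOLD)
    return {"rejects": sum(by_reason.values()), "by_reason": dict(by_reason),
            "flagged_users": flag(by_user), "flagged_clients": flag(by_client)}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Point the script at the real log file instead of `SAMPLE_LOG` to get the same summary for your NPS server; unknown reason codes are reported by number.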
3.3 Further Readings
Senior Program Manager
[This posting is provided “AS IS” with no warranties, and confers no rights.]