Authentication: Microsoft NPS: Difference between revisions

Authentication: Microsoft NPS, or Network Policy Server, allows you to create and enforce organization-wide network access policies for connection requests, authentication and authorization, including RADIUS authentication. Official Microsoft documentation can be found here.

This service was setup to authenticate Network: Road Warrior VPN on Hardware:SAD-HME-FW01 via RADIUS. In addition to RADIUS authentication, Authentication: Cisco DUO handles multi-factor authentication. These services run from Servers:SAD-AUTH01 and Servers:SAD-DUO01 to provide secure access to sysadminafterdark internal operations.

The steps below were followed to attain a working Microsoft NPS server with RADIUS Authentication:

1. Click the Start button and open Server Manager
2. On the top right, click Manage, then click "Add Roles and Features"
3. The Microsoft "Add Roles And Features Wizard" will open. Click Next to continue.
4. On the installation type screen, proceed with a Role-based or feature-based installation.
5. Click Next to proceed with the installation on the local server on the "Server Selection" screen. If you are using RSAT, you may need to select a different server, or add the server to the pool to proceed with management.
6. On the "Select Server Roles" screen, click the check next to "Network Policy And Access Services". A new window will open asking to also install management tools. Click "Add Features". Then Click Next.
7. Click Next on the "Features" screen.
8. Click Next on the Network Policy and Access Services" screen.
9. On the "Conformation" screen, click Install.

The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:

1. On the left sidebar, right click "RADIUS Clients", then click "new".
2. Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
3. Input the IP address of the firewall. For example, I am using "10.1.30.1".
   1. WARNING: If you utilize multiple VLANS, set the IP address to the gateway your RADIUS server utilizes! For example, if your RADIUS server is on VLAN 30 with a gateway IP address of 10.1.30.1, DO NOT use 10.1.1.1!
4. Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
5. Click OK. The RADIUS server will appear in the list of configured clients.
6. Under Policies, right click Network Policies then click New.
7. Enter the policy name to enable communication to your firewall. For example, I am using "Allow from Firewall"
8. Leave the "Type of network access server" at the default value of "Unspecified" and click Next.
9. On the "Specify Conditions" screen, Click Add. Then Click "User Groups".
10. On the "User Groups" window, click add groups, then type in the name of your Active Directory group that will be utilized to define authorized VPN users. For example, I am using Users and Groups: sg_roadwarrior_vpn_access. Be sure to add the appropriate users to your group in Active Directory. Once the group is added, click Ok, then Click Next.
11. On the "Specify Access Permission" window, select "Access Granted" then click Next.
12. On the "Configure Authentication Methods" window, select all of the "Less secure authentication methods" checkboxes, leaving the last one, "Allow clients to connect without negotiating an authentication method" unticked. Click Next.
13. On the "Configure Constraints" window, you may configure any time of constraints that suits your environment. For example, I set the Idle Timeout to 120 minutes, or two hours. Click Next.
14. On the "Configure Settings" window, click Next.
15. On the "Completing New Network Policy" window click Finish.

Sysadminafterdark utilizes OPNsense which runs on Hardware: SAD-HME-FW01. The below steps were utilized to connect the RADIUS server we created and configured for authentication on this platform:

1. Open a web browser and navigate to your firewall.
2. On the firewall web UI, click System, then click Servers.
3. Give the connection a Descriptive Name. For example, I am using "Road Warrior VPN".
4. Type the IP Address of the Windows RADIUS server into "Hostname or IP Address". In my case, this is 10.1.30.7.
5. Paste in your pre-shared key to "Shared Secret".
6. From the "Services Offered" drop down, select "Authentication"
7. Keep the default 1812 value for "Authentication Port Value", unless you have changed it.
8. Navigate to System > Access > Tester. Input your domain username and password. A blue bar should appear stating the connection was successful.

This setup guide has successfully been deploy to sysadminafterdark production. If you are following step by step to enable RADIUS authentication with a VPN solution, please continue following the procedure located at the page Network: Road Warrior VPN to configure the firewall.