Authentication: Microsoft NPS: Difference between revisions

Authentication: Microsoft NPS, or Network Policy Server, allows you to create and enforce organization-wide network access policies for connection requests, authentication and authorization, including RADIUS authentication. Official Microsoft documentation can be found here.

This service was setup to authenticate Network: Road Warrior VPN on Hardware:SAD-HME-FW01 via RADIUS. In addition to RADIUS authentication, Authentication: Cisco DUO Application Proxy handles multi-factor authentication. These services run from Servers:SAD-AUTH01 and provide secure access to sysadminafterdark internal operations.

The steps below were followed to attain a working Microsoft NPS server with RADIUS Authentication:

1. Click the Start button and open Server Manager
2. On the top right, click Manage, then click "Add Roles and Features"
3. The Microsoft "Add Roles And Features Wizard" will open. Click Next to continue.
4. On the installation type screen, proceed with a Role-based or feature-based installation.
5. Click Next to proceed with the installation on the local server on the "Server Selection" screen. If you are using RSAT, you may need to select a different server, or add the server to the pool to proceed with management.
6. On the "Select Server Roles" screen, click the check next to "Network Policy And Access Services". A new window will open asking to also install management tools. Click "Add Features". Then Click Next.
7. Click Next on the "Features" screen.
8. Click Next on the Network Policy and Access Services" screen.
9. On the "Conformation" screen, click Install.

The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:

1. On the left sidebar, right clcik "RADIUS Clients", then click "new".
2. Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
3. Input the IP address of the firewall. For example, I am using "10.1.1.1".
4. Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
5. Click OK. The RADIUS server will appear in the list of configured clients.
6. Under Policies, right click Network Policies then click New.
7. Enter the policy name to enable communication to your firewall. For example, I am using "Allow from Firewall"
8. Leave the "Type of network access server" at the default value of "Unspecified" and click Next.
9. On the "Specify Conditions" screen, Click Add. Then Click "User Groups".
10. On the "User Groups" window, click add groups, then type in the name of your Active Directory group that will be utilized to define authorized VPN users. For example, I am using Users and Groups: sg_roadwarrior_vpn_access. Once the group is added, click Ok, then Click Next.
11. On the "Specify Access Permission" window, select "Access Granted" then click Next.
12. On the "Configure Authentication Methods" window, select all of the "Less secure authentication methods" checkboxes, leaving the last one, "Allow clients to connect without negotiating an authentication method" unticked. Click Next.