Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Authentication: Microsoft NPS: Difference between revisions

From sysadminafterdark docs
No edit summary
No edit summary
Line 24: Line 24:
The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:
The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:


# On the left sidebar, right clcik "RADIUS Clients", then click "new".
# On the left sidebar, right click "RADIUS Clients", then click "new".
# Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
# Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
# Input the IP address of the firewall. For example, I am using "10.1.1.1".
# Input the IP address of the firewall. For example, I am using "10.1.1.1".

Revision as of 01:53, 18 May 2024

History

Authentication: Microsoft NPS, or Network Policy Server, allows you to create and enforce organization-wide network access policies for connection requests, authentication and authorization, including RADIUS authentication. Official Microsoft documentation can be found here.

This service was setup to authenticate Network: Road Warrior VPN on Hardware:SAD-HME-FW01 via RADIUS. In addition to RADIUS authentication, Authentication: Cisco DUO Application Proxy handles multi-factor authentication. These services run from Servers:SAD-AUTH01 and provide secure access to sysadminafterdark internal operations.

Deployment

The steps below were followed to attain a working Microsoft NPS server with RADIUS Authentication:

  1. Click the Start button and open Server Manager
  2. On the top right, click Manage, then click "Add Roles and Features"
  3. The Microsoft "Add Roles And Features Wizard" will open. Click Next to continue.
  4. On the installation type screen, proceed with a Role-based or feature-based installation.
  5. Click Next to proceed with the installation on the local server on the "Server Selection" screen. If you are using RSAT, you may need to select a different server, or add the server to the pool to proceed with management.
  6. On the "Select Server Roles" screen, click the check next to "Network Policy And Access Services". A new window will open asking to also install management tools. Click "Add Features". Then Click Next.
  7. Click Next on the "Features" screen.
  8. Click Next on the Network Policy and Access Services" screen.
  9. On the "Conformation" screen, click Install.

Configuration

The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:

  1. On the left sidebar, right click "RADIUS Clients", then click "new".
  2. Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
  3. Input the IP address of the firewall. For example, I am using "10.1.1.1".
  4. Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
  5. Click OK. The RADIUS server will appear in the list of configured clients.
  6. Under Policies, right click Network Policies then click New.
  7. Enter the policy name to enable communication to your firewall. For example, I am using "Allow from Firewall"
  8. Leave the "Type of network access server" at the default value of "Unspecified" and click Next.
  9. On the "Specify Conditions" screen, Click Add. Then Click "User Groups".
  10. On the "User Groups" window, click add groups, then type in the name of your Active Directory group that will be utilized to define authorized VPN users. For example, I am using Users and Groups: sg_roadwarrior_vpn_access. Once the group is added, click Ok, then Click Next.
  11. On the "Specify Access Permission" window, select "Access Granted" then click Next.
  12. On the "Configure Authentication Methods" window, select all of the "Less secure authentication methods" checkboxes, leaving the last one, "Allow clients to connect without negotiating an authentication method" unticked. Click Next.
  13. On the "Configure Constraints" window, you may configure any time of constraints that suits your environment. For example, I set the Idle Timeout to 120 minutes, or two hours. Click Next.
  14. On the "Configure Settings" window, click Next.
  15. On the "Completing New Network Policy" window click Finish.

Status

This setup guide has successfully been deploy to sysadminafterdark production. If you are following step by step to enable RADIUS authentication with a VPN solution, please continue following the procedure located at the page Network: Road Warrior VPN to configure the firewall.