Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Authentication: Microsoft NPS: Difference between revisions

From sysadminafterdark docs
No edit summary
No edit summary
Line 26: Line 26:
# On the left sidebar, right click "RADIUS Clients", then click "new".
# On the left sidebar, right click "RADIUS Clients", then click "new".
# Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
# Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
# Input the IP address of the firewall. For example, I am using "10.1.30.1".
# Input the IP address of the firewall. For example, I am using "10.1.1.1".
## WARNING: If you utilize multiple VLANS, set the IP address to the gateway your RADIUS server utilizes! For example, if your RADIUS server is on VLAN 30 with an IP address of 10.1.30.1, DO NOT use 10.1.1.1 for example!
# Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
# Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
# Click OK. The RADIUS server will appear in the list of configured clients.
# Click OK. The RADIUS server will appear in the list of configured clients.
Line 45: Line 44:
Sysadminafterdark utilizes OPNsense which runs on [[Hardware: SAD-HME-FW01]]. The below steps were utilized to connect the RADIUS server we created and configured for authentication on this platform:
Sysadminafterdark utilizes OPNsense which runs on [[Hardware: SAD-HME-FW01]]. The below steps were utilized to connect the RADIUS server we created and configured for authentication on this platform:


#
# Open a web browser and navigate to your firewall.
# On the firewall web UI, click System, then click Servers.
# Give the connection a Descriptive Name. For example, I am using "Road Warrior VPN".
# Type the IP Address of the Windows RADIUS server into "Hostname or IP Address". In my case, this is 10.1.30.7.
# Paste in your pre-shared key to "Shared Secret".
# From the "Services Offered" drop down, select "Authentication"
# Keep the default 1812 value for "Authentication Port Value", unless you have changed it.
 


== Status ==
== Status ==


This setup guide has successfully been deploy to sysadminafterdark production. If you are following step by step to enable RADIUS authentication with a VPN solution, please continue following the procedure located at the page [[Network: Road Warrior VPN]] to configure the firewall.
This setup guide has successfully been deploy to sysadminafterdark production. If you are following step by step to enable RADIUS authentication with a VPN solution, please continue following the procedure located at the page [[Network: Road Warrior VPN]] to configure the firewall.

Revision as of 02:23, 18 May 2024

History

Authentication: Microsoft NPS, or Network Policy Server, allows you to create and enforce organization-wide network access policies for connection requests, authentication and authorization, including RADIUS authentication. Official Microsoft documentation can be found here.

This service was setup to authenticate Network: Road Warrior VPN on Hardware:SAD-HME-FW01 via RADIUS. In addition to RADIUS authentication, Authentication: Cisco DUO Application Proxy handles multi-factor authentication. These services run from Servers:SAD-AUTH01 and provide secure access to sysadminafterdark internal operations.

Deployment

The steps below were followed to attain a working Microsoft NPS server with RADIUS Authentication:

  1. Click the Start button and open Server Manager
  2. On the top right, click Manage, then click "Add Roles and Features"
  3. The Microsoft "Add Roles And Features Wizard" will open. Click Next to continue.
  4. On the installation type screen, proceed with a Role-based or feature-based installation.
  5. Click Next to proceed with the installation on the local server on the "Server Selection" screen. If you are using RSAT, you may need to select a different server, or add the server to the pool to proceed with management.
  6. On the "Select Server Roles" screen, click the check next to "Network Policy And Access Services". A new window will open asking to also install management tools. Click "Add Features". Then Click Next.
  7. Click Next on the "Features" screen.
  8. Click Next on the Network Policy and Access Services" screen.
  9. On the "Conformation" screen, click Install.

Configuration

The role is now installed on the server and can be accessed by clicking the start button and launching "Network Policy Server". After Network Policy Server is launched, proceed with configuring the RADIUS server:

  1. On the left sidebar, right click "RADIUS Clients", then click "new".
  2. Give the connection a Friendly Name. For example, I am using "SAD-HME-FW01 Road Warrior VPN"
  3. Input the IP address of the firewall. For example, I am using "10.1.1.1".
  4. Click the Generate radio button, then click "Generate". Copy this password to your password manager for later use.
  5. Click OK. The RADIUS server will appear in the list of configured clients.
  6. Under Policies, right click Network Policies then click New.
  7. Enter the policy name to enable communication to your firewall. For example, I am using "Allow from Firewall"
  8. Leave the "Type of network access server" at the default value of "Unspecified" and click Next.
  9. On the "Specify Conditions" screen, Click Add. Then Click "User Groups".
  10. On the "User Groups" window, click add groups, then type in the name of your Active Directory group that will be utilized to define authorized VPN users. For example, I am using Users and Groups: sg_roadwarrior_vpn_access. Once the group is added, click Ok, then Click Next.
  11. On the "Specify Access Permission" window, select "Access Granted" then click Next.
  12. On the "Configure Authentication Methods" window, select all of the "Less secure authentication methods" checkboxes, leaving the last one, "Allow clients to connect without negotiating an authentication method" unticked. Click Next.
  13. On the "Configure Constraints" window, you may configure any time of constraints that suits your environment. For example, I set the Idle Timeout to 120 minutes, or two hours. Click Next.
  14. On the "Configure Settings" window, click Next.
  15. On the "Completing New Network Policy" window click Finish.

Firewall Configuration

Sysadminafterdark utilizes OPNsense which runs on Hardware: SAD-HME-FW01. The below steps were utilized to connect the RADIUS server we created and configured for authentication on this platform:

  1. Open a web browser and navigate to your firewall.
  2. On the firewall web UI, click System, then click Servers.
  3. Give the connection a Descriptive Name. For example, I am using "Road Warrior VPN".
  4. Type the IP Address of the Windows RADIUS server into "Hostname or IP Address". In my case, this is 10.1.30.7.
  5. Paste in your pre-shared key to "Shared Secret".
  6. From the "Services Offered" drop down, select "Authentication"
  7. Keep the default 1812 value for "Authentication Port Value", unless you have changed it.


Status

This setup guide has successfully been deploy to sysadminafterdark production. If you are following step by step to enable RADIUS authentication with a VPN solution, please continue following the procedure located at the page Network: Road Warrior VPN to configure the firewall.