NPS Configure a RADIUS server

NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections.

When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

Install Network Policy Server

In Add Roles and Features > Network Policy and Access Services. On Roles services page, select Network Policy server.

The powershell command, to install just network policy server:
Install-WindowsFeature -Name NPAS,NPAS-Policy-Server -includeManagementTools

A Network Policy server cannot be install on server core or a failover cluster.

 

Configure

  • In Server Manager click on Tools > Network Policy Server
  • Under Standard Configuration select “RADIUS server for Dial-Up or VPN Connections” and click Configure VPN or Dial-up
  • Select the require option Dial-Up Connections or VPN Connections
  • This is where you configure a new RADIUS client, which is a VPN server (not a windows client machine)
    Click on Add and fill out RADIUS client details with Shared secret
  • Select the Authentication methods, these can include:
    • Extensible Authentication Protocol, including Smart card or other certificate, Protected EAP (PEAP) or Secure password (EAP-MSCHAP v2)
    • MS-CHAP v2   (more secure, mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.)
    • MS-CHAP (mainly used in windows 2000 and only provided 1-way authentication)
  • Specify User groups, add the security groups that are allow to connect.
  • Specify IP Filters, specify input and output filters for IP, can filter source or destination network ranges and protocols that will be allowed or disallowed.
  • Specify Encryption Settings, this is the encryption between the network policy server and the access clients.
  • Specify a Realm Name, this is used by ISPs

This wizard, creates the following:

  • The radius client(s) under RADIUS Clients
  • Connection request policy
  • Network Policy

 

Leave a Reply

Your email address will not be published. Required fields are marked *