
Understanding RADIUS and the Network Policy Server

A RADIUS (Remote Authentication Dial-In User Service) server provides authentication of remote access users and also provides an accounting system for tracking access to your RAS server. RADIUS servers are typically used by Internet service providers to authenticate and track remote users. The Windows Server 2008 RRAS implementation provides the Network Policy Server, which can use RADIUS for authentication.

Installing the Network Policy Server

RADIUS comes in a number of different third-party software vendor flavors and runs on various network operating system platforms. You can use RADIUS authentication in your domain without buying additional RADIUS software; the Windows Server 2008 Network Policy Server can be configured as a RADIUS server. This means that all RAS remote client requests for authentication in the domain are forwarded from the RRAS server to the server running NPS.

The Network Policy Server can be installed when you add the Network Policy and Access Services role (as discussed earlier in the hour). If you did not add NPS during the installation of the role (for example, if you installed only the Routing and Remote Access Services role service), you can add the NPS role service to the Network Policy and Access Services role from the Server Manager.

Follow these steps:

1. In the Server Manager, expand the Roles node and then select the Network Policy and Access Services node.

2. In the Details pane, click Add Role Services. The Add Role Services Wizard opens with a list of the services associated with the Network Policy and Access Services role (see Figure 17.16).

Figure 17.16. Select the Network Policy Server check box.


3. Select the Network Policy Server check box and then click Next.

4. The confirmation page opens. Click Install.

When the installation is complete, you can click Close to close the Add Role Services Wizard. After the NPS service is installed, you can then configure NPS for RADIUS authentication.

Configuring the NPS Server

To get NPS up and running as a RADIUS server, you must configure it. You can configure NPS from the Server Manager: expand the Network Policy and Access Services node and then select the NPS node. You can also use the Network Policy Server snap-in in the MMC (Start, Administrative Tools, Network Policy Server) to configure your NPS settings. Follow these steps:

1. In the NPS snap-in (in the Server Manager or MMC), click the Standard Configuration drop-down list in the Details pane. Select RADIUS Server for Dial-Up or VPN Connections from the list.

2. Click Configure VPN or Dial-Up. The Configure VPN or Dial-Up Wizard opens (see Figure 17.17).

Figure 17.17. You can configure the NPS for VPN or dial-up.


3. For the sake of discussion (and because VPN is now used more than dial-in), select the Virtual Private Network (VPN) Connections option button. This also places Virtual Private Network (VPN) Connections in the Name box. You can go with this default name or change the name as needed. Click Next.

4. On the next wizard page, you must specify the VPN (or dial-in) RAS servers that will use RADIUS for authentication. These servers are designated as RADIUS clients. Click the Add button. The New RADIUS Client dialog box opens.

5. In the New RADIUS Client dialog box, specify the friendly name or the IP address of the server. You must also enter a shared secret password and confirm the shared secret. You need to supply the same shared secret when you configure the RAS server as a VPN server that uses RADIUS for authentication. Click OK to add the VPN server. You can add other VPN servers as needed. When you return to the Configure VPN or Dial-Up Wizard (after listing your VPN servers), click Next to continue.

By the Way

The shared secret is used to verify the RAS VPN server to the NPS (RADIUS) Server. You need to enter the same shared secret password when you configure NPS (as we are doing in this section) and when you use the Routing and Remote Access Server Setup Wizard to configure the RAS server as a VPN server that will take advantage of RADIUS authentication.

6. On the next wizard page, you select the authentication methods for the server (see Figure 17.18). MS-CHAP v2 is the default. If you plan on using smart cards or certificates for client authentication, you should choose EAP. You can select more than one authentication method if necessary. Then click Next.

Figure 17.18. Select the authentication method to be used.


By the Way

RADIUS embraces the same authentication protocols (such as EAP and CHAP) that can be set for the Windows authentication of remote clients. If you deploy NPS or have another RADIUS platform running on your network, select RADIUS as your authentication method when you use the Routing and Remote Access Server Setup Wizard to configure the RAS server.

7. On the next page, you are given the option of supplying the names of specific user groups (from Active Directory) that are granted or denied remote access, based on the network policy access permission. You can add groups as needed. If you do not add any groups, all users are allowed or denied remote access based on the network policy access permission. Click Next.

8. On the next wizard page, you can specify IP filters that control the type of IP packets (both IPv4 and IPv6) that are sent on the VPN server’s network interface. You can also create filters that limit the type of IP packets received on the interface. IP filters are based on TCP/IP protocol stack transport protocols such as TCP, UDP, and ICMP. A filter for incoming packets would specify the destination network by network IP address and subnet mask. The specific protocol would also be specified (or you can select Any for all transport protocols). After specifying IP filters, click Next.

By the Way

Using incoming filters could help protect the network against a Denial of Service attack where the RAS server is inundated with requests via a transport protocol such as UDP. For a primer on the TCP/IP protocol stack, see Hour 7, “Working with the TCP/IP Network Protocol.”

9. On the next wizard page, you can select the type of encryption that should be used for communication between the clients and the RAS server. By default (see Figure 17.19), three encryption methods are selected: Basic Encryption, Strong Encryption, and Strongest Encryption. You can disable any or all of these encryption settings. The settings that you choose must match the encryption settings that you select when configuring your RAS server (in the RRAS snap-in). After selecting the encryption type or types, click Next.

Figure 17.19. Select the encryption methods to be used.


10. On the next wizard page, you can specify your realm name (this is optional). The realm name is assigned by your ISP and is the portion of the username that identifies your network to the ISP. The realm name is used to route authentication traffic to your network. Enter the realm name in the Realm Name box (you do not have to enter a realm name if your ISP has not assigned one). Then click Next.

11. The Completion page appears. You are ready to complete the setup of the NPS RADIUS settings. Click Finish.

Access to your RAS server is now authenticated by the NPS (RADIUS) server. The NPS and also the Network Access Protection provided by an NPS server are ultimately controlled by network policies. The network policies for your NPS server can be accessed via the Network Policies node in the NPS snap-in. Double-click a policy to open and edit that policy’s properties.

Security and access are tightly bound to the policies on your server. These policies, also known as Group Policy Objects (or GPOs), are configured in the Group Policy Object Editor (although you can access NPS policies from the NPS snap-in). Hour 11 provides an overview of both GPOs (such as the Network Policy Server GPO) and the new Network Access Protection feature provided by Windows Server 2008.
