Understanding and Configuring Network Policy and Access Services in Server 2012 (Part 3)

by [Published on 27 March 2013 / Last Updated on 27 March 2013]

In this Part 3 of our article series, we’re going to discuss the process of setting up RADIUS servers.

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the orther parts in this article series please go to:

Introduction

In Part 1 of this series, we took a look at how the Network Policy and Access Services in Windows 2012, and particularly Network Access Protection (NAP) can help to protect your network when VPN clients connect to it by validating health requirements that you institute as part of a health enforcement plan. In Part 2, we shared some tips on actually deploying NAP on Windows Server 2012. In Part 3, we’re going to discuss the process of setting up RADIUS servers.

A brief review of RADIUS: What it does

In Windows Server 2012, the Network Policy Service (NPS) can do more than just Network Access Protection (NAP). It can also function as a RADIUS server or a RADIUS proxy, as we mentioned in Part 1 of this series. RADIUS has been around since the early 1990s and is an IETF standard. It was defined in by RFCs 2058 and 2059, which have since been made obsolete by new standards. A good starting point when you’re planning to deploy RADIUS in your organization is RFC 6158, Radius Design Guidelines, published in March 2011.

RADIUS is an open source client/server protocol designed to give network administrators the capability of managing authentication, authorization and account (AAA) from a centralized location. These three functions work together to provide control over remote users and computers by first authenticating their identities to determine whether they are allowed to access the network, then authorizing them to use specific network services or connect to specific network resources and proving an accounting so you can track the use of the services. RADIUS servers verify identity through a database on the RADIUS server, the Active Directory database, an LDAP server, Kerberos, a SQL database or other means. Because RADIUS keeps accounting records, it makes it possible to collect statistical information about usage or even to bill users, departments or organizations according to their usage.

A brief review of RADIUS: How it works

The RADIUS AAA process works as follows:

  1. Remote user/computer sends a request to the remote access server to access specific network resources contained on a network access server.
  2. The network access server prompts for credentials (e.g., user name and password).
  3. User provides credentials.
  4. The remote access server sends a request to the RADIUS server for authentication and authorization, which includes the credentials (password is encrypted).     
  5. The RADIUS server examines the request and responds by rejecting the request (if no or incorrect credentials are provided), challenge the request by asking for more information (PIN, Smart Card, etc.), or accepting the request by authenticating the user’s/machine’s identity.
  6. If the request is accepted, the RADIUS server checks the database to determine which resources the user is allowed to use and authorizes the user to use the requested resources if they are on the list.
  7. Begins tracking when the network access server sends an Accounting Start packet.
  8. Receives interim update packets from the network server during the active session. Information can include the amount of time and data used.
  9. Receives an Accounting Stop packet when the session ends.

RADIUS uses UDP packets to communicate, over ports 1645 and 1646. It can use a number of different authentication methods.

Configuring RADIUS

To configure RADIUS authentication for your network, you start by opening the NPS management console that’s shown in Figure 1, which you’ll find in the administrative tools menu after you’ve installed the NPS server role (as we showed you in a previous installment in this article series).

You can use either the Standard or Advanced Configuration option to configure RADIUS. The Standard Configuration option will start a configuration wizard, so we’ll look at it first. 

Image
Figure 1

You have two choices under the Standard Configuration option:

  • You can configure a RADIUS server for dial-up or VPN connections
  • You can configure a RADIUS server for 802.1x wireless or wired connection

In our scenario, we’ll configure the RADIUS server for dial-up or VPN connections, since we have already set up a VPN server. Click the Configure VPN or Dial-up link.

On the next page, you’ll be asked to select the type of connection (Dial-up or VPN). In this case, we’ll choose Virtual Private Network (VPN) Connections. NPS will be able to authenticate and authorize the connection requests from VPN clients. On this page, you also need to provide a name to be used as part of the policy name for policies that the wizard will create. This dialog box is shown in Figure 2.

Image
Figure 2

On the next page, you need to add the RADIUS clients. These are the network access servers that will forward connection requests from remote clients to the RADIUS server. Click the ADD button, shown in Figure 3,to add your RADIUS clients and fill in the dialog box fields asking for a friendly name, IP address or DNS, and a shared secret template if you’re using one. You can also manually type a shared secret if you prefer, or you can have a shared secret automatically generated, by clicking the appropriate button.

Image
Figure 3

On the following page of the wizard, you will configure the authentication method(s) to be used by RADIUS. The default selection is Microsoft Encrypted Authentication version 2 (MS-CHAPv2). You can also select MS-CHAP if the operating systems on your network do not support MS-CHAPv2, but this is not recommended as it’s not as secure. The other choice is to use the Extensible Authentication Protocol (EAP). If you choose EAP, you can use a secured password (EAP-MSCHAPv2) or Microsoft Protected EAP (PEAP), or you can use a smart card or certificate. This is the most secure authentication method. Note that you can select multiple protocols, as shown in Figure 4. 

Image
Figure 4

The next step is to select user groups, the members of which will be allowed or denied access to the network access servers through the VPN, based on the network policy Access Permission setting. Click the Add button to add user groups. This will invoke a dialog box through which you can select the groups, as shown in Figure 5. 

Image
Figure 5

The next page in the wizard allows you to configure IPv4 and IPv6 IP filters to control what types of network traffic can be sent and received through the VPN server. You can configure input and output filters for each IP protocol here, as you can see in Figure 6. We discussed input and output filters in a previous installment of this article series.

Image
Figure 6

The next page of the wizard is where you specify the encryption settings to determine the minimum encryption strength(s) that will be allowed between the access clients and the network access servers.

Your choices include:

  • Basic encryption (MPPE 40 bit)
  • Strong encryption (MPPE 56 bit)
  • Strongest encryption (MPPE 128 bit)

You can select multiple encryption strengths and the server and clients will negotiate the strongest supported by both. All strengths are allowed by default, as shown in Figure 7. You can unchecked the lower strength encryption choices to force connections only when the more secure encryption can be supported. If you uncheck all of the boxes, the traffic from the clients to the network access server will not be encrypted, so this is not recommended.

Image
Figure 7

The next page of the wizard asks you to specify a realm name, which is part of the user name that the ISP uses to identify the connection requests that route to this server. It is not required that you specify a realm name; you can leave this field blank if you don’t know the realm name or don’t care about it. If you do specify a realm name, you should leave the box checked that says Before authentication, remove the realm name form the user name, as shown in Figure 8, so Windows will be able to authenticate the connection request.

Image
Figure 8

This completes the wizard and when you click Finish on the next page, it will automatically create two policies: a network policy and a connection request policy. The names of these policies will use the name that you assigned earlier in the wizard. The RADIUS clients will also be configured. There is a link labeled Configuration Details by which you can see a summary of the configuration settings (it opens in your default web browser) so you can review it and make sure everything is right before you click the Finish button.

After you click Finish, the new policies will show up in the Policies nodes of the NPS management console, under Connect Request Policies and Network Policies, as you can see in Figure 9.

Image
Figure 9

Your RADIUS clients that you configured through the wizard will show up in the RADIUS Clients node.

Summary

In Part 3 of this multi-part series on Understanding and Configuring NPAS in Windows Server 2012, we began our discussion of RADIUS and how to configure the NPS to act as a RADIUS server. We covered the steps of the configuration wizard this time, and next time we’ll talk about how to use the Advanced Configuration option, how to configure RADIUS server groups and how to configure a RADIUS proxy.

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the orther parts in this article series please go to:

Advertisement

Featured Links