Microsoft Network Policy Server


Adding RADIUS Clients

A RADIUS client is installed on the dial-up device and initiates the dial-up request, which is sent in the form of an access request packet to an authenticator (e.g., a WiFi access point or a firewall/proxy server). The authenticator has no information of its own about the dial-up resources and forwards the packet to the RADIUS server.

To add a RADIUS client to the NPS Server, double-click RADIUS Clients and Servers, right-click RADIUS Clients, and select New from the context menu (Figure 2). Now assign a display name for the client and the IP address or DNS name and manually create a pre-shared key (PSK), generate a PSK, or select one from a PSK template. In the Advanced tab, you can also select the RADIUS client manufacturer to enable manufacturer-specific settings, if necessary.

Figure 2: Configuring a RADIUS client requires a PSK.
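The same step can be scripted with the NPS PowerShell module. The following is an added example, not part of the original article: it generates a random PSK, registers the client, and then lists existing clients whose PSK is reused or short. The client name, the address (a documentation range), the helper name `New-RadiusSharedSecret`, and the 22-character minimum are assumptions of this example.

```powershell
# Added example: run in an elevated session on the NPS server.
Import-Module NPS

function New-RadiusSharedSecret {
    # Hypothetical helper: returns a random PSK from a 64-symbol alphabet.
    param([ValidateRange(22, 128)][int]$Length = 48)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Masking each byte to 6 bits indexes the 64 symbols uniformly (no modulo bias).
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 0x3F] })
}

# Placeholder values; replace with the real device name and address.
$clientName    = 'ap-floor2-example'
$clientAddress = '192.0.2.10'

# Refuse to create a second entry for the same device.
$existing = Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $clientName -or $_.Address -eq $clientAddress }
if ($existing) {
    throw "A RADIUS client named '$clientName' or using $clientAddress already exists."
}

# One unique PSK per client, so a leaked secret affects a single device.
$secret = New-RadiusSharedSecret -Length 48
New-NpsRadiusClient -Name $clientName -Address $clientAddress `
    -SharedSecret $secret -VendorName 'RADIUS Standard' | Out-Null

# Show the PSK once so it can be entered on the device, then drop the variable.
Write-Host "PSK for ${clientName}: $secret"
Remove-Variable secret

# Audit: report clients that share a PSK or use one shorter than 22 characters.
# Only client names are printed, never the secrets themselves.
Get-NpsRadiusClient | Group-Object -Property SharedSecret |
    Where-Object { $_.Count -gt 1 -or $_.Name.Length -lt 22 } |
    ForEach-Object {
        [pscustomobject]@{
            Clients      = ($_.Group.Name -join ', ')
            Reused       = ($_.Count -gt 1)
            SecretLength = $_.Name.Length
        }
    }
```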

Control by Remote Server Groups

With remote RADIUS server groups, you specify where connection requests are forwarded if the local NPS server is configured as a RADIUS proxy. If you configure the local NPS server as a RADIUS proxy, you need to create a new connection request policy. This policy uses NPS to determine which connection requests are forwarded to other RADIUS servers. Also, you can configure the connection request policy by specifying a remote RADIUS server group that contains one or more RADIUS servers. The policy tells the local NPS server where to send the connection requests that match the connection request policy.

To create a new remote RADIUS server group, navigate to RADIUS Clients and Servers, right-click RADIUS Remote Server Groups, and select New in the menu. Assign a group name and then add all the RADIUS servers to this group.

For each RADIUS server, you can configure the authentication and account management options in the same way you would for a normal RADIUS client. In the Load Balancing tab, you define priority orders and weightings. The priority order shows the server's status (e.g., a primary server has a priority of 1). Weighting determines how often requests are sent to a specific server in a group of servers with the same priority.

Configuring Policies

Network Policy Server policies control access to local or remote NPS servers and configure requirements and conditions under which a connection can be established by a RADIUS client. NPS provides two types of policies:

  • Connection request policies
  • Network policies

Connection request policies allow you to determine whether connection requests are processed locally or forwarded to remote RADIUS servers. To create one of these policies, click on the Policies node, right-click Connection Request Policies, and select New from the context menu. Assign a name for the new policy and specify the type of network access server. You can choose from Remote Desktop Gateway or RAS Server (VPN Dial-up) or configure a policy without a template. If the network access server is an 802.1X authentication switch or wireless access point, select Not Specified.

Next, specify the conditions that are used to evaluate the connection request policy for a connection request. You must choose at least one condition from the many presented, including IP addresses, usernames, protocols, service and tunnel types, and day and time restrictions, among other conditions. On the next tab, you can then specify whether the RADIUS requests will be authenticated on the local NPS server, whether the requests will be forwarded to a RADIUS remote server group, or whether users will be accepted without verifying their credentials. Account management information can be stored on the local NPS server or forwarded to a RADIUS remote server group.
