August 8, 2012

Configuring Server 2008 for RADIUS Authentication

I like connecting to my network using my pfSense firewall's built-in VPN server. Following these steps, I can configure Windows Server 2008 to provide the authentication credentials for pfSense via RADIUS. I figured this out using this great guide that I referenced for Windows Server 2003...

Enable "reversible password encryption" for your domain users.

Globally:

1. Admin Tools -> Group Policy Management.

2. Choose your forest and domain, then right-click your Default Domain Policy and choose Edit.

3. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled.

Per User:

1. I prefer doing it globally, but you can do it on a per-user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.

* Restart the domain controller after these Group Policy changes.



Enable Windows Server 2008 Network Policy Server (NPS)

1. Add the "Network Policy and Access Services" role to your domain controller.

2. Enable these role services during installation:

   Network Policy Server
   Routing & Remote Access Services
   Remote Access Service
   Routing

Verify the RADIUS Port Numbers

1. Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports tab.

2. Verify the defaults for Authentication are 1812,1645.

3. Verify the defaults for Accounting are 1813,1646.

4. The 1812/1813 pair is for a secure connection, or vice-versa. You can change these to match your RADIUS client, but the defaults should be fine.

Add a new RADIUS Client

1. NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click -> Add new Client.

2. Add a name, the IP address of your client and create a shared secret.

Add a new Network Policy

1. NPS (Local) -> Policies -> Right-click Network Policies -> Add new.

2. Enter a name and leave Type of network access server as Unspecified. Click Next.

3. Add a condition. Choose Windows Groups. Add a group ("Domain Users" for example). Click OK, then Next.

4. Choose Access Granted. Click Next.

5. Leave the default Authentication Methods. Click Next.

6. Leave the default Constraints. (Although they look like some cool new features you may want to use.) Click Next.

7. Leave the default Settings. Click Next.

8. Click Finish.

Granting or Denying Access to Users

1. Right-click a domain user -> Properties -> Dial-in tab.

2. You can Grant or Deny here, but I just leave the NPS policy we set up earlier to allow all domain users through.

Configure your RADIUS Client

1. In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS machine where we just configured everything. Input the shared secret and then log in from anywhere!
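The same role install, reversible-encryption check, RADIUS client and port verification as a script, added here as an example rather than code from the original post. It assumes Windows Server 2008 R2 with the ServerManager and ActiveDirectory modules on the domain controller; the client name and IP address are placeholders, and the network policy steps still have to be done in the NPS console.

```powershell
# Added example, not from the original post. Placeholders: replace with your own values.
$ClientName = "pfsense"     # friendly name for the RADIUS client entry in NPS
$ClientIP   = "192.0.2.1"   # address pfSense sends RADIUS requests from (placeholder)

Import-Module ServerManager
Import-Module ActiveDirectory

# 1. Role services: Network Policy Server plus Routing and Remote Access Services.
Add-WindowsFeature NPAS-Policy-Server, NPAS-RRAS-Services

# 2. Check whether the Default Domain Policy already stores passwords reversibly;
#    if not, enable it in Group Policy (or per user on the Account tab) and reboot the DC.
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ReversibleEncryptionEnabled) {
    Write-Warning "Reversible encryption is not enabled domain-wide; enable it before testing."
}

# 3. Register NPS in Active Directory so it can read users' dial-in properties.
netsh nps add registeredserver

# 4. Generate a long random shared secret (44 characters) instead of typing a short one.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 5. Add pfSense as a RADIUS client (same as the "Add a new RADIUS Client" steps).
#    Each argument is passed as one token so netsh sees name=value pairs.
netsh nps add client "name=$ClientName" "address=$ClientIP" "state=ENABLE" "sharedsecret=$secret"

# 6. Verify the client exists and the authentication/accounting ports are the defaults.
netsh nps show config | Select-String -Pattern "1812|1813|1645|1646|$ClientName"

# Paste this same secret into the RADIUS server settings on pfSense.
Write-Output "Shared secret for pfSense: $secret"
```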
