
____________________________________________________________________

Kent Community Network

Remote Access

RADIUS Installation and configuration guide – Server 2008

1 Document Control

Author: Marc Turner

Revision History:

Version   Date Issued   Author        Summary of Changes
1.0       26/06/2008    Marc Turner   Initial Document Creation

Reviewers:

Company\Dept   Name               Approval Date
KCC\EIS\KCN    Tom Bell           31/06/2008
KCC\EIS\KCN    Gavin Hutchinson   31/06/2008

THIS DOCUMENT IS TO BE KEPT UNDER REVISION CONTROL

_____________________________________________________________________
1
Kent Community Network
____________________________________________________________________

2 Contents

1. DOCUMENT CONTROL ........................................................... 1
2. CONTENTS ................................................................... 2
3. PURPOSE OF DOCUMENT ........................................................ 3
4. INTENDED AUDIENCE .......................................................... 3
5. OVERVIEW ................................................................... 3
6. INSTALLING NPS ............................................................. 3
7. CONFIGURING NPS ............................................................ 4
8. GRANTING USERS RIGHTS TO AUTHENTICATE VIA RADIUS ........................... 5
9. PROVIDING DETAILS TO KCN SERVICE DESK ...................................... 5


3. Purpose of Document
This document details the procedure for installing and configuring the Network Policy Server
(NPS) on Windows Server 2008 to provide RADIUS services.

The configuration in this document details what is required to enable the KCN VPN
concentrator to query a locally hosted RADIUS server and successfully authenticate users
against the Active Directory within the establishment.

This document is provided to give enough information to successfully implement local
authentication; the KCN offers no additional support to establishments attempting to
configure this beyond this document.

A video walkthrough to complement this guide is available by following the link below:

http://www.eiskent.co.uk/userfiles/media/nps-2008.avi

4. Intended Audience
This document is intended for technical staff within KCN establishments who are tasked with
managing directory services and remote access.

5. Overview
Users who utilise the KCN VPN service are authenticated by two factors.

Firstly, group authentication takes place. The group username and password are those
included in the PCF file provided to you by the KCN Service Desk.
Once authenticated into a group, the group settings apply. All group settings require that
user authentication then takes place; by default the user authentication request is sent to
the KCN RADIUS server (which establishments have delegated management of).

By following the guide below, user authentication requests will no longer be sent to the KCN
RADIUS server after group authentication. Instead the request will be sent to a RADIUS
server hosted within the local establishment. This means users can use a single login, as
opposed to managing multiple logins (one for the network and one for the VPN).

There are, however, some factors that need to be considered when implementing local
authentication:

• The web based VPN does not authenticate the group first; therefore users will still have
to authenticate to this service using the account details on the KCN RADIUS server.

• If the server(s) running RADIUS fail, then you will be unable to authenticate.
However, multiple RADIUS servers can be specified to ensure redundancy.

• Credentials are not encrypted when passed between the VPN concentrator and the
RADIUS server. The KCN is a private switched network with restricted access to
equipment, so this is not a concern; however, local access to equipment should be
restricted to ensure mirrored ports etc. cannot be configured by a malicious user.
Hubs should certainly NOT be used.

6. Installing NPS
NPS can be provisioned on any member server or domain controller within the forest; we
strongly recommend that at least two instances of NPS are present to provide fault tolerance.

NPS is bundled as part of the Server 2008 operating system as a role, although this role will
need to be enabled.


To install NPS, please follow these instructions:

1. Click Start > Server Manager
2. Select Roles from the left hand panel
3. Select Add Roles
4. Click Next on the welcome screen
5. Tick the box labelled “Network Policy and Access Services” then click Next
6. Read the summary and click Next
7. Tick the box labelled “Network Policy Server” then click Next
8. Review the installation summary then click Install.

A progress bar will display the progress of the installation; once the progress reaches 100%,
NPS is installed and running. Click Close to exit the wizard.
NPS can be accessed via Start > Administrative tools > Network Policy Server

7. Configuring NPS

NPS must be configured to meet the criteria detailed in the instructions below to be
compatible with the KCN VPN concentrator.

Part of the configuration process will require you to specify a shared secret. This is a key that
is specified on both the RADIUS server and the VPN concentrator to secure communication
between them.
When creating a shared secret you should adhere to general password good practice. Your
shared secret must meet the following requirements, otherwise your request will be denied:

• At least 10 characters long
• Contain both uppercase and lowercase characters (at least 2 of each)
• Contain at least 1 symbol and 1 numeric character
• Not resemble a dictionary word

Make a note of the shared secret you use as this will be required by the KCN service desk.
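The following PowerShell script is an added example and not part of the KCN guide. It checks a proposed shared secret against the four requirements listed above and generates one that satisfies them from the Windows CSPRNG, so that the secret you note down for the service desk is not something a person chose by hand. It is written for Windows PowerShell 2.0 as found on Server 2008; the word list used for the "dictionary word" check is a small constructed sample and is an assumption, as is the choice of symbol set.

```powershell
# Added example (not from the KCN guide): validate and generate NPS shared secrets
# against the requirements in section 7. Windows PowerShell 2.0 compatible.

$script:Rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

# Constructed sample word list (assumption): a real check would load a fuller list from a file.
$script:DictionaryWords = @('password', 'secret', 'radius', 'welcome', 'server', 'network', 'kent', 'vpn')

function Test-SharedSecret {
    # Returns the list of requirements the secret fails; an empty list means it is acceptable.
    param([Parameter(Mandatory = $true)][string]$Secret)

    $failures = @()
    if ($Secret.Length -lt 10) { $failures += 'fewer than 10 characters' }
    if ([regex]::Matches($Secret, '[A-Z]').Count -lt 2) { $failures += 'fewer than 2 uppercase characters' }
    if ([regex]::Matches($Secret, '[a-z]').Count -lt 2) { $failures += 'fewer than 2 lowercase characters' }
    if ($Secret -notmatch '[0-9]') { $failures += 'no numeric character' }
    if ($Secret -notmatch '[^A-Za-z0-9]') { $failures += 'no symbol' }

    # "Resembles a dictionary word": strip digits and symbols, then compare the remaining
    # letters (case-insensitively) against the word list, including words embedded in them.
    $letters = ($Secret -replace '[^A-Za-z]', '').ToLower()
    foreach ($word in $script:DictionaryWords) {
        if ($letters -eq $word -or ($word.Length -ge 4 -and $letters.Contains($word))) {
            $failures += "resembles dictionary word '$word'"
        }
    }
    return ,$failures
}

function Get-RandomIndex {
    # Uniform integer in [0, Max) from the CSPRNG; rejection sampling avoids modulo bias.
    param([int]$Max)
    $bytes = New-Object byte[] 4
    $limit = 4294967296 - (4294967296 % $Max)   # 2^32 rounded down to a multiple of Max
    do {
        $script:Rng.GetBytes($bytes)
        $n = [BitConverter]::ToUInt32($bytes, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-SharedSecret {
    # Builds a secret of the requested length that satisfies every rule above, regenerating
    # in the unlikely event the letters happen to contain a listed word.
    param([int]$Length = 16)
    if ($Length -lt 10) { throw 'Length must be at least 10' }

    $upper   = 'ABCDEFGHJKLMNPQRSTUVWXYZ'    # I and O omitted: easily confused with 1 and 0
    $lower   = 'abcdefghijkmnopqrstuvwxyz'   # l omitted for the same reason
    $digits  = '23456789'
    $symbols = '!#%*+-=?@^_~'                # assumed set; all are safe to type into NPS and netsh
    $all     = $upper + $lower + $digits + $symbols

    do {
        # Guarantee the minimum counts first, then fill the rest from the full set.
        $chars = @()
        foreach ($set in @($upper, $upper, $lower, $lower, $digits, $symbols)) {
            $chars += $set[(Get-RandomIndex $set.Length)]
        }
        while ($chars.Count -lt $Length) {
            $chars += $all[(Get-RandomIndex $all.Length)]
        }
        # Fisher-Yates shuffle so the required characters do not sit in fixed positions.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        $secret = [string]::Join('', [string[]]$chars)
    } while ((Test-SharedSecret $secret).Count -gt 0)

    return $secret
}

# Usage:
#   $secret = New-SharedSecret -Length 16
#   Test-SharedSecret $secret          # returns nothing when the secret is acceptable
#   Test-SharedSecret 'Password1!'     # returns 'resembles dictionary word 'password''
```

Keep the generated value in the same place you record it for the service desk; the functions deliberately do not write it anywhere, and once it is entered into NPS the only copy should be the one you hold for the service desk request.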

To configure your NPS server correctly, please follow these instructions:

1. Click Start > Administrative tools > Network Policy Server to launch NPS
2. Right click on NPS (local), select “Register Server in Active Directory” and
acknowledge the messages
3. Expand RADIUS Clients and Servers
4. Right click RADIUS Clients and select New RADIUS Client
5. Specify the friendly name of “KCN VPN Concentrator” and an IP Address of
“172.31.240.26”
6. Select “Cisco” from the vendor name drop down box
7. Specify the shared secret and confirm it, or alternatively use the automatic generation
feature
8. Click OK – the client should now be listed.

The KCN VPN concentrator has now been specified as a RADIUS client and is able to
communicate with the IAS server.
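The same registration can be scripted so that it is repeated identically on the second NPS server the guide recommends. The script below is an added example and is not part of the KCN guide; it assumes an elevated prompt on Server 2008 with the NPS role installed (so the `netsh nps` and `netsh ras` contexts are available), and the shared secret and backup path are placeholders to replace with your own values. The `vendor` parameter name is taken from the `netsh nps add client` syntax as the author understands it and should be checked against `netsh nps add client help` on your own server.

```powershell
# Added example (not from the KCN guide): register the KCN VPN concentrator as a RADIUS
# client with netsh, then export the configuration for the second NPS server.

$sharedSecret = 'REPLACE-WITH-YOUR-SHARED-SECRET'   # placeholder: the value noted for the service desk
$exportPath   = 'C:\NPSBackup\nps-config.xml'        # placeholder path

# 1. Register the server in Active Directory (equivalent to "Register Server in Active
#    Directory" in the NPS console). This adds the computer to the RAS and IAS Servers group,
#    which is what lets NPS read the Dial-up properties of user accounts.
netsh ras add registeredserver

# 2. Add the concentrator as a RADIUS client with the friendly name, address and vendor
#    given in the guide.
netsh nps add client name = "KCN VPN Concentrator" address = "172.31.240.26" state = enable sharedsecret = "$sharedSecret" vendor = "Cisco"

# 3. Confirm it is listed.
netsh nps show client

# 4. Export the whole NPS configuration, including the shared secret, for import on the
#    second NPS server. The export file holds secrets in clear text: write it to a folder
#    only administrators can read, copy it over a channel you trust, and delete both copies
#    once the import has succeeded.
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
netsh nps export filename = "$exportPath" exportPSK = YES

# On the second server, after installing the NPS role and registering it in AD:
#   netsh nps import filename = "C:\NPSBackup\nps-config.xml"
# The RADIUS client entry is the concentrator's address, so the same export is valid on
# every NPS server you run; only the server's own IP differs in the request to the service desk.
```

Whatever is done by script here should be checked in the NPS console afterwards: the client must appear under RADIUS Clients with the concentrator's address, and the policy changes in the next procedure still need to be made on each server.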

To specify the methods by which the concentrator can communicate with the RADIUS server, a
remote access policy must be configured. Follow the instructions below to configure these
settings.

1. Expand Policies from the left hand panel
2. Select Network Policies
3. Right click the policy named “Connections to other access servers” and select Move
Up
4. Double click on the “Connections to other access servers” policy
5. Select “Grant Access”
6. Select the Constraints tab
7. Under “Authentication Methods” un-tick all options apart from Unencrypted
Authentication (PAP, SPAP)
8. Select the Settings tab
9. Select Encryption from the settings panel
10. Un-tick all encryption methods apart from No encryption
11. Click OK
12. Right click on NPS (local) and select Stop NPS Service, wait ten seconds, then right
click and select Start NPS Service.

NPS is now installed and configured correctly to be used by the KCN VPN Concentrator.

8. Granting users rights to authenticate via RADIUS

Granting users rights to authenticate via RADIUS is achieved via the Dial-up tab of the user’s
properties within the Active Directory Users and Computers MMC.
To enable a user to authenticate, find the user in Active Directory and then double click on the
username. Select the Dial-up tab to view the remote access properties; the first option allows you
to specify either “Allow access” or “Deny access”.

Care should be taken when selecting users who are allowed to authenticate from outside the
LAN; do not, for example, permit temporary accounts or service accounts to authenticate via
RADIUS.

It is also strongly recommended that any user given remote access signs an enhanced AUP
to ensure passwords are complex and changed on a regular basis.
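Because the Dial-up tab is set per user, the set of accounts with “Allow access” drifts over time, and the precaution above is only as good as the last review. The script below is an added example, not part of the KCN guide, that lists every account whose Dial-up property is “Allow access” (the underlying `msNPAllowDialin` attribute set to TRUE), flags those that look like service, test, temporary, disabled or expired accounts, and can set a named account back to “Deny access”. It uses ADSI so it runs on Server 2008 without the Active Directory PowerShell module; the naming patterns used for flagging are an assumption to adjust to local conventions.

```powershell
# Added example (not from the KCN guide): audit and correct Dial-up "Allow access" rights.

# Assumed local naming conventions for accounts that should not have remote access.
$script:SuspiciousNamePattern = '^(svc|service|test|temp|tmp|guest)'

function Get-Prop($props, $name) {
    # DirectorySearcher omits attributes that are not set; return $null rather than indexing into nothing.
    if ($props.Contains($name)) { return $props[$name][0] } else { return $null }
}

function Get-DialInAllowedUsers {
    # Returns one object per user with msNPAllowDialin=TRUE, with a Flags string describing
    # why that account might not belong on a remote-access list (empty when nothing was noticed).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))'
    $searcher.PageSize = 1000
    foreach ($attr in 'sAMAccountName', 'description', 'userAccountControl', 'accountExpires', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $now = [DateTime]::Now.ToFileTime()
    $results = @()
    foreach ($r in $searcher.FindAll()) {
        $p       = $r.Properties
        $sam     = [string](Get-Prop $p 'samaccountname')
        $desc    = [string](Get-Prop $p 'description')
        $uac     = [int](Get-Prop $p 'useraccountcontrol')
        $expires = [long](Get-Prop $p 'accountexpires')   # 0 or Int64.MaxValue means "never"

        $flags = @()
        if ($uac -band 0x2)     { $flags += 'disabled' }
        if ($uac -band 0x20)    { $flags += 'password not required' }
        if ($uac -band 0x10000) { $flags += 'password never expires' }
        if ($expires -gt 0 -and $expires -lt [long]::MaxValue) {
            $flags += 'temporary (account has an expiry date)'
            if ($expires -lt $now) { $flags += 'expired' }
        }
        if ($sam -match $script:SuspiciousNamePattern) { $flags += 'name suggests service/test account' }
        if ($desc -match 'service|test|temp') { $flags += 'description suggests service/test account' }

        $results += New-Object PSObject -Property @{
            SamAccountName    = $sam
            DistinguishedName = [string](Get-Prop $p 'distinguishedname')
            Flags             = [string]::Join('; ', $flags)
        }
    }
    return ,$results
}

function Set-DialInAccess {
    # Sets the Dial-up tab to "Allow access" (-Allow $true) or "Deny access" (-Allow $false).
    param([Parameter(Mandatory = $true)][string]$SamAccountName, [bool]$Allow = $false)

    # The name is placed inside an LDAP filter, so refuse filter metacharacters outright.
    if ($SamAccountName -match '[\\*()\x00]') { throw "Invalid characters in account name '$SamAccountName'" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $found = $searcher.FindOne()
    if ($found -eq $null) { throw "User '$SamAccountName' not found" }

    $entry = $found.GetDirectoryEntry()
    $entry.Put('msNPAllowDialin', $Allow)
    $entry.SetInfo()
}

# Usage:
#   Get-DialInAllowedUsers | Where-Object { $_.Flags } | Format-Table SamAccountName, Flags -AutoSize
#   Set-DialInAccess -SamAccountName 'svc_backup' -Allow $false
```

Run the audit on a schedule and keep the output; a service account that gains “Allow access” between two runs is worth a question, since every such account is a login that works from outside the LAN.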

9. Providing details to KCN service desk

Additional configuration is required on the VPN Concentrator to enable authentication using
the local RADIUS server.
This work is carried out by the KCN service desk; they will require some information to
configure this.

Please use the e-mail template below to ensure the service desk (kcn.helpdesk@kent.gov.uk)
have all the information they require.
The KCN Service desk will confirm via email when this change is complete.

Dear KCN Service Desk

Please could you enable VPN authentication against my local RADIUS server.

I have configured my IAS server as per your documentation. I
understand that I must ensure user’s credentials meet security
requirements, and no default accounts (service accounts, test users
etc) will be permitted access to dial in.

I also understand that should the RADIUS servers I have configured
fail, I will not be able to log into the VPN.

Please find RADIUS details below [copy for each server specified]

DCSF No: [XXXX]
RADIUS Server OS: [Server XXXX XX]
IP [XX.XXX.XXX.XXX]
Shared Secret [XXXXXXXXXX]

Regards

[Your Name]
[Date]
