Friday, September 26, 2014

4. Configure a Network Policy Server (NPS) Infrastructure
4.1 Configure Network Policy Server

RADIUS is used for authentication, authorization, and accounting.

Install NPS:
Server Manager -> Add Roles and Features
Server role - Network Policy and Access Services

install-windowsfeature npas-policy-server -includemanagementtools

3.4.1 Configure a RADIUS Server, including RADIUS proxy
Server Manager - Tools - Network Policy Server (nps.msc)

You can use one of the standard configuration wizards, which create the RADIUS clients, connection request policies, network policies, and health policies needed for the scenario: Network Access Protection, RADIUS server for dial-up/VPN connections, or RADIUS server for 802.1X wireless or wired connections.
You can also use the advanced configuration tools.
Finally, you can configure the server manually using the appropriate menu items. Menu breakdown:

RADIUS Clients and Servers -
RADIUS Clients
Remote RADIUS Server Groups (proxy setup)

Policies -
Connection Request Policies - used to determine whether requests are handled locally or forwarded to a remote RADIUS server group, plus some other connection-related settings
Network Policies - network authorization policies, such as authentication methods, idle/session timeouts, usage restrictions, IP filters, and encryption
Health Policies - used with NAP System Health Validators to define the requirements clients must meet to connect

NAP -
System Health Validators (SHV) - settings such as the antivirus and firewall status required of clients
Remediation Server Groups - used to provide updates and services to noncompliant clients

Accounting - auditing to SQL Server or text files

Template Management - save or create configurations to reuse locally or import into other NPS servers

Proxy setup:

http://technet.microsoft.com/en-us/library/dd197525%28v=ws.10%29.aspx

Although clients can be configured with a primary and an alternate RADIUS server, a RADIUS proxy can instead be used to forward messages to RADIUS servers. A connection request policy is configured to forward authentication to a remote RADIUS server group on the policy's Settings/Authentication page.

A proxy is set up by clicking "RADIUS Clients and Servers", "Remote RADIUS Server Groups", and creating a new group for a connection request policy to use.

Add a RADIUS server:
Select an existing template or None
Enter the IP address, server name, or FQDN of the RADIUS server. Click Verify, then Resolve, to choose the correct IP address when the name resolves to more than one.
Authentication/Accounting tab -
Choose the authentication port (default 1812)
Choose an existing shared secrets template or None
Enter the shared secret used to authenticate to the RADIUS server
If not using EAP, check "Request must contain the Message Authenticator attribute" for extra security.
Accounting -
Choose the accounting port (default 1813)
Use the same shared secret for authentication and accounting, or manually configure a template and secret as above
Forward network access server start and stop notifications

Load Balancing - the lowest priority value is preferred; when priorities are the same, weight controls how often requests are sent to this server

Advanced settings -
Number of seconds without a response before a request is dropped
Maximum number of dropped requests before the server is considered unavailable
Number of seconds between requests when a server is identified as unavailable

3.4.2 Configure RADIUS clients
Clients are configured under "RADIUS Clients and Servers", "RADIUS Clients". They can be created manually or as part of the standard/advanced configuration tools.

Properties -
Settings tab
Enable this RADIUS client
Select an existing template
Friendly name
Address (IP or DNS)
Shared Secret: select an existing shared secrets template, or choose Manual to type one or Generate to create a random one

Advanced tab - select the client's vendor name, or leave RADIUS Standard
Access-Request messages must contain the Message-Authenticator attribute - for non-EAP clients
RADIUS client is NAP-capable - for NAP usage
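The same client entry created from PowerShell rather than nps.msc, as an added example that is not part of the post. It uses the NPS module cmdlets shipped with Windows Server 2012 and later (New-NpsRadiusClient, Get-NpsRadiusClient; parameter and property names as documented for that module, so check Get-Help if your version differs); the client name, address and secret length are my sample values.

```powershell
# Added example, not from the post: register a switch as a RADIUS client from
# PowerShell instead of nps.msc. Needs the NPS module (Windows Server 2012 and
# later) in an elevated session on the NPS server; name and address are samples.
Import-Module NPS

function New-RadiusSharedSecret([int]$Bytes = 32) {
    # Cryptographically random secret, the scripted equivalent of the Generate button.
    # Letters and digits only: some network devices reject symbols or long secrets,
    # so check the device's limit before using it.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ([Convert]::ToBase64String($buf) -replace '[^A-Za-z0-9]', '')
}

$clientName    = 'SW-FLOOR1'    # friendly name (sample)
$clientAddress = '192.0.2.10'   # IP address or DNS name of the NAS (sample)
$secret        = New-RadiusSharedSecret

# AuthAttributeRequired is the "Access-Request messages must contain the
# Message-Authenticator attribute" checkbox; turn it on for non-EAP clients.
New-NpsRadiusClient -Name $clientName -Address $clientAddress `
    -SharedSecret $secret -AuthAttributeRequired $true `
    -NapCompatible $false -VendorName 'RADIUS Standard'

# Read the entry back to confirm the settings NPS stored (the secret is not shown).
Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName } |
    Select-Object Name, Address, AuthAttributeRequired, NapCompatible, VendorName

# Hand the secret to the switch out of band and keep it in the password vault.
"Shared secret for $clientName: $secret"
```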

3.4.3 Configure NPS templates
Simple templates that can be exported and imported into other NPS servers to make configuration easier when setting up multiple NPS servers.
Templates -
Shared Secrets
RADIUS Clients
Remote RADIUS Servers
IP Filters - IPv4 and IPv6 input and output
Health Policies
Remediation Server Groups

Templates are exported or imported by right-clicking Template Management and selecting Import Templates from a Computer (another NPS server), Import Templates from a File, or Export Templates to a File.

3.4.4 Configure RADIUS accounting
The NPS server generates an Accounting-Start message for RADIUS accounting, and the accounting server sends an acknowledgement back to the client. The client sends an Accounting-Stop message when service has been delivered.

Accounting is configured on the Accounting menu by using the "Configure Accounting" wizard.
Logging options:
Log to a SQL Server, log to a text file, log to SQL and text, or log to SQL and use text as failover.

SQL Server logging:
Configure the SQL Server to log to
Choose what to log: accounting requests, authentication requests, periodic accounting status, periodic authentication status
Logging failure action: if logging fails, you can choose to discard connection requests.

Text logging:
Choose what to log: accounting requests, authentication requests, periodic accounting status, periodic authentication status
Choose the folder where the log files are stored
Logging failure action: if logging fails, you can choose to discard connection requests.
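The Accounting-Start/acknowledgement exchange described above, carried out on the wire as an added example (my code, not the post's): it builds one RFC 2866 Accounting-Request with the Request Authenticator, sends it to the accounting port, and checks the Response Authenticator on the reply, which is a quick way to confirm that accounting is answering and that the shared secret matches. The server address, secret, user name, session id and NAS address are constructed placeholders, and the host running it must already be registered as a RADIUS client on the NPS server.

```powershell
# Added example, not from the post: one RFC 2866 Accounting-Start round trip to NPS.
# $Server, $Secret and the attribute values are constructed placeholders.
$Server = '192.0.2.5'                      # NPS server (placeholder)
$Port   = 1813                             # default RADIUS accounting port
$Secret = 'REPLACE-WITH-THE-CLIENT-SECRET' # must match this host's RADIUS client entry
$Ascii  = [System.Text.Encoding]::ASCII
$Md5    = [System.Security.Cryptography.MD5]::Create()

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # Type (1 octet) | Length (1 octet, includes these two) | Value
    return [byte[]](@([byte]$Type, [byte](2 + $Value.Length)) + $Value)
}

function New-AccountingStart([string]$User, [string]$SessionId, [string]$NasIp) {
    $attrs = [byte[]]@()
    $attrs += New-RadiusAttribute 1  $Ascii.GetBytes($User)       # User-Name
    $attrs += New-RadiusAttribute 40 ([byte[]](0, 0, 0, 1))       # Acct-Status-Type = Start
    $attrs += New-RadiusAttribute 44 $Ascii.GetBytes($SessionId)  # Acct-Session-Id
    $attrs += New-RadiusAttribute 4  ([System.Net.IPAddress]::Parse($NasIp).GetAddressBytes())  # NAS-IP-Address
    $len = 20 + $attrs.Length
    $hdr = [byte[]]@(4, 1, ($len -shr 8), ($len -band 0xFF))      # Code 4 = Accounting-Request, Identifier 1
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    $auth = $Md5.ComputeHash([byte[]]($hdr + (New-Object byte[] 16) + $attrs + $Ascii.GetBytes($Secret)))
    return [byte[]]($hdr + $auth + $attrs)
}

function Test-AccountingResponse([byte[]]$Request, [byte[]]$Response) {
    # Code 5 = Accounting-Response, same Identifier, and the Response Authenticator
    # must equal MD5(Code + ID + Length + RequestAuthenticator + ResponseAttributes + Secret)
    if ($Response.Length -lt 20 -or $Response[0] -ne 5 -or $Response[1] -ne $Request[1]) { return $false }
    $respAttrs = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $expected = $Md5.ComputeHash([byte[]]($Response[0..3] + $Request[4..19] + $respAttrs + $Ascii.GetBytes($Secret)))
    return (($expected -join ',') -eq ($Response[4..19] -join ','))
}

$req = New-AccountingStart 'CONTOSO\jdoe' 'sess-0001' '192.0.2.50'   # sample user, session, NAS address
$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 3000
try {
    [void]$udp.Send($req, $req.Length, $Server, $Port)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $resp = $udp.Receive([ref]$from)
    if (Test-AccountingResponse $req $resp) { 'Accounting-Start acknowledged by NPS' }
    else { 'Reply received but the authenticator check failed: wrong shared secret?' }
} catch [System.Net.Sockets.SocketException] {
    # RADIUS silently discards requests from unknown clients or with a bad secret, so a timeout is the symptom
    'No Accounting-Response before the timeout: check the RADIUS client entry, the secret and the port'
} finally { $udp.Close() }
```

A successful run also leaves a record in whichever log target the Configure Accounting wizard set up, so it doubles as a check that text or SQL logging is actually receiving data.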

3.4.5 Configure certificates
http://technet.microsoft.com/en-us/library/cc772401%28v=ws.10%29.aspx

Certificates can be used for authentication.
Certificates are required when using smart card logon, PEAP-MS-CHAPv2, PEAP-TLS, or EAP-TLS.
Both the client and the server should have the appropriate CA certificate.
The client may need a Workstation Authentication certificate and the server a RAS and IAS Server certificate. Both templates need to be enabled on the CA if using auto-enrollment.
Smart card users may need a Smart Card User certificate.
Certificates can be issued by a CA or auto-enrolled via Group Policy.
