Configuring Active Directory (Windows Server 2008 R2) RADIUS Server for OpenVPN Access Server


Active Directory can be integrated with OpenVPN Access Server by using the RADIUS server built into Windows Server 2008 R2, Network Policy Server (NPS). Access Server forwards each login as a RADIUS request to NPS, and NPS decides it against Active Directory group membership. This article assumes that Windows Server 2008 R2 is installed with the Active Directory Domain Services and Network Policy and Access Services roles already in place.

Server Configuration

To begin setting up the RADIUS server, you first need to know the IP address of your OpenVPN Access Server. If you do not know it, run ifconfig (or ip addr) in a terminal on the Access Server instance. NPS identifies a RADIUS client by the source address of its requests, so if NAT sits between the Access Server and the domain controller, use the address NPS will actually see, not the address on the Access Server's own interface.

After you have obtained the IP address of your OpenVPN Access Server, open Server Manager on the Windows Server 2008 R2 machine. Navigate to Network Policy and Access Services, NPS (Local), RADIUS Clients and Servers, and lastly RADIUS Clients. In the right-hand Actions pane, click New to add a new RADIUS client.

In the New RADIUS Client dialog, enter a friendly name (this can be anything) and your OpenVPN Access Server's IP address, then select the Generate radio button. Click the Generate button and copy the generated secret to a safe place; you will need it when configuring Access Server later. The shared secret is the only thing that authenticates and integrity-protects the RADIUS traffic between Access Server and NPS, so treat it as a credential. Note also that NPS silently discards requests whose secret does not match or that come from an address not registered as a client, so a mistake here shows up as a timeout rather than an error. Click OK when done.

After the RADIUS client has been created, navigate to Network Policies under Policies and click New in the Actions pane.

In the New Network Policy dialog, enter a name for the new policy (again, any name you like). Leave the type of network access server as Unspecified and click Next.

In the Specify Conditions dialog, click the Add... button.

Select Windows Groups, and then click the Add... button.

Click Add Groups... to add new group memberships.

Type the names of the groups you want to allow access. In this example, members of the group VPN Users are allowed to use the VPN. Click OK when finished.

If you have no more groups to add, click OK to finish populating the group list.

NOTE: A network policy applies to every RADIUS client registered on this NPS server, not just the VPN. If NPS also serves other RADIUS clients (wireless controllers, switches, other VPN gateways), limit this policy so that it only matches requests coming from your OpenVPN Access Server. Otherwise, membership in the groups above would grant access through every one of those clients as well.

To do so, click Add... to add another condition, select Client IPv4 Address under RADIUS Client Properties, and click Add....

Enter the IP Address of your OpenVPN Access Server, and then click the OK button.

Click the Next button to finish defining conditions.

In the Specify Access Permission dialog, accept the default (Access granted) and click Next.

In the Configure Authentication Method window, under EAP Types:, click the Add... button.

Select Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.

Click OK to finish configuring the list of authentication methods. Before moving on, check the Less secure authentication methods section of the same window: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) is checked by default and should stay checked, since Access Server's RADIUS module sends MS-CHAP v2 directly rather than inside EAP. Leave Unencrypted authentication (PAP, SPAP) unchecked; PAP only obfuscates the user's password with the shared secret on the wire, while MS-CHAP v2 never sends it at all.

Accept the default constraints, and then click the Next button.

Accept the default settings for the network policy, and click the Next button.

Click Finish to exit out of the New Network Policy wizard.

NPS evaluates network policies in processing order and the first policy whose conditions match wins. If your new policy appears below the two default deny policies (Connections to Microsoft Routing and Remote Access server and Connections to other access servers, each marked with a red X), your clients' requests will match a deny policy first and authentication will fail. To fix this, select the newly created policy and click Move Up in the Actions pane until it sits above the default deny policies.
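Before wiring Access Server to NPS, it is worth sending a single test request from the Access Server host so that a problem with the RADIUS client entry, shared secret, policy order or group condition can be found on its own. The following script is an added example and is not part of the original article or of OpenVPN's software; it uses radtest from the FreeRADIUS client utilities (package freeradius-utils on Debian/Ubuntu), assumes NPS is reachable at 192.0.2.10 on the default authentication port 1812, and reads the test credentials from environment variables. The verdict it prints maps each of radtest's three possible outcomes back to the NPS steps above.

```shell
#!/bin/sh
# Added example (not from the original article or OpenVPN): probe the NPS
# RADIUS policy from the Access Server host with radtest before configuring
# Access Server itself.
#
# radtest sends one Access-Request and prints the reply.  Three outcomes
# matter, and each points at a different step of the NPS setup:
#   Access-Accept -> client entry, secret, policy order and group all work
#   Access-Reject -> the request reached NPS and matched a policy but was
#                    denied: user not in the group, MS-CHAP v2 not allowed,
#                    or the new policy sits below a default deny policy
#   no response   -> NPS dropped it silently: source IP not registered as a
#                    RADIUS client, shared secret mismatch, or UDP 1812 blocked
#
# Assumed values (replace with your own; 192.0.2.10 is a documentation address):
NPS_HOST="${NPS_HOST:-192.0.2.10}"   # server running NPS (the domain controller here)
NPS_PORT="${NPS_PORT:-1812}"         # NPS default RADIUS authentication port
NAS_PORT=0                           # NAS-Port attribute; irrelevant for this policy

# Reduce radtest's output to one of three verdicts.  Both FreeRADIUS 2.x
# ("rad_recv: Access-Accept packet ...") and 3.x ("Received Access-Accept ...")
# contain the reply code name; anything else is treated as no reply.
classify_radtest_output() {
    case "$1" in
        *Access-Accept*) echo "accept" ;;
        *Access-Reject*) echo "reject" ;;
        *)               echo "no-response" ;;
    esac
}

# Explain what to check for each verdict, tied to the NPS steps.
triage_hint() {
    case "$1" in
        accept)
            echo "OK: RADIUS client, shared secret, policy order and group condition all check out." ;;
        reject)
            echo "Reached NPS but denied: check group membership, that MS-CHAP v2 is an allowed method, and that the policy is above the default deny policies." ;;
        no-response)
            echo "No reply: NPS drops requests from unregistered client IPs or with a wrong shared secret; also check that UDP ${NPS_PORT} is allowed through the Windows firewall." ;;
    esac
}

# Send one MS-CHAP v2 Access-Request.  Usage: probe_radius USER PASSWORD SECRET
# Returns 0 only on Access-Accept.  The password is passed on the command line,
# so use a throwaway test account rather than a real user's credentials.
probe_radius() {
    user="$1"; pass="$2"; secret="$3"
    out=$(radtest -t mschap "$user" "$pass" "$NPS_HOST:$NPS_PORT" "$NAS_PORT" "$secret" 2>&1)
    verdict=$(classify_radtest_output "$out")
    triage_hint "$verdict"
    [ "$verdict" = "accept" ]
}

# Only send a probe when credentials are supplied, e.g.
#   RADIUS_USER=vpntest RADIUS_PASS='...' RADIUS_SECRET='...' sh radius-check.sh
# Sourcing the file without them just loads the functions.
if [ -n "${RADIUS_USER:-}" ] && [ -n "${RADIUS_PASS:-}" ] && [ -n "${RADIUS_SECRET:-}" ]; then
    probe_radius "$RADIUS_USER" "$RADIUS_PASS" "$RADIUS_SECRET"
fi
```

Run it with a test account that is a member of VPN Users and once with an account that is not: the first should return accept and the second reject. A no-response result means the request never got past the RADIUS client check, so the Access Server's address, the shared secret and the firewall path are the things to revisit, not the policy.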

Once this is done, you are ready to configure your Access Server for RADIUS access!

Access Server Configuration

Log on to the Web Admin UI. Under Authentication, click RADIUS.

If the RADIUS module is not already in use, click Use RADIUS.

In the RADIUS Authentication configuration page, select MS-CHAP v2 as the authentication method, matching the method enabled in the network policy. In the Hostname or IP Address box, enter the address of the server running NPS (in this setup, the domain controller). Leave the authentication port at its default of 1812, which is the port NPS listens on, and make sure the Windows firewall on that server allows UDP 1812 inbound from the Access Server. The Shared Secret is the long string you copied and saved earlier; paste it into the corresponding box and click Save Settings.

Click Update Running Server to apply the changes. Access Server now authenticates users against Active Directory through NPS, and you can manage per-user settings under User Permissions in the Web Admin UI.