Tutorial: Configure Active Directory (Windows Server) RADIUS Protocol for Access Server
Overview
This guide provides information for configuring Access Server to authenticate against Active Directory (AD) using the Remote Authentication Dial-in User Service (RADIUS) protocol.
Prerequisites
Your Access Server's public IP address.
Tip
If you don't know the public IP address, issue an ifconfig command in the terminal of your Access Server instance.
Windows Server, Active Directory Domain Services, and Network Policy and Access Services roles installed.
Important
Be aware that using auto-login profiles doesn’t trigger RADIUS authentication and RADIUS accounting requests.
Begin by configuring your RADIUS server.
Add a new RADIUS client
Open Server Manager on your Windows Server.
Click Tools > Network Policy Server.
Under NPS, expand RADIUS Clients and Servers.
Right-click RADIUS Clients and click New.
Enter the information for your new RADIUS client:
Friendly name: Enter a descriptive name such as "Access Server."
Address (IP or DNS): Enter the public IP address of your Access Server.
Shared Secret: Click the Generate radio button, then click Generate below.
Click OK.
Add a Network Policy
From the Network Policy Server window, expand Policies, right-click on Network Policies, and click New.
Enter the information for your new network policy:
Policy name: Enter a descriptive name such as "Access Server Policy."
Type of network access server: Leave this unspecified.
Click Next.
In the Specify Conditions window, click Add...
Click Windows Groups and click Add...
Click Add Groups... to add new group memberships.
Specify the group names you want to grant access to; for example, we allow access to the group “VPN Users.” You can add multiple groups.
Click OK for the Select Group window and OK for the Windows Groups window.
From the Specify Conditions window, click Add… to (optionally) also specify the IP address of the RADIUS client that forwards connection requests to the network policy server.
Under RADIUS Client Properties, click Client IPv4 Address and click Add…
Specify your Access Server's IP address and click OK.
From the Specify Conditions window, click Next.
Leave the default permissions selected with Access granted and click Next.
In the Configure Authentication Methods window, under EAP Types click Add…
Click Microsoft: Secured password (EAP-MSCHAP V2) and click OK.
From the Configure Authentication Methods window, click Next.
Accept the default constraints and click Next.
Accept the default settings for the network policy and click Next.
Click Finish to complete the new network policy.
Tip
We recommend including the Client IPv4 Address condition in your network policy, especially if you have other resources on your network besides your VPN server. Otherwise, it’s possible anyone listed in the group(s) added to the Windows Groups condition can access all your other network resources.
Ensure your policy is accessible
From the Network Policy Server window, ensure that your new policy is listed above any blocked policy. A blocked policy is denoted with a red X. NPS evaluates policies in order, so if your new policy appears below the blocked policies, your clients can’t authenticate against the server. To fix this:
Right-click on the new policy.
Click Move Up until your policy is above the blocked policies.
Now you’re ready to configure your Access Server for RADIUS access.
Sign in to your Admin Web UI.
Click Authentication > RADIUS.
If RADIUS isn't enabled, set Enable RADIUS Authentication to Yes.
Enter your RADIUS settings:
Hostname or IP Address: Enter your domain controller's IP address.
Shared Secret: Enter the long text string shared secret saved from earlier.
Verify Message-Authenticator Attribute: Set to No.
Message-Authenticator not currently supported
At the time of publication, this RADIUS service doesn't return a Message-Authenticator attribute in its responses, so with verification set to Yes, Access Server would reject those responses.
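To make the setting above concrete, here is an added example (not code from the original page or from OpenVPN Access Server) that models both ends of a RADIUS exchange in plain Python, following RFC 2865 and RFC 2869: the client builds an Access-Request carrying a Message-Authenticator, the server validates it and answers with an Access-Accept, and the client checks the Response Authenticator and, optionally, the response's Message-Authenticator. The `client_requires_ma` switch plays the role of "Verify Message-Authenticator Attribute", and `server_sends_ma=False` models a server that omits the attribute, as this page says NPS does. The shared secret, user name, NAS address and reply text are constructed values.

```python
"""Minimal RADIUS (RFC 2865/2869) packet build-and-verify model. Added example;
all secrets, names and addresses below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_REPLY_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 18, 80
ZERO16 = b"\x00" * 16


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(data):
    """Parse the attribute region of a packet; rejects truncated or overlong TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s.5.14: HMAC-MD5 keyed with the shared secret over the packet with the
    Message-Authenticator value zeroed. For responses the 16-byte header field used
    is the Request Authenticator of the Access-Request being answered."""
    zeroed = [(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_access_request(ident, username, nas_ip, secret):
    """Client side (the VPN server acting as NAS): Access-Request with Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (ATTR_MESSAGE_AUTHENTICATOR, ZERO16)]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_check_request(packet, secret):
    """Server side: the request's Message-Authenticator must verify before processing."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    return len(mas) == 1 and hmac.compare_digest(
        mas[0], message_authenticator(code, ident, request_auth, attrs, secret))


def build_response(code, ident, request_auth, attrs, secret, include_ma):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    include_ma=False models a server that omits Message-Authenticator from replies."""
    attrs = list(attrs)
    if include_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, ZERO16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret, require_ma):
    """Client side. Returns (accepted, reason); require_ma mirrors the
    'Verify Message-Authenticator Attribute' setting."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False, "bad Response Authenticator"
    attrs = parse_attrs(body)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:  # the case this page describes: no Message-Authenticator in the reply
        return (False, "Message-Authenticator missing") if require_ma else \
            (True, "accepted without Message-Authenticator")
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(mas[0], message_authenticator(code, ident, request_auth, attrs, secret)):
        return False, "bad Message-Authenticator"
    return True, "accepted, Message-Authenticator verified"


def exchange(server_sends_ma, client_requires_ma, tamper=False, secret=b"constructed-shared-secret"):
    """One in-process request/response round trip between the two sides above."""
    req, request_auth = build_access_request(7, "alice", "203.0.113.10", secret)
    if not server_check_request(req, secret):
        return False, "server rejected request"
    resp = build_response(ACCESS_ACCEPT, 7, request_auth, [(ATTR_REPLY_MESSAGE, b"ok")],
                          secret, server_sends_ma)
    if tamper:  # flip one bit of the reply body; the Response Authenticator must then fail
        resp = resp[:-1] + bytes([resp[-1] ^ 0x01])
    return verify_response(resp, request_auth, secret, client_requires_ma)
```

Running `exchange(False, True)` shows why the page's setting matters: a reply that carries no Message-Authenticator is rejected outright when the client requires one, even though its Response Authenticator is valid. `exchange(False, False)` is the configuration the page recommends, where the reply is still bound to the shared secret through the Response Authenticator, and `exchange(True, True)` is the stronger mode to switch to once the server does return the attribute.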
Under RADIUS Authentication Method set MS-CHAP v2 to Yes.
Access Server should now authenticate users against Active Directory.
Important
Be aware that using auto-login profiles doesn’t trigger RADIUS authentication and RADIUS accounting requests. The first time a user signs in to download an auto-login connection profile, they can authenticate against the RADIUS server, but after that, auto-login connection profiles authenticate using only a certificate and bypass credential-based authentication of the RADIUS server.