Configuring Active Directory (Windows Server) RADIUS Protocol for OpenVPN Access Server
This guide provides information for configuring OpenVPN Access Server to authenticate against Active Directory (AD) using the remote authentication dial-in user service (RADIUS) protocol.
Before you begin:
- Ensure you know the IP address of your OpenVPN Access Server. If you don’t know it, issue an ifconfig command in the terminal of your OpenVPN Access Server instance.
- Ensure you have Windows Server, Active Directory Domain Services, and Network Policy and Access Services roles installed.
- Be aware that using auto-login profiles doesn’t trigger RADIUS authentication and RADIUS accounting requests.
Windows Server Configuration
Begin by configuring your RADIUS server.
Add a new RADIUS client
- Open Server Manager on your Windows Server.
- Click Tools > Network Policy Server.
- Under NPS, expand RADIUS Clients and Servers, right-click RADIUS Clients and click New.
- Enter the information for your new RADIUS client:
- Friendly name: Enter a descriptive name such as “OpenVPN Access Server”.
- Address (IP or DNS): Enter the IP address of your Access Server.
- Shared Secret: Click the Generate radio button, then click Generate below.
- Click OK.
Add a Network Policy
- From the Network Policy Server window, expand Policies, right-click on Network Policies and click New.
- Enter the information for your new network policy:
- Policy name: Enter a descriptive name such as “OpenVPN Access Server Policy”.
- Type of network access server: Leave this unspecified.
- Click Next.
- In the Specify Conditions window, click Add…
- Click Windows Groups and click Add…
- Click Add Groups… to add new group memberships.
- Specify the group names you want to grant access; for example, we allow access to the group, “VPN Users.” You can add multiple groups.
- Click OK for the Select Group window and OK for the Windows Groups window.
- From the Specify Conditions window, click Add… to (optionally) also specify the IP address of the RADIUS client that forwards connection requests to the network policy server.
- Under RADIUS Client Properties, click Client IPv4 Address and click Add…
- Specify the IP address of your Access Server and click OK.
- From the Specify Conditions window, click Next.
- Leave the default permissions selected with Access granted and click Next.
- In the Configuration Authentication Methods window, under EAP Types click Add…
- Click Microsoft: Secured password (EAP-MSCHAP V2) and click OK.
- From the Configure Authentication Methods windows, click Next.
- Accept the default constraints and click Next.
- Accept the default settings for the network policy and click Next.
- Click Finish to complete the new network policy.
Note: We recommend including the Client IPv4 Address condition in your network policy, especially if you have other resources on your network besides your VPN server. Otherwise, it’s possible anyone listed in the group(s) added to the Windows Groups condition can access all your other network resources.
Ensure your policy is accessible
From the Network Policy Server window, ensure that your new policy is listed above any blocked policy. A blocked policy is denoted with a red X. If your new policy appears at the bottom of the blocked policies, your clients can’t authenticate against the server. To fix this:
- Right-click on the new policy.
- Click Move Up until your policy is above the blocked policies.
Access Server Configuration
Now you’re ready to configure your Access Server for RADIUS access.
- Sign in to your Admin Web UI.
- Click Authentication > RADIUS.
- If RADIUS is not enabled already, click Use RADIUS to set it as the default authentication method, or set Allow RADIUS authentication for assigned users and groups to allow RADIUS as an additional authentication method.
- Under RADIUS Authentication Method set MS-CHAP v2 to Yes.
- Enter your RADIUS settings:
- Hostname or IP Address: Enter your domain controller’s IP address.
- Shared Secret: Enter the long text string shared secret saved from earlier.
- Click Save Settings and Update Running Server.
Your Access Server should now authenticate users against your Active Directory users.
Note: Be aware that using auto-login profiles doesn’t trigger RADIUS authentication and RADIUS accounting requests. The first time a user signs in to download an auto-login connection profile, they can authenticate against the RADIUS server, but after that, auto-login connection profiles authenticate using only a certificate and bypass credential-based authentication of the RADIUS server.