How to configure Radius Server on Windows Server 2016? – TheITBros (2023)

RADIUS (Remote Authentication in Dial-Up User Service) is a network protocol for implementing authentication, authorization, and information collection about resources in use. It is designed to transfer information between the central platform and the clients/devices on the network. Your RADIUS (Remote Access) server can communicate with a central server/service (for example, an Active Directory domain controller) to authenticate remote clients over the phone and authorize them to access certain services or network resources. This allows you to use a centralized authentication system on your domain.

In this article, we show how to configure RADIUS host server based on Windows Server 2022, 2019 or 2016 operating systems and how to configure RADIUS authentication on Cisco devices using the Network Policy Server (NPS) service. In this example, RADIUS uses AD to authenticate remote users and authorize them to access Cisco and Mikrotik switches/routers (acting as RADIUS clients) from the command line.

Installing the Radius Server (NPS) role on Windows Server 2022/2019/2016

First create a new onesafety equipmentin the Active Directory domain (for example, RemoteCiscoUsers) where you need to add all users who can authenticate to Cisco routers and switches (How toAdd AD user to group with PowerShell?).

Starting with Windows Server 2008 R2, RADIUS server functionality has been implemented with the Network Policy Services (NPS) role. The NPS feature allows you to authenticate external clients to Active Directory using the Radius protocol.

Therefore, you need to install the RADIUS server role on Windows Server 2022/2019/2016. open itserver administratorconsole and run itAdd roles and featuresmagician. The RADIUS (Remote Authentication Dial-In User Service) protocol in Windows Server is part of the Network Policy Server role. In the wizard that appears, select it.Network policies and access servicesrole in the role selection step.

Observation. You can also install NPS features and management tools from an elevated PowerShell console:
Instalar-WindowsFeature NPAS –IncludeManagementTools

Make sure the NPAS role is installed on the Windows Server host:

Get-WindowsFeature -Nombre NPAS

After the role is installed, open Network Policy Server (nps.msc) from the Tools menu.

To use the NPS server in the domain, you must register it in Active Directory. In the NPS module, right-click a root folder and selectRegister server in Active Directory.

Confirm the server's registration in Active Directory.

You can also register your NPS server in Active Directory with a command:

netsh ras add registered server

In this case, the server has permission to read the Active Directory user account properties to authenticate users. The server is added to the built-in domain groupRAS- on IAS servers.

You can now add the Radius client. The Radius client is the device from which your server receives authentication requests. In this example, it could be a Cisco router, switch, Wi-Fi access point, etc.

To add the new Radius client, expand itRADIUS-clients en-serversin the NPS console tree and selectYoungin itRADIUS clientsgentle.

Fill in the fields on the Settings tabfriendly name, clientADDRESS(you can specify IP address or DNS name) andsecret to you+Sharing Confirmationpassword (you will use this password in your Cisco switch/router configuration).

Observation. The shared secret password is rarely used in large enterprise networks due to shared key distribution issues. Instead of shared passwords, it is recommended to use certificates. If you have implemented an enterprise CA to implement your PKI infrastructure, you can request and import a *.p12 certificate for your Radius/NPS server. Simply add the certificate to the local computer's personal certificate store.

On the Advanced tab, select Vendor Name - Cisco.

You can use the PowerShell command instead of the NPS GUI to add a new RADIUS client. In this case, you can use the New-NpsRadiusClient PowerShell cmdlet:

New-NpsRadiusClient – ​​Call "192.168.31.1" - Call "cisco2960" -SharedSecret

Configure NPS policies on the RADIUS server

NPS policies allow you to authenticate external users and grant them access rights configured in the NPS role. NPS access policies allow you to associate RADIUS client records and the domain security group that determines the level of access to CISCO devices.

There are two types of policies on a RADIUS server:

• Login Request Policy— This policy defines a set of conditions that determine which RADIUS servers must authenticate and authorize connection requests from RADIUS clients.
• Network Policy— a set of conditions and settings that allow you to determine who is authorized to connect to your network and a list of assigned access rights. These policies are processed sequentially from top to bottom.

In our case, we only use the NPS network policy. fold itPolicy>Network Policybranch and chooseYoung:

Specify the policy name, the network access server type should remain unchanged (unspecified).

in the next stepIdentify the conditions, you must add the conditions under which this RADIUS policy applies. Let's add two conditions: the authorized user must be a member of a specific domain security group, and the device they want to access has a specific name. use itAdditionoption to create a new condition by clicking onWindows teamwrite (add group RemoteCiscoUsers) and specify itFriendly name for the client(Cisco_*).

Observation. The Client Friendly Name field may differ from the DNS name of your device. We need it in later steps to identify a specific network device when creating a remote access policy. For example, you can use this name to specify a mask that allows a single access policy to handle multiple RADIUS clients.

On the next screen, select Access Granted.

The Cisco switch only supports the unencrypted authentication method (PAP, SPAP), so we disabled all other options.

Skip the next step for configuration restrictions.

In Configure Settings, go to RADIUS Attributes > Default. Delete the existing features there and click the Add button.

Select Access Type > All, then Service Type > Add. Specify other = Login.

Now add a new attribute under RADIUS Attributes > Vendor Specific. Select Cisco under Provider and click Add. Here you need to add information about the feature. Click Add and enter the following value:

shell: priv-lvl=15;

This value means that the user authorized by this policy has a maximum of (15) administrative access rights to the Cisco device.

The last screen shows all the selected NPS policy settings. Click Finish.

Suggestion. You can backup the current NPS server configuration to the XML file with the command:
Export-NpsConfiguration - Pad c:\ps\backup_nps.xml

If you need to restore the NPS configuration from a previously created backup file, do the following:

Import-NpsConfiguration - Pad c:\ps\backup_nps.xml

When creating and planning RADIUS policies, keep in mind what is important in their order. Policies are processed from top to bottom and when it is determined that all conditions of the next policy are met, further processing is stopped. You can change the policy priorities in the NPS console by using the process order value.

To ensure that the user account can be used for Radius authentication, open itActive Directory Users and Computers Snap-in(dsa.msc),find the user, open its properties, go to itCall totab and select itControl access through NPS network policieschoice inNetwork access permissionUnit.

You can also check the value of the current option using PowerShell:

Get-ADUser richard.doe -Propiedades msNPAllowDialin -Servidor dc1.theitbros.com

If the above command did not return any output (empty), it means that the default "Access control via NPS Network Policy" is used.

To reset this user-defined attribute to its default state, use the command:

Set-ADUser richard.doe -Remove msNPAllowDialin -Server dc1.theitbros.com

Or you can reset this attribute for all users in the specificActive Directory-OUthe habitsLDAPfilter:

Get-ADUser -SearchBase "ou=Users,ou=Paris,dc=theitbros,dc=com" -LDAPFilter "(msNPAllowDialin=*)" | % {Set-ADUser $_ -Clear msNPAllowDialin}

Configure RADIUS Settings on Cisco Devices

After creating the policy, you can proceed to configure your Cisco routers or switches to authenticate to the newly installed Radius NPS server.

Because we use domain accounts for authorization, user credentials must be sent over the network in encrypted form. To do this, disable telnet on the switch and enable SSHv2 on Cisco using the following commands in configuration mode:

set terminal encryption key to generate rsa 1024ip ssh version 2 module

AAA works as follows: if the response from the server is not received, the client assumes the authentication failure. Be sure to create a local user in case the RADIUS server is unavailable for some reason.

You can create a local user with the following command:

username cisco_local password $UPerrP@ssw0rd

Run the following commands to require the use of SSH and disable remote access via Telnet:

line vty 5 15transport ssh input

The following is an example of the configuration to authorize a Radius server for the Cisco Catalyst Switch:

aaa new model aaa authentication login default group radio local aaa authorization exec default group radio ) password encryption# enable password encryption

If you have multiple Radius servers, add them to the group:

aaa group server radio radius_srv_groupserver 192.168.1.16servidor 192.168.101.16

This completes the minimal configuration of the switch and you can attempt to verify Radius authentication on your Cisco device.

How to configure RADIUS authentication on Microtik devices (RouterOS)?

In this part, we will show you how to configure RADIUS authentication for VPN user connections through a Mikrotik router (based on RouterOS).

Open the Network Policy Server console (nps.msc) and create a new Radius client.

ChooseNew RADIUS clientand configure the following settings:

• Enable this RADIUS client.
• Friendly Name – Enter the name of your Mikrotik router here.
• Address: specifically the IP address of the Mikrotik router.
• Enter your pre-shared secret key.

Create a new network policy with the following settings:

• User Groups— specify the name of the domain user group that can authenticate to the Mikrotik router.
• Authentication type— MS‑CHAPv2;
• tunnel type— Point-to-Point Tunneling Protocol (PPTP).
• Rights of access- Access granted?
• In itConfigure authentication methodswindow, she was left aloneMS-CHAPv2and allow users to change expired passwords (User can change password after it expiresselection);
• Bandwidth and Multilink Allocation Protocol (BAP)– Do not allow multilink connections.
• In itmodel to followsection, remove Service-Type – Framed and leave only Framed-ProtocolPPS;
• encryptions— Leave only the most secure encryption method (128-bit MPP).

After creating a new policy, open Network Policy Server Configuration.

Allow only the following UDP ports for RADIUS server communication:

• Authentication — 1812;
• Accounting - 1813.

Make sure these UDP ports are open in the Microsoft Defender Firewall rules. If not, open them manually.

Now you need to configure the connection settings for Windows Server RADIUS in the Mikrotik settings (we assume that the PPP VPN server is already configured in RouterOS for the user connection).

In the PPTP server settings, just check itmschap2can be used for authentication.

Now we need to configure the connection to the Radius NPS server. Select New Radius Server and specify the following options:

• Service: ppn;
• Address: IP address of the RADIUS server.
• Secret: Pre-shared key that you specified in the network policy settings.
• Src/Address: Mikrotik IP address from which traffic is sent to NPS.
• Authentication Port: 1812;
• Accounting portal: 1813.

Add appropriate access rules to Mikrotik Firewall.

then go tosecret>Authentication and accounting PPPand change ituse the lightningselection.

It remains to configure a PPTP VPN connection to your Mikrotik VPN on the users' computers. To authenticate to Mikrotik, users can use their Active Directory accounts (the accounts must be added to the AD group you specified when creating the Miktotik network policy in NPS).

How do I check NPS/RADIUS logs in Windows?

To enable NPS RADIUS server authentication logging, you must enable the network policy server audit policy. You can enable this policy through the Local Group Policy Editor or with the following commands:

auditpol /get /subcategory:"Network Policy Server" auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

You can now open the Event Viewer console (eventvwr.msc), go to Windows Logs > Security, and filter the event by Event ID 6272.

The network policy server has granted access to a user.

To find all NPS authorization events for the specific user (Richard.Doe in this example), use the following PowerShell script:

$Query = @"*[EventData[Data[@Name='SubjectUserName'] en (Data=theitbros\richard.doe')]] is*[System[(EventID='6272')]]"@$events = Get-WinEvent -FilterXML $Query$ipaddr = @{ label=" IP"; Expression={$_.properties[9].value} }$events | select $ipaddr | group "IP" | format Table count, name - autosize