Configuring a Windows Server 2008 for RADIUS Authentication


This Help topic provides instructions for users who wish to configure a Windows Server 2008 to provide RADIUS authentication. It includes steps for configuring Network Policy Server (NPS), and for creating users in Active Directory. Policy Manager has been designed to work with a RADIUS server for authentication. The NPS implements the RADIUS protocol, and provides authentication of users connecting to the network via LAN, virtual private network (VPN), and dial-up technology.

It is recommended that you begin by reading the Policy Manager Authentication Configuration Guide for general authentication instructions prior to following the steps here. Windows Server 2008 users should follow the steps in this topic, instead of the Installing and Configuring the RADIUS Server section in the Authentication Configuration Guide.

The recommended sequence for performing the configuration is listed below. When you have completed these instructions, refer back to the sections Configuring RADIUS in Policy Manager and Testing Authentication in the Authentication Configuration Guide for instructions on how to use Policy Manager to configure authentication parameters on your devices, and verify that the users created in Active Directory can authenticate to the network.

For more information on Windows Server 2008, access the Microsoft Windows Server 2008 Step-by-Step Guides and review the Windows Server 2008 Network Policy Server (NPS) Operations Guide.

  NOTE: The following instructions assume that you already have NPS installed on your computer.

Instructions on:

  1. Configuring Network Policy Server (NPS)
    1. Specifying RADIUS Port Numbers
    2. Adding RADIUS Client Devices
    3. Adding a New Remote Access Policy
    4. Registering NPS
    5. Stopping and Restarting NPS
  2. Creating Users in Active Directory
    1. Creating a User
    2. Specifying User Permissions
  3. Configuring Devices and Testing Authentication

Configuring Network Policy Server (NPS)

Specifying RADIUS Port Numbers

Use the following steps to specify the RADIUS authentication and accounting port numbers.

  1. Select Start > Programs > Administrative Tools > Network Policy Server. The Network Policy Server window opens.
  2. Right-click on "NPS (Local)" and select Properties.
  3. On the Ports tab, set the authentication and accounting ports according to your RADIUS requirements.
  4. Click OK.

Adding RADIUS Client Devices

Follow these steps to add RADIUS clients (Policy Manager devices, not end users) to the server.

  1. In the Network Policy Server window (Start > Programs > Administrative Tools > Network Policy Server), expand the RADIUS Clients and Servers folder.
  2. Right-click on "RADIUS Clients" and select New RADIUS Client.
  3. In the New RADIUS Client window, enter a Friendly name.
  4. Enter the IP address of the RADIUS client and select a Client Vendor (e.g. RADIUS Standard).
  5. Enter a Shared Secret. A shared secret is a string of characters that will be used to encrypt and decrypt communications between the RADIUS server and the device (RADIUS client). Without the shared secret, the server and client will be unable to communicate, and authentication attempts will fail. The shared secret must be at least 6 characters long; 16 characters is recommended. Dashes are allowed in the string, but spaces are not. Be sure to write the shared secret down, as you will be adding it to the RADIUS client devices later.
  6. Click OK.
  7. Repeat until all of your Policy Manager devices have been added.

Adding a New Remote Access Policy

Follow these steps to add a new Remote Access Policy. A Remote Access Policy is a set of actions that is applied to a group of users who meet a specified set of conditions. The selections in the following steps can be used as an example; for more specific options, review the Windows Server 2008 Network Policy Server (NPS) Operations Guide.

  NOTE: For information on configuring end user VLAN ID attributes (in compliance with RFC 3580) to be used in conjunction with VLAN to Role Mapping, refer to your device firmware and RADIUS server documentation.

  1. In the Network Policy Server window (Start > Programs > Administrative Tools > Network Policy Server), expand the Policies node. Right-click on "Connection Request Policies" and select New.
  2. The New Connection Request Policy wizard opens.
    1. Enter a Policy name and then click Next.
    2. In the Specify Conditions panel click Add.
    3. Select the condition "Day and Time Restrictions" and click Add.
    4. In the Day and Time Restrictions window select the Permitted radio button. Click OK. Click Next.
    5. In the Specify Connection Request Forwarding panel, select "Authentication." Select the appropriate settings for your RADIUS server and click Next.
    6. In the Specify Authentication Methods panel, click Next.
    7. In the Configure Settings panel, click Next.
    8. In the Completing Connection Request Policy Wizard panel, verify that the settings are correct and click Finish.
  3. Back in the Network Policy Server window, right-click on "Network Policy" and select New.
  4. The New Network Policy wizard opens.
    1. Enter a Policy name and click Next.
    2. In the Specify Conditions panel, click Add.
    3. Select the condition "Windows Groups" and click Add.
    4. In the Windows Groups window click Add Groups.
    5. In the Select Group window, enter the object name to select. Click OK.
    6. Click OK in the Windows Groups window. Click Next.
    7. In the Specify Access Permission panel, select "Access Granted" and click Next.
    8. In the Configure Authentication Methods panel, select the appropriate settings for your authentication requirements and click Next.
    9. In the Configure Constraints panel, click Next.
    10. In the Configure Settings panel, select "Standard" under RADIUS Attributes and remove all default attributes, such as "Service-Type" and "Framed-Protocol."
    11. Click Add to add a Filter-Id attribute.
    12. In the Add Standard RADIUS Attribute window, select "Filter-Id" and then click Add.
    13. In the Attribute Information window, click Add.
    14. In the Attribute Information window, enter the attribute value:

       Enterasys:version=1:mgmt=su:policy=[role]

       where [role] is the role name to be applied to this user.

       CAUTION: Include :mgmt=su in the string only for users who should have administrative privileges and the ability to telnet to devices and/or use local management on devices when authentication is enabled. For other users, leave it out.
    15. Click OK and Close to close the windows and click Next.
    16. In the Completing New Network Policy window, verify the settings are correct and click Finish.
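Added example (not part of this help topic or of Policy Manager itself): a small Python helper that builds the Filter-Id value from step 14 for a given role, parses such a value back, and audits a set of network policies for a mgmt=su flag that disagrees with whether the policy was meant to grant administrative access. The role names and sample policies are constructed for illustration.

```python
VENDOR_PREFIX = "Enterasys"  # first field of the Filter-Id value shown above


def build_filter_id(role: str, admin: bool = False) -> str:
    """Build the Filter-Id for a role; mgmt=su is added only when admin is True."""
    if not role or ":" in role or "=" in role:
        raise ValueError(f"invalid role name: {role!r}")
    parts = [VENDOR_PREFIX, "version=1"]
    if admin:
        parts.append("mgmt=su")
    parts.append(f"policy={role}")
    return ":".join(parts)


def parse_filter_id(value: str) -> dict:
    """Parse a Filter-Id into {'role': str, 'admin': bool}; reject malformed input."""
    fields = value.split(":")
    if fields[0] != VENDOR_PREFIX:
        raise ValueError(f"not an Enterasys Filter-Id: {value!r}")
    kv = {}
    for field in fields[1:]:
        key, sep, val = field.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {field!r} in {value!r}")
        kv[key] = val
    if kv.get("version") != "1" or "policy" not in kv:
        raise ValueError(f"missing version=1 or policy= in {value!r}")
    return {"role": kv["policy"], "admin": kv.get("mgmt") == "su"}


def audit_policies(policies: dict) -> list:
    """policies maps a network policy name to (filter_id, should_be_admin).
    Returns the policy names whose mgmt=su flag disagrees with the intent."""
    findings = []
    for name, (filter_id, should_be_admin) in policies.items():
        if parse_filter_id(filter_id)["admin"] != should_be_admin:
            findings.append(name)
    return findings


# Constructed sample policies (not an export from a real NPS server).
SAMPLE_POLICIES = {
    "Staff": ("Enterasys:version=1:policy=Enterprise User", False),
    "Guests": ("Enterasys:version=1:mgmt=su:policy=Guest Access", False),
    "NetAdmins": (build_filter_id("Administrator", admin=True), True),
}

if __name__ == "__main__":
    print(audit_policies(SAMPLE_POLICIES))  # ['Guests']
```

Run the audit against the Filter-Id strings you actually entered in each network policy to catch a mgmt=su that was copied into a non-administrative policy by mistake.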

Registering NPS

Follow these steps to register the Network Policy Server in the Active Directory, which enables NPS to authenticate users in the Active Directory.

  1. In the Network Policy Server window (Start > Programs > Administrative Tools > Network Policy Server), right-click on "NPS (Local)" and select Register server in Active Directory.
  2. Click OK.

Stopping and Restarting NPS

After completing the above steps to configure the Network Policy Server, you must stop and restart the service.

  1. In the Network Policy Server window (Start > Programs > Administrative Tools > Network Policy Server), right-click on "NPS (Local)" and select Stop NPS Service.
  2. Right-click on "NPS (Local)" and select Start NPS Service.

Creating Users in Active Directory

Use these steps to create users and specify user permissions.

Creating a User

Create a new object for each user who will be authenticating.

  1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens.
  2. Right-click on the "Users" folder and select New > User.
  3. Proceed through the windows, entering the user name, password, and other relevant information. Click Finish.

Specifying User Permissions

For Windows Server 2008, user permission is specified in the Remote Access Policy that is configured in the Network Policy Server.

  1. Right-click on a user and select Properties. The User Properties window opens.
  2. In the Dial-In tab, select the "Control access through NPS Network Policy" radio button in the Network Access Permission section.
  3. Click OK.

Configuring Devices and Testing Authentication

When you have completed the above instructions, refer to the sections Configuring RADIUS in Policy Manager and Testing Authentication in the Authentication Configuration Guide for instructions on how to use Policy Manager to configure authentication parameters on your devices, and verify that the users created in Active Directory can authenticate to the network.
