Configuring a Microsoft RADIUS Server

Setting up a Microsoft RADIUS (Remote Authentication Dial-In User Service) server involves configuring a Network Policy Server (NPS), which is the Microsoft implementation of RADIUS. NPS allows you to centralize authentication, authorization, and accounting for network access requests.

Here’s a step-by-step guide to configuring a Microsoft RADIUS server using Network Policy Server (NPS) in Windows Server:

Prerequisites:

  1. Windows Server (any version from 2008 onward).
  2. Administrator access to the Windows Server.
  3. NPS Role installed on the server.
  4. Active Directory (if using AD authentication).

Step 1: Install the NPS Role

  1. Open Server Manager.
  2. Click Manage and then select Add Roles and Features.
  3. In the Add Roles and Features Wizard, select Role-based or feature-based installation.
  4. Select the server you want to install the NPS role on.
  5. On the Select Server Roles page, expand Network Policy and Access Services.
  6. Select Network Policy Server and click Next.
  7. Proceed through the wizard and click Install.

Step 2: Configure NPS as a RADIUS Server

  1. Open the NPS console:
    • Press Win + R, type nps.msc, and press Enter.
  2. In the NPS console, right-click NPS (Local) and select Register server in Active Directory. This step is necessary to ensure NPS can authenticate users using Active Directory.
  3. Click OK to confirm the registration.

Step 3: Add a RADIUS Client

The RADIUS client is the device (such as a wireless access point, VPN server, or network switch) that will send authentication requests to the NPS server.

  1. In the NPS console, go to RADIUS Clients and Servers > RADIUS Clients.
  2. Right-click RADIUS Clients and choose New RADIUS Client.
  3. Enter a Friendly Name (any name to identify the device).
  4. Enter the IP address of the client (the device you want to authenticate).
  5. Set a Shared Secret. This is a password that the RADIUS client and the NPS server both hold and use to authenticate the messages they exchange and to protect sensitive attributes such as the user password. Make sure to configure the client device with the same shared secret.
  6. Click OK to save.

Step 4: Configure Network Policies

Network policies determine who can access the network and under what conditions.

  1. In the NPS console, expand Policies and then click Network Policies.
  2. Right-click Network Policies and select New.
  3. On the General tab, provide a Policy Name and set the Type of network access server (for example, Remote Access Server (VPN) or IEEE 802.1X Wireless).
  4. Click Next.
  5. On the Conditions tab, you can define conditions like:
    • User group (e.g., only members of a certain AD group can authenticate).
    • Connection type (e.g., VPN, wireless).
    • Client IP address, etc.
    Select the desired conditions and click Next.
  6. On the Constraints tab, you can configure additional settings like:
    • Encryption levels.
    • Authentication methods (e.g., EAP, MS-CHAP).
    Choose the appropriate options and click Next.
  7. On the Settings tab, you can define settings like:
    • Accounting settings.
    • Idle timeout.
    • Bandwidth constraints.
    Set the required settings and click Next.
  8. Review your settings and click Finish to create the policy.

Step 5: Configure Connection Request Policies (Optional)

Connection request policies determine how incoming RADIUS requests are processed.

  1. In the NPS console, expand Policies and then click Connection Request Policies.
  2. Right-click Connection Request Policies and select New.
  3. On the General tab, provide a name for the policy.
  4. On the Conditions tab, specify conditions (like client type or IP address).
  5. On the Actions tab, specify whether to forward requests to another RADIUS server (if you have a multi-tier setup).
  6. Click Next and then Finish.

Step 6: Configure RADIUS Accounting (Optional)

You can enable RADIUS accounting to log authentication attempts, successes, and failures.

  1. In the NPS console, go to RADIUS Accounting.
  2. Right-click RADIUS Accounting and select Properties.
  3. Under the Log File tab, you can configure where accounting data will be logged (e.g., SQL Server, text file).
  4. Under the Log on Success and Log on Failure tabs, configure how to log events.
  5. Click OK to save your settings.

Step 7: Test the RADIUS Server

Once everything is configured, test the RADIUS server by attempting to authenticate through the client device (for example, by connecting to a VPN or Wi-Fi network).

  1. Verify that the NPS server is reachable from the client device.
  2. Check the Event Viewer for any logs related to authentication attempts.
    • Open Event Viewer (type eventvwr.msc).
    • Navigate to Windows Logs > Security to see authentication events.
  3. If any errors occur, review the configuration steps to ensure the shared secret, policies, and conditions are correctly set up.
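
A scripted equivalent of Steps 1 to 3 and the Step 7 log check, as an added example that is not part of the original guide. The client name and IP address are placeholders, and the fields read from events 6272 and 6273 assume the standard layout of NPS events in the Security log.

```powershell
# Added example: run in an elevated PowerShell session on the NPS server.
$ClientName    = 'ap-floor1'     # hypothetical friendly name
$ClientAddress = '192.0.2.10'    # placeholder IP (documentation range)

# Step 1: install the NPS role (feature name NPAS) and the nps.msc console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# Step 2: register this server in its Active Directory domain.
netsh nps add registeredserver

# Step 3: create the RADIUS client with a random 32-character shared secret.
# A 64-symbol alphabet lets each random byte map to a symbol without bias.
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$secret = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $ClientName)) {
    New-NpsRadiusClient -Name $ClientName -Address $ClientAddress -SharedSecret $secret | Out-Null
    # Shown once so it can be entered on the client device; keep it in a password vault.
    Write-Output "Shared secret for ${ClientName}: $secret"
}

# Step 7: list NPS decisions from the last hour.
# Event ID 6272 = access granted, 6273 = access denied.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $evt.TimeCreated
        Result   = if ($evt.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User     = $data['SubjectUserName']
        Client   = $data['ClientName']
        ClientIP = $data['ClientIPAddress']
        Policy   = $data['NetworkPolicyName']
        Reason   = $data['Reason']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the last command returns nothing after a test login, check that auditing is enabled for the Network Policy Server subcategory with `auditpol /get /subcategory:"Network Policy Server"`.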
