Bunker Hollow

Matt Williamson's home on the web, welcome.

Matt Williamson's Blog

Personal discoveries of an IT professional.

Configuring Server 2008 for RADIUS Authentication

I like connecting to my network using my pfSense firewall's built-in VPN server.  Following these steps, I can configure Windows Server 2008 to provide the authentication credentials for pfSense via RADIUS.  I figured this out using this great guide that I referenced for Windows Server 2003...

Enable "reversible password encryption" for your domain users.
Globally:

  1. Admin Tools - Group Policy Management
  2. Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
  3. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled.

Per User:

  1. I prefer doing it globally, but you can do it on a per user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.

*Restart the domain controller after these Group Policy changes.
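Reversible storage is what the comments below call a hole: the domain controller keeps a decryptable copy of each password set while the setting is on, and it is only needed by methods that must see the plaintext (CHAP, for example), not by MS-CHAP v2. The following audit is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT or later) and an account allowed to read user objects.

```powershell
# Added example, not part of the original post. Shows where the
# "reversible encryption" setting from the steps above is in effect.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

# 1. The domain-wide switch set through the Default Domain Policy. When it is
#    on, every password set afterwards is stored reversibly even though the
#    per-user bit checked in step 2 stays clear.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain-wide 'Store passwords using reversible encryption': $($policy.ReversibleEncryptionEnabled)"

# 2. The per-user checkbox on the Account tab. It is bit 0x80
#    (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl; the LDAP matching
#    rule 1.2.840.113556.1.4.803 performs a bitwise AND.
$flagged = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                        -Properties PasswordLastSet)
"Users with the per-user flag set: $($flagged.Count)"
$flagged | Select-Object SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize

# 3. Only passwords set while the setting was on are stored reversibly, and
#    clearing the setting does not remove an existing reversible copy; the
#    copy is replaced at the next password change. -WhatIf previews the
#    remediation for enabled accounts without changing anything.
$flagged | Where-Object { $_.Enabled } |
    Set-ADUser -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true -WhatIf
```

Run it once before and once after the Group Policy change: PasswordLastSet tells you which accounts actually changed their password under the setting and therefore hold a reversible copy.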

Enable Windows Server 2008 Network Policy Server (NPS)

  1. Add the "Network Policy and Access Services" role to your domain controller.
  2. Enable these role services during installation:
    Network Policy Server
    Routing & Remote Access Services
       Remote Access Service
       Routing

Verify the RADIUS Port Numbers

  1. Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports Tab.
  2. Verify the defaults for Authentication are 1812,1645.
  3. Verify the defaults for Accounting are 1813, 1646.
  4. 1812/1813 are the port numbers officially assigned to RADIUS; 1645/1646 are the older ports that some clients still use, and NPS listens on both by default.  You can change them to match your RADIUS client, but the defaults should be fine.

Add a new RADIUS Client

  1. NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click Add new Client.
  2. Add a name, the ip address of your client and create a shared secret.

Add a new Network Policy

  1. NPS (Local) -> Policies -> Right-click Network Policies -> Add new.
  2. Enter a name and leave Type of network access server as Unspecified.  Click Next.
  3. Add a condition.  Choose Windows Groups.  Add a Group ("Domain Users" for example).  Click OK, then Next.
  4. Choose Access Granted.  Click Next.
  5. Leave the default Authentication Methods.  Click Next.
  6. Leave the Default Constraints.  (Although they look like some cool new features you may want to use.)  Click Next.
  7. Leave the Default Settings.  Click Next.
  8. Click Finish.

Granting or Denying Access to Users

  1. Right click a domain user -> Properties -> Dial-in tab.
  2. You can Grant or Deny here, but I just leave the NPS Policy we setup earlier to allow all domain users through.

Configure your RADIUS Client

  1. In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS machine where we just configured everything.  Input the shared secret and then log in from anywhere!
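Before touching the firewall it is worth confirming that the NPS client entry, port and shared secret line up. The script below is an added example, not part of the original post or of pfSense/NPS: it sends one PAP Access-Request (RFC 2865) carrying a Message-Authenticator (RFC 2869) to the server and checks the reply's Response Authenticator, which only verifies when both sides used the same shared secret. The host name, shared secret and test account are assumed values; 1812 is the NPS default verified above. The network policy wizard's default authentication methods are MS-CHAP v2 and MS-CHAP, so this PAP request is answered with Access-Reject unless PAP is enabled in the policy; even the Reject proves the client registration and secret are right.

```powershell
# Added example, not part of the original post or of pfSense/NPS.
# Sends one PAP Access-Request with Message-Authenticator to NPS and
# interprets the reply. Host, secret and account below are assumptions.
function Get-Md5([byte[]]$Bytes) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($Bytes) } finally { $md5.Dispose() }
}

# RADIUS attribute: Type, Length (including these two bytes), Value.
function New-Attribute([byte]$Type, [byte[]]$Value) {
    if ($Value.Length -gt 253) { throw "attribute $Type too long" }
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

# RFC 2865 5.2: pad the password to 16-byte blocks and XOR each block with
# MD5(secret + previous block), the first block using the Request Authenticator.
function Protect-UserPassword([string]$Password, [byte[]]$Secret, [byte[]]$Authenticator) {
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $blocks = [math]::Max(1, [math]::Ceiling($plain.Length / 16))
    $padded = New-Object byte[] ([int]$blocks * 16)
    [Array]::Copy($plain, $padded, $plain.Length)
    $hidden = New-Object byte[] $padded.Length
    $prev   = $Authenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        [byte[]]$key = Get-Md5 ([byte[]]($Secret + $prev))
        $block = New-Object byte[] 16
        for ($j = 0; $j -lt 16; $j++) { $block[$j] = $padded[$i + $j] -bxor $key[$j] }
        [Array]::Copy($block, 0, $hidden, $i, 16)
        $prev = $block
    }
    return $hidden
}

function New-AccessRequest([string]$User, [string]$Password, [byte[]]$Secret, [byte]$Id) {
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
    $attrs  = @()
    $attrs += New-Attribute 1  ([System.Text.Encoding]::UTF8.GetBytes($User))          # User-Name
    $attrs += New-Attribute 2  (Protect-UserPassword $Password $Secret $auth)          # User-Password
    $attrs += New-Attribute 32 ([System.Text.Encoding]::UTF8.GetBytes('radius-test'))  # NAS-Identifier
    $attrs += New-Attribute 80 (New-Object byte[] 16)                                  # Message-Authenticator, filled below
    $length = 20 + $attrs.Count
    [byte[]]$packet = @([byte]1, $Id, [byte]($length -shr 8), [byte]($length -band 0xFF)) + $auth + $attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the packet with the attribute zeroed.
    $hmac = New-Object System.Security.Cryptography.HMACMD5 -ArgumentList (,$Secret)
    [Array]::Copy($hmac.ComputeHash($packet), 0, $packet, $packet.Length - 16, 16)
    return @{ Packet = $packet; Authenticator = $auth }
}

# RFC 2865 3: Response Authenticator = MD5(Code ID Length RequestAuth Attributes Secret).
function Test-ResponseAuthenticator([byte[]]$Reply, [byte[]]$RequestAuth, [byte[]]$Secret) {
    $material = $Reply[0..3] + $RequestAuth
    if ($Reply.Length -gt 20) { $material += $Reply[20..($Reply.Length - 1)] }
    $material += $Secret
    [byte[]]$expected = Get-Md5 ([byte[]]$material)
    return ([System.BitConverter]::ToString($expected) -eq [System.BitConverter]::ToString([byte[]]$Reply[4..19]))
}

function Invoke-RadiusTest([string]$Server, [int]$Port, [string]$SharedSecret, [string]$User, [string]$Password) {
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $req    = New-AccessRequest $User $Password $secret 1
    $udp    = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 5000
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($req.Packet, $req.Packet.Length)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
    } catch {
        return "No reply ($($_.Exception.Message)). NPS silently discards requests from IPs missing from its RADIUS Clients list and requests whose Message-Authenticator fails (wrong shared secret); a firewall dropping UDP $Port looks the same."
    } finally { $udp.Close() }
    $names = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $name  = $names[[int]$reply[0]]; if (-not $name) { $name = "code $($reply[0])" }
    if (-not (Test-ResponseAuthenticator $reply $req.Authenticator $secret)) {
        return "$name received, but its Response Authenticator does not verify: NPS used a different shared secret."
    }
    return "$name from $($from.Address): client registration and shared secret are correct."
}

# Assumed values; replace with your NPS host, the secret from the RADIUS Clients dialog and a test account.
Invoke-RadiusTest -Server 'nps.example.local' -Port 1812 -SharedSecret 'CHANGE-ME' -User 'testuser' -Password 'testpassword'
```

Run it from a machine whose IP you registered as a RADIUS client; a timeout from any other address is expected, since NPS drops requests from unknown clients rather than rejecting them. The NPS event log (Network Policy and Access Services) shows the matching reason code for every answered request.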

Happy VPN'ing!

Comments

 

Wayne said:

Sweet!  I'm glad I saw this post.  I always wanted to do this, but never got around to doing the research.  Now in about 10 minutes I've got pfSense PPTP users authenticating against the domain.  Thanks for the great post!

June 5, 2008 10:23 PM
 


Yury said:

Is there any way to limit ports opened for authentication (such as in RADIUS) to authenticate in domain but not use reversible password encryption which is obviously a hole.

February 2, 2009 2:23 AM
 

Matt Williamson said:

I don't know the answer to that, but how big of a hole is reversible password encryption?

February 2, 2009 8:41 AM
 

Auto said:

In my opinion it is a huge hole. Enabling "reversible password encryption" means you are not encrypting the password with a one-way hash, so it is essentially the same as clear text.

February 9, 2009 11:31 AM
 

Bryan said:

This was the best how-to on Win 2K8 RADIUS. Better than the how-tos on Microsoft's sites.

Good job.

March 4, 2009 6:57 AM
 

ErikN said:

Hi,

I have set up a RADIUS server in combination with a SonicWALL firewall; the latter provides VPN client software and is unfortunately managed by another company.

I almost got it working. The clients authenticate OK, but then they do not receive an IP address from the internal DHCP server. I do NOT want to use the DHCP provided by the SonicWALL.

I think I am missing something in my configuration, but I do not know what. IP settings are set to "Allow clients to request an IP", but they do not seem to be able to reach the internal DHCP server. Do I have to configure some kind of DHCP relay on the server?

The DHCP service is installed on a different server than the one where the NPS service is installed. Any hints/help is very much appreciated.

March 6, 2009 5:06 PM
 

Matt Williamson said:

Hi Erik.  I would think some RADIUS clients would allow you to specify a DHCP server, but I checked mine and it does not.  It only allows me to specify a range of IPs that will be handed out automatically.  You should probably contact your vendor; if they forward all your regular DHCP requests to a server of your choice, I would think they could send these along as well.

March 6, 2009 6:07 PM
 

james said:

Does anyone know? Root domain with 2 subdomains, and I need to auth users from each domain. The current firewall has AD integration, but the implementation of SMB doesn't support subdomains, so I can't use that method. Is there a way to do this using RADIUS, or do the users have to exist in the domain where RADIUS is installed?

June 26, 2009 7:18 AM
