RADIUS Authentication with Windows Server

Windows 2008 and later can be configured as a RADIUS server using Microsoft’s Network Policy Server (NPS). This allows authentication for OpenVPN, Captive Portal, the PPPoE server, or even the pfSense GUI itself using Windows Server local user accounts or Active Directory.

Choosing a server for NPS

NPS requires a minimal amount of resources and is suitable for addition to an existing Windows Server in most environments. Microsoft recommends installing it on an Active Directory domain controller to improve performance in environments where NPS is authenticating against Active Directory. It can also be installed on a member server, which may be desirable in some environments to reduce the attack footprint of domain controllers. Each network- accessible service provides another potential avenue for compromising a server. NPS does have a solid security record, especially compared to other services that must be running on domain controllers for Active Directory to function, so this isn’t much of a concern in most network environments. Most environments install NPS on one of their domain controllers. Microsoft recommends running it on each domain controller in the forest and using NPS proxies to share the load for a busy environment.

Installing NPS

On Windows Server 2008:

  • Navigate to Server Manager
  • Click Roles on the left and expand it
  • Click Add Roles on the right
  • Click Next to skip the intro screen

On Server 2012:

  • Open the System Manager Dashboard
  • Click Add Roles and Features
  • Click past Role-based or feature-based installation
  • Click Next once more
  • Select the server from the list
  • Click Next again

On either server version, the remaining steps are similar:

  • Check Network Policy and Access Services on the list of roles
  • Click Add Features if it appears
  • Click Next on each screen until the end of the wizard
  • Click Finish or Install, depending on the windows server version

Configuring NPS

To configure NPS, bring up the Server Manager and either Network Policy and Access Services (2008) or NAP (2012) should be present.

A RADIUS client will be added for pfSense first, then remote access policies will be configured.

Adding a RADIUS Client

Open the NPS configuration:

On Server 2008:

  • Open the Server Manager tree
  • Expand the view under it until RADIUS Clients and Server is visible
  • Click RADIUS Clients

On Server 2012:

  • Open the Server Manager dashboard
  • Click NAP
  • Right click on the server in the server list
  • Click Network Policy Server
  • Expand RADIUS Clients and Server
  • Click RADIUS Clients
../_images/nps-new-radius-client.png

Add New RADIUS Client

Add the new RADIUS client:

  • Right click on RADIUS Clients

  • Click New, as shown in Figure Add New RADIUS Client

  • Enter a Friendly name for the firewall, as shown in Figure Add New RADIUS Client Address. This can be the hostname or FQDN.

  • Enter the Address (IP or DNS) for the firewall, which must be the IP address from which pfSense will initiate RADIUS requests, or a FQDN that will resolve to that IP address.

    Note

    This is the IP address of the firewall interface closest to the RADIUS server. If the RADIUS server is reachable via the firewall LAN interface, this will be the LAN IP address. In deployments where pfSense is not the perimeter firewall, and the WAN interface resides on the internal network where the RADIUS server resides, the WAN IP address is what must be entered.

../_images/nps-new-radius-client-name-address.png

Add New RADIUS Client Address

  • Enter a Shared secret, as shown in Figure Add New RADIUS Client Shared Secret. This shared secret is used by pfSense to authenticate itself when making RADIUS access requests. Windows can automatically create one by clicking Generate.
  • Click OK.
../_images/nps-new-radius-client-shared-secret.png

Add New RADIUS Client Shared Secret

The NPS configuration is now complete. The RADIUS Client is visible as in Figure Listing of the RADIUS Client.

../_images/nps-radius-client-listing.png

Listing of the RADIUS Client

Refer to earlier sections in this book describing the service to be used with RADIUS for more guidance on how to utilize the service. RADIUS can be used in the User Manager (User Management and Authentication) which also enables RADIUS for IPsec and OpenVPN, for Captive Portal (Portal Configuration Using RADIUS Authentication), and the PPPoE server (PPPoE Server), among other places.

Configuring Users and Network Policies

Whether a user can authenticate via RADIUS is controlled through Network Policies. Using Network Policies, an administrator can place a user in a specific Active Directory group to allow VPN access, and also offer more advanced capabilities such as time of day restrictions.

More information on remote access policies can be found in Microsoft’s documentation at http://technet.microsoft.com/en-us/library/cc785236%28WS.10%29.aspx.

Adding a Network Policy

  • Open the NPS configuration window

  • Expand NPS (Local), Policies, then Network Policies

  • Right click on Network Policies

  • Click New

  • Enter Allow from pfSense in the Policy name

  • Leave the Type of network access server set to Unspecified

  • Click Next

  • Click Add in the Specify Conditions window

  • Select Windows Groups

  • Click Add

  • Enter or select the name of the user group which contains VPN users, e.g. VPNUsers

  • Click OK

  • Click Next

  • Choose Access granted

  • Click Next

  • Select additional Authentication Methods as needed for features on pfSense:

    • Leave existing authentication methods selected
    • Select Microsoft: Secured Password (EAP-MSCHAP v2) if this policy will be used for IPsec IKEv2 EAP-RADIUS authentication
    • Select Encrypted Authentication (CHAP)
    • Select Unencrypted Authentication (PAP, SPAP)

    leaving any other methods selected that were already enabled.

  • Click Next

  • Click Decline if a prompt to view a help topic is presented by the wizard

  • Configure any additional access restraints, if necessary

  • Click Next on the remaining screens until the final screen is reached

  • Click Finish

Editing an Existing Network Policy

Existing policies can be altered to change their constraints or other properties. For example, to edit an older policy to enable it for use by IPsec for IKEv2 EAP-RADIUS:

  • Open the NPS configuration window
  • Expand NPS (Local), Policies, then Network Policies
  • Edit the policy currently in use
  • Click the Constraints tab
  • Click Authentication Methods
  • Click Add
  • Select Microsoft: Secured Password (EAP-MSCHAP v2)
  • Click OK
  • Click Apply to restart NPS
  • Click OK

Troubleshooting NPS

If authentication fails, this section describes the most common problems users encounter with NPS.

Verify port

First ensure the default port 1812 is being used by NPS. If the NPS server was previously installed, it may have been configured with non- standard ports.

  • Open the NPS configuration window
  • Right click on NPS (Local) at the top left of the console
  • Click Properties
  • Click the Ports tab
  • Verify the Authentication port configuration. Specify multiple ports by separating them with a comma. (as shown in Figure NPS Ports). Port 1812 must be one of the ports configured for Authentication.
  • Verify the Accounting ports if necessary. If RADIUS accounting is required, port 1813 must be one of the ports specified in this box.
../_images/nps-ports.png

NPS Ports

Check Event Viewer

When a RADIUS authentication attempt is answered by the server, NPS logs to the System log in Event Viewer with the result of the authentication request. If access is denied, the reason it was denied is logged.

In the Description field of the event properties, the Reason line tells why authentication failed. The common two failures are: bad username and password, when a user enters incorrect credentials; and “remote access permission for the user account was denied” when the user account is set to Deny access or the network policies configured in NPS do not allow access for that user. If NPS is logging that authentication was successful, but the client is receiving a bad username or password message, the RADIUS secret configured in NPS and pfSense does not match.

The NPS logs in Event Viewer may be easily found under Custom Views, then Server Roles, and finally Network Policy and Access Services.