How to Configure a RADIUS Server (NPS) on Windows Server – TrucosInformaticos


RADIUS (Remote Authentication Dial-In User Service) is a network protocol that provides centralized authentication, authorization and accounting (AAA) management and is designed to exchange information between a central platform and client devices. A RADIUS server can communicate with a central server (for example, an Active Directory domain controller) to authenticate remote dial-in clients and authorize them to access specific network services or resources.

The Network Policy Server (NPS) role implements the RADIUS server function in a Windows environment and lets you authenticate remote clients against Active Directory. In this article, we will show how to configure a RADIUS server on Windows Server 2022/2019/2016 and how to configure RADIUS authentication on Cisco and MikroTik network devices (RADIUS clients) against AD user accounts.

Installing the Network Policy Server (RADIUS) Role on Windows Server

A Windows Server with the NPS (RADIUS) role forwards user authentication requests to an Active Directory domain controller, which performs the user authentication. Therefore, an on-premises Active Directory is a mandatory prerequisite before starting an NPS deployment.

Now you can install the RADIUS server role on your Windows Server 2022/2019/2016. Open the Server Manager console, run the Add Roles and Features wizard, and select the Network Policy and Access Services role.

Note. You can also install the NPS role and its management tools from an elevated PowerShell console:

Install-WindowsFeature NPAS -IncludeManagementTools

Check whether the NPAS role is installed on your Windows Server host:

Get-WindowsFeature -Name NPAS

Once the role installation is complete, open the Network Policy Server console (nps.msc) from the Tools menu.


Right-click the root node of the NPS console and click Register server in Active Directory.


Confirm the registration of the new NPS server in Active Directory.


You can also register your NPS server in Active Directory with a command:

netsh ras add registeredserver

The AD machine account of the NPS server is granted permission to read the properties of Active Directory user accounts in order to authenticate users. The NPS host computer account is added to the built-in domain group RAS and IAS Servers.


Next, create a new security group in the Active Directory domain (for example, RemoteCiscoUsers) and add to it all users who will be allowed to authenticate on Cisco routers and switches.


The next step is to add a RADIUS client. A RADIUS client is the device from which your server can receive authentication requests. It can be a Cisco router, switch, Wi-Fi access point, etc.

Expand RADIUS Clients and Servers > RADIUS Clients and select New.


On the Settings tab, fill in the Friendly name, Client address (you can specify an IP address or a DNS name), and Shared secret + Confirm shared secret fields (you will use this secret in the Cisco switch/router configuration).

Note. A shared secret password is rarely used in large corporate networks because of the problems of distributing shared secrets. It is recommended to use certificates instead of shared passwords. If you have a corporate Certificate Authority (CA) deployed as part of a PKI infrastructure, you can request a *.p12 certificate for the RADIUS/NPS server. Simply import the certificate into the Personal certificate store of the local machine.


On the Advanced tab, select Vendor name – Cisco.


You can use PowerShell instead of the NPS GUI to add a new RADIUS client. In this case, use the New-NpsRadiusClient PowerShell cmdlet:

New-NpsRadiusClient -Address "192.168.31.1" -Name "cisco2960" -SharedSecret "Zb+kp^JUy]v\ePb-hQ*d=weya2AY?hn+npRRp[/J7d"

Note. On Windows Server Datacenter edition you can add RADIUS clients to NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) rather than adding them individually. You can specify the IP range using the format 10.1.0.0/22.

By default, NPS uses the following UDP ports to send and receive RADIUS traffic: 1812, 1813, 1645, and 1646. When you install the NPS role on Windows Server, rules for these ports are automatically created and enabled in Windows Defender Firewall. You can list these Windows Firewall rules using PowerShell:

Get-NetFirewallRule -DisplayGroup "Network Policy Server"

If your RADIUS client is located in a DMZ network or an external security perimeter, you must create the appropriate firewall rules on your network firewall.
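As an added example (not code from the original article), the following PowerShell script bulk-adds RADIUS clients from a constructed inventory, generating a cryptographically random shared secret for each one, and then checks that the NPS firewall rules created by the role installer are still enabled. It assumes the NPS role is installed, an elevated session, and that the Vendor values match entries of the NPS vendor list; the client names and addresses are constructed.

```powershell
# Added example, not from the original article. Requires the NPS role and an elevated session.

function New-RadiusSharedSecret {
    # Cryptographically random secret from a CLI-safe alphabet (no quotes or spaces),
    # built with rejection sampling so no character is favoured by modulo bias.
    param([int]$Length = 40)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+=?@^_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= $limit are discarded
    $one   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Constructed sample inventory; in practice load it with Import-Csv.
# Names starting with Cisco_ match the Client Friendly Name mask (Cisco_*) used in the network policy.
$clients = @(
    [pscustomobject]@{ Name = 'Cisco_sw01';   Address = '192.168.31.1';   Vendor = 'Cisco' }
    [pscustomobject]@{ Name = 'Cisco_sw02';   Address = '192.168.31.2';   Vendor = 'Cisco' }
    [pscustomobject]@{ Name = 'MikroTik_vpn'; Address = '192.168.31.254'; Vendor = 'RADIUS Standard' }
)

$existing = Get-NpsRadiusClient | Select-Object -ExpandProperty Name
foreach ($c in $clients) {
    if ($existing -contains $c.Name) { Write-Warning "$($c.Name) already exists, skipping"; continue }
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret -VendorName $c.Vendor | Out-Null
    # The secret is shown once so it can be entered on the device; NPS stores it, this script does not.
    "{0,-14} {1,-16} shared secret: {2}" -f $c.Name, $c.Address, $secret
}

# The role installer creates rules for UDP 1812/1813/1645/1646; flag any that have been disabled.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { Write-Warning "NPS firewall rule disabled: $($_.DisplayName)" }
```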

Configure NPS Policies on the RADIUS Server

NPS policies allow you to authenticate remote users and grant them access permissions configured in the NPS role. NPS access policies allow you to associate the RADIUS client to the domain security group that determines the user privileges on CISCO devices.

There are two types of policy on a RADIUS server:

  • Connection request policies — determine which RADIUS servers should authenticate and authorize connection requests received from RADIUS clients;
  • Network policies — allow you to specify who is authorized to connect to your network and a list of assigned privileges.

In our case, we will use only the NPS Network policies. Expand the Policies > Network Policies branch and select New:


Specify the Policy name; the type of network access server should remain unchanged (Unspecified).


In the Specify conditions step, you need to add the conditions under which this RADIUS policy will be applied. Let’s add two conditions — the authorized user must be a member of a specific domain security group, and the device you want to access has a specific name. Use the Add option to create a new condition by selecting the Windows Group type (add the RemoteCiscoUsers group) and specifying the Client Friendly Name (Cisco_*).

Note. The Client Friendly Name field may differ from the DNS name of your device. We will need it in the further steps to identify a specific network device when creating a Remote Access Policy. For example, you can use this name to specify a mask through which several different RADIUS clients are processed by a single access policy.


On the next screen, select Access Granted.


My Cisco switch only supports Unencrypted authentication methods (PAP, SPAP), so I’ve disabled all other options.


Skip the next configuration Constraints step.

In the Configure Settings section, go to the RADIUS Attributes > Standard section. Delete the existing attributes there and click the Add button.

Select Access type > All, then Service-Type > Add. Specify Others = Login.


Now add a new attribute in the RADIUS Attributes > Vendor Specific section. Under Vendor, select Cisco, and click Add. Here you need to add information about the attribute. Click Add and specify the following value:

shell: priv-lvl = 15

This value means that the user authorized by this policy will be granted a maximum (15) administrative access privileges on the Cisco device.


The last screen displays all selected NPS policy settings. Click Finish.


If you have created several network policies in the NPS console, please note that they are processed from top to bottom, so the order of the policies is important. Further processing will stop if all conditions in the next policy are met. You can change the priority of policies in the NPS console using the Processing Order value.


By default, all AD accounts can be used to authenticate using RADIUS. You can check this using the Active Directory Users and Computers snap-in (dsa.msc). Open any user's properties, go to the Dial-in tab, and check that the Control access through NPS Network Policy option is enabled in the Network Access Permission section.


Or you can reset the msNPAllowDialin attribute for all users in a specific Active Directory OU using an LDAP filter:

Get-ADUser -SearchBase "ou=Users,ou=Paris,dc=theitbros,dc=com" -LDAPFilter "(msNPAllowDialin=*)" | % {Set-ADUser $_ -Clear msNPAllowDialin}

Configuring RADIUS Authentication on Cisco Devices

Once you have created the NPS policy, you can proceed to configure your Cisco routers or switches for authentication on the newly installed RADIUS server.

As it is insecure to send unencrypted user credentials over the network, you should disable the Telnet protocol on your Cisco devices. To disable Telnet and enable SSH, use the following commands in Configuration Mode on the Cisco device:

configure terminal

crypto key generate rsa modulus 1024

ip ssh version 2

You should create a local user on your Cisco device to avoid losing access to it if the RADIUS server or AD is unavailable. Create a local user with the following command:

username cisco_local password $UPerrP@ssw0rd

To make the use of SSH mandatory and disable remote access using Telnet, execute the following commands:

line vty 5 15

transport input ssh

Below is an example of the configuration for authorizing a Radius server for the Cisco Catalyst Switch:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius if-authenticated

radius-server host 192.168.1.16 key Sfs34e#sf

#Specify your RADIUS server IP address and key for encryption (the shared secret that we specified on the RADIUS server)

service password-encryption

# Enable password encryption

If you have several Radius servers, add them to the group:

aaa group server radius radius_srv_group

server 192.168.1.16

server 192.168.101.16

This completes the minimum switch configuration and you can try to check Radius authentication on your Cisco device.

How to Enable MikroTik (RouterOS) User Authentication via RADIUS

In this part, we will show you how to configure RADIUS authentication for VPN user connections on a MikroTik router (RouterOS based).

Open the Network Policy Server console (nps.msc) and create a new Radius client.

Select New RADIUS Client and configure the following settings:

  • Enable this RADIUS Client;
  • Friendly Name — enter the name of your MikroTik router;
  • Address — specify the IP address of the MikroTik router;
  • Specify your Pre-shared secret key.


Create a new Network Policy with the following settings:

  • User Groups — specify the name of the domain user group that is allowed to authenticate on your MikroTik router;
  • Authentication Type — MS-CHAPv2;
  • Tunnel Type — Point-to-Point Tunneling Protocol (PPTP);
  • Access Permissions — Access granted;
  • In the Configure Authentication Methods window, leave only MS-CHAPv2 and allow users to change expired passwords (User can change password after it has expired option);
  • Multilink and Bandwidth Allocation Protocol (BAP) – Do not allow Multilink connections;
  • In the Standard section, remove Service-Type – Framed and leave only Framed-Protocol PPP;
  • Encryption — leave only the strongest encryption method (MPPE 128-bit).


Once you have created a new policy, open the Network Policy Server settings.

Leave only the following UDP ports for the RADIUS server communications:

  • Authentication — 1812;
  • Accounting — 1813.


Check if these UDP ports are open in Microsoft Defender Firewall Rules. If not, open them manually.

Now you need to configure the connection settings for Windows Server RADIUS in the MikroTik configuration (we assume that PPP VPN Server is already configured on RouterOS).

Check in the PPTP server settings that only mschap2 is allowed to use for authentication.


Now we need to configure the connection to Radius NPS server. Select New Radius Server and specify the following options:

  • Service: ppp;
  • Address: IP address of the RADIUS server;
  • Secret: pre-shared key that you specified in the network policy settings;
  • Src/ Address: MikroTik IP address from which traffic will be sent to NPS;
  • Authentication Port: 1812;
  • Accounting Port: 1813.


Add appropriate access rules to MikroTik Firewall.

Then go to Secrets > PPP Authentication and Accounting and enable the Use Radius option.


It remains to configure a PPTP VPN connection to your MikroTik VPN on users' computers. Users can use their Active Directory account credentials to authenticate against MikroTik (the accounts must be added to the AD group that you specified when creating the MikroTik Network Policy on NPS).

How to View the NPS/RADIUS Event Logs on Windows?

To enable NPS Server Radius Authentication logging, you need to enable the Network Policy Server audit policy via the local Group Policy Editor (gpedit.msc). Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Network Policy Server and check the option to audit both success and failure logon attempts.


Or you can enable this NPS audit policy with the following commands:

auditpol /get /subcategory:"Network Policy Server"

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable


Now you can open the Event Viewer console (eventvwr.msc), go to Windows Logs > Security, and filter the events by Event ID 6272:

Network Policy Server granted access to a user.


If the user has entered an incorrect password or is not authorized to log on through the RADIUS Client, Event ID 6272 is displayed:

Network Policy Server denied access to a user.

If the user has entered an incorrect user name and password, an event will be displayed in the Event Viewer:

Authentication failed due to a user credentials mismatch

If the user is not a member of the correct security group, or if Network Access Permission= Deny is set in the AD user properties on the Dial-in tab, the following event will occur:

The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the use

If a user enters an incorrect password multiple times, their account will be locked out in accordance with your Account Lockout Policy in AD.

Event ID: 6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

If you need to find all NPS authorization events for a specific user (Richard.Doe in this example), use the following PowerShell script:

$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name="SubjectUserName"] and (Data='theitbros\richard.doe')]] and *[System[(EventID='6272')]]
    </Select>
  </Query>
</QueryList>
"@
$events = Get-WinEvent -FilterXML $Query
# Calculated property: the client address stored in the event's positional property 9
$ipaddr = @{ label="IP"; Expression={$_.properties[9].value} }
$events | select $ipaddr | group "IP" | Format-Table Count, Name -AutoSize
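As an added example (not code from the original article), the following script summarises NPS authentication events from the Security log by user and RADIUS client, reading the named EventData fields instead of positional property indexes and handling the case where no events match (Get-WinEvent reports an error rather than returning an empty list). It assumes the Audit Network Policy Server subcategory is enabled and that the field names SubjectUserName, ClientIPAddress and ClientName are present in the event XML; verify them against your own events.

```powershell
# Added example, not from the original article. Run on the NPS server in an elevated session.

function Get-NpsAuthSummary {
    param(
        [int[]]$EventId = @(6272, 6279),   # 6272 = access granted, 6279 = account locked out
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent writes an error when nothing matches; treat that as an empty result instead.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning "No NPS events with IDs $($EventId -join ',') in the last $Hours h"
        return
    }

    $rows = foreach ($e in $events) {
        # Map each <Data Name="..."> element of the event XML to a name/value pair (assumed field names).
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            User     = $data['SubjectUserName']
            ClientIP = $data['ClientIPAddress']
            Client   = $data['ClientName']
        }
    }
    # Highest counts first: many 6279 rows for one user point at repeated failures through that client.
    $rows | Group-Object EventId, User, Client | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'EventId, User, Client'; e = { $_.Name } }
}

Get-NpsAuthSummary | Format-Table -AutoSize
```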
