RADIUS is the industry standard for authenticating users to a network. In this video, learn how to install Network Policy Server, the Windows Server role for RADIUS, and prepare it to authenticate users connecting to your VPN or to local network connections like Wi-Fi.
- [Instructor] In the last chapter, we set up two different kinds of VPNs, both using a local list of users to authenticate remote connections. In this chapter, we're going to work on a method of authentication that doesn't require us to keep a list of our users and their passwords on the server that sits on the border of our network with one NIC facing the outside world. Remote access dial-in user service, or RADIUS, is an industry standard for doing this. RADIUS is used to authenticate users so the gateway doesn't have to.
This could be what we need because we don't want the gateway to keep this information as in the example of a VPN gateway. But, RADIUS is also used to authenticate user connections to a secure Wi-Fi access point. Most access points don't have incredible security built in, or at least not the ability to manage a list of users with varying permissions. But, whichever scenario you're looking at, a RADIUS server can bridge the gap between a gateway to the network and the list of users.
In our case, the gateway is our VPN server and the user list will be our domain's Active Directory database. Installing RADIUS on a Windows server is easy enough; it's a role that can be added to any server. Because our list of users is in Active Directory, I'm going to install it on the domain controller. You could just as easily install it on any member server, but I'm trying to control the number of virtual servers in this demonstration. So, here I have the domain controller in the landonhotels.com domain, and I'm going to go to Server Manager and, under the Manage menu, I'm going to add a role to this server.
Many of you have probably checked the box to skip this page by default and so you aren't seeing this screen anymore. So, I'm going to go ahead and join you in that. It is a role-based installation; it's not for remote desktop environments. I am trying to install the role on this specific machine, and the role that I'm going to add is Network Policy and Access Services. After I accept the administrative tools and any other prerequisites, you'll be able to see from the description to the right that this role safeguards your network.
It does this by defining who can access and how, which is the function of RADIUS. There are no additional features to install. Some roles give you helpful information or ask you to make some choices before the installation begins, but Network Policy Server is not one of those roles. I guess it does tell us where to configure it later, and that's important, but there's really nothing else to do at this point, so I'm going to click Next and Install so NPS, or network policy services, can install. As with other roles and features, this installation could take a few minutes.
Mine took a little less than a minute, which is not too bad, and it's now complete. So, I'm going to close this, and we'll see that the installation added a new tool to the Tools menu. What we're looking for is Network Policy Server. The configuration of NPS is going to be different depending on what you want to accomplish. So, most of this configuration is going to happen across the next few videos, but there is one thing that we need to do right away. I mentioned before that we want this server to be a go-between from the VPN gateway and LDAP, in our case, Active Directory.
I'm going to right-click on the very top of this tree and select Register in Active Directory so Windows can create the necessary link between this Network Policy Server and the Active Directory database. This is giving us a heads-up that we are about to authorize this computer to read Active Directory information, specifically the dial-in properties of users in this domain, and that's kind of why we're installing this, so I am going to say OK. And there's our confirmation that we are now authorized to read users' properties from the Active Directory domain.
Nice that they gave us another notification, I guess, or maybe it's just one more thing to click on. If you are installing this on a member server or if you are logged in as someone less than a domain admin, you would've needed to provide new credentials at that point. Since I'm on the domain controller and logged in as the administrator, it was able to complete without prompting me for those credentials. Over the remainder of this chapter, we're going to make the rest of the connections needed to allow this NPS server to function as a RADIUS server on our network.
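
The following PowerShell is an added example, not part of the video: it scripts the same two steps (installing the role, then registering the server in Active Directory) and adds a check of who ends up authorized to read dial-in properties. It assumes an elevated session on the server that will host NPS and that the ActiveDirectory PowerShell module is available, as it is on a domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps shown in the video.

# 1. Install the Network Policy and Access Services role plus the NPS console.
$result = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if (-not $result.Success) {
    throw 'NPAS role installation failed.'
}

# 2. Register this NPS server in its default domain. This is the command-line
#    form of "Register server in Active Directory" in the NPS console.
netsh nps add registeredserver

# 3. Registration works by adding the server's computer account to the
#    "RAS and IAS Servers" group, which is what grants read access to users'
#    dial-in properties. Confirm this server is now a member.
Import-Module ActiveDirectory
$groupName = 'RAS and IAS Servers'
$thisHost  = "$env:COMPUTERNAME`$"      # computer accounts end with '$'

$members = Get-ADGroupMember -Identity $groupName
if ($members.SamAccountName -notcontains $thisHost) {
    throw "$thisHost is not a member of '$groupName'; registration did not complete."
}

# 4. List every member of the group. Anything here that is not a known
#    NPS or RRAS server has the same read access and should be reviewed.
$members |
    Sort-Object objectClass, SamAccountName |
    Format-Table SamAccountName, objectClass, distinguishedName -AutoSize
```

On a member server, run this as an account with rights to modify the group, and install the `RSAT-AD-PowerShell` feature first so the membership check can run.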
- NAT implementation
- Site-to-site and remote access VPNs
- VPN protocols
- Remote Access Gateways
- NPS configuration
- RRAS configuration
- RADIUS proxies and clients
- RADIUS authentication
- RADIUS accounting
- NPS templates
- NPS policies
- Connection request and connection-specific policies
- DirectAccess server requirements and certificates
- DirectAccess installation and configuration