
Remote Access Authentication

Your users want VPN access so they can reach internal resources while on the road. The VPN tunnel stops at the appliance. You are loath to create an access control list just for that box, not to mention that internal audit is going to give you hell for static passwords. The solution is RADIUS.

RADIUS, or Remote Authentication Dial In User Service, was used to connect banks of modems to a central authentication server. Nowadays it is used to connect VPN gateways and firewalls to a central authentication service like Active Directory.

RADIUS servers that connect to an authentication service are available in Microsoft Windows. In NT, 2000 and 2003 it is called the Internet Authentication Service. In Windows 2008, it is part of the Network Policy Server.

This post is meant as a guide to creating a RADIUS solution using Windows 2008.

1. Configure your VPN box to use RADIUS for authentication. This varies from vendor to vendor. Please see vendor documentation.
2. On the Windows 2008 server, add the role of Network Policy and Access Service. Check Network Policy Server.
3. Under Administrative Tools, launch the Network Policy Server MMC.
4. Create a RADIUS client on the server. This is for the communication with the VPN box or firewall.
5. Create a new Connection Policy. Add a time condition for the access.
6. Create a new Network Policy. Leave type as unknown. Add a condition pointing to the desired Windows group, e.g. VPN users.
7. Add your users to the Windows group.
8. Test and check for errors in the log files. Use this to guide you.

If you did not create a Connection Policy, the authentication will pass (4142 0) and then it will be rejected (4142 49), "Did not match connection request policy".
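
As an added example (not part of the original post), the Python sketch below scans NPS log text for the 4142 values mentioned above and lists the users whose requests were rejected. It assumes the server writes its logs in the IAS format, with six header fields followed by attribute ID/value pairs; the sample records and function names are constructed for illustration.

```python
import csv
from io import StringIO

HEADER_FIELDS = 6          # assumption: NAS IP, user, date, time, service, computer
REASON_CODE_ATTR = "4142"  # attribute ID quoted in the post
# Only the two values the post mentions; other codes are reported as unmapped.
REASONS = {"0": "pass", "49": "Did not match connection request policy"}

# Constructed sample records; addresses, names and times are made up.
SAMPLE_LOG = """\
192.0.2.10,alice,12/01/2008,22:41:07,IAS,NPS01,4,192.0.2.10,4142,0
192.0.2.10,alice,12/01/2008,22:41:07,IAS,NPS01,4,192.0.2.10,4142,49
192.0.2.10,bob,12/01/2008,22:45:30,IAS,NPS01,4,192.0.2.10,4142,0
192.0.2.10,bob,12/01/2008,22:45:31,IAS,NPS01,4,192.0.2.10,4142,0
"""

def parse_record(fields):
    """Split one row into (header, {attribute_id: value}); None if malformed."""
    header, rest = fields[:HEADER_FIELDS], fields[HEADER_FIELDS:]
    if len(header) < HEADER_FIELDS or len(rest) % 2:
        return None  # e.g. a blank or partially written last line
    # If an attribute repeats within a record, the last value wins.
    return header, dict(zip(rest[0::2], rest[1::2]))

def reason_codes(log_text):
    """Return (user, date, time, code, meaning) for every record carrying 4142."""
    results = []
    for row in csv.reader(StringIO(log_text)):
        parsed = parse_record(row)
        if parsed is None:
            continue
        header, attrs = parsed
        code = attrs.get(REASON_CODE_ATTR)
        if code is not None:
            results.append((header[1], header[2], header[3], code,
                            REASONS.get(code, "unmapped")))
    return results

def rejected_users(log_text):
    """Users with at least one non-zero reason code, in first-seen order."""
    seen = []
    for user, _, _, code, _ in reason_codes(log_text):
        if code != "0" and user not in seen:
            seen.append(user)
    return seen

if __name__ == "__main__":
    for entry in reason_codes(SAMPLE_LOG):
        print(*entry)
```

A user who shows a 0 immediately followed by a 49, like the constructed `alice` records, matches the missing Connection Policy symptom described above.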


This page contains a single entry from the blog posted on December 1, 2008 11:10 PM.