Your users want VPN access so they can reach internal resources while on the road. The VPN tunnel terminates at the appliance, and you loathe maintaining an access control list just for that box, not to mention that internal audit is going to give you hell for static passwords. The solution is RADIUS.
RADIUS, or Remote Authentication Dial-In User Service, was originally used to connect banks of modems to a central authentication server. Nowadays it is used to connect VPN gateways and firewalls to a central authentication service such as Active Directory.
RADIUS servers that connect to such an authentication service ship with Microsoft Windows. In NT, 2000 and 2003 the component is called Internet Authentication Service (IAS). In Windows 2008 it is part of the Network Policy Server (NPS).
This post is meant as a guide to building a RADIUS solution on Windows 2008.
1. Enable your VPN box to use RADIUS for authentication. This varies from vendor to vendor; see the vendor documentation.
2. On the Windows 2008 server, add the Network Policy and Access Services role and check Network Policy Server.
3. Under Administrative Tools, launch the Network Policy Server MMC.
4. Create a RADIUS client on the server. This defines the VPN box or firewall that will be sending authentication requests.
5. Create a new Connection Request Policy. Add a time condition for access.
6. Create a new Network Policy. Leave the type as unknown. Add a condition pointing to the desired Windows group, e.g. VPN Users.
7. Add your users to the Windows group.
8. Test, and check the log files for errors. Use the following to guide you.
If you did not create a Connection Request Policy, authentication will pass (4142 0) but the request will then be rejected (4142 49) with “Did not match connection request policy”.
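As an added illustration (not from the original post, and not Microsoft's or any vendor's code) of what the RADIUS client defined in step 4 actually exchanges with the server: the Access-Request the VPN box sends, how the user's password is hidden with the shared secret per RFC 2865, and the check the client must do before trusting an Access-Accept or Access-Reject. The secret, authenticator and credentials used below are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: NUL-pad to 16-byte blocks (at least one), then XOR each block with
    # MD5(secret + previous ciphertext block); block 0 chains to the Request Authenticator.
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side: same keystream, chained on the received ciphertext; then strip padding.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, authenticator=None):
    # Client side (the VPN box): 20-byte header plus TLV attributes. The authenticator must
    # be fresh per request; it is the only thing that varies the password keystream.
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = b""
    for t, v in ((USER_NAME, username.encode()),
                 (USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, identifier, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    # Client side: trust a reply only if rebuilding it with the shared secret reproduces it
    # byte for byte; otherwise a Reject could be flipped to an Accept on the wire.
    if len(packet) < 20:
        return False
    rebuilt = build_response(packet[0], packet[1], request_auth, secret, packet[20:])
    return hmac.compare_digest(rebuilt, packet)
```

The shared secret is the only thing protecting both the password and the verdict, which is why it must be long, random and unique per RADIUS client.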