Configuring Server 2008 for RADIUS Authentication

http://hi.baidu.com/sxsyyq/blog/item/13989cf3c9ed47ce0a46e0a7.html

http://security.ctocio.com.cn/117/9455617.shtml

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

 

 

I like connecting to my network using my pfSense firewall's built-in VPN server.  Following these steps, I can configure Windows Server 2008 to provide the authentication credentials for pfSense via RADIUS.  I figured this out using this great guide that I referenced for Windows Server 2003...

Enable "reversible password encryption" for your domain users.
Globally:

  1. Admin Tools - Group Policy Management
  2. Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
  3. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled.

Per User:

  1. I prefer doing it globally, but you can do it on a per user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.

*Restart the domain controller after these Group Policy changes.

Enable Windows Server 2008 Network Policy Server (NPS)

  1. Add the "Network Policy and Access Services" role to your domain controller.
  2. Enable these role services during installation:
    Network Policy Server
    Routing & Remote Access Services
       Remote Access Service
       Routing

Verify the RADIUS Port Numbers

  1. Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports Tab.
  2. Verify the defaults for Authentication are 1812, 1645.
  3. Verify the defaults for Accounting are 1813, 1646.
  4. The 18 set is for a secure connection, or vice-versa.  You can change things to match your RADIUS client, but the defaults should be fine.

Add a new RADIUS Client

  1. NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click Add new Client.
  2. Add a name, the ip address of your client and create a shared secret.

Add a new Network Policy

  1. NPS (Local) -> Policies -> Right-click Network Policies -> Add new.
  2. Enter a name and leave Type of network access server as Unspecified.  Click Next.
  3. Add a condition.  Choose Windows Groups.  Add a Group ("Domain Users" for example).  Click OK, then Next.
  4. Choose Access Granted.  Click Next.
  5. Leave the default Authentication Methods.  Click Next.
  6. Leave the Default Constraints.  (Although they look like some cool new features you may want to use.)  Click Next.
  7. Leave the Default Settings.  Click Next.
  8. Click Finish.

Granting or Denying Access to Users

  1. Right click a domain user -> Properties -> Dial-in tab.
  2. You can Grant or Deny here, but I just leave the NPS Policy we set up earlier to allow all domain users through.

Configure your RADIUS Client

  1. In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS services machine where we just configured everything.  Input the shared secret and then log in from anywhere!
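
One way to check the finished setup from the RADIUS client's side, as an added example that is not part of the original post: this Python code builds an RFC 2865 Access-Request and validates the reply's Response Authenticator against the shared secret created in the "Add a new RADIUS Client" step. The account name nps-probe, the placeholder password and all function names are assumptions made for illustration; an Access-Reject that passes the check already shows that the port, the client entry and the secret line up.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident=None, req_auth=None):
    """Access-Request (code 1): User-Name, User-Password, Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)
    ident = os.urandom(1)[0] if ident is None else ident
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(80, b"\x00" * 16))  # attribute 80 is zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth

def reply_is_authentic(reply, req_auth, secret):
    """Response Authenticator must equal MD5(code+id+len + req_auth + attrs + secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, secret, port=1812, timeout=3.0):
    """Send one request with a throwaway identity and classify what comes back."""
    pkt, req_auth = build_access_request(b"nps-probe", b"placeholder", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:  # RFC 2865: requests from unknown clients are silently dropped
            return "no reply (client not registered, secret mismatch, or port filtered)"
    if not reply_is_authentic(reply, req_auth, secret) or reply[1] != pkt[1]:
        return "reply fails the authenticator check: shared secrets differ"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], "code %d" % reply[0])
```

Call probe() with the NPS server's address and the shared secret as bytes, from the machine whose IP address was registered as the RADIUS client.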

Happy VPN'ing!
