http://hi.baidu.com/sxsyyq/blog/item/13989cf3c9ed47ce0a46e0a7.html
http://security.ctocio.com.cn/117/9455617.shtml
http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
I like connecting to my network using my pfSense firewall's built-in VPN server. Following these steps, I can configure Windows Server 2008 to provide the authentication credentials for pfSense via RADIUS. I figured this out using this great guide that I referenced for Windows Server 2003...
Enable "reversible password encryption" for your domain users.
Globally:
-
Admin Tools - Group Policy Management
-
Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
-
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy ->Store passwords using reversible encryption = Enabled.
Per User:
-
I prefer doing it globally, but you can do it on a per user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.
*Restart the domain controller after these Group Policy changes.
Enable Windows Server 2008 Network Policy Server (NPS)
-
Add the "Network Policy and Access Services" role to your domain controller.
-
Enable these role services during installation:
Network Policy Server
Routing & Remote Access Services
Remote Access Service
Routing
Verify the RADIUS Port Numbers
-
Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports Tab.
-
Verify the defaults for Authentication are 1812,1645.
-
Verify the defaults for Accounting are 1813, 1646.
-
The 18 set is for a secure connection, or vice-versa. You can change things to match your RADIUS client, but the defaults should be fine.
Add a new RADIUS Client
-
NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click Add new Client.
-
Add a name, the ip address of your client and create a shared secret.
Add a new Network Policy
-
NPS (Local) -> Policies -> Right-click Network Policies -> Add new.
-
Enter a name and leave Type of network access server as Unspecified. Click Next.
-
Add a condition. Choose Windows Groups. Add a Group ("Domain Users" for example). Click OK, then Next.
-
Choose Access Granted. Click Next.
-
Leave the default Authentication Methods. Click Next.
-
Leave the Default Constraints. (Although they look like some cool new features you may want to use.) Click Next.
-
Leave the Default Settings. Click Next.
-
Click Finish.
Granting or Denying Access to Users
-
Right click a domain user -> Properties -> Dial-in tab.
-
You can Grant or Deny here, but I just leave the NPS Policy we setup earlier to allow all domain users through.
Configure your RADIUS Client
-
In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS services machine where we just configured everything. Input the shared secret and then login from anywhere!
Happy VPN'ing!