Thursday, June 5, 2014

Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication


Overview
 
This article describes how you can configure Windows Server 2008 as a RADIUS Server and integrate it with Cyberoam.
 
Scenario
Configure Windows Server 2008 as RADIUS Server with MS-CHAP v2 authentication and integrate Cyberoam as a RADIUS Client.
 
Configuration
You can configure Windows Server 2008 by following the steps given below. Configuration is to be done from Windows Server Manager.
Note:
Prior to configuration, make sure that:
 
-         You have setup Active Directory Services, and Network Policies and Access Services (NPS) Roles.
-         The NPS Roles are integrated with the Active Directory.
 

Step 1: Add Cyberoam as RADIUS Client

·         Login to Windows Server 2008 using Administrator profile.
·         Go to Start à Administrative Tools à Server Manager .
·         On the left panel, expand Roles à Network Policy and Access Services à NPS (Local) à RADIUS Clients and Servers and right click onRADIUS Clients. Click New RADIUS Client to create a new client according to parameters given below.
 
 
 
 
Parameter Description
Parameter
Value
Description
Friendly name
Cyberoam
Name to identify the RADIUS Client
Address (IP or DNS)
172.16.16.1
Address of the RADIUS Client. Here, we have specified Cyberoam LAN IP Address.
Vendor name
RADIUS Standard
Specify the RADIUS Client Vendor name from the list
Shared secret
Manual
Select whether shared secret is to be manually set or auto-generated.
Secret
cyberoam
Specify the secret
 
 
 
 
 
Click OK to create the RADIUS Client.
 
 
 
Step 2: Configure Network Policies
On the left panel, expand Roles à Network Policy and Access Services à NPS (Local)à Policies and right-click Network Policies. Click Newto open the New Network Policy Wizard.
 
 
 
 
·         Mention Policy Name and click Next.
 
 
 
·         Click Add under Specify Conditions to add conditions that determine whether this network policy is evaluated for a connection request. Here, we have added 2 conditions: 
        -         User Group as Marketing
        -         NAS IP address as Cyberoam LAN IP address
 
 
 
 
·         The Select Condition Window opens. Select the first type of condition as User Groups and click Add.
 
 
 
 
·         The User Groups Window opens. Click Add Groups... to add user groups.
 
 
 
 
·         The Select Group Window opens. Mention the Group Marketing under Enter the object name to select and click OK.
 
 
 
 
 
 
·         The user group condition is added. Now click Add... again to add the second condition.
 
 
 
 
·         Under Gateway section, select NAS IPv4 Address to specify the IP address of the Network Access Server (NAS) and click Add.
 
 
 
 
·         Mention Cyberoam’s LAN IP address as NAS address.
 
 
 
 
·         Click OK to save settings. The following screen is displayed showing configured conditions. Click Next.
 
 
 
 
·         The Specify Access Permission screen appears. Select Access granted and click Next.
 
 
 
 
·         The Configure Authentication Methods screen appears. Select the authentication as Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Unencrypted authentication (PAP, SPAP). Click Next.
 
      Note:
      PAP authentication method is required because Cyberoam uses PAP to test connectivity with the RADIUS Server. 
 
 
 
·         The Configure Constraints screen appears. Retain default constraints. Click Next.
 
 
 
 
·         The Configure Settings screen appears. Retain default settings. Click Next.
If you want to configure Tight Integration between RADIUS Server and NAS, then add Filter ID as one of the attributes by clicking Add.... 
 
 
 
·         The Completing New Network Policy appears which displays the summary of the policy you have configured. Click Finish to create the policy.
 
 
 

Step 3: Allow Network Access to Users

Once Network Policies are configured, ensure that users, belonging to the User Group defined in the Policy, are allowed network access. Here, we have enabled network
access of a user named John Smith who belongs to the CYBEROAM"Marketing User Group. You can enable network access by following instructions given below. 
 
On the left panel, expand through Roles à Active Directory Domain Services à Active Directory Users and Computers à cyberoam.localand click Users  
to display a list of existing users. Right click user John Smith and click Properties from the pop up.
 
 
 
In the Properties window, switch to Dial-in tab, under Network Access Permission select Allow access to allow network access to user John Smith.
 

 
 
Click OK to save settings.

Step 4: Integrate Cyberoam with RADIUS Server

Integrate Cyberoam with the RADIUS Server configured above such that it uses the Server for user authentication. To know how you can configure Cyberoam
to use RADIUS Server, refer to the article Configure Cyberoam to use RADIUS Server for Authentication.
 
The above configuration configures the Windows Server 2008 as a RADIUS Server with Cyberoam as the Client. Cyberoam uses this RADIUS Server for user authentication.