Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Overview   This article describes how you can configure Windows Server 2008 as a RADIUS Server and integrate it with Cyberoam.   Scenario Configure Windows Server 2008 as RADIUS Server with MS-CHAP v2 authentication and integrate Cyberoam as a RADIUS Client.   Configuration You can configure Windows Server 2008 by following the steps given below. Configuration is to be done from Windows Server Manager. Note: Prior to configuration, make sure that:   -         You have setup Active Directory Services, and Network Policies and Access Services (NPS) Roles. -         The NPS Roles are integrated with the Active Directory.   Step 1: Add Cyberoam as RADIUS Client ·         Login to Windows Server 2008 using Administrator profile. ·         Go to Start à Administrative Tools à Server Manager . ·         On the left panel, expand Roles à Network Policy and Access Services à NPS (Local) à RADIUS Clients and Servers and right click onRADIUS Clients. Click New RADIUS Client to create a new client according to parameters given below.         Parameter Description Parameter Value Description Friendly name Cyberoam Name to identify the RADIUS Client Address (IP or DNS) 172.16.16.1 Address of the RADIUS Client. Here, we have specified Cyberoam LAN IP Address. Vendor name RADIUS Standard Specify the RADIUS Client Vendor name from the list Shared secret Manual Select whether shared secret is to be manually set or auto-generated. Secret cyberoam Specify the secret           Click OK to create the RADIUS Client.       Step 2: Configure Network Policies On the left panel, expand Roles à Network Policy and Access Services à NPS (Local)à Policies and right-click Network Policies. Click Newto open the New Network Policy Wizard.         ·         Mention Policy Name and click Next.       ·         Click Add under Specify Conditions to add conditions that determine whether this network policy is evaluated for a connection request. Here, we have added 2 conditions:          -         User Group as Marketing         -         NAS IP address as Cyberoam LAN IP address         ·         The Select Condition Window opens. Select the first type of condition as User Groups and click Add.         ·         The User Groups Window opens. Click Add Groups... to add user groups.         ·         The Select Group Window opens. Mention the Group Marketing under Enter the object name to select and click OK.             ·         The user group condition is added. Now click Add... again to add the second condition.         ·         Under Gateway section, select NAS IPv4 Address to specify the IP address of the Network Access Server (NAS) and click Add.         ·         Mention Cyberoam’s LAN IP address as NAS address.         ·         Click OK to save settings. The following screen is displayed showing configured conditions. Click Next.         ·         The Specify Access Permission screen appears. Select Access granted and click Next.         ·         The Configure Authentication Methods screen appears. Select the authentication as Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Unencrypted authentication (PAP, SPAP). Click Next.         Note:       PAP authentication method is required because Cyberoam uses PAP to test connectivity with the RADIUS Server.        ·         The Configure Constraints screen appears. Retain default constraints. Click Next.         ·         The Configure Settings screen appears. Retain default settings. Click Next. If you want to configure Tight Integration between RADIUS Server and NAS, then add Filter ID as one of the attributes by clicking Add....        ·         The Completing New Network Policy appears which displays the summary of the policy you have configured. Click Finish to create the policy.       Step 3: Allow Network Access to Users Once Network Policies are configured, ensure that users, belonging to the User Group defined in the Policy, are allowed network access. Here, we have enabled network access of a user named John Smith who belongs to the CYBEROAM"Marketing User Group. You can enable network access by following instructions given below.    On the left panel, expand through Roles à Active Directory Domain Services à Active Directory Users and Computers à cyberoam.localand click Users   to display a list of existing users. Right click user John Smith and click Properties from the pop up.       In the Properties window, switch to Dial-in tab, under Network Access Permission select Allow access to allow network access to user John Smith.       Click OK to save settings. Step 4: Integrate Cyberoam with RADIUS Server Integrate Cyberoam with the RADIUS Server configured above such that it uses the Server for user authentication. To know how you can configure Cyberoam to use RADIUS Server, refer to the article Configure Cyberoam to use RADIUS Server for Authentication.   The above configuration configures the Windows Server 2008 as a RADIUS Server with Cyberoam as the Client. Cyberoam uses this RADIUS Server for user authentication.