Windows Server Setup RADIUS and NPS For VPN Access Security VIDEO TUTORIAL


  When using networked services like VPN, we want to be able to control access in the same way we control access to NTFS files and folders. By setting up RADIUS and Network Policy Server, we can ensure that access to our corporate network is controlled a lot better. As an example, we can filter based on groups, IP addresses, time, etc. The videos mentioned in this video cover our VPN and CA Service: https://youtu.be/uMtJgN0prME and https://youtu.be/lWZIHoAwu2c
Transcript (machine generated so it contains errors)
1. 00:00:00:03 / 00:00:05:16 - hello and welcome today's video today's
2. 00:00:03:24 / 00:00:09:03 - video we're going to show you how to set
3. 00:00:05:16 / 00:00:12:21 - up a radius server with the NPS role on
4. 00:00:09:02 / 00:00:16:37 - it like a network protection never
5. 00:00:12:21 / 00:00:19:94 - policy sorry okay all we need to do is
6. 00:00:16:37 / 00:00:22:19 - basically you can install this if you
7. 00:00:19:94 / 00:00:24:39 - just have one box in your Active
8. 00:00:22:19 / 00:00:27:74 - Directory server with that VPN role
9. 00:00:24:39 / 00:00:31:64 - already there and then add this role to
10. 00:00:27:73 / 00:00:33:86 - otherwise based on your security setup
11. 00:00:31:64 / 00:00:37:92 - you can have this on a separate server
12. 00:00:33:86 / 00:00:41:45 - and that's one option
13. 00:00:37:92 / 00:00:45:87 - another option is have it on the remote
14. 00:00:41:46 / 00:00:47:46 - dial-in server like your VPN server ok
15. 00:00:45:86 / 00:00:50:36 - it just makes connections a little bit
16. 00:00:47:46 / 00:00:53:93 - easier that way but we're having this on
17. 00:00:50:36 / 00:00:56:60 - a separate server over here ok whichever
18. 00:00:53:93 / 00:01:01:58 - method you choose literally what we're
19. 00:00:56:60 / 00:01:09:22 - doing 99.99% is the same ok so just add
20. 00:01:01:59 / 00:01:09:22 - roles and features click Next row next
21. 00:01:12:53 / 00:01:21:75 - okay and then we're clicking on network
22. 00:01:16:53 / 00:01:31:00 - policy access add feature click Next
23. 00:01:21:75 / 00:01:31:00 - click Next Next click install
24. 00:01:36:06 / 00:01:44:53 - okay once the install is finished okay
25. 00:01:39:70 / 00:01:47:29 - II I'll just skim it up for tidiness
26. 00:01:44:54 / 00:01:50:57 - okay all you need to do is get a network
27. 00:01:47:29 / 00:01:53:42 - policy server that will open up this
28. 00:01:50:56 / 00:01:58:00 - window and server 2 doesn't succeed you
29. 00:01:53:42 / 00:02:00:07 - have the complete literally automatic
30. 00:01:58:01 / 00:02:02:66 - configuration system where you just
31. 00:02:00:07 / 00:02:04:34 - tighten a little bit but what we will do
32. 00:02:02:65 / 00:02:06:22 - will go through this way because it's a
33. 00:02:04:34 / 00:02:08:27 - quick way and then we'll show you what
34. 00:02:06:23 / 00:02:12:59 - you would have needed to a manually
35. 00:02:08:27 / 00:02:14:78 - configured on that side ok let's just
36. 00:02:12:59 / 00:02:19:00 - click on that that's fine
37. 00:02:14:78 / 00:02:22:78 - good all right configure give it a name
38. 00:02:19:00 / 00:02:25:15 - it's a VPN connection you can get with
39. 00:02:22:78 / 00:02:30:13 - that the automatic name or give it down
40. 00:02:25:15 / 00:02:37:38 - we are now creating a radius client ok
41. 00:02:30:13 / 00:02:43:51 - give it a friendly name VT and maybe yes
42. 00:02:37:38 / 00:02:48:91 - ok the IP address is you might think the
43. 00:02:43:51 / 00:02:53:65 - client is talking about this computer no
44. 00:02:48:91 / 00:02:56:03 - it's actually asking for where there is
45. 00:02:53:65 / 00:02:59:00 - a web service running or your VPN
46. 00:02:56:03 / 00:03:02:71 - service etc ok
47. 00:02:59:00 / 00:03:07:51 - we'll just type in the IP address as we
48. 00:03:02:71 / 00:03:17:73 - know that we could also type in the full
49. 00:03:07:51 / 00:03:17:73 - name if we wanted to ok click verify
50. 00:03:17:94 / 00:03:27:79 - resolve finds it all good if we had set
51. 00:03:23:81 / 00:03:30:53 - up a shared secret template that would
52. 00:03:27:80 / 00:03:32:60 - be fine what a shared secret template I
53. 00:03:30:53 / 00:03:35:44 - mean what a shared secret is it's
54. 00:03:32:59 / 00:03:37:10 - basically collects I we say a password
55. 00:03:35:44 / 00:03:40:88 - on
56. 00:03:37:11 / 00:03:43:68 - this computer and also on the other
57. 00:03:40:88 / 00:03:47:57 - computer that is joining up to this
58. 00:03:43:68 / 00:03:50:28 - radius server and that's a we suggest
59. 00:03:47:58 / 00:03:53:21 - you use a generate because you get a
60. 00:03:50:28 / 00:03:54:81 - huge thing you would want to copy this
61. 00:03:53:21 / 00:03:58:40 - down because there's no way you're going
62. 00:03:54:81 / 00:03:59:90 - to memorize that for this instance what
63. 00:03:58:40 / 00:04:04:31 - we're going to do is just create a
64. 00:03:59:90 / 00:04:07:37 - manual one in case it asks us to type in
65. 00:04:04:31 / 00:04:09:03 - the manual one and that will be later on
66. 00:04:07:37 / 00:04:15:10 - okay so we're just going to create
67. 00:04:09:03 / 00:04:15:11 - something simple that confer conforms to
68. 00:04:20:06 / 00:04:35:63 - policies okay click OK that's been added
69. 00:04:30:58 / 00:04:38:96 - ok we are gonna add in EAP that makes
70. 00:04:35:63 / 00:04:45:75 - everything a lot easier a lot more
71. 00:04:38:97 / 00:04:51:41 - secure and that's it Microsoft Protected
72. 00:04:45:75 / 00:04:53:18 - the it last one more secure one
73. 00:04:51:41 / 00:04:56:93 - configure if you want how many
74. 00:04:53:18 / 00:05:03:22 - connection attempts that's fine you can
75. 00:04:56:93 / 00:05:10:85 - also add in the other ones we suggest at
76. 00:05:03:22 / 00:05:13:37 - most you stick with that one then now
77. 00:05:10:85 / 00:05:16:43 - what you would have needed to have done
78. 00:05:13:37 / 00:05:20:56 - is basically on your Active Directory
79. 00:05:16:43 / 00:05:24:00 - computer created a security group and
80. 00:05:20:56 / 00:05:27:54 - within that security group you then add
81. 00:05:24:00 / 00:05:31:16 - your users and this is what the benefit
82. 00:05:27:54 / 00:05:35:06 - of using this NPS radius system actually
83. 00:05:31:16 / 00:05:37:37 - is it's fairly similar to file and
84. 00:05:35:06 / 00:05:41:21 - folder permissions access permissions
85. 00:05:37:37 / 00:05:45:56 - where you can limit those to certain
86. 00:05:41:22 / 00:05:49:05 - groups etc ok you can filter based on
87. 00:05:45:56 / 00:05:50:81 - certain criteria in this you can filter
88. 00:05:49:05 / 00:05:53:57 - based on which group there
89. 00:05:50:81 / 00:05:58:11 - out of what IP address they are the
90. 00:05:53:57 / 00:06:00:87 - connection method all those things so we
91. 00:05:58:11 / 00:06:05:10 - have already set one up on our Active
92. 00:06:00:87 / 00:06:06:66 - Directory computer we're just going to
93. 00:06:05:10 / 00:06:11:22 - check the nine that's it
94. 00:06:06:66 / 00:06:16:16 - it finds it all good click Next you can
95. 00:06:11:22 / 00:06:16:16 - create some IP filters if you do want to
96. 00:06:16:37 / 00:06:23:81 - we're gonna go with the highest
97. 00:06:19:64 / 00:06:27:00 - encryption click Next well name is not
98. 00:06:23:81 / 00:06:32:89 - really needed but you can type it in if
99. 00:06:27:00 / 00:06:37:11 - you want to and we're literally finished
100. 00:06:32:89 / 00:06:38:39 - before we go on to our VPN server we're
101. 00:06:37:11 / 00:06:43:02 - just actually going to quickly show you
102. 00:06:38:39 / 00:06:45:14 - how that group needs to be set up okay
103. 00:06:43:01 / 00:06:47:21 - we open up server manager and then we
104. 00:06:45:14 / 00:06:51:53 - just clicked on Active Directory users
105. 00:06:47:22 / 00:06:54:45 - and computers and within our domain we
106. 00:06:51:54 / 00:06:56:40 - basically created our own organizational
107. 00:06:54:44 / 00:06:59:18 - unit you don't really need to do that
108. 00:06:56:39 / 00:07:04:04 - you could literally just click on here
109. 00:06:59:18 / 00:07:06:95 - and then new and then basically group it
110. 00:07:04:05 / 00:07:10:59 - would be a security group global give it
111. 00:07:06:95 / 00:07:12:20 - a name and then just like what we've
112. 00:07:10:58 / 00:07:14:15 - done we've created an organizational
113. 00:07:12:20 / 00:07:17:63 - unit we created that security group and
114. 00:07:14:16 / 00:07:25:05 - then we have a user that has silent
115. 00:07:17:63 / 00:07:27:20 - access and is a member of that group ok
116. 00:07:25:05 / 00:07:31:47 - these are the only things you need to
117. 00:07:27:20 / 00:07:36:41 - have within Active Directory users and
118. 00:07:31:47 / 00:07:39:96 - computers ok so now we'll move on to our
119. 00:07:36:42 / 00:07:43:47 - VPN server and show you how to configure
120. 00:07:39:95 / 00:07:45:44 - it over there on our VPN server we
121. 00:07:43:47 / 00:07:49:95 - basically click over here click on
122. 00:07:45:44 / 00:07:53:87 - server manager and then that opens up
123. 00:07:49:94 / 00:07:56:51 - there go to tools click on remote
124. 00:07:53:87 / 00:07:59:61 - routing and remote access we can close
125. 00:07:56:51 / 00:08:01:21 - that down and over here we click on
126. 00:07:59:61 / 00:08:04:28 - properties
127. 00:08:01:22 / 00:08:06:35 - and how do we ensure that we're actually
128. 00:08:04:27 / 00:08:11:29 - using radius as you can see it's
129. 00:08:06:35 / 00:08:14:39 - automatically chosen that we are
130. 00:08:11:30 / 00:08:18:37 - actually where we added it before but
131. 00:08:14:38 / 00:08:21:68 - we'll just show you how to do that let's
132. 00:08:18:37 / 00:08:27:31 - remove that okay let's add the server
133. 00:08:21:68 / 00:08:27:31 - name was thirteen one sixth
134. 00:08:30:73 / 00:08:54:08 - Louie okay let's just go over there
135. 00:08:41:76 / 00:08:58:75 - the secret okay
136. 00:08:54:08 / 00:09:01:87 - always use message Authenticator if
137. 00:08:58:75 / 00:09:03:83 - you're using EAP basically that's not
138. 00:09:01:87 / 00:09:10:27 - really required but for some the older
139. 00:09:03:83 / 00:09:12:29 - ones yes okay click ok that'll do a
140. 00:09:10:27 / 00:09:14:44 - little bit of checking to make sure it's
141. 00:09:12:28 / 00:09:18:73 - all good
142. 00:09:14:45 / 00:09:23:77 - hopefully it is we'll click on OK and
143. 00:09:18:73 / 00:09:27:83 - now we should just quickly go to our VPN
144. 00:09:23:76 / 00:09:32:98 - users computer ok where the Windows 10
145. 00:09:27:83 / 00:09:38:47 - computer that wants to connect up to our
146. 00:09:32:98 / 00:09:42:11 - VPN and show you that it should work and
147. 00:09:38:47 / 00:09:45:52 - here we are in our Windows 10 if you
148. 00:09:42:11 / 00:09:51:11 - want to see how we set up our VPN server
149. 00:09:45:52 / 00:09:54:50 - and also the client and VPN certificates
150. 00:09:51:11 / 00:09:56:30 - etc please look at our previous two
151. 00:09:54:50 / 00:09:58:33 - videos the link should be in the
152. 00:09:56:29 / 00:10:02:38 - description so all you need to do just
153. 00:09:58:33 / 00:10:04:67 - to test it's all working is it go so the
154. 00:10:02:38 / 00:10:08:65 - first time you ever connect it will do a
155. 00:10:04:66 / 00:10:11:75 - little bit of extra like checking going
156. 00:10:08:65 / 00:10:15:00 - backwards from this computer to the VPN
157. 00:10:11:75 / 00:10:18:51 - server from the VPN server to the radius
158. 00:10:15:00 / 00:10:18:51 - server radius server to Active Directory
159. 00:10:18:51 / 00:10:27:57 - all verified passes forward all okay and
160. 00:10:23:19 / 00:10:32:13 - then it allows connection now that we've
161. 00:10:27:57 / 00:10:34:83 - done this let's go back to our NPS
162. 00:10:32:13 / 00:10:37:18 - server and actually talk through the
163. 00:10:34:83 / 00:10:42:14 - different things on the manual method
164. 00:10:37:17 / 00:10:46:87 - okay so we use this automatic
165. 00:10:42:14 / 00:10:48:61 - configuration system basically if you
166. 00:10:46:87 / 00:10:51:78 - were doing it you need to work your way
167. 00:10:48:61 / 00:10:54:62 - down this list manually so basically
168. 00:10:51:78 / 00:10:58:05 - what you would do is come over here and
169. 00:10:54:62 / 00:11:00:12 - then create a new radius client give it
170. 00:10:58:05 / 00:11:00:12 - a friendly name just like we gave over
171. 00:11:00:12 / 00:11:08:42 - here VPN radius the IP address of that
172. 00:11:03:82 / 00:11:12:61 - VPN server or that HTTP server of yours
173. 00:11:08:42 / 00:11:16:31 - okay then shared secret manual or
174. 00:11:12:61 / 00:11:19:99 - generate the complex one okay advanced
175. 00:11:16:32 / 00:11:23:05 - you can access request messages must
176. 00:11:19:99 / 00:11:26:62 - contain the message Authenticator as
177. 00:11:23:04 / 00:11:29:94 - root just like we had said if you're
178. 00:11:26:62 / 00:11:36:02 - using the EAP it's not really required
179. 00:11:29:94 / 00:11:39:21 - however you can take that that's fine so
180. 00:11:36:02 / 00:11:44:43 - sorry my mistake is on just showing you
181. 00:11:39:22 / 00:11:47:98 - as a demo basically this is what you
182. 00:11:44:44 / 00:11:52:14 - would do if it's Nick and that's exactly
183. 00:11:47:98 / 00:11:57:22 - what happened over here okay we'll just
184. 00:11:52:14 / 00:12:01:05 - click that and then i remote radius
185. 00:11:57:22 / 00:12:06:16 - server groups if we had one we would and
186. 00:12:01:05 / 00:12:09:60 - that in policies okay this is basically
187. 00:12:06:15 / 00:12:12:78 - where we have used windows
188. 00:12:09:61 / 00:12:16:05 - authentication let's just disable that
189. 00:12:12:78 / 00:12:19:83 - one this is the one that was
190. 00:12:16:04 / 00:12:22:29 - automatically configured okay and it
191. 00:12:19:83 / 00:12:22:29 - basically was configured to use a NAS
192. 00:12:22:29 / 00:12:28:62 - port what we shall show you is just go
193. 00:12:26:94 / 00:12:31:32 - to properties
194. 00:12:28:62 / 00:12:33:78 - how it looks is if you click new you'd
195. 00:12:31:33 / 00:12:40:60 - go through the whole thing
196. 00:12:33:78 / 00:12:42:81 - oops okay give the policy name click
197. 00:12:40:60 / 00:12:47:08 - policy is enabled make sure it's neat
198. 00:12:42:82 / 00:12:47:08 - the end and then conditions would be a
199. 00:12:47:08 / 00:12:49:21 - NAS port how do you get there
200. 00:12:49:21 / 00:12:54:97 - it's just add scroll all the way down
201. 00:12:51:19 / 00:12:58:21 - NAS port and then you click Add and
202. 00:12:54:97 / 00:13:00:22 - then make sure it's VPN click OK and
203. 00:12:58:21 / 00:13:04:42 - that's pretty much it
204. 00:13:00:22 / 00:13:07:74 - so that sort stop sideout authentication
205. 00:13:04:41 / 00:13:10:95 - methods everything is automatic
206. 00:13:07:74 / 00:13:15:48 - authentication using the request of this
207. 00:13:10:96 / 00:13:18:75 - server that's fine accounting basically
208. 00:13:15:48 / 00:13:25:42 - if you want to create log files with
209. 00:13:18:75 / 00:13:31:12 - information you can create that ok well
210. 00:13:25:41 / 00:13:32:88 - name just like in the auto configuration
211. 00:13:31:12 / 00:13:36:27 - we didn't use a real name so that was
212. 00:13:32:88 / 00:13:39:15 - fine radius s routes nothing required
213. 00:13:36:27 / 00:13:43:53 - then just as a big also nothing required
214. 00:13:39:15 / 00:13:46:68 - ok so I'm just going to cancel that so
215. 00:13:43:53 / 00:13:49:59 - that shown you the first thing you need
216. 00:13:46:69 / 00:13:52:84 - to set up that knavish ok
217. 00:13:49:60 / 00:14:03:42 - VPN ok network policies
218. 00:13:52:84 / 00:14:07:14 - I'll just disable these to disable these
219. 00:14:03:41 / 00:14:09:51 - you can have them enabled disabled this
220. 00:14:07:14 / 00:14:14:39 - is the one that we automatically
221. 00:14:09:51 / 00:14:18:54 - configured and basically this one is
222. 00:14:14:39 / 00:14:24:61 - where it used the NAS port that we
223. 00:14:18:54 / 00:14:28:19 - created previously and our user group
224. 00:14:24:61 / 00:14:33:49 - has security group in Active Directory
225. 00:14:28:20 / 00:14:37:39 - ok let's click on properties this is
226. 00:14:33:49 / 00:14:42:12 - what you would do policy name ok click
227. 00:14:37:38 / 00:14:45:00 - policy enabled grant access ok
228. 00:14:42:12 / 00:14:49:99 - ignore user account dial-in properties
229. 00:14:45:00 / 00:14:53:51 - fine okay make sure it's VPN conditions
230. 00:14:49:99 / 00:14:58:45 - as you can see we have added in
231. 00:14:53:51 / 00:15:01:12 - basically a user group click Add and the
232. 00:14:58:45 / 00:15:04:36 - add group and it was exactly like has
233. 00:15:01:12 / 00:15:06:82 - automatic system is type in the group
234. 00:15:04:36 / 00:15:07:14 - name that you create with the users in
235. 00:15:06:82 / 00:15:10:83 - it
236. 00:15:07:14 / 00:15:16:38 - okay we'll just cancel that then any
237. 00:15:10:83 / 00:15:20:65 - constraints we chose to have EAP okay so
238. 00:15:16:38 / 00:15:23:74 - that's their I wouldn't go too far down
239. 00:15:20:64 / 00:15:27:18 - at mostest if you really are really
240. 00:15:23:74 / 00:15:30:61 - still dealing with XP or something then
241. 00:15:27:19 / 00:15:30:88 - yeah you go a lot further that ok all
242. 00:15:30:61 / 00:15:33:31 - right
243. 00:15:30:87 / 00:15:36:26 - idle time are nothing specific over
244. 00:15:33:30 / 00:15:40:52 - there session time at all these are just
245. 00:15:36:26 / 00:15:45:63 - literally completely blank
246. 00:15:40:52 / 00:15:50:94 - alright ok so it's a PvP and service
247. 00:15:45:63 / 00:15:52:26 - type framed nothing specific ok this is
248. 00:15:50:95 / 00:15:55:15 - how it would look
249. 00:15:52:26 / 00:15:55:48 - IP filters we'd not configure any over
250. 00:15:55:14 / 00:15:58:99 - there
251. 00:15:55:48 / 00:16:02:20 - encryption remember we gave it maximum
252. 00:15:58:99 / 00:16:04:89 - so that was their IP settings server
253. 00:16:02:20 / 00:16:09:64 - setting this urban IP address assignment
254. 00:16:04:89 / 00:16:11:47 - that's fine you also could assign static
255. 00:16:09:63 / 00:16:13:72 - IP addresses if you wanted to from
256. 00:16:11:47 / 00:16:18:89 - within here that's fine but we're giving
257. 00:16:13:72 / 00:16:22:33 - it from our server so that's there now
258. 00:16:18:89 / 00:16:25:95 - accounting is where it creates a log
259. 00:16:22:33 / 00:16:28:41 - file and to be careful because if you're
260. 00:16:25:96 / 00:16:32:56 - having a lots and lots of users
261. 00:16:28:40 / 00:16:36:54 - connecting etc it can get quite big so
262. 00:16:32:55 / 00:16:39:21 - you might want to curl a view it delete
263. 00:16:36:54 / 00:16:41:52 - it after a while etc as long as no
264. 00:16:39:22 / 00:16:43:89 - issues in there or make backups put them
265. 00:16:41:52 / 00:16:46:53 - in a backup location somewhere that you
266. 00:16:43:89 / 00:16:50:94 - can use SQL Server if you wanted to
267. 00:16:46:53 / 00:16:53:04 - that's an option ok templates you can
268. 00:16:50:95 / 00:16:55:54 - create your own templates um like a
269. 00:16:53:04 / 00:16:56:28 - shared secret template which is nothing
270. 00:16:55:53 / 00:16:58:99 - special
271. 00:16:56:28 / 00:17:01:20 - oh okay just give a template name and
272. 00:16:58:99 / 00:17:05:58 - you create your own little password or
273. 00:17:01:20 / 00:17:08:74 - you generate and that's that so when
274. 00:17:05:58 / 00:17:11:34 - you're creating your radius server
275. 00:17:08:74 / 00:17:14:40 - radius client in the beginning you
276. 00:17:11:34 / 00:17:18:15 - wouldn't have to ok so there's nothing
277. 00:17:14:40 / 00:17:20:31 - really really special okay the main
278. 00:17:18:16 / 00:17:22:12 - things that you are actually wanting to
279. 00:17:20:31 / 00:17:24:84 - think about is actually these network
280. 00:17:22:11 / 00:17:28:38 - policies our first policy that we set up
281. 00:17:24:84 / 00:17:31:05 - over here is basically based on user
282. 00:17:28:39 / 00:17:34:12 - groups okay so if you're a part of a
283. 00:17:31:05 / 00:17:37:05 - user group you're allowed in you may
284. 00:17:34:11 / 00:17:41:94 - want to start adding more and more like
285. 00:17:37:05 / 00:17:44:64 - for example based on IP so just as an
286. 00:17:41:95 / 00:17:52:66 - example we'll go forward give it a name
287. 00:17:44:65 / 00:17:56:91 - so another filter okay set of network
288. 00:17:52:66 / 00:18:01:54 - it's the VPN click Next okay click Add
289. 00:17:56:91 / 00:18:05:49 - and then you can go day and time client
290. 00:18:01:53 / 00:18:11:71 - IP addresses authentication type and
291. 00:18:05:49 / 00:18:14:50 - then all sorts of other options if you
292. 00:18:11:71 / 00:18:17:86 - wanted to you have machine groups create
293. 00:18:14:50 / 00:18:20:38 - all those and the more and more policies
294. 00:18:17:85 / 00:18:24:35 - you have they are cumulative so they
295. 00:18:20:38 / 00:18:28:60 - add on to each other so they all must be
296. 00:18:24:35 / 00:18:30:72 - met before access is granted so just
297. 00:18:28:59 / 00:18:34:56 - like I said in the beginning this is a
298. 00:18:30:73 / 00:18:40:04 - system that is similar to file and
299. 00:18:34:56 / 00:18:44:34 - folders access permissions okay in NTFS
300. 00:18:40:04 / 00:18:47:58 - hopefully this has helped uh it has been
301. 00:18:44:34 / 00:18:49:92 - a slightly long video but I'm sure you
302. 00:18:47:58 / 00:18:53:54 - should benefit from it and have a great
303. 00:18:49:92 / 00:18:53:54 - day and thank you for watching
Visit our YouTube channel: https://www.youtube.com/channel/UCFj1BHYIUYfPWPb1Xn5qFIg