Windows Server Setup RADIUS and NPS For VPN Access Security VIDEO TUTORIAL


When using networked services like VPN, we want to be able to control access in the same way we control access to NTFS files and folders. By setting up RADIUS and Network Policy Server, we can control access to our corporate network much more tightly. As an example, we can filter based on groups, IP addresses, time, etc. The videos mentioned in this video refer to our VPN and CA Service: and  
Transcript (machine generated so it contains errors)
Hello and welcome today's video today's video work and I show you how to set up a RADIUS server with the NPS role on it like a network protection policies are okay. Am all we need to do is basically, you can install this if you have one box in your Active Directory server with that VPN role. Already there and then add this role to otherwise based on your security, setup, you can have is on a separate server and that's one option. Another option is have a on the remote dial in server like a VPN server. Okay, it just makes connections a little bit easier that way, but we're having is on a separate server over here, which are method you choose literally what we're doing 99.99% is Exodus add roles and features. Click next role next cayenne and we're clicking on network policy access and feature, click next play next next install okay. Once the install is finished. Okay, the eldest up for tidiness okay, all you need to do is go network policy server that will open up this window and service 16, you have the's complete literally automatic configuration system where you must take note of it. But what we will do will ghost this way because a quick way and then will show you what you would have needed to have manually configure okay let's show us click on that, that's fine. Good direct configure the learn name. It's a VPN connection you can go without a domain name argument down. We are now creating a RADIUS client okay.

Given the friendly name VPN range the house okay the IP address is you might think. The client is talking about this computer. Now it actually asking for where there is a web service running or your VPN service, et cetera okay, we'll just type in the IP address as we know that we can also type in the full name. If we want to carry click verify resolve finds it all good. If we had set up a shared secret template that would be fine. Worse yet, secret template and were shared secret is is basically like shall we say a password on this computer and also on the other computer that is joining up to this RADIUS server and that's it. We suggest you use the generate because you get he you thing you would want a copy this down because is no way you can rise up for this instance, what do is just quit a manual one in case it asks us to tighten the manual one hand that will be later. Okay, so it is create something simple that conforms to policies. Okay, okay, that's been added okay. We are gonna add in EAP that makes everything a lot easier a lot more secure and that's it. Microsoft protected earlier this, the last one more secure one configure if you want, how many connection attempts, that's fine. You can also add in the other ones.

We suggest an mostly stick with that one than now one you would have needed to have done is basically on your Active Directory computer created a security group, and within that security group. You then add your users, and this is what the benefit of using this NPS RADIUS system actually is. It's fairly similar to file and folder permissions, access permissions, we can limit those to certain groups, et cetera okay, you can filter based on certain criteria. In this, you can filter based on which group they're part of what IP address they are the connection method all those things, so we have already set one up on our Active Directory computer nine. That said, it finds it all good. Click next, you can create some IP filters if you do want to work on a girl with the highest encryption makes realm name is not really needed, but you can type it in. If you want to, and we're literally finished before we go on to our VPN server with the setting and are quickly show you how that group needs to be set up okay. We open up Server Manager and then we just clicked or an Active Directory Users and Computers and within our domain. We basically created our own organisational unit. You don't really need to do that, you could literally just click on year and then new and then basically group it would be a security group global given a name and then just like what we've done with create an organisational unit. We train that security group and then we have a user that has dial in access and is a member of that group eight. These are the only things you need to have within Active Directory Users and Computers so now will move on to our VPN server and show you how to configure it over on our VPN server we basically, click here. Click on Server Manager and then that opens up there are tools, click on remote routing and remote access to that than and over here we click on properties. 
And how do we ensure that we're actually using RADIUS as you can see it is automatically chosen that we are actually why we added before bad, but the show you how to do that, let's remove that Nicolas add the server name was the start will say Cisco over their the secret okay, always use message authenticator if you're using EAP.

Basically, that's not really required, but for some the older ones. Yes, okay, click okay do a little bit of checking to make sure it's all good. Hopefully it is will click on okay, and now we suggest quickly go to our VPN is user's computer. Okay, where are the Windows 10 computer that wants to connect up to our VPN and show you that it should work and here we are in our Windows 10. If you want to see how we set up our VPN server and also the client and VPNs. To begin, et cetera please look at our previous two videos. The link should be in the description. So all you need to do just a test is all working is a guest the first time you ever connect, it will do a little bit of extra acolyte calm checking going backwards from this computer to the VPN server the VPN server to the RADIUS server. A RADIUS server to Active Directory. All their five passes for all okay and then it allows connection now that we've done this, let's go back to our NPS server and actually talked through the different things in the manual. Okay, so we use this automatic configuration. You system. Basically, if you were doing it, you need to work your way down this list manually. So basically what you would do is come over here and then create new RADIUS client given a friendly name, just like we gave over here VPN RADIUS IP address of that VPN server or that HTTP server of yours. Okay then shared secret manually generate complex one okay advance, you can access request messages must contain the message authenticator attribute display we had said, if you're using the EAP is not really required. However, you can take that, that's fine, so sorry my mistake. His arms are showing you as a demo. Basically, this is what you would do if it's and that's exactly what happened over here like a religious click that and then a remote RADIUS server groups if we had one keyword add that in policies. Okay, this is basically where we have use Windows authentication, let's just disable that one. 
This is the one that word is automatically configure okay and it basically was configured to use an escort what we shall show you the news disco the properties, how it looks as if you click now you go through the whole thing pops okay. Give the policy name.

Click policy is enabled, make sure it's VPN and then conditions would be in our sport how you get there. It's just add scroll all the way down last port, and then you click add and then make sure it's VPN, click okay and that's pretty much it so that source that side out. Authentication methods everything is automatic authentication to using the best of the server, that's fine. Accounting basically, if you want to create log files with information you can create that okay realm name just lie in the autoconfiguration within user romance that was fine RADIUS attributes that they required, then a specific also. Nothing required as the council that so that showed you the first thing you need to set up that now is like a VPN. Okay, that policies are all just disable these two disable the use can have enabled the sable is the one that we automatically configured and basically the swan is where it used the now sport that we created previously and I were user group security group in Active Directory okay, let's click on properties. This is what you would do policy name okay. Click policy enabled grant access okay ignore user account dial in properties buying okay. Make sure it's VPN conditions as you can see we have added in basically a user group, click add and then add group, and it was exactly like automatic system is type in the group name that you create with the users and it okay with this council that there any constraints. We chose to have EAP the case of us there. I wouldn't go too far down at most. This if you really are really still dealing with XP funding. Then you go a lot further okay are idle timeout leading specific with their session timeout. All these are just literally completely blank are right. Okay, so you say a VPN service type framed nothing specific okay. This is how you would look IP filters we not configure any over their encryption. 
Remember, we gave it maximum so that was there, IP settings, server settings determine IP address assignment, that's fine.

You also could assign static IP addresses. If you wanted to from within. Here, that's fine. But we are giving it from server so that's their NAP. Accounting is where it creates a log file and to be careful because if you are you lots and lots of users connecting et cetera it can get quite big so you might want perl i.e. viewing deleted after a while, et cetera as long as no issues in their or make backups of them in a backup location similar. You can use SQL Server if you wanted to as an option. Okay, templates can create your own templates arm like a shared secret template, which is nothing special. Okay, you template name, and you create your the password for generates and that's that. So when you're creating your RADIUS server RADIUS client the beginning, you wouldn't have to okay, so there's nothing really, really special again. The main thing is that you are actually want to think about is actually's network policies are first policy that we set up over here is basically based on user groups. Okay, so if you're part of a user group you're allowed in. You may want to start adding more and more like, for example, based on IP so just as an example will go forward, given the names so filter okay network. It's the VPN, click next. Okay, click add and then you can goad day and time client IP addresses authentication tie and then all sorts the other options if you wanted to you machine groups create all those in the more and more policies you have there are cumulative, so they add on to each other so they all must be met before access is granted. So, just like I said in the beginning. This is a system that is similar to file and folders access permissions okay in NTFS arm. Hopefully this has helped our it has been a long video bad. I'm sure you should benefit from it and have a great day. Thank you for watching
