Remote Access
1 Document Control
Revision History:
Reviewers:
_____________________________________________________________________
1
Kent Community Network
____________________________________________________________________
2 Contents
3. Purpose of Document
This document details the procedure for installing and configuring the Network Policy Server
(NPS) role on Windows Server 2008 to provide RADIUS services.
The configuration described enables the KCN VPN concentrator to query a RADIUS server hosted
locally and to authenticate users against the establishment's own Active Directory.
http://www.eiskent.co.uk/userfiles/media/nps-2008.avi
4. Intended Audience
This document is intended for technical staff within KCN establishments who are tasked with
managing directory services and remote access.
5. Overview
Users of the KCN VPN service are authenticated in two stages.
Firstly, group authentication takes place. The group username and password are the ones
included in the PCF file provided to you by the KCN Service Desk.
Once the group has authenticated, the group settings apply. All group settings then require
user authentication; by default that authentication request is sent to the KCN RADIUS server
(management of which is delegated to establishments).
By following the guide below, user authentication requests will no longer be sent to the KCN
RADIUS server after group authentication; they will instead be sent to a RADIUS server hosted
within the local establishment. This means users can use a single login, as opposed to
managing two logins (one for the network and one for the VPN).
There are, however, some factors that need to be considered when implementing local
authentication:

- The web-based VPN does not authenticate the group first; users will therefore still have
to authenticate to that service using their account details on the KCN RADIUS server.
- If the server(s) running RADIUS fail, users will be unable to authenticate. Several RADIUS
servers can be specified on the concentrator to provide redundancy.
- Credentials are not encrypted between the VPN concentrator and the RADIUS server. The
username travels in clear text, and RADIUS only obscures the password attribute with an
MD5-based XOR keyed on the shared secret, which is not strong encryption. The KCN is a
private switched network with restricted access to equipment, so this is accepted; however,
local access to equipment should be restricted to ensure a malicious user cannot configure
mirrored (SPAN) ports. Hubs should certainly NOT be used.
6. Installing NPS
NPS can be provisioned on any member server or domain controller within the forest; we
strongly recommend that at least two instances of NPS are present to provide fault tolerance.
NPS is bundled with the Server 2008 operating system as a server role, but the role needs to
be added before it can be used.
A progress bar will display the progress of the installation; once it reaches 100%, NPS is
installed and running. Click Close to exit the wizard.
NPS can be accessed via Start > Administrative Tools > Network Policy Server.
7. Configuring NPS
NPS must be configured to meet the criteria detailed in the instructions below in order to be
compatible with the KCN VPN concentrator.
Part of the configuration process requires you to specify a shared secret. This is a key that
is configured identically on the RADIUS server and the VPN concentrator; it is used to
authenticate RADIUS messages between the two and to obscure the password attribute, so its
strength directly determines how well that traffic is protected.
When creating a shared secret you should adhere to general password good practice; your
shared secret should meet the following requirements, otherwise your request will be denied.
Make a note of the shared secret you use, as the KCN Service Desk will require it.
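The following is an added example and is not part of the KCN document, nor NPS or Cisco code. It constructs a RADIUS (RFC 2865) PAP Access-Request and Access-Accept in Python to show concretely what the two cautions in this guide amount to: the note in section 5 that credentials are not encrypted between the concentrator and the RADIUS server, and the advice here that the shared secret must be strong. The username, password, shared secret and candidate wordlist are made-up sample values; only the NAS address 172.31.240.26 is taken from the steps below.

```python
"""Constructed RADIUS PAP exchange (RFC 2865), to show what an observer on the
concentrator <-> NPS path sees and why the shared secret quality matters."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type(1) | Length(1, includes these two bytes) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret recovers the password."""
    padded, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def crack_shared_secret(request, response, wordlist):
    """Offline guess of the shared secret from one captured request/response pair:
    the Response Authenticator acts as a verification oracle for each candidate."""
    _, _, request_auth, _ = parse_packet(request)
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    for cand in wordlist:
        if hashlib.md5(header + request_auth + attrs + cand).digest() == resp_auth:
            return cand
    return None


def demo():
    secret = b"kcn-demo-secret"  # constructed sample value, not a real secret
    req = build_access_request(7, b"jbloggs", b"Winter2024!", "172.31.240.26", secret)
    _, ident, ra, attrs = parse_packet(req)
    on_wire_user = attrs[USER_NAME]                                  # clear text
    recovered = reveal_password(attrs[USER_PASSWORD], secret, ra)    # needs secret
    resp = build_access_accept(ident, ra, secret)
    guessed = crack_shared_secret(req, resp, [b"password", b"cisco", b"kcn-demo-secret"])
    return on_wire_user, recovered, guessed


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through makes visible: the User-Name attribute is readable by anyone who can see the traffic (hence the warning about mirrored ports and hubs), and the password is only XOR-masked with an MD5 keystream derived from the shared secret, so a weak or guessable secret, checked offline against a single captured request/response pair as `crack_shared_secret` does, exposes every user password sent through that concentrator.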
1. Click Start > Administrative tools > Network Policy Server to launch NPS
2. Right click on NPS (local) and select “Register Server in Active Directory” and
acknowledge the messages
3. Expand RADIUS Clients and Servers
4. Right click RADIUS clients and select new RADIUS client
5. Specify the friendly name of “KCN VPN Concentrator” and an IP Address of
“172.31.240.26”
6. Select “Cisco” from the vendor name drop down box.
7. Specify the shared secret and confirm it; alternatively, use the automatic generation
feature.
8. Click OK. The client should now be listed.
The KCN VPN concentrator has now been specified as a RADIUS client and is able to
communicate with the NPS server.
To specify the authentication methods the concentrator may use against the RADIUS server, a
network policy (the equivalent of an IAS remote access policy) must be configured; follow the
instructions below to configure these settings.
NPS is now installed and configured correctly to be used by the KCN VPN Concentrator.
Granting users the right to authenticate via RADIUS is done on the Dial-in tab of the user's
properties within the Active Directory Users and Computers MMC.
To enable a user, find the user in Active Directory Users and Computers and double-click the
username. Select the Dial-in tab to view the remote access properties; the first option,
Network Access Permission, lets you choose "Allow access" or "Deny access". (The default,
"Control access through NPS Network Policy", leaves the decision to the network policy rather
than the user object.)
Take care when selecting users who are allowed to authenticate from outside the LAN; do not,
for example, permit temporary accounts or service accounts to authenticate via RADIUS.
It is also strongly recommended that any user given remote access signs an enhanced AUP
requiring complex passwords that are changed on a regular basis.
Please use the e-mail template below to ensure the Service Desk (kcn.helpdesk@kent.gov.uk)
have all the information they require.
The KCN Service Desk will confirm via e-mail when this change is complete.
Please find RADIUS details below [copy for each server specified]
Regards
[Your Name]
[Date]