How to Deploy RADIUS (NAP enforcement for VPN) in a Server 2008 environment?

Remote Authentication Dial-in User Service (RADIUS) is an industry-standard protocol used to provide network authentication, authorization, and accounting services.
The following components are part of the RADIUS AAA infrastructure:
• Access clients
• Access servers (VPN, dial-up, WAP, 802.1x switches)
• RADIUS servers (NAP)
• User account databases

NAP is a client health policy creation, remediation and enforcement technology.
When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. You can configure NAP policies in NPS that allow client computers to update their configuration to become compliant with your organization’s network policy. To help protect network access, NAP relies on three processes: policy validation, NAP enforcement and network restriction, and remediation and ongoing compliance.

Lab scenario:
In this lab, server1 will be configured as a domain controller with AD and DNS. Server2 will be configured as a RADIUS server with NAP. Server3 will be configured as a NAP enforcement client (VPN). CLIENT1 is a client computer running Windows Vista or Windows 7. CLIENT1 will be configured as a VPN client and a NAP client.
Note: You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to perform the tasks.

Configure DC:
Step1: Configure server1 as a domain controller and TCP/IP as given below.

Step2: Create user1 account in Active Directory
This account will be used when logging in to NPS, VPN, and CLIENT1.

Step3: Add user1 to the Domain Admins group

Step4: Grant remote access permission to user1

Step5: Create a security group for NAP client computers

Step6: Add CLIENT1 to the NAP client computers security group

Note: Deploy AD CS on server1 to issue a server certificate to server2 for PEAP authentication of VPN clients.
Alternatively, you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.

Configure NPS:
Step7: Configure TCP/IP on server2 as given below:
Step8: Install the NPS server role and Group Policy Management feature.

Step9: Enable Network Access Protection Agent service.
Open the Group Policy Management console and create a new Group Policy object named “NAP client settings”. Right-click the NAP client settings policy and select Edit. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services. In the details pane, double-click Network Access Protection Agent. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.

Step10: Enable NAP enforcement clients
In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.

In the console tree, right-click NAP Client Configuration, and then click Apply.

Step11: Enable Security Center user interface
In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.

Step12: Configure security filters for the NAP client settings GPO
In the Group Policy Management Console (GPMC) tree, navigate to Forest:\Domains\\NAP client settings. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.

In the details pane, under Security Filtering, click Add. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.

Step13: Obtain a computer certificate on NPS:
To provide server-side PEAP authentication, the server running NPS uses a computer certificate stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate from the certification authority.
Step14: Configure NAP:
Go to Start > Administrative Tools > Network Policy Server. In the details pane, select NAP and click Configure NAP.

On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual Private Network (VPN), and then click Next.

On the Specify NAP Enforcement Servers Running VPN Server page, under RADIUS clients, click Add. In the New RADIUS Client dialog box, under Friendly name, type NAP VPN Server. Under Address (IP or DNS), type Under Shared secret, type secret. Click OK, and then click Next.

On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP-v2) is selected under EAP types. Click Next.

On the Specify a NAP Remediation Server Group and URL page, click New Group. In the New Remediation Server Group dialog box, under Group Name, type Domain Services, and then click Add. In the Add New Server dialog box, under Friendly name, type main. Under IP address or DNS name, type, and click OK twice, and then click Next.

On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.

And then click Finish.
Step15: Configure system health validators:
In the Network Policy Server console tree, open Network Access Protection, and then click System Health Validators. In the details pane, under Name, double-click Windows Security Health Validator. In the Windows Security Health Validator Properties dialog box, click Configure.

Clear all check boxes except A firewall is enabled for all network connections.

Click OK to close the Windows Security Health Validator dialog box, and then click OK.
Step16: Configure VPN1 as a NAP-capable RADIUS client.
In the NPS console tree, under RADIUS Clients and Servers, click RADIUS Clients. In the details pane, double-click NAP VPN Server, on the Settings tab, select the RADIUS client is NAP-capable check box.

Click OK and close the Network Policy Server console.
Step17: Allow ping on NPS1:
Click Start, click Run, type wf.msc, and then press ENTER. In the Windows Firewall with Advanced Security console tree, right-click Inbound Rules, and then click New Rule. Select Custom, and then click Next.

Select All programs, and then click Next.

Next to Protocol type, select ICMPv4, and then click Customize. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

In the Action window, verify that Allow the connection is selected, and then click Next.

Click Next to accept the default profile.

In the Name window, under Name, type ICMPv4 echo request, and then click Finish.

Configure VPN:
Step18: Configure TCP/IP on server3 as given below.

Step19: Install the Routing and Remote Access server role:

Step20: Configure Routing and Remote Access:
Click Start, click Run, type rrasmgmt.msc, and then press ENTER. In the Routing and Remote Access console, right-click VPN1, and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.

Click Next, select Remote access (dial-up or VPN), and then click Next.

Select the VPN check box, and then click Next.

Click the network interface with an IP address of Clear the check box next to Enable security on the selected interface by setting up static packet filters, and then click Next. This ensures that CLIENT1 will be able to ping VPN1 when attached to the Internet subnet without having to configure additional packet filters for ICMP traffic.

On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

On the Address Range Assignment page, click New. Type next to Start IP address and next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server, and then click Next.

On the RADIUS Server Selection page, type next to Primary RADIUS server, and type secret next to Shared secret.

Click Next, and then click Finish.
Step21: Configure authentication methods on VPN
In the Routing and Remote Access console, right-click VPN, and then click Properties. Click the Security tab. Click Authentication Methods and verify that Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) are selected. Click EAP Methods, and verify that Protected EAP (PEAP) is one of the installed EAP methods.

Step22: Allow ping on VPN1
Follow the same process described for the NPS server in Step17.
Configure CLIENT1 on Windows 7:
Step23: Join CLIENT1 to the domain.
Step24: Verify Group Policy settings
In the command window, type netsh nap client show grouppolicy and verify that the Admin status of the EAP Quarantine Enforcement Client is Enabled.

In the command window, type netsh nap client show state and verify that the Initialized status of the EAP Quarantine Enforcement Client is Yes.
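
A scripted version of the Step 24 check, as an added example that is not part of the original article: it parses the two netsh outputs and reports whether the EAP Quarantine Enforcement Client shows Admin = Enabled and Initialized = Yes. The function names, the constructed sample text and the "Key = Value" output layout are assumptions.

```powershell
# Added example, not from the original article. The field names "Admin" and
# "Initialized" come from Step 24; the "Key = Value" layout is an assumption.
function Get-NapClientBlock {
    param([string[]]$Lines)
    $blocks = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $key = $Matches[1]; $value = $Matches[2]
            if ($key -eq 'Name') {
                # A "Name" line starts a new block; store the previous one.
                if ($null -ne $current) { $blocks += $current }
                $current = @{ Name = $value }
            } elseif ($null -ne $current) {
                $current[$key] = $value
            }
        }
    }
    if ($null -ne $current) { $blocks += $current }
    return $blocks
}

function Test-NapClientField {
    param([string[]]$Lines, [string]$Client, [string]$Field, [string]$Expected)
    $block = @(Get-NapClientBlock -Lines $Lines) |
        Where-Object { $_['Name'] -eq $Client } | Select-Object -First 1
    if ($null -eq $block) { return $false }   # client missing from the output
    return ($block[$Field] -eq $Expected)
}

# Constructed samples (not captured from a real client).
$gp = @'
Name   = DHCP Quarantine Enforcement Client
Admin  = Disabled
Name   = EAP Quarantine Enforcement Client
Admin  = Enabled
'@ -split "\r?\n"
$state = @'
Name         = EAP Quarantine Enforcement Client
Initialized  = Yes
'@ -split "\r?\n"

# On CLIENT1, use the live output instead:
#   $gp = netsh nap client show grouppolicy
#   $state = netsh nap client show state
$eap = 'EAP Quarantine Enforcement Client'
$adminOk = Test-NapClientField $gp $eap 'Admin' 'Enabled'
$initOk  = Test-NapClientField $state $eap 'Initialized' 'Yes'
"EAP client Admin=Enabled: $adminOk; Initialized=Yes: $initOk"
```

A False result for either check means the NAP client settings GPO has not reached CLIENT1; confirm that the computer is a member of the NAP client computers group and refresh Group Policy before testing the VPN connection.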

Step25: Configure TCP/IP and test connectivity with DC as given below.

Step26: Configure a VPN connection:
Go to Start > Control Panel > Network and Sharing Centre, click Set up a new connection or network, select Connect to a workplace, and click Next.

Select No, create a new connection, and click Next.

On the How do you want to connect page, click Use my Internet connection (VPN).

On the Before you connect page, select Let me decide later and click Next.

On the Type the Internet address to connect to page, enter the Internet address and destination name, and click Next.

On the Type your user name and password page, enter the user name, password and domain name, and click Create.

After creating the VPN connection, go to Start > Control Panel > Network and Sharing Centre > Change adapter settings, select server, open Properties, select the Security tab, select EAP under the authentication option and click Properties, and then select the validate server certificate and enforce network protection options.

Step27: Test the new VPN connection
Go to the notification area, click the Network icon, select server under Dial-up and VPN, and click Connect.

Verifying NAP functionality
Step28: Verification of NAP auto-remediation:
Disable Windows Firewall and connect the VPN connection. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more detailed information about the health status of CLIENT1.

The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets security standards defined by your network administrator.

Step29: Verification of NAP policy enforcement
Verify that the response reads “Reply from”. CLIENT1 is able to ping this IP address because IP filters were applied in network policy to ensure that traffic from noncompliant clients can reach the DC.
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

