RADIUS Server 2012R2

Hello all,

Today I was asked to install and configure a new RADIUS server that will act as a central authentication solution for Cisco network switches.

So before we start, let me just explain what a RADIUS server is and when I would use it.

The name of the role in Server 2012R2 is: NPS

Network Policy Server (NPS) can be used as a Remote Authentication Dial-In User Service (RADIUS) server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be an access server, such as a dial-up server or wireless access point, or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:

  • A central authentication and authorization service for all access requests that are sent by RADIUS clients. NPS uses a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® Domain Services (AD DS) domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
  • A central accounting recording service for all accounting requests that are sent by RADIUS clients. Accounting requests are stored in a local log file or a Microsoft® SQL Server™ database for analysis.

The following illustration shows NPS as a RADIUS server for a variety of access clients, and also shows a RADIUS proxy. NPS uses an AD DS domain for user credential authentication of incoming RADIUS Access-Request messages.

 

When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:

  1. Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
  2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
  3. The NPS server evaluates the Access-Request message.
  4. If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
  5. The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
  6. The connection attempt is authorized with both the dial-in properties of the user account and network policies.
  7. If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server.
    If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
  8. The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.
  9. The NPS server sends an Accounting-Response to the access server.
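
The Access-Request / Access-Accept exchange in steps 2 to 7, sketched as an added example (not from the original post and not NPS code): it follows the RFC 2865 packet layout to show how the RADIUS shared secret hides the User-Password attribute and lets the access server reject a response that was not computed with that secret. The user name, password, shared secret and the `demo` helper are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret):
    """Access server side (step 2): returns the packet and its Request Authenticator."""
    request_auth = os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    """RADIUS server side (step 7): Response Authenticator binds reply to request and secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, ident, request_auth, secret):
    """Access server side: return the response code if authentic, else None."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def demo():
    secret = b"constructed-shared-secret"              # constructed sample value
    _req, ra = build_access_request(7, b"alice", b"correct horse", secret)
    good = build_response(ACCESS_ACCEPT, 7, ra, secret)
    forged = build_response(ACCESS_ACCEPT, 7, ra, b"wrong-secret")
    return verify_response(good, 7, ra, secret), verify_response(forged, 7, ra, secret)
```
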

 

So for my case I will install it as a central accounting recording service for all accounting requests that are sent by RADIUS clients (Cisco switches).

Installation:

1. Install Server 2012R2

2. Install the Roles…

The first step is to start the Add Roles Wizard, because we will be adding certain Server Roles, which are needed for a RADIUS server to function.

This will be the second page of the Add Server Roles Wizard. Again, the DNS Server must be installed with Active Directory, but here we will select to add the DHCP and Network Policy and Access Services. Once it is selected, the user will press Next and continue on to the next prompt.

The following screen will be the Network Policy and Access Services screen.

3. Open the Management Console:

 

4. This window will allow us to add the Access Point we want to use.

Here we will click Add to input the settings of our access point.

More detailed info can be found here:

https://www.mafiasecurity.com/access-control/step-by-step-radius-server-guide/
