Configuring Server 2008 for RADIUS Authentication

聂柔洁

　　http://hi.baidu.com/sxsyyq/blog/item/13989cf3c9ed47ce0a46e0a7.html
　　http://www.google.com.hk/search?hl=zh-CN&newwindow=1&safe=strict&rlz=1R2GGLL_zh-CNCN383&q=Windows+2008+R2%E5%AE%9E%E6%88%98&btnG=Google+%E6%90%9C%E7%B4%A2&aq=f&aqi=&aql=&oq=&gs_rfai=
　　http://security.ctocio.com.cn/117/9455617.shtml
　　http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
　　
　　
　　I like connecting to my network using my pfSense firewall's built-in VPN server. Following these steps, I can configure Windows Server 2008 to provide the authentication credentials for pfSense via RADIUS. I figured this out using this great guide that I referenced for Windows Server 2003...
　　Enable "reversible password encryption" for your domain users.
Globally:

• Admin Tools - Group Policy Management
  
• Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
  
• Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy ->Store passwords using reversible encryption = Enabled.
  

　　Per User:

• I prefer doing it globally, but you can do it on a per user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.
  

　　*Restart the domain controller after these Group Policy changes.
　　Enable Windows Server 2008 Network Policy Server (NPS)

• Add the "Network Policy and Access Services" role to your domain controller.
  
• Enable these role services during installation:
  Network Policy Server
  Routing & Remote Access Services
  Remote Access Service
  Routing
  

　　Verify the RADIUS Port Numbers

• Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports Tab.
  
• Verify the defaults for Authentication are 1812,1645.
  
• Verify the defaults for Accounting are 1813, 1646.
  
• The 18 set is for a secure connection, or vice-versa. You can change things to match your RADIUS client, but the defaults should be fine.
  

　　Add a new RADIUS Client

• NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click Add new Client.
  
• Add a name, the ip address of your client and create a shared secret.
  

　　Add a new Network Policy

• NPS (Local) -> Policies -> Right-click Network Policies -> Add new.
  
• Enter a name and leave Type of network access server as Unspecified. Click Next.
  
• Add a condition. Choose Windows Groups. Add a Group ("Domain Users" for example). Click OK, then Next.
  
• Choose Access Granted. Click Next.
  
• Leave the default Authentication Methods. Click Next.
  
• Leave the Default Constraints. (Although they look like some cool new features you may want to use.) Click Next.
  
• Leave the Default Settings. Click Next.
  
• Click Finish.
  

　　Granting or Denying Access to Users

• Right click a domain user -> Properties -> Dial-in tab.
  
• You can Grant or Deny here, but I just leave the NPS Policy we setup earlier to allow all domain users through.
  

　　Configure your RADIUS Client

• In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS services machine where we just configured everything. Input the shared secret and then login from anywhere!
  

　　Happy VPN'ing!