
Technical Support - User Guides

User Guides are our way of advising schools about any changes they may need to carry out and instructions as to how to make those changes.

Ref: SB - Juniper
Title: Juniper RADIUS Installation & Configuration Guide - Server 2012 & R2
Created: 30/5/14   Modified: 30/5/14

Purpose of This Guide

This guide details the procedure for installing and configuring the Network Policy Server (NPS) role on Windows Server 2012 and Windows Server 2012 R2 to provide RADIUS services.

The configuration in this guide details what is required to enable the Schools Broadband Juniper SSL VPN to query a locally hosted RADIUS server and successfully authenticate users against the Active Directory within your establishment.

This guide is intended to give sufficient information to implement local authentication successfully. The Schools Broadband team offers no additional support to establishments configuring this beyond the directions contained in this document.

Intended Audience

This document is intended for technical staff within establishments connected to the Schools Broadband network, who are tasked with managing directory services and remote access.

Overview

By following this guide, access is enabled via an SSL web page and single-factor authentication applies. Users' login credentials are passed by the Juniper SSL VPN to a RADIUS server hosted within the local establishment, which checks them against Active Directory.

This means users can use a single login rather than managing multiple logins (one for the network and one for the VPN).

There are, however, some factors that need to be considered when implementing local authentication.

  • If the server(s) running RADIUS are unavailable, users will be unable to authenticate to the VPN. Multiple RADIUS servers can, however, be specified to provide redundancy.
  • Ensure that users enabled for remote access have strong passwords. With single-factor authentication, a user's login credentials are all that is required to gain full remote access to your network.

Installing NPS

NPS can be provisioned on any member server or domain controller within the forest; we strongly recommend that two instances of NPS are present to provide fault tolerance. NPS is bundled as part of the Server 2012 operating system as a role, although this role will need to be enabled.

To install NPS, please follow these instructions:

  1. Click start > Server Manager
  2. Click Manage
  3. Select Add Roles and Features
  4. Click next on the welcome screen
  5. Tick the box labelled “Network Policy and Access Services”, click Add Features on the prompt that appears, then click Next
  6. Tick the box labelled “Network Policy Server” then click Next
  7. Review the installation summary, then click Install.

A progress bar shows the progress of the installation. Once it reaches 100%, NPS is installed and running; click Close to exit the wizard.
NPS can be accessed via Start > Administrative tools > Network Policy Server.

Configuring NPS

NPS must be configured to meet the criteria detailed in the instructions below to be compatible with the Schools Broadband Juniper SSL VPN.

Part of the configuration process requires you to specify a shared secret. This is a key configured identically on the RADIUS server and on the Juniper SSL VPN; each side uses it to authenticate the other's RADIUS messages and to hide the user's password while it is in transit, so its strength matters.
When creating a shared secret you should adhere to general password good practice. Your shared secret must meet the following requirements, otherwise your request will be denied by the Schools Broadband Service Desk:

  • At least 10 characters long
  • Contain both uppercase and lowercase characters (at least 2 of each)
  • Contain at least 1 symbol and 1 numeric character
  • Not resemble a dictionary word

Make a note of the shared secret you use, as it will be required by the Schools Broadband Service Desk. Do not reuse it for any other purpose.
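As an added example that is not part of the original guide, the following PowerShell checks a candidate shared secret against the four requirements above and generates one that passes. The 24-character default length, the character set, and the "run of letters" test used to approximate "not resemble a dictionary word" are this example's own choices, not Schools Broadband rules.

```powershell
# Added example, not from the Schools Broadband guide. Checks a candidate
# shared secret against the requirements listed above and generates one
# that passes. Default length (24) and character set are assumptions.

function Test-SharedSecretPolicy {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Secret)
    process {
        $upper   = [regex]::Matches($Secret, '[A-Z]').Count
        $lower   = [regex]::Matches($Secret, '[a-z]').Count
        $digits  = [regex]::Matches($Secret, '[0-9]').Count
        $symbols = [regex]::Matches($Secret, '[^A-Za-z0-9]').Count

        $failures = @()
        if ($Secret.Length -lt 10) { $failures += 'fewer than 10 characters' }
        if ($upper -lt 2)          { $failures += 'fewer than 2 uppercase letters' }
        if ($lower -lt 2)          { $failures += 'fewer than 2 lowercase letters' }
        if ($digits -lt 1)         { $failures += 'no numeric character' }
        if ($symbols -lt 1)        { $failures += 'no symbol' }
        # "Not resemble a dictionary word" cannot be tested exactly offline;
        # a run of six or more letters is the usual way a secret ends up
        # looking like a word, so flag that (this example's own heuristic).
        if ($Secret -match '[A-Za-z]{6,}') { $failures += 'contains a run of 6 or more letters' }

        [pscustomobject]@{
            Length    = $Secret.Length
            Compliant = ($failures.Count -eq 0)
            Failures  = ($failures -join '; ')
        }
    }
}

function New-SharedSecret {
    param([int]$Length = 24)
    # Printable ASCII only, leaving out characters that are easily mangled
    # when the secret is copied into a ticket (quotes, backslash, space, backtick).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Largest multiple of the alphabet size below 2^32: values at or above it
    # are rejected so that each pick is uniform over the alphabet (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do {
                $rng.GetBytes($buf)
                $n = [BitConverter]::ToUInt32($buf, 0)
            } while ($n -ge $limit)
            $chars[$i] = $alphabet[[int]($n % $alphabet.Length)]
        }
        $candidate = -join $chars
    } while (-not (Test-SharedSecretPolicy -Secret $candidate).Compliant)
    return $candidate
}

# Usage:
#   $secret = New-SharedSecret
#   Test-SharedSecretPolicy -Secret $secret        # Compliant = True
#   Test-SharedSecretPolicy -Secret 'Password1'    # Compliant = False, Failures lists why
```

The generator draws from the operating system's cryptographic random number generator rather than Get-Random, and loops until the candidate passes the same check the Service Desk will apply, so the value you record for the e-mail template is known to be acceptable before it is sent.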

To configure your NPS server correctly, please follow these instructions:

  1. Click Start > Administrative tools > Network Policy Server to launch NPS
  2. Right click on NPS (local) and select “Register Server in Active Directory” and acknowledge the messages
  3. Expand RADIUS Clients and Servers
  4. Right click RADIUS clients and select New
  5. Set both the friendly name and the address (IP or DNS) to “juniper.schools.kpsn.net”
  6. Specify the shared secret and confirm it
  7. On the Advanced tab, select “RADIUS Standard” from the Vendor name drop-down box.
  8. Click OK. The client should now be listed.

The Juniper SSL VPN has now been specified as a RADIUS client and is able to communicate with the NPS server.
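As an added example that is not part of the original guide, the installation steps and the RADIUS client steps above as one script for an elevated PowerShell prompt on the server that will host NPS. It assumes the NPS cmdlets shipped with Windows Server 2012 (New-NpsRadiusClient, Get-NpsRadiusClient, Export-NpsConfiguration); the Juniper address and vendor name are the guide's values and the shared secret is typed in at the prompt. The network policy steps that follow have no cmdlet in that module and are still done in the console.

```powershell
# Added example, not from the Schools Broadband guide: the role install,
# AD registration and RADIUS client steps above as a script for an
# elevated PowerShell prompt on the server that will host NPS. Assumes
# the NPS cmdlets shipped with Windows Server 2012. The Juniper address
# and vendor name are the guide's values; the secret is typed in.

$juniperAddress = 'juniper.schools.kpsn.net'
$sharedSecret   = Read-Host -Prompt 'Shared secret (must meet the requirements above)'

# 1. Install the role. -IncludeManagementTools also installs the NPS console
#    and the NPS PowerShell module used below.
$install = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if (-not $install.Success) { throw "NPS role install failed (exit code $($install.ExitCode))" }
if ("$($install.RestartNeeded)" -eq 'Yes') { Write-Warning 'Restart required before NPS can be used.' }

# 2. The NPS service keeps its pre-2008 internal name, IAS.
Start-Service -Name IAS
(Get-Service -Name IAS).Status

# 3. Register the server in Active Directory (console: "Register server in
#    Active Directory") so NPS can read users' dial-in properties. Needs an
#    account allowed to change the domain's "RAS and IAS Servers" group.
netsh nps add registeredserver

# 4. Add the Juniper SSL VPN as a RADIUS client: friendly name and address
#    both set to the DNS name, vendor "RADIUS Standard" as on the Advanced tab.
#    (The cmdlet is assumed to accept a DNS name as the console does; use
#    the resolved IP address if it does not.)
New-NpsRadiusClient -Name $juniperAddress -Address $juniperAddress `
    -SharedSecret $sharedSecret -VendorName 'RADIUS Standard'

# 5. Confirm it is listed.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $juniperAddress } | Format-List

# 6. For the second NPS instance the guide recommends, export the config
#    here and import it there. The XML holds the shared secret in clear
#    text: copy it over a trusted path and delete both copies afterwards.
Export-NpsConfiguration -Path "$env:TEMP\nps-config.xml"
# On the second server:  Import-NpsConfiguration -Path C:\path\to\nps-config.xml
```

Step 3 needs the same rights as the console's “Register Server in Active Directory” command, typically a Domain Admin, because it adds the computer account to the RAS and IAS Servers group. Step 6 is the quickest way to keep two NPS servers identical, but the exported file is as sensitive as the shared secret itself.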

To specify the authentication methods the Juniper SSL VPN may use with the RADIUS server, a network policy must be configured. Follow the instructions below to configure these settings.

  1. Expand policies from the left hand panel
  2. Select network policies
  3. Right click the policy named “Connections to other access servers” and select Move Up so that it is processed first
  4. Double click the “Connections to other access servers” policy
  5. On the Overview tab, under Access Permission, select “Grant access”. Leave “Ignore user account dial-in properties” unticked; the per-user settings in the next section depend on it
  6. Select the Constraints tab
  7. Under “Authentication Methods” untick all options apart from Unencrypted authentication (PAP, SPAP)
  8. Select the Settings tab
  9. Select Encryption from the settings panel
  10. Untick all encryption methods apart from strong encryption
  11. Click OK
  12. Right click NPS (Local) and select Stop NPS Service, wait ten seconds, then right click and select Start NPS Service.

NPS is now installed and configured for use by the Juniper SSL VPN. Note that this policy permits PAP only: the user's password arrives in the RADIUS Access-Request protected solely by the shared-secret-based hiding scheme defined in the RADIUS standard, which is why the shared secret must be strong. The policy has no condition tying it to a particular RADIUS client, so keep the RADIUS client list on this server to the Juniper SSL VPN address given above; any client added later would be able to authenticate users with PAP as well.
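As an added example that is not part of the original guide, a minimal RADIUS client in PowerShell that sends one PAP Access-Request (RFC 2865) to the NPS server and reports the reply, so that the policy can be checked end to end before the Service Desk enables the Juniper side. The host it runs on must itself be registered on NPS as a RADIUS client with the same shared secret (add a temporary entry and remove it afterwards); the server address, secret and account in the usage line are placeholders.

```powershell
# Added example, not from the Schools Broadband guide. Sends one PAP
# Access-Request (RFC 2865) to NPS and reports the reply, so the policy
# above can be checked before the Juniper side is enabled. The host this
# runs on must itself be a registered RADIUS client on NPS with the same
# shared secret (add a temporary entry, remove it afterwards). Server,
# secret and account values in the usage line are placeholders.

function Send-RadiusPapRequest {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$SharedSecret,
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$Password,
        [int]$Port = 1812,
        [string]$NasIdentifier = 'nps-pap-test',
        [int]$TimeoutMs = 5000
    )
    $enc    = [System.Text.Encoding]::UTF8
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $secret = $enc.GetBytes($SharedSecret)

    # Request Authenticator: 16 random bytes (RFC 2865 s3). It seeds the
    # password hiding below and is needed to verify the reply.
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
    $id = [byte](Get-Random -Minimum 0 -Maximum 256)

    # User-Password hiding (RFC 2865 s5.2): pad to a multiple of 16 bytes,
    # then c(i) = p(i) XOR MD5(secret + c(i-1)) with c(0) = Request
    # Authenticator. With PAP this is all that protects the password on
    # the wire, which is why the shared secret must be strong.
    $pw     = $enc.GetBytes($Password)
    $padLen = [Math]::Max(16, [int]([Math]::Ceiling($pw.Length / 16) * 16))
    $padded = New-Object byte[] $padLen
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padLen
    $prev   = $reqAuth
    for ($i = 0; $i -lt $padLen; $i += 16) {
        $block = $md5.ComputeHash([byte[]]($secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $block[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    # Attribute = Type, Length (value plus the 2-byte header), Value.
    function Attr([byte]$Type, [byte[]]$Value) {
        [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
    }
    $userBytes = $enc.GetBytes($UserName)
    $nasBytes  = $enc.GetBytes($NasIdentifier)
    $attrs = New-Object 'System.Collections.Generic.List[byte]'
    $attrs.AddRange((Attr 1 $userBytes))    # User-Name
    $attrs.AddRange((Attr 2 $hidden))       # User-Password
    $attrs.AddRange((Attr 32 $nasBytes))    # NAS-Identifier

    # Header: Code 1 (Access-Request), Identifier, 16-bit Length, Authenticator.
    $length = 20 + $attrs.Count
    $packet = [byte[]](@(1, $id, ($length -shr 8), ($length -band 0xFF)) + $reqAuth + $attrs.ToArray())

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, $Port)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
    }
    catch [System.Net.Sockets.SocketException] {
        # NPS does not answer requests from hosts that are not registered
        # RADIUS clients (it logs them instead), so a timeout usually means
        # this host is missing from the client list.
        throw "No reply from ${Server}:$Port within $TimeoutMs ms (is this host a RADIUS client on NPS?)"
    }
    finally { $udp.Close() }

    if ($reply.Length -lt 20 -or $reply[1] -ne $id) { throw 'Reply does not match the request identifier' }
    $replyLen   = ([int]$reply[2] -shl 8) -bor [int]$reply[3]
    $replyAttrs = if ($replyLen -gt 20) { $reply[20..($replyLen - 1)] } else { @() }

    # Response Authenticator (RFC 2865 s3) = MD5(Code + ID + Length +
    # RequestAuth + Attributes + Secret). A mismatch means the reply was not
    # produced with our shared secret, or was altered in transit.
    $expected = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $replyAttrs + $secret))
    $valid    = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19])

    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $code  = [int]$reply[0]
    $name  = if ($codes.ContainsKey($code)) { $codes[$code] } else { "Code $code" }
    [pscustomobject]@{ Result = $name; AuthenticatorValid = $valid; From = $from.Address }
}

# Usage (placeholders; run from a host registered as a RADIUS client on NPS):
#   Send-RadiusPapRequest -Server '10.0.0.10' -SharedSecret 'YourSharedSecret' `
#       -UserName 'jsmith' -Password (Read-Host 'Password for jsmith')
# An account whose Dial-in permission is "Allow access" should return
# Result = Access-Accept with AuthenticatorValid = True.
```

Each attempt also appears in the NPS server's Security event log as event 6272 (access granted) or 6273 (access denied, with a reason code), which is the same place to look once the real requests from the Juniper start arriving. The password hiding loop is the part worth reading: the only secret material is the shared secret, so anyone who can capture the RADIUS traffic and guess the secret recovers users' passwords.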

Granting users rights to authenticate via RADIUS

Granting users the right to authenticate via RADIUS is achieved via the Dial-in tab of the user's properties in the Active Directory Users and Computers MMC.

To enable a user to authenticate, find the user in Active Directory and double click the username. Select the Dial-in tab to view the remote access properties. The first option, Network Access Permission, allows you to specify “Allow access” or “Deny access”. Note that the default setting, “Control access through NPS Network Policy”, defers to the network policy configured above, which grants access, so an account left at the default can also log in. Set “Deny access” on accounts that must not connect or, better, add a Windows Groups condition to the network policy so that only members of a dedicated VPN users group match it.

Caution should be taken when selecting users who are allowed to authenticate from outside the LAN: for example, do not permit temporary accounts or service accounts to authenticate via RADIUS.

It is also strongly recommended that any user given remote access signs an enhanced AUP to ensure passwords are complex and changed on a regular basis.
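As an added example that is not part of the original guide, a PowerShell report of which Active Directory accounts would get through the RADIUS policy configured above, with the markers of service and temporary accounts alongside, and a function that sets “Deny access” on the ones that should not. It needs the ActiveDirectory module from RSAT; the account names in the usage lines are placeholders, and the "EffectiveVpnAccess" column assumes the network policy exactly as this guide configures it (Grant access, no group condition).

```powershell
# Added example, not from the Schools Broadband guide. Reports which AD
# accounts will get through the RADIUS policy above and explicitly denies
# the ones that should not. Needs the ActiveDirectory module (RSAT). The
# Dial-in tab stores its setting in msNPAllowDialin: TRUE = Allow access,
# FALSE = Deny access, not set = "Control access through NPS Network
# Policy", which the policy configured above resolves to Grant.

Import-Module ActiveDirectory

function Get-RemoteAccessPermissionReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties msNPAllowDialin, PasswordNeverExpires, AccountExpirationDate, LastLogonDate

    foreach ($u in $users) {
        if ($null -eq $u.msNPAllowDialin) { $dialIn = 'ControlledByPolicy' }
        elseif ($u.msNPAllowDialin)       { $dialIn = 'Allow' }
        else                              { $dialIn = 'Deny' }

        # A never-expiring password usually marks a service account and a
        # set expiry date a temporary one: both are called out in the guide
        # as accounts that must not be allowed in.
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            DialIn               = $dialIn
            EffectiveVpnAccess   = [bool]($u.Enabled -and $dialIn -ne 'Deny')
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            Temporary            = ($null -ne $u.AccountExpirationDate)
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

function Block-RemoteAccess {
    param([Parameter(Mandatory = $true)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) {
        # "Deny access" on the Dial-in tab is msNPAllowDialin = FALSE; an
        # explicit deny is honoured before the network policy's Grant.
        Set-ADUser -Identity $name -Replace @{ msNPAllowDialin = $false }
    }
}

# Usage (account names are placeholders):
#   Get-RemoteAccessPermissionReport | Where-Object { $_.EffectiveVpnAccess } |
#       Sort-Object PasswordNeverExpires, Temporary -Descending | Format-Table -AutoSize
#   Block-RemoteAccess -SamAccountName 'svc-backup', 'supply-teacher01'
```

Run the report before sending the request to the Service Desk and again whenever accounts are created: with the policy as configured, every enabled account that is not explicitly denied appears with EffectiveVpnAccess = True, which is the list the Service Desk e-mail template asks you to take responsibility for.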

Providing details to the Schools Broadband Service Desk

Additional configuration is required on the Juniper MAG to enable authentication using the local RADIUS server.
This work is carried out by the Schools Broadband Service Desk who will require some information to configure this.
Please use the e-mail template below, sent to schools.broadband@eis.kent.gov.uk, to ensure the Service Desk has all the information it requires.
The Service Desk will confirm by e-mail when this change is complete.

Dear Schools Broadband Service Desk

Please could you enable Juniper SSL VPN authentication against my local RADIUS server.
I have configured my NPS server as per your documentation. I understand that I must ensure users’ credentials meet security requirements, and that no default accounts (service accounts, test users etc.) will be permitted dial-in access.

I also understand that should the RADIUS servers I have configured fail, I will not be able to log into the VPN.

Please find RADIUS details below [copy for each server specified]

DCSF No: [XXXX]
RADIUS Server OS: [Server XXXX XX]
IP [XX.XXX.XXX.XXX]
Shared Secret [XXXXXXXXXX]

Regards

[Your Name]
[Date]