User Guides are our way of advising schools of any changes they may need to carry out, with instructions on how to make those changes.
Purpose of This Guide
This guide details the procedure for installing and configuring the Network Policy Server (NPS) on Windows Server 2008 to provide RADIUS services.
The configuration in this guide details what is required to enable the Schools Broadband Juniper SSL VPN to query a locally hosted RADIUS server and successfully authenticate users against the Active Directory within your establishment.
This guide provides sufficient information to implement local authentication successfully; the Schools Broadband team offers no support to establishments attempting this configuration beyond the directions contained in this document.
This document is intended for technical staff within establishments connected to the Schools Broadband network, who are tasked with managing directory services and remote access.
Users who utilise the current Schools Broadband Cisco Concentrator VPN service are authenticated by two factors.
Firstly, Group Authentication takes place. The group username and password are transparently contained within the PCF file originally provided to you by the Schools Broadband Service Desk.
Once the group is authenticated, the user's login credentials are required to complete the authentication process. By default the authentication request is sent to the Schools Broadband Cisco ACS RADIUS server (the management of which establishments have delegated).
By following this guide, access is enabled via an SSL web page and single-factor authentication applies. Users' login credentials are sent to a RADIUS server hosted within the local establishment. This means users can use a single login instead of managing multiple logins (one for the network and one for the VPN).
There are, however, some factors that need to be considered when implementing local authentication:
- If the server(s) running RADIUS fail, you will be unable to authenticate. However, multiple RADIUS servers can be specified to provide redundancy.
- Ensure that users enabled for remote access have strong passwords. With single factor authentication the user’s login credentials are all that is required to gain full remote access to your network.
NPS can be provisioned on any member server or domain controller within the forest; we strongly recommend that two instances of NPS are present to provide fault tolerance.
NPS is bundled with the Server 2008 operating system as a role, but the role needs to be enabled.
To install NPS, please follow these instructions:
- Click Start > Server Manager
- Select Roles from the left hand panel
- Select Add Roles
- Click next on the welcome screen
- Tick the box labelled “Network Policy and Access Services” then click Next
- Read the summary and click Next
- Tick the box labelled “Network Policy Server” then click Next
- Review the installation summary, then click Install.
A progress bar displays the progress of the installation; once it reaches 100%, NPS is installed and running. Click Close to exit the wizard.
NPS can be accessed via Start > Administrative tools > Network Policy Server.
NPS must be configured to meet the criteria detailed in the instructions below to be compatible with the Schools Broadband Juniper SSL VPN.
Part of the configuration process will require you to specify a Shared Secret. This is a key that is specified on the RADIUS server and Juniper SSL VPN to secure communication.
When creating a shared secret you should adhere to general password good practice. Your shared secret should meet the following requirements, otherwise your request will be denied by the Schools Broadband Service Desk:
- At least 10 characters long
- Contain both uppercase and lowercase characters (at least 2 of each)
- Contain at least 1 symbol and 1 numeric character
- Not resemble a dictionary word
Make a note of the shared secret you use as this will be required by the Schools Broadband Service Desk.
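The requirements above as a checker, added here as an example and not part of the guide or of NPS: the word list is a small constructed stand-in for a real dictionary file, and the generator is an alternative to the NPS automatic generation feature mentioned below, not a description of it.

```python
import re
import secrets
import string

# Rules from the guide: at least 10 characters, at least 2 uppercase and 2 lowercase
# characters, at least 1 symbol and 1 numeric character, not resembling a dictionary word.
MIN_LENGTH = 10
SYMBOLS = string.punctuation

# Constructed stand-in for a real word list; load a proper dictionary file in practice.
SAMPLE_DICTIONARY = {"password", "school", "network", "broadband", "juniper"}


def check_shared_secret(secret: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the guide rules the secret violates; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in secret) < 2:
        problems.append("fewer than 2 uppercase characters")
    if sum(c.islower() for c in secret) < 2:
        problems.append("fewer than 2 lowercase characters")
    if not any(c.isdigit() for c in secret):
        problems.append("no numeric character")
    if not any(c in SYMBOLS for c in secret):
        problems.append("no symbol")
    # "Resembles a dictionary word": drop digits and symbols, lower-case the rest,
    # and look for any word of four or more letters inside what remains.
    letters = re.sub(r"[^a-z]", "", secret.lower())
    if any(word in letters for word in dictionary if len(word) >= 4):
        problems.append("resembles a dictionary word")
    return problems


def generate_shared_secret(length: int = 16) -> str:
    """Draw a random secret from the CSPRNG and retry until it satisfies every rule."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate
```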
To configure your NPS server correctly, please follow these instructions:
- Click Start > Administrative tools > Network Policy Server to launch NPS
- Right click on NPS (local) and select “Register Server in Active Directory” and acknowledge the messages
- Expand RADIUS Clients and Servers
- Right click RADIUS clients and select new RADIUS client
- Specify both the friendly name and the IP address as “juniper.schools.kpsn.net”
- Select “RADIUS Standard” from the Vendor name drop-down box
- Specify the shared secret and confirm it, or alternatively use the automatic generation feature
- Click OK. The client should now be listed.
The Juniper SSL VPN has now been specified as a RADIUS client and is able to communicate with the NPS server.
To specify the methods by which the Juniper SSL VPN can communicate with the RADIUS server, a remote access policy must be configured. Follow the instructions below to configure these settings.
- Expand policies from the left hand panel
- Select network policies
- Right click the policy named “Connections to other access servers” and select Move Up
- Double click the “Connections to other access servers” policy
- Select “Grant Access”
- Select the Constraints tab
- Under “Authentication Methods” un-tick all options apart from Unencrypted Authentication (PAP, SPAP)
- Select the Settings tab
- Select Encryption from the settings panel
- Un-tick all encryption methods apart from strong encryption
- Click OK
- Right click NPS (Local) and select Stop NPS Service, wait ten seconds, then right click again and select Start NPS Service.
NPS is now installed and configured correctly for use by the Juniper SSL VPN.
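The policy above leaves PAP as the only authentication method, so the VPN sends each user's password to NPS hidden only by the shared secret, using the User-Password hiding scheme of RFC 2865 section 5.2; that is what makes the shared-secret requirements earlier in this guide matter. The following added example (not code from the guide, NPS or Juniper) builds a PAP Access-Request the way that scheme specifies and shows the server side recovering the password; the username, password and secret are constructed sample values, and the exchange assumes the standard RFC 2865 encoding rather than anything Juniper-specific.

```python
import hashlib
import secrets
import struct
# Packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """The inverse, as the RADIUS server applies it before checking the password against AD."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(identifier: int, username: bytes, password: bytes, shared_secret: bytes) -> bytes:
    """What the VPN sends to NPS for a PAP login (constructed here, not a captured packet)."""
    authenticator = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, shared_secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, shared_secret: bytes) -> tuple:
    """Server side: walk the attributes and recover the cleartext password."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], shared_secret, authenticator)
```

Parsing the same packet with a different secret yields garbage rather than an error, which is why a guessable secret, combined with a captured exchange, is the exposure the strength rules guard against.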
Granting users rights to authenticate via RADIUS
Granting users rights to authenticate via RADIUS is achieved via the Dial-up tab of the user’s properties within the Active Directory Users and Computers MMC.
To enable a user to authenticate, find the user in Active Directory Users and Computers and double click the username. Select the Dial-up tab to view the remote access properties; the first option lets you specify either “Allow access” or “Deny access”.
Caution should be taken when selecting users who are allowed to authenticate from outside the LAN, for example do not permit temporary accounts or service accounts to authenticate via RADIUS.
It is also strongly recommended that any user given remote access signs an enhanced AUP to ensure passwords are complex and changed on a regular basis.
Providing details to the Schools Broadband Service Desk
Additional configuration is required on the VPN Concentrator to enable authentication using the local RADIUS server.
This work is carried out by the Schools Broadband Service Desk who will require some information to configure this.
Please use the e-mail template below to ensure the Service Desk has all the information it requires: (email@example.com)
The Service desk will confirm via email when this change is complete.
Dear Schools Broadband Service Desk
Please could you enable Juniper SSL VPN authentication against my local RADIUS server.
I have configured my NPS server as per your documentation. I understand that I must ensure users' credentials meet security requirements, and that no default accounts (service accounts, test users, etc.) will be permitted access to dial in.
I also understand that should the RADIUS servers I have configured fail, I will not be able to log into the VPN.
Please find RADIUS details below [copy for each server specified]:
DCSF No: [XXXX]
RADIUS Server OS: [Server XXXX XX]
Shared Secret: [XXXXXXXXXX]