Authenticating from Active Directory using RADIUS/NPS¶
Windows 2008 and later can be configured as a RADIUS server using Microsoft’s Network Policy Server (NPS). This allows authentication for OpenVPN, Captive Portal, the PPPoE server, or even the pfSense® GUI itself using Windows Server local user accounts or Active Directory.
Choosing a server for NPS¶
NPS requires a minimal amount of resources and is suitable for addition to an existing Windows Server in most environments. Microsoft recommends installing it on an Active Directory domain controller to improve performance in environments where NPS is authenticating against Active Directory. It can also be installed on a member server, which may be desirable in some environments to reduce the attack footprint of domain controllers. Each network-accessible service provides another potential avenue for compromising a server. NPS does have a solid security record, especially compared to other services that must be running on domain controllers for Active Directory to function, so this isn’t much of a concern in most network environments. Most environments install NPS on one of their domain controllers. Microsoft recommends running it on each domain controller in the forest and using NPS proxies to share the load for a busy environment.
Installing NPS¶
On Windows Server 2008:
Navigate to Server Manager
Click Roles on the left and expand it
Click Add Roles on the right
Click Next to skip the intro screen
On Server 2012:
Open the Server Manager Dashboard
Click Add Roles and Features
Click past Role-based or feature-based installation
Click Next once more
Select the server from the list
Click Next again
On either server version, the remaining steps are similar:
Check Network Policy and Access Services on the list of roles
Click Add Features if it appears
Click Next on each screen until the end of the wizard
Click Finish or Install, depending on the Windows Server version
Configuring NPS¶
To configure NPS, bring up the Server Manager and either Network Policy and Access Services (2008) or NAP (2012) should be present.
A RADIUS client will be added for pfSense first, then remote access policies will be configured.
Adding a RADIUS Client¶
Open the NPS configuration:
On Server 2008:
Open the Server Manager tree
Expand the view under it until RADIUS Clients and Server is visible
Click RADIUS Clients
On Server 2012:
Open the Server Manager dashboard
Click NAP
Right click on the server in the server list
Click Network Policy Server
Expand RADIUS Clients and Server
Click RADIUS Clients

Add New RADIUS Client¶
Add the new RADIUS client:
Right click on RADIUS Clients
Click New, as shown in Figure Add New RADIUS Client
Enter a Friendly name for the firewall, as shown in Figure Add New RADIUS Client Address. This can be the hostname or FQDN.
Enter the Address (IP or DNS) for the firewall, which must be the IP address from which pfSense will initiate RADIUS requests, or a FQDN that will resolve to that IP address.
Note
This is the IP address of the firewall interface closest to the RADIUS server. If the RADIUS server is reachable via the firewall LAN interface, this will be the LAN IP address. In deployments where pfSense is not the perimeter firewall, and the WAN interface resides on the internal network where the RADIUS server resides, the WAN IP address is what must be entered.

Add New RADIUS Client Address¶
Enter a Shared secret, as shown in Figure Add New RADIUS Client Shared Secret. This shared secret is used by pfSense to authenticate itself when making RADIUS access requests. Windows can automatically create one by clicking Generate.
Click OK.

Add New RADIUS Client Shared Secret¶
The NPS configuration is now complete. The RADIUS Client is visible as in Figure Listing of the RADIUS Client.

Listing of the RADIUS Client¶
Refer to other sections in this documentation describing the service to be used with RADIUS for more guidance on how to utilize the service. RADIUS can be used in the User Manager (User Management and Authentication) which also enables RADIUS for IPsec and OpenVPN, for Captive Portal (Portal Configuration Using RADIUS Authentication), and the PPPoE server (PPPoE Server), among other places.
Configuring Users and Network Policies¶
Whether a user can authenticate via RADIUS is controlled through Network Policies. Using Network Policies, an administrator can place a user in a specific Active Directory group to allow VPN access, and also offer more advanced capabilities such as time of day restrictions.
More information on remote access policies can be found in Microsoft’s documentation at http://technet.microsoft.com/en-us/library/cc785236%28WS.10%29.aspx.
Adding a Network Policy¶
Open the NPS configuration window
Expand NPS (Local), Policies, then Network Policies
Right click on Network Policies
Click New
Enter Allow from pfSense in the Policy name
Leave the Type of network access server set to Unspecified
Click Next
Click Add in the Specify Conditions window
Select Windows Groups
Click Add
Enter or select the name of the user group which contains VPN users, e.g. VPNUsers
Click OK
Click Next
Choose Access granted
Click Next
Select additional Authentication Methods as needed for features on pfSense, leaving any other methods selected that were already enabled:
Select Microsoft: Secured Password (EAP-MSCHAP v2) if this policy will be used for IPsec IKEv2 EAP-RADIUS authentication
Select Encrypted Authentication (CHAP)
Select Unencrypted Authentication (PAP, SPAP)
Click Next
Click Decline if a prompt to view a help topic is presented by the wizard
Configure any additional access restraints, if necessary
Click Next on the remaining screens until the final screen is reached
Click Finish
Editing an Existing Network Policy¶
Existing policies can be altered to change their constraints or other properties. For example, to edit an older policy to enable it for use by IPsec for IKEv2 EAP-RADIUS:
Open the NPS configuration window
Expand NPS (Local), Policies, then Network Policies
Edit the policy currently in use
Click the Constraints tab
Click Authentication Methods
Click Add
Select Microsoft: Secured Password (EAP-MSCHAP v2)
Click OK
Click Apply to restart NPS
Click OK
Troubleshooting NPS¶
If authentication fails, this section describes the most common problems users encounter with NPS.
Verify port¶
First ensure the default port 1812 is being used by NPS. If the NPS server was previously installed, it may have been configured with non-standard ports.
Open the NPS configuration window
Right click on NPS (Local) at the top left of the console
Click Properties
Click the Ports tab
Verify the Authentication port configuration, as shown in Figure NPS Ports. Specify multiple ports by separating them with a comma. Port 1812 must be one of the ports configured for Authentication.
Verify the Accounting ports if necessary. If RADIUS accounting is required, port 1813 must be one of the ports specified in this box.

NPS Ports¶
Check Event Viewer¶
When a RADIUS authentication attempt is answered by the server, NPS logs to the System log in Event Viewer with the result of the authentication request. If access is denied, the reason it was denied is logged.
In the Description field of the event properties, the Reason line tells why authentication failed. The two common failures are: bad username and password, when a user enters incorrect credentials; and “remote access permission for the user account was denied” when the user account is set to Deny access or the network policies configured in NPS do not allow access for that user. If NPS is logging that authentication was successful, but the client is receiving a bad username or password message, the RADIUS secret configured in NPS and pfSense does not match.
The NPS logs in Event Viewer may be easily found under Custom Views, then Server Roles, and finally Network Policy and Access Services.
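The shared secret entered for the RADIUS client (see Adding a RADIUS Client) is what makes the last symptom above happen: pfSense validates the Response Authenticator on every NPS reply with its own copy of the secret, so a mismatch turns even an Access-Accept into a failure on the firewall side. The following is an added example, not code from pfSense or NPS, that models the RFC 2865 PAP exchange with a constructed user table standing in for Active Directory; all function names are assumptions.

```python
import hashlib
import hmac
import os

# RADIUS packet codes and attribute types from RFC 2865 (the protocol pfSense and NPS speak)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _pap_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with an MD5(secret + previous block) chain."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def attr(kind, value):
    """One type-length-value RADIUS attribute."""
    return bytes([kind, len(value) + 2]) + value

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        kind, length = body[i], body[i + 1]
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, username, password, secret):
    """What the firewall sends: random Request Authenticator, User-Name and hidden User-Password."""
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, _pap_xor(padded, secret, req_auth, True))
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth + body

def nps_respond(request, secret, users):
    """What the server answers: unhide the PAP password, then sign the reply with the Response Authenticator."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    password = _pap_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    head = bytes([code, ident]) + (20).to_bytes(2, "big")
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()

def verify_response(response, request, secret):
    """Client-side check the firewall performs; it fails whenever the two shared secrets differ."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

With PAP the wrong secret also scrambles the password on the server side, so NPS itself logs a failure; with CHAP the password check does not involve the secret, which is why NPS can log success while pfSense still rejects the reply.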