How to set up RADIUS for authentication, for example with a Cisco VPN connection.
After logging on with the administrator user, open the Dashboard and choose Add roles and features.
Choose Role-based or feature-based installation and click on Next.
Select the server that gets the new feature and click on Next.
Select Network Policy and Access Services and add the features.
Click on Next
Do NOT change any settings and click on Next
Click on Next
Select Network Policy Server and click on Next.
Select Restart if needed (only when it's possible to restart) and click on Install.
You can close this window, or keep it open to watch the installation finish.
Select Tools > Network Policy Server.
A new window will open.
Right-click on NPS (Local) and select Register server in Active Directory.
Click on OK to continue
Click on OK
Click on RADIUS Clients and Servers > RADIUS Clients (right-click) > New.
Add the device together with the shared secret it will use to connect, and click on OK.
Create a new group in Active Directory (call it, for example, VPN).
Create a new Network Policy:
Click on Policies > Network Policies (right-click) > New.
Give the policy a simple name and click on Next.
Add a new Condition > Select Windows Groups > click on Add
Select the Windows group or groups and click on OK
Click on Next
Select Access Granted and click on Next
Select all options except the last one and click on Next
You get a message asking whether you want to read more; click on Yes if you want to read it, otherwise click on No.
Keep the settings to default and click on Next
Keep the settings to default and click on Next
Click on Finish.
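The same setup scripted in PowerShell, as an added example that is not part of the original guide. The group OU path, the client name VPN-Gateway and the address 192.0.2.10 are assumptions to replace with your own values; the network policy itself is still created in the NPS console as described above.

```powershell
# Added example, not the original guide's code. Placeholders: the OU path,
# the client name "VPN-Gateway" and the address 192.0.2.10.

# 1. Install the Network Policy and Access Services role with its console
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it may read users' dial-in properties
netsh nps add registeredserver

# 3. Security group the network policy will match on (the "VPN" group above)
New-ADGroup -Name "VPN" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,DC=example,DC=com"    # assumption: adjust to your domain

# 4. Generate a long random shared secret instead of a short typed password;
#    the same value is then configured on the VPN device
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 5. Add the VPN device as a RADIUS client (the "RADIUS Clients > New" step)
New-NpsRadiusClient -Name "VPN-Gateway" -Address "192.0.2.10" `
    -SharedSecret $secret -VendorName "RADIUS Standard"

# Verify the client was created
Get-NpsRadiusClient -Name "VPN-Gateway"

# 6. Check authentication results: with Network Policy Server auditing enabled,
#    NPS writes 6272 (access granted) and 6273 (access denied, with a reason)
#    to the Security log
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# A configuration export contains the shared secrets in clear text, so store
# the file as carefully as a password file
netsh nps export filename="C:\nps-backup.xml" exportPSK=YES
```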
Nice guide. This page was the 4th ranked page when I googled “server 2012 r2 radius”, so I think you may want to consider cleaning up the screenshots. Even clicking to the bigger images was like looking at them through a wet paper towel.
The pictures are just small. I have to redo the pictures, which will be done in the upcoming days. However, it's not much different from a configuration on Windows Server 2008 R2 🙂
Pingback: » How my Wifi is unique
Windows Server 2012 R2 as RADIUS for VPN
http://blog.it-kb.ru/2015/01/21/windows-server-2012-r2-remote-access-configure-l2tp-ipsec-vpn-server-in-nlb-cluster-with-two-factor-authentication-based-on-user-domain-account-and-computer-certificate-with-nps-radius-authorization/
It's a nice blog; unfortunately, I need to use a translator to read this blog post 🙂
When you need such a setup, it's great to use.
Do you know if it is possible to apply certain policies to certain clients, i.e. I want AD Group X to be able to authenticate on client X and AD Group Y to be able to authenticate on client Y, and so on?
In the Small Business Server editions of 2008 and 2011 you are able to select where a user can connect to a computer. At the moment I am unable to look for this policy.
It works if the IP address in the accept is static, but how do you use an address from an IP scope?
Does the server you use need to be a Domain Controller?
No, it doesn't need to be a domain controller.
The prompt after clicking “Register Service in Active Directory” says “clients must be authorized to read dial-in properties, etc.” Is it assumed my clients are authorized if they’re in the user list, or should I make sure some other setting is right first? Up until now, we’ve only used AD as authentication for a bunch of Macs to get on Windows Remote Desktop. I don’t want to kick everyone out and have to scramble to undo what I did. Thanks,
Jeff
ps. GREAT GUIDE!
Jeff, there you choose how to specify which clients can authenticate. If you create a security group in Active Directory, it will be easier to maintain. Otherwise you need to change the dial-in properties of every user.
I think the best solution for you is to create a security group > put the users in there > add the group to the RADIUS settings, and you're done. You don't need to change the dial-in properties.
I hope this will help you.
We use a D-Link DWC2000 controller and 8610 APs. In the Windows RADIUS server's “RADIUS Clients”, should we add all AP IP addresses, or is only the controller IP sufficient?
It depends on the brand. For example, with a Cisco WLAN controller it's not needed, while for a Netgear WLAN controller you need to add all APs to the RADIUS setup.
What do you recommend, irrespective of brands? Should we add the APs in RADIUS Clients as well?
At the moment it's working with the controller, so I'm just cross-checking.
If it's working now with only the controller configured, there's no need to change it, unless the vendor explicitly recommends it in its documentation. For example, the Netgear APs we have running in our office are basically standalone but connected to the WLAN controller; this is why we need to add the Netgear APs to the RADIUS.
Users are able to connect to RADIUS and users get an IP address too, but sometimes users are facing disconnections and connectivity with an APIPA IP address.
What could be the reason for users getting an APIPA IP? We have sufficient IP addresses in the DHCP pool.
With WPA2 we don't have such an APIPA issue; with RADIUS we are seeing these random APIPA issues.
Should the radius server be a member of the domain it’s passing authentication to ?
Depends on how you want to use it. If you're going to use domain user authentication, yes. But apparently you can use local users, following this document (from Windows 2008): https://technet.microsoft.com/en-us/library/dd197512(v=ws.10).aspx
Thanks Fred .
Hey Fred, nice post. Do you know if you can configure 2012 R2 NPS RADIUS to support One Time Password (OTP) from a RADIUS client? In my case the client would be a NetScaler AAA brokering incoming connections. I know NetScaler supports it but cannot find clear information regarding RADIUS…
I didn't know that; I should check that out when I have the time.
Hey Fred, great guide. I am unable to register server in Active Directory. I am using it to authenticate to Juniper switches and routers, which do not use Active Directory credentials. Can I just skip that part and add clients?