Nps Ip Address Assignment

Configure RADIUS Clients

  • 6 minutes to read
  • Contributors

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to configure network access servers as RADIUS Clients in NPS.

When you add a new network access server (VPN server, wireless access point, authenticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS, and then configure the RADIUS client to communicate with the NPS server.

Important

Client computers and devices, such as laptop computers, tablets, phones, and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers - such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers - because they use the RADIUS protocol to communicate with RADIUS servers, such as Network Policy Server (NPS) servers.

This step is also necessary when your NPS server is a member of a remote RADIUS server group that is configured on an NPS proxy. In this circumstance, in addition to performing the steps in this task on the NPS proxy, you must do the following:

  • On the NPS proxy, configure a remote RADIUS server group that contains the NPS server.
  • On the remote NPS server, configure the NPS proxy as a RADIUS client.

To perform the procedures in this topic, you must have at least one network access server (VPN server, wireless access point, authenticating switch, or dial-up server) or NPS proxy physically installed on your network.

Configure the Network Access Server

Use this procedure to configure network access servers for use with NPS. When you deploy network access servers (NASs) as RADIUS clients, you must configure the clients to communicate with the NPS servers where the NASs are configured as clients.

This procedure provides general guidelines about the settings you should use to configure your NASs; for specific instructions on how to configure the device you are deploying on your network, see your NAS product documentation.

To configure the network access server

  1. On the NAS, in RADIUS settings, select RADIUS authentication on User Datagram Protocol (UDP) port 1812 and RADIUS accounting on UDP port 1813.
  2. In Authentication server or RADIUS server, specify your NPS server by IP address or fully qualified domain name (FQDN), depending on the requirements of the NAS.
  3. In Secret or Shared secret, type a strong password. When you configure the NAS as a RADIUS client in NPS, you will use the same password, so do not forget it.
  4. If you are using PEAP or EAP as an authentication method, configure the NAS to use EAP authentication.
  5. If you are configuring a wireless access point, in SSID, specify a Service Set Identifier (SSID), which is an alphanumeric string that serves as the network name. This name is broadcast by access points to wireless clients and is visible to users at your wireless fidelity (Wi-Fi) hotspots.
  6. If you are configuring a wireless access point, in 802.1X and WPA, enable IEEE 802.1X authentication if you want to deploy PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS.

Add the Network Access Server as a RADIUS Client in NPS

Use this procedure to add a network access server as a RADIUS client in NPS. You can use this procedure to configure a NAS as a RADIUS client by using the NPS console.

To complete this procedure, you must be a member of the Administrators group.

To add a network access server as a RADIUS client in NPS

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
  2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
  3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
  4. In New RADIUS Client, in Friendly name, type a display name for the NAS. In Address (IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify if you want to verify that the name is correct and maps to a valid IP address.
  5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
  6. In New RADIUS Client, in Shared secret, do one of the following:
    • Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
    • Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS server.
  7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
  8. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.

Configure RADIUS Clients by IP Address Range in Windows Server 2016 Datacenter

If you are running Windows Server 2016 Datacenter, you can configure RADIUS clients in NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS console at one time, rather than adding each RADIUS client individually.

You cannot configure RADIUS clients by IP address range if you are running NPS on Windows Server 2016 Standard.

Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are all configured with IP addresses from the same IP address range.

All of the RADIUS clients in the range must use the same configuration and shared secret.

To complete this procedure, you must be a member of the Administrators group.

To set up RADIUS clients by IP address range

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
  2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
  3. In New RADIUS Client, in Friendly name, type a display name for the collection of NASs.
  4. In Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if the IP address range for the NASs is 10.10.0.0, type 10.10.0.0/16.
  5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
  6. In New RADIUS Client, in Shared secret, do one of the following:
    • Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
    • Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS server.
  7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if all of your NASs support use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
  8. Click OK. Your NASs appear in the list of RADIUS clients configured on the NPS server.

For more information, see RADIUS Clients.

For more information about NPS, see Network Policy Server (NPS).

SBS 2011 Essentials – Configuring VPN access

It has been pointed out that SBS 2011 Essentials does not have the familiar wizards to create VPN access to the server.  Though a better and MUCH more secure option is to make use of Remote Web Access, or add a VPN capable router that supports an IPSec client, on occasion there are reasons to still make use of the native Windows VPN feature.  Where SBS has traditionally supported the PPTP protocol for its VPN, this article will address creating similar service.

Add the RRAS Role:

The first step is to add the RRAS (Routing and Remote Access) role.  To do so open the Server Manager under Administrative Tools, click on roles, scroll down to the Network Policy And Access Service role, and choose Add Role Services.

In the resulting window add the RRAS services.

Click Next, and Install.

Configure RRAS:

Open the newly created RRAS console, under Administrative Tools, and then right click on the server name and choose Configure and Enable Routing and Remote Access.  Select Next, and then choose Custom Configuration, and Next.

Select VPN Access and LAN Routing in the next window.

Choose Next, Finish, accept the notification that a default Network Policy Server policy has been created, confirm to start the service (RRAS), and wait for it to complete.

SBS Essentials is not the DHCP server for the network in a default configuration. Though you may be able to configure a DHCP relay it is simplest to create a static address pool for VPN clients from which they can obtain an IP address.  To do so in the RRAS console right click on the server name and choose properties. Under the IPv4 tab select Static Address Pool, Add, and then enter a range of IP’s to be assigned to the VPN clients. Make sure you have enough to support the total number of simultaneous VPN clients you will have.  This range needs to be part of the same subnet as the server itself, and the IP’s selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network.

You also need to verify the number of available PPTP ports is sufficient to support the maximum number of simultaneous VPN connections.  The default with SBS Essentials is 50, which should be more than enough. However if you wish to make adjustments it can be set from 1 and 128. You can also reduce the number of ports for other protocols not in use if you like, though there is no need.  To configure right click on Ports in the RRAS console below the server name, and choose properties.  To make changes highlight the port type and click Configure:

Add a Group:

Next we will create a group for VPN users.  Only members of this group will be granted access to the server using the VPN connection. Open Active Directory Users and Computers, expand your domain, right click on Users and choose New, then Group.

Enter a name for your group such as “VPN Users” and select Global & Security. Click OK.

You can now double click on the newly created group and add members by adding individual users or existing groups. For example you might want to add the Domain Users group, if you want to allow all users access. You can manually type these in and click Check Names, or choose Advanced and Find to browse and locate users and groups.

Configure NPS:

The final server configuration is to add a policy to define who has access to the server using the VPN. In server 2003 and earlier, if RADIUS was not configured, the common way of allowing access was to simply select “Allow Access” in each user’s profile.  This still works, but it is better to make use of NPS and have polices defining protocols, user, hours of access, and more, so I suggest leaving this set as Control Access through NPS Network Policy”.

Again under Administrative Tools, open the Network Policy server console, expand Policies, and click on Connection Request Policies.  You will note to the right, configuring Radius has already created the default Microsoft Routing and Remote Access Service Policy.

We will add a new Network Policy.  Right click on Network Policies and choose New, enter a policy name such as “ VPN User Access”, select Remote Access Server (VPN Dial-up), and Next

In the Specify Conditions window scroll down to find the User Groups option, click Add, Add Groups, enter the name of the group you created earlier (VPN Users), and OK.

In the next two windows you can accept defaults;

Under Configure Constraints choose NAS port type, then under Configure Dial-up and VPN tunnel types select Virtual (VPN), which will automatically check the same under Other.

Accept defaults under Configure Settings, click Next and Finnish.

Though you can add many restrictions within the policy, I recommend configuring with the SBS standards as above and thoroughly testing your VPN before tightening security.  You can also create multiple policies with different restrictions for different groups if needed.

Windows Firewall:

The above configuration should have automatically configured the necessary Firewall Exceptions for RRAS, but to verify compare to the following.

In the Windows Firewall console:

In the Windows Firewall with advanced Security console (Note: The L2TP-In policy was created, but is not necessary for our configuration.):

Router Configuration:

You will also have to manually configure your router to forward the PPTP protocol and enable GRE pass-through.  In an ideal world if UPnP is enabled on the router (which I don’t recommend) the SBS will configure port forwarding for port 1723, but it will not address GRE.  Configuring a router to forward VPN traffic is done in a  multitude of different ways depending on the router used.  Most of the inexpensive SOHO routers are configured by forwarding port 1723 to the IP address of the SBS, and under the firewall section select “allow PPTP pass-through”.  Some others allow you to forward the PPTP service rather than the port, which both forwards port 1723 and enables GRE pass-through.  Still others have different methods or require manual commands.  Keep in mind GRE is a protocol (protocol 47) and not port 47 so it cannot be configured with a forwarding rule. You can test if port forwarding is properly configured by entering 1723 in the “port” box at http://www.canyouseeme.org/ however this will not test for GRE pass-through.  If the VPN connection fails with a 721 or 806 error, it usually indicates GRE is blocked.  Keep in mind GRE and/or PPTP can be blocked by third party security software on your server, or an ISP that does not support the protocol.

While on the subject of routers, it was mentioned above when creating the static address pool in RRAS that; “the IP’s selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network”.  I strongly recommend verifying that the router’s DHCP address range available to clients does not conflict with that of the static address pool.  If your router supports exclusions, add the RRAS static address range, or in the example above we used 192.168.22.200-219 for the static address pool, so set the router’s DHCP range to something like 192.168.22.100-199.  Again make sure neither conflict with any devices that may have a static address such as a printer.

A note about routing: An important fact to note that is that when traffic is sent from one network segment to another, as is done with a VPN, that all segments in the path between the client and host must use a different network ID (Subnet) for routing to take place. For example, if the remote client and server sites both were to use 192.168.0.X locally, the VPN will connect, but you cannot access resources. This is important to be aware of since SBS Essentials defaults to having the router determine the subnet, and if the default router settings are used, it is common to have them overlap with the client site. It is always best to use uncommon subnets for the corporate site. Therefore avoid the common/default subnets listed below and use something like 192.168.123.x when setting up the SBS site.

  • Avoid the following subnets as they are common router or user defaults with the first two being extremely common: 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 192.168.111.x, 10.0.0.x, 10.0.1.x, 10.1.1.x, 10.10.10.x, 172.16.1.x

Client Configuration:

Creating client access is very straight forward. Open the Network and Sharing Center in control panel, and click on Connect to a workplace, and Next.

Choose No, create a new connection, and in the next window select Use my Internet connection (VPN).  In the resulting window enter the public IP or the FQDN of your SBS site, and a ‘friendly’ name for the connection.   Select allow other people to use this connection, and/or don’t connect now, if you wish.

In the final window enter a user name (member of your VPN User Group) and password.  I do not recommend choosing the save password option, for security reasons.  Then click connect.  If all is in place you should now be able to connect to the server and other resources on the network.  You may wish to test by Pinging the server IP.

Name Resolution:

You will likely not be able to access resources using either their NetBIOS or DNS name. At this point you are best to connect using the IP address such as  \\192.168.123.123\ShareName.  If you wish to use DNS names you need to configure the VPN (Virtual NIC) under adapter settings to point to the SBS for DNS, and add the DNS suffix.  For more details see: VPN client name resolution

Connection Manager:

With SBS 2003 there was an option to create a deployable VPN client named “Connection Manager”. This was a fully configured client that did allow you access to the server using DNS names, and was very easy for clients to install on their remote computer.  This is not longer available but if interested you can create your own installation package, with connection and DNS options pre-configured, using CMAK (Connection Manager Administration Kit). For details see:  http://technet.microsoft.com/en-us/library/cc753977(WS.10).aspx

Updated Jan 31/2011:

After the first client has connected by VPN, check the DNS management console and see if the VPN’s virtual adapter IP has been added under Interfaces. If so you need to uncheck it, or client machines will receive this as their DNS server IP. You can find the VPN IP by running IPconfig and look next to the PPP adapter.

Tagged with:

0 Replies to “Nps Ip Address Assignment”

Lascia un Commento

L'indirizzo email non verrà pubblicato. I campi obbligatori sono contrassegnati *