Configuring Active Directory (Windows 2008 Server R2) RADIUS Server for OpenVPN Access Server
Last modified: 12 April 2012
Introduction
Active Directory can be integrated with OpenVPN Access Server through the RADIUS server that ships with Windows Server 2008 R2, the Network Policy Server (NPS). Access Server forwards the user's credentials to NPS over RADIUS, and NPS validates them against Active Directory and applies a network policy that decides who may connect. This article assumes that you already have a Windows Server 2008 R2 machine with the Active Directory Domain Services and Network Policy and Access Services roles installed.
Server Configuration
To begin setting up the RADIUS server, you will first need to know the IP address of your OpenVPN Access Server. If you do not know what this is, you can issue an ifconfig command in the terminal of your OpenVPN Access Server instance. Note that NPS matches RADIUS clients by the source address of the requests it receives, so if the Access Server sits behind NAT you must use the address that NPS will actually see, not the address shown by ifconfig.
After you have obtained the IP address of your OpenVPN Access Server, open Server Manager on your Windows 2008 R2 machine. Navigate to Network Policy and Access Services, NPS (Local), RADIUS Clients and Servers, and lastly RADIUS Clients. In the right navigation pane, click New to add a new RADIUS client.
In the New RADIUS Client dialog, enter a friendly name (this can be anything), your OpenVPN Access Server's IP address, and select the Generate radio button. Click the Generate button and copy the generated secret to a safe place; you will need it when configuring Access Server later. Treat this string as a credential: it is the only thing that lets NPS distinguish your Access Server from any other host claiming that IP address, and it authenticates every RADIUS exchange between the two. Afterwards, click the OK button.
After the configuration of the RADIUS client is complete, navigate to the Network Policies section underneath Policies. Click New in the right navigation pane.
In the New Network Policy dialog, enter a name for your new policy (this can be any name you like). Leave the server type as Unspecified and click the Next button.
In the Specify Conditions dialog, click the Add... button.
Select Windows Groups, and then click the Add... button.
Click Add Groups... to add new group memberships.
Type the names of the groups you want to allow access to. In this example, members of the group VPNUsers are allowed access to the VPN. Click OK when finished.
If you do not have any more groups you would like to add to the list, click OK to finish populating the group list.
NOTE: If this NPS also serves other RADIUS clients on your network besides your VPN server (wireless controllers, switches, other VPN gateways), you should limit this policy so that it only matches requests coming from your OpenVPN Access Server. A network policy conditioned on group membership alone matches a request from any RADIUS client, so otherwise anyone in the groups listed above would also be granted access through every other device that authenticates against this server.
To do so, click Add... to add another condition, select Client IPv4 Address under RADIUS Client Properties as the condition, and click Add....
Enter the IP address of your OpenVPN Access Server, and then click the OK button.
Click the Next button to finish defining conditions.
In the following dialog, accept the default Access Permission (Access granted) and then click Next.
In the Configure Authentication Methods window, under EAP Types:, click the Add... button.
Select Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.
Click OK to finish configuring the list of authentication methods. Access Server sends plain RADIUS MS-CHAP-v2 rather than EAP, so the option that actually has to be enabled is Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) in the list of less secure authentication methods lower in the same window; it is checked by default. You can uncheck the MS-CHAP (version 1) option and should not enable PAP or CHAP unless you have a reason to, so that the policy accepts only the method Access Server will use.
Accept the default constraints, and then click the Next button.
Accept the default settings for the network policy, and click the Next button.
Click Finish to exit the New Network Policy wizard.
NPS evaluates network policies in the order they are listed and applies the first one whose conditions match the request. The two default policies (denoted with a red X) deny access, so if your new network policy appears below them, every request will match a deny policy first and your clients will not be able to authenticate against the server. To fix this, select the newly created policy and click the Move Up option in the right navigation pane until your policy is above the default block policies.
Once this is done, you are ready to configure your Access Server for RADIUS access.
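The NPS side of the procedure above, scripted and verified, as an added example that is not part of the original article or of OpenVPN's or Microsoft's own documentation. It uses netsh nps, the scripting interface for NPS on Windows Server 2008 R2 (the NPS PowerShell module only ships with Windows Server 2012 and later), the ActiveDirectory module that comes with the AD DS role, and the NPS audit events in the Security log. The Access Server address 192.0.2.10, the RADIUS client name OpenVPN-AS and the audit-event field names are assumptions made for the example; the group name VPNUsers is the one used in the article. The network policy itself is still created in the wizard as described; the script registers the client, checks policy order and explains recent denials.

```powershell
# Added example (not from the original article): script the NPS side of the procedure
# above on Windows Server 2008 R2 and verify the result. Assumed values: the Access
# Server is at 192.0.2.10, the RADIUS client entry is called OpenVPN-AS and the allowed
# AD group is VPNUsers. Run in an elevated PowerShell on the NPS machine.
param(
    [string]$AccessServerIp = "192.0.2.10",  # assumed: address NPS sees RADIUS requests from
    [string]$ClientName     = "OpenVPN-AS",  # assumed: friendly name of the RADIUS client (no spaces)
    [string]$GroupName      = "VPNUsers"     # group from the article's example
)

# 1. Generate the shared secret locally instead of with the dialog's Generate button.
#    Alphanumeric only so it pastes cleanly into netsh and into the Access Server UI;
#    rejection sampling avoids modulo bias when mapping bytes onto 62 characters.
function New-RadiusSecret([int]$Length = 48) {
    $alphabet = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { $chars.Add($alphabet[$buf[0] % 62]) }   # 248 = 4 * 62
    }
    -join $chars
}

# 2. Make sure the group named in the policy's Windows Groups condition exists.
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    Write-Host "Created group $GroupName; add your VPN users to it."
}

# 3. Register the Access Server as a RADIUS client. NPS only processes requests that
#    arrive from this address and carry this secret; keep the secret out of tickets and chat.
$secret = New-RadiusSecret
netsh nps add client name="$ClientName" address="$AccessServerIp" state="ENABLE" sharedsecret="$secret"
Write-Host "Shared Secret to paste into the Access Server RADIUS page: $secret"
netsh nps show client | Select-String -Pattern $ClientName, $AccessServerIp

# 4. Check processing order: your policy must sit above the two default deny policies,
#    because NPS applies the first network policy whose conditions match.
netsh nps show np | Select-String -Pattern "name|order|state"

# 5. Troubleshooting. NPS writes granted (6272) and denied (6273) requests to the Security
#    log when the "Network Policy Server" audit subcategory is enabled (the default).
auditpol /get /subcategory:"Network Policy Server"

$reasons = @{
    16 = "user credentials mismatch (wrong password, or MS-CHAP-v2 not reaching AD)"
    48 = "no network policy matched (policy below the default deny policies, or wrong group/client IP)"
    49 = "no connection request policy matched"
    65 = "account's dial-in Network Access Permission is set to Deny access"
    66 = "authentication method not enabled on the matched policy (check MS-CHAP-v2)"
}
# Field labels below are those of event 6273 as rendered in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 6273 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg    = $_.Message
        $code   = if ($msg -match "Reason Code:\s+(\d+)")       { [int]$Matches[1] } else { -1 }
        $user   = if ($msg -match "Account Name:\s+(\S+)")      { $Matches[1] }      else { "?" }
        $client = if ($msg -match "Client IP Address:\s+(\S+)") { $Matches[1] }      else { "?" }
        $why    = if ($reasons.ContainsKey($code)) { $reasons[$code] } else { "see the Reason field in the event" }
        "{0}  denied  user={1}  client={2}  reason {3}: {4}" -f $_.TimeCreated, $user, $client, $code, $why
    }
```

Reason code 48 is the one you will see if the policy was left below the default deny policies, and 66 if MS-CHAP-v2 was unchecked; both are cheaper to read from the log than to guess at from the Access Server side, which only reports that RADIUS rejected the user.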
Access Server Configuration
Log on to your Admin Web UI. Under Authentication, click the RADIUS option.
If the RADIUS module is not already in use, click the Use RADIUS button.
In the RADIUS Authentication configuration page, select MSCHAPv2 as the authentication method. Afterwards, enter the IP address of the Windows server running NPS in the Hostname or IP Address text box; in the setup described here that is your domain controller, but it must be the machine on which you created the RADIUS client and network policy. The Shared Secret is the long text string that you copied and saved earlier. Paste it in the corresponding text box and click Save Settings to continue.
Click the Update Running Server button to finalize the changes. Your Access Server should now authenticate users against Active Directory through NPS, and you can manage per-user settings under the User Permissions section of the Admin Web UI. Test with an account that is a member of VPNUsers and with one that is not; the second must be refused, otherwise the network policy is not the one being matched.