Looking for instructions to configure a RADIUS server on Windows Server 2016? This article will guide you through it in detail. Scroll down to read!
Since the RADIUS server first appeared, it has brought much more convenience to Windows users. Most of us never see what this tool looks like, but we use its applications almost every day.
In today’s article, we will tell you more about this tool, then walk you through the instructions on how to configure a RADIUS server on Windows Server 2016 in detail. Let’s dive right in!
Radius Server And Its Features
In the first part, let’s get to know what this tool is and its main features!
Radius Server Windows
RADIUS is an abbreviation for Remote Authentication Dial-In User Service. It is a protocol used for authenticating users and collecting data from the connected resources. RADIUS works by exchanging information between a central server and network devices. Access to dial-in devices or services can therefore be authorized remotely through the central service.
Main Features Of Radius Server
The RADIUS server has many useful features. Let’s go through them one by one:
- Wireless authentication: IEEE 802.11 authentication offers access control for wireless routers, access points, and hotspots in EAP/WPA-Enterprise/WPA2-Enterprise modes.
- Multiple authentication backends: The RADIUS server can authenticate against local Windows groups, Windows domains, and LDAP directories.
- Advanced RADIUS proxy: RADIUS requests are handled as incoming and outgoing forwarded packets.
- Built-in account management: Using the RADIUS server, you can add, modify, and delete user accounts within the database.
- The RADIUS server provides dynamic authorization extensions.
- It offers third-party billing system integration: the ClearBox Server can be integrated with SQL-based billing systems to support the RADIUS server authentication process.
- The protocol offers multiple accounting consumers.
- Users can take advantage of cloud integration by using this protocol.
How To Configure Radius Server On Windows Server 2016 - Detailed Guide
In this part, we focus on how to set up a RADIUS server on the Windows Server 2016 operating system. You will also find instructions for verifying the setup on Cisco devices. Let’s take a closer look!
Setting Up The Radius Server (NPS) Role
Before installing the RADIUS server role, create a new security group in the AD domain named RemoteSiscoUsers. Then add to it all the users who will authenticate on the Cisco routers.
Creating a security group
Starting with Windows Server 2008 R2, the RADIUS server is provided by the Network Policy Server (NPS) role. This role lets you authenticate remote clients against AD using the RADIUS protocol.
Now we will show you how to set up the RADIUS server role on the Windows Server 2016 operating system. First, open Server Manager and launch the Add Roles and Features wizard. In the wizard, choose the Network Policy and Access Services option.
You can also install the NPS role from PowerShell with the command:
Install-WindowsFeature NPAS -IncludeManagementTools
After the installation is complete, open the Network Policy Server console (nps.msc) from the “Tools” menu.
Choosing Network Policy Server option
The next step is registering your server in Active Directory. In the NPS console, right-click the root node and select the Register server in Active Directory option.
Selecting the Register server in the Active Directory option
Then confirm the registration.
Another way to register the NPS server in Active Directory is the command:
netsh ras add registeredserver
The server is then added to a built-in domain group and is given the authority to read the properties of Active Directory user accounts.
The server is added in the domain group IAS and RAS Servers
Next, add the RADIUS client. In this case, the client can be a Wi-Fi access point, a router, or a switch.
Adding a new Radius client
A settings window appears where you fill in the necessary information. Pay attention to the shared secret: it is the password used in the configuration of the Cisco router.
Filling in the necessary information
Go to the Advanced tab of the settings window and choose Cisco as the Vendor name.
Choosing the name of the vendor
Instead of the NPS GUI, you can add the client with the New-NpsRadiusClient PowerShell cmdlet:
New-NpsRadiusClient -Address "192.168.31.1" -Name "cisco2960" -SharedSecret "Zb+kp^JUy]v\ePb-h.Q*d=weya2AY?hn+npRRp[/J7d"
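The installation and client-registration steps above as one repeatable script; this is an added example, not code from the original article. It assumes an elevated session on the NPS server, reuses the article's client name and address, and generates the shared secret randomly; the New-RadiusSharedSecret helper is hypothetical.

```powershell
# Added example, not from the original article. Run elevated on the NPS server.
# Client name and address are the article's values.
$ClientName    = 'cisco2960'
$ClientAddress = '192.168.31.1'

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-symbol alphabet: 256 is a multiple of 64, so mapping a random byte
    # with "% 64" introduces no modulo bias. No '?' or spaces, which are
    # awkward to enter on the Cisco CLI.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# 1. Install the NPS role only if it is missing.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}

# 2. Register the RADIUS client once, with a freshly generated secret
#    instead of one copied from documentation.
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }
if ($existing) {
    Write-Output "RADIUS client '$ClientName' already exists ($($existing.Address)); not changed."
} else {
    $secret = New-RadiusSharedSecret -Length 32
    New-NpsRadiusClient -Name $ClientName -Address $ClientAddress `
        -VendorName 'Cisco' -SharedSecret $secret | Out-Null
    # Shown once so it can be entered on the switch; do not keep it in the script.
    Write-Output "Created '$ClientName'. Shared secret for the switch: $secret"
}
```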
Setting Up NPS Policies On The Radius Server
NPS policies let you authenticate remote users and grant them the access permissions configured in the NPS role. With these policies you can also refer to RADIUS client records and to a domain security group. Policies on the RADIUS server are grouped into two categories:
- Connection request policies: These contain the conditions that determine which connection requests from its clients the RADIUS server processes.
- Network policies: These contain the settings and conditions that let you authorize which connections to the network are allowed by your server. They are processed one by one from top to bottom.
In our situation, we will use NPS network policies. Here are the details on how to do it. Go to Policies > Network Policies and choose New:
Choosing the new option
Next, enter the name of the policy, and leave the type of network server unchanged.
Verifying the Policy name
After that, add the RADIUS conditions that you want to apply. Here you have two conditions:
- The authorized user must be a member of a domain security group.
- The device being accessed must have a specific name.
Use the Add button to create the conditions, choosing the Windows Groups type and specifying the Client Friendly Name. Note that this name is different from the DNS name of your device; it will be used later to identify specific network equipment.
On the next screen, choose the option Access Granted.
Choosing the access granted option
Then select only the fourth option and leave the other options unchecked.
Selecting the fourth option
Skip the next step and go to the Configure Settings page. Go to RADIUS Attributes > Standard. Remove the existing attributes and click Add. Then select Access type > All, then Service-Type > Add. Specify Others = Login.
Setting up the attributes information
To add a new attribute to the RADIUS Attributes, go to the Vendor-Specific section. Add Cisco as the Vendor, and for the value enter: shell:priv-lvl=15. This value means that users authorized by this policy are granted the maximum administrative privilege level (15) on the Cisco device.
Adding the value of attributes
A summary screen appears with all the chosen NPS policy settings.
The accomplished setting
To back up the current configuration of the NPS server to an XML file, use the command:
Export-NpsConfiguration -Path c:\ps\backup_nps.xml
To restore the NPS configuration from a previous backup, use:
Import-NpsConfiguration -Path c:\ps\backup_nps.xml
The order of the RADIUS policies is quite important.
Policies are processed from top to bottom. If all the conditions of a policy are met, processing of the following policies stops. To avoid this scenario, you can change the priority of a policy with the Processing Order value.
The list of policy
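The effect of processing order described above, as an added example (a simplified model written for this page, not NPS code): policies are evaluated top to bottom and the first one whose conditions all match decides the result. The policy names, the Cisco_* friendly-name pattern and the sample request are constructed.

```powershell
# Added example: a simplified model of first-match evaluation, not NPS itself.
# Policy names, the Cisco_* pattern and the request are constructed sample data.
$policies = @(
    [pscustomobject]@{ Order = 1; Name = 'Deny domain users'; Group = 'Domain Users'
                       ClientPattern = '*'; Access = 'Deny' }
    [pscustomobject]@{ Order = 2; Name = 'Cisco admins'; Group = 'RemoteSiscoUsers'
                       ClientPattern = 'Cisco_*'; Access = 'Grant' }
)

function Resolve-NetworkPolicy {
    param($Policies, [string[]]$UserGroups, [string]$ClientFriendlyName)
    foreach ($p in ($Policies | Sort-Object Order)) {
        # A policy matches only when every one of its conditions is met.
        if (($UserGroups -contains $p.Group) -and
            ($ClientFriendlyName -like $p.ClientPattern)) {
            return $p      # first match wins; later policies are never evaluated
        }
    }
    return $null           # nothing matched: the request is rejected
}

# An administrator who is in both groups, logging in to a switch.
$request = @{
    UserGroups         = 'Domain Users', 'RemoteSiscoUsers'
    ClientFriendlyName = 'Cisco_sw01'
}

$before = Resolve-NetworkPolicy -Policies $policies @request
"Before: '{0}' matched first -> {1}" -f $before.Name, $before.Access

# Raise the priority of the specific policy (what Processing Order does in the console).
($policies | Where-Object { $_.Name -eq 'Cisco admins' }).Order = 0
$after = Resolve-NetworkPolicy -Policies $policies @request
"After:  '{0}' matched first -> {1}" -f $after.Name, $after.Access
```

With the broad policy on top the administrator is denied even though the intended policy would grant access; after reordering, the specific policy matches first.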
To activate the account, open the Active Directory Users and Computers console (dsa.msc). Next, find the user, open its properties, and choose the settings as in the photo below:
Verifying Radius Setting On Cisco Devices
After setting up the RADIUS server, the next step is verifying the RADIUS settings on Cisco devices. Because domain accounts are used for authorization, the credentials must be transmitted in encrypted form. To do this, disable Telnet on the switch and enable SSHv2 on the Cisco device with the following commands:
- configure terminal
- crypto key generate rsa modulus 1024
- ip ssh version 2
– If no response is received from the server, the client device concludes that authentication was unsuccessful. Therefore, you should create a local user:
username cisco_local password [email protected]
– Next, to make SSH mandatory and disable remote access over Telnet, run the following commands:
line vty 5 15
transport input ssh
– Here is an example of a RADIUS server configuration for a Cisco Catalyst switch:
! Enable AAA (required before the aaa commands below)
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
! Specify your RADIUS server IP address and key for encryption (the shared secret that we specified on the RADIUS server)
radius-server host 192.168.1.16 key Sfs34e#sf
! Enable password encryption
service password-encryption
If you have several Radius servers, add them to the group:
aaa group server radius radius_srv_group
The Bottom Line!
After using it for a long time, we prefer the RADIUS server because it gives users a single centralized authentication system in their domain. Besides, there are many other benefits that users can get.
With this article, we hope you now know how to configure a RADIUS server on the Windows Server 2016 operating system. Although the process looks a bit complicated, it is possible to implement. If you have any related questions, don’t hesitate to send us a message. Good luck!