Configure Radius Server

Configuring a Windows RADIUS Server (typically via NPS – Network Policy Server) in a deep and secure way involves more than just installing the role and creating a basic policy. You’ll want to cover advanced aspects like:

---

🔧 1. NPS (RADIUS) Server Installation and Registration

• Install NPS Role: powershellCopyEditInstall-WindowsFeature NPAS -IncludeManagementTools
• Register with Active Directory: powershellCopyEditnetsh ras add registeredserver This allows NPS to read user account information.

---

🔐 2. Secure RADIUS with Certificates (EAP-TLS)

• Use PEAP or EAP-TLS for wireless or VPN authentication.
• NPS certificate should be issued from a trusted internal CA:
  • Open mmc.exe → Add Certificates (Local Computer) → Request certificate with Server Authentication EKU.
  • Bind it under:
    NPS → Policies → Network Policies → Constraints → Authentication Methods → EAP → Properties → Select certificate

---

🔄 3. Define RADIUS Clients (Switches, WAPs, VPNs)

• Go to NPS → RADIUS Clients and Servers → RADIUS Clients
• For each device:
  • Friendly Name
  • IP or DNS
  • Shared Secret (Use a strong, unique one per device. Rotate regularly.)
  • Consider using templates if managing many.

---

📜 4. Create Connection Request Policies

• Controls who can send requests to this server.
• Set conditions like:
  • NAS IP
  • NAS Port Type
  • Time of Day
• Forward to another RADIUS if needed (proxy mode)

---

📋 5. Create Network Policies

This defines who is allowed, with what conditions, and with what restrictions.

Key Conditions:

• User Group (from AD)
• NAS Port Type (e.g., Wireless, Ethernet, VPN)
• Windows Group Membership
• Time constraints

Constraints:

• Authentication methods (e.g., PEAP/MSCHAPv2, EAP-TLS)
• Idle Timeout
• Session Timeout
• Called Station ID/Calling Station ID filters

Settings:

• RADIUS Attributes:
  • Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for VLAN assignment
  • Filter-Id for downloadable ACLs (if supported by NAS)
  • Vendor-Specific Attributes (VSA) for Cisco, Aruba, etc.

---

🛠️ 6. Advanced Tuning

Logging:

• Enable Accounting and log to:
  • Local SQL Server
  • Remote SQL Server
  • Text Files (careful with privacy/data handling)

Load Balancing:

• Deploy NPS in redundant mode (multiple NPS servers)
• Use RADIUS proxy or network devices with multiple RADIUS target options

Health Monitoring:

• Use Event ID 6272 (Successful) and 6273 (Failed) for diagnostics
• Export logs to SIEM (Splunk, Sentinel, etc.)

---

📊 7. High-Security Practices

• Require EAP-TLS with client certificates (no passwords)
• Issue short-lived certs via Intune or Auto-enrollment
• Disable MSCHAPv2 if not needed
• Use Network Device Enrollment Service (NDES) for non-domain devices
• Rotate shared secrets on RADIUS clients quarterly

---

🧠 Optional: PowerShell Automation

You can script some aspects of configuration, for example:

powershellNew-NpsRadiusClient -Name "Cisco-Switch1" `
    -Address "10.1.1.10" `
    -SharedSecret "SuperSecret123" `
    -VendorName "Cisco" `
    -State "Enabled"