How to Setup a Windows RADIUS Server
The secret is out: pre-shared key-backed networks do not provide enough of a defense against hackers and data thieves. A survey found that 74% of IT decision-makers whose data had been breached in the past say that the hack involved privileged access credential abuse. Even complex credentials are susceptible to over-the-air credential theft.
Backing your network with a RADIUS server can help close these security gaps. If you’re using Windows, NPS is a common RADIUS solution.
Using NPS as a RADIUS Server
A RADIUS server authenticates users’ identities and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI ( Public Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network. Check out how a SecureW2 client upgraded their network infrastructure to eliminate any risk of MITM attacks with a RADIUS-backed network.
If you’re using Windows, RADIUS servers are typically implemented through NPS (Network Policy Server). Originally created to enforce network access policies, NPS is frequently used as a RADIUS server itself.
NPS allows you to authenticate clients using Active Directory (AD) through a wide variety of access points, including the following:
- 802.1x switches
While the integration between NPS and AD is more or less manageable, it’s an aging technology that is difficult to integrate into more modern infrastructures. This is especially noteworthy if you’re working in the cloud, which Microsoft doesn’t offer a RADIUS solution for.
How To Set Up Windows RADIUS with NPS
This walkthrough will guide you through installing RADIUS server roles in Windows server 2019.
1. Set up a Security Group
In the Active Directory domain, create a security group. Add all of the users that will authenticate through your new RADIUS.
2. Add Network Policy and Access Services Role
The Server Manager console contains the Add Roles and Features wizard. That wizard handles the installation and configuration of all of the optional Windows Server features, including NPS. Select the Network Policy and Access Services role.
After the role installation is completed, open the Network Policy Server (nps.msc) in the Tools menu.
3. Snap-In NPS to AD
Find the root labeled “NPS (Local)” and right-click on it. Choose “Register server in Active Directory”.
Select OK in the confirmation dialogue box that pops up.
4. Add RADIUS Client to NPS
In your NPS console tree, there should be a RADIUS Clients and Servers folder. To add the new RADIUS client, expand the RADIUS Clients and Servers section in the NPS console tree and select New on the RADIUS Clients item.
On the Settings tab, fill the following fields. “Friendly Name” is your client nickname, “Address” can be the IP or DNS name, and “Shared Secret” should have been determined when you configured the access point.
Note: Shared secrets are a weak form of authentication security. Digital certificates offer the best security. Certificates are similarly easy to authorize. Add your access point certificate to the personal certification store on the Local Machine, then request and import the certificate to the NPS server.
SecureW2 allows you to easily generate a custom private CA and export the .p12 to then import into NPS. Or, you can import your AD CS certificates and use SecureW2 to enroll end-user devices to self-service themselves for client certificates for your AD CS Certificate Authority.
If you’re using a major access point vendor, such as Aruba or Cisco, navigate to the advanced tab and select the vendor from the “Vendor Name” list.
Your Windows Server RADIUS is now ready to go! Users will need to be manually added and removed from the security group unless you use an onboarding solution like the one offered by SecureW2. Click here to check out our world-class automatic enrollment suite JoinNow.
Cloud RADIUS + Windows: A Better Solution
A major issue with NPS is that using it essentially locks you into using Windows as your vendor. NPS is only compatible with Active Directory through the LDAP protocol. While you can use third-party vendors to overcome this hurdle, it creates unnecessary complications for your infrastructure, putting your network at risk.
Furthermore, NPS was designed to be used as an on-premise solution with AD, because it was made long before cloud solutions were so prevalent. There is no native ability to connect NPS with cloud directories. It doesn’t even work with Microsoft’s own cloud platform, Azure.
Forward-thinking companies know that the future is in the cloud, so your RADIUS should be, too.
Cloud RADIUS is a turnkey solution that allows you to bridge the gap between on-prem and cloud without the expensive forklift upgrade you would need with Azure. SecureW2’s RADIUS and Managed PKI Services integrate seamlessly with every major vendor. We’ve worked with countless organizations to migrate to an all-cloud environment using Azure with Cloud RADIUS. Check out our pricing page to see how we can help you.