FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Anthony_E
Community Manager
Article Id 196198
Description
This article describes how to configure Microsoft Network Policy Server (NPS) as the RADIUS server for FortiNAC (FNAC) when implementing wired or wireless 802.1X with Active Directory user authentication.

Related link:

https://docs.fortinet.com/document/fortinac/8.6.0/administration-guide/214558/radius

Scope
- The Microsoft NPS server must be joined to the AD domain so that it can authenticate AD users.

- The network policy must allow PAP, MS-CHAPv2 and PEAP. PAP carries the user password protected only by the RADIUS shared secret, so use a long random secret and keep the FNAC-to-NPS RADIUS traffic on a trusted network segment.

- The NPS role can be installed on a domain controller or on a dedicated Microsoft Windows server that is joined to the AD domain.

Solution
1) Add FNAC to 'RADIUS Clients' in the MS NPS configuration (select 'RADIUS Clients' and select 'New').

2) Enter the FNAC RADIUS client details.

- Make sure the 'Enable this RADIUS client' box is checked.

- Enter the 'Friendly name', the FNAC IP address and the shared secret (the same secret that was configured on FNAC). NPS silently discards RADIUS requests from any address that is not a registered client, so the address must be the one FNAC sends its RADIUS requests from.

- The remaining settings can be left at their defaults.

3) Create a 'Connection Request Policy' for FNAC (select 'Connection Request Policies' and select 'New').

4) Specify the 'Policy name' and select 'Next'.

5) Under 'Specify Conditions' select 'Add…', select 'Client IPv4 Address' and enter the FNAC IP address.

- When finished, confirm the settings with 'OK' and 'Add…'.
- Select 'Next' when done; the remaining settings can be left at their defaults. Continue selecting 'Next' and select 'Finish' at the last step.

6) Create a 'Network Policy' for access requests coming from FNAC (select 'Network Policies' and select 'New').

7) Specify the 'Policy name' and select 'Next'.

8) Under 'Specify Conditions' select 'Add…', select 'Windows Groups', select 'Add Groups…' and enter the name of the AD group whose members are allowed to authenticate.

- When finished, confirm the settings with 'OK' and 'Add…'.

- Select 'Next' when done.

9) Specify the access permission ('Access granted') and select 'Next' when done.




10) Configure the authentication methods.

- Under 'EAP Types' add 'Microsoft: Protected EAP (PEAP)'.

- Make sure 'MS-CHAP v2' and 'PAP' are checked.

- Select 'OK' and 'Next' when done; the remaining settings can be left at their defaults. Continue selecting 'Next' and select 'Finish' at the last step.

- Network policies are evaluated in processing order and the first match wins. If another policy (for example a default policy that denies access) sits above the FNAC policy and also matches, move the FNAC policy up.
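The following PowerShell is an added example and is not code from the original article, from Fortinet or from Microsoft. Part 1 performs steps 1 and 2 (the RADIUS client entry) with the NPS module; part 2 is a minimal RADIUS PAP client that sends one Access-Request to NPS, so the client entry, the shared secret and the network policy can be checked end to end before FortiNAC is pointed at the server. The FNAC address 192.0.2.10, the friendly name 'FNAC', the shared secret and the AD account CORP\nac-test are placeholders (assumptions); replace them with your own values.

```powershell
# Added example (not from the original article or from FortiNAC/NPS product code).
# Part 1 does steps 1-2 of the procedure with the NPS PowerShell module.
# Part 2 is a minimal RADIUS PAP client (RFC 2865) that sends one Access-Request
# to NPS, so the client entry, the shared secret and the network policy can be
# checked end to end before FortiNAC is pointed at the server.
# Assumed placeholders: FNAC address 192.0.2.10, friendly name 'FNAC', the
# shared secret, and the AD test account CORP\nac-test.
# Run in an elevated PowerShell session on the NPS server.

Import-Module NPS                                 # ships with the NPAS role

$FnacIp = '192.0.2.10'                            # placeholder: address FNAC sends RADIUS from
$Secret = 'Replace-With-The-Secret-Set-On-FNAC'   # placeholder: must match FNAC exactly

# --- Part 1: RADIUS client entry (steps 1-2); update it if it already exists ---
if (Get-NpsRadiusClient | Where-Object Name -eq 'FNAC') {
    Set-NpsRadiusClient -Name 'FNAC' -Address $FnacIp -SharedSecret $Secret -Enabled $true
} else {
    New-NpsRadiusClient -Name 'FNAC' -Address $FnacIp -SharedSecret $Secret -Enabled $true
}
Get-NpsRadiusClient -Name 'FNAC' | Format-List Name, Address, Enabled

# --- Part 2: PAP probe --------------------------------------------------------
function Test-RadiusPap {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Secret,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [int]$Port = 1812,
        [int]$TimeoutMs = 5000
    )
    $md5         = [System.Security.Cryptography.MD5]::Create()
    $secretBytes = [Text.Encoding]::UTF8.GetBytes($Secret)
    $auth        = New-Object byte[] 16                               # Request Authenticator
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)

    # User-Password hiding (RFC 2865 5.2): pad the password to a multiple of 16
    # bytes and XOR each block with MD5(secret + previous block); the first block
    # uses the Request Authenticator as "previous block".
    $pw     = [Text.Encoding]::UTF8.GetBytes($Password)
    $blocks = [int][math]::Ceiling([math]::Max($pw.Length, 1) / 16)
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padded.Length
    $prev   = $auth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $hidden[$i..($i + 15)]
    }

    # Attribute = Type(1) Length(1) Value; the leading comma keeps the array intact on output
    function Attr([byte]$Type, [byte[]]$Value) { ,([byte[]]@($Type, ($Value.Length + 2)) + $Value) }
    $attrs  = Attr 1  ([Text.Encoding]::UTF8.GetBytes($User))          # User-Name
    $attrs += Attr 2  $hidden                                          # User-Password
    $attrs += Attr 32 ([Text.Encoding]::UTF8.GetBytes('nps-probe'))    # NAS-Identifier
    $attrs += Attr 80 (New-Object byte[] 16)                           # Message-Authenticator (filled below)
    $maOffset = 20 + $attrs.Length - 16                                # its 16 value bytes sit at the packet end

    # Header = Code(1, 1 = Access-Request) Identifier(1) Length(2, big-endian) Authenticator(16)
    $id     = Get-Random -Maximum 256
    $len    = 20 + $attrs.Length
    $packet = [byte[]](@(1, $id, ($len -shr 8), ($len -band 0xFF)) + $auth + $attrs)

    # Message-Authenticator (RFC 3579 3.2): HMAC-MD5 over the whole request with the
    # attribute value zeroed. NPS can require it per RADIUS client ('Access-Request
    # messages must contain the Message-Authenticator attribute').
    $hmac = New-Object System.Security.Cryptography.HMACMD5 (,$secretBytes)
    [Array]::Copy($hmac.ComputeHash($packet), 0, $packet, $maOffset, 16)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        # NPS drops requests from unregistered source IPs without answering (NPS event 13, System log)
        return [pscustomobject]@{ Response = 'No reply (timeout)'; ResponseAuthenticatorValid = $false }
    } finally { $udp.Close() }

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # A reply whose authenticator does not verify means NPS holds a different shared secret.
    $body     = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($reply[0..3] + $auth + $body + $secretBytes))
    $authOk   = (($expected -join ',') -eq ($reply[4..19] -join ','))
    $code     = switch ([int]$reply[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } 11 { 'Access-Challenge' } default { "code $_" } }
    [pscustomobject]@{ Response = $code; ResponseAuthenticatorValid = $authOk; Identifier = $id }
}

# Probe from the NPS host itself: 127.0.0.1 must then be a registered client, so a
# temporary entry is added and removed again. Run from the FNAC address instead to
# exercise the 'Client IPv4 Address' connection request policy created in step 5.
New-NpsRadiusClient -Name 'probe-localhost' -Address '127.0.0.1' -SharedSecret $Secret -Enabled $true | Out-Null
try {
    Test-RadiusPap -Server '127.0.0.1' -Secret $Secret -User 'CORP\nac-test' -Password 'placeholder-password'
} finally {
    Remove-NpsRadiusClient -Name 'probe-localhost'
}
```

An Access-Accept with ResponseAuthenticatorValid = True confirms the whole chain. An Access-Reject with a valid authenticator means NPS and the probe agree on the secret and the failure is in the policy or the credentials (see the Security log events under Troubleshooting); with PAP a wrong secret does not produce an error of its own but a reject for bad credentials, because the password decrypts to garbage. No reply at all means the source address is not a registered RADIUS client or UDP/1812 is blocked.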

Troubleshooting

1) Check the 'Event Viewer' on the MS NPS server: the Security log holds an audit event for every RADIUS request coming from FNAC (event ID 6272 for access granted, 6273 for access denied), including the connection request policy and network policy that matched and, for denials, a reason code.

2) If PEAP MS-CHAPv2 authentication is failing, open the network policy, select 'Microsoft: Protected EAP (PEAP)' under 'EAP Types', select 'Edit' and check that the right server certificate is selected in the 'Certificate issued to' drop-down menu. The certificate must be in the computer's personal store with its private key, and it must be trusted by the 802.1X supplicants, otherwise the clients abort the TLS handshake before any credentials are sent.
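The following PowerShell is an added example, not code from the original article or from Fortinet or Microsoft. It reads the 6272/6273 audit events from point 1, keeps those from the RADIUS client named 'FNAC' (the friendly name assumed from step 2), summarises the deny reason codes with the usual cause behind each, and for point 2 lists the machine certificates that NPS can offer for PEAP. The 24-hour window and the client name are assumptions.

```powershell
# Added example, not part of the original article. It reads the audit events
# NPS writes for every RADIUS request (Security log: 6272 = access granted,
# 6273 = access denied), keeps those from the RADIUS client named 'FNAC'
# (the friendly name assumed from step 2), summarises the deny reason codes,
# and lists the machine certificates NPS could offer for PEAP.
# Run in an elevated session on the NPS server. If no 6272/6273 events exist,
# enable the audit subcategory first:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

$ClientName = 'FNAC'                     # friendly name given in step 2 (assumption)
$Since      = (Get-Date).AddHours(-24)   # look-back window (assumption)

# Reason codes that most often explain a failing NAC integration.
$Hints = @{
    16 = 'Credentials mismatch. With PAP a wrong shared secret also ends here, because the password decrypts to garbage.'
    22 = 'EAP type cannot be processed: PEAP not added to the policy or no usable server certificate.'
    48 = 'No network policy matched: check the Windows Groups condition and the user''s group membership.'
    49 = 'No connection request policy matched: check the Client IPv4 Address condition against the FNAC address.'
    65 = 'The account''s dial-in Network Access Permission is set to Deny access.'
    66 = 'The authentication method used is not enabled in the matched network policy (PAP / MS-CHAPv2 / PEAP).'
}

function ConvertFrom-NpsAuditEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Field names come from the event's EventData; ReasonCode is 0 on 6272.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $reason = 0; [void][int]::TryParse($data['ReasonCode'], [ref]$reason)
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Result     = if ($Event.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User       = $data['FullyQualifiedSubjectUserName']
        Client     = $data['ClientName']
        ClientIP   = $data['ClientIPAddress']
        Station    = $data['CallingStationID']      # supplicant MAC as sent by the switch/AP
        CrpPolicy  = $data['ProxyPolicyName']       # connection request policy that matched
        NetPolicy  = $data['NetworkPolicyName']
        AuthType   = $data['AuthenticationType']
        EapType    = $data['EAPType']
        Reason     = $reason
        ReasonText = $data['Reason']
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since } -ErrorAction SilentlyContinue
$rows   = @($events | ForEach-Object { ConvertFrom-NpsAuditEvent $_ } | Where-Object Client -eq $ClientName)

"{0} NPS audit events from client '{1}' since {2}" -f $rows.Count, $ClientName, $Since
$rows | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Result, User, Station, AuthType, EapType, CrpPolicy, NetPolicy, Reason -AutoSize

"Deny reasons:"
$rows | Where-Object Result -eq 'DENIED' | Group-Object Reason | Sort-Object Count -Descending | ForEach-Object {
    $code = [int]$_.Name
    $text = if ($Hints.ContainsKey($code)) { $Hints[$code] } else { $_.Group[0].ReasonText }
    '{0,5} x reason {1,-3} {2}' -f $_.Count, $code, $text
}

# Point 2 of the troubleshooting list: the certificate offered for PEAP must be in
# the machine store, have its private key, and carry the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1); the PEAP 'Certificate issued to' drop-down only offers
# certificates that meet these requirements. Check NotAfter for expiry as well.
"Certificates usable for PEAP:"
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
} | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
```

Reason 22 with EapType empty on every PEAP attempt is the certificate problem from point 2; reason 49 means the request never reached the FNAC connection request policy (wrong 'Client IPv4 Address'), and reason 48 or 66 points at the network policy conditions or its authentication methods from steps 8 and 10.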

