Configure Radius VPN server with NPS authentication policy

Let's talk about a couple of things.

Radius: Remote Authentication Dial-In User Service (Radius). This is a protocol used to authenticate remote users. The Radius server looks at the access request to determine whether the authentication method is allowed and whether the shared secret (sent by the Radius Client) is correct. For this blog post I created the Radius Client and Radius Server on the same server, so the shared secret is kind of moot; it really comes into play when the VPN and Radius server are on different servers. The Radius Server then takes the username from the access request, verifies that it exists in its database (or in AD), and checks the Dial-in properties of the user to determine whether the user can access the network.

NPS: Network Policy Server (NPS) allows you to create and enforce organization-wide network policies for connection requests and authorization. You can configure an NPS server as a Radius server, which is what we will do for this blog post. When the Radius Server checks the requestor's Dial-in properties, we are going to select "Use NPS".

Where we are going with this is that, by doing it this way, we can add Azure MFA to the authentication process later.

Setup VPN

This Msft doc has the steps for the RAS/VPN server setup.

Setup NPS

This Msft doc has the steps for the NPS creation and deployment. Stop at "Configure NPS as a Radius for VPN Connections".

What we are going to do is create an NPS policy that allows users to log in.

Create a Global Security group called "MyOrgVPNUsers" and add the users you want to give VPN access to.

Go to the NPS server and click on Network Policies. Give the policy a name and select the following options:

Click on Conditions and select the option to use groups (the VPN group created above).

Click on Constraints and select the following authentication methods:

Click Settings and, under Standard, select the following attributes:

Click OK and Finish.
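The group step and the Dial-in check described above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory and NPS modules are available on the NPS server; the user names, client name and address are placeholders, and the RADIUS client registration at the end only applies when the VPN and NPS roles run on different servers.

```powershell
# Added example (not from the original post). Group name is from the post;
# member names, VPN client name and address are constructed placeholders.
Import-Module ActiveDirectory
Import-Module NPS

$GroupName = 'MyOrgVPNUsers'                            # group used by the NPS policy
$Members   = @('alice', 'bob')                          # placeholder sAMAccountNames
$VpnClient = @{ Name = 'VPN01'; Address = '10.0.0.5' }  # placeholder RADIUS client

# 1. Global security group that the policy's group condition will match.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Description 'Users permitted to connect via VPN (matched by NPS policy)'
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Dial-in property: clearing msNPAllowDialin is the "Control access through
#    NPS Network Policy" setting, so the policy (not a per-user flag) decides.
foreach ($user in $Members) {
    Set-ADUser -Identity $user -Clear msNPAllowDialin
}

# 3. Check: report the effective dial-in setting of each group member, so a
#    stray per-user "Allow" or "Deny" does not silently bypass or block the policy.
function Get-VpnGroupDialInState {
    param([string]$Group = $GroupName)
    Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties msNPAllowDialin |
        ForEach-Object {
            $state = switch ($_.msNPAllowDialin) {
                $true   { 'Allow (bypasses NPS policy)' }
                $false  { 'Deny' }
                default { 'Controlled by NPS policy' }
            }
            [pscustomobject]@{ User = $_.SamAccountName; DialIn = $state }
        }
}
Get-VpnGroupDialInState | Format-Table -AutoSize

# 4. Only for a separate VPN server: register it as a RADIUS client with a
#    random shared secret (on a single box, as in the post, this is moot).
#    The secret is shown once so it can be entered on the VPN server.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)
New-NpsRadiusClient -Name $VpnClient.Name -Address $VpnClient.Address `
                    -SharedSecret $SharedSecret
Write-Host "Shared secret for $($VpnClient.Name): $SharedSecret"
```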

Dial-up

Go to your Windows 10 client and add a VPN connection to the server, using the credentials of a user that is in the VPN group.