A WPA2-Enterprise network is incomplete without a RADIUS server, because it provides the three AAA functions: Authentication, Authorization, and Accounting. Any robust network security design needs all three for the network infrastructure to run smoothly, especially given the sharp increase in authentication-failure incidents associated with the prevalence of on-premise setups.
Microsoft has been proactively updating its RADIUS servers since the inception of the Windows 2003 server. We have discussed a great deal about the configuration of 2008/12 in depth in our earlier blogs, and now we will help you configure the Windows 2016 server, which is the eighth edition of the prestigious Windows server and was developed in parallel with the Windows 10 operating system.
Before configuring Windows Server 2016, ensure that you meet the following requirements.
Prerequisites for Windows RADIUS Server 2016:
❖ System Requirements:
- Processor: You need a processor of at least 1.4 GHz clock frequency for x64 processors.
- RAM: The minimum requirement is 512 MB, but Microsoft recommends 2 GB for smooth functioning and for servers installed with the Desktop Experience option.
- Disk space: You need a minimum disk space of 32 GB or more, but Microsoft usually recommends using 40 GB or more disk space. Also, the disk space requirements vary with the processor and RAM used in the system.
❖ Active Directory Setup:
You must update the Active Directory environment before adding the domain controller.
❖ Server Core Installation:
Unlike Windows Server 2008, Windows Server 2012/2016 does not require the admin to choose between Full Installation and Server Core Installation beforehand.
In 2012/2016 these are merged into three optional features that the admin can install or uninstall at will.
❖ Network adapter requirements:
- An Ethernet adapter with a minimum throughput of 1 Gigabit per second.
- An Ethernet adapter that conforms to the PCI Express architectural standard.
❖ Miscellaneous Requirements:
- A system and firmware based on UEFI 2.3.1c that support Secure Boot.
- A graphics card and a display with at least Super VGA (1024 x 768) resolution.
- Turn off your antivirus software, as the installation process can be hampered by virus protection software. For instance, checking each file that is copied locally to your computer might significantly slow down the installation.
- Ensure that the Windows Firewall is enabled by default.
- Ensure that all the relevant data and information are appropriately backed up before the configuration.
Overview of Windows RADIUS Server 2016 Configuration:
- Install and set up Windows Server 2016.
- Install Active Directory Domain Services (ADDS) to configure the new domain.
- Install Certificate Authorities (CA) with Active Directory Certificate Services (ADCS).
- Install NPS (Network Policy Server).
- Configure Certificate Authorities (CA), i.e., Active Directory Certificate Services (ADCS) for Certificates.
- Configure NPS (Network Policy Server) for the authentication protocol.
- Configure RADIUS.
- Define Network policies for users/devices.
- Configure Access Point.
- Set up zero clients, and select 802.1x authentication.
- Configure Wireless Connection Request.
Configure Windows 2016 RADIUS Server:
Now we will see each step involved in configuring Windows 2016 server in detail:
Install and Configure AD DS:
For configuring ADDS, follow the given instructions:
- Navigate to Windows Server 2016.
- Click Start.
- Click Server Manager.
- Navigate to Role Summary.
- Click Add Roles and Features.
- Select Role-based or Feature-based installation.
- Navigate to the Before You Begin page and click Next.
- Navigate to the Select Server Roles page.
- Select the Active Directory Domain Services.
- Click Next.
- Click Install on the Confirm Installation Selections page.
- Navigate to the Installation Results page and click Close.
ADDS is installed.
Install AD CS and NPS:
To install AD CS and NPS, follow the given instructions:
- Navigate to Server Manager.
- Select Roles and click Add Roles.
- Click Next on the Before you Begin page.
- Select Active Directory Certificate Services (AD CS) and Network Policy and Access Services.
- Click Next.
- Click Next on the Network Policy and Access Services page.
- Navigate to Role Services and select Network Policy Server.
- Click Next.
- Select Create a self-signed certificate for SSL encryption and click Next.
- Click Next on the Introduction to Active Directory Certificate Services page.
- Select Certification Authority on the Select Role Services page and click Next.
- Select Enterprise on the Specify Setup Type page and click Next.
- Select Root CA on the Specify CA Type page and click Next.
- Select Create a new private key on the Set Up Private Key page and click Next.
- Click Next on Configure Cryptography for CA.
- Enter details on Configure CA Name page and click Next.
- Enter the validity period on the Set Validity Period page and click Next.
- Click Next on Configure Certificate Database page.
- Click Next on the Web Server (IIS) page.
- Click Next on the Select Role Services page.
- Click Install on the Confirm Installation Selection page.
- Click Close.
Now the AD CS (Active Directory Certificate Services), Web Server (IIS), and NPS are installed successfully.
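The two installation procedures above, done from PowerShell instead of the wizard (an added example, not code from the original post). The domain name, CA name and validity period are placeholders you would replace:

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the same role installation and AD CS
# choices as the wizard steps above, run from PowerShell on Windows Server 2016.
# Placeholders: $DomainName, $CaCommonName and $CaValidityYears are assumptions.
$DomainName      = 'corp.example'   # new forest created by the AD DS step
$CaCommonName    = 'CORP-ROOT-CA'   # value for the Configure CA Name page
$CaValidityYears = 5                # value for the Set Validity Period page

# Add Roles and Features: AD DS, Certification Authority, Network Policy and Access Services
Install-WindowsFeature -Name AD-Domain-Services, ADCS-Cert-Authority, NPAS `
    -IncludeManagementTools

# DomainRole 4/5 means this machine is already a domain controller. An Enterprise CA
# must be installed on a domain member, so promote first (this reboots the server)
# and re-run the script afterwards.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Import-Module ADDSDeployment
    Install-ADDSForest -DomainName $DomainName -InstallDns -Force `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
    return
}

# Enterprise Root CA with a new private key; RSA 2048 and SHA-256 are stated
# explicitly so the RADIUS server certificate chains to a modern root.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits $CaValidityYears -Force

# Equivalent of "Register server in Active Directory": adds this NPS to the
# "RAS and IAS Servers" group so it may read users' dial-in properties.
netsh ras add registeredserver
```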
Configure NPS (Network Policy Server) and RADIUS Authentication:
- Click on the Start button and select Administrative tools.
- Click Network Policy Server (NPS).
- Select Register Server in Active Directory and click OK.
- Click OK.
- On the NPS (Local) page, select RADIUS server for 802.1x Wireless or Wired Connections.
- Click Configure 802.1x.
- Select Secure Wireless connections on the Configure 802.1x page.
- Type Name and click Next.
- Add RADIUS clients on the Configure 802.1x page and click Next.
- Type the following details on the New RADIUS Client page.
- Name
- IP Address
- Shared Secret (Manual)
- Click OK and click Next.
- Select Microsoft: Protected EAP (PEAP) on the Configure 802.1x page.
- Click Configure.
- Select Secured password on the Edit Protected EAP Properties page and click Edit.
- Enter the number of authentication retries, click OK, and then click Next.
- Select Groups and click Next.
- Click Next again and click Finish.
- Restart NPS.
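The RADIUS client step above, scripted so that each access point gets its own randomly generated shared secret rather than a hand-typed one (an added example, not code from the original post; the AP names and addresses are constructed samples):

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: registers each access point as an NPS
# RADIUS client with its own randomly generated shared secret (the wizard's "Generate"
# option rather than a hand-typed "Manual" one). The AP names/addresses are constructed.
Import-Module NPS

function New-RadiusSharedSecret {
    # 64-symbol alphabet, so a byte modulo 64 is unbiased; 32 symbols = 192 bits.
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Constructed sample clients; replace with the real AP management addresses.
$accessPoints = @(
    @{ Name = 'AP-Floor1'; Address = '192.0.2.11' }
    @{ Name = 'AP-Floor2'; Address = '192.0.2.12' }
)

$registered = foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    if (Get-NpsRadiusClient -Name $ap.Name -ErrorAction SilentlyContinue) {
        # Client already exists (e.g. created by the wizard): rotate its secret.
        Set-NpsRadiusClient -Name $ap.Name -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret | Out-Null
    }
    [pscustomobject]@{ Name = $ap.Name; Address = $ap.Address; SharedSecret = $secret }
}

# Shown once so the secrets can be entered on each AP; do not save this output to disk.
$registered | Format-Table -AutoSize

# Same as the "Restart NPS" step: the NPS service is named IAS.
Restart-Service -Name IAS
```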
Define Network Policies for users/devices.
Follow these steps to define the network policies:
- Navigate to the NPS console and click NPS (local).
- Click and expand Policies.
- Select Network Policies.
- Click New.
- Enter a Policy Name.
- Set the Type of network access server to Unspecified when using NetScaler, or to RCDevs OpenLDAP when using OTP.
- Click Add under Specify Conditions.
- Select Windows Groups and click Add.
- Click Add Groups and click OK.
- Select NAS Identifier under Select Conditions.
- Enter a name and click Next to continue.
- Select Access Granted under Specify Access Permission.
- Under Configure Authentication Methods, select MS-CHAP v2, the strongest of the password methods offered; it is carried inside the PEAP tunnel configured earlier.
- Click Next.
- Under Configure Settings, select RADIUS Attributes > Standard.
- Click Add.
- Enter the attribute value in String and click OK.
- Click Next and click Finish.
You can use the Network Policy Wizard to create and add new conditions, constraints, and settings to the network policies.
Administrators can define and implement a wide range of policies using our Cloud RADIUS, including lookup policies applied at the moment of authentication. For instance, depending on the time of day, you can decide whether to accept or reject people and devices. You may also restrict access to devices running a specific operating system.
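Once policies are in place, the authentication failures mentioned at the top of this page can be measured rather than guessed at: NPS writes one Security-log event per RADIUS decision. The following is an added example (not from the original post) that enables that auditing and summarises denials by reason and by client; the look-back window is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: enable NPS auditing and summarise the
# access-denied events (ID 6273; 6272 is access granted) written to the Security log.
# Assumed: run on the NPS server; $LookBackHours is a placeholder.
$LookBackHours = 24

# Without this subcategory enabled, NPS writes no 6272/6273 events at all.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-EventField {
    # Reads a named <Data Name="..."> value from the event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$since  = (Get-Date).AddHours(-$LookBackHours)
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $denied) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = Get-EventField $e 'SubjectUserName'
        ClientIP   = Get-EventField $e 'ClientIPAddress'
        Policy     = Get-EventField $e 'NetworkPolicyName'
        ReasonCode = Get-EventField $e 'ReasonCode'
        Reason     = Get-EventField $e 'Reason'
    }
}

# Failures per reason (e.g. 16 = credential mismatch, 48 = no matching network policy):
# a spike in 48 usually means a policy condition is wrong, not that users are.
$rows | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Failures per RADIUS client: a burst from a single AP is worth investigating.
$rows | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```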
Set up Zero Clients, and Select 802.1x Authentication
- Navigate to the Control panel and open the Network and Sharing center.
- Click Change adapter settings.
- Select Local Area Connection and click Properties.
- On the Authentication tab, select Enable IEEE 802.1X authentication.
- Select the desired authentication method from the dropdown.
Configure Wireless Connection Request
- Navigate to the Control panel and open the Network and Sharing center.
- Click Manage Wireless Networks.
- Select Manually Create a network profile.
- Enter your SSID in Network Name and click Next.
- Click Change Connection settings.
- Select Security and click Settings.
- Select the Trusted Root CA and click OK.
- Navigate to Advanced Settings.
- Select Specify Authentication Mode and click OK.
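The Trusted Root CA selection above is what stops a client from sending its credentials to an impostor access point, so it is worth verifying on the finished profile. The following added example (not code from the original post) exports the wireless profile and checks its PEAP server-validation settings; the SSID name is a placeholder.

```powershell
# Added example, not from the original post: export the wireless profile created above
# and check that PEAP validates the RADIUS server certificate (root CA pinned, server
# name restricted, no "accept unknown server" prompt). $ProfileName is a placeholder.
$ProfileName = 'CorpWiFi'   # the SSID entered under Network Name
$tmp = Join-Path $env:TEMP 'wlan-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$file = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $file) { throw "Profile '$ProfileName' not found" }
[xml]$p = Get-Content $file.FullName

function Get-Node([xml]$Doc, [string]$LocalName) {
    # Profile elements use default namespaces, so match on the unqualified name.
    $Doc.GetElementsByTagName($LocalName) | Select-Object -First 1
}

# The first <Type> in the profile is the outer EAP method; 25 = PEAP.
$checks = [ordered]@{
    'PEAP (EAP type 25) selected'        = (Get-Node $p 'Type').InnerText -eq '25'
    'Server certificate validated'       = (Get-Node $p 'PerformServerValidation').InnerText -eq 'true'
    'No prompt to accept unknown server' = (Get-Node $p 'DisableUserPromptForServerValidation').InnerText -eq 'true'
    'Trusted root CA pinned'             = -not [string]::IsNullOrWhiteSpace((Get-Node $p 'TrustedRootCA').InnerText)
    'Server name restricted'             = -not [string]::IsNullOrWhiteSpace((Get-Node $p 'ServerNames').InnerText)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
Remove-Item $tmp -Recurse -Force
```

Any FAIL line means a client with this profile could be talked into authenticating against a RADIUS server other than yours; fix the profile and re-run.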
Drawbacks of On-Premise RADIUS Server
Traditional RADIUS servers housed on an organization’s premises are prone to numerous security vulnerabilities. On-premise infrastructure commonly uses Windows RADIUS servers, built from NPS, which have many susceptibilities of their own that hackers frequently exploit in zero-day attacks. On top of that, they need a great deal of time and expertise to set up.
Additionally, the NPS server's on-premises location exposes it to a variety of physical security risks, including break-ins, natural disasters, or even simple power outages. Rarely does on-premise RADIUS prove more affordable than cloud RADIUS, given the price of maintaining highly secure physical sites!
NPS is not natively compatible with any cloud infrastructure, including Microsoft’s own cloud solutions such as Azure AD: it was created especially for on-premise AD deployments, and integrating it with cloud directories has serious drawbacks. If you wish to use Azure with NPS, a separate authentication server or proxy is necessary, and these setups are not only complex and time-consuming but also rather pricey.
Cloud RADIUS: The Way Ahead
The move to the cloud offers several benefits over the risky on-premises environment full of security threats, and what’s better than utilizing our ground-breaking Cloud RADIUS? You can solve virtually all the problems of on-premise RADIUS servers by employing a cloud-based server like Cloud RADIUS, supported by SecureW2.
Our Cloud RADIUS is designed for vendor neutrality, so you can use it with any IDP (including cloud directories). You can enforce policies with real-time user lookup against Azure, Okta, & Google Workspace.
Also, integrating with SecureW2 gives you more options for customization with our many innovative features like Azure MFA auth, Intune auto revocation, Windows Hello for Business login, and more. Our RADIUS services can be set up quickly, cost a fraction of what on-prem solutions do, and have no infrastructure costs because of their cloud presence.
If you are interested in taking that first step towards security for your organization, look no further and contact us to inquire about pricing.