
Radius with Windows Policy Server

Document Number

ENG-010620

Introduction

This document explains how to configure the Tellabs NAC to interoperate with the Windows Network Policy Server when it is used as the RADIUS server for authentication.

Applies To

Tellabs 1134/OLT6/1150 running FP29.2 or above.

Windows Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features:

  • RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database. For more information, see RADIUS server.
  • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group. To configure NPS as a RADIUS proxy server, see the following topics. For more information, see RADIUS proxy.
    • Configure Connection Request Policies
  • RADIUS accounting. You can configure NPS to log events to a local log file or to a local or remote instance of Microsoft SQL Server. For more information, see NPS logging.

NPS can be used with the Tellabs Network Access Controller (NAC) engine to control access to network resources via RADIUS Authentication.  For the basics of RADIUS authentication, see the document:


The Tellabs NAC serves as the Authenticator, acting as the PAE or Port Authentication Entity.  It sends RADIUS requests to the Windows Network Policy Server, which serves as the RADIUS server and policy engine: it authenticates users via RADIUS and assigns policies based on their authentication credentials.  This document explains how to configure the Windows NPS to work with the Tellabs OLAN NAC.

Starting Network Policy Server

The Network Policy Server is typically not started by default and must be started manually.  It can be started using the following steps:

  • Open Server Manager
  • Click on Tools
  • Click on Network Policy Server
  • The NPS Console opens


Create a Connection Request Policy

A connection request policy needs to be created to define how to handle connection requests.  This policy defines how to recognize the request, via conditions in the message, and what attributes to include in the response back to the Tellabs OLAN equipment.  The attributes tell the OLAN OLT how to configure the Ethernet port on the system.  Different policies can be crafted for different device types and access methods and specify different profiles to be applied.  To create a Connection Request Policy:

Go to Policies -> Connection Request Policies, then right-click and select New.

Name your policy and configure it as shown below:


Press Next and then you will be prompted as follows:


Press Add to add the conditions:


Select Ethernet as the NAS Port Type:

This identifies the request as coming from a wired Ethernet port.


Select Framed as the Service Type under the Common Dial-up and VPN Tunnel Types.


This rule will now apply to all Wired Ethernet ports.


Click Next and you will be prompted with the Authentication options.  This defines the allowed authentication methods.


Select Override Network Policy Authentication Settings:


Select the authentication method(s) that will be used at this site based on local policies.  This example shows enabling the following three authentication methods, which are listed in priority order:

  • EAP-MSCHAPv2
  • EAP(PEAP)
  • MD5 Challenge


Use defaults for the Attribute section and click Next on the Configure Settings Screen:


On the Standard RADIUS Attributes screen, add Filter-ID so that it is included in the Access-Accept response:


Press the Add button, and select Filter-ID:


Then add the attribute value for the Filter-ID:


This example uses the profile match feature to pick the local Data VLAN profile on the Tellabs OLAN Ethernet port being authenticated.  See the document ENG-010428 Configuring Policy via Radius Authentication for more details about this feature.


The following shows adding an ACL profile that permits all traffic on the Ethernet port.  ACL profiles can be used to either deny or permit certain types of traffic based on the user's login and local policies.


The IF-ALIAS defines the string displayed for the port in the EMS GUI, so that the port label dynamically reflects information identifying the authenticated connection:


Once all the necessary ACLs, Service Profile references and any IF-ALIAS names are added, select OK to add them to the Connection Request Policy.


It is also recommended that the Termination-Action and Session-Timeout be specified to explicitly set the reauthentication period.  This defines how often the client needs to re-authenticate to keep the port authenticated and running.

Select Termination-Action with a value of RADIUS-Request.

Select Session-Timeout and set the value to 50400 (in seconds).  This example sets the re-auth period to 14 hours.

Click on the Add button to add the session timeout value.


Filled-out example:


Press the Next button as no Vendor Specific Attributes are needed at this time:


Press the Finish button to accept the Connection Request Policy:


Completed Policy


Next, the OLT needs to be added as a RADIUS Client so that the Network Policy Server will accept RADIUS requests from the Tellabs OLAN system.

Under RADIUS Clients and Servers > RADIUS Clients, right-click, select New and create the RADIUS client.


Under the Advanced Tab, ensure that you select Additional Options -> Access-Request messages must contain the Message-Authenticator attribute.
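As an added example (not from this document, Tellabs or Microsoft), the following Python builds the Access-Request a wired-port authenticator sends and the Access-Accept carrying the Filter-ID, Session-Timeout (50400) and Termination-Action (RADIUS-Request) attributes configured above, and shows the two integrity checks involved: the Message-Authenticator that the NPS option above requires on every Access-Request, and the Response Authenticator the NAS verifies before applying the returned policy. The shared secret, user name and the Filter-ID value "Data-VLAN" are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, SERVICE_TYPE, FILTER_ID = 1, 2, 1, 6, 11
SESSION_TIMEOUT, TERMINATION_ACTION, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 27, 29, 61, 80

def attr(atype, value):
    """Encode one attribute as Type, Length, Value; ints become 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def build_access_request(secret, ident, username, request_auth):
    """Wired-port Access-Request (NAS-Port-Type Ethernet, Service-Type Framed) whose
    Message-Authenticator is HMAC-MD5(secret) over the packet with that value zeroed."""
    attrs = (attr(USER_NAME, username.encode()) + attr(NAS_PORT_TYPE, 15)
             + attr(SERVICE_TYPE, 2) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, "md5").digest()  # attr 80 is last

def verify_message_authenticator(packet, secret):
    """True only if attribute 80 is present and correct; absent means reject, which is
    what the NPS "must contain the Message-Authenticator" option enforces."""
    for atype, off, value in parse_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), value)
    return False

def build_access_accept(secret, request, filter_id, timeout=50400):
    """Access-Accept with this document's policy attributes; Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    attrs = (attr(FILTER_ID, filter_id.encode()) + attr(SESSION_TIMEOUT, timeout)
             + attr(TERMINATION_ACTION, 1))  # 1 = RADIUS-Request
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response_authenticator(response, request, secret):
    """The NAS-side check before acting on an Access-Accept: recompute the Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A request that omits attribute 80, or whose contents were altered after the HMAC was computed, is rejected by verify_message_authenticator, which is the behaviour the "must contain the Message-Authenticator attribute" setting turns on in NPS.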


The Windows Network Policy Server should now accept requests from the Tellabs OLT, send back Filter-ID information and ACL policies, and name the connections on the ports dynamically to help document the active connections on the system.
