Microsoft NPS
Configuring a Microsoft RADIUS server provides superior authentication security: enables group policy enforcement for network segmentation, and provides record event logs for accounting purposes.
Combining a secure Microsoft RADIUS server with certificate solutions creates a network environment that is strongly protected, and a straightforward experience for users.
- Microsoft NPS RADIUS Server
- Identity Provider
- Administrator rights to Nile Portal
- Administrator rights to Microsoft NPS
- Log onto Nile Portal:https://u1.nile-global.cloud/
- Navigate to
- Click on the + (add authentication button) to create a new Microsoft NPS RADIUS authentication configuration:
- Fill in the Microsoft NPS server information:
- RADIUS server Name (Any name example SE HQ NPS)
- Up to three RADIUS IP addresses
- RADIUS Authentication Port; default 1812/UDP
- RADIUS Shared secret (pre-shared key that need to same NPS client pre-shard key)
- Nile Geo scope (Site): Nile supports one RADIUS server per Geo scope.
- Click on DISPLAY NAS IP’S to get Nile Service Block NAS IP address that need to be added as Microsoft NPS client.
- The result is shown in the entry panel:
- Click on Save and verify the server added to the Authentication device list
- Go to
- In the Console, navigate to
- In the Add/Remove Snap-in window, select
- In the
- Click the
- In the Add/Remove Snap-in window, click the
- In the Console, navigate to NPS (Local) side menu
- In the “Standard Configuration” panel, select “RADIUS server for 802.1x Wireless or Wired Connections” from the pull-down list
- Click on “+ Configure 8201.X” link: this launches the 802.1x configuration wizard.
- Select
- Add “Nile” to the beginning of the name
- Click the
- Click the
- Use “Nile NSB” as the Friendly name
- Fill in “Address (IP or DNS)” with the NAS IP address provided by the Nile Portal
- Click the
- Enter the secret that matches the one in the Nile Portal Authentication settings.
- Click on
- This policy example allows only domain users;, to add these three conditions click the Next button
- Select Authentication Type – Microsoft: Protected EAP (PEAP) and click on Next
- Windows Groups – select user groups for the policy. In our example, we will select “Domain Users” groups. Then click on Next.
- For traffic controls, just click on the
- Click on the
Note: This is just an example. You can modify the policy to meet your requirements.
For Machine Authentication or user authentication using a certificate, please select “Microsoft: Smart Card or other certificates.”
- In the left-hand menu, under “Policies” select “Connection Request Policies”
- Click the entry “Nile Secure Wireless Connections”.
- In the left-hand menu, under “Policies”, select “Network Policies”.
- Verify the information as shown.
- Nile supports RADIUS transaction monitoring for service availability, For monitoring, Nile will send an authentication request with a dummy user account “user name nile-network-test”, RADIUS will respond with a rejection which confirms RADIUS service is available.
- An administrator has the option to use an active directory user for monitoring or can run a one-time verification for troubleshooting only, Nile supports MS-CHAPv2 for RADIUS monitoring and requires an NPS policy for verification. Example: to allow Nile account verification, we need to have an NPS policy that allows MS-CHAP for local NPS (127.0.0.1)
- Create a new connection request policy name Nile_Host_Verifcation
- Create a new Network policy name Nile_Host_Verifcation
- To verify RADIUS authentication, log onto Nile Portal:https://u1.nile-global.cloud/
- Navigate to
- Click on the blue RADIUS hostname (Example SE HQ NPS)
- From RADIUS configuration modification page, click on
A new pop-up window opens.
- User Id: MS Windows AD User account
- Password: User account password
- Save credentials for monitoring (Optional to use the account for Nile availability monitoring) if the testing account is not saved, Nile will use a dummy account for monitoring.
- Click on the
- If authentication is successful, a green circle with an arrow will display beside RADIUS host IP.
- You can verify Windows NPS logs for success or failure authentication.
- Log onto Nile Portal:https://u1.nile-global.cloud/
- Navigate to
- Click on button; this opens a new Segment configuration panel
- In the
- Navigate to
- Click the
- Select (1) all sites, (2) one site, or (3) one zone, using the radio buttons and associated lists
- Select the authentication server from the Authentication pull-down list.
- Select the DHCP server from the DHCP pull-down list.
- Select the subnet(s) from the Subnet pull-down list — you may select one or more
- Click the
- Navigate to
- Click on ? button; this creates a new SSID
- Click the Enterprise radio button
- Enter the Name for the SSID: this will be what the APs will use as a beacon
- Select the security type from the Security pull-down list
- Select the segment created earlier. (Example ND_Employee segment)
- Verify that you have entered the correct information
- Press the
- From a Wireless-capable client device, select Nile 802.1x SSID; log in using a domain user member; and, verify that device connects to the SSID.Note: First-time clients need to accept the certificate and connect to the network using 802.1x; user needs to click on the
- Verify sign-in info and IP address. IP needs to be from segment subnet range; in our example 192.168.112.0/26 for ND_Employee
Verify NPS logs:
- Open Event Viewer, and then, under Custom views, select
- If needed, filter for events that have Event ID 6273 or 6274. Most authentication failures produce these events.
- Log onto Nile Portal:https://u1.nile-global.cloud/
- Navigate to
- Click on the ? (edit) icon next to the name of the SSID, to edit the wireless SSID
- Add an additional segment from the drop-down list.
You may need to go back at look at the definitions of the segments in your list. In this example (Nile Portal ® Settings button → Segments tab → edit ssid “ND_Employee” ® Service area subtab), “segment ND_Employee” is configured with Microsoft NPS as an authentication server and IP address Subnet 192.168.112.0/26:
and (Nile Portal ® Settings button ® Segments tab ® edit ssid “ND_Contractor” ® Service area subtab) segment “ND_Contractor” is configured with Microsoft NPS as an authentication server and IP address Subnet 192.168.116.0/26:
- In the Console, navigate to NPS (Local)
- Click on the Edit button.
- Select Setting
- click on the
- From the
- Click on attribute
- This will use the tunnel group ID RADIUS standard attribute to assign Nile segment name to policy members.
- In Attribute Information, click the
- Enter the segment name into the value field for the attribute. The segment name is case sensitive.
- Click on the
- Click the
- Verify RADIUS standard attributes.
- Click the
- Verify sign-in info and IP address. IP needs to be from segment subnet rang (in our example 192.168.116.0/26 for ND_Contractor)
Note: NPS is a Microsoft Windows service. Adding or changing configs might require restarting the service. To restart, in the Console, navigate to NPS (Local), right-click on NPS (local), select Stops NPS Service to stop NPS and then select Start NPS Service.
