Integrations

Microsoft NPS

Overview

Configuring a Microsoft RADIUS server provides superior authentication security, enables group policy enforcement for network segmentation, and records event logs for accounting purposes. Combining a secure Microsoft RADIUS server with certificate solutions creates a network environment that is strongly protected and a straightforward experience for users.

Prerequisites

- Microsoft NPS RADIUS server
- Identity provider
- Administrator rights to the Nile Portal
- Administrator rights to Microsoft NPS

Configuring Nile Authentication Server (RADIUS)

1. Log onto the Nile Portal: https://u1.nile-global.cloud/
2. Navigate to […] and click on the + (Add Authentication) button to create a new Microsoft NPS RADIUS authentication configuration.
3. Fill in the Microsoft NPS server information:
   - RADIUS server name (any name; example: SE HQ NPS)
   - Up to three RADIUS IP addresses
   - RADIUS authentication port; default 1812/UDP
   - RADIUS shared secret (pre-shared key; it must be the same as the pre-shared key configured for the NPS RADIUS client)
   - Nile geo scope (site); Nile supports one RADIUS server per geo scope
4. Click on Display NAS IPs to get the Nile Service Block NAS IP address(es) that need to be added as Microsoft NPS clients. The result is shown in the entry panel.
5. Click on Save and verify that the server has been added to the authentication device list.

Configuring NPS Server

1. Go to […].
2. In the console, navigate to […].
3. In the Add/Remove Snap-in window, select […].
4. In the […], click the […].
5. In the Add/Remove Snap-in window, click the […].
6. In the console, navigate to NPS (Local) in the side menu.
7. In the "Standard Configuration" panel, select "RADIUS server for 802.1X Wireless or Wired Connections" from the pull-down list.
8. Click on the "Configure 802.1X" link. This launches the 802.1X configuration wizard.
9. Select […]. Add "Nile" to the beginning of the name. Click the […].
10. Click the […]. Use "Nile NSB" as the friendly name. Fill in "Address (IP or DNS)" with the NAS IP address provided by the Nile Portal. Click the […].
11. Enter the secret that matches the one in the Nile Portal authentication settings. Click on […].
12. This policy example allows only domain users. To add these three conditions, click the Next button.
13. Select the authentication type Microsoft: Protected EAP (PEAP) and click on Next.
14. Windows Groups: select the user groups for the policy. In our example, we select the "Domain Users" group, then click on Next.
15. For traffic controls, just click on the […]. Click on the […].

Note: This is just an example; you can modify the policy to meet your requirements. For machine authentication or user authentication using a certificate, select "Microsoft: Smart Card or other certificate".

16. In the left-hand menu, under "Policies", select "Connection Request Policies". Click the entry "Nile Secure Wireless Connections".
17. In the left-hand menu, under "Policies", select "Network Policies". Verify the information as shown.

RADIUS Service Monitoring and Troubleshooting

Nile supports RADIUS transaction monitoring for service availability. For monitoring, Nile sends an authentication request with a dummy user account (user name "nile network test"); RADIUS responds with a rejection, which confirms that the RADIUS service is available. An administrator has the option to use an Active Directory user for monitoring, or can run a one-time verification for troubleshooting only. Nile supports MS-CHAPv2 for RADIUS monitoring and requires an NPS policy for verification.

Example: to allow Nile account verification, we need an NPS policy that allows MS-CHAP for the local NPS (127.0.0.1).

- Create a new connection request policy named "Nile Host Verification".
- Create a new network policy named "Nile Host Verification".

To verify RADIUS authentication:

1. Log onto the Nile Portal: https://u1.nile-global.cloud/
2. Navigate to […] and click on the blue RADIUS hostname (example: SE HQ NPS).
3. From the RADIUS configuration modification page, click on […]. A new pop-up window opens:
   - User ID: MS Windows AD user account
   - Password: user account password
   - Save credentials for monitoring (optional; keeps the account for Nile availability monitoring). If the testing account is not saved, Nile will use a dummy account for monitoring.
4. Click on the […]. If authentication is successful, a green circle with an arrow is displayed beside the RADIUS host IP. You can check the Windows NPS logs for authentication success or failure.

Configuring Nile Segments and Wireless SSIDs (RADIUS)

1. Log onto the Nile Portal: https://u1.nile-global.cloud/
2. Navigate to […] and click on the […] button; this opens a new segment configuration panel.
3. In the […], navigate to […] and click the […].
4. Select (1) all sites, (2) one site, or (3) one zone, using the radio buttons and associated lists.
5. Select the authentication server from the Authentication pull-down list.
6. Select the DHCP server from the DHCP pull-down list.
7. Select the subnet(s) from the Subnet pull-down list; you may select one or more.
8. Click the […].
9. Navigate to […] and click on the […] button; this creates a new SSID.
10. Click the Enterprise radio button.
11. Enter the name for the SSID. This is what the APs will use as a beacon.
12. Select the security type from the Security pull-down list.
13. Select the segment created earlier (example: the "nd employee" segment).
14. Verify that you have entered the correct information, then press the […].

Microsoft NPS Wireless 802.1X Connection Test

From a wireless-capable client device, select the Nile 802.1X SSID, log in with a domain user account, and verify that the device connects to the SSID.

Note: first-time clients need to accept the certificate to connect to the network using 802.1X; the user needs to click on the […].

Verify the sign-in info and IP address. The IP needs to be from the segment subnet range; in our example 192.168.112.0/26 for "nd employee".

Verify the NPS logs: open Event Viewer and then, under Custom Views, select […]. If needed, filter for events that have Event ID 6273 or 6274; most authentication failures produce these events.

Nile Segment Mapping with Microsoft NPS RADIUS Server

1. Log onto the Nile Portal: https://u1.nile-global.cloud/
2. Navigate to […] and click on the (edit) icon next to the name of the SSID to edit the wireless SSID.
3. Add an additional segment from the drop-down list. You may need to go back and look at the definitions of the segments in your list. In this example (Nile Portal → Settings button → Segments tab → Edit SSID "nd employee" → Service Area subtab), segment "nd employee" is configured with Microsoft NPS as an authentication server and IP address subnet 192.168.112.0/26, and (Nile Portal → Settings button → Segments tab → Edit SSID "nd contractor" → Service Area subtab) segment "nd contractor" is configured with Microsoft NPS as an authentication server and IP address subnet 192.168.116.0/26.
4. In the console, navigate to NPS (Local). Click on the Edit button, select Settings, and click on the […]. From the […], click on Attribute […]. This uses the Tunnel Group ID RADIUS standard attribute to assign the Nile segment name to policy members.
5. In Attribute Information, click the […]. Enter the segment name into the Value field for the attribute. The segment name is case-sensitive. Click on the […]. Click the […].
6. Verify the RADIUS Standard Attributes. Click the […].
7. Verify the sign-in info and IP address. The IP needs to be from the segment subnet range (in our example 192.168.116.0/26 for "nd contractor").

Note: NPS is a Microsoft Windows service; adding or changing configs might require restarting the service. To restart, in the console navigate to NPS (Local), right-click on NPS (Local), select Stop NPS Service to stop NPS, and then select Start NPS Service.
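As an added example (not Nile's or Microsoft's code), the following Python shows how the segment name configured above travels back to the network: the server places it in the Tunnel-Private-Group-ID RADIUS standard attribute (type 81, RFC 2868; shown as Tunnel-Pvt-Group-ID in the NPS attribute list), and the NAS only acts on the Access-Accept if the Response Authenticator verifies under the shared secret configured on both sides. The shared secret, request authenticator and segment names are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS standard attribute type (RFC 2868)

def tunnel_private_group_id(segment: str, tag: int = 1) -> bytes:
    """Encode a Tunnel-Private-Group-ID attribute; the segment name is case-sensitive."""
    value = bytes([tag]) + segment.encode("utf-8")
    return struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(value)) + value

def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build the reply a RADIUS server returns on success: header, Response Authenticator, attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The reply only verifies when the NAS and the server share the same secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attributes(attrs: bytes) -> dict:
    """Split the type-length-value attribute list into {type: [value, ...]}."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 1 >= len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute list")
        out.setdefault(attrs[i], []).append(attrs[i + 2:i + attrs[i + 1]])
        i += attrs[i + 1]
    return out

def segment_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Return the segment name carried in an authenticated Access-Accept, else None."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or not verify_response(packet, request_auth, secret):
        return None  # wrong shared secret or tampered reply: do not trust the segment
    for value in parse_attributes(packet[20:]).get(TUNNEL_PRIVATE_GROUP_ID, []):
        # RFC 2868: a leading octet <= 0x1F is a tag, otherwise it belongs to the string
        name = value[1:] if value and value[0] <= 0x1F else value
        return name.decode("utf-8")
    return None

# Constructed sample values (not taken from the Nile or NPS documentation)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, tunnel_private_group_id("nd contractor"))
```

A mismatched secret on either side, or any change to the attribute bytes in transit, makes the authenticator check fail and the segment assignment is not applied.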