Always On VPN – Install and Configure the NPS Server
You can use this section to install the Network Policy Server (NPS) and perform configuration for Always On VPN.
NPS server processing of connection requests that are sent by the VPN server includes performing authorization – to verify that the user has permission to connect; performing authentication – to verify the user’s identity; and performing accounting – to log the aspects of the connection request that you chose when you configured RADIUS accounting in NPS.
The steps in this section allow you to complete the following items.
- On the computer or VM that is planned as the NPS server, and that is installed on the corporate network, you can install NPS.
If you already have one or more NPS servers on your network, you do not need to perform NPS Server installation – instead, you can use this topic to update the configuration of an existing NPS server.
- On the corporate NPS server, you can configure NPS to perform as a RADIUS server that processes the connection requests that are received from the VPN server.
You can use this section to install Network Policy Server (NPS) by using either Windows PowerShell or the Server Manager Add Roles and Features Wizard.
NPS is a role service of the Network Policy and Access Services server role.
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To perform this procedure by using Windows PowerShell, run Windows PowerShell as Administrator, type the following command, and then press ENTER.
Install-WindowsFeature NPAS -IncludeManagementTools
You can use the following procedure to install NPS using Server Manager.
- In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.
- In Before You Begin, click Next.
The Before You Begin page of the Add Roles and Features Wizard is not displayed if you have previously selected Skip this page by default when the Add Roles and Features Wizard was run.
- In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.
- In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.
- In Select Server Roles, in Roles, select Network Policy and Access Services. A dialog box opens asking if it should add features that are required for Network Policy and Access Services. Click Add Features, and then click Next
- In Select features, click Next, and in Network Policy and Access Services, review the information that is provided, and
then click Next.
- In Select role services, click Network
Policy Server. In Add features that are required for Network
Policy Server, click Add Features. Click Next.
- In Confirm installation selections, click Restart the destination server automatically if required. When you are prompted to confirm this selection, click Yes, and then click Install. The Installation progress page displays status during the installation process. When the process completes, the message “Installation succeeded on ComputerName” is displayed, where ComputerName is the name of the computer upon which you installed Network Policy Server. Click Close.
NPS handles all authentication, authorization, and accounting duties for connection requests that it receives from the VPN server.
To configure NPS, you must perform the following tasks.
- Register the NPS Server in Active Directory
- Configure RADIUS Accounting for your NPS Server
- Add the VPN Server as a RADIUS Client in NPS
- Configure Network Policy in NPS
- Autoenroll the NPS Server certificate
The following sections provide instructions on completing these tasks.
After you install NPS, you must register the server in Active Directory so that it has permission to access user account information while processing connection requests.
To register the NPS Server in Active Directory
- In Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
- In the NPS console,
right-click NPS (Local), and then click Register server in Active Directory. The Network Policy Server dialog box opens.
- In the Network Policy Server dialog box, click OK twice.
For alternate methods of registering NPS, see Register an NPS Server in an Active Directory Domain.
There are three types of logging for Network Policy Server (NPS):
- Event logging. Used primarily for auditing and troubleshooting connection attempts. You can configure NPS event logging by obtaining the NPS server properties in the NPS console.
- Logging user authentication and accounting requests to a local file. Used primarily for connection analysis and billing purposes. Also useful as a security investigation tool because it provides you with a method of tracking the activity of a malicious user after an attack. You can configure local file logging using the Accounting Configuration wizard.
- Logging user authentication and accounting requests to a Microsoft SQL Server XML-compliant database. Used to allow multiple servers running NPS to have one data source. Also provides the advantages of using a relational database. You can configure SQL Server logging by using the Accounting Configuration wizard.
To learn how to
configure NPS Accounting, see Configure Network Policy Server Accounting.
You can use this section to configure the VPN server as a RADIUS Client in NPS.
When you add a new network access server (VPN server, wireless access point, authenticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS so that NPS is aware of and can communicate with the network access server.
To add the VPN Server as a RADIUS client in NPS
You can use this procedure to configure a new RADIUS client in NPS.
In the previous deployment step using the topic Configure the Remote Access Server for Always On VPN, you installed and configured your VPN server. During VPN server configuration, you added a RADIUS shared secret on the VPN server. Now you need to use the same shared secret text string to configure the VPN server as a RADIUS client in NPS. You must use the same text string that you used on the VPN server, or communication between the NPS server and VPN server will fail.
- On the NPS server, in Server Manager,
click Tools, and then click Network Policy Server. The NPS console opens.
- In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New. The New
RADIUS Client dialog box
- In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
- In New RADIUS Client, in Friendly name, type a display name for the VPN server. In Address (IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify if you want to verify that the name is correct and maps to a valid IP address.
- In New RADIUS Client, in Shared
secret, do the following:
- Ensure that Manual is selected, and then in Shared secret, type the strong text string that you also entered on the VPN server. Retype the shared secret in Confirm shared secret.
- OK. The VPN Server appears in the list of RADIUS clients that are
configured on the NPS server.
You can use this procedure to configure NPS as a RADIUS server on your network.
On the NPS server, you must define a policy that allows only users in a specific group to access the Corporate network through the VPN Server – and then only when using a valid user certificate in a PEAP authentication request.
To configure the NPS Network Policy on the NPS server
- On the NPS server, in Server Manager, click Tools, and then click Network Policy Server.
- In Standard Configuration, ensure that RADIUS server for Dial-Up or VPN Connections is selected, and then click Configure VPN or Dial-Up.
The Configure VPN or Dial-Up wizard opens.
- In the Configure VPN or Dial-Up wizard, in Select Dial-up or Virtual Private Network Connections Type page, click Virtual Private Network (VPN) Connections, and then click Next.
- In Specify Dial-Up or VPN Server, in RADIUS clients, click the name of the VPN Server that you
added in the previous step. For example, if your VPN server NetBIOS name is
RAS1, click RAS1. Click Next.
- In Configure Authentication Methods, complete the following steps:
a. Deselect the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box.
b. Select the Extensible Authentication Protocol check box.
c. Click Type (based on method of access and network configuration), and then click Microsoft: Protected EAP (PEAP). d. Click Configure. The Edit Protected EAP Properties dialog box opens.
e. In Edit
Protected EAP Properties,
click Remove to remove the Secured Password (EAP-MSCHAP v2) EAP type.
f. Click Add. The Add EAP dialog box opens. In Add EAP, click Smart
Card or other certificate,
and then click OK.
g. Click OK to close Edit Protected EAP Properties.
- Click Next.
- In Specify User Groups, complete the following steps:
a. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.
b. In Select
Users, Computers, Service Accounts, or Groups, type VPN
Users, and then click OK.
c. Click Next.
- In Specify IP Filters, click Next.
- In Specify Encryption Settings, do not make any changes. These settings apply only to
Microsoft Point-to-Point Encryption (MPPE) connections, which this scenario
doesn’t support. Click Next.
- In Specify a Realm Name, click Next.
- Click Finish to close the
You can use this procedure to manually refresh Group Policy on the local NPS server. When Group Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local computer is autoenrolled a certificate by the certification authority (CA).
Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure.
- On the computer where NPS is installed, open Windows PowerShell.
- At the Windows PowerShell prompt, type gpupdate, and then press ENTER.
The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.
This extension was created for organizations that want to protect VPN connections without deploying the Azure MFA Server. The NPS extension acts as an adapter between RADIUS and cloud-based Azure MFA to provide a second factor of authentication for federated or synced users.
When using the NPS extension for Azure MFA, the authentication flow includes the following components:
- NAS/VPN Server receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
- NPS Server connects to Active Directory to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.
- NPS Extension triggers a request to Azure MFA for the secondary authentication. Once the extension receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim, issued by Azure STS.
- Azure MFA communicates with Azure Active Directory to retrieve the user’s details and performs the secondary authentication using a verification method configured to the user.
- Download the NPS Extension from the Microsoft Download Center.
- Copy the binary to the Network Policy Server you want to configure.
- Run setup.exe and follow the installation instructions. If you encounter errors, double-check that the two libraries from the prerequisite section were successfully installed.
If you have users that aren’t enrolled for MFA, you can determine what happens when they try to authenticate. Use the registry setting REQUIRE_USER_MATCH in the registry path HKLM\Software\Microsoft\AzureMFA to control the feature behavior. This setting has a single configuration option:
|REQUIRE_USER_MATCH||TRUE/FALSE||Not set (equivalent to TRUE)|
The purpose of this
setting is to determine what to do when a user is not enrolled for MFA. When
the key does not exist, is not set, or is set to TRUE, and the user is not enrolled,
then the extension fails the MFA challenge. When the key is set to FALSE and
the user is not enrolled, authentication proceeds without performing MFA. If a
user is enrolled in MFA, they must authenticate with MFA even if
REQUIRE_USER_MATCH is set to FALSE.
The installer creates a
PowerShell script in this location:
C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your
installation drive). This PowerShell script performs the following actions each
time it is run:
- Create a self-signed certificate.
- Associate the public key of the certificate to the service principal on Azure AD.
- Store the cert in the local machine cert store.
- Grant access to the certificate’s private key to Network User.
- Restart the NPS.
Unless you want to use your own certificates (instead of the self-signed certificates that the PowerShell script generates), run the PowerShell Script to complete the installation. If you install the extension on multiple servers, each one should have its own certificate.
- Run Windows PowerShell as
- Change directories.
cd "C:\Program Files\Microsoft\AzureMfa\Config"
- Run the PowerShell script created by the installer.
- Sign in to Azure AD as an administrator.
- PowerShell prompts for your tenant ID. Use the Directory ID GUID that you copied from the Azure portal in the prerequisites section.
- Enter Directory id
- PowerShell shows a success message when the script is finished.
Repeat these steps on any additional NPS servers that you want to set up for load balancing.