1. Prerequisites:

a. Network Policy and Access Services

b. Windows Firewall disabled or configured to allow RADIUS traffic on port 1812.

2. Ensure that NPS is installed and started.

3. Create a Security Group:

a. Create a security group on your AD domain controller with a name that is descriptive to you (VPNUsers, for example) and populate it with users who will have VPN access.

4. Open the Server Manager.

5. Tell Windows about the RADIUS Client:

a. Expand Roles -> Network Policy and Access Services -> NPS (Local) -> RADIUS Clients and Servers, and select RADIUS Clients.

b. Right-click RADIUS Clients and select New RADIUS Client.

c. Check the box to enable the RADIUS Client.

d. Type a friendly name (Firebox) for the RADIUS Client.

e. Add the IP address of the Firebox.

f. Select RADIUS Standard from the Vendor Name list.

g. Choose the “Manual” radio button.

h. Type and confirm the “secret” you entered into the Firebox config in the “Configure the Firebox” section.

i. Make sure both checkboxes at the bottom of the dialog are unchecked and click OK.
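The same steps 1 to 5 can be scripted and checked from an elevated PowerShell session. The script below is an added example, not part of the original article, and assumes Windows Server 2012 or later (the NPS, NetSecurity and ActiveDirectory modules), a Firebox at the documentation address 192.0.2.10, a group named VPNUsers and a RADIUS client named Firebox; replace those values with your own. It also performs the port-1812 ownership check that the IAS section later recommends, since another process bound to that port will silently swallow the Firebox's requests.

```powershell
# Added example (not from the original article): scripted form of steps 1-5.
# Assumed values: Firebox address, group name and client name. Requires
# Windows Server 2012 or later; the NPS service name has always been "IAS".
#Requires -RunAsAdministrator

$RadiusClientName = 'Firebox'      # friendly name; reused later as a policy condition, case matters
$FireboxAddress   = '192.0.2.10'   # assumed trusted IP of the Firebox (documentation range)
$VpnGroupName     = 'VPNUsers'     # assumed AD security group for VPN users

# Steps 1a and 2: install the NPS role (feature name NPAS) and make sure it is running.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}
Set-Service -Name IAS -StartupType Automatic
Start-Service -Name IAS
if ((Get-Service -Name IAS).Status -ne 'Running') { throw 'NPS (service IAS) is not running' }

# Step 1b: instead of disabling the firewall, allow UDP/1812 from the Firebox only.
# Add 1813 to -LocalPort if you also turn on RADIUS accounting.
if (-not (Get-NetFirewallRule -DisplayName 'RADIUS from Firebox' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RADIUS from Firebox' -Direction Inbound -Protocol UDP `
        -LocalPort 1812 -RemoteAddress $FireboxAddress -Action Allow | Out-Null
}

# Check who owns UDP/1812. NPS runs inside svchost.exe; any other owner (the article
# mentions an antivirus management console) means requests never reach NPS.
$owners = Get-NetUDPEndpoint -LocalPort 1812 -ErrorAction SilentlyContinue | ForEach-Object {
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
} | Sort-Object -Unique
if (-not $owners)                        { Write-Warning 'Nothing is listening on UDP/1812' }
elseif ($owners -notcontains 'svchost')  { Write-Warning "UDP/1812 is owned by: $($owners -join ', ')" }

# Step 3: create the security group on the domain (RSAT ActiveDirectory module).
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$VpnGroupName'")) {
    New-ADGroup -Name $VpnGroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users permitted to authenticate to the Firebox PPTP VPN'
}
# Populate it as required, e.g.:  Add-ADGroupMember -Identity $VpnGroupName -Members 'alice'

# Step 5: register the Firebox as a RADIUS client. The secret is prompted for rather than
# stored in the script, and must match what was entered in the Firebox configuration.
# -AuthAttributeRequired $false corresponds to leaving the Message-Authenticator box unchecked.
$secret = Read-Host -Prompt 'Shared secret configured on the Firebox'
if (Get-NpsRadiusClient -Name $RadiusClientName -ErrorAction SilentlyContinue) {
    Remove-NpsRadiusClient -Name $RadiusClientName
}
New-NpsRadiusClient -Name $RadiusClientName -Address $FireboxAddress -SharedSecret $secret `
    -VendorName 'RADIUS Standard' -Enabled $true -AuthAttributeRequired $false | Out-Null

Get-NpsRadiusClient -Name $RadiusClientName |
    Format-List Name, Address, VendorName, Enabled, AuthAttributeRequired
```

The firewall rule is scoped to the Firebox's address deliberately: the shared secret is the only thing protecting the RADIUS exchange, so limiting which hosts can even reach the port is the cheap mitigation. On Windows Server 2008 the equivalent client registration is done with `netsh nps add client` and the firewall rule with `netsh advfirewall firewall add rule`.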

6. Configure a Connection Request Policy (NOTE: This step can be skipped in Small Business Server. It does not seem to be necessary.)

a. Right-click on Connection Request Policy and select “New”.

b. Type in a corresponding name for the Policy, leave the Access Server as “Unspecified” and click Next.

c. Add a condition, scroll down to RADIUS Client and double-click “Client Friendly Name”. Type in the name you used for your Firebox (Firebox). Case matters here. Click OK -> Next.

Note: You could also use “Client IPv4 Address” for step c if you like.

d. Accept the defaults and click Next.

e. Leave the Authentication Methods unchecked and click Next.

f. Accept the defaults for Configure Settings and click Next.

g. Click Finish to complete the wizard.

7. Configure a RADIUS Authentication Policy:

a. Expand Roles -> Network Policy and Access Services -> NPS (Local) -> Policies -> Network Policies.

b. Right-click Network Policies and select New.

c. Type a Policy name that will be descriptive to you (RUVPN Connections, for example).

d. Leave the “Type of network access server” set to “Unspecified” and click Next.

e. Click the Add button and double-click “Windows Groups” in the Conditions list.

f. Click the Add Groups button and type or search for the VPN users group you created earlier.

g. Click OK -> OK, which should bring you back to the Specify Conditions dialog.

h. Click the Next button to get to the Specify Access Permission dialog.

i. Leave “Access granted” selected and click Next.

j. Ensure that MS-CHAP-v2 and MS-CHAP are selected, and click Next.

k. Click Next again without configuring any constraints.

l. In the left pane, select Standard under RADIUS Attributes.

m. Remove any existing attributes and click Add.

n. Double-click Filter-ID.

o. Click the Add button.

p. Type “PPTP-Users” (case sensitive) into the “String” field and click OK.

q. Click OK and Close to get back to the Configure Settings dialog.

r. Select Encryption under Routing and Remote Access, and uncheck “No Encryption”.

s. Click Next -> Finish.

t. Right-click your new policy and select “Move Up” repeatedly until it is first in the list.

Test your configuration:

1. Set up a workstation outside the firewall with PPTP VPN.

2. Connect to the VPN with a user who exists in the VPN users group you created in AD.

3. Once the VPN is running, test access to network resources.

Note: It is possible to be connected to the VPN, but still have no resource access if you did not configure the access policy properly, so be sure to test this.
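Two server-side checks make the test step above conclusive: confirming that the Filter-Id string in the network policy is exactly the value the Firebox expects (the usual cause of "connected but no resource access"), and reading the access decisions NPS records. The script below is an added example, not part of the original article; it assumes Windows Server 2012 or later, the Fireware value PPTP-Users (use pptp_users for WSM 7.x), and that NPS auditing may be switched on with auditpol.

```powershell
# Added example (not from the original article): server-side verification for the
# "Test your configuration" step. The expected Filter-Id value is an assumption that
# depends on the Firebox generation (PPTP-Users for Fireware, pptp_users for WSM 7.x).
#Requires -RunAsAdministrator

$ExpectedFilterId = 'PPTP-Users'
$ExportPath       = Join-Path $env:TEMP 'nps-config.xml'

# 1. The Firebox compares Filter-Id case-sensitively. Export the NPS configuration and
#    search it for the exact string; a match that only appears case-insensitively means
#    the attribute was typed with the wrong case.
Export-NpsConfiguration -Path $ExportPath
$pattern = [regex]::Escape($ExpectedFilterId)
$exact   = Select-String -Path $ExportPath -Pattern $pattern -CaseSensitive
$loose   = Select-String -Path $ExportPath -Pattern $pattern
if ($exact)     { "Filter-Id '$ExpectedFilterId' is present in the NPS configuration" }
elseif ($loose) { Write-Warning "Filter-Id present but with different case: $($loose.Line.Trim())" }
else            { Write-Warning "Filter-Id '$ExpectedFilterId' not found in any network policy" }
# The export contains RADIUS shared secrets in clear text, so do not leave it on disk.
Remove-Item -Path $ExportPath -Force

# 2. NPS logs each decision to the Security log once the "Network Policy Server" audit
#    subcategory is enabled: event 6272 = access granted, 6273 = access denied.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Reason codes commonly seen in 6273 events (the event text carries the same explanation).
$reasons = @{
    16 = 'user credentials mismatch'
    48 = 'no matching network policy'
    65 = 'dial-in permission on the AD account is set to Deny'
    66 = 'authentication method not enabled on the matched policy'
}

foreach ($e in $events) {
    $m      = $e.Message
    $user   = if ($m -match 'Account Name:\s+(\S+)')        { $Matches[1] }        else { '?' }
    $client = if ($m -match 'Client Friendly Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
    $policy = if ($m -match 'Network Policy Name:\s+(.+)')  { $Matches[1].Trim() } else { '-' }
    $code   = if ($m -match 'Reason Code:\s+(\d+)')         { [int]$Matches[1] }   else { 0 }
    $verdict = if ($e.Id -eq 6272) { 'GRANTED' } else { "DENIED ($code: $($reasons[$code]))" }
    '{0:u}  {1}  user={2} client={3} policy={4}' -f $e.TimeCreated, $verdict, $user, $client, $policy
}
```

A user who lands on GRANTED against the wrong policy name (for instance a default policy that was never moved below yours) will connect but receive no Filter-Id, which is exactly the "connected but no access" symptom the note describes; the policy column makes that visible without repeating the VPN test.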

Update:

If you have an older Firebox running WSM 7.x, and wish to use PPTP terminated by the firewall, with RADIUS authenticated by a Windows 2008 server, use these instructions for the firewall side:

Note: You will need to adjust the policy in NPS on the Windows 2008 server to use “pptp_users” instead of “PPTP-Users”. This changed between WSM and Fireware.

Configure a legacy Firebox (WSM 7.x) for Remote User PPTP:

1. Open Policy Manager and select Setup -> Firewall Authentication.

2. Select the radio button for RADIUS Server -> OK -> OK.

3. Enter the IP address of the Windows 2000 server running IAS.

4. Change the Port number to 1812 and enter your shared secret -> OK.

5. Click Network -> Remote User -> PPTP tab.

6. Check the checkboxes for Activate Remote User and Use Radius Authentication.

7. Click the Add button, select Host IP Address and enter the first IP address you allocated for use by the Firebox -> OK.

8. Repeat this until all of your allocated IP addresses have been entered.

Note: You can copy/paste into the IP address field.

Note: You may wish to enable logging here if you have any difficulty getting this to work.

9. Click OK.

Configure a legacy Firebox Access Rule for RUVPN:

1. Add a service to allow traffic from VPN Users:

a. Click Edit -> Add Service. Expand Packet Filters and select “Any”.

b. Click the Add button. Change the name to “Any-RUVPN”.

Note: If you change this name, I recommend against using spaces.

c. On the Incoming tab, select “Enabled and Allowed” from the selection list.

d. Click the Add button in the “From” area and add the “pptp_users” group.

Note: If the “pptp_users” group is not available to be selected here, you can click “Add other”, drop down and select “Radius User or Group” and type pptp_users in. I had to do this with a Firebox. Once I had uploaded the config and firmware to the Firebox, then pulled down a fresh config file from the Firebox, the pptp_users that I had typed in became the special Firebox group and took on the icon with the two heads with a red thing behind them, indicating that it recognized the special group. Your mileage may vary.

e. Click the Add button in the “To” area and add “Trusted”.

f. Go to the Outgoing tab.

g. Add “Trusted” to the “From” area and “pptp_users” to the “To” area.

h. Finish the rule and upload the configuration to the Firebox.

If you have a Windows 2003 server and wish to use IAS for RADIUS authentication for a Watchguard Firebox, here are the steps:

Install and Configure IAS on Windows 2003:

Note: You must either disable SMB Signing or use Firebox Software version 7.30-B2938 or later!

1. In Add/Remove Programs -> Windows Components -> Networking Services, check “Internet Authentication Service” and finish the wizard.

2. Open the Services applet and stop, then restart the IAS service. Refresh the screen and ensure that the service continues to show “running” status. Some applications (the Symantec antivirus management console, for example) interfere with IAS by using port 1812. If this is the case you will need to configure IAS on a different server.

3. Open Administrative Tools -> Internet Authentication Service and select Radius Clients in the left pane.

4. Click Action -> New Radius Client. Enter “Firebox” for the friendly name.

Note: If you change this name, I recommend against using spaces or non-alpha characters.

5. Enter the Trusted IP address of the Firebox for the Client Address and click Next.

6. Verify that RADIUS Standard is the selected protocol.

7. Enter and confirm a “shared secret” of your choice.

Note: I recommend Uppercase, Lowercase, and Numbers – but not non-alpha characters.

8. Verify that RADIUS Standard is the selected Client-Vendor.

9. Verify that the box for “Request must contain the Message Authenticator attribute” is NOT checked, and click Finish.

10. Select Remote Access Policies and click Action -> New Remote Access Policy.

11. Select the option for “Set up a custom policy”.

12. Enter VPNUsers for the friendly name of the policy.

Note: If you change this name, I recommend against using spaces or non-alpha characters.

13. Click Next -> Add -> select Windows-Groups -> Add -> Add -> select your VPNUsers group -> OK -> OK -> Next.

14. Select the radio button for “Grant remote access permission” -> Next.

15. Click the Edit Profile button -> Authentication tab.

16. Verify that the checkboxes for “Microsoft Encrypted Authentication version 2 (MS-CHAP v2)” and MS-CHAP are checked.

17. Go to the Encryption tab and clear the check box next to “No Encryption”.

18. Click the Advanced tab and remove “Framed-Protocol” and “Service-Type”.

19. Click Add -> Filter-Id -> Add -> verify that “string” is selected and type “pptp_users” into the attribute field.

Note: For Fireware Pro 8.2 the string must be set to “PPTP-Users” (case sensitive).

Note: Other documentation may suggest that you type something else here, like your group name. DON’T. The Firebox wants to see “pptp_users” or “PPTP-Users” in this attribute, just as it is typed here – lowercase, underscore or hyphen and all.

20. Click whatever combination of OK, Next, and/or Finish is required to complete the config. If it prompts you to view help topics, say no.
