Implementing a Network Policy Server

In the lab, remote VPN clients are authenticated by a RADIUS server before they are allowed onto the network. On Windows Server 2016 that role is filled by Network Policy Server (NPS), Microsoft's implementation of a RADIUS server and proxy.

Authentication Method

RADIUS is the authentication, authorization and accounting protocol; NPS is the server that speaks it. The server and each Network Access Server (NAS), here the VPN server, which acts as the RADIUS client, are configured with a shared secret that never travels on the wire. The secret is used to obscure the User-Password attribute (with an MD5-derived keystream, per RFC 2865) and to compute the authenticator that lets the NAS verify a reply really came from the server; the rest of a RADIUS packet is sent in the clear. For that reason the user's credentials are normally not sent as a plain password but carried inside an authentication method negotiated between client and server, such as EAP (PEAP-MS-CHAP v2, EAP-TLS) or MS-CHAP v2, which NPS then validates. A long, random shared secret per RADIUS client is the main protection against a rogue NAS or an on-path attacker.

Authentication proceeds in several steps. First the client presents its credentials to the NAS using the authentication method configured on both sides. The NAS forwards them to the RADIUS server in an Access-Request message, along with attributes describing the request, such as the NAS's own IP address (NAS-IP-Address), the port type (here a VPN connection) and, where available, the address the client connects from.

NPS then evaluates the request and answers the NAS with one of three messages. Access-Reject means the user has been denied, either because the credentials failed or because a policy condition or constraint was not met. Access-Accept grants access and can carry settings for the session. Access-Challenge asks the client for more information; multi-round methods such as EAP exchange several Access-Request/Access-Challenge pairs before the final Accept or Reject.
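The exchange just described, as an added example that is not part of the lab write-up: a Python model of the NAS side and a toy RADIUS server built on the RFC 2865 packet rules (MD5-based User-Password hiding and the Response Authenticator). The user table, shared secret and addresses are constructed for illustration. It shows what the shared secret actually does: a NAS configured with the wrong secret gets an Access-Reject and cannot verify the reply, and a reply tampered with in transit is discarded. Real NPS deployments carry credentials in EAP or MS-CHAP v2 rather than User-Password, but the authenticator logic is the same.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def obscure_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out


def reveal_password(obscured, secret, req_auth):
    """Inverse of obscure_password; only a holder of the shared secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(obscured), 16):
        block = obscured[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes these 2 header bytes) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """What the NAS (VPN server) sends to NPS. A fresh random Request Authenticator
    seeds the password hiding and is echoed into the Response Authenticator."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, obscure_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def radius_server(request, secret, users):
    """Toy stand-in for NPS: recover the password, check it, answer Accept or Reject.
    `users` is a constructed {username: password-bytes} table."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user, b"")
    if expected and hmac.compare_digest(expected, password):
        code, reply = ACCESS_ACCEPT, [(REPLY_MESSAGE, b"Welcome")]
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad credentials")]
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + _md5(header, req_auth, body, secret) + body


def check_response(request, response, secret):
    """NAS side: trust the answer only if the ID matches and the Response
    Authenticator proves it came from a holder of the shared secret.
    Returns the packet code, or None if the reply must be discarded."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if not hmac.compare_digest(_md5(header, request[4:20], body, secret), resp_auth):
        return None
    return response[0]
```

Note what the secret does not do here: User-Name, NAS-IP-Address and the reply attributes are all readable on the wire, and the MD5 keystream offers no real protection against an attacker who captures traffic and can guess the secret. That is why the lab uses EAP or MS-CHAP v2 on top, and why the secret per RADIUS client should be long and random.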

Security Policy

Which authenticated users may connect through the NAS is decided by the network policies configured on the RADIUS server. Each policy states conditions (for example Windows group membership or the NAS port type), an access permission (grant or deny) and, for granted connections, the constraints and settings that apply to the session.

Network policies govern how the RADIUS server answers every request it receives. Besides granting or denying access, a policy constrains the authorized session: it selects which authentication methods are acceptable, applies day and time restrictions, and sets idle and session timeouts after which the NAS must drop the connection. NPS evaluates policies in processing order and uses the first one whose conditions match; if that policy's constraints are not met the request is rejected rather than passed on to the next policy, so policy order matters.
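How policy evaluation plays out, as an added example that is not part of the lab write-up and not NPS code: a Python model of network policies with conditions, access permission and constraints, evaluated in processing order the way NPS does it. The policy set, group names, port-type string and reason texts are constructed for illustration. It shows the point that matters for a reviewer of a policy list: a request that matches an early policy's conditions but fails its constraints is rejected there and never reaches a later, more permissive policy.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRequest:
    user: str
    groups: set                 # AD group memberships of the user
    nas_port_type: str          # "Virtual (VPN)" is how NPS names VPN connections
    auth_method: str            # "MS-CHAP-v2", "EAP-TLS", "PAP", ...
    when: datetime


@dataclass
class NetworkPolicy:
    name: str
    grant: bool                                        # access permission
    groups: set = field(default_factory=set)           # condition; empty = any user
    nas_port_types: set = field(default_factory=set)   # condition; empty = any
    auth_methods: set = field(default_factory=set)     # constraint; empty = any
    hours: dict = field(default_factory=dict)          # constraint: weekday 0-6 -> (from, to)
    idle_timeout: int = 0                              # constraint, minutes; 0 = none


def conditions_match(p: NetworkPolicy, r: AccessRequest) -> bool:
    if p.groups and not (p.groups & r.groups):
        return False
    if p.nas_port_types and r.nas_port_type not in p.nas_port_types:
        return False
    return True


def failed_constraint(p: NetworkPolicy, r: AccessRequest):
    """Name of the first constraint the request violates, or None."""
    if p.auth_methods and r.auth_method not in p.auth_methods:
        return "authentication method not enabled on policy"
    if p.hours:
        window = p.hours.get(r.when.weekday())
        if window is None or not (window[0] <= r.when.hour < window[1]):
            return "outside day and time restriction"
    return None


def evaluate(policies, r: AccessRequest):
    """Walk policies in processing order; the first whose conditions match is the
    only one used. A failed constraint on that policy rejects the request; it
    does not fall through to a later, more permissive policy."""
    for p in policies:
        if not conditions_match(p, r):
            continue
        if not p.grant:
            return "Access-Reject", p.name, "policy denies access"
        why = failed_constraint(p, r)
        if why:
            return "Access-Reject", p.name, why
        return "Access-Accept", p.name, {"idle_timeout": p.idle_timeout}
    return "Access-Reject", None, "no matching network policy"


WEEKDAYS = {d: (7, 19) for d in range(5)}   # Mon-Fri 07:00-19:00

# Constructed lab policy set, listed in processing order
LAB_POLICIES = [
    NetworkPolicy("Block contractors", grant=False, groups={"Contractors"}),
    NetworkPolicy("VPN users", grant=True, groups={"VPN-Users"},
                  nas_port_types={"Virtual (VPN)"},
                  auth_methods={"MS-CHAP-v2", "EAP-TLS"}, hours=WEEKDAYS, idle_timeout=15),
    NetworkPolicy("Legacy PAP devices", grant=True, auth_methods={"PAP"}),
    NetworkPolicy("Connections to other access servers", grant=False),
]
```

The "Block contractors" deny policy only works because it sits above "VPN users"; a contractor who is also in VPN-Users would be accepted if the order were reversed. Likewise a member of VPN-Users who tries PAP is rejected by "VPN users" even though "Legacy PAP devices" below it would have accepted the method.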

Accounting

Keeping an accounting log is one of the main tasks of a RADIUS server. NPS offers four logging configurations: a SQL Server database, a local text file, both at the same time, or SQL Server with failover to a local text file. Which one to pick depends on how critical the log is to the service. SQL Server logging with text-file failover is usually the best choice: the database gives queryable, centralized records, the failover keeps accounting running if the database is unreachable, and with the default setting NPS discards connection requests when it cannot write its log, so a logging outage would otherwise become an authentication outage.

What is written to the log is configurable: accounting requests, authentication requests, and periodic accounting and authentication status. Of the file formats, DTS Compliant is the best choice; it writes one XML event per line, which can later be imported into the SQL database. ODBC and IAS are legacy comma-delimited formats that carry a subset of the information. Depending on how much traffic the RADIUS server handles, log files can be rotated daily, weekly, monthly, never, or when they reach a given size.

In the lab we tested connecting several users through the VPN that authenticates against the RADIUS server. Every user request and connection showed up in the log. The log is a strong control: an administrator can follow each user's activity and connection status, and a rejected connection can be examined in detail, since the Access-Reject event records the reason code that explains what caused it.
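Reading the DTS Compliant log the way the lab did by hand, as an added example that is not part of the write-up: a Python parser for the one-XML-event-per-line format, followed by a summary of packet types per user and a list of rejected connections with their reason codes. The log lines are constructed (user names, NAS name and addresses are made up, and the events are shortened to the elements the parser uses); the Packet-Type values are the RADIUS codes and the reason-code texts are as documented for NPS event 6273. It also shows the handling a practitioner wants for a log that was cut off mid-line: the malformed line is counted and skipped rather than aborting the run.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
# A few Reason-Code values as documented for NPS event 6273
REASON_CODES = {0: "success", 8: "user account does not exist", 16: "credentials mismatch",
                48: "no matching network policy", 65: "dial-in permission set to deny",
                66: "authentication method not enabled on policy"}

# Constructed sample of a DTS Compliant log: one <Event> per line, attributes shortened.
# The blank line and the truncated next-to-last line model a log cut off mid-write.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">03/21/2018 09:12:01.113</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/21/2018 09:12:01.207</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><NP-Policy-Name data_type="1">VPN users</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/21/2018 09:14:33.002</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/21/2018 09:14:33.091</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/21/2018 09:12:02.500</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">0001</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type></Event>

<Event><Timestamp data_type="4">03/21/2018 09:20:00.000</Timestamp><Packet-Type
<Event><Timestamp data_type="4">03/21/2018 09:41:10.880</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">LAB\\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">VPN01</Client-Friendly-Name><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">0001</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type></Event>
"""


def parse_dts_event(line):
    """One <Event> line -> dict of the fields used for review."""
    ev = ET.fromstring(line)

    def txt(tag, default=None):
        e = ev.find(tag)
        return e.text if e is not None and e.text is not None else default

    return {
        "time": txt("Timestamp"),
        "user": txt("User-Name", ""),
        "nas": txt("Client-Friendly-Name") or txt("Client-IP-Address", ""),
        "type": PACKET_TYPES.get(int(txt("Packet-Type", "0")), "unknown"),
        "reason": int(txt("Reason-Code", "0")),
        "policy": txt("NP-Policy-Name"),
    }


def parse_dts_log(text):
    """Parse every non-empty line; return (events, number of unparseable lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(parse_dts_event(line))
        except (ET.ParseError, ValueError):
            bad += 1
    return events, bad


def summarize(events):
    """Per-user packet-type counts and a list of rejects with decoded reason codes."""
    per_user, rejects = defaultdict(Counter), []
    for e in events:
        per_user[e["user"]][e["type"]] += 1
        if e["type"] == "Access-Reject":
            rejects.append((e["time"], e["user"], e["nas"], e["reason"],
                            REASON_CODES.get(e["reason"], "see NPS event log")))
    return {u: dict(c) for u, c in per_user.items()}, rejects
```

On a real server the same DTS log lines also carry the Fully-Qualifed-User-Name, Authentication-Type and Proxy-Policy-Name elements; add them to `parse_dts_event` when investigating a reject, since a mismatch in the user name NPS resolved is a common cause of reason code 16.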
