Configure a Radius server on Windows Server to authenticate Cisco VPN users

A Virtual Private Network (VPN) allows you to connect to a private network over the Internet from anywhere in the world.

It is very useful for business users who need to reach their company's internal resources from outside the office.

In this post we'll see how to let Active Directory users log in to a VPN configured on a Cisco router.

The setup consists of a Cisco 1801 router configured with a Road Warrior VPN and a Windows Server 2012 R2 machine on which we installed and activated the domain controller and the RADIUS (Network Policy Server) role.

To simplify the management of the users allowed to connect through the VPN, we create a dedicated group called VpnAuthorizedUsers:

Add the users who need VPN access to the VpnAuthorizedUsers group:

Launch Server Manager and select Add Roles and Features:

Select the server on which to install the role:

Select the role Network Policy and Access Services:

Install the required features:

Select Network Policy Server:

Press Install to start the installation of the role:

Press Close to exit from the wizard:

Proceed with the configuration of the RADIUS server: select NAP in Server Manager, then right-click the server name and choose Network Policy Server:

Right-click on NPS and select Register server in Active Directory:

Expand the RADIUS node and right-click RADIUS Clients:

Specify the friendly name and the IP address of the device (the Cisco router) that will forward the authentication requests to the RADIUS server, and a shared secret for the connection:

Expand Policies and right-click Connection Request Policies:

Specify a policy name:

Add a Client Friendly Name condition:

Enter the same friendly name used for the RADIUS client:

Click Next:

Select the attribute User-Name and click Next:

Right-click on Network Policies:

Specify the policy name:

Add the User Groups condition:

Add the VpnAuthorizedUsers group that you created previously:

Enable PAP, SPAP among the authentication methods:

Press No at the following dialog:

Once the Road Warrior VPN has been configured on the Cisco router, you have to enable authentication of the VPN users through RADIUS.

The local keyword at the end of the method list allows the router's local users to log in even when the RADIUS server is offline:

conf t
aaa authentication login vpnuser group radius local

Make sure the crypto map's client authentication list uses the same list name (vpnuser) as the aaa authentication login command.

Enter configuration mode (configure terminal) and define the RADIUS server with the IP address of the NPS and the shared secret entered under RADIUS Clients at the beginning of the tutorial:

radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key xxxxxxxxx
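As an added check once both sides are configured (example code written for this post, not the original author's and not part of any Cisco or Microsoft tool), this Python script sends a PAP Access-Request to the NPS the way the router will and reports whether the network policy answers Access-Accept or Access-Reject, so you can confirm that a VpnAuthorizedUsers member is accepted and anyone else is rejected before debugging the router. It assumes the machine you run it from is itself registered as a RADIUS client in NPS with the placeholder secret xxxxxxxxx; the NPS address and port are the ones from the post.

```python
import hashlib
import os
import socket
import struct

def pap_encrypt(password, secret, request_auth):
    # RFC 2865 User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(hidden, secret, request_auth):
    # Inverse: anyone holding the shared secret recovers the PAP password from a captured request.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret):
    # Access-Request (code 1) carrying User-Name (type 1) and hidden User-Password (type 2).
    request_auth = os.urandom(16)
    hidden = pap_encrypt(password, secret, request_auth)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def response_authenticator(code_id_len, request_auth, attrs, secret):
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(code_id_len + request_auth + attrs + secret).digest()

def response_is_authentic(reply, request_auth, secret):
    # Discard replies not produced by a server that knows our shared secret.
    return len(reply) >= 20 and reply[4:20] == response_authenticator(reply[:4], request_auth, reply[20:], secret)

def check_vpn_login(username, password, secret=b"xxxxxxxxx", host="10.0.0.1", port=1812):
    # Defaults are constructed: NPS address/port from the post, the secret is a placeholder
    # for the one entered under "RADIUS Clients". Expect Access-Accept only for group members.
    pkt, request_auth = build_access_request(os.urandom(1)[0], username.encode(), password.encode(), secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(pkt, (host, port))
        reply, _ = sock.recvfrom(4096)
    if not response_is_authentic(reply, request_auth, secret):
        return "unauthenticated reply (wrong shared secret or spoofed server)"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], f"unexpected code {reply[0]}")
```

Run check_vpn_login once with a group member and once with a user outside the group; pap_decrypt is included to show that the shared secret is all that hides the PAP password between router and NPS, so choose a long random one.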