Microsoft NPS - RADIUS Configuration with Authentication Manager - RSA Ready Implementation Guide

This article describes how to integrate Microsoft NPS with RSA Authentication Manager using RADIUS.

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager using RADIUS.

Procedure

  1. Sign in to the Security Console.
  2. Navigate to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server. This address will be used later in the Microsoft NPS configuration.
  3. Navigate to RADIUS > RADIUS Clients and click Add New.
  4. On the Add RADIUS Client page, enter the following:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client (NPS server).
    3. Make / Model: Select Standard Radius from the drop-down list.
    4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server. This is the same shared secret that will be used in Microsoft NPS configuration.
  5. Click Save & Create Associated RSA Agent.
  6. On the Add New Authentication Agent page, click Save, and then confirm by clicking Yes, Save Agent.

Notes

  • RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.
  • The relationship of the agent host record to the RADIUS client in the Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

Configure Microsoft NPS

Perform these steps to configure Microsoft NPS as a RADIUS client to RSA Authentication Manager and to configure the Connection Request Policy in NPS.

Procedure

  1. In Server Manager, click Tools, and then click Network Policy Server to open the NPS console.
  2. In the left pane, expand the RADIUS Clients and Servers folder, right-click Remote RADIUS Server Groups, and click New.
  3. On the New Remote RADIUS Server Group dialog box:
    1. In the Group name field, enter a name for the remote RADIUS server group.
    2. Under RADIUS Servers, click Add.
  4. On the Add RADIUS Server dialog box, enter the IP address or FQDN of the primary RSA Authentication Manager RADIUS server, and click Verify if an FQDN is used.
  5. Click the Authentication/Accounting tab.
  6. For Shared secret and Confirm shared secret, enter the same shared secret used when adding the RADIUS client in RSA Authentication Manager.
  7. Click the Load Balancing tab.
  8. Increase the timeout value for Number of seconds without response before request is considered dropped to 10 seconds and click OK.

    Note: The default value of 3 seconds for Number of seconds without response before request is considered dropped might be insufficient and users might experience authentication issues. The Windows Security Event log records the authentication failure with Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond and Reason Code: 117. Increase the timeout value appropriately to resolve this issue.
  9. In the left pane, expand Policies, right-click Connection Request Policy, and click New.
  10. Enter a name for Policy name and select the access server type of your deployment in the Type of network access server drop-down list.
  11. Click Next.
  12. Click Add to specify a new condition to the policy.
  13. Select User Name for the condition and click Add.

  14. Depending on the format of your user login names, enter the common element of the Username (for example, a pattern that matches the e-mail domain). This signals to Microsoft NPS that usernames matching this pattern match the policy, so these requests are sent to the RSA RADIUS Server for authentication.
  15. Click OK.
  16. Click Next.
  17. In Settings, under Authentication:
    1. Choose the Forward requests to the following remote RADIUS server group for authentication option.
    2. Select the RADIUS server group configured earlier in the drop-down list.
  18. Click Next. For any request that triggers the policy, the RADIUS request will be forwarded to the RSA RADIUS Server.
  19. Select Username in the Attribute drop-down list and click Add.
  20. For the Attribute Manipulation Rule, enter the common element of the Username in the Find field and leave the Replace with field blank.
  21. Click OK and then click Next.

    Note: This step is necessary because NPS edits the username and sends it to RSA in the accepted format. For example, during authentication the end user enters "username@example.com", but only "username" is passed to the RSA RADIUS Server.
  22. Click Finish.
  23. In the main pane of Microsoft NPS, expand RADIUS Clients and Servers, right-click RADIUS Clients, and click New.
  24. On the New RADIUS Client screen:
    1. In the Friendly name field, enter a display name for the RADIUS client.
    2. For Address (IP or DNS), enter the IP address of the client (Network Access Server).
    3. For Shared secret and Confirm shared secret, enter the same shared secret used for adding RADIUS client in the RSA Authentication Manager or RSA Cloud Administration Console.
    4. Click OK.
      This RADIUS Client will send the request to NPS that will be later proxied by NPS to RSA RADIUS server for authentication. 
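The following is an added example (not part of this RSA guide, nor RSA or Microsoft code) that models the pieces the two procedures above rely on: the shared-secret rule from the Notes, the NPS Find/Replace username manipulation, and why a mismatched secret breaks authentication, since RFC 2865 hides the User-Password with an MD5 keystream derived from that secret. The password, secret and Find pattern are constructed sample values; `send_request` is a hypothetical helper whose None result stands in for the "no response" failure (reason code 117) the note on step 8 describes.

```python
import hashlib
import os
import re
import socket
import struct

def validate_shared_secret(secret: str) -> bool:
    """RSA AM rule from the guide: alphanumeric, 1-31 characters, case-sensitive."""
    return re.fullmatch(r"[A-Za-z0-9]{1,31}", secret) is not None

def apply_username_rule(username: str, find: str, replace: str = "") -> str:
    """NPS attribute manipulation rule: regex in Find, blank Replace-with strips the match."""
    return re.sub(find, replace, username)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR with an MD5 keystream."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; a mismatched secret yields garbage, so both sides must agree."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def build_access_request(username, password, secret, ident=1, authenticator=b""):
    """Access-Request (code 1) with User-Name (type 1) and hidden User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = b""
    for atype, value in ((1, username.encode()),
                         (2, pap_hide(password.encode(), secret.encode(), authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def send_request(packet, host, port=1812, timeout=10.0):
    """UDP 1812 (or 1645) per the guide; None models NPS reason code 117 (no response)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

A practical use is to run `validate_shared_secret` and `apply_username_rule` against the values you intend to type into both consoles before saving, so that a rejected secret or a Find pattern that leaves the domain in place is caught before the first failed logon.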

The configuration is complete.
