2

Is it possible to use NPS RADIUS as an intermediary between an application that only supports RADIUS authentication and an active directory server which is used for authentication across the network?

I feel like all the settings are very much directed towards network authentication, am I misunderstanding the concept of RADIUS? I also can't find any hint of Active Directory / LDAP in the NPS settings.

If it's not possible, would there be any other way on a Windows server to achieve the described behaviour?


Edit: I forgot to mention - The application only supports PAP authentication, so that is necessary.


Another edit: I have used and configured (in another application) LDAP authentication. The more I research, the more I get the feeling that RADIUS is not meant to be used how I imagine it. I feel like RADIUS is more network-based as in it controls network access, while LDAP is rather used for in-network user authentication, could that be?

RikuXan
  • What have you tried? Where did it fail? By default NPS RADIUS uses AD, so I'm not sure where you're having a problem. – MDMarra Jan 27 '14 at 13:47
  • My biggest problem is that I'm having a hard time filling in the data it asks from me. For example I have no idea what I would set as RADIUS clients, since there is no special networking equipment between server and client that I know of. Then again, I'm not even sure what "type" of RADIUS server I should choose, VPN or dial-up don't seem right to me, wireless neither and wired doesn't seem to be what I think it is. Also, I can't find PAP authentication anywhere, but I need it for the application. – RikuXan Jan 27 '14 at 14:35
  • If the application is RADIUS aware, then the application would be the RADIUS client. You'll likely have to define custom [connection request policies](http://technet.microsoft.com/en-us/library/cc753603(v=ws.10).aspx). You are **sure** that your application supports a RADIUS backend right? Shouldn't it have these things documented? – MDMarra Jan 27 '14 at 14:39
  • I'm confused, because when configuring RADIUS clients in NPS it says quote "RADIUS clients are network access server, such as authenticating switches. RADIUS clients are not client computers.". Now are these simply two different definitions of "client" or is there more to it? As for the application, it lets me define a RADIUS server address, port and shared secret. I do think that it supports RADIUS, would be strange otherwise. – RikuXan Jan 27 '14 at 14:43
  • Individual applications typically don't support RADIUS - thus the wording that you've mentioned. In this case, your application is indeed the RADIUS client. – MDMarra Jan 27 '14 at 15:05
  • What in the *hell* are you actually trying to do here, and to what application? I'm getting a headache reading your post... it's like hearing someone ask how to get a coconut into the vein in their arm. Just lay out what you're trying to do, and why, and maybe someone can direct you to a better way to do it... you know, before you run out coconuts, or bash your arm off and bleed out. – HopelessN00b Jan 27 '14 at 16:26
  • I feared I would do a bad job at explaining that, let me try again. I have a firewall configuration software with a built-in user-role model that supports RADIUS authentication for those users. I also have a big company-wide AD that is used for authentication for all kinds of services. I do not have a RADIUS server that is used for user authentication. I want to set up a RADIUS server that allows me to log into the firewall configuration application with the credentials stored in my AD, but through a RADIUS server (since the application only supports RADIUS). I hope I could make it clearer. – RikuXan Jan 28 '14 at 08:03

2 Answers

4

I think you need some background on the RADIUS (Remote Authentication Dial In User Service) protocol to understand its role in authentication.

RADIUS was originally developed and deployed to authenticate (and authorize and account user access-- features I'm not going to talk about here) users dialing-in to modem pools. Envision a pool of modems accepting incoming calls and a database containing credentials of users authorized to dial-in. RADIUS is the protocol that allowed the hardware running the modem pool to offload authentication requests to a server, thus freeing-up the modem pool hardware from having to have any "knowledge" of credentials (and authentication policy, etc).

The mechanics of the protocol involve the RADIUS server (that is, the server that performs the allowed/denied authentication of the user) receiving requests from the RADIUS client (that is, the modem pool hardware receiving an incoming call) on behalf of the user dialing-in.

The RADIUS protocol is reasonably general, and has been adapted for use in 802.1x and other protocols requiring authentication. That's why you're seeing a lot of references to "network authentication". Nonetheless, RADIUS being a general protocol you could very well have an application that supports authenticating users via the RADIUS protocol. In that case, the application is the RADIUS client. The RADIUS server (the Windows NPS service) will need to be told the IP address that the application will be sending its RADIUS requests from as the RADIUS client IP address.

The RADIUS protocol requires a shared secret value (called the Authenticator) to validate that incoming requests really are coming from an authorized client (and not just some attacker trying to use the RADIUS server to brute-force passwords). Likewise, the authenticator is used by RADIUS clients to validate that responses are really coming from the RADIUS server (and not an attacker spoofing the server's identity). You will also need to configure this value.

You will need to configure the Windows NPS service with a policy to support the required authentication protocol (PAP, as you state) that the application requires. The Windows NPS service doesn't have any configuration relating to "LDAP" because it uses Windows' built-in authentication APIs, which back-end to Active Directory. Basically, you get authentication against Active Directory "for free" by using the Windows NPS service.

Be sure to check out the Wikipedia article on RADIUS for more in-depth information about the protocol, and Microsoft's documentation for the NPS service for background on configuring the Windows Server side.

Edit:

Here's the feeling I'm getting.

I found this Siemens "Security Module" documentation that describes configuration of RADIUS authentication for some of their "security integrated" Ethernet products. These things look like little firewalls, with IPSEC, NAT, etc.

I suspect that the "Security Configuration Tool" is used to configure the "security modules". To upload configurations to the security module (and, no doubt, to perform other administrative activities) a user would need to authenticate to the security module. This is where the RADIUS configuration appears to come in.

The diagram on page 80 of that document looks like exactly what I'd expect-- user authentication to the security module is forwarded to the RADIUS server, which returns an allow/deny decision to the security module. The client computer isn't involved in the RADIUS portion of the authentication at all.

It looks fairly straightforward, albeit I say that having had a lot of experience using RADIUS. Insofar as the particulars of using the Microsoft NPS RADIUS server (and your query re: "...dial-up, VPN, Wireless and Wired...") all I can say is that I'd eschew using an "Wizard" to configure the NPS service and walk thru the configuration manually. Again, having had a lot of experience with RADIUS this just looks like an exercise in trial-and-error to me, but it's probably going to be a bit more daunting to you. I definitely can't give you a click-for-click "recipe" because I don't have one of these devices available to me (though I'd love to see one-- it looks like it would be fun to do a security assessment of them).

Evan Anderson
  • Thank you very much for your answer, you solidified my notion that RADIUS is not really meant to do what I want to. Nonetheless, if I really wanted to (gotta check if there are maybe any other options) would it be possible to configure NPS correctly? The problems I'm still having are: 1. I don't know what client addresses will connect to the RADIUS server as the application will run on a user's PC, not a server, so I would have to be able to set a wildcard for clients, right? I actually don't even want to restrict client access, but I guess I have to. – RikuXan Jan 28 '14 at 08:12
  • 2. Which type of authentication to use? There is dial-up, VPN, Wireless and Wired in NPS. I would guess that Wired makes the most sense since everything happens over a wired connection but I still have a feeling that it's rather meant for authentication via switches and network equipment that support RADIUS. So basically I would have to find out, what type of RADIUS authentication my application is using would that be right? Are there maybe more types like a "User Authentication only" mode that is just not possible to choose in NPS? Or are all modes the same thing and should all work? – RikuXan Jan 28 '14 at 08:17
  • Getting some details on the specific firewall configuration software you're talking about (which you mentioned in another comment response) would help out. I strongly suspect, if this is anything like similar software I've worked with, that the firewall device itself will be the RADIUS client, not the individual computers that are running the configuration software. The architecture of those kind of applications is typically such that the client software forwards authentication requests to the device being configured, which can then forward those requests to a RADIUS server. – Evan Anderson Jan 28 '14 at 16:27
  • The software is Siemens Security Configuration Tool (SCT), but I'm quite sure that the authentication is indeed for the SCT project file itself since there are predefined roles for it, namely "administrator (radius)" and "standard (radius)". The "firewalls" aren't actually big ones like Cisco etc. but single-device firewalls with one input and output port and I'm pretty sure they don't support RADIUS (especially since the functionality was added in a SCT update without any firmware update whatsoever, also the firewalls aren't advertised as supporting RADIUS). – RikuXan Jan 28 '14 at 17:18
  • Siemens has the worst software on the planet. – MDMarra Jan 28 '14 at 17:58
  • 1
    @MDMarra: You don't use any Sage software, do you? – Evan Anderson Jan 28 '14 at 18:01
  • @EvanAnderson I don't, but Siemens had a HVAC program that is dependent on the server's version of IE, because it pre-renders all of the pages in IE and serves them from some crazy on-disk cache and their code only works with IE8 (or did at the time 2-3 years ago). It's so bad, that many places create a separate VLAN with minimal routing to/from and require employees from physical facilities to VPN into that subnet (even from on-site) to access it. – MDMarra Jan 28 '14 at 18:03
  • In fact, that software failed and caused smoke to pour out of some vents during an open house once :D – MDMarra Jan 28 '14 at 18:04
  • @MDMarra - I can't speak to the IE silliness (on that front, though, you should look at Rockwell and their dependence on DDE-- they might have Siemens beat from a "reliance on old technology" perspective in the SCADA space). I can definitely say that idiotic security is par for the course in the SCADA industry. Except for the last few years SCADA companies seem to think that corporate networks are some kind of fantasy "candy land" where only good intentions exist and there are no malicious actors "behind the firewall". >sigh< (The smoky open house story is pretty cool! Heh heh...) – Evan Anderson Jan 28 '14 at 18:17
  • I finally got the chance to ask a guy at Siemens and he confirmed what you said. The RADIUS login is not for the project file, but rather for accessing the web configuration interface of an already configured Scalance. I want to thank you for all the research you did, you put way more effort into this than I ever could expect and hope. – RikuXan Feb 10 '14 at 18:55
  • @RikuXan - Glad I could help out! – Evan Anderson Feb 10 '14 at 23:32
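The exchange the answer above describes (RADIUS client sends an Access-Request, server decides allow/deny, shared secret binds the two), worked through as an added example that is not part of the original answer, of NPS, or of any Siemens product. It follows RFC 2865 for PAP: the client hides the password with MD5(secret + Request Authenticator), the server recovers it with the same secret, and the server's Access-Accept/Reject carries a Response Authenticator the client checks before trusting the reply. The user store, secret, user name and NAS address are all constructed for the example; the `server_handle` function stands in for what NPS does before it hands the credential to Active Directory.

```python
"""RFC 2865 RADIUS PAP round trip: a RADIUS client (the application) builds an
Access-Request, a RADIUS server (NPS's role) checks it against a user store,
and the client verifies the reply's Response Authenticator. All names,
secrets and users below are constructed for this example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the directory NPS would consult; not Active Directory.
USER_STORE = {"alice": b"correct horse battery staple"}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous cipher block), the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NULs are padding and are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = struct.unpack("!BB", data[i:i + 2])
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(username, password, secret, ident, nas_ip=b"\x0a\x00\x00\x05"):
    """Client side: Access-Request carrying a PAP (User-Password) credential."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, nas_ip),  # constructed address, 10.0.0.5
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_handle(packet, secret, user_store=USER_STORE):
    """Server side: recover the PAP password with the shared secret, check the
    user store (NPS would ask AD here) and sign the reply with the same secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_store and hmac.compare_digest(password, user_store[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, b"", request_auth, secret))

def client_verify(reply, request, secret):
    """Client side: accept the reply only if its Response Authenticator matches,
    i.e. it answers this request and was produced with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or length < 20 or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def run_exchange(username, password, client_secret, server_secret, ident=7):
    """One round trip; returns the verified reply code, or None if verification fails."""
    request = build_access_request(username, password, client_secret, ident)
    reply = server_handle(request, server_secret)
    return client_verify(reply, request, client_secret)

if __name__ == "__main__":
    S = b"example-shared-secret"  # constructed; configured on both sides in reality
    print(run_exchange("alice", b"correct horse battery staple", S, S))   # 2 (Access-Accept)
    print(run_exchange("alice", b"wrong password", S, S))                 # 3 (Access-Reject)
    print(run_exchange("alice", b"correct horse battery staple", S, b"other-secret"))  # None
```

Two things the third case makes visible. A client with the wrong secret does not get an "authentication failure" from the secret itself: in base RFC 2865 an Access-Request is not signed, so the server simply recovers garbage for the password and rejects it, and the client then cannot verify the reply. The per-request check of the client that RFC 2869's Message-Authenticator (HMAC-MD5 over the packet with the secret) provides is optional for PAP, which is why NPS additionally restricts which source addresses it accepts as RADIUS clients. The MD5-based password hiding is also the only protection the password has on the wire, so PAP over RADIUS belongs on a network path you control or inside IPsec.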
0

I'm looking at the same issue but for WatchGuard PPTP/L2TP integration with AD. Although they have built-in AD support, it cannot be used together with AD, only their built-in user DB or RADIUS. The following describes how to set up FreeRADIUS to query AD.

Check out http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

user2625709
  • How to configure a Watchguard PPTP MUVPN to authenticate against Active Directory, using Windows Server's RADIUS features - http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/authentication/radius_a-d_mvpn_l2tp-pptp_c.html – TessellatingHeckler Jul 15 '14 at 19:41