Using Windows Network Policy Server for RADIUS client access

Let's show it on the example of Windows Server 2012.

Install and activate the RADIUS server

From the Server Manager right-click and choose "Add Role and Features". Choose "Role-based or feature-based installation". Select "Network Policy and Access Services" and add features, and click next followed by "Install".

Once the installation is completed, open the Network Policy Server (NPS) console. First, you need to register the NPS with your domain. Right-click NPS and choose "Register server in Active Directory".

Add a new RADIUS client

The next step is to add your monitoring unit as a RADIUS client. Expand "Radius Clients and Servers" and right-click "RADIUS Clients" followed by "New". Set a friendly name for your monitoring unit, IP address, and shared secret key. This shared secret needs to be identical on your unit, see Access via a Radius server.


Creating Access Groups in a Domain

Open the "Active Directory Users and Computers". Select your domain, right-click followed by "New" and choose "Group". This group will be further used to allow users access to the monitoring unit.

Add a new user, "user_rad_100", in the same way, right-click followed by "New" and choose "User". In the "Dial-in" tab set "Network Access Permission" to "Control access through NPS Network Policy". Add this user to a previously created group.

Set user password (or reset it by right click and select "Reset Password..."), which is SHA-1 hash code entered by a user with plain text password. For example, for the password "guest" it will be "35675e68f4b5af7b995d9205ad0fc43842f16450" (without quotes).

Create a new Network Policy

Using access policies, we will connect previously created RADIUS client records and domain security groups to access monitoring units. Open the Network Policy Server Console. Expand "Policies", right-click "Network Policies" and click "New". Set policy name and select access permission as "Grant access".

In the next tab, "Conditions", we need to add the conditions under which this RADIUS policy will be applied. Add a group that contains all users that should be allowed to use the service.

In the next step, configure "Authentication Methods". Disable all authentication methods and enable the "Unencrypted authentication (PAP, SPAP)" method.

At the configuration settings step "Configure Settings", in the settings section of the standard RADIUS attributes, delete the attributes that are available by default. Select the "Vendor Specific" attributes section. Specify vendor as "Custom", select the "Vendor-Specific" attribute, and click "Add...".

In "Attribute Information" click "Add...". Enter the vendor code (for the Vutlan device is 39052) and configure the attributes by attribute number.

Each attribute has a name and an identifier number. Because the server does not have a dictionary for monitoring units, then attributes must be specified through a number as indicated in the table below.

Attributes
Name             Number        Format        Value
SRead            10            string        "all" or list of permission
SWrite           11            string        "all" or list of permission
CRead            12            string        "all"
CWrite           13            string        "all"
GRead            14            string        "all" or list of group ID
GWrite           15            string        "all" or list of group ID

Each user profile in the system can have access to system resources in a "read-only" or "read-write" modes.

Each resource in the system is compared with its corresponding access ID.

Access control is carried out by means of lists. The list is a text string, which consists of access IDs  separated by commas.

Accordingly, in the user profile, there are two types of lists: lists for read access and for write access  (both recording and reading).
The system allows three types of permission lists :

1) Server permission lists:

  • SRead — read access list;
  • SWrite — write access list;

The list of identifiers of server resources:

  • accesskeys — management of iButton access keys and other compatible;
  • cameras — management of video cameras;
  • canbus — management of CAN bus;
  • devvirt — management of virtual devices (timers, PINGs, triggers);
  • elements — management of elements;
  • groups — group management;
  • gsm — management of GSM-modem;
  • languages — management of installed localization files;
  • log — management of system log;
  • logics — management of logic schemes;
  • modules — management of modules;
  • notify — management of notifications (mail, trap, SMS);
  • relays — Relay management (global functions);
  • sdcard — SD card management;
  • system — runtime management (OC Linux);
  • users — user management;
  • view — control the appearance of web interface.

Do not specify identificator users, otherwise a user without administrative rights may see the  records of other users . In addition, the user is logged in through the RADIUS server, can not edit or delete user accounts stored in the internal memory of the monitoring device.

2) Client permission lists (web interface):

  • CRead — read access list;
  • CWrite — write access list;

The list of resource identifiers of the client (Web Interface) is formed and is used solely by the client (by web-interface) under it's logical organization. Now it is not used and should be listed as "all,".

3) Lists of permits for groups of objects:

  • GRead — a list of identifiers of groups with read-only access;
  • GWrite — a list of identifiers of groups with write-only access;

Lists of permissions for groups consist of group IDs (a positive integer) and are intended to limit the client (web interface) access to the group objects.

The format of these lists - identifiers separated by commas, in this case there are special control words:

  • all — full access to all identifiers implies full administrative access;

  • none — access is completely forbidden.

By default, there are no groups in the system, elements and modules are not in groups, and access to them is possible only with the rights of "all".


After specifying all the attributes you will get this result. In this example, all users in the "RADIUS group" have full administrator rights on the monitoring unit.