Using Windows Network Policy Server for RADIUS client access

The following walkthrough uses Windows Server 2012 as the example.

Install and activate the RADIUS server

From Server Manager choose "Add Roles and Features", then "Role-based or feature-based installation". Select the "Network Policy and Access Services" role, accept the additional features it requires, click Next through the remaining pages and then "Install".

Once the installation has completed, open the Network Policy Server (NPS) console. First, register NPS in your domain so that it can read user accounts and group membership: right-click the NPS node and choose "Register server in Active Directory".

Add a new RADIUS client

The next step is to add your monitoring unit as a RADIUS client. Expand "RADIUS Clients and Servers", right-click "RADIUS Clients" and choose "New". Enter a friendly name for the monitoring unit, its IP address and a shared secret. The same shared secret must be configured on the unit (see Access via a RADIUS server); it is the only thing that authenticates the unit to NPS and protects the password attribute on the wire, so use a long random value rather than a short word.

Creating Access Groups in a Domain

Open "Active Directory Users and Computers". Select your domain, right-click it, choose "New" and then "Group". This group will later be used to grant users access to the monitoring unit.

Add a new user, "user_rad_100", in the same way: right-click, choose "New" and then "User". On the user's "Dial-in" tab set "Network Access Permission" to "Control access through NPS Network Policy", so that the network policy created below decides whether the user is admitted. Add this user to the group created above.

Set the user's password (or reset it by right-clicking the user and selecting "Reset Password..."). Note that the monitoring unit does not forward the password a user types at its login prompt; it sends the hexadecimal SHA-1 digest of that password as the RADIUS password, so the Active Directory account must be given the digest, not the plain text. For example, for the login password "guest" the account password must be set to 35675e68f4b5af7b995d9205ad0fc43842f16450 (without quotes). Such a 40-character lowercase hex string contains only two character classes, so a default domain password complexity policy will reject it; relax the policy for these accounts (for example with a fine-grained password policy) if that happens.
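To make the password handling concrete, here is an added example (written for this page, not code from Vutlan or from NPS) that reproduces what crosses the wire between the unit and NPS: the SHA-1 digest that the AD account must hold, and the RFC 2865 PAP password hiding that is the only protection the digest gets in transit. The shared secret, NAS address, username and authenticator are constructed values and are marked as such.

```python
import hashlib
import os
import struct

# All values below are constructed for this example; they are not from the vendor documentation.
SHARED_SECRET = b"Xk9#vQ2p!mR7tL4wZ8bN"   # must equal the secret entered for the NPS RADIUS client
NAS_IP = "192.0.2.10"                     # assumed address of the monitoring unit

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def sha1_password(plaintext: str) -> str:
    """The string the AD account password must be set to for a given unit login password."""
    return hashlib.sha1(plaintext.encode("utf-8")).hexdigest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as performed by the RADIUS server; strips the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, login_password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request as the unit sends it: PAP, with the SHA-1 digest as the password."""
    authenticator = authenticator or os.urandom(16)
    digest = sha1_password(login_password).encode("ascii")
    attrs = (attribute(ATTR_USER_NAME, username.encode("utf-8"))
             + attribute(ATTR_USER_PASSWORD, pap_hide(digest, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list of a RADIUS packet into {type: [value, ...]}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def server_side_password(packet: bytes, secret: bytes) -> str:
    """What NPS recovers and compares against the AD password; garbage if the secret differs."""
    authenticator = packet[4:20]
    hidden = parse_attributes(packet)[ATTR_USER_PASSWORD][0]
    return pap_reveal(hidden, secret, authenticator).decode("ascii", "replace")


if __name__ == "__main__":
    request = build_access_request("user_rad_100", "guest", SHARED_SECRET, identifier=7)
    print("AD password to set:", sha1_password("guest"))
    print("NPS recovers      :", server_side_password(request, SHARED_SECRET))
```

Two things follow from running it. The digest, not the typed password, is what NPS compares against the AD account, so the digest is the password equivalent for that account and must be treated as such. And the hiding is an MD5 keystream derived from the shared secret and a per-request authenticator, so a weak or guessable shared secret lets anyone who captures the traffic recover the digest.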

Create a new Network Policy

A network policy ties the RADIUS client record and the domain security group created above together and grants access to the monitoring unit. Open the Network Policy Server console, expand "Policies", right-click "Network Policies" and click "New". Set the policy name and, under access permission, select "Grant access".

On the "Conditions" tab, add the conditions under which this policy applies. Add a group condition containing the group of all users that should be allowed to use the service; without a condition the policy would match every request NPS receives.

Next, configure "Authentication Methods". Clear all other methods and enable only "Unencrypted authentication (PAP, SPAP)", which is what the unit uses. With PAP the password attribute is protected only by the RFC 2865 MD5-based hiding keyed on the shared secret, so keep the RADIUS traffic on a management network and use a strong shared secret.

At the "Configure Settings" step, in the "Standard" RADIUS attributes section, delete the attributes that are present by default (Framed-Protocol and Service-Type). Then open the "Vendor Specific" section, click "Add...", choose "Custom" as the vendor, select the "Vendor-Specific" attribute and click "Add...".

In "Attribute Information" click "Add...". Enter the vendor code (39052 for Vutlan devices), choose the RFC-conformant attribute format, and then enter each attribute by its vendor-assigned number with format "String" and the value from the table below.

Each attribute has a name and a number. Because NPS has no dictionary for the monitoring unit, the attributes must be entered by number, as listed in the table below.

Attributes

Name    Number  Format  Value
SRead   10      string  "all" or list of permissions
SWrite  11      string  "all" or list of permissions
CRead   12      string  "all"
CWrite  13      string  "all"
GRead   14      string  "all" or list of group IDs
GWrite  15      string  "all" or list of group IDs

Each user profile in the system can have access to system resources in "read-only" or "read-write" mode.

Each resource in the system is identified by an access ID.

Access control is carried out by means of lists. A list is a text string consisting of access IDs separated by commas.

Accordingly, a user profile holds two kinds of list: a read-access list and a write-access list (write access includes read access).
The system uses three pairs of permission lists:

1) Server permission lists:

  • SRead — read access list;

  • SWrite — write access list;

The list of identifiers of server resources:

  • accesskeys — management of iButton access keys and other compatible;

  • cameras — management of video cameras;

  • canbus — management of CAN bus;

  • devvirt — management of virtual devices (timers, PINGs, triggers);

  • elements — management of elements;

  • groups — group management;

  • gsm — management of GSM-modem;

  • languages — management of installed localization files;

  • log — management of system log;

  • logics — management of logic schemes;

  • modules — management of modules;

  • notify — management of notifications (mail, trap, SMS);

  • relays — Relay management (global functions);

  • sdcard — SD card management;

  • system — runtime management (the Linux OS);

  • users — user management;

  • view — control the appearance of the web interface.

Do not include the "users" identifier in the lists of a RADIUS user, otherwise a user without administrative rights could see the records of other users. A user logged in through the RADIUS server cannot in any case edit or delete the user accounts stored in the monitoring unit's internal memory.

2) Client permission lists (web interface):

  • CRead — read access list;

  • CWrite — write access list;

The list of client (web interface) resource identifiers is formed and used solely by the web interface according to its own logical organisation. It is currently not used and should be set to "all," (with the trailing comma).

3) Permission lists for groups of objects:

  • GRead — a list of IDs of groups with read-only access;

  • GWrite — a list of IDs of groups with read-write access;

Group permission lists consist of group IDs (positive integers) and are intended to limit the client's (web interface's) access to the objects in those groups.

All lists share the same format, identifiers separated by commas, and recognise two control words:

  • all — access to every identifier; in the server lists this amounts to full administrative access;

  • none — access is completely forbidden.

By default there are no groups in the system, so elements and modules belong to no group and can only be reached with the "all" right.
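The following added example (written for this page, not code from Vutlan or from NPS) encodes the six lists as RFC 2865 Vendor-Specific attributes under vendor 39052 with the numbers from the table, decodes them back out of an Access-Accept attribute blob, and evaluates the list semantics described above: "all", "none", comma-separated identifiers, write implying read, and the warning about the "users" resource. The two profiles (an administrator and a restricted operator) are constructed for the example.

```python
import struct

VUTLAN_VENDOR_ID = 39052          # vendor code given above
ATTR_VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type

# Vendor attribute numbers from the table above; the names are the unit's list names.
VSA_NUMBERS = {"SRead": 10, "SWrite": 11, "CRead": 12, "CWrite": 13, "GRead": 14, "GWrite": 15}
VSA_NAMES = {number: name for name, number in VSA_NUMBERS.items()}

# Two constructed profiles (not from the page): the administrator from the walkthrough and a
# restricted operator who may read the log and the view settings and work on group 2 only.
ADMIN = {"SRead": "all", "SWrite": "all", "CRead": "all", "CWrite": "all",
         "GRead": "all", "GWrite": "all"}
OPERATOR = {"SRead": "log,view,users", "SWrite": "none", "CRead": "all,", "CWrite": "all,",
            "GRead": "1,2", "GWrite": "2"}


def encode_vsa(name: str, value: str) -> bytes:
    """Type 26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | string value."""
    data = value.encode("ascii")
    inner = struct.pack("!BB", VSA_NUMBERS[name], len(data) + 2) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(inner) + 6, VUTLAN_VENDOR_ID) + inner


def accept_attributes(profile: dict) -> bytes:
    """The attribute section of the Access-Accept NPS sends for a profile."""
    return b"".join(encode_vsa(name, value) for name, value in profile.items())


def decode_vsas(attrs: bytes) -> dict:
    """Extract the six Vutlan lists from an attribute blob; other vendors and types are skipped."""
    lists, pos = {}, 0
    while pos < len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if attr_type == ATTR_VENDOR_SPECIFIC and length >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if vendor == VUTLAN_VENDOR_ID and vtype in VSA_NAMES:
                lists[VSA_NAMES[vtype]] = attrs[pos + 8:pos + 6 + vlen].decode("ascii")
        pos += length
    return lists


def parse_list(value: str):
    """Return "all", "none" or the set of identifiers; a trailing comma ("all,") is tolerated."""
    items = {item.strip() for item in value.split(",") if item.strip()}
    if "all" in items:
        return "all"
    if not items or "none" in items:
        return "none"
    return items


def permits(value: str, ident) -> bool:
    parsed = parse_list(value)
    if parsed == "all":
        return True
    if parsed == "none":
        return False
    return str(ident) in parsed


def can_write(lists: dict, kind: str, ident) -> bool:
    """kind is "S" (server resource), "C" (client resource) or "G" (object group ID)."""
    return permits(lists.get(kind + "Write", "none"), ident)


def can_read(lists: dict, kind: str, ident) -> bool:
    """Write access includes read access, so either list may grant a read."""
    return permits(lists.get(kind + "Read", "none"), ident) or can_write(lists, kind, ident)


def check_profile(lists: dict) -> list:
    """Flag the mistake warned about above: a non-admin list that names the "users" resource."""
    warnings = []
    for name in ("SRead", "SWrite"):
        parsed = parse_list(lists.get(name, "none"))
        if isinstance(parsed, set) and "users" in parsed:
            warnings.append(f"{name} grants 'users': a non-admin RADIUS login could see other accounts")
    return warnings
```

A missing list is treated as "none" here, which is the safe default when a policy forgets one of the six attributes; check_profile catches the OPERATOR profile's mistake of listing "users" in SRead before the policy goes live.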

With all six attributes entered, the policy is complete. In this example every member of the "RADIUS group" has full administrator rights on the monitoring unit.