
Configuring Windows Server 2008 as a RADIUS Server for VPN routers (Cisco, Draytek...)

Thursday, 12 January 2012 23:02 | 0 comments

Benefits

Some VPN routers (for example Draytek V27xx, V29xx, V33xx or Cisco ASA 5510, 18xx, 28xx, 38xx...) let you create user profiles directly on the router, but this has drawbacks: the number of users is limited (typically around 30-100), and above all it is inconvenient for users, who have to remember several passwords (one for the VPN server, one for AD...). With RADIUS authentication, users can use their existing AD password to connect remotely and log in to the VPN server on the router. Moreover, once the RADIUS server has authenticated them, users can immediately reach resources on the internal network such as shared folders and printers without logging in again. The network administrator can track and audit each user's activity through the RADIUS server's log (text file or MS SQL). A RADIUS server can also provide user authentication for other kinds of Network Access Server (NAS), such as Remote Desktop Gateway (authenticating users who connect to computers remotely) or a DHCP server (assigning IP addresses based on user authentication).

Keep in mind that the RADIUS server only answers the question "may this user connect?"; what a connected user can reach is still decided by the router. Restrict VPN access to a dedicated group (the VPN Users group used below) rather than to every domain account.

Deployment

In this guide we use Windows Server 2008 R2 as the RADIUS server for a Draytek V29xx or Cisco ASA 5510 VPN router. The procedure for other routers is very similar.

Router IP address: 192.168.1.1
RADIUS server IP address: 192.168.1.2
VPN Users: the domain group (Domain Users or another Windows group) whose members are allowed to use the VPN.

Configuration on the VPN router

1. Draytek 29xx: in the Applications menu choose RADIUS, enter the LAN IP address of the RADIUS server and the Shared Secret. Repeat the secret in Confirm Shared Secret and click OK (figure below).

2. Cisco ASA 5510: open the Configuration menu.

Create an IP Name object for the RADIUS server:
1. In the Firewall section, click the Objects link and choose IP Names.
2. Click the Add button at the top.
3. Enter a name, the IP address and a description for the RADIUS server. For example: Name: RADIUS; IP: 192.168.1.2; Description: AD / RADIUS.
4. Click OK and then Apply.

Create a new AAA Server Group:
1. Open the Remote Access VPN section.
2. Choose AAA Setup and then AAA Server Groups.
3. Click the Add button to the right of the AAA Server Groups pane.
4. Name the group (for example TEST) and choose the RADIUS protocol. Leave the other settings at their defaults.
5. Click OK.

Add the RADIUS server to the new server group:
1. Select the server group you just created.
2. Click the Add button to the right of Servers in Selected Group.
3. In Interface Name choose the ASA interface through which the RADIUS server is reached, here "inside".
4. In Server Name or IP Address enter the IP Name you created for the RADIUS server in the first step.
5. In Server Secret Key enter a complex password (length and allowed characters must follow the router's documentation). Remember this value: you will enter it again when configuring the RADIUS server. The Common Password field is not a confirmation of this secret; the ASA sends it as the password in authorization-only RADIUS requests, so it can be left empty for authentication.
6. Leave the other settings at their defaults. Click OK.

Note: in our experience, although the router documentation does not say so, the shared secret should be no longer than 32 characters and should contain only letters and digits (alphanumeric). The 66-character secret that Windows generates automatically does not work with some routers. Within that limit, make it random: the secret is the only thing that stops another host on the LAN from submitting RADIUS requests in the router's name, and with PAP it is also what hides the user's password between router and server. You also no longer need to create user profiles on the router, since authentication is now handled by the RADIUS server.

Configuring RADIUS on Windows Server 2008 R2

Step 1: Add the NPS server role

1. Start Server Manager. Select Roles and click Add Roles on the right. Click Next.
2. Select the Network Policy and Access Services role. Click Next.
3. Select Network Policy Server (figure on the right). Click Next.
4. Click Install. After the role has been installed, configure it with the Network Policy Server (NPS) console in the Administrative Tools menu.

Step 2: Register the server in AD

1. In the NPS console, right-click NPS (Local) and choose Register Server in Active Directory.
2. Follow the wizard and accept the default settings. See the figure on the right.

Note: you need Domain Admins rights for this step. Registration adds the server's computer account to the RAS and IAS Servers group, which is what allows NPS to read users' account and dial-in properties in AD.

Step 3: Create a RADIUS client for the router

1. Click + to expand RADIUS Clients and Servers.
2. Right-click RADIUS Clients and choose New RADIUS Client.
3. Give the router a Friendly Name, for example "CiscoASA" or "V2950". Choose a name that is unique, memorable and simple, because you will refer to it when creating the policies in the following steps.
4. In Address, enter the router's LAN address (192.168.1.1 in this example). NPS silently discards RADIUS requests that arrive from any other source address.
5. Enter the password (Server Secret Key, Pre-Shared Key, PassKey...) that you set on the router and repeat it in Confirm shared secret.
6. Leave the other settings at their defaults. Click OK to finish creating the RADIUS client (figure below).

Step 4: Create a Connection Request Policy

A Connection Request Policy tells the RADIUS server which authentication requests it accepts, from where, and with which parameters. You can create several Connection Request Policies for different authentication purposes.

1. Click + to expand Policies.
2. Right-click Connection Request Policies and choose New.
3. Give the policy a name that relates to the router you registered as a RADIUS client, for example CiscoASA or V2950. For Type of network access server choose Unspecified and click Next.
4. On the Conditions page click Add. Select the condition Client Friendly Name, click Add and enter the name you gave in item 3 of step 3, for example V2950. Click OK and then Next.
5. On the following two pages keep the default settings and click Next.
6. Under Specify a Realm Name, select Attribute in the left column. On the right, choose User-Name in the Attribute drop-down. Click Next again.
7. Review the settings on the last page and click Finish.

Note: you can choose Remote Access Server (VPN-Dial up) or another Type of network access server depending on the NAS you are deploying, as in the figure below. However, if your NAS is an 802.1X authenticating switch or a wireless access point (WAP), choose Unspecified.

Step 5: Create a Network Policy

1. Right-click Network Policies and choose New.
2. Give the policy a name. For Type of network access server choose Unspecified and click Next (see the note above).
3. On the Conditions page click Add. Suppose this policy is meant for members of the VPN Users group connecting remotely through the RADIUS client V2950; then:
4. Add the condition User Groups and select the VPN Users group.
5. Add the condition Client Friendly Name and enter the name you gave the RADIUS client, for example V2950. Click Next.
6. Select Access granted (the default) and click Next again.
7. On the Constraints page keep the defaults and click Next.
8. On the Settings page keep the defaults and click Next. Review the settings one last time and click Finish.

Both conditions matter: the group condition keeps the VPN from being open to every domain account, and the Client Friendly Name condition keeps a policy written for this router from granting access through some other NAS that later uses the same NPS.

Step 6: Restart the Network Policy Server service
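The same steps 1, 2, 3 and 6 can be scripted. The following is an added example written for this page, not code from the original article: it installs the role, registers NPS in AD, generates a shared secret that respects the 32-character alphanumeric limit noted above, registers the router as a RADIUS client and restarts the service. The friendly name V2950 and the router address 192.168.1.1 are the article's example values; the backup path is an assumption. Run it in an elevated PowerShell as a member of Domain Admins on the Windows Server 2008 R2 host.

```powershell
# Added example, not part of the original article: command-line equivalent
# of steps 1-3 and 6 on Windows Server 2008 R2. Run elevated, as Domain Admin.
# V2950 and 192.168.1.1 come from the article; C:\nps-backup.xml is assumed.
Import-Module ServerManager

# Step 1: install only the Network Policy Server part of NPAS
Add-WindowsFeature NPAS-Policy-Server | Out-Null

# Step 2: register NPS in AD (adds the computer account to "RAS and IAS
# Servers" so NPS may read users' account and dial-in properties)
netsh nps add registeredserver

# Shared secret: 32 random alphanumeric characters, because the
# 66-character secret NPS offers to generate is rejected by some routers.
function New-AlphanumericSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 64
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        foreach ($b in $buf) {
            # 248 = 4 * 62: reject the top 8 byte values so every character is equally likely
            if ($b -lt 248 -and $sb.Length -lt $Length) { [void]$sb.Append($alphabet[$b % 62]) }
        }
    }
    $sb.ToString()
}
$secret = New-AlphanumericSecret -Length 32
Write-Host "Shared secret (enter the same value on the router): $secret"

# Step 3: register the router as a RADIUS client. NPS drops requests from
# any other source address; the secret authenticates the ones it accepts.
netsh nps add client name = "V2950" address = "192.168.1.1" state = "enable" sharedsecret = "$secret"

# Steps 4 and 5 (the two policies) are done in the NPS console as described
# above; list the result to check names and processing order.
netsh nps show client
netsh nps show crp
netsh nps show np

# Step 6: restart the NPS service (its service name is IAS)
Restart-Service IAS

# Back up the whole configuration. The file contains the shared secret in
# the clear, so store it with the same care as a password.
netsh nps export filename = "C:\nps-backup.xml" exportPSK = yes
```

The secret is printed once so it can be typed into the router; it is not stored anywhere else by the script, so run the export at the end and keep that file protected if you need to recover it.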

Testing RADIUS authentication and saving the router configuration

Not every router can test RADIUS authentication itself. The following example tests RADIUS authentication on a Cisco ASA 5510.

1. Open the Configuration menu and choose Remote Access VPN.
2. Under AAA Setup choose AAA Server Groups and select the server group you created.
3. Under Servers in the Selected Group select the server you created and click the Test button on the right.
4. Select Authentication.
5. Enter the username and password of a user who meets the conditions of the Network Policy created above and click OK. If RADIUS authentication succeeds, you will see a message like the one in the figure below.
6. Save the configuration on the router.

On other routers, check RADIUS authentication through the VPN connection status page or in Event Viewer on the Windows Server 2008 R2 host. The figure below shows the Connection Management page of a Draytek VPN router.

Checking RADIUS authentication in Windows Event Viewer. NPS records every request it processes in the Security log: event 6272 when access is granted and event 6273 when it is denied, each naming the user, the RADIUS client, the policy that matched and (for denials) the reason.
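The same check from PowerShell, as an added example that is not part of the original article: it reads the NPS audit events from the Security log, shows the most recent results with the denial reason, looks in the System log for requests NPS refused to process at all (unregistered client address, or a Message-Authenticator that does not verify because the shared secret differs), and flags accounts with many denials, which is what password guessing through the VPN looks like. The address 192.168.1.1 is the article's router; the 24-hour window and the threshold of 10 denials are assumptions. Run it elevated on the NPS host.

```powershell
# Added example, not from the original article. Reads NPS audit events on the
# Windows Server 2008 R2 RADIUS server. Run elevated (the Security log needs it).
# 192.168.1.1 is the article's router; the window and threshold are assumptions.

# Make sure NPS auditing is on (it is by default on a fresh install)
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsAuthEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # 6272 = access granted, 6273 = access denied
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            Granted    = ($e.Id -eq 6272)
            User       = $d['SubjectUserName']
            Client     = $d['ClientName']          # RADIUS client friendly name, e.g. V2950
            ClientIP   = $d['ClientIPAddress']     # should be the router's LAN address
            Policy     = $d['NetworkPolicyName']
            AuthType   = $d['AuthenticationType']  # PAP, MS-CHAPv2, EAP ...
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

$auth = Get-NpsAuthEvent -Since (Get-Date).AddHours(-24)

# 1. The most recent attempts, with the reason for any denial
$auth | Sort-Object Time -Descending | Select-Object -First 10 |
    Format-Table Time, User, Client, ClientIP, AuthType, Granted, Reason -AutoSize

# 2. Requests NPS did not process at all (System log, source NPS):
#    13 = request from an address that is not a registered RADIUS client
#    18 = Message-Authenticator does not verify, i.e. the shared secret differs
#    With PAP and no Message-Authenticator a wrong secret shows up instead as
#    6273 with a bad-password reason, because the decrypted password is garbage.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13, 18; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 3. Accepted requests that did not come from the router's address mean a
#    second RADIUS client entry you did not expect.
$auth | Where-Object { $_.ClientIP -ne '192.168.1.1' } | Format-Table Time, User, ClientIP, Client -AutoSize

# 4. Password guessing through the VPN shows up as many 6273 events per account
$auth | Where-Object { -not $_.Granted } | Group-Object User | Where-Object { $_.Count -ge 10 } |
    ForEach-Object { Write-Warning ("{0} denied logons for {1} in the last 24 h" -f $_.Count, $_.Name) }
```

Because every NPS decision lands in the Security log, forwarding that log (or at least events 6272 and 6273) to your central log collector gives you the same per-user view the article describes without touching the router.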

Choosing the authentication protocols between client and router, and between router and RADIUS server

For the parties to talk to each other, the client and the VPN router, and the VPN router and the RADIUS server, must each support and be configured for the same authentication protocol. For example, a Draytek VPN router without an installed certificate cannot use certificate-based methods such as PEAP or EAP-TLS.

The authentication protocol on the client is set on the Security tab of the VPN connection's properties, for example as in the figure below:

The authentication protocol between the VPN router and the RADIUS server is set under Authentication Methods on the Constraints tab of the Network Policy that applies to the RADIUS client (see the figure below).

Some routers do not support encrypted authentication (MS-CHAPv2 or EAP) toward the RADIUS server; for those you must also tick Unencrypted authentication (PAP, SPAP) under Authentication Methods on the Constraints tab (see the arrow in the figure above). Enable PAP only in the Network Policy for that router, not in every policy: with PAP the user's AD password travels from the router to NPS protected by nothing more than an MD5 stream derived from the shared secret, so anyone who can capture traffic on the segment between router and server and knows or guesses the secret can recover AD passwords. Keep that segment trusted and the secret random.
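To make that risk concrete, here is the password hiding that RFC 2865 (section 5.2) prescribes for the User-Password attribute of a PAP Access-Request, as an added example written for this page rather than code from the article or from any router vendor. The secret, the password and the request authenticator are constructed for the example; a real router generates a fresh random authenticator per request, which is what the script imitates. The second half shows why a guessable secret is fatal: the decryption needs only the captured packet and the secret.

```powershell
# Added example, not from the original article: RFC 2865 section 5.2
# User-Password hiding as done by a RADIUS client (the router) for PAP,
# and its reversal by anyone holding the shared secret. Secret, password
# and request authenticator below are constructed for this example.

function Get-Md5Bytes([byte[]]$Data) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { $md5.ComputeHash($Data) } finally { $md5.Clear() }
}

function Protect-RadiusPapPassword {
    param([string]$Password, [string]$SharedSecret, [byte[]]$RequestAuthenticator)
    $s = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)
    $p = [System.Text.Encoding]::UTF8.GetBytes($Password)
    # pad with NUL octets to a multiple of 16 (at least 16)
    $len = [int][math]::Max(16, [math]::Ceiling($p.Length / 16) * 16)
    $padded = New-Object byte[] $len
    [Array]::Copy($p, $padded, $p.Length)
    $out = New-Object byte[] $len
    $prev = $RequestAuthenticator            # b1 = MD5(S + RA)
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = Get-Md5Bytes ($s + $prev)
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $out[$i..($i + 15)]          # b(n) = MD5(S + c(n-1))
    }
    $out
}

function Unprotect-RadiusPapPassword {
    param([byte[]]$Hidden, [string]$SharedSecret, [byte[]]$RequestAuthenticator)
    $s = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)
    $out = New-Object byte[] $Hidden.Length
    $prev = $RequestAuthenticator
    for ($i = 0; $i -lt $Hidden.Length; $i += 16) {
        $b = Get-Md5Bytes ($s + $prev)
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $Hidden[$i + $j] -bxor $b[$j] }
        $prev = $Hidden[$i..($i + 15)]       # the ciphertext block chains, so no state is needed
    }
    ([System.Text.Encoding]::UTF8.GetString($out)).TrimEnd([char]0)
}

# Constructed: a 16-byte request authenticator (random per request, sent in the
# clear in the packet header) and a deliberately weak shared secret.
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$ra = New-Object byte[] 16
$rng.GetBytes($ra)
$secret = 'test123'
$hidden = Protect-RadiusPapPassword -Password 'P@ssw0rd-of-AD-user' -SharedSecret $secret -RequestAuthenticator $ra
"On the wire: " + (($hidden | ForEach-Object { $_.ToString('x2') }) -join '')

# With the secret, the captured attribute gives the AD password straight back
Unprotect-RadiusPapPassword -Hidden $hidden -SharedSecret $secret -RequestAuthenticator $ra

# Without it, an attacker tries candidates offline against the capture; a
# guess that decrypts to printable text is the secret. (Constructed wordlist.)
$wordlist = 'password', 'radius', 'secret', 'test123'
foreach ($guess in $wordlist) {
    $candidate = Unprotect-RadiusPapPassword -Hidden $hidden -SharedSecret $guess -RequestAuthenticator $ra
    if ($candidate -match '^[\x20-\x7e]+$') { "secret '$guess' recovers the password: $candidate"; break }
}
```

Nothing in the protocol limits the number of guesses, and the guessing runs entirely offline against one captured packet. That is why the shared secret should be the full random 32 alphanumeric characters the router accepts, and why the router-to-NPS path should not cross a segment where untrusted hosts can capture traffic.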
