Windows Server – NPS

Introduction

The purpose of this document is to provide guidelines on how to install and configure the Network Policy Server (NPS) to work with Mideye Server when forwarding MS-CHAP-V2 packets. This guide installs NPS on a Windows Server 2012 R2 machine, but the procedure is similar for Windows Server 2008 R2, Windows Server 2016 and Windows Server 2019.

Prerequisites

Requirements & prerequisites

A Mideye Server (4.3.0 or higher) is required. If NPS is installed on a separate machine, the firewall must allow two-way UDP/1812 (default) traffic between the Mideye Server and NPS. By default, both the Mideye Server and NPS listen on UDP/1812, so if they run on the same server one of them has to change port. We recommend moving NPS to a different port, since the Mideye Server normally serves more than one RADIUS client.

Install the NPS-role

From the Server Manager, click “Add Roles and Features”.

Click “Add Roles and Features”.

Choose "Role-based or feature-based installation".

Select the server.

Select “Network Policy and Access Services”, add the required features, and click Next followed by “Install”.

Configure the NPS-server

Once the installation is complete, open the Network Policy Server console. The first time, you need to register NPS with your domain: right-click NPS at the top of the tree and choose “Register server in Active Directory”.

Register the NPS with your Active Directory.

To change the UDP port for NPS, right-click NPS and choose “Properties”. By default UDP/1812 is used, but change this to another UDP port if NPS is installed on the same machine as your Mideye Server.

Open properties for NPS.

If NPS and the Mideye Server are installed on the same server, change the port.

Add a new RADIUS-client

The next step is to add your Mideye Server as a RADIUS client. Expand “RADIUS Clients and Servers”, right-click “RADIUS Clients” and choose “New”. Give your Mideye Server a friendly name, its IP address and a shared secret. The shared secret must be identical on your Mideye Server.

Create a new RADIUS-client.
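The role installation, Active Directory registration, firewall opening and RADIUS-client creation from the sections above, as an added PowerShell example (not Mideye's own script). The Mideye Server IP address and shared secret are placeholders, and the port change for an NPS co-hosted with the Mideye Server is left to the Properties dialog described above.

```powershell
# Added example, not part of the Mideye guide. Run in an elevated PowerShell on the NPS host.
$MideyeServerIp = '192.0.2.10'               # placeholder: IP address of your Mideye Server
$SharedSecret   = 'CHANGE-ME-shared-secret'  # placeholder: must match the secret entered on the Mideye Server
$RadiusPort     = 1812                       # NPS default; change in NPS Properties if co-hosted with Mideye Server

# 1. Install the Network Policy and Access Services role (GUI: "Add Roles and Features")
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it may read user account properties
#    (GUI: right-click NPS -> "Register server in Active Directory")
netsh nps add registeredserver

# 3. Allow inbound RADIUS from the Mideye Server only; the prerequisites require two-way UDP/1812
New-NetFirewallRule -DisplayName 'RADIUS from Mideye Server' -Direction Inbound `
    -Protocol UDP -LocalPort $RadiusPort -RemoteAddress $MideyeServerIp -Action Allow | Out-Null

# 4. Add the Mideye Server as a RADIUS client with the shared secret (GUI: RADIUS Clients -> New)
Import-Module NPS
if (-not (Get-NpsRadiusClient | Where-Object Name -eq 'Mideye-Server')) {
    New-NpsRadiusClient -Name 'Mideye-Server' -Address $MideyeServerIp -SharedSecret $SharedSecret | Out-Null
}

# 5. Show the configured clients so the address can be checked against the Mideye Server's NPS tab
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize
```

The network policy (group condition, Access granted, MS-CHAP and MS-CHAP-V2 with password change) is still created in the NPS console as described in the next section.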

Create a new Network Policy

Expand “Policies”, right-click “Network Policies” and click “New”.

Give the policy a name.

Add a Windows group that contains all users who should be allowed to use the service.

Select "Access granted".

Make sure that both MS-CHAP and MS-CHAP-V2 are checked and that both authentication methods allow users to change their password.

Click "Next".

Click "Next".

Click "Finish".

Configure Mideye-server to communicate with NPS

On your Mideye Server, open the configuration tool. Select the “LDAP Servers” tab and modify the existing LDAP server used by your remote solution.

Modify LDAP-server.

Click the “NPS” tab and enter the IP address of your NPS server. Make sure the UDP port matches the one configured on the NPS server, and enter the same shared secret as on the NPS server.

Add the NPS-server to your LDAP-server.

The last step is to enable your Mideye server to allow password-changes. Click the “Active Directory” tab and check “Allow Password Reset” and “Allow Password Expired”.

Enable your Mideye-server to allow password-change.

Change your remote-solution to use MS-CHAP

For instructions on how to enable this for Cisco AnyConnect and Citrix NetScaler, click the respective link. For other solutions, contact your vendor for how to enable MS-CHAP-V2.

Troubleshooting

Check RADIUS-logs

Check if anything is written to the Mideye RADIUS log:

Mideye Server\log\radius-messages.log

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.