How to access Active Directory properties via Radius/NPS

    Question

  • My company wants to interface our hardware product to the Microsoft Network Policy Server (NPS) via Radius with the purpose of authenticating our users against the Active Directory (AD) database.  We have a few questions about how AD and NPS interact.  Ultimately we need NPS to return the full list of AD group membership when a user attempts to login.

    • How do AD properties map to radius attributes of various radius dictionaries (e.g. – std radius, vendor specific dictionary, etc)?
      • How do Microsoft radius dictionaries relate to AD properties?
      • What is the complete list of AD properties?
      • How do we specify the mapping of AD properties to radius attributes within NPS? 
      • More specifically, how do we specify the mapping of these properties to our company’s vendor specific dictionary?
    • The one AD property we are most interested in is ‘member of group’
      • How does our application receive AD group membership list for an authenticated user?
    Thursday, March 22, 2012 4:33 PM

Answers

All replies

  • Is this for Certificate based authentication using 802.1x/EAP?

    Is it for wireless?

    .

    Some observations:

    • By default, a RADIUS client will send the auth request to the RADIUS server (NPS), which then NPS will contact AD for authentication.
    • Authentication can be in the form of credentials or certificate based (using EAP & 802.1x).
    • As for setting in NPS by group, you will be using an AD group.
    • The RADIUS client will have no idea, nor should it, what user accounts or groups exist in AD, otherwise that could lead to a directory harvesting or other possible types of attacks. RADIUS clients just send the auth to the RADIUS server (NPS or Unix, etc) and the RADIUS server can be configured to keep track of everything using Accounting features.

    .

    What brand/vendor device are you trying to use as a RADIUS client to NPS?

    As for how to "map" properties, it's rather the attributes you set at the NPS side so it will accept it from the RADIUS clients.

    Planning NPS as a RADIUS server
    Updated: October 21, 2008, Applies To: Windows Server 2008, Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/dd197604(WS.10).aspx
     
    Cisco: User Management: Configuring Authentication Servers
     Add New Entry (Login Event, Logout Event, Shared Event)
     http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_auth.html#wp1159142

    .

    As for specifying a group, unless I'm misunderstanding what you're asking, or not sure if you tried it or are having trouble with it, you would specify the group in the NPS conditions, as the screenshots show in Part 2 below.

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html 

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Tiger Li Tuesday, March 27, 2012 9:59 AM
    Thursday, March 22, 2012 10:15 PM
  • Hi Ronster59,

    Thanks for posting here.

    Actually, there is a little misunderstanding here: the RADIUS/NPS server communicates with the domain controller and gets data from it by using LDAP, not by mapping. We can read the detailed explanation from the link below:

    How Network Policy Server Works
    http://technet.microsoft.com/en-us/library/dd197603(WS.10).aspx

     

    If you are interested in deploying an NPS-compatible device for RADIUS authentication, please post to the MSDN forum in order to get the most professional responses.

    Network Policy Server
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb892034(v=vs.85).aspx

    Thanks.

    Tiger Li


    TechNet Community Support


    • Edited by Tiger Li Friday, March 23, 2012 7:41 AM
    • Marked as answer by Tiger Li Tuesday, March 27, 2012 9:59 AM
    Friday, March 23, 2012 7:40 AM
  • Thanks for the quick responses.   First, to answer your questions:

    • Is this for Certificate based authentication using 802.1x/EAP?  No. 
    • Is it for wireless? No
    • What brand/vendor device are you trying to use as a RADIUS client to NPS?  We want to use NPS to authenticate and authorize logins into a proprietary device, over wired Ethernet.

    Ace, your response prompted me to learn more about how to configure NPS policies. The following describes an approach we think might work, albeit with a scalability limitation that we're hoping there is a solution to:

    1. We initially wanted to have one policy which will return the user’s group membership via AD “member-of” property.  Since this isn’t possible, we plan to configure multiple network policies and have each return different group information via vendor specific Radius attributes.
      • eg. We have groups:
        • Engineering
        • DevTest
        • Alaska
        • Hawaii
      • We configure these network Policies
        • Alaska_Engineer_Policy: if a user login belongs to both Alaska and Engineering groups, this policy will match. We want to return a Radius attribute to tell the client that the user is in both these groups, eg. belongToGroup = “Engineer, Alaska”             
        • Alaska_DevTest_Policy: returns belongToGroup = “DevTest, Alaska”
        • Hawaii_Engineer_Policy: returns belongToGroup = “Engineer, Hawaii”
        • Hawaii_DevTest_Policy: returns belongToGroup = “DevTest, Hawaii”

    Our question is that as we add more groups, the combinations of groups will increase, thus increasing the number of policies we have to configure.  In practice, the number of policies configured will likely be much less than the theoretical maximum of 2^N-1, but we’d like to know if there is a better way to accomplish what we are trying to do?

    2.  We know how to configure an individual Radius client, one per IP address.   If we have hundreds of clients and they are all in the same subnet, is there a way to configure only one Radius client and specify a subnet instead of a specific IP?  E.g. FreeRADIUS allows you to do this in client.conf:

               client 192.168.0.0/16 {
                   secret          = test
                   shortname       = my-subnet
               }


    Ron Pleshek

    Tuesday, March 27, 2012 4:03 PM
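The follow-up above proposes returning group membership to the device in a vendor-specific RADIUS attribute (belongToGroup = "Engineer, Alaska"). Whatever policy layout NPS ends up with, the device still has to do two things with the Access-Accept it receives: confirm the reply really came from the server that shares its secret (the RFC 2865 Response Authenticator, an MD5 over Code + ID + Length + Request Authenticator + Attributes + Secret) and then decode the Vendor-Specific attribute (type 26) carrying the group list. The Python below is an added, self-contained example written for this thread, not code from the original posts, from Microsoft, or from any vendor dictionary. The vendor ID 99999, the vendor attribute number 1, the shared secret "test" and the fixed Request Authenticator are constructed placeholders; a real device would use its registered enterprise number and a random 16-byte Request Authenticator per request.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26, Vendor-Specific

# Constructed placeholders: a real product would use its IANA enterprise number
# and the attribute number assigned to belongToGroup in its own dictionary.
VENDOR_ID = 99999
VSA_BELONG_TO_GROUP = 1


def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type 26, length, 4-byte vendor id,
    then the vendor's own type/length/value triplet."""
    if len(value) > 247:                      # 255 - 2 (outer TL) - 4 (vendor) - 2 (inner TL)
        raise ValueError("VSA value too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident, request_authenticator, secret, attributes):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Check the Length field and recompute the Response Authenticator
    before trusting any attribute in the reply."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Return (type, value) pairs from a RADIUS attribute list, rejecting
    lengths that would run past the buffer (a classic parser bug)."""
    pos, out = 0, []
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        out.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return out


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def groups_from_accept(packet, request_authenticator, secret):
    """Return the group names carried in belongToGroup VSAs of a verified
    Access-Accept, or None if the reply is not an authentic Access-Accept."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = []
    for atype, value in parse_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, inner = parse_vsa(value)
        if vendor_id != VENDOR_ID:           # ignore other vendors' attributes
            continue
        for vtype, data in inner:
            if vtype == VSA_BELONG_TO_GROUP:
                groups.extend(g.strip() for g in data.decode("utf-8").split(",") if g.strip())
    return groups


def demo():
    """Constructed round trip: the reply an Alaska_Engineer_Policy would send."""
    secret = b"test"                          # constructed shared secret
    request_authenticator = bytes(range(16))  # constructed; random per request in practice
    reply = build_access_accept(7, request_authenticator, secret,
                                [vsa(VENDOR_ID, VSA_BELONG_TO_GROUP, b"Engineer, Alaska")])
    return groups_from_accept(reply, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())  # ['Engineer', 'Alaska']
```

The verification step is what makes the group list worth acting on: a reply whose attributes were altered in transit, or one produced with a different shared secret, fails the Response Authenticator check and is discarded rather than parsed. Bounds checks in `parse_attributes` matter for the same reason, since attribute lengths come straight off the wire.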