RADIUS over the internet?

  • Question

  • I would like to configure a Server 2016 NPS deployment to serve RADIUS for WiFi authentication in several offices. The NPS would be hosted in AWS; as such, the only practical way for multiple offices to access it would just be over the public internet. Can NPS be configured such that this is safe to do? I.e., only allow PEAP rather than PAP, MSCHAP, etc.?

    Thanks

    Thursday, July 19, 2018 12:52 PM

All replies

  • Hi,

    Thanks for your question.

    Yes! We can configure NPS to only allow PEAP for authentication and safety, and deploy it in AWS. Meanwhile, NPS needs to be registered in Active Directory. Therefore, the ports and services which are prerequisites of AD and NPS should be allowed to cross between the sites and AWS.

    Here’s an NPS configuration with Azure infrastructure for your reference; it may be helpful.

    https://blogs.msdn.microsoft.com/vaibhavdgupta/2017/12/16/securing-remote-connection-to-azure-infrastructure-using-azure-multi-factor-authentication-mfa/

    In addition, here’s an article that talks about how to configure NPS with PEAP; hope this helps.

    https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope the above information can help you.

    I highly appreciate your effort and time. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, July 20, 2018 6:04 AM
  • To clarify, my proposed deployment would be exposing RADIUS over the public internet. My question is: is that safe to do? Typically, RADIUS deployments would be internal or at least over a VPN; for a variety of reasons that's not practical in this case. I just want to make sure that RADIUS packets traveling over the internet will be safe and not subject to easy cracking. If there are some additional configurations I should put in place to ensure the communications are secure, I'd like to know what those are.

    Thanks

    Friday, July 20, 2018 9:12 AM
  • Exactly the same needs here. Only Azure instead of AWS :)

    I would add a RADIUS proxy, but I'm not sure this is enough to secure the solution …

    Any idea or suggestion?

    Thank you

    Riccardo

    Thursday, September 27, 2018 3:43 PM
  • Hi dmc1561,

    Did you achieve your target? If so, could you please share some insights?

    Thank you in advance

    Riccardo

    Tuesday, June 11, 2019 2:26 PM
  • I wound up changing the port number that my NPS server was accepting RADIUS traffic on and locked down my firewall to only allow the public IPs of my sites to access that port. Just to obfuscate things a little more. I never got a definitive answer on the safety of transmitting RADIUS (specifically PEAP traffic) over the internet.

    If you're planning to use an older protocol like PAP, that seems to be a universally bad idea since it uses weak hashing. If you're using PEAP, that is significantly better since it uses TLS encryption. Its drawback is using MSCHAPv2 and storing hashes on the server. But since I'm running my own RADIUS server and not using a hosted provider, I felt it was safer.

    This page had some useful info: https://docs.foxpass.com/docs/is-radius-secure

    Hope that helps

    Tuesday, June 11, 2019 2:47 PM
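An added example to make the PAP-versus-PEAP point above concrete; this is not code from the thread, from NPS or from the linked articles. It implements, with constructed inputs (the shared secret, the Request Authenticator and the password are all made up here), the three protections the RADIUS layer itself offers on an Access-Request per RFC 2865 and RFC 3579: User-Password hiding (the only thing PAP relies on), the Response Authenticator on replies, and the optional Message-Authenticator HMAC. Running it shows that everything except the User-Password attribute travels in clear, that the password hiding is a single MD5-derived keystream whose only key is the shared secret, and that the Message-Authenticator does detect tampering or a wrong secret. With PEAP the credential exchange happens inside a TLS tunnel carried in EAP-Message attributes, so this layer never carries the password at all; the shared secret still protects the integrity of the exchange, which is why a strong per-client secret and a source-IP allow-list, as the last post describes, still matter.

```python
# Added example: RADIUS Access-Request protections per RFC 2865 / RFC 3579.
# All values below are constructed for illustration; not from the thread.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    seeded by the Request Authenticator. The authenticator is sent in clear, so the
    shared secret is the only key material protecting a PAP password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Access-Request with a Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed by
    the shared secret over the whole packet, with the MAC's 16 value bytes zeroed."""
    length = 20 + len(attrs) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    zeroed = header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Walk the attribute list and recompute the HMAC with the MAC bytes zeroed.
    A request without the attribute fails, since nothing else authenticates it."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) on a reply."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def demo() -> dict:
    secret = b"constructed-shared-secret"   # constructed; use a long random per-client secret
    request_auth = bytes(range(16))         # constructed; real clients send 16 random bytes
    hidden = hide_user_password(b"hunter2", secret, request_auth)
    attrs = (attr(ATTR_USER_NAME, b"alice")
             + attr(ATTR_USER_PASSWORD, hidden)
             + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])))
    request = build_request(7, request_auth, attrs, secret)
    tampered = bytearray(request)
    tampered[22] ^= 0x01                    # flip one bit of the clear-text User-Name
    accept = response_authenticator(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    return {
        "username_in_clear": b"alice" in request,      # only User-Password is hidden
        "password_recovered": reveal_user_password(hidden, secret, request_auth),
        "mac_ok": verify_message_authenticator(request, secret),
        "tamper_detected": not verify_message_authenticator(bytes(tampered), secret),
        "wrong_secret_detected": not verify_message_authenticator(request, b"other"),
        "response_auth_len": len(accept),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `demo()` dictionary is the summary a defender wants: the user name is readable on the wire, the password comes back with the shared secret alone, and only the HMAC (or the MD5 Response Authenticator on replies) gives integrity. Nothing in this layer is a substitute for carrying the actual credential exchange inside a TLS tunnel, which is what PEAP adds.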