Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Setting up Radius Server to authenticate users in AD

Posted on 2012-04-12
7
Medium Priority
?
546 Views
Last Modified: 2012-05-10
Hi Team,

I have just been assigned a project in which 10 users out of 120 users in an active directory environment need to start using radius authentication.
These 10 users are the domain admins of the company and need higher security then what AD has build in. Has any of you done this is the past and are there any articles or book you can point me to.
The ultimate goal here is for all domain users to type in the password give by the radius server every time they log into any computer.

Thank you.
0
Comment
Question by:exTechnology
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37837183
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37837197
This is a great group of links to assist with setting up RRAS and radius

http://technet.microsoft.com/en-us/network/bb545655
There are Step by Steps and video labs.
0
 
LVL 41

Expert Comment

by:footech
ID: 37846076
I have just been assigned a project in which 10 users out of 120 users in an active directory environment need to start using radius authentication.

Radius authentication for what?  To authenticate their wireless connection?  Their wired connection?  Are you wanting to authenticate the machines they are logging on to?

The password that users type in to log on to a computer will always be their AD password, there is no separate password for NPS/RADIUS.  NPS just authenticates a user based on the user's AD group membership.  The user is verified either through the use of their AD credentials (i.e. username and password), or through a certificate.  A machine can also be authenticated in similar fashion.
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 2

Author Comment

by:exTechnology
ID: 37883219
I would like to use the Radius Authentication for the user that logs into a wired domain computer. Is this possible? Instead of using their AD Password they would use the password the radius server generates and displays on the keychain module?
0
 
LVL 41

Expert Comment

by:footech
ID: 37888201
In short, no.  Reread the bottom paragraph of my previous post.

I think you're misunderstanding what NPS/RADIUS is for.  When a user logs on to a computer, it will always be using either AD credentials or local credentials.  After that point, the connection (wired, wireless, or even VPN) can be authenticated by the RADIUS, but that is done by checking whether the user (or machine) is allowed by verifying their credentials against AD.  Other criteria can also be applied by the rules which must match in order for the connection to be allowed, such as where the connection is coming, what type of device, time of day, etc.

Can't say I know what you're referencing here...
password the radius server generates and displays on the keychain
0
 
LVL 2

Author Comment

by:exTechnology
ID: 37889157
Ok, so when the user logs in they will use their AD account password, after that point, would the radius server ask the user for a second password for authentication? What I mean by the keychain is that the radius system that we have has key chains that generate random passwords, each use will have one of these. When does this authentication come into play when using the radius feature within AD account?

Thank you
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 37889658
No, it would use their credentials already entered (at least in a default configuration).  RADIUS comes into play to authorize the connection.  For instance, for wired connections 802.1x is used so that if a device without proper credentials is plugged into an ethernet port, the port won't allow any communication.  I've never seen what you're describing, so I don't know if there's a way to configure it to do what you want, but it's not the way RADIUS is typically used.

I'm really not sure what you're trying to do here that can't be accomplished with AD settings.  Are you worried about password complexity or length?  That can be set.  Need different requirements for Domain Admins?  That can be set with fine-grained password policies if your domain functional level is 2008.  Are up looking to do two-factor authentication?  Can't help you with that, but I know there're products out there for it.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Make the most of your online learning experience.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question