Microsoft NPS - RADIUS Configuration with Cloud Authentication Service - RSA Ready Implementation Guide
a year ago

This article describes how to integrate RSA Cloud Authentication Service with Microsoft NPS using RADIUS.

  
Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using RADIUS.

Procedure

  1. Sign in to RSA Cloud Authentication Service.
  2. Navigate to Authentication Clients > RADIUS.
  3. Click Add RADIUS Client and Profiles.
  4. On the RADIUS Client page, enter the following details:
    1. Name: Enter a descriptive name for the RADIUS client.
    2. IP Address: Enter the IP address of the RADIUS client (NPS server IP address).
    3. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
  5. Click Save and Next Step and click Finish to complete the configuration.
  6. Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.

  

Notes

  • The RSA Cloud Authentication RADIUS server is configured to listen on UDP port 1812.  
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

    

Configure Microsoft NPS 

Perform these steps to configure Microsoft NPS as a RADIUS client to RSA Cloud Authentication Service and to configure the Connection Request Policy in NPS.
Procedure

  1. In Server Manager, click Tools, and then click Network Policy Server to open the NPS console.
  2. In the left pane, expand the RADIUS Clients and Servers folder, right-click Remote RADIUS Server Groups, and click New.
  3. On the New Remote RADIUS Server Group dialog box:
    1. In the Group name field, enter a name for the remote RADIUS server group.
    2. Under RADIUS Servers, click Add.
  4. On the Add RADIUS Server dialog box, enter management IP address or FQDN of the Identity router deployed in RSA and click Verify if FQDN is used.
  5. Click the Authentication/Accounting tab.
  6. For Shared secret and Confirm shared secret, enter the same shared secret used for adding RADIUS client in RSA Cloud Authentication Service.
  7. Select the Request must contain the message authenticator attribute checkbox. 
  8. Click the Load Balancing tab.
  9. Increase the timeout value for Number of seconds without response before request is considered dropped to 10 seconds and click OK.

    Note: The default value of 3 seconds for Number of seconds without response before request is considered dropped might be insufficient and users might experience authentication issues. The Windows Security Event log records the authentication failure with Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond and Reason Code: 117. Increase the timeout value appropriately to resolve this issue.
  10. In the left pane, expand Policies, right-click Connection Request Policy, and click New.
  11. Enter a name for Policy name and select the access server type of your deployment from in the Type of network access server drop-down list.
  12. Click Next.
  13. Click Add to specify a new condition to the policy.
  14. Select User Name for the condition and click Add.
  15. Depending on the format of your user login names, enter the common element of the Username (For example, a pattern that matches the e-mail domain). This will signal to Microsoft NPS that usernames in this pattern will match that policy and hence these requests will be sent to RSA RADIUS Server for authentication.
  16. Click OK.
  17. Click Next.
  18. In Settings, under Authentication:
    1. Choose the Forward requests to the following remote RADIUS server group for authentication option.
    2. Select the RADIUS server group configured earlier in the drop-down list.
  19. Click Next. For any request that triggers the policy, the RADIUS request will be forwarded to the RSA RADIUS Server. 
  20. Select Username in the Attribute drop-down list and click Add.
  21. For the Attribute Manipulation Rule, enter the common element of the Username in the Find field and leave the Replace with field blank. 
  22. Click OK and then click Next.

    Note: This step is necessary as the username will be edited by NPS and sent to RSA in the accepted format.  For example, during authentication, the end user enters "username@example.com",  but only “username" will be passed to the RSA RADIUS Server. 
  23. Click Finish.
  24. In the main pane of Microsoft NPS, expand RADIUS Client and Servers, right-click RADIUS Clients, and click New.
  25. On the New RADIUS Client screen:
    1. In the Friendly name field, enter a display name for the RADIUS client.
    2. For Address (IP or DNS), enter the IP address of the client (Network Access Server).
    3. For Shared secret and Confirm shared secret, enter the same shared secret used for adding RADIUS client in the RSA Authentication Manager or RSA Cloud Administration Console.
    4. Click OK.
      This RADIUS Client will send the request to NPS that will be later proxied by NPS to RSA RADIUS server for authentication. 

 

The configuration is complete.

Return to Microsoft NPS - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?