Configuring RADIUS authentication for Global VPN Clients with Network Policy and Access Server

Description

This article describes how to configure RADIUS authentication for Global VPN Clients using Network Policy and Access Services on Microsoft Windows Server 2008.

RADIUS can be used as an Authentication, Authorization and Accounting (AAA) server. The RADIUS server answers each client authentication request with either an accept or a reject. The RADIUS server not only authenticates users based on username and password but also authorizes them based on the configured policy: whether the user group to which the user belongs is authorized, time constraints, and any other policies that are configured.




Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


Configuring WAN Group VPN

  1. After logging into the firewall UI, navigate to Device | IPSec VPN | Rules and Settings and edit (configure) the WAN Group VPN policy.
  2. Configure the policy with a shared secret.

  3. Set the VPN authentication method and choose the group you want to grant access to. Make sure this group has VPN access permission to the desired subnets; you can restrict access to a single subnet or allow multiple subnets.

  4. Navigate to Device | Users | Local Users & Groups | Local Users, edit the user, and on the VPN Access tab add the networks this VPN user is allowed to access.


Configuring RADIUS on Firewall

  1. Navigate to Device | Users | Settings and click Configure RADIUS.
  2. Click Add, then enter the IP address of the primary RADIUS server and the RADIUS port. Microsoft supports both 1812 and 1645 for authentication. If you have a redundant RADIUS server in your environment, you can enter it here as well. Enter the RADIUS server shared secret in the Shared Secret field. The alphanumeric shared secret can be 1 to 31 characters long and is case sensitive. The shared secret is used in an encryption process to obscure certain details in RADIUS messages, such as user passwords; the same secret is entered on the RADIUS client entry for the firewall in NPS.

Configuring RADIUS Client and Associated Policy on Network Policy and Access

  1. Create a new RADIUS client in Network Policy and Access Services with the IP address of the SonicWall firewall and the shared secret.

  2. Create a network policy that allows the users to authenticate.

  3. Specify the LDAP user group that you want to grant access to the resources on the network.

  4. Optionally, add the SonicWall interface IP address (the RADIUS client IP) as a condition in the policy so that the server only accepts RADIUS requests from the SonicWall.

  5. Configure the authentication methods that you want to allow. SonicWall recommends MS-CHAP or MS-CHAPv2. When RADIUS is used to authenticate VPN client users, it operates in MS-CHAP (or MS-CHAPv2) mode; the primary reason for this is that VPN client users can use the MS-CHAP feature that lets them change expired passwords at login time.

  6. Make sure that the configured policy is processed before (has a higher precedence in the processing order than) the default deny policy, Connections to other access servers.

Testing

Connect with the Global VPN Client using a RADIUS user account and verify that authentication succeeds.




Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


Configuring WAN Group VPN

  1. After logging into the firewall UI, navigate to Manage | VPN | Basic Settings and edit (configure) the WAN Group VPN policy.

  2. Configure the policy with a shared secret.

  3. Set the VPN authentication method and choose the group you want to grant access to. Make sure this group has VPN access permission to the desired subnets; you can restrict access to a single subnet or allow multiple subnets.

  4. Navigate to Manage | Users | Local Users & Groups | Local Users, edit the user, and on the VPN Access tab add the networks this VPN user is allowed to access.



Configuring RADIUS on Firewall


  1. Navigate to Manage | Users | Settings and click Configure RADIUS.

  2. Click Add, then enter the IP address of the primary RADIUS server and the RADIUS port. Microsoft supports both 1812 and 1645 for authentication. If you have a redundant RADIUS server in your environment, you can enter it here as well. Enter the RADIUS server shared secret in the Shared Secret field. The alphanumeric shared secret can be 1 to 31 characters long and is case sensitive. The shared secret is used in an encryption process to obscure certain details in RADIUS messages, such as user passwords; the same secret is entered on the RADIUS client entry for the firewall in NPS.




Configuring RADIUS Client and Associated Policy on Network Policy and Access

  1. Create a new RADIUS client in Network Policy and Access Services with the IP address of the SonicWall firewall and the shared secret.

  2. Create a network policy that allows the users to authenticate.

  3. Specify the LDAP user group that you want to grant access to the resources on the network.

  4. Optionally, add the SonicWall interface IP address (the RADIUS client IP) as a condition in the policy so that the server only accepts RADIUS requests from the SonicWall.

  5. Configure the authentication methods that you want to allow. SonicWall recommends MS-CHAP or MS-CHAPv2. When RADIUS is used to authenticate VPN client users, it operates in MS-CHAP (or MS-CHAPv2) mode; the primary reason for this is that VPN client users can use the MS-CHAP feature that lets them change expired passwords at login time.

  6. Make sure that the configured policy is processed before (has a higher precedence in the processing order than) the default deny policy, Connections to other access servers.


Testing

Connect with the Global VPN Client using a RADIUS user account and verify that authentication succeeds.




Resolution for SonicOS 6.2 and Below

The resolution below is for customers using SonicOS 6.2 and earlier firmware. For generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.


Configuring WAN Group VPN

  1. After logging into the firewall UI, navigate to VPN | Settings and edit (configure) the WAN Group VPN policy.

  2. Configure the policy with a shared secret.

  3. Set the VPN authentication method and choose the group you want to grant access to. Make sure this group has VPN access permission to the desired subnets; you can restrict access to a single subnet or allow multiple subnets.

  4. Edit the user under the Users tab and add the networks this VPN user is allowed to access.


Configuring RADIUS on Firewall

  1. Enter the IP address of the primary RADIUS server and the RADIUS port. Microsoft supports both 1812 and 1645 for authentication. If you have a redundant RADIUS server in your environment, you can enter it here as well. Enter the RADIUS server shared secret in the Shared Secret field. The alphanumeric shared secret can be 1 to 31 characters long and is case sensitive. The shared secret is used in an encryption process to obscure certain details in RADIUS messages, such as user passwords; the same secret is entered on the RADIUS client entry for the firewall in NPS.



Configuring RADIUS Client and Associated Policy on Network Policy and Access

  1. Create a new RADIUS client in Network Policy and Access Services with the IP address of the SonicWall firewall and the shared secret.

  2. Create a network policy that allows the users to authenticate.

  3. Specify the LDAP user group that you want to grant access to the resources on the network.

  4. Optionally, add the SonicWall interface IP address (the RADIUS client IP) as a condition in the policy so that the server only accepts RADIUS requests from the SonicWall.

  5. Configure the authentication methods that you want to allow. SonicWall recommends MS-CHAP or MS-CHAPv2. When RADIUS is used to authenticate VPN client users, it operates in MS-CHAP (or MS-CHAPv2) mode; the primary reason for this is that VPN client users can use the MS-CHAP feature that lets them change expired passwords at login time.

  6. Make sure that the configured policy is processed before (has a higher precedence in the processing order than) the default deny policy, Connections to other access servers.
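The RADIUS client registration in step 1 of this section (and the identical step 1 in the SonicOS 7.X and 6.5 sections above), together with the shared-secret rule from the firewall-side "Configuring RADIUS on Firewall" step, can also be done from PowerShell on the NPS server. The following is an added example, not SonicWall's or Microsoft's own code. It uses the New-NpsRadiusClient, Set-NpsRadiusClient and Get-NpsRadiusClient cmdlets from the NPS module that ships with the Network Policy and Access Services role, generates a 31-character alphanumeric secret (the firewall's maximum length), and registers the firewall as a RADIUS client. The client name SonicWall-FW and the address 192.0.2.1 are placeholders; the network policy itself (steps 2 to 6) is still created in the NPS console as described.

```powershell
# Added example (not SonicWall's or Microsoft's own code). Run in an elevated
# PowerShell session on the NPS server. The client name and address below are
# placeholders: use the SonicWall interface IP that sends the RADIUS requests.
#Requires -RunAsAdministrator
Import-Module NPS

$ClientName    = 'SonicWall-FW'   # placeholder friendly name for the RADIUS client
$ClientAddress = '192.0.2.1'      # placeholder: SonicWall interface IP (RADIUS client IP)
$SecretLength  = 31               # firewall accepts 1..31 alphanumeric characters

function New-RadiusSharedSecret {
    param([int]$Length = 31)
    # Alphanumeric only, to satisfy the firewall's input rule. Bytes come from
    # the CSPRNG; values >= 248 (the largest multiple of 62 below 256) are
    # rejected so every character is equally likely (no modulo bias).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { $chars.Add($alphabet[$buf[0] % 62]) }
    }
    return -join $chars
}

$secret = New-RadiusSharedSecret -Length $SecretLength

# Register (or update) the firewall as a RADIUS client. NPS discards requests
# from addresses that have no client entry, and a secret that differs from the
# one on the firewall makes NPS discard the request as well, so both values
# must match exactly what is entered on the SonicWall.
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }
if ($existing) {
    Set-NpsRadiusClient -Name $ClientName -Address $ClientAddress -SharedSecret $secret -Enabled $true
} else {
    New-NpsRadiusClient -Name $ClientName -Address $ClientAddress -SharedSecret $secret -Enabled $true
}

# Verify the entry NPS now holds (property names as printed by Get-NpsRadiusClient)
Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName } |
    Format-List Name, Address, Enabled

# Show the secret once so it can be pasted into the firewall's Shared Secret
# field (step 2 of "Configuring RADIUS on Firewall"), then drop it from the session.
Write-Host "Enter this shared secret on the SonicWall: $secret"
Remove-Variable secret
```

The secret is generated on the server and typed into the firewall rather than the other way round, so it never has to be chosen by hand; the rejection-sampling loop keeps the distribution uniform over the 62-character alphabet, which matters more than length when the firewall caps the secret at 31 characters.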


Testing

Connect with the Global VPN Client using a RADIUS user account and verify that authentication succeeds.
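Whether a test login was accepted, and if not which NPS policy rejected it, is recorded on the NPS server rather than on the firewall. The following is an added example, not SonicWall's or Microsoft's own code, that serves the Testing step of all three SonicOS sections above. It enables the "Network Policy Server" audit subcategory and reads the Security log events 6272 (access granted) and 6273 (access denied) that NPS writes for each RADIUS request. The EventData field names it extracts (SubjectUserName, ClientIPAddress, NetworkPolicyName, AuthenticationType, ReasonCode, Reason) are the ones NPS uses in those events; treat them as an assumption if your build prints different names.

```powershell
# Added example (not SonicWall's or Microsoft's own code). Run in an elevated
# PowerShell session on the NPS server after attempting a Global VPN Client
# login. Assumes the Security log holds NPS events 6272/6273 and that their
# EventData uses the field names listed in the lead-in.
#Requires -RunAsAdministrator

# Enable NPS auditing for both outcomes (idempotent, persists across reboots).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsAuthResult {
    param([int]$Minutes = 15)
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        # Pull one named field out of EventData; $null if the field is absent
        $field = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Result        = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            User          = & $field 'SubjectUserName'
            ClientIP      = & $field 'ClientIPAddress'     # expect the SonicWall's RADIUS client IP
            NetworkPolicy = & $field 'NetworkPolicyName'   # expect your VPN policy, not the default deny policy
            AuthType      = & $field 'AuthenticationType'  # expect MS-CHAPv2 for Global VPN Client
            ReasonCode    = & $field 'ReasonCode'
            Reason        = & $field 'Reason'
        }
    }
}

# Most recent attempts first. A DENIED row whose NetworkPolicy is
# "Connections to other access servers" means the VPN policy's processing
# order or its conditions (group, client IP, authentication method) did not
# match the request; the Reason column says which check failed.
Get-NpsAuthResult -Minutes 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading these events is also the quickest way to distinguish a shared-secret or client-IP mismatch (no 6272/6273 event is logged at all, because NPS discards the request before policy evaluation) from a policy mismatch (a 6273 event naming the policy that rejected the user).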
