Setup RADIUS Authentication


This section will detail how to install and configure a RADIUS server and client for Windows, and how to integrate RADIUS with IDM by enabling the RADIUS Cloud Deployment authentication method.

1. Connect to the VESC Server

You will configure the RADIUS server and client on the VESC Server for this lab.

Double-click the VESC Server.rdp link on the Desktop to connect to the VESC Server.

2. Install and Configure a RADIUS Server for Windows

  1. Click Server Manager from the task bar.
  2. Click Manage.
  3. Click Add Roles and Features.

2.1. Enable Network Policy and Access Services

  1. Click Server Selection.
  2. Click Server Roles.
  3. You may need to scroll down to find Network Policy and Access Services.
  4. Click the checkbox to enable Network Policy and Access Services.

2.1.1. Add Features for Network Policy and Access Services

Click Add Features.

2.1.2. Install the New Roles and Features

  1. Click Confirmation.
  2. Click Install.

Wait for the installation to complete.  This may take several minutes to complete.

2.1.3. Close the Installation Window

  1. Ensure the Feature Installation shows the installation succeeded.
  2. Click Close.

2.2. Configure Network Policy Server

Within Server Manager,

  1. Click Tools.
  2. Click Network Policy Server.

2.2.1. Register Network Policy Server in Active Directory

  1. Click Action.
  2. Click Register server in Active Directory.

2.2.2. Authorize to Read User's Dial-In Properties

  1. Click OK to authorize this computer to read user's dial-in properties.
  2. Click OK to confirm that the computer is not authorized.

2.3. Add a new RADIUS Client

  1. Click the caret next to RADIUS Clients and Servers to expand the folder.
  2. Right-click RADIUS Clients.
  3. Click New.

2.3.1. Configure the RADIUS Client

  1. Enter vescsrv-01a.corp.local for the Friendly Name.
  2. Enter vescsrv-01a.corp.local for the Address (IP or DNS).
  3. Enter VMware1! for the Shared Secret.
  4. Enter VMware1! for the Confirm Shared Secret.
  5. Click OK.

2.3.2. Add a New Network Policy

  1. Click the caret next to Policies to expand it.
  2. Right-click Network Policies.
  3. Click New.

2.3.3. Configure Policy Name and Connection Type

  1. Enter IDM Authentication for the Policy name.
  2. Select Unspecified for the Type of Network access server.
  3. Click Next.

2.3.4. Add Conditions

Click Add.

2.3.5. Add a User Groups Condition

  1. Click User Groups.
  2. Click Add.

2.3.6. Add Groups

Click Add Groups.

2.3.7. Select the Domain Users Group

  1. Enter Domain Users into the search field.
  2. Click Check Names.  Ensure the Domain Users group is found.
  3. Click OK.

2.3.8. Confirm User Groups

Click OK.

2.3.9. Continue after specifying User Groups Condition

Click Next.

2.3.10. Specify Access Granted Permission

  1. Select Access Granted.
  2. Click Next.

2.3.11. Configure Authentication Methods

  1. Under the Less secure authentication methods, ensure that ALL of the options are checked EXCEPT for Perform machine health check only.
  2. Click Next.

2.3.12. Close Help Popup

Click No.

2.3.13. Accept the Default Constraints

Click Next to accept the default Constraints.

2.3.14. Accept the Default Settings

Click Next to accept the default Settings.

2.3.15. Complete the New Network Policy

Click Finish.

3. Return to the Main Console

With the RADIUS client configured, you will configure the remainder of the requirements from the Main Console.

Click the Close (X) button on the Remote Desktop Connector bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you  may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

4. Configure the RADIUS Authentication Method for VMware Identity Manager

In the VMware Identity Manager Administration Console,

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click Lab.

4.1. Select the RADIUSAuthAdapter

  1. Click the Auth Adapters tab.
  2. You may need to scroll down.
  3. Click the RADIUSAuthAdapter link.

4.2. Configure the RADIUSAuthAdapter Details

  1. Click to enable the Enable RADIUS Adapter option.
  2. Enter 5 for the Number of attempts to RADIUS server.
  3. Enter 20 for the Server timeout in seconds.
  4. Enter vescsrv-01a.corp.local for the RADIUS server hostname/address.
  5. Select MSCHAPv2 for the Authentication type.
  6. Enter VMware1! for the Shared secret.

4.3. Save the RADIUSAuthAdapter

  1. Scroll down to the bottom.
  2. Click Save.

4.4. Return to the VMware Identity Manager Admin Console

  1. Confirm the RADIUSAuthAdapter shows as Enabled.
  2. Click Admin Console.

5. Configure the Identity Providers

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Built-In.

5.1. Associate the RADIUS Authentication Method

  1. Scroll down to the bottom.
  2. Click to enable the RADIUS (cloud deployment) authentication method for this Identity Provider.
  3. Click Save.

6. Configure the Policy Rules

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click Edit Default Policy.

6.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

6.2. Configure Policy Rule

  1. Select ALL RANGES for the Network Range.
  2. Select Web Browser for the Device type.
  3. Select Authenticate using... for the action.
  4. Select RADIUS (cloud deployment) for the authentication type.
  5. Select Password (cloud deployment) for the fallback authentication type.

6.3. Save the Policy Rule

  1. Scroll down to the bottom.
  2. Click Save.

6.4. Move the Policy Rule to the Top

  1. Move the Policy Rule for the RADIUS (cloud deployment) authentication to the top.
  2. Click Next.

6.5. Review and Save

Review the configuration as desired and click Save.

7. Test RADIUS Authentication from a Web Browser

  1. Right-click the Google Chrome icon from the task bar.
  2. Click New incognito window.
  1. Enter https://{yourtenant} in the navigation bar and press Enter.
    NOTE - Be sure to replace {yourtenant} with your actual tenant that you have accessed in previous steps!
  2. Select corp.local for the Domain.
  3. Click Next.

7.2. Authenticate using RADIUS

  1. Notice we are being prompted to authenticate with our RADIUS passcode.
  2. Enter aduser for the username.
  3. Enter VMware1! for the RADIUS Passcode.
  4. Click Sign In.
  1. Click the User dropdown.
  2. Click Settings.

7.4. Confirm RADIUS Authentication was Successful

  1. Confirm the User Profile shows as [email protected].
  2. Click the X to close the incognito browsing session and return to the VMware Identity Manager Administration Console.

This confirms that we were able to successfully install and configure our RADIUS Server on the Windows server, and then enabled and configured our RADIUS authentication method and Policy Rules to allow our users to authenticate using their RADIUS passcode when accessing the tenant from a Web Browser.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.