In this article we will discuss RADIUS proxies and how they affect the way system administrators manage a network. By now we’ve learned how to install and configure RADIUS servers for our wireless networks. A RADIUS proxy redirects traffic destined for a certain server when multiple RADIUS servers are used within the network. Based on predefined rules, the proxy server determines where each request will be sent. This type of RADIUS server can be used to redirect authentication requests based on the user’s domain. Suppose you have multiple domains within your forest and each one has its own RADIUS server to authenticate users. The proxy would be configured to forward each authentication request to the RADIUS server it is destined for. Another common use for a proxy is to relieve portions of the network by load balancing traffic destined for RADIUS servers. In that case, you would configure a proxy server in front of multiple RADIUS servers, and this server would be responsible for managing that traffic.
To configure a RADIUS proxy you’ll need to add the Network Policy and Access Service role as indicated in the last article. Note that for this exercise you would need to create at least two RADIUS servers. After this step is complete, open the Server Manager console, navigate to Network Policy and Access Services/NPS/RADIUS Clients and Services, right click this node and select New:
The new RADIUS Servers Group Wizard will start. In the first window, enter the group’s name and press the Add button to add a RADIUS server to the new group:
In the Address tab, type in the RADIUS server’s IP address. You can press the Verify button to see if the RADIUS server is resolved by the DNS server:
In the Authentication/Accounting tab you’ll have to enter the shared secret that will be used by all RADIUS servers. Leave the port numbers 1812 and 1813 unchanged because these are the default ports used by RADIUS servers:
The last tab is where you specify the Load Balancing settings for your RADIUS farm. The priority ranking indicates the status of the server, and the weight is used to calculate how often requests are sent to a specific server in a group of servers that have the same priority. Other load balancing options can be configured from this panel:
After pressing the OK button, the RADIUS server will be added to the RADIUS server group. Repeat these steps for each server. For this example, I’ve configured two RADIUS virtual machines and I’ve added them to my new RADIUS group:
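To see what the priority and weight fields do to traffic, here is a simplified model of the selection, added as an example and not taken from NPS or from the original article. It assumes that a lower priority number is preferred, that weights split requests among servers sharing the best available priority, and that lower-ranked servers are used only when the preferred ones are unavailable; the server names and values are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RadiusServer:
    name: str               # constructed name, not from the article
    priority: int           # assumption: 1 is the most preferred
    weight: int             # relative share within one priority level
    available: bool = True  # False models a server that stopped answering


def pick_server(group, rng):
    """Return the server that receives the next request, or None."""
    live = [s for s in group if s.available]
    if not live:
        return None  # nothing to forward to: the request is dropped
    best = min(s.priority for s in live)
    tier = [s for s in live if s.priority == best]
    # Weighted choice among servers that share the best live priority.
    return rng.choices(tier, weights=[s.weight for s in tier], k=1)[0]


def distribution(group, requests=10_000, seed=1):
    """Count how many of `requests` each server would receive."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(requests):
        chosen = pick_server(group, rng)
        counts[chosen.name if chosen else "dropped"] += 1
    return dict(counts)


def with_outage(group, *down):
    """Copy of the group with the named servers marked unavailable."""
    return [replace(s, available=s.name not in down) for s in group]


# Constructed group: two primaries sharing load 70/30 and one backup.
GROUP = [
    RadiusServer("radius1", priority=1, weight=70),
    RadiusServer("radius2", priority=1, weight=30),
    RadiusServer("radius3", priority=2, weight=100),
]

if __name__ == "__main__":
    print("all up:        ", distribution(GROUP))
    print("radius1 down:  ", distribution(with_outage(GROUP, "radius1")))
    print("primaries down:", distribution(with_outage(GROUP, "radius1", "radius2")))
```

The backup server receives nothing while either primary is up, so an outage of the whole group is the only case in which authentication requests go unanswered.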
For our RADIUS group we’ll need to create a new Connection Request Policy. Open the NPS console and right click on Policies/Connection Request Policies and select New:
Enter the policy name and select Unspecified from the type of network access server menu:
In the next section we’ll have to specify the conditions that determine whether this connection request policy is evaluated for a connection request. Note that at least one condition is required. Press the Add button to create a new condition. For my condition I will choose Access Client IPv4 Address and I will specify the network address of my computers:
I will use only one condition for this example; you can add additional conditions if desired. In the next section, we’ll need to enable the “Forward requests to the following RADIUS server groups for authentication” option and select our RADIUS group:
Now press Next and proceed to the Configure Settings section. Here, you can create special rules that will overwrite the request by setting custom attributes. You can also send additional RADIUS attributes to clients or set vendor specific attributes. We will not be using this section since our RADIUS servers are configured using standard settings:
In the last section you can recheck the settings configured for our request policy and finally complete the wizard:
Once the policy is configured, it will appear in the NPS console under the Connection Request Policies section:
We’ve configured two RADIUS servers and added them to our RADIUS Group. Then, we’ve configured a Connection Request Policy that will redirect RADIUS requests to our group based on the conditions configured in the rule. Because we’ve set the Access Client IPv4 Address condition, only clients that are part of the same network will be able to send authentication requests to our RADIUS farm.
I hope you’ve understood the elements described in this tutorial. Please leave a comment if you have any misunderstandings and I will try to respond as soon as possible. Wish you all the best and have a great day!