IPSec collaborate with Microsoft AD & NPS

Publication Date:  2013-11-13
Issue Description
How can access to a HUAWEI VPN be granted without creating a separate username and password for each user on each device?
Alarm Information
None
Handling Process
First, install the AD and NPS services and configure the RADIUS authentication/authorization template on the firewall (those parts are not covered in this article), then:

Step 1: Register NPS in Active Directory

We have to register the Network Policy Server in Active Directory so that authentication can be based on the user accounts created in the domain.

To authorize NPS in AD:
  • Log on to the server running NPS with an account that has domain admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Right-click NPS (Local) and, from the context menu, click Register server in Active Directory.


  • Confirm that you want to authorize this computer (the server running NPS) to read users' dial-in properties by clicking OK in the Network Policy Server dialog. Make sure the authorization happens in the correct domain, as indicated in the system message.

  • When the operation completes successfully, a confirmation appears stating that this computer is now authorized to read users' dial-in properties from the domain.

Step 2: Add HUAWEI DEVICES as RADIUS client and Create Policy

  • Log on to the server running NPS with an account that has admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.

Create a Connection Request Policy; its condition is "devices name" = "US?".

Friendly name: the name used to identify the router, usually the same as its hostname.

Create a Network Policy and associate the policy with the group in AD.

For this case we create two policies: the upper one for IPSec users and the lower one for firewall admins; we grant privilege level 15 to those users.
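Added illustration, not code from this article or from Huawei/Microsoft: when the firewall-admin network policy matches, NPS answers the device with an Access-Accept, and the privilege level is assumed here to travel in a Huawei vendor-specific attribute. The sketch below builds such a reply, verifies its Response Authenticator against the shared secret and only then extracts the level, so a reply with a wrong secret or altered attributes is rejected. The vendor ID 2011 and sub-attribute 29 (Huawei-Exec-Privilege) are taken from Huawei's public RADIUS dictionary rather than from this page; the secret and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011       # assumption: Huawei enterprise number from its public RADIUS dictionary
HUAWEI_EXEC_PRIVILEGE = 29    # assumption: Huawei-Exec-Privilege sub-attribute, integer 0..15

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, privilege):
    """Constructed Access-Accept carrying a single Huawei-Exec-Privilege VSA."""
    sub = struct.pack("!BBI", HUAWEI_EXEC_PRIVILEGE, 6, privilege)            # sub-type, sub-len, value
    vsa = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HUAWEI_VENDOR_ID) + sub
    auth = response_authenticator(ACCESS_ACCEPT, ident, vsa, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(vsa)) + auth + vsa

def parse_access_accept(packet, request_auth, secret):
    """Return (authentic, privilege); a forged, tampered or malformed reply yields (False, None)."""
    if len(packet) < 20:
        return False, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    if code != ACCESS_ACCEPT or length != len(packet):
        return False, None
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, None                      # secret mismatch or attributes altered in transit
    privilege, pos = None, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False, None                  # malformed attribute list
        value = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == HUAWEI_VENDOR_ID:
            sub, spos = value[4:], 0            # walk the vendor sub-attributes
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    return False, None
                if stype == HUAWEI_EXEC_PRIVILEGE and slen == 6:
                    privilege = struct.unpack("!I", sub[spos + 2:spos + 6])[0]
                spos += slen
        pos += alen
    return True, privilege
```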


 

Root Cause

To resolve this, I used the AAA features of HUAWEI VRP together with NPS (Network Policy Server), a built-in component of Windows Server 2008 R2 and Windows Server 2012.


Combined, these two create a very flexible environment for managing who can access network devices, when, and how. At the same time, Active Directory becomes the central place to grant or deny access to devices and to enforce a specific privilege level.

Suggestions
The HUAWEI AAA module works perfectly with Microsoft NPS and AD.

END