March 1, 2023
Saeed Sheikh is a Cloud and Infrastructure Specialist at Infront Consulting and a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure. Follow Saeed on Twitter at @saeedonweb.
Network Policy Server (NPS) is Microsoft's implementation of a RADIUS server. It performs authentication, authorization, and accounting for network access requests such as remote VPN connections. Network policies, defined by administrators, combine conditions, constraints, and settings to determine who may connect to the network and under what terms.
I was recently involved in reviewing a client's existing VPN solution and then deploying a replacement. Here are some common mistakes I found in how these policies were configured.
This one is so obvious. When setting up your Network Policies for your VPN users, do not select the option "Allow clients to connect without negotiating an authentication method" (it sits under the Authentication Methods constraint of the policy).
The only reason the option exists is to allow basic connectivity testing during deployment without connections being rejected because client and server disagree on an authentication method. Leaving it enabled in production is the equivalent of leaving your front door unlocked: any client that can reach the VPN server can be granted access without presenting credentials at all.
There are various Authentication Methods available to choose from, and it can be overwhelming for new admins to decide which to select. They all have their pros and cons.
To make it easier, let's talk about the ones not to choose. PAP, SPAP, CHAP and MS-CHAP (v1) are all listed under "Less secure authentication methods" in the policy for a reason: they either send the password in a recoverable form or rely on hashes that are cheap to crack once captured, so none of them belong in a production VPN policy.
The strong options are the EAP types, such as Microsoft: Secured password (EAP-MSCHAP v2) or a certificate-based EAP method, and MS-CHAP v2. One caveat a practitioner should keep in mind: a bare MS-CHAP v2 handshake captured on the wire can be cracked offline, and Microsoft Security Advisory 2743314 recommends tunnelling it inside PEAP. Prefer PEAP with EAP-MSCHAP v2, or better still certificate-based EAP-TLS, over MS-CHAP v2 on its own.
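The two mistakes above (unauthenticated access left enabled, and weak authentication methods still selected) are easy to audit from an NPS configuration export rather than by clicking through every policy. The PowerShell script below is an added example for this article, not something the author or Microsoft ships. It assumes the layout that Export-NpsConfiguration (or netsh nps export) produces, where each policy's settings live under RadiusProfiles/Children/<policy>/Properties as repeated msNPAuthenticationType elements, and it assumes the numeric codes follow the IAS SDK authentication-type enum (1 = PAP/SPAP, 2 = CHAP, 3 = MS-CHAP, 4 = MS-CHAP v2, 5 = EAP, 7 = unauthenticated access, 9 and 10 = the password-change variants, 11 = PEAP). Both assumptions are flagged in the code; check them against a real export from your own server before trusting the results. The embedded XML is a constructed sample so the script runs without an NPS server.

```powershell
# Added example (not from the original article): audit an NPS configuration export for
# network policies that still allow unauthenticated access or weak authentication methods.
# ASSUMPTIONS: the export layout mirrors Export-NpsConfiguration output
# (RadiusProfiles/Children/<policy>/Properties/msNPAuthenticationType), and the codes
# follow the IAS SDK enum listed below. Verify both against your own export.
param(
    # Path to a real export, e.g. produced by: Export-NpsConfiguration -Path C:\temp\nps.xml
    # (the export contains RADIUS shared secrets in clear text, so protect and delete it).
    [string]$Path
)

# Assumed IAS SDK authentication-type codes.
$AuthTypeNames = @{
    1 = 'PAP/SPAP'; 2 = 'CHAP'; 3 = 'MS-CHAP'; 4 = 'MS-CHAP v2'; 5 = 'EAP';
    7 = 'Unauthenticated access'; 9 = 'MS-CHAP (password change)';
    10 = 'MS-CHAP v2 (password change)'; 11 = 'PEAP'
}
$WeakAuthTypes   = @(1, 2, 3, 7, 9)   # never acceptable in a production VPN policy
$ReviewAuthTypes = @(4, 10)           # MS-CHAP v2: acceptable only when tunnelled in PEAP

# Constructed sample export (not a real customer export) so the script runs offline.
$SampleXml = @'
<Root>
 <Children>
  <Microsoft_Internet_Authentication_Service name="Microsoft Internet Authentication Service">
   <Children>
    <RadiusProfiles name="RadiusProfiles">
     <Children>
      <VPN_Users_Test name="VPN Users (Test)">
       <Properties>
        <msNPAllowDialin dataType="2">1</msNPAllowDialin>
        <msNPAuthenticationType dataType="0">4</msNPAuthenticationType>
        <msNPAuthenticationType dataType="0">7</msNPAuthenticationType>
       </Properties>
      </VPN_Users_Test>
      <VPN_Users_Prod name="VPN Users (Prod)">
       <Properties>
        <msNPAllowDialin dataType="2">1</msNPAllowDialin>
        <msNPAuthenticationType dataType="0">5</msNPAuthenticationType>
       </Properties>
      </VPN_Users_Prod>
      <Old_Dialin name="Old Dial-in (denied)">
       <Properties>
        <msNPAllowDialin dataType="2">0</msNPAllowDialin>
        <msNPAuthenticationType dataType="0">1</msNPAuthenticationType>
       </Properties>
      </Old_Dialin>
     </Children>
    </RadiusProfiles>
   </Children>
  </Microsoft_Internet_Authentication_Service>
 </Children>
</Root>
'@

function Get-NpsAuthFindings {
    param([xml]$Config)
    # Each RADIUS profile (one per network policy) is a child element of RadiusProfiles/Children.
    foreach ($radiusProfile in $Config.SelectNodes('//RadiusProfiles/Children/*')) {
        $name  = $radiusProfile.GetAttribute('name')
        $allow = $radiusProfile.SelectSingleNode('Properties/msNPAllowDialin')
        if ($allow -and $allow.InnerText -eq '0') { continue }   # policy denies access anyway

        $codes = @($radiusProfile.SelectNodes('Properties/msNPAuthenticationType') |
                   ForEach-Object { [int]$_.InnerText })
        if ($codes.Count -eq 0) {
            [pscustomobject]@{ Policy = $name; Code = $null; Method = 'No authentication methods configured'; Severity = 'High' }
            continue
        }
        foreach ($code in $codes) {
            $severity = $null
            if ($code -eq 7)                          { $severity = 'Critical' }   # the "front door unlocked" option
            elseif ($WeakAuthTypes -contains $code)   { $severity = 'High' }
            elseif ($ReviewAuthTypes -contains $code) { $severity = 'Review: confirm PEAP tunnelling' }
            if ($severity) {
                [pscustomobject]@{
                    Policy   = $name
                    Code     = $code
                    Method   = $AuthTypeNames[$code]
                    Severity = $severity
                }
            }
        }
    }
}

$config   = if ($Path) { [xml](Get-Content -Path $Path -Raw) } else { [xml]$SampleXml }
$findings = @(Get-NpsAuthFindings -Config $config)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No weak authentication methods found in any enabled policy.' }
```

Run without arguments to see the sample findings: the test policy is flagged Critical for code 7 (unauthenticated access) and marked for review on MS-CHAP v2, the production policy that only offers EAP produces nothing, and the denied dial-in policy is skipped even though it lists PAP. Policies that deny access are skipped because their authentication settings never take effect; remove that line if you also want to catch latent misconfigurations in disabled policies.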
The Encryption settings of a network policy determine the minimum encryption strength that will be allowed between the remote client and the network access server. Several strength levels are offered, from a No encryption option up to the strongest the client and server support.
You can select multiple encryption strengths. The server and client negotiate the strongest encryption that both support and then establish the connection.
The actual cipher used depends on the type of VPN connection: the same level selects an MPPE key length for PPTP connections and an IPsec setting for L2TP/IPsec connections.
It is not recommended to use the No Encryption option, as that leaves your traffic readable by anyone positioned on the path between the client and the server. Because the negotiation picks the strongest level both sides support, leaving No Encryption selected alongside stronger levels still allows a client that offers no encryption to connect in the clear, so clear the option entirely rather than relying on clients to negotiate upward.
Network policies for remote VPN users can be confusing, but simple common sense prevails. Never allow anyone onto your network without authentication, always require strong encryption to protect your data from attackers, and enable the most secure authentication methods your clients support.