We're Hiring!
Take the next step in your career and work on diverse technology projects with cross-functional teams.
LEARN MORE
Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions
BLOG
9
13
2018
3.1.2023

Common Mistakes to Avoid When Configuring Network Policies for VPN

Last updated:
9.16.2020
3.1.2023
No items found.

Saeed Sheikh is a Cloud and Infrastructure Specialist at Infront Consulting and a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure. Follow Saeed on Twitter at @saeedonweb.

A Network Policy Server is Microsoft implementation of a RADIUS server that performs authentication, authorization, and accounting for remote VPN connections. Network policies are defined by network administrators to use conditions, settings, and constraints in order to determine who can connect to the network.

I was recently involved in reviewing the existing VPN solution and then deploying another solution for a client. Here are some common mistakes I found made when configuring these policies.
 

Allowing clients to connect without authentication

This one is so obvious. When setting up your Network Policies for your VPN users, do not select the option Allow clients to connect without negotiating an authentication method.

The reason the option is even there is to allow basic testing during deployment without restricting connections due to incorrect Authentication Methods used by client and server. Leaving this option once in production is the equivalent to leaving your front door unlocked.


Using a Less Secure Authentication Method

There are various Authentication Methods available to choose. It can be very overwhelming for new admins which to select. They all have their pros and cons.

To make it easier, let’s talk about the ones not to choose.

Strong options that can be used as an Authentication Method are EAP: MS-CHAP v2 or MS-CHA.


Not Using Enough Encryption

Encryption settings for Network Policy Servers are used to determine the minimum encryption strength that will be allowed between the remote clients and the network access server. The choices are:

You can select multiple encryption strengths. The server and client will negotiate the strongest possible encryption they can both use and then create a connection.

The actual encryption method used will depend on the type of VPN connection.

It is not recommend to use the No Encryption option as that leaves your traffic wide open to attacks.

Conclusion

Network policies for remote VPN users can be confusing, but simple common sense prevails. You should not allow anyone into your network without authentication. Always use strong encryption to protect your data from hackers and be sure to enable the most secure authentication methods possible.

Recent Blog Posts

lunavi logo alternate white and yellow
3.27.2024
03
.
27
.
2024
Utilizing Bicep Parameter Files with ALZ-Bicep

Ready to achieve more efficient Azure Deployments? You can use Bicep parameters instead of JSON which opens new opportunities for deployment. Let Lunavi expert, Joe Thompson, show you how.

Learn more
lunavi logo alternate white and yellow
3.26.2024
03
.
04
.
2024
Anticipating Surges in Cyber Attacks and Bolstering Your InfoSec Defenses in 2024

Learn how to navigate 2024 with the right InfoSec defenses to protect your organization against a rising number of cyber attacks.

Learn more
lunavi logo alternate white and yellow
3.26.2024
01
.
03
.
2024
Microsoft Copilot is Re-Shaping the Innovation Frontier

Microsoft 365 Copilot has been released, and it's changing the way we work. More than OpenAI or ChatGPT, read how Copilot can seamlessly integrate with your workflow.

Learn more