RADIUS Authentication w/ Microsoft NPS- Starter Connection Request Policy?

Hi Andrew and welcome to the UTM Community!

No need to use RADIUS - take a look at Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

Cheers - Bob

Hi Bob,

Thank you for your welcome and suggestion!

Unfortunately, proxy isn't what we're looking for. Was looking to leverage remote-access SSL VPN. But that's good to know when we look toward proxy.

Thanks,

Andrew

SSL VPN Remote Access works like a charm with AD.  Just create a Security Group in AD named, e.g., "SSL VPN", assign members to it and use that Group in a limited Backend Group in 'Users and Groups' in an SSL VPN Profile.  You'll also want to drag that group into 'Groups' in 'Prefetch Directory Users' on the 'Advanced' tab of 'Definitions & Users >> Authentication Services'.

Cheers - Bob
PS Moving this thread to the VPN forum.

If you want to use RADIUS...

It's not just a case of adding NPS services to Windows Server and then pointing UTM at it - you have to configure policies on the NPS control panel in Windows to allow VPN connections  - see https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-nps

Best way to test is to try connecting the VPN - the test tools in UTM/XG can be a bit flakey.  Look at the NPS logs in windows event viewer to see if the connection is being authenticated.

If you want to use RADIUS...

It's not just a case of adding NPS services to Windows Server and then pointing UTM at it - you have to configure policies on the NPS control panel in Windows to allow VPN connections  - see https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-nps

Best way to test is to try connecting the VPN - the test tools in UTM/XG can be a bit flakey.  Look at the NPS logs in windows event viewer to see if the connection is being authenticated.

Thank y'all for your prompt replies :) I failed to include in my initial post I do have test policies in place.

Despite the policies being the most permissive, the Windows NPS logs throw errors 48/49- no applicable policies were found to permit the request received from Sophos.

Connection Request Policy:

* Enabled

* Type of network access server: unspecified

* Conditions: Day and time restrictions- permit all

* Authentication Methods: override network policy authentication settings; all EAP allowed

Network Policy:

* Enabled

* Grant access

* Type of network access server: unspecified

* Conditions: Day and time restrictions - permit all

* Constraints: All EAP types enabled, all Less secure authentication methods enabled except Allow clients to connect without negotiating an authentication method

* Settings: None

As I said, have you tried a real VPN connection, rather than the SOPHOS radius test?

Funny, Andrew, I don't know why I copied that section about the HTTP Proxy from my list of Community Links.  It does address Backend Groups based on AD, but ???

All of my clients that have AD use AD Backend Groups to authenticate SSL VPN Remote Access.  I only recommend RADIUS for IPsec, PPTP and WPA2 Enterprise auth with Wireless Protection - otherwise, it's just a hassle to use this "ancient" (eight+ years older than AD) method that, in essence, rides on top of AD.

Cheers  Bob