Monday, August 5, 2013

How to Setup a SonicWall for RADIUS authentication of multiple groups - Part 1

Recently I had to review our VPN security at work. Originally we were using LDAP authentication against our Active Directory servers, but we needed to set up RADIUS authentication not only for VPN access but also for admin login to the SonicWall.

There are a couple of how-tos from SonicWall on setting up RADIUS authentication, but none that cover how to set up RADIUS authentication for multiple groups correctly. The following how-to covers setting up RADIUS on Windows Server 2008 and the SonicWall.

You will need to install (if not already done) the Network Policy Server (NPS) role and create several Active Directory groups that map to the required levels of access. In my case we created three groups:

VPN Admins - Full access on the VPN and able to administer the SonicWall
VPN Full Access - Full access on the VPN
VPN Restricted Access - Limited to Email and SharePoint servers

1.) Create a new RADIUS client in NPS. Enter a Friendly Name, the firewall's IP address, and a shared secret.

2.) Create a new Network Policy. Leave the network access server type as Unspecified.
3.) Add a new condition - Windows Groups. Start with the group VPN Full Access.
4.) Add a second condition - Client IPv4 Address, set to the firewall's IP address.

5.) Configure the authentication methods. Select MS-CHAP v2 and MS-CHAP. If you want users to be able to change their password from the VPN client, select the option that allows users to change their password after it has expired.

6.) Under RADIUS Attributes, add an additional standard RADIUS attribute - Filter-ID. The Filter-ID value needs to be set to exactly the same name as the group created in Active Directory (VPN Full Access); the SonicWall uses this value to place the authenticated user into the matching local group.

Repeat steps 2 through 6 for each group being added to the firewall.
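The mechanism the steps above rely on is that NPS returns the Filter-Id attribute (RFC 2865 type 11) inside the RADIUS Access-Accept, and the firewall reads that string to pick the user's group. The following added example (my own code, not SonicWall's or Microsoft's) builds such an Access-Accept and shows the check a RADIUS client performs before trusting it: the Response Authenticator must validate against the shared secret, otherwise the Filter-Id is ignored. The secret, request authenticator and packet identifier are constructed placeholder values.

```python
import hashlib
import struct

FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)
ACCESS_ACCEPT = 2   # RADIUS packet code

def encode_attrs(attrs):
    """Encode [(type, bytes)] as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept as NPS would send it. Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_and_extract_filter_ids(packet, request_auth, secret):
    """Firewall-side check: validate the Response Authenticator, then return the
    Filter-Id strings that map to groups. Returns None if the reply is not trustworthy."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # wrong shared secret, or the reply was altered in transit
    groups, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute, reject the whole reply
        if attr_type == FILTER_ID:
            groups.append(packet[pos + 2:pos + attr_len].decode("utf-8"))
        pos += attr_len
    return groups

# Constructed sample values (placeholders, not real credentials)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
ACCEPT = build_access_accept(7, REQ_AUTH, SECRET, [(FILTER_ID, b"VPN Full Access")])

if __name__ == "__main__":
    print(verify_and_extract_filter_ids(ACCEPT, REQ_AUTH, SECRET))    # ['VPN Full Access']
    print(verify_and_extract_filter_ids(ACCEPT, REQ_AUTH, b"wrong"))  # None
```

Because the firewall matches the returned string against its local group name, a trailing space or different capitalisation in the Filter-ID value is enough for the user to land in no group at all.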