ITF (FC0-U61) Skills Lab: Manage User Authentication with RADIUS

Exercise 1: Install and Configure NPS and RRAS


Task 1: Add Network Policy Server Feature

  1. Connect to the Domain Member Virtual Machine

    • Log in to Windows Server 2019 with the provided credentials.
  2. Install Network Policy Server (NPS)

    • Open Windows PowerShell as Administrator.
    • Run the following command:
      Install-WindowsFeature NPAS -IncludeManagementTools
    • Allow the installation to complete.
    • Minimize PowerShell before proceeding.

Task 2: Configure Network Policy Service

  1. Open Server Manager

    • Navigate to Tools > Network Policy Server.
  2. Add a New RADIUS Client

    • In the left pane, expand RADIUS Clients and Servers.
    • Right-click RADIUS Clients and select New.
    • Fill out the fields:
      • Friendly Name: Provided in Lab
      • Address (IP or DNS): Provided in Lab
      • Shared Secret: Provided in Lab
    • Click Verify, then Resolve, then OK.
    • Click OK to close the New RADIUS Client window.

Task 3: Modify NPS Log Type and Frequency

  1. Open NPS Accounting Settings

    • In Network Policy Server, select Accounting in the left pane.
    • Click Change Log File Properties.
  2. Modify Log File Properties

    • In the Log File tab:
      • Change Format to IAS (Legacy).
      • Change Create a new log file from Monthly to Daily.
    • Click OK.
  3. Close All Open Windows Related to NPS.


Task 4: Address Windows Server 2019 NPS Bug

  1. Open PowerShell as Administrator.

  2. Switch to Command Line Mode

    • Run:
      cmd
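    • Notice the prompt change from PS C:\Users\Administrator to C:\Users\Administrator. The working directory is the same; only the shell has changed. In Windows PowerShell, sc is an alias for Set-Content, so the sc command in the next step must be run from cmd.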
  3. Run NPS Fix Commands

    • Execute:
      sc sidtype IAS unrestricted
      shutdown /r /t 0
    • The system will restart immediately.

Task 5: Add PLABSA01 to Domain

  1. Connect to the Standalone Server Virtual Machine

    • Log in with provided credentials.
  2. Join the Server to the Domain

    • Open PowerShell as Administrator.
    • Run the command:
      Add-Computer -DomainCredential labs\administrator -DomainName domain_name_here.com
    • Enter credentials when prompted.
  3. Restart the Server

    • Run:
      shutdown /r /t 0
    • The system will restart immediately.

Task 6: Prepare the VPN Interface

  1. Reconnect to the Standalone Server.

  2. Configure a Static IP Address

    • Open PowerShell as Administrator and run:
      New-NetIPAddress -InterfaceAlias "Ethernet1" -IPAddress 192.168.0.30 -PrefixLength 24
  3. Set DNS Server

    • Run:
      Set-DNSClientServerAddress -InterfaceAlias "Ethernet1" -ServerAddresses "192.168.0.1"
  4. Keep PowerShell Open for Next Task.


Task 7: Install VPN and Routing Features

  1. Remain on the Standalone Server.
  2. Install VPN & Routing Services
    • In PowerShell, run:
      Install-WindowsFeature DirectAccess-VPN,Routing -IncludeManagementTools
    • Allow the installation to complete.

Task 8: Initialize Routing and Remote Access

  1. Open Server Manager

    • Navigate to Tools > Routing and Remote Access.
  2. Enable Routing and Remote Access

    • Right-click the local node and select Configure and Enable Routing and Remote Access.
  3. Use the Routing and Remote Access Wizard

    • Select Remote access (dial-up or VPN) > Next.
    • Choose VPN > Next.
    • Select Ethernet1 and uncheck Enable security on the selected interface > Next.
    • Select From a specified range of addresses > Next.
    • Click New..., enter the IP range > OK > Next.
    • Select Yes, set up this server to work with a RADIUS server > Next.
    • Enter the Primary RADIUS server and Shared Secret > Next.
    • Review the settings and click Finish.
  4. Confirm Configuration

    • If prompted about Windows Firewall, acknowledge the message.
    • If prompted to Wait for initialization, allow the process to complete.
  5. Configure RADIUS Authentication & Accounting

    • Right-click the local node > Properties > Security Tab.
    • Under Authentication provider, click Configure > Edit.
    • Ensure Always use message authentication is checked > OK.
    • Under Accounting provider, click Configure > Edit.
    • Ensure Send RADIUS Accounting On and Off messages is checked > OK.
    • Click OK to exit the Properties window.
  6. Minimize the Routing and Remote Access Window.


Exercise 2: Prepare VPN Server and Client


Task 1: Modify VPN Port Properties

  1. Open Routing and Remote Access.
  2. Right-click Ports > Properties.
  3. Configure WAN Miniport (PPTP).
    • Check Remote access connections (inbound only).
    • Uncheck Demand-dial routing connections (inbound and outbound).
    • Assign VPN IP Address (Provided in Lab).
    • Click OK.

Task 2: Enable VPN Ports on the Server Firewall

  1. Open Windows Defender Firewall with Advanced Security.

  2. Enable the Following Inbound Rules:

    • Routing and Remote Access (GRE-In)
    • Routing and Remote Access (L2TP-In)
    • Routing and Remote Access (PPTP-In)
    • Secure Socket Tunneling Protocol (SSTP-In)
  3. Close the Firewall Window.


Task 3: Grant VPN Dial-In Permission

  1. Open Active Directory Users and Computers.
  2. Right-click Administrator > Properties > Dial-in tab.
  3. Select Allow Access > OK.

Task 4: Create a VPN Client Connection

  1. Open Network & Internet Settings.
  2. Select Network and Sharing Center > Set up a new connection.
  3. Choose Connection to a Workplace > Use My Internet Connection (VPN).
  4. Enter VPN Address & Destination Name (Provided in Lab) > Create.

Task 5: Test VPN Connectivity

  1. Connect to VPN and enter credentials.
  2. Verify Connection Status > Check Details.
  3. Disconnect the VPN.

Exercise 3: Interpret NPS Logs


Task 1: Install IAS Log Viewer

  1. Extract and Install IAS Viewer from C:\Tools.
  2. Run through the Installation Wizard.

Task 2: Examine NPS Logs

  1. Open IAS Log Viewer.
  2. Load Log Files > Select IN24501 > Open.
  3. Review Connection & Record Details.
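
The same review can be scripted. The PowerShell below is an added example, not part of the lab or of the IAS Log Viewer: it parses IAS (Legacy) records, the format selected in Exercise 1 Task 3, and counts rejected authentications per user. The function name, the sample records and the names NPS01 and jsmith are constructed for illustration, and values are assumed to contain no embedded commas.

```powershell
# Added example, not lab code. IAS (Legacy) records are comma-separated:
# six fixed fields, then attribute-ID,value pairs.
# Attribute IDs used here (Microsoft IAS log format reference):
#   4128 Client-Friendly-Name, 4136 Packet-Type, 4142 Reason-Code (0 = success)
$PacketTypes = @{ '1' = 'Access-Request'; '2' = 'Access-Accept'
                  '3' = 'Access-Reject';  '4' = 'Accounting-Request' }

function ConvertFrom-IasLogLine {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    process {
        $f = $Line.Trim() -split ','          # assumes no commas inside values
        if ($f.Count -lt 6) { return }        # skip blank or truncated lines
        $attrs = @{}
        for ($i = 6; $i + 1 -lt $f.Count; $i += 2) { $attrs[$f[$i]] = $f[$i + 1] }
        $type = [string]$attrs['4136']        # empty string if the attribute is absent
        [pscustomobject]@{
            NasIp      = $f[0]                # NAS-IP-Address
            User       = $f[1]                # User-Name
            Time       = "$($f[2]) $($f[3])"  # Record-Date and Record-Time
            NpsServer  = $f[5]                # Computer-Name
            Client     = $attrs['4128']
            PacketType = $PacketTypes[$type]
            ReasonCode = $attrs['4142']
        }
    }
}

# Constructed sample records (NPS01 and jsmith are made-up names).
$sample = @'
192.168.0.30,LABS\administrator,03/14/2024,10:15:02,IAS,NPS01,4128,PLABSA01,4136,1,4142,0
192.168.0.30,LABS\administrator,03/14/2024,10:15:02,IAS,NPS01,4128,PLABSA01,4136,2,4142,0
192.168.0.30,LABS\jsmith,03/14/2024,10:16:40,IAS,NPS01,4128,PLABSA01,4136,3,4142,16
192.168.0.30,LABS\jsmith,03/14/2024,10:16:52,IAS,NPS01,4128,PLABSA01,4136,3,4142,16
192.168.0.30,LABS\jsmith,03/14/2024,10:17:05,IAS,NPS01,4128,PLABSA01,4136,3,4142,16
'@ -split '\r?\n'

# Rejected authentications per user and reason code (16 = bad user name or password).
$sample | ConvertFrom-IasLogLine |
    Where-Object PacketType -eq 'Access-Reject' |
    Group-Object User, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On the NPS server, replace $sample with the real log, for example:
#   Get-Content "$env:SystemRoot\System32\LogFiles\IN*.log" | ConvertFrom-IasLogLine
# (default NPS log directory assumed; adjust if the Log File tab shows another path)
```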

Completion

You have successfully completed the Manage User Authentication with RADIUS lab!
