Is it possible to set up local users on Windows NPS without using Active Directory?

Asked By TechnoWizard42 On

Hey everyone! I'm working on a project where we need to set up RADIUS authentication for network device admins. We've got a Network Policy Server (NPS) running on a virtual machine under the customer's domain, but they don't want us to use their Active Directory for user management. Instead, they're insisting on having a local user setup on that VM. I've done some research and it seems like I might not be able to create local users directly for NPS since it typically requires registration with an AD. I'm aware that one solution would be to create a local AD on the VM and register the NPS there, but this poses a security risk as the VM is still within their AD. Any thoughts on how to work around this?

3 Answers

Answered By VirtualTechie On

Another option is to make this single VM a domain controller for a completely new domain. Layering NPS on top of AD shouldn't be an issue at all. However, for this particular case, I'm thinking it might be worth exploring a different RADIUS server if that’s feasible. Setting up config files might not be for everyone, though.

QuickTechFix -

Thanks for the suggestion! I'll definitely consider it.

Answered By SystemAdminGuru On

You can actually create local users on the NPS server! The NPS can utilize its local Security Accounts Manager (SAM) database rather than needing an Active Directory. Just make sure you remove the NPS from the AD setup if you go this route.

LocalUserFan -

So just to clarify, the SAM database is for local users on the machine where NPS is hosted, right? This means we can set up RADIUS with these local users for authentication and authorization. Thanks for the tip!
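A sketch of the local-SAM approach described in the answer above, added here as an example and not posted by anyone in the thread. The group, user and RADIUS client names and the 192.0.2.10 address are assumptions chosen for illustration; it uses the built-in LocalAccounts and NPS PowerShell modules on the NPS VM.

```powershell
#Requires -RunAsAdministrator
# Assumed names (not from the thread); 192.0.2.10 is a documentation address.
$GroupName  = 'NetDevice-Admins'
$UserName   = 'netadmin01'
$ClientName = 'core-sw-01'
$ClientAddr = '192.0.2.10'

# Local group that an NPS network policy can match on instead of an AD group.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName `
        -Description 'RADIUS-authenticated network device admins' | Out-Null
}

# Local SAM account. The password is prompted for, never stored in the script.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $UserName" -AsSecureString
    New-LocalUser -Name $UserName -Password $pw `
        -Description 'Network device admin (RADIUS only)' | Out-Null
}

# Group membership is what the policy evaluates, so add the user only once.
if (-not (Get-LocalGroupMember -Group $GroupName -Member $UserName `
          -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
}

# Register the network device as a RADIUS client with a random 256-bit secret.
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $ClientName)) {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = [Convert]::ToBase64String($bytes)
    New-NpsRadiusClient -Name $ClientName -Address $ClientAddr `
        -SharedSecret $secret | Out-Null
    # Shown once so it can be entered on the device; keep it out of logs.
    Write-Host "Shared secret for ${ClientName}: $secret"
}

# Review who can authenticate through this group and where the account lives.
Get-LocalGroupMember -Group $GroupName |
    Select-Object Name, ObjectClass, PrincipalSource
```

The script stops short of the network policy itself, which still has to be created in NPS with a condition that matches the local group.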

Answered By NetEngExpert On

Have you considered setting up a Read Only Domain Controller (RODC) on the NPS server? This way, you can register the NPS server with the customer's Active Directory, but the MSP only gets read-only access to the RODC, which might alleviate their security concerns. Just a thought!

SecuritySavvy -

That's an interesting solution! So the RODC would hold a cache of certain groups from the AD, and we could register the NPS with it? That could actually work out well for us!
