Mideye Server users in Active Directory can change an expired password during the logon process, inside the RADIUS dialogue. A password counts as expired when the account flag "User must change password at next logon" is set, or when its expiration date lies before the time of the login.

Requirements:
Configure the address, port and shared secret of the NPS in Mideye Server.
For the password change to work, you must also configure the Network Policy Server to allow password change.

MS-CHAP-V2

For a password change to be possible, the RADIUS client (or an aggregator such as Citrix NetScaler or Cisco ASA) must initiate the authentication with the MS-CHAP v2 protocol. Mideye Server detects the authentication protocol automatically. When MS-CHAP v2 is used, Mideye Server validates the credentials through the configured NPS.

Requirements & prerequisites

A Mideye Server (4.3.0 or higher) is required. If the NPS is installed on a separate machine, the firewall must allow UDP/1812 (default) traffic in both directions between the Mideye Server and the NPS. By default both the Mideye Server and the NPS listen on UDP/1812, so if they run on the same server one of them has to move to another port. We recommend moving the NPS, since the Mideye Server normally serves more than one RADIUS client.

Install the NPS role

From the Server Manager, click "Add Roles and Features". Select "Role-based or feature-based installation". Select the destination server for the feature. Select "Network Policy and Access Services", add the required features, click "Next" and then "Install".

Configure the NPS server

Once the installation is completed, open the Network Policy Server console. The first time, you need to register the NPS in your domain: right-click NPS at the top of the tree and choose "Register server in Active Directory". To change the UDP port of the NPS, right-click NPS and choose "Properties". UDP/1812 is used by default; change it to another UDP port if the NPS is installed on the same machine as your Mideye Server.

Add a new RADIUS client

The next step is to add your Mideye Server as a RADIUS client. Expand "RADIUS Clients and Servers", right-click "RADIUS Clients" and choose "New". Give your Mideye Server a friendly name, its IP address and a shared secret. This shared secret must be identical on your Mideye Server.

Create a new Network Policy

Expand "Policies", right-click "Network Policies" and click "New". Add a Windows group that contains all users who should be allowed to use the service. Select "Access granted". Make sure that both MS-CHAP and MS-CHAP-V2 are checked and that both authentication methods allow users to change their password. Click "Next", "Next" and then "Finish".

Configure Mideye Server to communicate with NPS

On your Mideye Server, open the configuration tool. Select the "LDAP Servers" tab and modify the existing LDAP server used by your remote solution. Click the "NPS" tab and enter the IP address of your NPS server. Change the UDP port so that it matches the port configured on the NPS server, and enter the same shared secret as on the NPS server. The last step is to enable password changes on the Mideye Server: click the "Active Directory" tab and check "Allow Password Reset" and "Allow Password Expired".

Change your remote solution to use MS-CHAP

For instructions on how to enable this for Cisco AnyConnect and Citrix NetScaler, click the respective link. For other solutions, contact your vendor on how to enable MS-CHAP-V2.

What is the default setting for network access permission?
When you add a new network policy to the Network Policy Server (NPS) configuration, the default value of Access Permission is "Deny access", and the default value of "Ignore user account dial-in properties" is false (not selected).
What is control access through NPS network policy?
Access permission is configured on the Overview tab of each network policy in Network Policy Server (NPS). This setting allows you to configure the policy to either grant or deny access to users if the conditions and constraints of the network policy are matched by the connection request.

How are network connection request policies processed by NPS?
NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that are configured as members of remote RADIUS server groups.

What is Network Policy Server (NPS), and when should it be implemented on a given network?
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.
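In the MS-CHAP v2 dialogue described in the password-change section above, the server signals an expired password to the RADIUS client in an MS-CHAP-Error attribute (the "E=... R=... C=... V=... M=..." string of RFC 2759 section 6, carried as a Microsoft Vendor-Specific attribute per RFC 2548), and the client may only continue with the change-password step when that attribute says so. The following Python example is added here and is not Mideye's or Microsoft's code: it encodes and parses that attribute so a RADIUS test tool or proxy can verify that a reject really offers a password change; the sample reject and the challenge value are constructed.

```python
import re
import struct
from dataclasses import dataclass

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
MS_VENDOR_ID = 311            # Microsoft (RFC 2548)
MS_CHAP_ERROR = 2             # Vendor-Type of MS-CHAP-Error (RFC 2548)
ERROR_PASSWD_EXPIRED = 648    # RFC 2759 section 6 (691 = authentication failure)
# "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>" (RFC 2759 section 6)
_ERR_RE = re.compile(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$")

@dataclass
class MsChapError:
    ident: int            # matches the Ident of the rejected MS-CHAP2-Response
    code: int
    retry_allowed: bool
    challenge: bytes      # fresh 16-byte challenge for the change-password step
    version: int          # password-change protocol version; 3 for MS-CHAP v2
    message: str

    def password_change_offered(self) -> bool:
        # Only an expired-password error with version 3 permits a Change-Password exchange.
        return self.code == ERROR_PASSWD_EXPIRED and self.version == 3

def encode_mschap_error(ident, code, retry_allowed, challenge, version, message=""):
    """Build the RADIUS Vendor-Specific attribute that carries MS-CHAP-Error."""
    text = f"E={code} R={int(retry_allowed)} C={challenge.hex().upper()} V={version}"
    if message:
        text += f" M={message}"
    payload = bytes([ident]) + text.encode("ascii")
    vendor = bytes([MS_CHAP_ERROR, 2 + len(payload)]) + payload   # Vendor-Length
    body = struct.pack("!I", MS_VENDOR_ID) + vendor
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body  # attribute Length

def parse_mschap_error(attr: bytes) -> MsChapError:
    """Parse an MS-CHAP-Error attribute; raises ValueError on anything else."""
    if len(attr) < 9 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != MS_VENDOR_ID or attr[6] != MS_CHAP_ERROR or attr[7] != len(attr) - 6:
        raise ValueError("not an MS-CHAP-Error attribute")
    text = attr[9:].decode("ascii", errors="replace")
    m = _ERR_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MS-CHAP-Error string: {text!r}")
    return MsChapError(attr[8], int(m.group(1)), m.group(2) == "1",
                       bytes.fromhex(m.group(3)), int(m.group(4)), m.group(5) or "")

# Constructed sample: the reject an NPS would send for an expired password.
SAMPLE_EXPIRED = encode_mschap_error(1, ERROR_PASSWD_EXPIRED, True,
                                     bytes.fromhex("00112233445566778899AABBCCDDEEFF"), 3, "Password expired")
```

A plain authentication failure (E=691) parses the same way but never reports a password change on offer, which is the case to watch for when the NPS policy does not allow users to change their password.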