How to set up Remote VPN access using Windows Radius Server and Unifi USG/Controller

Prerequisites:
Windows Server 2012 or newer
Domain Controller Services running
Unifi USG (Pro, XG or 3P)
Administrative Access to Windows Domain

Installing Network Policy Server/RADIUS on Server
1. Log in to the Windows Server you would like to function as the RADIUS authentication server.
2. Open Server Manager > Manage > Add Roles and Features, select Network Policy and Access Services to install, click Next and complete the install. Ensure the Management Tools are installed as well.
3. In Server Manager go to Tools > Network Policy Server.
4. Right click NPS (Local) and ensure the server is registered in Active Directory and the service is started.
Creating a Security Group for VPN Domain Users
1. Navigate to your Active Directory Users and Computers tool.
2. Create a new Security group with a friendly name (VPN Remote Users).
3. Add the users that you want to have access to the VPN connection to this group.

Adding the USG Router as a RADIUS Client
1. Right click RADIUS Clients and select New.
2. Fill in a Friendly name for the connection (USGRouter).
3. Fill in the LAN IP Address of the USG Router (in this case, 192.168.0.1).
4. Create a manual shared secret of less than 64 characters. I used a generated secret and got an error on the controller as the key was too long. I've stuck with a 24 character key now and it seems to take it. Not currently sure of the max characters it likes.
5. Save this Shared Secret in a documented location for later.
6. Click OK. You should see your connection to the USG router listed now.
Adding the Network Policy to Limit Access to a Security Group
1. Right click Network Policies under Policies, and select New.
2. Give it a friendly name, e.g. VPN Remote Users.
3. Click Next.
4. Select Add, then User Groups, then search for the Security group you made earlier (VPN Remote Users). Click Next.
5. Click Next again after ensuring Access Granted is selected.
6. Uncheck MS-CHAP and leave only the top two boxes checked. Click Next.
7. Leave all defaults on Configure Constraints and click Next.
8. Leave all defaults on Configure Settings EXCEPT navigate to Encryption and uncheck all but the strongest encryption. Click Next.
9. Review the final screen, then click Finish.
10. Right click your new policy in the list and move it up until it is processed as the first policy.

Configuring the Controller/USG Router connection
1. Log in to the Unifi Controller and navigate to Settings > Networks > Create a New Network.
2. Give it a friendly name (VPN Remote Users).
3. Select Remote User VPN as the Purpose.
4. Select L2TP Server.
5. Set a new Pre-Shared Key that is DIFFERENT from the one you used before. This one is the key you will be giving to your users to connect to the VPN.
6. Enter a Gateway/Subnet that is not already in use (192.168.2.1/24, for example).
7. Leave Name Server as Auto (unless you would like to set DNS servers).
8. Click Create New Radius Profile.
9. Give it a Friendly Name.
10. Enter the IP address of the Network Policy Server we configured earlier.
11. Enter the Shared Secret we used earlier that you saved (you saved this, right?).
    Click Save.
12. Click Save again after reviewing your settings.

Adding the VPN to your Windows 10 Machine
1. Click your Network Adapter (Wireless or Wired) in the bottom corner of your taskbar.
2. Click Network & Internet Settings.
3. Click VPN, then Add a VPN Connection.
4. Give the connection a friendly name (e.g. Work).
5. Enter the Public IP address or vanity domain name you have pointed to your public IP address. To check the public IP address your USG router is using, navigate to Settings > Networks > WAN and click Edit.
6. Change the VPN type to L2TP/IPsec with pre-shared key.
7. Enter the Pre-Shared Key you set at step 5 in the prior section. This is the one the users enter to connect.
8. Fill in the Username and Password of a domain user that has been added to the Security Group we made earlier, e.g. domain\vpnuser.
9. Attempt to connect to the VPN.
10. Rejoice as it works!

Some things that caught me up during this:
Moving my Network Policy to be processed first
Not using L2TP as the connection method
I had honestly been entering the wrong Public IP for a little bit, always double check your typing
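The server-side steps above (install NPS, register it in Active Directory, create the security group, add the USG as a RADIUS client with a shared secret under 64 characters) as one PowerShell script. This is an added example, not code from the original guide; it assumes the guide's names (VPN Remote Users, USGRouter, 192.168.0.1), a hypothetical user account vpnuser, an elevated session on the NPS server, and that the network policy is still created in the NPS console as described above.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# on the server that will act as NPS. Names match the guide; "vpnuser" is a
# hypothetical account and the NPAS feature name may differ by Server version.

$GroupName  = 'VPN Remote Users'   # security group from the guide
$ClientName = 'USGRouter'          # RADIUS client friendly name
$ClientIP   = '192.168.0.1'        # LAN IP of the USG (per the guide)
$Members    = @('vpnuser')         # hypothetical domain user(s) to allow

# 1. Install Network Policy and Access Services plus the management tools
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# 2. Register NPS in Active Directory so it can read user account properties
#    (same as "Register server in Active Directory" in the NPS console)
netsh ras add registeredserver | Out-Null

# 3. Create the security group (if missing) and add the allowed users
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 4. Generate the shared secret: 18 random bytes -> 24 Base64 characters,
#    the length the guide found the controller accepts (a longer generated
#    key was rejected). Enforce the "less than 64 characters" limit anyway.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Secret = [Convert]::ToBase64String($bytes)
if ($Secret.Length -ge 64) { throw 'Shared secret must be under 64 characters' }

# 5. Add the USG as a RADIUS client in NPS
Import-Module NPS
New-NpsRadiusClient -Name $ClientName -Address $ClientIP -SharedSecret $Secret | Out-Null

# 6. Verify the client exists, then show the secret once so it can be stored
#    in your documented location and entered in the controller's RADIUS profile
Get-NpsRadiusClient -Name $ClientName | Format-List Name, Address
Write-Host "Shared secret for $ClientName (record this now): $Secret"
```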