Loading ...

Month: May 2017

Ubiquiti USG Remote User VPN RADIUS Authentication

The following steps will setup Windows Server 2012 R2 RADIUS authentication via Network Policy Server (NPS) with your Ubiquiti UniFi Security Gateway (USG) for a USG Remote User VPN. This will allow users to use their current Active Directory Domain Services (AD DS) credentials to authenticate to the Virtual Private Network (VPN).

I am using the UniFi controller version 5.4.14 hosted in Microsoft Azure on a Linux Server with PostFix for alerting.

Step 1: Configure Windows NPS Server

  1. From the Server Manager Dashboard, install the Network Policy and Access Server role using Add Roles and Features accepting all defaults.
  2. Once installed,  open the Network Policy Server Administrator Tool. Expand the RADIUS Clients and Servers, then right Click on RADIUS Clients and click New.
    USG Remote User VPN - Create New RADIUS Client
  3. Give the USG router a Friendly Name. Type in the IP Address of the inside interface of the USG on the same network as the Windows Server. (This is the IP that the RADIUS requests will come from.) Click the Generate radio button, then click the generate button. Copy this Shared Secret to be pasted later. Click OK. USG Remote User VPN - Create New RADIUS Client
  4. In the Network Policy Server window, expand Policies, right click on Network Policies, and then click New.
    USG Remote User VPN - Create New Network Policy
  5. Enter a policy name and leave Type of Network Access Server as Unspecified. Click on Next.
    USG Remote User VPN - Create New Network Policy
  6. In Specify Conditions click Add.. and then select Windows Group, and pick the AD Group you want to use to allow VPN access.  (If you have not already then you will need to add all users who will be accessing the VPN into a seperate group.) Click Add… then Add Groups… which brings up the typical AD search box. Type in the name of the VPN Windows Group and click on OK. Click OK again. Click on Next
    USG Remote User VPN - Create New Network Policy
  7. Leave the Specify Access Permissions at the defaults (Access Granted, Dial-in box unchecked). Click Next.
  8. Uncheck all authentication methods other than MS-CHAPv2. Click on Next.
    USG Remote User VPN - Create New Network Policy
  9. Accept the defaults under Configure Constraints. Click Next.
  10. Leave all setting at the default on this page except for under Encryption. Uncheck everything except for MPPE 128-bit. Click Next.USG Remote User VPN - Create New Network Policy
  11. Check your settings on the last page. Click Finish.
    USG Remote User VPN - Create New Network Policy
  12. Finally, move the new policy above the two default policies in the list by right clicking and choosing Move  Up.

Step 2: Configure the USG Remote User VPN

  1. To create the remote access network, in the UniFi controller, go to Settings, then Networks, and click Create New Network, give the network a name and select Remote User VPN.
    USG Remote User VPN - Network Setup
  2. Fill in the appropriate Gateway/Subnet information for your environment. Make sure it is not the same as any of your current networks.
  3. Add Manual DNS servers, if required for your environment.
  4. Click on Create New RADIUS Profile.
  5. Give the Profile a name, enter in the IP address of the Windows Server 2012 R2 server that will be used for RADIUS authentication and paste in the generated shared secret.USG Remote User VPN - Create New RADIUS Profile
  6. Click Save. Click on Save again.

This allows easy access from Windows default VPN connections to network assets behind the USG device.

If your company is currently using a Ubiquiti USG device and need a Remote User VPN setup, then contact us for assistance.

WannaCry Ransomware Spread Halted by Webroot

Webroot & WannaCry Ransomware

WannaCry Ransomware: Webroot protects you.

Ransomware attacks continue to spread around the world this weekend, after the initial damage inflicted on healthcare organizations in Europe on Friday.

The criminals responsible for exploiting the Eternal Blue flaw haven’t yet been identified, but up to 100 countries have hit with WannaCry ransomware, with Russia, Ukraine and Taiwan among the top targets.

The ransomware first appeared in March, and is using the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers.  The initial spread of the malware was through email, including fake invoices, job offers and other lures with a .zip file that initiates the WannaCry infection.  The worm-like Eternal Blue can exploit a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution.  This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy technology like XP.

What’s New

Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003.

Overnight and today, it has become clear that a  kill switch was included in the code.  When it detects a specific web domain exists—created earlier today—it halts the spread of malware.  You can learn more at The Register.

As a Webroot customer, are you protected?  YES.

Webroot SecureAnywhere  does currently protect you from WannaCry ransomware.

In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before.  It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot SecureAnywhere as part of a strong endpoint control strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

If you have any questions about your Webroot deployment, reach out to our Support Team now.

And, if you are not a Webroot customer, we encourage you to trial Webroot SecureAnywhere now.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2023- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]
And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10