The following steps will setup Windows Server 2012 R2 RADIUS authentication via Network Policy Server (NPS) with your Ubiquiti UniFi Security Gateway (USG) for a USG Remote User VPN. This will allow users to use their current Active Directory Domain Services (AD DS) credentials to authenticate to the Virtual Private Network (VPN).
I am using the UniFi controller version 5.4.14 hosted in Microsoft Azure on a Linux Server with PostFix for alerting.
Step 1: Configure Windows NPS Server
- From the Server Manager Dashboard, install the Network Policy and Access Server role using Add Roles and Features accepting all defaults.
- Once installed, open the Network Policy Server Administrator Tool. Expand the RADIUS Clients and Servers, then right Click on RADIUS Clients and click New.
- Give the USG router a Friendly Name. Type in the IP Address of the inside interface of the USG on the same network as the Windows Server. (This is the IP that the RADIUS requests will come from.) Click the Generate radio button, then click the generate button. Copy this Shared Secret to be pasted later. Click OK.
- In the Network Policy Server window, expand Policies, right click on Network Policies, and then click New.
- Enter a policy name and leave Type of Network Access Server as Unspecified. Click on Next.
- In Specify Conditions click Add.. and then select Windows Group, and pick the AD Group you want to use to allow VPN access. (If you have not already then you will need to add all users who will be accessing the VPN into a seperate group.) Click Add… then Add Groups… which brings up the typical AD search box. Type in the name of the VPN Windows Group and click on OK. Click OK again. Click on Next
- Leave the Specify Access Permissions at the defaults (Access Granted, Dial-in box unchecked). Click Next.
- Uncheck all authentication methods other than MS-CHAPv2. Click on Next.
- Accept the defaults under Configure Constraints. Click Next.
- Leave all setting at the default on this page except for under Encryption. Uncheck everything except for MPPE 128-bit. Click Next.
- Check your settings on the last page. Click Finish.
- Finally, move the new policy above the two default policies in the list by right clicking and choosing Move Up.
Step 2: Configure the USG Remote User VPN
- To create the remote access network, in the UniFi controller, go to Settings, then Networks, and click Create New Network, give the network a name and select Remote User VPN.
- Fill in the appropriate Gateway/Subnet information for your environment. Make sure it is not the same as any of your current networks.
- Add Manual DNS servers, if required for your environment.
- Click on Create New RADIUS Profile.
- Give the Profile a name, enter in the IP address of the Windows Server 2012 R2 server that will be used for RADIUS authentication and paste in the generated shared secret.
- Click Save. Click on Save again.
This allows easy access from Windows default VPN connections to network assets behind the USG device.
If your company is currently using a Ubiquiti USG device and need a Remote User VPN setup, then contact us for assistance.
Buddy, thank you SO much for making this. I was having a lot of trouble getting this going for one of my clients and your guide made short work of getting it fixed. I really, really appreciate you putting this together. I know a lot of people don’t take the time to say, ‘you helped with this’, I didn’t want to be one of them. Thank you.
Christian
I cannot thank you enough for this guide – you helped me get this deployed for our own network and a few customers of mine. They (and I) are thrilled with how well this works. Thank you!!
Had to set this up for a Ruckus Wifi network once – this is so much easier, I was looking for all the hard parts. Now to get the controller to adopt the damn USG
I have had difficulty getting USG adopted before. The quickest way is to reset the USG to defaults then login to the console via SSH. Once in run a set-inform command to the controller, click Adopt, and then go back to the console and run the set-inform again.
YUP MAJOR Props
I burnt through a few guides but this one had the missing Key Move the Policy UP LOL
This worked well once it was set up. Something over the past week, users started reporting a “The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations ubiquiti radius” error when trying to connect.
On our UDM, we have a Local WAN IP set with an external address which resolves to a hostname for our employees. This IP/hostname is not pingable from the outside internet. Any ideas on how to make it reachable from the outside again?
Windows 10 users and administrators report problems making L2TP VPN connections after installing the recent Windows 10 KB5009543. Uninstall this update to restore connectivity and block this update to keep it.
Found an article that shows that Ubiquiti Unifi L2TP VPN and Windows 2019 RADIUS do not play nice until you run the following command from an elevated command prompt:
sc sidtype IAS unrestricted
Have to restart NPS too.