Configure RADIUS authentication - Learn Tech From Zero

2.2 Point-to-Site (P2S) VPN Connectivity

Before diving into RADIUS, a quick refresher on P2S VPNs:

A Point-to-Site (P2S) VPN allows individual clients (like laptops or workstations) to securely connect to an Azure Virtual Network (VNet) over the internet.
Unlike Site-to-Site VPNs (which connect entire networks), P2S VPN is for remote users.
P2S VPNs use authentication methods to verify who can connect. One of these methods is RADIUS authentication.

RADIUS (Remote Authentication Dial-In User Service) is a protocol that helps validate users trying to connect to a network.

It is centralized: one server handles authentication for multiple clients.
Works in environments where you already have a user directory, like Active Directory (AD).
Provides two main functions:
1. Authentication – checks if the username and password are correct.
2. Authorization – checks if the user has permission to connect.

In Azure P2S VPN context:

The Azure VPN Gateway uses RADIUS to check if a connecting client is allowed.
You need a RADIUS server that communicates with your VPN Gateway.

Can be Windows Server with Network Policy Server (NPS) role installed.
Should be on a network reachable by Azure VPN Gateway (either on-premises network or in a VNet with VPN connectivity).
Steps:
1. Install NPS role on Windows Server.
2. Register NPS with Active Directory.
3. Configure RADIUS clients:
  - The VPN Gateway IP is the RADIUS client.
  - Shared secret must be configured for secure communication.
4. Create Network Policies:
  - Specify which users or groups can connect.
  - Set authentication method (e.g., MS-CHAPv2).

In Azure, go to your VPN Gateway.
Under Point-to-Site configuration, select Authentication type → choose RADIUS Authentication.
Provide:
- RADIUS server IP address (the NPS server)
- Shared secret (must match the one on NPS)
Save configuration. This tells Azure VPN Gateway to forward all P2S VPN login attempts to your RADIUS server.

From a client machine, try to connect using the VPN client configured for the P2S VPN.
Enter your username and password from Active Directory.
If configured correctly:
- Azure Gateway forwards request → RADIUS server authenticates → client gets access.
If something fails, check:
- VPN Gateway IP is added as RADIUS client.
- Shared secret matches.
- User is in allowed group according to NPS policy.

RADIUS is used for centralized authentication in P2S VPNs.
You need an NPS server or any RADIUS-compatible server reachable by Azure VPN Gateway.
Shared secret must match between VPN Gateway and RADIUS server.
Authentication flow:
- Client → Azure VPN Gateway → RADIUS Server → Active Directory → back to client.
Network Policy Server (NPS) defines which users/groups can connect.
RADIUS supports MFA if configured on NPS with additional extensions.
Limitations:
- P2S VPN using RADIUS does not work with Azure AD authentication.
- You cannot use certificate authentication and RADIUS simultaneously for the same configuration.

RADIUS = central authentication server (think “one place checks all VPN users”).
NPS is the Microsoft implementation of RADIUS.
Always check shared secret – exam often asks about connection failure troubleshooting.
Know the flow diagram: Client → VPN Gateway → RADIUS → AD → VPN Gateway → Client
Network Policy = who can connect and how (e.g., require group membership, type of encryption).

✅ Summary for Students

Use RADIUS when you want centralized authentication for P2S VPN users.
Set up NPS server, add VPN Gateway as RADIUS client, define Network Policies, and configure Azure VPN Gateway to use RADIUS.
Understand the authentication flow and how to troubleshoot connection issues.
Remember exam keywords: P2S VPN, RADIUS, NPS, Shared Secret, Network Policy, Authentication, Authorization.