OpenVPN + Windows AD CS + NPS

---

Hello all!
Again I have a new challenge with a new implementation (testing). After all the help I receved here regarding AD CS and a lot of testing and reading, I successfully installed an internal 2 tier PKI.

Now for the next part: I want to configure OpenVPN to use the NPS for authentication (thinking of certificates also). So on OpenVPN I need to have certificates from ADCS and not creating a CA on OpenVPN per se, as for the majority of tutorials online.

Does anyone has some experience with this, using an external CA? I found a guide on Web Archive but most information is no longer available...
Thank you in advance for the help!

Regards,
Fábio Teles

@fabio-teles,

You need to have NPS role installed and functional on Windows Server.
You need to have an operational OpenVPN server and it's IP Address.

1. In NPS, you want to create your OpenVPN server as a new RADIUS Client.
2. Generate a new key
3. Create a new NPS policy
   • Add a condition for a Windows Group, add your VPN users who are allowed to use VPN.
   • Add another condition for Client IPv4 Addresses, add the IPv4 address of the OpenVPN server.
4. Grant Access to the VPN users.
5. Configure authentication method, under EAP types (MS-CHAPv2)
6. accept the defaults on constraint.
7. Complete the policy, move the policy up in the list.

In OpenVPN web-gui, look for authentication and select RADIUS. If RADIUS is not used click button to use it.
Then under RADIUS authentication select MS-CHAPv2
Then in RADIUS settings setup what you configured in NPS with the shared secret.
update