This topic describes how to configure a RADIUS server that is running Network Policy Server (NPS) to be used for client authentication by Forefront TMG. Before you begin, you should be aware of the security considerations described in Planning for authentication [TMG].

Setting up RADIUS authentication with NPS consists of the following steps:

  1. Installing NPS. NPS is installed as a Windows component. For more information, see Network Policy Server Infrastructure (

  2. Configuring Forefront TMG as a RADIUS client in NPS.

  3. Configuring the RADIUS server in the Forefront TMG Management console. Ensure that these settings are the same as those you specify when configuring Forefront TMG as a RADIUS client. Note that the specified RADIUS server settings apply to all rule types using RADIUS authentication.

  4. Modifying the Forefront TMG system policy rule, if required. The rule presumes that the RADIUS server is located in the default Internal network and allows RADIUS protocols from the Local Host network (the Forefront TMG computer) to the Internal network. Modify the rule if the network location is incorrect, or if you want to specify the address of the RADIUS server rather than the entire Internal network. The rule is enabled by default.

To configure Forefront TMG as a RADIUS client on NPS

  1. On the computer on which you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER. Leave the management console open for the following NPS configuration tasks.

  2. In the NPS management console, in the tree, expand RADIUS Clients and Servers, right-click RADIUS Clients, and then click New RADIUS Client.

  3. On the New RADIUS Client dialog box, in the Friendly name box, type a description of Forefront TMG. In the Address (IP or DNS) box, type the IP address of Forefront TMG.

  4. In the Shared secret box, type the shared secret you created in Configuring VPN connections to use NAP based quarantine.

  5. In the Confirm shared secret box, type the shared secret again.

  6. Select the RADIUS client is NAP-capable check box, and then click OK. See the following example.

To configure the RADIUS server in Forefront TMG

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. In the Tasks pane, click Configure Client Access.

  3. On the Networks tab, select the network where the RADIUS server is located, and then click Configure.

  4. On the Web Proxy tab, click Authentication.

  5. Under Method, clear any other selected methods, and then select RADIUS.

  6. Click RADIUS Servers, and then click Add.

  7. In Server name, type the name or IP address of the RADIUS server to be used for authentication.

  8. Click Change, and in New secret and Confirm new secret, type the shared secret to be used for communications between the Forefront TMG server and the RADIUS server. Be sure to specify the same secret you entered when configuring Forefront TMG as a client on the RADIUS server.

  9. In Authentication Port, specify the UDP port used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on RFC 2138.

  10. In Time-out (seconds), specify the time (in seconds) that Forefront TMG should try to obtain a response from the RADIUS server before trying an alternate server.

  11. Click OK five times to exit all windows, then on the Apply Changes bar, click the Apply button.

To modify the RADIUS system policy rule

  1. In the Forefront TMG Management console, in the tree, click Firewall Policy node, and then on the Tasks pane, click Edit System Policy.

  2. In the Configuration Groups list, in the Authentication Services section, click RADIUS.

  3. On the General tab, verify that Enable this configuration group is selected.

  4. On the To tab, to specify a different location, select Internal, and then click Remove. Click Add, and then specify the network object that represents the RADIUS server.

Copyright © 2009 by Microsoft Corporation. All rights reserved.