1
00:00:03,440 --> 00:00:06,740
And now we're going to go to our Policies,

2
00:00:06,740 --> 00:00:10,040
and then we're going to highlight our Network Policies.

3
00:00:10,040 --> 00:00:12,210
And once we're here,

4
00:00:12,210 --> 00:00:17,410
we're going to right-click and then just choose New and give it a policy name.

5
00:00:17,410 --> 00:00:21,900
So this is going to be my Always On VPN access policy, so we'll call it that.

6
00:00:21,900 --> 00:00:31,660
The type of network access server, select Remote Access Server (VPN-Dial up).

7
00:00:31,660 --> 00:00:33,940
Click Next.

8
00:00:33,940 --> 00:00:37,650
And in the Conditions here, we want to specify our user group that we created.

9
00:00:37,650 --> 00:00:41,300
So the Conditions mean anything that matches these

10
00:00:41,300 --> 00:00:44,030
conditions will match this rule effectively,

11
00:00:44,030 --> 00:00:44,860
right?

12
00:00:44,860 --> 00:00:47,040
And so in this case,

13
00:00:47,040 --> 00:00:52,470
we want our VPN users in this group to be able to be processed by this rule.

14
00:00:52,470 --> 00:00:56,740
So we'll click Add, and we're going to select User Groups.

15
00:00:56,740 --> 00:01:00,640
Click Add once more, click Add Groups, and then we're going to

16
00:01:00,640 --> 00:01:08,840
add our group that we created previously.

17
00:01:08,840 --> 00:01:15,250
So click OK and Next. Access granted.

18
00:01:15,250 --> 00:01:18,340
Obviously, we want these users to be able to access the VPN and

19
00:01:18,340 --> 00:01:20,210
the infrastructure, so we'll leave it at that.

20
00:01:20,210 --> 00:01:24,660
Choose Next. And here we want to uncheck all of the less

21
00:01:24,660 --> 00:01:26,880
secure authentication methods listed here.

22
00:01:26,880 --> 00:01:31,660
We only want to use secure authentication methods. And specifically, that's

23
00:01:31,660 --> 00:01:35,640
being EAP, and so we'll click on the Add button here in the EAP Types

24
00:01:35,640 --> 00:01:38,560
field, and we're going to select Protected EAP.

25
00:01:38,560 --> 00:01:42,740
This is the protocol of choice, so we're going to click OK.

26
00:01:42,740 --> 00:01:45,760
And once that's done, we're going to highlight Protected EAP that

27
00:01:45,760 --> 00:01:49,300
we just added here and then click Edit. And a couple of things that

28
00:01:49,300 --> 00:01:51,360
we need to pay careful attention to.

29
00:01:51,360 --> 00:01:57,250
First of all, the certificate is issued to the NPS server. Here we have a very

30
00:01:57,250 --> 00:02:02,040
clean lab build. It has one certificate. It can't be wrong. In your

31
00:02:02,040 --> 00:02:05,080
environment, you may have multiple certificates here.

32
00:02:05,080 --> 00:02:09,420
You need to ensure that the certificate that you use for the

33
00:02:09,420 --> 00:02:13,930
NPS policy is issued by the same certification authority as the

34
00:02:13,930 --> 00:02:16,400
user authentication certificates.

35
00:02:16,400 --> 00:02:18,760
So you want to ensure that this is the correct certificate.

36
00:02:18,760 --> 00:02:23,570
So you can validate that here by looking at the issuer and

37
00:02:23,570 --> 00:02:25,180
the expiration date and so forth.

38
00:02:25,180 --> 00:02:27,690
Unfortunately, there's no way to actually look at this

39
00:02:27,690 --> 00:02:30,870
certificate, so you may have to do some deduction here to make

40
00:02:30,870 --> 00:02:33,840
sure it's the right one in your environment.

41
00:02:33,840 --> 00:02:37,260
Next, we will uncheck Enable Fast Reconnect.

42
00:02:37,260 --> 00:02:41,160
Fast reconnect is a technology that's used for Wi-Fi

43
00:02:41,160 --> 00:02:45,330
predominantly. It certainly can be used for VPN, but it does kind

44
00:02:45,330 --> 00:02:50,300
of short-circuit or create a shortcut for our authentication,

45
00:02:50,300 --> 00:02:52,480
and specifically, reauthentication.

46
00:02:52,480 --> 00:02:55,440
It's helpful for Wi-Fi clients switching between access

47
00:02:55,440 --> 00:02:59,320
points, not really ideal for authenticating users from an

48
00:02:59,320 --> 00:03:01,340
untrusted network like the internet.

49
00:03:01,340 --> 00:03:05,290
So uncheck that. I also suggest selecting the option

50
00:03:05,290 --> 00:03:07,940
Disconnect Clients without Cryptobinding.

51
00:03:07,940 --> 00:03:13,420
So cryptobinding is essentially a feature of the authentication

52
00:03:13,420 --> 00:03:17,580
process that allows the peers to exchange some information to

53
00:03:17,580 --> 00:03:21,910
ensure that they were both communicating directly with each other

54
00:03:21,910 --> 00:03:24,460
during the authentication process.

55
00:03:24,460 --> 00:03:28,600
And so cryptobinding is essentially, if you think of it, almost like a

56
00:03:28,600 --> 00:03:33,210
hash of all of the communication taking place during the authentication

57
00:03:33,210 --> 00:03:38,140
process, and those hashes should match. If they do not,

58
00:03:38,140 --> 00:03:41,780
it's likely that this connection was tampered with. So it

59
00:03:41,780 --> 00:03:44,990
may have been intercepted, and so you would want a client

60
00:03:44,990 --> 00:03:49,000
to disconnect as opposed to, you know, connecting and divulging credentials.

61
00:03:49,000 --> 00:03:52,030
So here I'm going to select Disconnect Clients

62
00:03:52,030 --> 00:03:55,340
without Cryptobinding for best security.

63
00:03:55,340 --> 00:04:02,570
Also, I want to remove the Secured password option here, and I want to add

64
00:04:02,570 --> 00:04:07,180
Smart Card or other certificate because, again, we are using certificate

65
00:04:07,180 --> 00:04:09,630
authentication for our users for high assurance.

66
00:04:09,630 --> 00:04:14,550
So we're going to click OK and then click OK again, and we're done here.

67
00:04:14,550 --> 00:04:21,740
So we'll click Next, we'll click Next once more, and again, and then Finish.

68
00:04:21,740 --> 00:04:22,610
And that's it.

69
00:04:22,610 --> 00:04:26,540
We've defined our Always On VPN network access policy;

70
00:04:26,540 --> 00:04:31,040
an authentication request from the VPN server coming to this

71
00:04:31,040 --> 00:04:37,000
NPS server, if it matches these conditions, should be good to go.