
Network Policy Servers

Users in Active Directory can change an expired password during the login process, as part of the RADIUS dialogue. A password counts as expired either because the “User must change password at next login” flag is set on the account, or because its expiration date lies before the time of the login.

Requirements:

  • The authentication must use the MS-CHAP v2 or EAP-MS-CHAP v2 protocol.
  • A configured Network Policy Server (NPS) pointing to the Active Directory repository.

Configure address, port and shared secret for the NPS. In order for the password change to work, it is important that:

  • The NPS points to the same LDAP server as configured for the Mideye Server.
  • The IP or hostname of the Mideye Server is present among the NPS’s RADIUS clients (otherwise the NPS will not accept RADIUS requests from it).
  • The NPS policies are correctly configured.

To create a new NPS server, navigate to “RADIUS Settings” followed by “Network Policy Servers”. Click “Add new NPS server...”.

Server name: Add a friendly name of the NPS. This must be unique.

Hostname: Enter the IP or hostname of the NPS.

Port: Add the RADIUS port of the NPS. If the NPS is on the same machine as the Mideye Server, make sure that the NPS and the Mideye Server listen on different UDP ports.

Shared Secret: Enter the shared secret that should be used between the Mideye Server and the NPS. This must be identical on both ends.
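The shared secret never travels over the wire; both sides use it to key the Message-Authenticator on the Access-Request and the Response Authenticator on the reply, so a mismatch shows up as requests the NPS silently drops or replies that fail verification. The following Python is an added illustration of that check (RFC 2865 / RFC 3579), not Mideye or NPS code; the secret, identifier and user name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80          # attribute types (RFC 2865, RFC 3579)
HEADER = struct.Struct("!BBH")                     # code, identifier, length; then 16-byte authenticator

def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, username: str, secret: bytes) -> tuple[bytes, bytes]:
    """Access-Request carrying a Message-Authenticator, which EAP/MS-CHAP v2 traffic requires.
    Returns (packet, request_authenticator); keep the latter to verify the reply."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # HMAC-MD5 keyed with the shared secret over the packet with the Message-Authenticator
    # zeroed; it is the last attribute here, so the final 16 bytes are the placeholder to fill.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest(), request_auth

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Check a request built above: an NPS holding a different secret discards it silently."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(packet[-16:], expected)

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """The Access-Accept/Reject an NPS holding the same secret would send back."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced with the secret we hold; a mismatch fails here."""
    if len(reply) < 20:
        return False
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)
```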

Save the configuration and navigate to “Directory Settings” followed by “LDAP Profiles”. Select “Edit” on the LDAP server that should use the NPS server.

On the “General” tab select the Network Policy Server that was created in the previous step. Click “Save”.

Click “Save”.

Change your remote access solution to use MS-CHAP

For instructions on how to enable this for Cisco AnyConnect and Citrix NetScaler, click the respective link. For other solutions, contact your vendor about how to enable MS-CHAP v2.

Install and configure Network Policy Server

See the Microsoft documentation on how to install and configure the NPS role.

Troubleshooting

Check RADIUS logs

Check whether anything is written to the Mideye RADIUS logs:

C:\Program Files (x86)\Mideye Server 6\log\mideyeserver.log
/opt/mideyeserver6/log/mideyeserver.log