
Configuring the Primary NPS RADIUS Proxy

The computer acting as the primary NPS RADIUS proxy is not required to be dedicated to forwarding RADIUS messages. For example, you can install NPS on a file server. Because the primary NPS RADIUS proxy computer is not performing authentication or authorization of network access connections, it can be a member of a domain of either forest.

To Configure the Primary NPS RADIUS Proxy for RADIUS Ports and Clients

1. In the Network Policy Server snap-in for the primary NPS RADIUS proxy, configure additional UDP ports for RADIUS messages that are sent by the access servers as needed. By default, NPS uses UDP ports 1812 and 1645 for authentication and UDP ports 1813 and 1646 for accounting.

2. Add the access servers as RADIUS clients by using the instructions in the “Configuring NPS with RADIUS Clients” section of “Configuring the Primary NPS Server” earlier in this chapter.

To Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the First Forest

1. In the console tree of the Network Policy Server snap-in, expand RADIUS Clients And Servers.

2. Right-click Remote RADIUS Server Groups, and then click New.

3. In the New Remote RADIUS Server Group dialog box, in the Group Name field, type the group name for the NPS RADIUS servers in the first forest (for example: RADIUS Servers in Forest1). Click Add.

4. On the Address tab, type the DNS name, IPv4 address, or IPv6 address of the primary NPS RADIUS server in the first forest. If you specify a name, click Verify to resolve the name to an IP address.

5. On the Authentication/Accounting tab, type the shared secret between the primary and secondary NPS RADIUS proxies and the primary NPS server in the first forest.

6. Click OK to add the server to the list of servers in the group.

7. In the New Remote RADIUS Server Group dialog box, click Add.

8. On the Address tab, type the DNS name, IPv4 address, or IPv6 address of the secondary NPS RADIUS server in the first forest.

9. On the Authentication/Accounting tab, type the shared secret between the primary and secondary NPS RADIUS proxies and the secondary NPS server in the first forest.

10. Click OK to add the server to the list of servers in the group, and then click OK again.

To Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the Second Forest

1. In the console tree of the Network Policy Server snap-in, expand RADIUS Clients And Servers.

2. Right-click Remote RADIUS Server Groups, and then click New.

3. In the New Remote RADIUS Server Group dialog box, in the Group Name field, type the group name for the NPS RADIUS servers in the second forest (for example: RADIUS Servers in Forest2). Click Add.

4. On the Address tab, type the DNS name, IPv4 address, or IPv6 address of the primary NPS RADIUS server in the second forest. If you specify a name, click Verify to resolve the name to an IP address.

5. On the Authentication/Accounting tab, type the shared secret between the primary and secondary NPS RADIUS proxies and the primary NPS RADIUS server in the second forest.

6. Click OK to add the server to the list of servers in the group.

7. In the New Remote RADIUS Server Group dialog box, click Add.

8. On the Address tab, type the DNS name, IPv4 address, or IPv6 address of the secondary NPS RADIUS server in the second forest.

9. On the Authentication/Accounting tab, type the shared secret between the primary and secondary NPS RADIUS proxies and the secondary NPS RADIUS server in the second forest.

10. Click OK to add the server to the list of servers in the group, and then click OK again.

To Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the First Forest

1. In the console tree of the Network Policy Server snap-in, expand Policies, right-click Connection Request Policies, and then click New.

2. On the Specify Connection Request Policy Name And Connection Type page, in the Policy Name box, type the name for the connection request policy (for example: Forward Requests to RADIUS Servers in Forest1). Click Next.

3. On the Specify Conditions page, click Add.

4. In the Select Conditions dialog box, double-click User Name.

5. In the User Name dialog box, type the realm name for all names in the first forest (for example: forest1.example.com), click OK, and then click Next.

6. On the Specify Connection Request Forwarding page, select Forward Requests To The Following Remote RADIUS Server Group For Authentication, and then in the drop-down list, select the remote RADIUS server group for the NPS RADIUS servers in the first forest (for example: RADIUS Servers in Forest1). Click Next.

7. On the Configure Settings page, click Next.

8. On the Completing Connection Request Policy Wizard page, click Finish.

To Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the Second Forest

1. In the console tree of the Network Policy Server snap-in, expand Policies, right-click Connection Request Policies, and then click New.

2. On the Specify Connection Request Policy Name And Connection Type page, in the Policy Name box, type the name for the connection request policy (for example: Forward Requests to RADIUS Servers in Forest2). Click Next.

3. On the Specify Conditions page, click Add.

4. In the Select Conditions dialog box, double-click User Name.

5. In the User Name dialog box, type the realm name for all names in the second forest (for example: forest2.example.com), click OK, and then click Next.

6. On the Specify Connection Request Forwarding page, select Forward Requests To The Following Remote RADIUS Server Group For Authentication, and then, in the drop-down list, select the remote RADIUS server group for the NPS RADIUS servers in the second forest (for example: RADIUS Servers in Forest2). Click Next.

7. On the Configure Settings page, click Next.

8. On the Completing Connection Request Policy Wizard page, click Finish.
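As an added illustration (not part of the book, and not NPS code) of what the proxy built in the four procedures above does with these settings, the Python below models the two remote RADIUS server groups and the two connection request policies: it selects the group by matching the realm in the User-Name attribute of an Access-Request, and checks a reply from that group against the group's shared secret using the RFC 2865 Response Authenticator. The group and policy names are the book's examples; the shared secrets are placeholders, and the anchored realm patterns are an assumption worth adopting, because the NPS User Name condition is a regular expression, so an unanchored realm with unescaped dots matches more names than intended.

```python
import hashlib, hmac, re, struct

USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865)

# Constructed stand-ins for the two remote RADIUS server groups (placeholder shared secrets).
GROUP_SECRETS = {
    "RADIUS Servers in Forest1": b"PLACEHOLDER-forest1-secret",
    "RADIUS Servers in Forest2": b"PLACEHOLDER-forest2-secret",
}
# Ordered like the connection request policies. The User Name condition is a regular expression,
# so anchor the realm and escape its dots: a bare "forest1.example.com" also matches "forest1Xexample.com".
POLICIES = [
    ("Forward Requests to RADIUS Servers in Forest1", r"@forest1\.example\.com$", "RADIUS Servers in Forest1"),
    ("Forward Requests to RADIUS Servers in Forest2", r"@forest2\.example\.com$", "RADIUS Servers in Forest2"),
]

def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by type-length-value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Return (code, id, authenticator, {type: value}); reject truncated or malformed attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def select_group(access_request):
    """Apply the policies in order; None means no policy matched, so the proxy forwards nothing."""
    user_name = parse_packet(access_request)[3].get(USER_NAME, b"").decode("utf-8", "replace")
    for _name, pattern, group in POLICIES:
        if re.search(pattern, user_name):
            return group
    return None

def sign_response(code, ident, request_authenticator, attrs, group):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    tmp = build_packet(code, ident, bytes(16), attrs)
    digest = hashlib.md5(tmp[:4] + request_authenticator + tmp[20:] + GROUP_SECRETS[group]).digest()
    return tmp[:4] + digest + tmp[20:]

def verify_response(reply, request_authenticator, group):
    """Proxy side: recompute the authenticator under the group's secret; a mismatch means drop the reply."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + GROUP_SECRETS[group]).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A reply signed with the other forest's secret, or a reply whose attributes were altered in transit, fails `verify_response`, which is why the secret typed on the Authentication/Accounting tab must match the one configured on the corresponding NPS server.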