# Active Directory

This tutorial explains how to configure single sign-on with Active Directory using a Windows RADIUS server, provided by the *Network Policy and Access Services* role (NPS). If AWS Directory Service is used, a domain-joined Windows Server 2012 R2 EC2 instance can be created to host the RADIUS server.

To begin open the server manager and install the *Network Policy and Access Services* role.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FaV9qNM4gjTmiZnmNhqbt%2Factive_directory0.png?alt=media\&token=e4ef6f9d-f425-47aa-84a4-408ef92a0b4a)

Once done search for and open the *Network Policy Server* management. Then in the *RADIUS Clients* section click *New*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FyRlDngMMbnpZPMns4SYU%2Factive_directory1.png?alt=media\&token=db0e8b4e-c5af-4a58-b56f-d0a52bcaefd7)

In the RADIUS client configuration set the *Friendly name* to *Pritunl*, then enter the IP address, IP address range or DNS name of the Pritunl server. This must be the address the RADIUS requests will actually come from, which is normally the private IP address of the Pritunl server. If multiple Pritunl servers are used, every server that will accept client connections from Active Directory users must be added. Select *Generate* for the shared secret, then click *Generate*. Copy the shared secret into the RADIUS settings in the Pritunl web console; it is the only thing that authenticates the Pritunl server to NPS, so use the generated value rather than a short hand-picked one.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FL8QdND53VraeTIXYLSO9%2Factive_directory2.png?alt=media\&token=02249364-d0d9-4371-9c64-f110680f4d5f)

Next open the *Network Policies* section and click *New*. If you intend to match Active Directory groups to Pritunl organizations or groups, continue with the [**Active Directory with Organizations**](https://docs.pritunl.com/kb/vpn/sso/broken-reference) tutorial instead. This tutorial only covers adding Active Directory users to the default single sign-on organization.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FTFdDChtQcNUHYICNhIrE%2Factive_directory3.png?alt=media\&token=64bc6f9e-294e-4a8f-a96a-e8c4790684ac)

Set the policy name to *Pritunl* and click *Next*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fc6kxsuamEfxzygozN23Z%2Factive_directory4.png?alt=media\&token=9979d3b3-6501-4480-b4f8-01e22963349b)

On the specify conditions page click *Add* and select *User Groups* then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Ft5m2p2kfVPu4MPh1IGg6%2Factive_directory5.png?alt=media\&token=1ab06681-e830-49fb-bf89-4796122eb8e3)

Click *Add Groups* and enter the names of the Active Directory groups that will be permitted to connect to the Pritunl server, then click *OK*. Only members of these groups will match the policy; everyone else falls through to the deny policies further down the list.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F37KVZuZJWpfYytns2Aax%2Factive_directory6.png?alt=media\&token=da858e33-c5d2-43cb-b3dc-97df75ecf912)

Then select *Add*, choose *ClientIPv4Address* and enter the IP address of the Pritunl server. This restricts the policy to requests originating from the Pritunl server, so it cannot be matched by any other RADIUS client registered on this NPS.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F7DqmfL5mqMZDoym94mHy%2Factive_directory7.png?alt=media\&token=1ba451cc-8f5b-496a-adbf-ab90c0d4fa2a)

For the authentication methods configuration select *Unencrypted authentication (PAP, SPAP)*. Pritunl sends the user's password with PAP, so this must be enabled or every request will be rejected. With PAP the password in the Access-Request is only obfuscated with the RADIUS shared secret (RFC 2865 User-Password hiding), which is weak by modern standards; keep the Pritunl-to-NPS traffic on a private network, and rely on the RADIUS client entry and the *ClientIPv4Address* condition to limit who can send requests.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F4eydN3FSVFyMp9lN1kl3%2Factive_directory8.png?alt=media\&token=196a62a6-06f1-4bce-8480-a97f9f93b478)

Once done, ensure the Pritunl policy is ordered above the built-in deny policies at the bottom. NPS evaluates network policies in order and applies the first one whose conditions match, so a Pritunl policy placed below a catch-all deny is never reached.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FueB2B0j8fl6nMvPSh3O1%2Factive_directory9.png?alt=media\&token=c4bf4f08-7ebe-476f-9c80-56be00fa1971)

Once the RADIUS server is configured, enter the IP address of the Windows RADIUS server with port *1812* and the shared secret from earlier in the Pritunl settings. Users will then be able to log in to the web console with their Active Directory credentials, and will be prompted for their Active Directory password when connecting to the VPN.
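The same NPS-side setup can be scripted from an elevated PowerShell prompt on the RADIUS server. The block below is an added example and not part of the Pritunl documentation or the Pritunl project; the Pritunl server address `10.0.1.20` and the friendly name `Pritunl` are assumed values, and the network policy itself is still created in the NPS console as shown above.

```powershell
# Added example: register a Pritunl server as an NPS RADIUS client with a
# randomly generated shared secret. Run as an administrator on the domain-joined
# Windows Server that will act as the RADIUS server.

# 1. Install the Network Policy and Access Services role and its console
#    (equivalent to the Server Manager step at the top of the tutorial).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it is allowed to read user account
#    properties (the console's "Register server in Active Directory" action).
netsh nps add registeredserver

# 3. Generate the shared secret from a CSPRNG instead of typing one. 32 random
#    bytes rendered as 64 hex characters stays under the 128-character limit NPS accepts.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 4. Add the Pritunl server as a RADIUS client. The address must be the source
#    address of its RADIUS requests (normally the private IP). Repeat with a
#    distinct name for every Pritunl host that accepts Active Directory users.
$pritunlIp = '10.0.1.20'   # assumed value
New-NpsRadiusClient -Name 'Pritunl' -Address $pritunlIp -SharedSecret $secret -Enabled $true

# 5. Verify the entry, then show the secret once so it can be pasted into the
#    RADIUS settings of the Pritunl web console. Do not keep it in scripts or history.
Get-NpsRadiusClient | Where-Object { $_.Name -eq 'Pritunl' } | Format-List Name, Address, Enabled
Write-Output "Shared secret for Pritunl: $secret"
```

The PowerShell `NPS` module only manages RADIUS clients and whole-configuration import/export; the network policy with the *User Groups*, *ClientIPv4Address* and PAP settings is still built in the console as described in the preceding steps.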

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FvIn25Lux5vHmq9fGP3wl%2Factive_directory11.png?alt=media\&token=986d25d9-44ce-4406-b665-ad696a208fee)

The Event Viewer is useful for determining why RADIUS authentication requests failed. NPS writes an audit event to the Security log for every decision: event ID 6272 for access granted and 6273 for access denied, each including the RADIUS client address, the matching network policy, the authentication type and, for denials, a reason code such as 16 (credentials mismatch), 48 (no network policy matched, usually the group or *ClientIPv4Address* condition) or 66 (the authentication method, here PAP, is not enabled on the matching policy). The same events are collected under *Custom Views > Server Roles > Network Policy and Access Services*.
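When the console is not convenient, the same events can be pulled from the Security log with PowerShell. This block is an added example, not part of the Pritunl documentation; it reads the event XML of IDs 6272 and 6273 and reports the fields a troubleshooter needs. The data field names used (`FullyQualifiedSubjectUserName`, `ClientIPAddress`, `NetworkPolicyName`, `AuthenticationType`, `ReasonCode`, `Reason`) are those of the NPS audit event schema.

```powershell
# Added example: summarise the last 24 hours of NPS RADIUS decisions on the
# Windows RADIUS server. Run as an administrator (the Security log needs it).

# NPS auditing is enabled by default; this makes sure both outcomes are recorded.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# Return one named <Data> element from an event's XML payload.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 6272 = Network Policy Server granted access, 6273 = denied access.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Result   = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User     = Get-EventField -Event $_ -Name 'FullyQualifiedSubjectUserName'
        ClientIP = Get-EventField -Event $_ -Name 'ClientIPAddress'
        Policy   = Get-EventField -Event $_ -Name 'NetworkPolicyName'
        AuthType = Get-EventField -Event $_ -Name 'AuthenticationType'
        # Reason code is only meaningful on denials: 16 bad credentials,
        # 48 no policy matched, 66 PAP not enabled on the matched policy.
        Reason   = if ($_.Id -eq 6273) {
            "$(Get-EventField -Event $_ -Name 'ReasonCode'): $(Get-EventField -Event $_ -Name 'Reason')"
        } else { '' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A denial whose `ClientIP` is not the Pritunl server's private address usually means the RADIUS client entry or the *ClientIPv4Address* condition was given the wrong address (for example a public IP instead of the private one), while a reason code 48 with the correct address points at the *User Groups* condition or the policy ordering.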

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FI1tylU9gnBsRtZ2ebPek%2Factive_directory10.png?alt=media\&token=160bc487-620d-432a-ba9c-ca5b77f2872d)
