Guide : Setting up Absolute Secure Access

This product use to be called Netmotion mobility, however, since version 12.70 it’s changed from Netmotion to Absolute and mobility to secure access

Apologies if you find me referring to it with the old name, it’s a change that recently happened so it’s very easy to say the wrong product name.

This guide will show you this service using either device authentication certificates or user authentication certificates, obviously for privacy and security reasons certain names and connections screenshots have been changed.

The fundamentals and workflow are exactly the same, just before we begin remember absolute is a VPN solution that creates a private tunnel from the device to your corporate network, the end result is your laptop will appear to be on your own internal network.

Absolute can be installed as it single server instance, which you should not deploy if you wish to have more than 50 connections active at once, this is fine for a proof of concepts or a demo.

The components of this software are as follows:

Absolute Warehouse Server (x2)
Absolute Publisher Server
Absolute Reputation Server
Absolute Secure Access Server (x4)
NPS server (x2)

Overview Diagram : High Level

If you would like the full copy of this for download click here

Device v User Authentication

Let’s also be clear on device authentication versus user authentication, if you opt for device authentication will utilize the certificate that will be issued to the laptop which means you will be able to remote control the laptop with or without a user logged into it, this is also known as unattended mode

However, if you up for User authentication the user needs his own unique certificate in order to log into the VPN, unlike the device authentication the laptop will not be available when an active user is not signed in and working, when do use the logs off it was either block all traffic or disconnect all traffic depending on your options.

You will also need as part of a set a process a RADIUS server, or the newer term for this kind of server in windows is called a network policy server, or NPS.

For the sake of having resiliency, it’s not recommended to build a single server here as if that server is unavailable then your VPN will be useless, without a successful authentication to this server, you will not be able to connect.

This guide will only focus on "distributed deployment" not the easier one size fits all "small deployment server".

Setup : Absolute Warehouse Server

This is required for all the other services to work so rom the options only select "Warehouse" as you can see here:

Once the core components are installed you will then setup the warehouse service.

If you have more than one warehouse server, in v12.70 and above both the databases are active and there is no longer a passive database anymore.

Setup : New Warehouse

If this is the first warehouse then you need to select the top option as you will be creating the first server for the first time:

Then you will need the password for the warehouse, ensure you make this nice and secure and store it in a password manager:

Then you will need to select the IP of the server, this is not the localhost one so please do not select 127.0.0.1 or ::1 select the actual name of the server which should be there:

You then need a data port, configuration port and replication port as you can see here:

Then you need to choose the location of the warehouse, ensure this is excluded from your A/V scans as well:

If you have a previous LDIF file to import you can do so here, if not click next:

Then you have to select the option to configure backups, I would highly recommend this is completed and you do not disable this option:

Setup : Existing Warehouse

Select the option for "existing warehouse" then you will be asked for the location and the port (which is TCP:4444) and the password, from there this warehouse will work with the new warehouse.

No screenshots for that, its simple.

Setup : Publisher/Reputation Servers

Next we have the publisher server which is also the monitoring server as well, you really only need one of these in your deployment unless you really need more for different purposes.

First you need to connect to the database server, which are the details from before:

Install this with the defaults as the configuration is done from the website interface the setup is not that in-depth and you really just need the basics.

Setup : Secure Access Server (VPN server)

Select the secure access server on this setup screen then once installed you will need to give it the warehouse connection as below:

Once you have provided the server and the password then click next, you will be asked to if you would like to disable the firewall - even if you have another provider for your firewall please leave this ticked....

Then you need to choose the web server settings, I would recommend you use port TCP:443 the standard for HTTPS, if you wish to change this to a different port this does not make it anymore secure.

Also provide the local admin group for the users and where you can access the website from for remote management, for no remote access choose "only the local computer"

Then you need to configure the external address that Secure Access will use, this is the public address that the server needs to know about, you will also need to have the relevent NAT rules in place to route the traffic correctly to the VPN server.

Also note you have an external port, this is the port secure access will listen on, that also needs to be allowed on the firewall and NAT rules, finally DO NOT open other ports from the internet, only this port should be opened publically.

Then you need to choose the IP address scheme, for this we will use a pool of addresses which you will need to add here in the notation of address range then the CIDR and the gateway, this is the addresses that your secure access server will deploy to the clients that connect.

Then you need to set your address pool DNS, which consists of your DNS suffix and DNS servers (yes the servers here are not real and the domain is non-routable)

Then after all this you get the summary screen, ensure you tick "start server offline" and review the data then click next to get the party started......

Once the setup is finished you should be access the server name as a HTTPS address and it should look like this, please note you will be on a self signed certificate so you will need to get that updated, which is next, exciting stuff......

NOTE : The server will be offline not online as per the image

Setup : Self Signed to actual SSL certificate

Once you have the website online with a "internal" certificate you need to fix that, so login to the secure access server and once there start the "Secure Access Management Tool" shown below:

Then click the web server tab and then choose server certificate as shown below:

Those options will look like this, from here you want to click New under certificate request......

Fill in the details here where applicable like Host and ensure you add a DNS:<host> that matches once filled in continue....

That will lead you to this screen:



You will see the CSR you require in Base64 right there in the main window this looks something like this:

-----BEGIN CERTIFICATE REQUEST-----

MIIEvTCCAqUCAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkJlYXJ2aWxsbGUx

EDAOBgNVBAcMB0JlYXIgSFExFDASBgNVBAoMC0JpZyBCZWFyIEhRMRMwEQYDVQQL

DApUZWNobm9sb2d5MRcwFQYDVQQDDA52cG4uYmVhci5sb2NhbDCCAiIwDQYJKoZI

hvcNAQEBBQADggIPADCCAgoCggIBAORT3KNwZjK/ErVDR+juHWlHh6xXogH9XNUu

G5vIszs8ZUbH9Q6arG4X7p2WZh63SfbzpgTwIda2Lk9PqQlp9VHBIIGgPrnJjysz

hGV/OYq9YKxvFIhgucNMic8BJ3l+5BhTHIOIXvhqt6DTQX0bztp6U3iSLhN+N0Ti

I+od0sx1GWd1Ko9jst6bgiJSMlRjL3rG9HFWp0P+rYN+okcaoCAJoFW8GfklrQhP

BcDEU0U6QRSbtFMGMRcL6SE5MSb2z5GzeRXoIrOVBPpM6wmV0n1Us5nsXzPYMJZN

M42xzvoH72jugnmSKS4+cOSqrVqhtoF6gzCqiCb2ImORhF1U8l5N6pWyOcSPTbMQ

bPKi7e4APCwHye49sNR0X10HAuzFL7g0VLjLnZ0PLkz4YKYA4HoKchIu0IJuCeGl

9ocNzgs29Mo9ik/GDrsBmUDOIIGHz4ErdQHJQWaQOAKDb4yuIY1RqhlcnI5ZG/nH

NmWyL/VULJNqA4Qj0la5xyxD4KhrMCUc+DUa0F5aso30n88iUR+rFwxrdsxvqBLT

uoE3R+GvFHNa7AGJX0EU7l9dLLMoMWwyiouUJo4wvT5nMr2J3qWcWPozRJRHBH9y

DAh94lV8zZct+pF+Rf7TlUcOFQofz5N/mxyTBAejfZnsm9c0os5dakh+P6JSjkrp

7MpabCX/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAgTQF+yJng+5TvK0+77dU

HXgBvlX3NzuiUl0WHV05v5TtNpe+zAdhVhNuHfFi28jNr83wC24A7Y9ed++Iooxv

NCOYvsaxDF3NXA1ubJyBZ6KsO6lVAIzvYpf0bY5OZ4goupKhhR+WbXAr7OBIwZst

swLXVMpLbDNtjdPihG4Mz6HiZPK8vm07MZ5WtP4Ww4mlQSdhZux7LbI+I8pR24Dg

aCSzQe+FH+GBsKZQtV7EwbKti1o6LPKmwydhYRKyGmzBUiwK8OSuffjo9vlItGSZ

QWTlMbo9Y91s07HH5mRIhEM0eRM8UUfFDIeVEozVE5lOFA6VkRamDuqcuYvxbUeS

kZ8T3jmgB2+jEqGA8Ls+I+fkOvIWElTpLxd+4NEvU0UjCfagwu0WBw3H1NUgQMaT

AtYq23Ngbdi5Fmy3jp87nM3tG7tVgYO/bvxCV0s2J9LOqCguBCvnOK6BJDYZUVdA

iX2oww1SyyPJIre69NUGKSWOjTibSmbxhzykfACtL3dM0ZoZLyUWynKBwvAEfAhi

9d1Zm7FW6Z9Qbx0eQx2JganKLYy1B5q3SM1tgSEts7NuoekMOWxz+/dDHCNKyFh5

gXOhJkwXye6RIIv0G6voPeun+/5ERVL0RJxPoNOt6QkKCAiq/vcAwlCir7zeP0ZQ

MsXx+c+ohiYjo1S5Ldl12ss=

-----END CERTIFICATE REQUEST-----

Once you have this you need to sign this with your certificate authority servers, so save that to the desktop as a txt file the extension is not important only the content of the file, if you have internal servers you can use this command:

certreq -submit -attrib "CertificateTemplate:Web-Server" <path to file>

You will then need to select a certificate server (CA) to process that file, which will then ask you where you wish to save the file, if you save this to the desktop you can continue.

Once you have this file, navigate back to the server certificate windows as below and click the response button below:

You need to select the file you saved on your desktop, however if you have a root CA or intermediate CA you will need to add the files to the relevant import button before you import the certificate, if you do that the wrong way wrong you will get an error.

If you are using an external CA, then you will need to complete this as per there instructions and ensure you download the whole chain before you import the certificate, this is key to this working, so if for an example we take the outlook.com chain:

This will only work if you have "Digicert Global Root CA" as the root, then "Digicert Cloud Service CA-1" as the intermediate then you provide the response file from Digicert.

If you did that correct the window should show the new date and no longer show the certificate CSR options.

Restart the webserver for this to take effect, it will take a minute to get the UI back online, it will prompt you to do this when you update the certificate.

Setup : NPS Server

NOte : Highly recommend you have more than one NPS server for larger deployments

Build a base build of Windows Server, then once you have all the updates installed on it and you have joined it to the domain, all you need is this command:

Install-WindowsFeature NPAS -IncludeManagementTools

I would recommend using the Core version of Windows (aka the non GUI version) as you can remote manage this absolutely fine with no issues, once this is installed you may need to reboot the server.

Once installed all you need is the NPS remote management tool, this is what you are looking for:

There is no requirement to register this server in Active Directory, Absolute will not be looking for this server automatically.

Logging should be automatically setup to log all the events required to monitor and troubleshoot, however if you want to check this you can do so in Accounting then change log file properties, this is what I have setup for this solution:

NPS is installed and the ports used are the usual RADIUS main ports of 1812 for authentication and 1813 for accounting, as you can see here:

Setup : NPS Shared Secrets

I would created a shared secret so you do not need to keep entering it all the time, if you have many servers this can prevent typos later on, so to do that find the Template Management then choose Shared Secrets, right click there and choose New.....

Then enter a suitable name and they key in manual mode as you can see here:

Note the name "Absolute Shared NPS Key"

Setup : NPS Clients and Servers

This section of the NPS servers at the top as below......

The RADIUS clients is what we need here, if you navigate to that section and right click there and choose New this will allow you to add a client, you need to add all the Secure Access VPN servers to this list, this enables these servers to talk to the NPS server.

Now you can select the template you made earlier, that's the bit behind the black box in the image below, along with a suitable name and the IP of the server that will talk to the NPS server.

Ensure all the Secure Access servers are added as clients.

Setup : NPS Connection Request Policy (CRP)

NOTE : This needs to be setup for your company requirements, this is just a guide and should not be taken literally.

Right, now you have the clients all added you then need to setup the CRP policy which is the pre-policy for the connections the server gets, as you can see you can have more than one policy on the same server, here we cover both of the scenarios including Device and User authentication

You need the precedence or processing order to be correct if you are using the same for both, so lets get creating these as per below, the 4th rule is default, so that is included when you install NPS, the 3rd rule is also a backup rule that is disabled.

Setup : User Authentication CRP

Give it a name and type is unspecified.....

Add condition of "NAS Identifier"

Add the NAS Identified or UA for User Authentication:

Ensure you authenticate on this server as below:

In this example the authentication methods come later, leave this unselected:

Confirm the settings in the CRP which should be NAS is equal to UA, then you are done, this alone does not do anything but assess the inbound connection, you now need to link this to the Secure Access server which is done later in the guide.

Setup : Device Authentication CRP

Give it a name and type is unspecified.....

Add condition of "NAS Identifier"

Add the NAS Identified or DA for Device Authentication:

Ensure you authenticate on this server as below:

In this example the authentication methods come later, leave this unselected:

Confirm the settings in the CRP which should be NAS is equal to DA, then you are done, this alone does not do anything but assess the inbound connection, you now need to link this to the Secure Access server which is done later in the guide.

Setup : NPS Network Policies (NPS-NP)

Right, now we move on to the Network Policies this is where more conditions are set for NPS entry requirements, so like before lets do one for User and one for Device Authentication, if you only need one ignore the other one, simple.

This is where you need to specify, authentication, and encryption methodologies, this is also where you specify groups of people you would like to access your NPS server, out the box, for default rule is to deny all access for security, please do not disable this rule when troubleshooting, when you get to the troubleshooting section, you will see why you should not disable this rule, if the conditions you set are not met, the default action should always be deny.

I also recommend a network policy group that denys access via NPS - that way if you have a stolen or malicious laptop, you can quite easily stop all connections to the VPN server, it’s better to have a rule like this, and not need it, then not to have a rule like this, and have a requirement to use it.

Setup : Certificate Generation

In order to use NPS we require a certificate, the certificate needs to be a computer authentication certificate to work with NPS, this means it requires the attribute to prove and ensure the remote computer identity as below:

If you have an internal certificate authority the base template for this is called "Computer Authentication" on the other hand if you have an external CA this will be a server authencation certificate.

If you are using an external certificate authority then you will need to get instructions for that particular provider to generate the certificate, this can be automated if external so it completes automatically.

However, if you have an internal certificate authority you can follow the below instructions, first you need to open the local computer certificate store, to complete this run this command:

Then you want to navigate to the Personal store, this is where the certificate need to be located, once here right click the certificates folder and choose "Request New Certificate"

You require active directory Enrollment as below: 

You need to select the Computer Authentication template, or that is the default name for it, put a tick in the box and click 

There is by default no information you need to enter here so you can click Enrol, and that should successful complete and generate you a certificate

This will be in the Personal store, and this is required by the NPS server for the rest of this setup.

Setup : Deny Policy (NPS-NP)

I highly recommend this policy for security, this is a policy you will setup to Deny connections if the conditionals are true, this is better than the default policy as it will be the first policy applied on NPS.

Give the policy a name and ensure you choose "unspecified"

Then you require a Windows Groups to apply this policy to....

When you add select the groups you require to add from your domain.....this is unique to your company..

Then you want the condition of "Access Denied" as below:

Then for the deny authentication methods add in Smart Card and EAP (PEAP) and EAP-MSCHAP-v2 as well as all the other methods, excluding password changes

The reset for this policy is default then save it and ensure its processing order of 1, if its not right click the policy can use the move up option:

Setup : User Authentication Policy (NPS-NP)

Next we need the user policy, again need to stress this is for the purpose of this guide, you environment will be different, so this will be for people using these settings:

Authentication Mode : User Certificate 
Authentication Type : Protected EAP (PEAP)
EAP Type : Certificate (user)
Mode Type : User Group
Fast Connect : Enabled

Right now we know this lets to making the policy, start with a relevant name:

Then we need the user group, not be careful here about what you click, more on that in the troubleshooting section, but ensure you choose "User Group"

Then you need to use a group you have created, if you have not created on, when you need to do that (obvioulsy)

This will then add itself to the condition, once you have this move right along, to the access type - here choose Access Granted

With Authentication methods you need to add "Protected EAP" as the EAP type, then you need to untick all the "less secure methods"

Then when you click on the "Protected PEAP" you can click the edit button and you will see this, this is the PEAP options.......

This is also wrong, the EAP type here is secure password which is wrong for this guide, so you will need to update that, you will also need to ensure Fast Reconnect is ticked for this solution, if when you try to add PEAP you get no certificates that is because you have skipped a set above to generate that certificate, go back and do that.

Finally you need to ensure that you remove "secure password" and add "certificate or smartcard"

If you click the add button you will see the certificate option, add that to the profile....

Firstly add the new EAP type:

Then remove the secure password option with a highlight and the remove button...

You should now only see the certification option in the list like this:

The EAP will pickup the main certificate automatically, then we can move on to constraints, here NPS will only allow connections for 8 hours after disconnecting people from the VPN, this is optional if required:

Encryption settings wise we require MPPE 128bit and do not pass the policy with this, with this set it will stop very legacy connecting to your network via VPN......

Then on the review screen, ensure the setting are set, then you can finish to save the policy, then you have done the User Authentication Policy.

Setup : Device Authentication Policy (NPS-NP)

Next we need the user policy, again need to stress this is for the purpose of this guide, you environment will be different, so this will be for people using these settings:

Authentication Mode : Device Certificate 
Authentication Type : Certificate Authentication
EAP Type : Certificate (device)
Mode Type : Windows Group
Fast Connect : Enabled

Right now we know this lets to making the policy, start with a relevant name:

Then we need the user group, not be careful here about what you click, more on that in the troubleshooting section, but ensure you choose "Machine Group"

Then you need to use a group you have created, if you have not created on, when you need to do that (obvioulsy)

This will then add itself to the condition, once you have this move right along, to the access type - here choose Access Granted

With Authentication methods you need to add "Protected EAP" as the EAP type, then you need to untick all the "less secure methods"

Check the certificate is correct for the clients, this is the certificate the server presents to the client that it can authenticate with......

The EAP will pickup the main certificate automatically, then we can move on to constraints, here NPS will only allow connections for 8 hours after disconnecting people from the VPN, this is optional if required:

Encryption settings wise we require MPPE 128bit and do not pass the policy with this, with this set it will stop very legacy connecting to your network via VPN......

Then on the review screen, ensure the setting are set, then you can finish to save the policy, then you have done the Device Authentication Policy.

Setup : NPS Summary

You should now have 3 policies you have created in the order like this:

1. Deny Access
2. SSL - User Authentication
3. Device Authentication VPN

The policy's should be in that processing order, depending on your configuration the user policy should be above the device policy, meaning any user polices will get applied first, remember that when a policy match's that policy is applied without assessing the policy's beneath it, so one the user policy matches it will not apply the device policy version - aka when it matches 2 it will not assess 3, to asses 3 it has to fail 2.

Setup : NPS Troubleshooting

This is more generic advise linked to VPN, but if you navigate to the custom event log which is installed once you install NPS, for this exact task, this the Server Role > Network Policy and Access Service log:

This is where you will see the authentication logs for the NPS server, the two main event ID's you need to be looking for are 6272 and 6273, as you can see here we have lots of 6272 events.

This is how it works for the majority:

6272 is a successful authentication or access granted
6273 is a denied authentication or access denied

Review : Authenticated Event ID (6272)

This is what a successful login looks like:

Network Policy Server granted access to a user.

User:

Security ID: bear.local/DA-Test-Laptop$

Account Name: host/DA-Test-Laptop.bear.local

Account Domain: BEAR

NAS:

NAS IPv4 Address: -

NAS IPv6 Address: -

NAS Identifier: DA

NAS Port-Type: -

NAS Port: -

RADIUS Client:

Client Friendly Name: Secure Access Server #1

Client IP Address: 12.778.12.445

Authentication Details:

Connection Request Policy Name: Absolute - User Auth

Network Policy Name: Device Authentication VPN

Authentication Provider: Windows

Authentication Server: nps-1.bear.local

Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Review : Authenticated Event ID (6273)

Now we also need to look at a failed authentication request to see what we can tell from a denied log as well however on the Authentication details is really valid for denied requests unless you need for tracing, so for this device the account in active directory was disabled:

Authentication Details:

Connection Request Policy Name: Absolute - User Auth

Network Policy Name: Device Authentication VPN

Authentication Provider: Windows

Authentication Server: nps-1.bear.local

Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 34

Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.

Then this example

Authentication Details:

Connection Request Policy Name: Absolute - User Auth

Network Policy Name: Device Authentication VPN

Authentication Provider: Windows

Authentication Server: nps-1.bear.local

Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 23

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

If you get Reason Code 23, then a common reason for this is someone has added a active directory as Machine Group when you should be User Groups, for this reason I do not use Windows Group but that is a personal preference, the group types you can choose are outlined below:

If you would like a full listing of the error codes then you can use this resource here

So from this we can tell the what the laptop is called, the NAS ID, the Secure Access servers that they are using, the CRP the Policy name and the NPS server as well as the EAP type all in a single event entry.

If you need to do more detailed logs analysis, the default location for these logs are %windir%\System32\Logfiles however if you have customised the location, you will need to look in that folder instead, here you can see the folder has been redirected in the NPS panel.....

Setup : Configuration Menu

This is the main menu where you will need to configure all the settings for the Absolute VPN services, there are only a couple you really need to know about these are under the image:

The ones in red can cause interruption to connections if misconfigured, be particularly careful with the ones in bold.

Server settings - Set server wide settings per server or globally
Client settings - Set client device settings per device or globally
Authentication settings - Set Authentication settings for all clients to NPS/Radius

Device Groups - Assign devices to groups to then assign policy to those devices
Device - shows the devices that are registered with Absolute
User groups - Assign users to groups to then assign policy to those users
Licensing - Check the number of valid licenses for your organisation 

Setup : Server Settings

This is where you can set setting per server or globally, personally unless you have certain requirements you do not need to customise these, many of these settings will be set from the setup you completed for the VPN sever, however I do customise a couple of settings these are:

NOTE : These setting are custom (partially) to this environment, you will have different requirements

Console > Logon Notice : Set a login banner for the environment you are managing

Console > Session Timeout : Set a timeout for active sessions on the admin UI interface
Deployment > Resource Location : Set a custom deployment location 

Setup : Client Authentication

This is where you can set setting per client or globally to all clients, personally unless you have certain requirements you do not need to customise these, however I do customise a couple of settings these are:

NOTE : These setting are custom (partially) to this environment, you will have different requirements

Captive Portal Detection > Web Proxy : Disable web proxy during hotspot authentication

Compression > On/Off : Disable Compression
Display > Screen Setting : Stay Awake, Never Sleep

Location > Data Reporting On/Off : On, all clients

Login > Default Credentials : Windows User

Miscellaneous > Device ID Preservation: Preserve existing device ID

Network Diagnostic Reports > Allow Users to Diagnose Network Problems : Disabled

Permissions > Connection Default Override : Unticked

Permissions > Default Credentials Override : Unticked

Security > Encryption Type > AES256
Virtual Address > Allocation Method: IPv4 : Address Pool

Setup : Authentication Settings

Careful, there be dragons here - especially in this section

This is where you need to configure how the client and devices authenticate to the NPS server, changes to this area without understanding will cause large issues on your environment, ensure you know what you are doing before making changes, this is guide on how to set it up, it should be used as reference not as a troubleshooting workflow.

These settings are custom to this guide, unless you understand the workflow you should not be changing values based on this blog entry, you can cause more issues than you solve, careful, you will also need setting from the NPS server section to complete this and allow people to connect.

The main policies are shown below:

The orange box is required for "all" configurations, the red box is required for device authentication or "DA" and the green box is required for user authentication or "UA" - regardless of configuration you require the orange box configured and a red or green box.

However before you can configure the orange box you first need to choose between device authentication or user authentication - should have made one blue, so its like taking the pill in the Matrix.

Setup : Authentication Settings Warning

A thing to note is that this guide covers both Device and User authentication, when you set the policy you can set the policy on device groups, however remember all devices that absolute does not know about will need to start off in the "New" device group - or more technically its the group where the "default group for new devices" is ticked.

Note : It is not a good idea to have both policies setup as the "New" group needs to have one policy assigned to it, that will either be a "device" authentication profile or a "user" authentication profile, please note that many people will follow one or the other not both.

Note : Once the laptop is know to Absolute you can assign it to a device group the both Device/User is supported but the "New" group cannot be both - so that means new devices will only allow device or user.

Setup : Authentication Settings - Device Authentication

Navigate to Configure > Authentication Settings as below:

Then you want the new option:

Then give the policy a name:

This is the Device Authentication, so first you need to set the mode to "Unattended" this is from Authentication > Mode:

NOTE : Ensure you do not put settings in the USER section of the policy, you need DEVICE

Next, set the settings under RADIUS: Device Authentication > NAS ID, this needs to be set to the NPS server expected NAS ID which is DA for this example:

Next, you need the NPS servers under RADIUS: Device Authentication - Servers you need to add the IP addresses of the NPS servers, by using the Add button:

You will need the IP address, the Port which is 1812 unless you have customised it, then the shared secret you created back in the NPS setup.

Then you should see them all there on port 1812 as below:

That concludes the Device Authentication policy.

Setup : Authentication Settings - User Authentication

Navigate to Configure > Authentication Settings as below:

Then you want the new option:

Then give the policy a name:

This is the Device Authentication, so first you need to set the mode to "Unattended" this is from Authentication > Mode:

NOTE : Ensure you do not put settings in the DEVICE section of the policy, you need USER

Next, set the settings under RADIUS: User Authentication > NAS ID, this needs to be set to the NPS server expected NAS ID which is DA for this example:

Next, you need the NPS servers under RADIUS: User Authentication - Servers you need to add the IP addresses of the NPS servers, by using the Add button:

You will need the IP address, the Port which is 1812 unless you have customised it, then the shared secret you created back in the NPS setup.

Then you should see them all there on port 1812 as below:

That concludes the User Authentication policy.

Setup : Device Groups

This guide will only cover the creation of the first device group, with a device group you can apply both client and authentication setting to that groups, which makes administration very easy, so to create one navigate to Configure > Device Groups.....

Once here add a new one:

Give it a name, obviously:

Then you need to navigate to "Client Settings" to set the Authentication settings:

Under the device settings tree, you will see that group click on it and then find the Authentication Settings Profile

You will then need to give it the authentication policy from the last step.

Setup : Policy for split tunnels

This is the last section in this guide, and it will only show you how to setup the recommended routing for sending traffic down the tunnel of not, for that go to Policy > Policy Management

Then go to Rules and you need to create the options below:

So to complete this choose New, give the policy the name as per above and the contents of the policy are as follows:

Setup : Inside Tunnel Policy

This is the first policy and the Action is as below:

Then in the definition at the bottom select the hosts and website in blue and add your internal domains with the *.domain so for example *.bear.local

This will then route all your domain traffic inside the tunnel - magic.

Setup : Outside Tunnel Policy

This is the first policy and the Action is as below:

Then in the hosts just add a * entry for everything that is not in the other rule.....

The pop to rule sets....

Give this new policy a relevant name:

Then add those rules to the ruleset:

You do get more options like policies and Network Access Control (NAC) however as these are very much tailed to your company requirements they cannot really be explained in a generic guide in to much detail.

That completes the guide.