Secure remote access is a critical requirement for many organizations. While many VPN technologies exist, combining Secure Socket Tunneling Protocol (SSTP) with centralized RADIUS authentication provides a robust approach that balances strong encryption, firewall-friendliness, and scalable authentication and accounting. This article offers a detailed, step-by-step technical integration guide designed for site administrators, developers, and IT teams tasked with deploying a production-grade SSTP service backed by RADIUS.
Why choose SSTP with RADIUS?
SSTP uses SSL/TLS over TCP (typically TCP 443) to encapsulate PPP traffic. This makes it:
- Firewall-friendly — uses port 443, commonly open on restrictive networks.
- SSL/TLS-based — benefits from established PKI and cipher suites.
- Integrated with Windows — native support on many Windows clients without third-party software.
RADIUS (Remote Authentication Dial-In User Service) provides centralized authentication, authorization, and accounting (AAA). When integrated with SSTP, RADIUS offers:
- Centralized user management and policy enforcement
- Support for MFA and external identity stores (LDAP/AD)
- Session logging and accounting for audits and billing
Combining the two provides a scalable, auditable, and secure remote access solution that fits enterprise needs.
High-level architecture
Typical components in the integrated architecture:
- VPN Server (SSTP endpoint) — a Windows Server running Routing and Remote Access Service (RRAS), or a Linux host running an SSTP implementation (e.g., accel-ppp, which handles SSTP, PPP and RADIUS in one daemon, or the sstp-server project in front of pppd).
- RADIUS Server — FreeRADIUS, Microsoft NPS, or commercial RADIUS services (e.g., Cisco ISE, ClearPass).
- Directory/Identity Provider — Active Directory, LDAP, or cloud identity providers (via RADSec/proxy or connectors).
- Clients — Windows, macOS (with third-party SSTP client), mobile devices (where supported), and custom clients.
Prerequisites and planning
Before implementing, plan for the following:
- Certificate infrastructure: SSTP requires a server certificate that clients trust, with the public FQDN in the Subject Alternative Name. Use a public CA or an internal PKI with trust distribution. The Windows SSTP client also checks revocation by default, so the certificate's CRL or OCSP endpoint must be reachable from the client before the tunnel exists (i.e., from the public Internet, not only from the internal network).
- RADIUS selection: Choose a server that supports your required authentication methods (EAP, PAP, CHAP, MS-CHAPv2), accounting, and MFA integration.
- Network layout: Ensure port 443/TCP reaches the SSTP endpoint; RADIUS (UDP 1812/1813 commonly) must be accessible from the VPN server to the RADIUS server(s), considering redundancy and load balancing.
- Security policies: Decide allowed ciphers, EAP types (e.g., EAP-MSCHAPv2 for Windows), session timeouts, and authorization attributes.
- Logging & monitoring: Configure syslog, RADIUS accounting streams, and VPN logs for security and compliance.
Step 1 — Provision a trusted SSTP certificate
Acquire a certificate whose Subject Alternative Name (SAN) contains the public FQDN clients connect to (e.g., vpn.example.com); current clients ignore the Common Name, so a CN-only certificate fails name validation. For public trust, obtain it from a public CA (Let's Encrypt works, but its 90-day lifetime means renewal and re-binding of the certificate on the VPN server must be automated). For internal-only deployments, use an internal CA and push trust to clients via Group Policy or MDM.
Key technical details:
- Key: RSA 2048 bits or more (3072/4096 for long-lived certificates) or ECDSA P-256/P-384.
- Signature: SHA-256 or stronger.
- Extended Key Usage (EKU): Server Authentication.
- Validity period: align with CA policy; automate renewal if using short-lived certificates.
Step 2 — Configure the SSTP server
Windows Server (RRAS)
Steps:
- Install the Remote Access role and enable VPN (Routing and Remote Access Service).
- In the RRAS console, right-click the server → Properties → Security tab → under SSL Certificate Binding select the installed server certificate.
- Enable SSTP ports: under Ports → Properties → WAN Miniport (SSTP), allow remote access connections and size the port count to the expected number of concurrent users.
- Configure IP address assignment — static pool or DHCP relay. Ensure IP pool and routing match internal resources and DNS.
- Configure NAT or firewall rules to forward TCP 443 to the SSTP server if behind edge devices.
Important settings:
- Authentication provider: on the same Security tab, set the authentication provider to RADIUS Authentication (and the accounting provider to RADIUS Accounting), adding each RADIUS server with its shared secret, port and timeout. With RADIUS in use, the permitted methods (EAP-MSCHAPv2 for username/password, EAP-TLS for client certificates) are decided by the RADIUS policy, so RRAS only needs EAP enabled.
- Keep PAP disabled unless a component genuinely needs it (typically OTP-based MFA, which must see the cleartext password). The SSTP tunnel protects PAP between client and VPN server, but on the RADIUS leg the User-Password attribute is only XOR-masked with MD5(shared secret, Request Authenticator), so anyone who holds or brute-forces the secret recovers it; if PAP is required, keep the RADIUS path on an isolated network or use RadSec (RADIUS over TLS).
Linux-based SSTP
Common patterns involve using stunnel or sstp-server implementations. Example components:
- stunnel providing TLS termination using the certificate above.
- sstp-client/server or pppd to handle PPP negotiation and user authentication.
- A RADIUS client in the PPP layer: pppd's radius.so plugin, pointed at a radiusclient.conf that lists the RADIUS server and shared secret, forwards authentication and accounting; accel-ppp has a built-in RADIUS module. (radclient is FreeRADIUS's command-line test tool, useful in Step 5, not a client library.)
Key tips:
- Terminate TLS in a hardened context (hardened OpenSSL config, TLS 1.2/1.3 only, disable weak ciphers).
- Match pppd options to what RADIUS will evaluate: require-mschap-v2 for MS-CHAPv2 (plus require-mppe-128 if you mandate MPPE). With the RADIUS plugin loaded, credentials are checked by RADIUS rather than against the local chap-secrets file, so do not seed that file with user passwords.
Step 3 — Deploy and configure RADIUS
FreeRADIUS (example)
FreeRADIUS is popular and highly configurable. Core steps:
- Install FreeRADIUS and, if IP addresses are to be allocated by RADIUS, enable rlm_sqlippool (preferred) or the older rlm_ippool.
- Define the SSTP server as a client in clients.conf with a shared secret and correct IP address.
- Configure the users file or integrate with LDAP/Active Directory as the authentication backend. For AD, configure rlm_ldap with the correct bind DN, search filters and group-membership logic; note that rlm_ldap's bind-based authentication only works for PAP.
- Enable the eap and mschap modules if required. rlm_mschap needs the user's NT hash, which Active Directory does not expose over LDAP, so either join the RADIUS host to the domain and point rlm_mschap at Samba's ntlm_auth (winbind), or proxy MS-CHAPv2 requests to an NPS server.
- Configure accounting to log sessions: rlm_sql writing Accounting-Start/Stop/Interim-Update records to the radacct table, or rlm_detail flat files.
Security notes:
- Use long random shared secrets and rotate them periodically. Everything RADIUS protects with the secret (User-Password masking, MS-MPPE key wrapping, the Response Authenticator, Message-Authenticator) is MD5 or HMAC-MD5 keyed with it, so a captured Access-Request/Access-Accept pair lets an attacker brute-force a weak secret offline.
- Restrict access to the RADIUS server with firewall rules and bind it only to the required interfaces; treat plain RADIUS as an internal-only protocol and use RadSec (RFC 6614) or IPsec where it must cross an untrusted network.
Microsoft NPS (Network Policy Server)
NPS integrates seamlessly with Active Directory and is a common choice in Windows-centric environments.
- Install NPS role on a server joined to AD.
- Register NPS in Active Directory to allow it to read user attributes.
- Add the SSTP server as a RADIUS client with shared secret.
- Create Connection Request Policies and Network Policies to select authentication methods (EAP-MSCHAPv2, PEAP) and enforce conditions (e.g., AD group membership).
- Enable accounting to capture session records; optionally forward to a centralized SIEM.
Step 4 — Configure RADIUS attributes for authorization and assignment
RADIUS can return attributes to control session behavior. Typical useful attributes:
- Framed-IP-Address — assign a specific IP to a user.
- Framed-Route or Filter-Id — to push route or firewall policies.
- Filter-Id and Framed-Route are enforced on the VPN server. On Windows SSTP clients, split versus full tunnel is decided by the client profile ("Use default gateway on remote network" or routes in the VPN profile), not by RADIUS, so server-side filters must not assume the client sends all traffic through the tunnel.
- Session-Timeout and Idle-Timeout — enforce session lifetimes.
- Vendor-Specific Attributes (VSAs) — used for vendor features; the Microsoft VSAs (RFC 2548) matter most here, e.g., MS-MPPE-Send-Key/MS-MPPE-Recv-Key carrying the MPPE session keys and MS-Primary-DNS-Server for client DNS.
For example, FreeRADIUS can run an SQL query keyed on the user's group membership and return Framed-IP-Address and Filter-Id, placing each group on its own subnet and firewall policy.
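As an added illustration (not code from the original article, FreeRADIUS or any RADIUS product), the following Python models the wire-level exchange those attributes ride on: the VPN server builds a PAP Access-Request with a masked User-Password and a Message-Authenticator; a mock RADIUS server verifies it, looks the user up in a small in-memory policy table standing in for the SQL/group query, and answers with an Access-Accept carrying Framed-IP-Address and Filter-Id (or an Access-Reject); the VPN server then validates the Response Authenticator before acting on the attributes. The shared secret, the user table, the username/password and all function names are constructed for the demo; the packet encoding follows RFC 2865 and RFC 3579. It also shows why the shared secret matters: reveal_password recovers the PAP password from a captured request with nothing but the secret.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FILTER_ID, MESSAGE_AUTHENTICATOR = 1, 2, 8, 11, 80

# Constructed demo data standing in for the real shared secret and the SQL/group lookup.
SECRET = b"k7Qp!2vLx9#sRw4eTz8uYb3nMc6hJd1f"
USERS = {"alice": {"password": "Winter2024!", "ip": (10, 20, 0, 5), "filter": "vpn-finance"}}

def encode_attrs(attrs):
    # Type(1) Length(1) Value, as RADIUS expects.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2 User-Password masking: XOR 16-byte blocks with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        out += (prev := bytes(x ^ y for x, y in zip(padded[i:i + 16], block)))
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password: whoever holds the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed);
    replies are keyed by the Request Authenticator and then get a Response Authenticator."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_packet(packet):
    """Return (code, ident, authenticator, [(type, value)], offset of Message-Authenticator)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs, ma_off, i = [], None, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        ma_off = i + 2 if t == MESSAGE_AUTHENTICATOR else ma_off
        attrs.append((t, packet[i + 2:i + l]))
        i += l
    return code, ident, packet[4:20], attrs, ma_off

def verify(packet, secret, request_auth=None):
    """Check the Message-Authenticator and, for a reply to request_auth, the Response Authenticator."""
    _, _, auth, _, ma_off = parse_packet(packet)
    if ma_off is None:
        return False  # refuse unsigned packets instead of falling back to the weaker check
    keyed = auth if request_auth is None else request_auth
    zeroed = packet[:4] + keyed + packet[20:ma_off] + b"\x00" * 16 + packet[ma_off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[ma_off:ma_off + 16]):
        return False
    return request_auth is None or hmac.compare_digest(
        hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest(), auth)

def client_access_request(username, password, secret, ident=7):
    """What the VPN server (NAS) sends for a PAP login."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(secret, request_auth, password.encode()))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs, secret), request_auth

def server_handle(packet, secret, users):
    """RADIUS side: Accept with authorization attributes, Reject, or None (silent discard)."""
    if not verify(packet, secret):
        return None  # RFC 3579: a request with a bad Message-Authenticator is dropped, not rejected
    _, ident, request_auth, attrs, _ = parse_packet(packet)
    a = dict(attrs)
    policy = users.get(a.get(USER_NAME, b"").decode(errors="replace"))
    password = reveal_password(secret, request_auth, a.get(USER_PASSWORD, b""))
    if policy is None or password != policy["password"].encode():
        return build_packet(ACCESS_REJECT, ident, request_auth, [], secret)
    reply = [(FRAMED_IP_ADDRESS, bytes(policy["ip"])), (FILTER_ID, policy["filter"].encode())]
    return build_packet(ACCESS_ACCEPT, ident, request_auth, reply, secret)

def run_exchange(username, password, secret=SECRET):
    """Full round trip as the NAS sees it: (code, {attribute type: value})."""
    req, request_auth = client_access_request(username, password, secret)
    resp = server_handle(req, secret, USERS)
    if resp is None or not verify(resp, secret, request_auth=request_auth):
        raise ValueError("no authentic reply: wrong secret, spoofed or tampered packet")
    code, _, _, attrs, _ = parse_packet(resp)
    return code, dict(attrs)
```

run_exchange("alice", "Winter2024!") returns code 2 with the Framed-IP-Address and Filter-Id values; a wrong password returns code 3. A reply built with a different secret, or altered in transit, fails verify and is discarded, which is the mechanism behind the "RADIUS logged an accept but the VPN server still failed the login" symptom under Troubleshooting.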
Step 5 — Test authentication flows and failover
Testing checklist:
- Validate certificate chain on client devices — ensure no warnings and TLS negotiation parameters are acceptable.
- Test successful authentication with a known user; verify RADIUS access-accept and accounting start messages.
- Test failed authentication and verify access-reject behavior and logging.
- Test policy enforcement — ensure Filter-Id or assigned IP and routes are applied after connection.
- Verify accounting stop messages when disconnecting and that session records are complete.
For redundancy:
- On the VPN server, configure at least two RADIUS servers (primary/secondary with sensible timeout and retry values, or a load balancer in front of them); on the RADIUS side, every VPN server must be defined as a client, with the same secret, on every RADIUS node.
- Use a shared accounting store (SQL) so that session records and any RADIUS-managed IP pools stay consistent across RADIUS nodes.
Step 6 — Integrate Multi-Factor Authentication (MFA)
MFA significantly improves security. Approaches:
- Proxy RADIUS through an MFA vendor's RADIUS front end (Duo Authentication Proxy, Okta RADIUS agent) that validates the first factor against your directory or existing RADIUS server and then adds the second factor.
- In Windows-centric environments, use the NPS extension for Azure MFA (Microsoft Entra multifactor authentication), or place Duo's Authentication Proxy in front of NPS.
- Use EAP-TLS with client certificates as the possession factor, combined with a password or OTP as the knowledge factor.
Implementation tip: the Windows SSTP client cannot display an arbitrary second prompt, and MS-CHAPv2 carries nothing but the password-derived challenge/response, so OTP entry through MS-CHAPv2 is not possible. Workable patterns are out-of-band approval (push or phone call) triggered by the RADIUS proxy after the primary authentication succeeds, an OTP appended to the password over PAP, or certificates. In every case, set the VPN server's RADIUS timeout longer than the MFA round trip so the request is not retransmitted while the user is still approving it.
Hardening and operational best practices
To maintain a secure service:
- Enforce modern TLS: TLS 1.2/1.3 only, strong ciphers, and disable renegotiation where unnecessary.
- Limit administrative access to the SSTP and RADIUS servers; use jump hosts and MFA for admin sessions.
- Monitor logs centrally and enable alerts for multiple failed authentications, unusual session durations, or unusual bandwidth patterns.
- Rotate RADIUS secrets regularly and use unique secrets per client where possible.
- Patch dependencies (OpenSSL/OS/RADIUS software) quickly and test in staging first.
- Pen-test the deployment, including certificate validation, RADIUS attribute enforcement, and split-tunnel policies.
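As an added example (not from the original article), this Python sketch applies the "multiple failed authentications" alert above to FreeRADIUS-style radius.log lines. The sample lines are constructed to match the "Login OK / Login incorrect (reason): [user] (from client NAME port N cli ADDR)" skeleton of FreeRADIUS 3 Auth logging and are not real traffic; the thresholds and window are arbitrary defaults. It flags a single user or a single source address crossing a failure threshold within a sliding window, and also password spraying (one source failing against several distinct usernames), which per-user counters alone miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of FreeRADIUS 3.x radius.log "Auth:" lines. The reason
# text varies by module; only the "Login OK/incorrect ... [user] (from client NAME port N
# cli ADDR)" skeleton is relied on. Not real traffic.
SAMPLE_LOG = """\
Fri Mar 15 10:00:01 2024 : Auth: (101) Login OK: [alice] (from client sstp-gw1 port 0 cli 198.51.100.7)
Fri Mar 15 10:00:10 2024 : Auth: (102) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client sstp-gw1 port 0 cli 203.0.113.5)
Fri Mar 15 10:00:40 2024 : Auth: (103) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client sstp-gw1 port 0 cli 203.0.113.5)
Fri Mar 15 10:01:15 2024 : Auth: (104) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client sstp-gw1 port 0 cli 203.0.113.5)
Fri Mar 15 10:02:02 2024 : Auth: (105) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client sstp-gw1 port 0 cli 203.0.113.5)
Fri Mar 15 10:02:50 2024 : Auth: (106) Login incorrect (mschap: External script says Logon failure (0xc000006d)): [bob] (from client sstp-gw1 port 0 cli 203.0.113.5)
Fri Mar 15 10:05:00 2024 : Auth: (107) Login incorrect (pap: Cleartext password does not match "known good" password): [carol] (from client sstp-gw1 port 0 cli 198.51.100.9)
Fri Mar 15 10:05:03 2024 : Auth: (108) Login incorrect (pap: Cleartext password does not match "known good" password): [dave] (from client sstp-gw1 port 0 cli 198.51.100.9)
Fri Mar 15 10:05:07 2024 : Auth: (109) Login incorrect (pap: Cleartext password does not match "known good" password): [erin] (from client sstp-gw1 port 0 cli 198.51.100.9)
Fri Mar 15 10:06:00 2024 : Info: Ready to process requests
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^()]*(?:\([^()]*\)[^()]*)*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port \d+ cli (?P<cli>\S+)\)$")

def parse_line(line):
    """Return a dict for an Auth line, or None for anything else (never raise on junk)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return e

def detect(lines, threshold=5, window_s=300, spray_users=3):
    """Sliding-window detection over Auth lines. Returns (kind, key, timestamp) alerts:
    bruteforce-user / bruteforce-source when failures for one user or one source address
    reach `threshold` within `window_s` seconds; password-spray when one source fails
    against `spray_users` distinct usernames within the window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails_by_user, fails_by_cli = defaultdict(deque), defaultdict(deque)
    users_by_cli, sprayed, alerts = defaultdict(dict), set(), []
    for e in events:
        if e["result"] != "incorrect":
            continue
        for kind, key, store in (("bruteforce-user", e["user"], fails_by_user),
                                 ("bruteforce-source", e["cli"], fails_by_cli)):
            q = store[key]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) == threshold:  # fire as the count crosses the line, not on every later failure
                alerts.append((kind, key, e["ts"]))
        seen = users_by_cli[e["cli"]]  # username -> last failure time from this source
        seen[e["user"]] = e["ts"]
        for stale in [u for u, t in seen.items() if (e["ts"] - t).total_seconds() > window_s]:
            del seen[stale]
        if len(seen) >= spray_users and e["cli"] not in sprayed:
            sprayed.add(e["cli"])
            alerts.append(("password-spray", e["cli"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for kind, key, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {key}")
```

On the sample, bob's fifth failure raises both a per-user and a per-source alert at 10:02:50, and the three different usernames tried from 198.51.100.9 raise a password-spray alert even though no single user exceeds the threshold. For NPS, the equivalent signal is Windows event 6273 (reason codes 16 and 21) and the IAS/NPS accounting log; the windowing logic is the same.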
Troubleshooting common issues
Client shows TLS/certificate errors
Verify that the served certificate chain is complete, that the SAN matches the FQDN the client dials, and that clients trust the issuing CA. Also check that the CRL or OCSP URL in the certificate is reachable from the client's network, since the Windows SSTP client refuses to connect when revocation cannot be checked. Capture the TLS handshake to confirm which certificate is actually served and which protocol version and cipher were negotiated.
Authentication fails although RADIUS logs an Access-Accept
First suspect a shared-secret mismatch: the VPN server validates the Response Authenticator with its own copy of the secret and silently discards an Accept it cannot verify, and the MS-MPPE-Send-Key/MS-MPPE-Recv-Key attributes it needs to bring up MPPE are wrapped with the same secret. Then check for EAP method mismatches between client, VPN server and RADIUS policy, and read the PPP/MS-CHAP negotiation messages in the VPN server log.
No accounting records
Confirm that RADIUS accounting is enabled on the SSTP server (in RRAS the accounting provider, port and secret are configured separately from authentication) and that the RADIUS server listens for and processes accounting packets (UDP 1813 or the configured port) from that VPN server's address.
Conclusion
Integrating SSTP with RADIUS results in a secure, scalable remote access solution suitable for enterprises and service providers. The keys to a successful deployment are a trusted certificate for TLS termination, correctly configured RADIUS policies for centralized authentication and authorization, robust logging and monitoring, and appropriate hardening practices. Follow the steps above to build an SSTP+RADIUS deployment that meets security and operational requirements while providing a seamless experience for users.
For additional resources and deployment examples, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.