Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
2K views

Module 7: Installing, Configuring, and Troubleshooting The Network Policy Server

This document provides an overview and instructions for installing, configuring, and troubleshooting the Network Policy Server (NPS) role service in Windows Server 2008. It covers topics such as installing and configuring an NPS, configuring RADIUS clients and servers, authentication methods, and monitoring and troubleshooting an NPS. Demonstrations show how to perform tasks like installing NPS, configuring settings and connection policies, and setting up logging.

Uploaded by

健康生活園Healthy Life Garden
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
2K views

Module 7: Installing, Configuring, and Troubleshooting The Network Policy Server

This document provides an overview and instructions for installing, configuring, and troubleshooting the Network Policy Server (NPS) role service in Windows Server 2008. It covers topics such as installing and configuring an NPS, configuring RADIUS clients and servers, authentication methods, and monitoring and troubleshooting an NPS. Demonstrations show how to perform tasks like installing NPS, configuring settings and connection policies, and setting up logging.

Uploaded by

健康生活園Healthy Life Garden
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 30

Module 7: Installing,

Configuring, and
Troubleshooting the
Network Policy Server
Role Service
Module Overview
• Installing and Configuring a Network Policy Server

• Configuring RADIUS Clients and Servers

• NPS Authentication Methods

• Monitoring and Troubleshooting a Network Policy Server


Lesson 1: Installing and Configuring a Network
Policy Server
• What Is a Network Policy Server?

• Network Policy Server Usage Scenarios

• Demonstration: How to Install the Network Policy Server

• Tools Used for Managing a Network Policy Server

• Demonstration: Configuring General NPS Settings


What Is a Network Policy Server?

Windows Server 2008 Network Policy Server (NPS):

• RADIUS server

• RADIUS proxy

• Network Access Protection


Network Policy Server Usage Scenarios

NPS is used for the following scenarios:

• Network Access Protection


• Enforcement for IPsec traffic
• Enforcement for 802.1x wired and wireless
• Enforcement for DHCP
• Enforcement for VPN

• Secure Wired and Wireless Access

• RADIUS

• Terminal Server Gateway


Demonstration: How to Install the Network
Policy Server

In this demonstration, you will see how to install the


Network Policy Server
Tools Used for Managing a Network Policy Server

Tools used to manage NPS include:

• NPS MMC Console

• Netsh command line to configure all aspects of NPS, such as:


• NPS Server Commands
• RADIUS Client Commands
• Connection Request Policy Commands
• Remote RADIUS Server Group Commands
• Network Policy Commands
• Network Access Protection Commands
• Accounting Commands
Demonstration: Configuring General NPS Settings

In this demonstration, you will see how to configure


general NPS settings
Lesson 2: Configuring RADIUS Clients and Servers
• What Is a RADIUS Client?

• What Is a RADIUS Proxy?

• Demonstration: Configuring a RADIUS Client

• Configuring Connection Request Processing

• What Is a Connection Request Policy?

• Demonstration: Creating a New Connection Request Policy


What Is a RADIUS Client?

• NPS is a RADIUS server

• RADIUS clients are network access servers, such as:


• Wireless access points
• 802.1x authenticating switches
• VPN servers
• Dial-up servers

• RADIUS clients send connection requests and accounting


messages to RADIUS servers for authentication, authorization,
and accounting
What Is a RADIUS Proxy?

A RADIUS proxy receives connection attempts from RADIUS


clients and forwards them to the appropriate RADIUS server or
another RADIUS proxy for further routing

A RADIUS proxy is required for:

• Service providers offering outsourced dial-up, VPN,


or wireless network access services

• Providing authentication and authorization for user


accounts that are not Active Directory members

• Performing authentication and authorization using


a database that is not a Windows account database

• Load-balancing connection requests among


multiple RADIUS servers

• Providing RADIUS for outsourced service providers


and limiting traffic types through the firewall
Demonstration: Configuring a RADIUS Client

In this demonstration, you will see how to:


• Add a new RADIUS client to NPS

• Configure Routing and Remote Access as a RADIUS client


Configuring Connection Request Processing
Configuration Description

Local vs. RADIUS • Local authentication takes place against the local
authentication security account database or Active Directory.
Connection policies exist on that server.
• RADIUS authentication forwards the connection
request to a RADIUS server for authentication against
a security database. RADIUS maintains a central store
of all the connection policies.
RADIUS server Used where one or more RADIUS servers are capable of
groups handling connection requests. The connection requests
are load-balanced on criteria specified during the
creation of the RADIUS server group if there is more
than one RADIUS server in the group.
Default ports for The ports required for accounting and authentication
accounting and requests being forwarded to a RADIUS server are
authentication using UDP 1812/1645 and UDP 1813/1646.
RADIUS
What Is a Connection Request Policy?

Connection Request policies are sets of conditions and


settings that designate which RADIUS servers perform the
authentication and authorization of connection requests
that NPS receives from RADIUS clients

Connection Request policies include:

• Conditions, such as: • Settings, such as:


• Framed Protocol • Authentication
• Service Type • Accounting
• Tunnel Type • Attribute Manipulation
• Day and Time restrictions • Advanced settings

Custom Connection Request policies are required to


forward the request to another proxy or RADIUS server or
server group for authorization and authentication, or to
specify a different server for accounting information
Demonstration: Creating a New Connection
Request Policy
In this demonstration, you will see how to:
• Use the Connection Request Policy wizard to create a new
connection request policy
• Disable or delete a connection request policy
Lesson 3: NPS Authentication Methods
• Password-Based Authentication Methods

• Using Certificates for Authentication

• Required Certificates for NPS Authentication Methods

• Deploying Certificates for PEAP and EAP


Password-Based Authentication Methods

Authentication methods for an NPS server include:

• MS-CHAPv2

• MS-CHAP

• CHAP

• PAP

• Unauthenticated access
Using Certificates for Authentication

Certificate-based authentication in NPS:

• Certificate types:
• CA certificate: Verifies the trust path of other certificates
• Client computer certificate: Issued to the computer to prove its
identity to NPS during authentication
• Server certificate: Issued to an NPS server to prove its identity
to client computers during authentication
• User certificate: Issued to individuals to prove their identity to
NPS servers for authentication

• Certificates can be obtained from public CA providers or you


can host your own Active Directory certificate services

• To specify certificate-based authentication in a network policy,


configure the authentication methods on the Constraints tab
Required Certificates for NPS Authentication Methods

All certificates must meet the requirements for X.509 and must
work for connections that use SSL/TLS

Type Requirements
Server • Must contain a Subject attribute that is not NULL
certificates • Must chain to a trusted-root CA

• Configured with Server Authentication purpose in EKU extensions

• Configured with required algorithm of RSA with a minimum 2048 key


length
• Subject Alternative Name extension, if used, must contain the DNS name

Client • Issued by an Enterprise CA or mapped to an account in Active Directory


certificates • Must chain to a trusted-root CA

• For computer certificates, the Subject Alternative Name must contain


the FQDN
• For user certificates, the Subject Alternative Name must contain the UPN
Deploying Certificates for PEAP and EAP

• For Domain Computer and User accounts, use the auto-enrollment


feature in Group Policy

• Nondomain member enrollment requires an administrator


to request a user or computer certificate using the
CA Web Enrollment tool

• The administrator must save the computer or user certificate to a


floppy disk or other removable media, and manually install the
certificate on the nondomain member computer

• The administrator can distribute user certificates on a smart card


Lesson 4: Monitoring and Troubleshooting a
Network Policy Server
• Methods Used to Monitor NPS

• Configuring Log File Properties

• Configuring SQL Server Logging

• Configuring NPS Events to Record in the Event Viewer


Methods Used to Monitor NPS

NPS monitoring methods include:

• Event logging
• The process of logging NPS events in the System Event log
• Useful for auditing and troubleshooting connection attempts

• Logging user authentication and accounting requests


• Useful for connection analysis and billing purposes
• Can be in a text format
• Can be in a database format within a SQL instance
Configuring Log File Properties

Use the NPS console to configure logging:

1 Open NPS from the Administrative Tools menu

2 In the console tree, click Accounting

3 In the details pane, click Configure Local File Logging

4 On the Settings tab, select the information to be logged

On the Log File tab, select the log type and the frequency
5 or size attributes of the log files to be generated

Log files should be stored on a separate partition from the system


partition:
If RADIUS accounting fails due to a full hard disk, NPS stops
processing connection requests
Configuring SQL Server Logging

You can use SQL to log RADIUS accounting data:


• Requires SQL to have a stored procedure
named report_event

• NPS formats accounting data as an XML document

• Can be a local or remote SQL Server database


Configuring NPS Events to Record in the Event Viewer

How do I configure NPS events to be recorded in Event Viewer?

• NPS is configured by default to record failed connections and


successful connections in the event log
• You can change this behavior on the General tab of the
Properties sheet for the network policy
• Common request failure events
• What information does the failure event record?
• What information does the success event record?

What is Schannel logging, and how do I configure it?


• Schannel is a security support provider that supports a set of
Internet security protocols
• You can configure Schannel logging in the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurityProviders\SCHANNEL\EventLogging
Lab: Configuring and Managing Network Policy Server
• Exercise 1: Installing and Configuring the Network Policy
Server Role Service
• Exercise 2: Configuring a RADIUS Client

• Exercise 3: Configuring Certificate Auto-Enrollment

Logon information
Virtual machine 6421A-NYC-DC1 and
6421A-NYC-SVR1
User name Administrator
Password Pa$$w0rd

Estimated time: 60 minutes


Lab Review
• What does a RADIUS proxy provide?

• What is a RADIUS client, and what are some examples of


RADIUS clients?
Module Review and Takeaways
• Review questions

• Best Practices

• Security Issues

• Tools
Notes Page Over-flow Slide. Do Not Print Slide.
See Notes pane.
Notes Page Over-flow Slide. Do Not Print Slide.
See Notes pane.

You might also like