Module 6: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
NPS provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured as a RADIUS server or proxy. Additionally, NPS provides functionality that is essential for the implementation of Network Access Protection (NAP). This module explains how to install, configure, and troubleshoot NPS.
Lessons
Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server
Lab : Configuring and Managing Network Policy Server
Installing and Configuring the Network Policy Server Role Service
Configuring a RADIUS Client
Configuring Certificate Auto-Enrollment
Configuring and Testing the VPN
After completing this module, students will be able to:
Install and configure NPS.
Configure RADIUS clients and servers.
Describe NPS authentication methods.
Monitor and troubleshoot NPS.
2. Module Overview
• Installing and Configuring a Network Policy Server
• Configuring RADIUS Clients and Servers
• NPS Authentication Methods
• Monitoring and Troubleshooting a Network Policy Server
3. Lesson 1: Installing and Configuring a Network Policy Server
• What Is a Network Policy Server?
• Demonstration: How to Install the Network Policy Server
• Tools Used for Managing a Network Policy Server
• Demonstration: How to Configure General NPS Settings
4. What Is a Network Policy Server?
Windows Server 2008 R2 Network Policy Server (NPS):
• RADIUS server
• RADIUS proxy
• NAP policy server
5. Demonstration: How to Install the Network Policy Server
In this demonstration, you will see how to:
• Install the NPS role
• Register NPS in AD DS
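The two demonstration steps above, installation and AD DS registration, done from an elevated PowerShell prompt on Windows Server 2008 R2. This is an added example and not the course's own lab script; the backup path is a placeholder.

```powershell
# Added example (not the course's lab steps): install the NPS role service, register the
# server in AD DS, verify, and take a configuration backup. Run as a domain administrator
# in an elevated PowerShell session on Windows Server 2008 R2.
Import-Module ServerManager

# NPAS-Policy-Server is the Network Policy Server role service of the
# Network Policy and Access Services (NPAS) role.
$result = Add-WindowsFeature -Name NPAS-Policy-Server
if (-not $result.Success) {
    throw "NPS installation failed (exit code $($result.ExitCode))"
}

# Registration adds this computer to the "RAS and IAS Servers" domain group so NPS can
# read the dial-in properties of user accounts. It is the same operation as
# "Register server in Active Directory" in the NPS console.
netsh nps add registeredserver
netsh nps show registeredserver

# The NPS service is named IAS (display name "Network Policy Server").
Get-Service -Name IAS | Select-Object Name, Status

# Back up the full configuration. exportPSK=YES includes every RADIUS shared secret in
# clear text, so the file must be protected like a password store (ACL it, move it off
# the server, or delete it after use).
$backup = 'C:\NPS-Backup\nps-config.xml'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
netsh nps export filename="$backup" exportPSK=YES
```

The exported XML is what `netsh nps import` consumes, so the same file restores a server or clones its configuration to a second NPS.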
6. Tools Used for Managing a Network Policy Server
Tools used to manage NPS include:
• The netsh nps command-line context, which configures all aspects of NPS through:
  • NPS server commands
  • RADIUS client commands
  • Connection request policy commands
  • Remote RADIUS server group commands
  • Network policy commands
  • Network Access Protection commands
  • Accounting commands
• The NPS MMC console
7. Demonstration: How to Configure General NPS Settings
In this demonstration, you will see how to:
• Configure a RADIUS server for VPN connections
• Save the configuration
8. Lesson 2: Configuring RADIUS Clients and Servers
• What Is a RADIUS Client?
• What Is a RADIUS Proxy?
• Demonstration: How to Configure a RADIUS Client
• What Is a Connection Request Policy?
• Configuring Connection Request Processing
• Demonstration: How to Create a New Connection Request Policy
9. What Is a RADIUS Client?
• RADIUS clients are network access servers, such as:
• Wireless access points
• 802.1X authenticating switches
• VPN servers
• Dial-up servers
• NPS is a RADIUS server
• RADIUS clients send connection requests and accounting
messages to RADIUS servers for authentication, authorization,
and accounting
10. What Is a RADIUS Proxy?
A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server, or to another RADIUS proxy for further routing.
A RADIUS proxy is required for:
• Service providers offering outsourced dial-up, VPN, or wireless network access services
• Providing authentication and authorization for user accounts that are not Active Directory members
• Performing authentication and authorization using a database that is not a Windows account database
• Load-balancing connection requests among multiple RADIUS servers
• Providing RADIUS for outsourced service providers and limiting traffic types through the firewall
11. Demonstration: How to Configure a RADIUS Client
In this demonstration, you will see how to:
• Configure a RADIUS client
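The demonstration step above, scripted: registering a network access server (here a wireless access point) as a RADIUS client of NPS with a freshly generated shared secret. This is an added example, not the course's own demonstration; the client name and IP address are placeholders.

```powershell
# Added example (not the course's demonstration): add a RADIUS client to NPS with a
# random 32-character shared secret. Client name and address are placeholders.
$clientName = 'AP-Floor1'    # placeholder friendly name
$clientIp   = '10.0.0.50'    # placeholder address of the access point

# Generate the secret from a CSPRNG. The alphabet has exactly 64 symbols, so taking each
# byte modulo 64 introduces no bias (256 is a multiple of 64). Letters, digits, '-' and '_'
# are safe to pass through netsh and to type into most access point UIs.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# requireauthattrib=YES makes NPS discard Access-Requests that lack a valid
# Message-Authenticator attribute, so a request must be authenticated with the shared
# secret rather than merely arriving from the client's IP address. Enable it unless the
# access point cannot send the attribute.
netsh nps add client name="$clientName" address="$clientIp" state="ENABLE" `
    sharedsecret="$secret" requireauthattrib="YES" napcompatible="NO" vendor="RADIUS Standard"

# Verify the entry (the secret itself is not displayed).
netsh nps show client

# Show the secret once so it can be entered on the access point; do not log or store it.
Write-Host "Configure this shared secret on ${clientName}: $secret"
```

The same secret must be entered on the access point; it is never transmitted by RADIUS, which is why a long random value generated once per client is the right approach rather than one secret shared across every client.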
12. What Is a Connection Request Policy?
Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients.
Connection Request policies include:
• Conditions, such as:
  • Framed Protocol
  • Service Type
  • Tunnel Type
  • Day and Time restrictions
• Settings, such as:
  • Authentication
  • Accounting
  • Attribute Manipulation
  • Advanced settings
Custom Connection Request policies are required to forward the request to another proxy, RADIUS server, or server group for authentication and authorization, or to specify a different server for accounting information.
13. Configuring Connection Request Processing
Configuration: Local vs. RADIUS authentication
• Local authentication takes place against the local security account database or Active Directory. The connection policies exist on that server.
• RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database. The RADIUS server maintains a central store of all the connection policies.
Configuration: RADIUS server groups
• Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, the connection requests are load-balanced according to the priority and weight specified when the group was created.
Configuration: Default ports for authentication and accounting using RADIUS
• Authentication requests forwarded to a RADIUS server use UDP port 1812 (legacy port 1645); accounting requests use UDP port 1813 (legacy port 1646). Any firewall between the proxy and the RADIUS server must allow the pair that the server is configured to listen on.
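The RADIUS server group row above, worked through on the proxy side: create a remote RADIUS server group and add two back-end NPS servers on the standard ports, with equal priority and weight so requests are balanced between them. This is an added example and not from the course; the group name, host names and secrets are placeholders, and the parameter names follow the netsh nps remote server group syntax (confirm them on your build with `netsh nps add remoteserver ?`).

```powershell
# Added example (not the course's lab): configure this NPS as a RADIUS proxy by creating
# a remote RADIUS server group with two members. Names and secrets are placeholders.
$group = 'Contoso-RADIUS-Servers'

# Each back-end server must have this proxy configured as a RADIUS client with the same
# secret. Literal secrets are used only to keep the example short; in production read
# them from a protected store rather than embedding them in a script.
$servers = @(
    @{ Address = 'NYC-DC1.contoso.com';  Secret = 'replace-with-long-random-secret-1'; Priority = 1; Weight = 50 },
    @{ Address = 'NYC-SVR1.contoso.com'; Secret = 'replace-with-long-random-secret-2'; Priority = 1; Weight = 50 }
)

netsh nps add remoteservergroup name="$group"

foreach ($s in $servers) {
    # Equal priority and equal weight: requests are balanced across both members.
    # A member with a higher priority number is used only when all priority-1 members
    # are unreachable. authport/acctport are the standard 1812/1813; use 1645/1646 only
    # for a legacy server that still listens there.
    netsh nps add remoteserver remoteservergroup="$group" address="$($s.Address)" `
        authsharedsecret="$($s.Secret)" acctsharedsecret="$($s.Secret)" `
        authport=1812 acctport=1813 priority=$($s.Priority) weight=$($s.Weight)
}

# Verify the group and its members.
netsh nps show remoteservergroup
```

A connection request policy whose authentication setting is "Forward requests to the following remote RADIUS server group" then ties this group to the requests it should handle; without such a policy the proxy keeps authenticating locally.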
14. Demonstration: How to Create a New Connection Request Policy
In this demonstration, you will see how to:
• Create a VPN connection request policy
15. Lesson 3: NPS Authentication Methods
• Password-Based Authentication Methods
• Using Certificates for Authentication
• Required Certificates for NPS Authentication Methods
• Deploying Certificates for PEAP and EAP
17. Using Certificates for Authentication
With NPS, you use certificates for network access authentication because they:
• Provide stronger security, since the private key never leaves the client or server and cannot be guessed
• Eliminate the need for less secure, password-based authentication methods
18. Required Certificates for NPS Authentication Methods
You require the following certificates to deploy certificate-based
authentication in NPS:
• CA certificate in the Trusted Root Certification
Authorities certificate store for the Local Computer
and Current User
• Client computer certificate in the certificate store of the client
• Server certificate in the certificate store of the NPS server
• User certificate on a smart card
19. Deploying Certificates for PEAP and EAP
• For Domain Computer and User accounts, use the auto-enrollment
feature in Group Policy
• Nondomain member enrollment requires an administrator
to request a user or computer certificate using the
CA Web Enrollment tool
• The administrator must save the computer or user certificate to a
floppy disk or other removable media, and manually install the
certificate on the nondomain member computer
• The administrator can distribute user certificates on a smart card
20. Lesson 4: Monitoring and Troubleshooting a Network Policy Server
• Methods Used to Monitor NPS
• Logging NPS Accounting
• Configuring SQL Server Logging
• Configuring NPS Events to Record in the Event Viewer
21. Methods Used to Monitor NPS
NPS monitoring methods include:
• Event logging
  • NPS service events are written to the System log; on Windows Server 2008 R2, accepted and rejected authentication requests are written to the Security log (event IDs 6272 and 6273)
  • Useful for auditing and troubleshooting connection attempts
• Logging user authentication and accounting requests
• Useful for connection analysis and billing purposes
• Can be in a text format
• Can be in a database format within a SQL instance
22. Logging NPS Accounting
Use the NPS console to configure logging:
1. Open NPS from the Administrative Tools menu
2. In the console tree, click Accounting
3. In the details pane, click Configure Local File Logging
4. On the Settings tab, select the information to be logged
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated
Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails because the disk is full, NPS stops processing connection requests.
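What you do with the log once it exists, as an added example that is not part of the course: read NPS accounting records in the DTS-compliant XML format (one `<Event>` element per line), list the Access-Reject records per user, and check free space on the log volume before the disk-full condition described above takes NPS offline. The log lines are constructed for the example and the log directory is a placeholder.

```powershell
# Added example (not from the course): summarize Access-Reject records from an NPS
# accounting log in DTS-compliant XML format and check free space on the log volume.
# The sample lines are constructed; replace $sampleLog with Get-Content on a real file,
# e.g. Get-Content 'D:\NPSLogs\IN1110.log'.

# Packet-Type 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request.
# Reason-Code 16 = authentication failed (credential mismatch).
$sampleLog = @'
<Event><Timestamp data_type="4">10/11/2011 08:01:12.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.50</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">10/11/2011 08:01:20.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.50</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">10/11/2011 08:02:05.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\carol</User-Name><Client-IP-Address data_type="3">10.0.0.50</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">10/11/2011 08:02:06.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\carol</User-Name><Client-IP-Address data_type="3">10.0.0.50</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">10/11/2011 08:03:41.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.51</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Get-NpsReject {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*<Event>') { continue }   # skip blank or non-record lines
        $e = ([xml]$line).Event
        # Every element carries a data_type attribute, so its value sits under '#text'.
        if ($e.'Packet-Type'.'#text' -ne '3') { continue }
        New-Object PSObject -Property @{
            Time   = $e.Timestamp.'#text'
            User   = $e.'User-Name'.'#text'
            Client = $e.'Client-IP-Address'.'#text'
            Reason = $e.'Reason-Code'.'#text'
        }
    }
}

$rejects = Get-NpsReject -Lines ($sampleLog -split "`r?`n")
# Rejects per account; a high count from one client address is a password-spray
# or a misconfigured NAS, and either way worth looking at first.
$rejects | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count

# Free space on the volume that holds the logs (placeholder directory on a
# non-system partition, as the slide recommends).
$logDir = 'D:\NPSLogs'
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($logDir.Substring(0, 2))'"
$freeMB = [math]::Round($disk.FreeSpace / 1MB)
if ($freeMB -lt 1024) {
    Write-Warning "Only $freeMB MB free on $($logDir.Substring(0, 2)); when the log volume fills, NPS stops processing connection requests."
}
```

Run on the sample data the summary lists alice with 2 rejects and bob with 1; carol's accept and accounting records are filtered out by the Packet-Type test.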
23. Configuring SQL Server Logging
You can use SQL to log RADIUS accounting data:
• Requires SQL to have a stored procedure
named report_event
• NPS formats accounting data as an XML document
• Can be a local or remote SQL Server database
24. Configuring NPS Events to Record in the Event Viewer
How do I configure NPS events to be recorded in Event Viewer?
• NPS is configured by default to record both rejected and successful authentication requests in the event log
• You can change this behavior on the General tab of the NPS server's Properties sheet (right-click NPS (Local) in the console), which has separate check boxes for rejected and successful requests
• Common request failure events
• What information does the failure event record?
• What information does the success event record?
What is Schannel logging, and how do I configure it?
• Schannel is a security support provider that supports a set of
Internet security protocols
• You can configure Schannel logging through the EventLogging DWORD value in the following registry key (1 = errors, the default; 2 = warnings; 4 = informational; 7 = all; a restart is required for the change to take effect):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
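Both halves of this slide in one script: raise Schannel logging through the registry value above, then pull the NPS authentication events and the Schannel events that a troubleshooter reads first. This is an added example, not course material; run it elevated on Windows Server 2008 R2.

```powershell
# Added example (not from the course): enable full Schannel logging and query the NPS
# and Schannel events relevant to a failing PEAP/EAP-TLS or VPN logon. Run elevated.

# EventLogging is a bitmask: 1 = errors (default), 2 = warnings, 4 = informational,
# 7 = everything. Schannel reads it at startup, so the change needs a restart.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Value 7 -Type DWord

# NPS authentication events reach the Security log only when the "Network Policy Server"
# audit subcategory is enabled (it is, for success and failure, by default on
# Windows Server 2008 R2; set it explicitly if the events are missing).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 6272 = access granted, 6273 = access denied. The message carries the account, the
# RADIUS client, the matched connection request and network policies, and the reason code.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Schannel writes to the System log. With EventLogging raised, TLS handshake failures
# caused by a missing, expired or untrusted NPS server certificate appear here.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Level 7 is noisy; restore the default once the problem is found.
# Set-ItemProperty -Path $schannel -Name EventLogging -Value 1 -Type DWord
```

Reading the 6273 reason code next to the Schannel entry from the same second usually separates a policy problem (wrong network policy matched, account dial-in setting) from a certificate problem (client does not trust the NPS server certificate, or the server certificate lacks the Server Authentication purpose).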
25. Lab: Configuring and Managing Network Policy Server
• Exercise 1: Installing and Configuring the Network Policy
Server Role Service
• Exercise 2: Configuring a RADIUS Client
• Exercise 3: Configuring Certificate Auto-Enrollment
• Exercise 4: Configuring and Testing the VPN
Estimated time: 75 minutes
Logon information
Virtual machines
6421B-NYC-DC1
6421B-NYC-EDGE1
6421B-NYC-CL1
User name Contoso\Administrator
Password Pa$$w0rd
26. Lab Scenario
Contoso Ltd. is expanding its remote-access solution to all
its branch office employees. This will require multiple
Routing and Remote Access servers located at different
points to provide connectivity for its employees. You must
use RADIUS to centralize authentication and accounting for
the remote-access solution. You have been tasked with
installing and configuring Network Policy Server into an
existing infrastructure to be used for NAP, Wireless and
Wired access, RADIUS, and RADIUS Proxy.
27. Lab Review
• What does a RADIUS proxy provide?
• What is a RADIUS client, and what are some examples of
RADIUS clients?