20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012 8-3
same set of credentials for network-access control (authenticating and authorizing access to a network) as they do to access resources within the AD DS domain.

Organizations that maintain network access, such as Internet service providers (ISPs), have the challenge of managing a variety of network-access methods from a single administration point, regardless of the type of network-access equipment they use. The RADIUS standard supports this requirement. RADIUS is a client-server protocol that enables network-access equipment, used as RADIUS clients, to submit authentication and accounting requests to a RADIUS server.

A RADIUS server has access to user-account information, and can verify network-access authentication credentials. If the user’s credentials are authentic, and RADIUS authorizes the connection attempt, the RADIUS server then authorizes the user’s access based on configured conditions, and logs the network-access connection in an accounting log. Using RADIUS allows you to collect and maintain the network-access user authentication, authorization, and accounting data in a central location, rather than on each access server.
RADIUS Proxy
When using NPS as a RADIUS proxy, you configure connection request policies that indicate which connection requests the NPS server will forward to other RADIUS servers, and to which RADIUS servers you want to forward them. You also can configure NPS to forward accounting data for logging by one or more computers in a remote RADIUS server group.
With NPS, your organization also can outsource remote-access infrastructure to a service provider, while retaining control over user authentication, authorization, and accounting.
You can create different NPS configurations for the following solutions:
• Wireless access
• Organization dial-up or VPN remote access
• Outsourced dial-up or wireless access
• Internet access
• Authenticated access to extranet resources for business partners
NAP Policy Server
When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoHs) sent by NAP-capable client computers that attempt to connect to the network. NPS also acts as a RADIUS server when it is configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to become compliant with your organization’s network policy.
Windows 8 and Windows Server 2012 include NAP, which helps protect access to private networks by ensuring that client computers are configured in accordance with the organization’s network health policies before they can connect to network resources. Additionally, NAP monitors client computer compliance with administrator-defined health policy while the computer is connected to the network. NAP autoremediation allows you to ensure that noncompliant computers are updated automatically, bringing them into compliance with health policy so that they can connect successfully to the network.
System administrators define network health policies, and then create these policies by using NAP components that either NPS provides, depending on your NAP deployment, or that third-party companies provide.
Health policies can include software requirements, security-update requirements, and required-configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access.
8-4 Installing, Configuring, and Troubleshooting the Network Policy Server Role
Demonstration: Installing the Network Policy Server Role
This demonstration shows how to:
• Install the NPS role.
• Register NPS in AD DS.
Demonstration Steps
Install the NPS Role
1. Switch to LON-DC1.
2. Open Server Manager, and add the Network Policy and Access Services role.
3. Close Server Manager.
Register NPS in AD DS
1. Open the Network Policy Server console.
2. Register the server in AD DS.
3. Leave the Network Policy Server window open.
Tools for Configuring a Network Policy Server
After you install the Network Policy Server role, you can open the NPS Administrative tool on the Administrative Tools menu, or you can add the snap-in to create a custom Microsoft Management Console (MMC) tool. You also can use netsh commands to manage and configure the NPS role.
• NPS MMC snap-in. Use the NPS MMC to configure a RADIUS server, a RADIUS proxy, or a NAP technology.
• Netsh commands for NPS. The netsh commands for NPS provide a command set that is fully equivalent to all configuration settings that are available through the NPS MMC snap-in. You can run netsh commands manually at the netsh prompt or in administrator scripts.
One example of using netsh is that after you install and configure NPS, you can save the configuration by using the netsh nps show config > path\file.txt command. You then save the NPS configuration with this command each time that you make a change.
• Windows PowerShell®. You also can use Windows PowerShell cmdlets to configure and manage a Network Policy Server.
For example, to export the NPS configuration, you can use the Export-NpsConfiguration -Path <filename> cmdlet.
Demonstration: Configuring General NPS Settings
This demonstration shows how to:
• Configure a RADIUS server for VPN connections.
• Save the configuration.
Demonstration Steps
Configure a RADIUS server for VPN connections
1. In the Network Policy Server console, launch the Configure VPN or Dial-Up Wizard.
2. Add LON-RTR as a RADIUS client.
3. Use a shared secret of Pa$$word for authentication between the RADIUS client and the NPS server.
4. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2) for authentication.
Save the configuration
1. Open Windows PowerShell.
2. Use the Export-NpsConfiguration -Path lon-dc1.xml command to save the configuration.
3. Examine this configuration with Notepad.
Lesson 2
Configuring RADIUS Clients and Servers
RADIUS is an industry-standard authentication protocol that many vendors use to support the exchange of authentication information between elements of a remote-access solution. To centralize your organization’s remote-authentication needs, you can configure NPS as a RADIUS server or a RADIUS proxy. While configuring RADIUS clients and servers, you must consider several factors, such as the RADIUS servers that will authenticate connection requests from RADIUS clients and the ports that RADIUS traffic will use.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a RADIUS client.
• Describe a RADIUS proxy.
• Explain how to configure a RADIUS client.
• Describe the use of a connection request policy.
• Describe and configure connection-request processing for a RADIUS proxy environment.
• Explain how to create a new connection request policy.
What Is a RADIUS Client?
A network access server (NAS) is a device that provides some level of access to a larger network. An NAS using a RADIUS infrastructure also is a RADIUS client, originating connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
Client computers, such as wireless laptop computers and other computers that are running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—including wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as NPS servers.
To deploy NPS as a RADIUS server, a RADIUS proxy, or a NAP policy server, you must configure RADIUS clients in NPS.
RADIUS Client Examples
Examples of network access servers include the following:
• Network access servers that provide remote access connectivity to an organization network or the Internet, such as a computer that is running the Windows Server 2012 operating system, and the Routing and Remote Access service that provides either traditional dial-up or VPN remote access services to an organization’s intranet.
• Wireless access points that provide physical-layer access to an organization’s network by using wireless-based transmission and reception technologies.
• Switches that provide physical-layer access to an organization’s network, using traditional local area network (LAN) technologies, such as Ethernet.
• NPS-based RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that you configure on the RADIUS proxy, or other RADIUS proxies.
You can use NPS as a RADIUS proxy to route RADIUS messages between RADIUS clients (network access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When you use NPS as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow.
• You are a service provider who offers outsourced dial, VPN, or wireless network-access services to multiple customers.
Your NAS sends connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that the customer maintains, which can authenticate and authorize the connection attempt.
• You want to provide authentication and authorization for user accounts that are not members of the domain in which the NPS server is a member, or of a domain that has a two-way trust with the NPS server’s member domain.
This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm-name portion of the user name, and then forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for a NAS in another domain or forest.
• You want to perform authentication and authorization by using a database that is not a Windows account database.
In this case, NPS forwards connection requests that match a specified realm name to a RADIUS server, which has access to a different database of user accounts and authorization data. An example of another user database is a SQL database.
• You want to process a large number of connection requests.
In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers, and it increases the number of RADIUS clients and authentications that can be processed each second.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on a variety of factors, including:
• The time of day and day of the week.
• The realm name in the connection request.
• The connection type that you are requesting.
• The RADIUS client’s IP address.
Conditions
Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS access-request message. If multiple conditions exist, NPS enforces the policy only if all of the conditions in the connection-request message and in the connection request policy match.
• Authentication is not configured.
• Accounting is not configured to forward accounting information to a remote RADIUS server group.
• Attribute manipulation is not configured with rules that change attributes in forwarded connection requests.
• Forwarding Request is turned on, which means that the local NPS server authenticates and authorizes connection requests.
• Advanced attributes are not configured.
The default connection request policy uses NPS as a RADIUS server. To configure an NPS server to act as a RADIUS proxy, you also must configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard. You either can delete the default connection request policy or verify that the default connection request policy is the last policy processed.
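The rules just described (all conditions must match, policies are tried in processing order, the catch-all default must come last, and a forwarding policy hands the request to a remote RADIUS server group) can be seen in a short simulation. The following Python is an added example written for this page; it is not code from the handbook or from NPS. The policy names other than the NPS default, the fabrikam realm, the server addresses and the request attributes are constructed, and the priority/weight selection is my approximation of how NPS picks a group member, not its exact algorithm. It also covers the proxy scenarios from the previous section: realm-based forwarding to another forest's or a customer's RADIUS server, and spreading load across a group.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed Access-Request attributes as NPS would see them (values made up for this example).
REQUESTS = [
    {"User-Name": "alice@contoso.com", "Client-IP": "172.16.0.10", "NAS-Port-Type": "Virtual (VPN)"},
    {"User-Name": "FABRIKAM\\bob", "Client-IP": "172.16.0.10", "NAS-Port-Type": "Virtual (VPN)"},
    {"User-Name": "carol", "Client-IP": "10.0.0.5", "NAS-Port-Type": "Wireless - IEEE 802.11"},
]


def realm_of(user_name: str) -> str:
    """Realm portion of a user name: 'user@realm' -> 'realm', 'REALM\\user' -> 'realm'."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""  # no realm: treated as a local-domain user


@dataclass
class RemoteServer:
    """Member of a remote RADIUS server group (hypothetical addresses)."""
    address: str
    priority: int = 1     # lower is preferred; priority 2 is used only when every priority-1 server is down
    weight: int = 50      # share of requests among servers with the same priority
    available: bool = True


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Callable[[str], bool]]       # attribute -> predicate; ALL must match
    forward_to: Optional[List[RemoteServer]] = None    # None: authenticate locally (RADIUS server role)


def matches(policy: Policy, request: dict) -> bool:
    """A policy applies only when every one of its conditions matches the request."""
    return all(attr in request and pred(request[attr]) for attr, pred in policy.conditions.items())


def select_policy(policies: List[Policy], request: dict) -> Optional[Policy]:
    """Policies are tried in processing order; the first match wins, so the catch-all must be last."""
    for policy in policies:
        if matches(policy, request):
            return policy
    return None


def choose_server(group: List[RemoteServer], rng=random) -> Optional[RemoteServer]:
    """Prefer the best available priority tier and pick within it by weight (approximation)."""
    candidates = [s for s in group if s.available]
    if not candidates:
        return None
    best = min(s.priority for s in candidates)
    tier = [s for s in candidates if s.priority == best]
    return rng.choices(tier, weights=[s.weight for s in tier], k=1)[0]


def process(policies: List[Policy], request: dict, rng=random):
    """Return (action, policy name): 'local', 'forward:<server>' or 'reject'."""
    policy = select_policy(policies, request)
    if policy is None:
        return "reject", None          # no connection request policy matched
    if policy.forward_to is None:
        return "local", policy.name
    server = choose_server(policy.forward_to, rng)
    if server is None:
        return "reject", policy.name   # whole remote group unreachable
    return "forward:" + server.address, policy.name


FABRIKAM_GROUP = [
    RemoteServer("radius1.fabrikam.example", priority=1, weight=70),
    RemoteServer("radius2.fabrikam.example", priority=1, weight=30),
    RemoteServer("radius-dr.fabrikam.example", priority=2),
]

POLICIES = [
    Policy("Forward fabrikam realm", {"User-Name": lambda u: realm_of(u) == "fabrikam"}, FABRIKAM_GROUP),
    Policy("VPN requests from LON-RTR",
           {"Client-IP": lambda ip: ip == "172.16.0.10", "NAS-Port-Type": lambda t: t == "Virtual (VPN)"}),
    Policy("Use Windows authentication for all users", {}),  # NPS default policy: no conditions, matches everything
]

if __name__ == "__main__":
    for request in REQUESTS:
        print(request["User-Name"], "->", process(POLICIES, request))
```

Reordering POLICIES so that the default policy comes first makes every request authenticate locally, which is exactly the misconfiguration the handbook warns about when it says to verify that the default policy is processed last.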
Configuring Connection-Request Processing
The default connection request policy uses NPS as a RADIUS server, and processes all authentication requests locally.
Considerations for Configuring Connection-Request Processing
When configuring connection-request processing:
• To configure an NPS server to act as a RADIUS proxy and forward connection requests to other NPS or RADIUS servers, you must configure a remote RADIUS server group, and then add a new connection request policy that specifies conditions and settings that the connection requests must match.
• You can use the New Connection Request Policy Wizard to create a new remote RADIUS server group when you create a new connection request policy.
• If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.
• If you want the NPS server to act as both a RADIUS server (processes connection requests locally) and as a RADIUS proxy (forwards some connection requests to a remote RADIUS server group), then you should add a new policy, and verify that the default connection request policy is the last policy processed.
Note: If you disable either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the disabled protocol.
The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. When you are deciding on what port numbers to use, make sure that you configure NPS and the access server to use the same port numbers. If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to enable RADIUS traffic on the new ports.
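What actually crosses those UDP ports is an RFC 2865 datagram, and the shared secret entered in the wizard is what ties a response to its request. The following Python is an added example written for this page, not code from the handbook, from NPS, or from any RADIUS library. It encodes and parses a minimal Access-Request/Access-Accept exchange, hides the User-Password the way RFC 2865 specifies, and verifies the Response Authenticator the way a NAS should before trusting an Access-Accept; nps_listens_on models the comma-separated port list the NPS Ports tab accepts. The user name, NAS address and password are constructed; the shared secret is the lab value from the demonstration. This goes a little beyond the text by showing the packet format itself.

```python
import hashlib
import hmac
import os
import struct

# Port numbers from the handbook: RFC 2865/2866 standards and the older NAS defaults.
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813
LEGACY_AUTH_PORT, LEGACY_ACCT_PORT = 1645, 1646

# RFC 2865 packet codes and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (20 bytes)
LAB_SECRET = b"Pa$$word"           # shared secret used in the handbook's demonstration


def nps_listens_on(nps_port_setting, nas_port):
    """The NPS Ports tab takes a comma-separated list ("1812,1645"); the NAS must use one of them."""
    return nas_port in {int(p) for p in nps_port_setting.split(",")}


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length including its own 2-byte header, value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length exceeds packet")
        attrs.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def parse_packet(data):
    """Return (code, identifier, authenticator, attributes); malformed packets raise ValueError,
    which RFC 2865 says a receiver must treat as 'silently discard'."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field inconsistent with datagram")
    return code, ident, auth, decode_attrs(data[HEADER.size:length])


def is_well_formed(data):
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """Build the Access-Request a NAS (RADIUS client) sends to NPS on the authentication port."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_response(code, request_packet, secret, attrs=()):
    """Build the Access-Accept/Reject a RADIUS server returns for a given request."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def verify_response(response, request_packet, secret):
    """What a NAS must check before honouring an Access-Accept: the identifier matches the
    outstanding request and the Response Authenticator was computed with the shared secret."""
    code, ident, auth, _ = parse_packet(response)
    _, req_ident, request_auth, _ = parse_packet(request_packet)
    if ident != req_ident:
        return False
    length = struct.unpack_from("!H", response, 2)[0]
    expected = response_authenticator(code, ident, response[HEADER.size:length], request_auth, secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    req = access_request(7, "alice@contoso.com", "s3cret", LAB_SECRET, "172.16.0.10")  # constructed
    accept = access_response(ACCESS_ACCEPT, req, LAB_SECRET)
    print("request bytes:", len(req), "accept verifies:", verify_response(accept, req, LAB_SECRET))
    print("NAS on 1645, NPS set to '1812,1645':", nps_listens_on("1812,1645", LEGACY_AUTH_PORT))
```

A port mismatch shows up as NPS never seeing the datagram at all, so nothing is logged on the server; a shared-secret mismatch shows up here as verify_response returning False, and the NAS must discard such a response rather than accept it. That is why both the port numbers and the secret must agree at both ends, and why a certificate-based method is preferred over sending a password attribute that is only MD5-masked with the secret.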
Configuring NPS UDP Port Information
You can use the following procedure to configure the User Datagram Protocol (UDP) ports that NPS uses for RADIUS authentication and accounting traffic.
Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.
To configure NPS UDP port information by using the Windows interface:
1. Open the NPS console.
2. Right-click Network Policy Server, and then click Properties.
3. Click the Ports tab, and then examine the settings for ports. If your RADIUS authentication and RADIUS accounting UDP ports vary from the provided default values (1812 and 1645 for authentication, and 1813 and 1646 for accounting), type your port settings in Authentication and Accounting.
Note: To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
Demonstration: Creating a Connection Request Policy
This demonstration shows how to create a VPN connection request policy.
Demonstration Steps
1. On LON-DC1, switch to the Network Policy Server console.
2. View the existing Connection Request Policies. The wizard created these automatically when you specified the NPS role of this server.
3. Create a new Connection Request Policy with the following settings:
o Type of network access server: Remote Access Server (VPN-Dial up)
o Condition: NAS Port Type as Virtual (VPN)
o Other settings: default values
4. Assign the new policy the highest priority.
Other authentication methods implement the use of certificate-based credentials for the user, the client computer, the NPS server, or some combination. Certificate-based authentication methods provide strong security and are recommended over password-based authentication methods.
When you deploy NPS, you can specify the required type of authentication method for access to your network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the password-based authentication methods for an NPS server.
• Describe how certificates are used to provide authentication for network clients.
• Describe the types of certificates that are needed for various authentication methods.
• Describe how to deploy certificates for PEAP and EAP.
Password-Based Authentication Methods
Each authentication method has advantages and disadvantages in terms of security, usability, and breadth of support. However, password-based authentication methods do not provide strong security, and we do not recommend them. We recommend that you use a certificate-based authentication method for all network access methods that support certificate use. This is especially true for wireless connections, for which we recommend the use of PEAP-MS-CHAP v2 or PEAP-TLS.
The authentication method you require is determined by the configuration of the network access server, the client computer, and network policy on the NPS server. Consult your access server documentation to determine which authentication methods are supported.