20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012 8-13
You can configure NPS to accept multiple authentication methods. You also can configure your network access servers, also called RADIUS clients, to attempt to negotiate a connection with client computers by requesting the use of the most secure protocol first, then the next most secure, and so on, down to the least secure. For example, the Routing and Remote Access service tries to negotiate a connection by using the following protocols in the order shown:
1. Extensible Authentication Protocol (EAP)
2. MS-CHAP v2
3. MS-CHAP
4. Challenge Handshake Authentication Protocol (CHAP)
5. Shiva Password Authentication Protocol (SPAP)
6. Password Authentication Protocol (PAP)
MS-CHAP Version 2
1. The authenticator (the network access server or the NPS server) sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains:
   o The user name.
   o An arbitrary peer-challenge string.
   o A one-way encryption of the received challenge string, the peer-challenge string, the session identifier, and the user’s password.
3. The authenticator checks the client’s response, and then sends back a response that contains:
   o An indication of the connection attempt’s success or failure.
   o An authenticated response based on the sent challenge string, the peer-challenge string, the client’s encrypted response, and the user’s password.
4. The access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the access client terminates the connection.
1. The authenticator (the network access server or the NPS server) sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.
3. The authenticator checks the response and, if valid, authenticates the user’s credentials.
Administering Windows Server® 2012 8-15
Using Certificates for Authentication

Certificates are digital documents that certification authorities (CAs) issue, such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. You can use certificates for many purposes, such as code signing and securing email communication. However, with NPS, you use certificates for network access authentication because they provide strong security for authenticating users and computers, and eliminate the need for less secure, password-based authentication methods.

NPS servers use EAP-TLS and PEAP to perform certificate-based authentication for many types of network access, including VPN and wireless connections.
Authentication Methods
Two authentication methods, when you configure them with certificate-based authentication types, use certificates: EAP and PEAP. With EAP, you can configure the authentication type TLS (EAP-TLS), and with PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAP v2). These authentication methods always use certificates for server authentication. Depending on the authentication type that you configure with the authentication method, you also might use certificates for user authentication and client computer authentication.
Note: Using certificates for VPN connection authentication is the strongest form of authentication available in Windows Server 2008 R2. You must use certificates for IPsec authentication on VPN connections that are based on Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec). PPTP connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients (computing devices with wireless network adapters, such as your portable computer or personal digital assistant), use PEAP with EAP-TLS and smart cards or certificates for authentication.

Note: You can deploy certificates for use with NPS by installing and configuring the AD CS server role.

Mutual Authentication
When you use EAP with a strong EAP type (such as TLS with smart cards or certificates), the client and the server use certificates to verify their identities to each other, which is known as mutual authentication. Certificates must meet specific requirements to allow the server and the client to use them for mutual authentication.

One such requirement is that the certificate is configured with one or more purposes in Extended Key Usage (EKU) extensions that correlate to the certificate use. For example, you must configure a certificate that you use for a client’s authentication with the Client Authentication purpose. Similarly, you must configure a certificate that you use for a server’s authentication with the Server Authentication purpose. When you use certificates for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When you use a certificate for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.
Administering Windows Server® 2012 8-17

| Certificate | Required for EAP-TLS and PEAP-TLS? | Required for PEAP-MS-CHAP v2? | Details |
| --- | --- | --- | --- |
| Client computer certificate in the certificate store of the client | Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually or obtain it with the Web-enrollment tool. | No. User authentication is performed with password-based credentials, not certificates. | If you deploy user certificates on smart cards, client computers do not need client certificates. |
| Server certificate in the certificate store of the NPS server | Yes. You can configure AD CS to autoenroll server certificates to members of the RAS and IAS servers group in AD DS. | Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that client computers already trust. | The NPS server sends the server certificate to the client computer. The client computer uses the certificate to authenticate the NPS server. |
| User certificate on a smart card | AD CS to auto-enroll server certificates to members of the RAS and IAS servers group in AD DS. | No. User authentication is performed with password-based credentials, not certificates. | For EAP-TLS and PEAP-TLS, if you do not auto-enroll client computer certificates, user certificates on smart cards are required. |
The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication provides authenticated access to 802.11 wireless networks and wired Ethernet networks. 802.1X provides support for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS
Validate server certificate option on the client, the client authenticates the server by
Administering Windows Server® 2012 8-19

With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, except the following:
• Certificates that do not contain the Server Authentication purpose in EKU extensions.
• Certificates that do not contain a subject name.
• Registry-based and smart card-logon certificates.

Minimum Client Certificate Requirements
|
With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets
• An enterprise CA issued the client certificate or it is mapped to an Active Directory user or computer account.
• The user or computer certificate on the client chains to a trusted-root CA; the certificate includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2); and fails neither the checks that CryptoAPI performs, which the remote access or network policies specify, nor the Certificate object identifier checks that the NPS network policies specify.
• The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
• For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN in a certificate template:
  a. Open Certificate Templates.
  b. In the details pane, right-click the certificate template that you want to change, and then click Properties.
  c. Click the Subject Name tab, and then click Build from this Active Directory information.
  d. In Include this information in alternate subject name, select User principal name (UPN).
• For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client’s FQDN, also known as the DNS name. To configure this name in the certificate template:
  a. Open Certificate Templates.
  b. In the details pane, right-click the certificate template that you want to change, and then click Properties.
  c. Click the Subject Name tab, and then click Build from this Active Directory information.
  d. In Include this information in alternate subject name, select DNS name.

With the
• Wireless clients do not display registry-based and smart card-logon certificates.
• Wireless clients and VPN clients do not display password-protected certificates.
• Certificates that do not contain the Client Authentication purpose in EKU extensions.
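The requirements from the Mutual Authentication section and the list above (EKU purpose OID, subject name, chain to a trusted root, UPN or DNS name in the SubjectAltName) as an added PowerShell check; this is not code from the handbook, and the store path, the -Role and -ComputerCertificate parameters, and the reliance on the computer's default chain and revocation settings are assumptions.

```powershell
# Added example, not from the 20411B handbook. Checks one certificate against the NPS
# requirements stated in the text: the right EKU purpose OID, a non-empty subject for
# server certificates, a chain to a trusted root CA, and a UPN or DNS name in the SAN.
function Test-NpsEapCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Client', 'Server')][string]$Role = 'Client',
        [switch]$ComputerCertificate   # Client role only: expect a DNS name rather than a UPN in the SAN
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Client Authentication = 1.3.6.1.5.5.7.3.2 (from the text); Server Authentication = 1.3.6.1.5.5.7.3.1
    $wantEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $wantEku) { $findings.Add("EKU extension lacks purpose $wantEku") }

    # NPS does not offer server certificates that have no subject name
    if ($Role -eq 'Server' -and [string]::IsNullOrWhiteSpace($Certificate.Subject)) {
        $findings.Add('Subject name is empty')
    }

    # Chain building uses this computer's trust store and its default revocation settings (assumption)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Does not chain to a trusted root CA ($status)")
    }

    # SubjectAltName (OID 2.5.29.17): user certificates need a UPN, computer certificates a DNS name.
    # AsnEncodedData.Format renders the entries as 'Principal Name=...' and 'DNS Name=...'.
    if ($Role -eq 'Client') {
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($true) } else { '' }
        $needle = if ($ComputerCertificate) { 'DNS Name=' } else { 'Principal Name=' }
        if ($sanText -notmatch [regex]::Escape($needle)) { $findings.Add("SubjectAltName has no '$needle' entry") }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Role       = $Role
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage (assumed store path): evaluate every certificate in the machine store as a candidate NPS server certificate
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsEapCertificate -Certificate $_ -Role Server } |
    Format-Table Subject, Compliant, Findings -AutoSize
```

Run it with -Role Client (and -ComputerCertificate for machine certificates) against Cert:\CurrentUser\My or Cert:\LocalMachine\My on a client to see which certificate NPS would accept and why the others would fail.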
|||
|
|
8-20 Installing, Configuring, and Troubleshooting the Network Policy Server Role

Lesson 4
Monitoring and Troubleshooting a Network Policy Server
You can monitor NPS by configuring and using logging for events, and user authentication and accounting requests. Event logging enables you to record NPS events in the system and security event logs. You can use request logging for connection analysis and billing purposes. The information that the log files collect is useful for troubleshooting connection attempts and for security investigation.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the methods for monitoring NPS.
• Describe how to configure log file properties.
• Describe how to configure SQL Server logging in NPS.
• Describe how to configure NPS events to be recorded in Event Viewer.
Methods Used to Monitor NPS
The two types of accounting, or logging, that you can use to monitor NPS are:
• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. You use this primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server database. Use request logging primarily for connection analysis and billing purposes, and as a security investigation tool, because it enables you to identify an attacker’s activity.

• Turn on logging (initially) for authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.
• Ensure that you configure event logging with sufficient capacity to maintain your logs.
• Back up all log files on a regular basis, because they cannot be recreated when damaged or deleted.
• Use the RADIUS Class attribute to track usage and simplify identification of which department or user to charge for usage. Although the Class attribute, which is generated automatically, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is re-sent. You might need to delete duplicate requests from your logs to track usage accurately.
• To provide failover and redundancy with SQL Server logging, place two computers that are running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, refer to the SQL Server documentation.
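The two uses of request logging described above (finding duplicate accounting records that share a Class value, and using the log as a security investigation tool) as an added PowerShell example that is not part of the handbook. It reads records in the NPS DTS Compliant (XML) log format; the element names are the ones NPS writes, while the records, the users, the addresses and the reject threshold are constructed assumptions.

```powershell
# Added example, not the handbook's own code. The five records below are constructed sample data
# in NPS DTS Compliant (XML) format: one <Event> element per line and no root element.
$SampleLog = @'
<Event><Timestamp data_type="4">03/14/2013 09:15:01.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Class data_type="1">311 1 10.10.0.1 03/14/2013 09:00:00 41</Class></Event>
<Event><Timestamp data_type="4">03/14/2013 09:15:04.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Class data_type="1">311 1 10.10.0.1 03/14/2013 09:00:00 41</Class></Event>
<Event><Timestamp data_type="4">03/14/2013 09:16:10.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2013 09:16:12.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2013 09:16:15.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Get-NpsField([System.Xml.XmlElement]$Event, [string]$Name) {
    # Element text, or $null when NPS did not log that attribute for this record
    $node = $Event.SelectSingleNode($Name)
    if ($node) { $node.InnerText }
}

function Import-NpsDtsLog {
    param([Parameter(Mandatory=$true)][string]$Text)
    # Wrap the line-per-record text in a root element so [xml] can parse the whole file at once
    $xml = [xml]('<Log>' + $Text + '</Log>')
    foreach ($e in $xml.Log.Event) {
        [pscustomobject]@{
            Timestamp      = Get-NpsField $e 'Timestamp'
            User           = Get-NpsField $e 'User-Name'
            ClientIP       = Get-NpsField $e 'Client-IP-Address'
            PacketType     = [int](Get-NpsField $e 'Packet-Type')   # RADIUS code: 1 Access-Request, 2 Accept, 3 Reject, 4 Accounting-Request
            ReasonCode     = Get-NpsField $e 'Reason-Code'
            Class          = Get-NpsField $e 'Class'
            AcctStatusType = Get-NpsField $e 'Acct-Status-Type'     # 1 Start, 2 Stop, 3 Interim-Update
        }
    }
}

function Find-NpsDuplicateAccounting {
    param([Parameter(Mandatory=$true)][object[]]$Records)
    # A re-sent Accounting-Request repeats the Class value and status type of the original whose reply was lost
    $Records | Where-Object { $_.PacketType -eq 4 -and $_.Class } |
        Group-Object Class, AcctStatusType | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Class = $_.Group[0].Class; AcctStatusType = $_.Group[0].AcctStatusType; Copies = $_.Count } }
}

function Get-NpsRejectSummary {
    param([Parameter(Mandatory=$true)][object[]]$Records, [int]$Threshold = 3)
    # Repeated Access-Reject records for one user from one RADIUS client are a starting point for an investigation
    $Records | Where-Object { $_.PacketType -eq 3 } |
        Group-Object User, ClientIP | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Group[0].User; ClientIP = $_.Group[0].ClientIP; Rejects = $_.Count
                               ReasonCodes = (@($_.Group.ReasonCode) | Sort-Object -Unique) -join ',' }
        }
}

$records = Import-NpsDtsLog -Text $SampleLog
Find-NpsDuplicateAccounting -Records $records | Format-Table -AutoSize
Get-NpsRejectSummary -Records $records -Threshold 3 | Format-Table -AutoSize
```

For a real log, replace $SampleLog with Get-Content -Raw on the file in the accounting log folder; the same functions apply because NPS writes each record as its own line.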
Administering Windows Server® 2012 8-21

Note: To interpret logged data, view the information on the Microsoft TechNet website: Interpret NPS Database Format Log Files, http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409
Logging NPS Accounting
You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files where you want to store the accounting data.

Considerations for Configuring Accounting for NPS
• To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local File Properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.
• To create the log file directory, use system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file at the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs\).
• Switching log-file formats does not cause a new log to be created. If you change log file formats, the file that is active when the change occurs will contain a mixture of the two formats. Records at the log’s start will have the previous format, and records at the log’s end will have the new format.
• If you are administering an NPS server remotely, you cannot browse the directory structure. If you need to log accounting information to a remote server, specify the log file name by typing a Universal Naming Convention (UNC) name, such as \\MyLogServer\LogShare.
• If RADIUS accounting fails due to a full hard-disk drive or other causes, NPS stops processing connection requests, which prevents users from accessing network resources.
• NPS enables you to log to a SQL Server database in addition to, or instead of, logging to a local file.