Monday, December 19, 2011

About Network Policy Server Role Service

Installing and Configuring a Network Policy Server
The Network Policy Server (NPS) role in Windows Server 2008 replaces the Internet Authentication Service (IAS). Windows Server 2008 R2 can authenticate clients using Network Policy Server (NPS). NPS provides an additional layer of security for your network.

  • NPS provides support for the Remote Authentication Dial-in User Service protocol and can be configured as a RADIUS server or proxy. 
  • NPS also provides functionality that is essential for implementation of Network Access Protection (NAP)
  • NPS is used for enforcement for:

NPS is installed as a server role in Windows Server 2008 and Windows Server 2008 R2. 

NPS is the Microsoft implementation of a RADIUS (Remote Authentication Dial-in User Service) server and proxy in Windows Server 2008. 

NPS allows centralization and management of client health policies and network-access authentication and authorization.

For example, you have a single Active Directory domain with Windows Server 2008 R2 installed on all servers on the network. All client computers run Windows 7. Some of the marketing users want to access the company network when they are traveling. You install NPS and enable the Routing and Remote Access role service on the server in order to give the remote users a virtual private network (VPN). You want to make sure only authorized remote users are allowed to connect to the network between 9am and 5pm. You should create a network policy.
  1. RADIUS server.  Radius Client
    • A NAS (Network Access Server) is a device that provides some level of access to a larger network. Configure network access servers (NAS), such as wireless access points, 802.1X-capable switches, and VPN servers, as RADIUS clients in NPS. You do not add client computers as RADIUS clients.
    • Configure network policies for NPS to authorize connection requests. 
    • Configure RADIUS accounting so NPS logs accounting info to log files either on the local hard disk or in a Microsoft SQL Server database. 
    • RADIUS allows network-access user authentication, authorization, and accounting data to be collected and maintained in a centralized location, instead of on multiple servers. 
    • When a NPS server is part of an Active Directory Domain Services (AD DS) domain, NPS uses AD DS as a user database and allows single sign-on. 
    • NPS enables the heterogeneous use of wireless and VPN equipment. 
  2. RADIUS proxy.  Radius Proxy (If you have an existing Radius server and you need a layer between the Radius server(s) and the access points, or if you need to submit requests to different Radius servers, you can configure Windows Server 2008 as a Radius proxy) 
    • Configure connection request policies to indicate the connection requests the NPS server will forward to other RADIUS servers. 
    • Configure NPS to forward accounting data for logging. 
    • When using NPS as a RADIUS proxy, NPS is a central switching point or routing point through which NPS forwards authentication and accounting messages. 
    • NPS supports the Internet Engineering Task Force (IETF) standards for RADIUS described in Request for Comments (RFC) 2865 and 2866
    • NPS allows you to outsource remote access to a service provider while retaining control over the user authentication, authorization, and accounting. 
    • You can create NPS configurations for wireless access, dial-up, VPN remote access, outsourced dial-up, Internet access, or authenticated access to extranet resources.
  3. NAP policy server.  Network Policy Server Overview
    • NPS as a NAP evaluates statements of health (SoHs) sent by NAP-capable client computers when attempting to connect to the network. 
    • When configured with NAP, NPS acts as a RADIUS server and performs authentication and authorization for connection requests. 
    • You may configure NAP policies in NPS (System health validators (SHVs), health policy, Remediation Server Groups) to allow client computers to update the configuration to become compliant with the organization's network policy
    • Both Windows 7 and Windows Server 2008 include NAP, thus, helping to protect access to private networks. 
    • Non compliant computers can be updated automatically using NAP auto-remediation. NAP auto-remediation brings the non compliant computers into compliance with health policy before connecting to the network. Computers that do not support NAP require a separate network policy with a NAP-Capable Computers condition that matches Only Computers That Are Not NAP-Capable.

Network Policy Server
    Server Manager/Add Roles

    Demo – Install a Network Policy Server Role
    1. Launch Server Manager
    2. Select Roles
    3. Click on Add Roles
    4. The Add Roles Wizard displays. Review the information and click Next
    5. Check off Network Policy and Access Services
    6. Click Next
    7. Help links are displayed. Click Next
    8. On the Select Role Services page, select Network Policy Server
    9. Click Next
    10. Click Install
    11. Click Close
    12. You will see the Network Policy and Access Services role displayed.
    13. Confirm Network Policy and Access Services Role Install
    14. Click Close to close Server Manager

      Install a Network Policy Server from the command prompt
      1. Start | Run | cmd
      2. Servermanagercmd –install NPAS-Policy-Server (not case sensitive)
      3. Press Enter
      Note: Configuration of the Network Policy Server is done in the GUI or using netsh command.
      The following link contains the Server Manager command line and syntax parameters which will allow you to install Server Manager Roles and Features from the command line:

      Tools to manage a NPS

      You can open NPS from Administrative Tools, or you can use:
      • NPS MMC Snap-in Console
      • Netsh command line
      Note: After you configure NPS, save the configuration by using netsh nps show config > path\file.txt NPS Best Practices

      Demo – Configure General NPS Settings
      1. Start | Administrative Tools | Network Policy Server
      2. Right click NPS (Local)
      3. You can Import Configuration, Export Configuration, view Properties (General tab: Server desc, logging info, Ports tab: authentication and accounting port numbers)
      4. You can Register server in Active Directory

      Demo - Register NPS in Active Directory using Netsh
      1. Start | Run| cmd
      2. netsh ras add registeredserver
      3. Press Enter

      Configure RADIUS Clients and Servers

      RADIUS is used to support the exchange of authentication in a remote access solution.

      Radius Client

      A Radius client is not a laptop or desktop computer. NPS is a RADIUS server. Radius clients are network access servers:
      • Wireless access points
      • 802.1x authenticating switches
      • VPN servers
      • Dial-up servers

      Radius Proxy

      Receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy. Required for:
      • Service providers offering outsourced dial-up, VPN, or wireless network access services to multiple customers
      • Authentication and authorization for user accounts not in Active Directory
      • Authentication and authorization for a database that is not a Windows account database
      • Load-balancing connection requests between multiple RADIUS servers
      • Outsourced service providers and minimize intranet firewall configuration

      Demo – Configure a RADIUS Client

      We will set up DC1 as NPS. SVR1 is a RRAS Server and will be a RADIUS client.

      First, set up DC1 as NPS:

      1. Start

      Administrative Tools
      Network Policy Server

      2. Under NPS (Local), click on RADIUS Clients and Servers

      3. Under RADIUS Clients and Servers, select RADIUS Clients

      4. Right click, and select New RADIUS Client

      5. Give the New Radius Client a Friendly name, for example, Rras Server1

      6. Type in the IP Address, for example,

      7. Choose a Vendor name, most are RADIUS Standard

      8. Choose Generate to automatically generate a Shared secret

      9. Click on the Generate button

      10. Two additional boxes are available to check for Additional Options:

         a. Access-Request messages must contain the Message-Authenticator attribute (also known as signature attribute and provides additional security)

         b. RADIUS client is NAP-capable

      11. Click OK

      Next, set up SVR1 as a RADIUS client:
      1. Start | Administrative Tools | Routing and Remote Access

      2. Right- click on SVR1

      3. Select Properties

      4. Select the Security tab

      5. In the Authentication provider: drop-down menu, choose RADIUS Authentication

      6. Click on the Configure button

      7. Click on the Add button to add a RADIUS server

      8. In the Server name: box, type DC1

      9. In the Accounting provider: drop-down menu, choose RADIUS Accounting

      10. Click on the Configure button

      11. Click on the Add button to Add the RADIUS Server

      12. In the server name: box, type DC1

      13. You have the ability to change the Time-out, Initial Score, and Port that is in use

      14. Click OK

      15. Click OK

      16. Click Apply

      17. A message generates “To use a new authentication provider, you must restart the Routing and Remote Access”. (A restart is required)

      18. Click OK

      19. When you return to the Routing and Remote Access dialog box, right-click on SVR1 and choose All Tasks

      20. Select Restart

      What is a Connection Request Policy?

      Connection Request Policies are a collection of settings that determine the particular RADIUS server that performs the authentication and authorization of the connection requests that NPS receives from RADIUS clients. 

      The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally.

      What are the Connection Request Conditions?

      • Framed Protocol
      • Service Type
      • Tunnel Type
      • Day and Time restrictions

      What are the Connection Request Settings?
      • Authentication
      • Accounting
      • Attribute Manipulation
      • Advanced Settings

      Configuring Connection Request Processing
      • Local Authentication: Local authentication takes place on the local security account database or on Active Directory and the connection policies are on the server.
      • RADIUS Authentication: RADIUS authentication forwards the connection to a Radius server and authenticates against the security database. RADIUS manages the connection policies in a central store. If the environment contains multiple remote access servers, it is best to use RADIUS for authentication.

      • RADIUS server groups: Criteria are specified to load-balance the connection requests when creating the RADIUS server groups, if more than one RADIUS server is in the group.
      • Default ports for Accounting and Authentication using RADIUS: The ports required for accounting and authentication when requests are forwarded to RADIUS are UDP 1812/1645 and UDP 1813/1646. We need to ensure these ports are open in the firewall.
      Connection Request Policies

      How to Create a New Connection Request Policy

      1. Start | Administrative Tools | Network Policy Server

      2. Under Policies, right-click on Connection Request Policies

      3. Click on New

      4. The New Connection Request Policy Wizard launches

      5. Type in the Policy name:, for example, Radius Client Policy

      6. Under Type of network access server: drop-down box, choose Remote Access Server (VPN-Dial up)

      7. Click Next

      8. Click on Add to add a set of policy conditions

      9. Click on Client Ipv4 Address to add the Radius client ip address

      10. Specify the Ipv4 address of the RADIUS client, for example

      11. Click Next

      12. Highlight Authentication and click the New box to Forward requests to the following remote RADIUS server group for authentication: (good for load balancing)

      13. Type in the Group name: example, PcRepairNorthShore

      14. Click Add

      15. On the Add RADIUS Server dialog box, type in the IP address of the RADIUS server you want to add. For our example, we will use

      16. You can also specify Authentication/Accounting criteria and Load Balancing criteria

      17. Click OK

      18. Click OK

      19. Highlight Accounting, and then check off the Forward accounting requests to this remote RADIUS server group

      20. Click Next

      21. You can specify Realm Names and RADIUS Attributes that you need

      22. Click Next

      23. Click Finish to Complete the Connection Request Policy Wizard

      24. You can see the Policy listed in the Connection Request Policies window

      25. Right click the policy and select Move Up to put this policy first because policies are processed from the top down
      Note: If you need to disable the policy, right-click the policy and select Disable

      NPS Authentication Methods

      Authentication methods for an NPS server include:

      • MS-CHAPv2

      • MS-CHAP

      • CHAP

      • PAP

      • Unauthenticated access

      Password-based authentication methods are the weakest method.

      Certificate-based authentication is the strongest and most secure method in the NPS environment.

      Certificate types:

      CA (Certificate Authority) certificate: Verifies the trust path of other certificates

      • Client computer certificate: Issued to the computer to prove its ID to NPS during authentication

      • Server certificate: Issued to an NPS server to prove its ID to client computers during authentication

      • User certificate: Issued to individuals to prove their ID to NPS servers for authentication

      Certificates can be obtained from public or commercial CA providers or you can host your own internal Active Directory certificate services.

      Note: Specify certificate-based authentication in a network policy by indicating the authentication methods on the Constraints tab.

      The initial expense of using a Certificate Authority is worth the extra security that is obtained by using a CA.

      The certificates must all be x.509 compatible and must work for connections that use SSL/TLS (Secure Sockets Layer/Transport Layer Security) when they are used for network access authentication.

      We must obtain Server certificates and Client certificates.

      Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

      Server certificates
      • Must contain Subject attribute that is not NULL

      • Must chain to a trusted-root CA

      • Configured with Server Authentication purpose in EKU (Extended Key Usage) extensions

      • Configured with required algorithm of RSA with a minimum 2048 key length

      • Subject Alternative Name extension, if used, must contain the DNS name

      Client certificates
      • Issued by an Enterprise CA or mapped to an account in Active Directory

      • Must chain to a trusted-root CA

      • For computer certificates, the Subject Alternative Name use contain the FQDN

      • For user certificates, the Subject Alternative Name must contain the UPN

      Deploying Certificates for PEAP and EAP

      Once you have made the decision to go with certificates for authentication, you must employ certificates for PEAP (Protected Extension Authentication Protocol) and EAP (Extension Authentication Protocol)

      • You can use Active Directory, for domain computer and user accounts, using the auto-enrollment feature in Group Policy

      • Non domain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool

      • The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the non domain member computer

      • The administrator can distribute the user certificates on a smart card, if you have that technology

      Password-Based Authentication Methods

      Certificates and NPS

      Certificate Requirements for PEAP and EAP

      EAP Overview

      PEAP Overview

      Best Practices for NPS

      Configure Log File Properties

      Configure SQL Server Logging in NPS

      No comments:

      Post a Comment

      "Comment As:" anonymous if you would rather not sign into an account!