Installing and Configuring a Network Policy Server
NPS is installed as a server role in Windows Server 2008 and Windows Server 2008 R2.
NPS is the Microsoft implementation of a RADIUS (Remote Authentication Dial-in User Service) server and proxy in Windows Server 2008.
NPS allows centralization and management of client health policies and network-access authentication and authorization.
For example, you have a single Active Directory domain with Windows Server 2008 R2 installed on all servers on the network. All client computers run Windows 7. Some of the marketing users want to access the company network when they are traveling. You install NPS and enable the Routing and Remote Access role service on the server in order to give the remote users a virtual private network (VPN). You want to make sure only authorized remote users are allowed to connect to the network between 9am and 5pm. You should create a network policy.
Network Policy Server
Tools to manage a NPS
Demo – Configure General NPS Settings
Demo - Register NPS in Active Directory using Netsh
Configure RADIUS Clients and Servers
Radius Proxy
Demo – Configure a RADIUS Client
Connection Request Policies are a collection of settings that determine the particular RADIUS server that performs the authentication and authorization of the connection requests that NPS receives from RADIUS clients.
The Network Policy Server (NPS) role in Windows Server 2008 replaces the Internet Authentication Service (IAS). Windows Server 2008 R2 can authenticate clients using NPS, which provides an additional layer of security for your network.
- NPS supports the Remote Authentication Dial-in User Service (RADIUS) protocol and can be configured as a RADIUS server or as a RADIUS proxy.
- NPS also provides functionality that is essential for implementing Network Access Protection (NAP).
- NPS is used to enforce policy in the following roles:
- RADIUS server.
- A NAS (Network Access Server) is a device that provides some level of access to a larger network. Configure network access servers (NAS), such as wireless access points, 802.1X-capable switches, and VPN servers, as RADIUS clients in NPS. You do not add client computers as RADIUS clients.
- Configure network policies for NPS to authorize connection requests.
- Configure RADIUS accounting so NPS logs accounting info to log files either on the local hard disk or in a Microsoft SQL Server database.
- RADIUS allows network-access user authentication, authorization, and accounting data to be collected and maintained in a centralized location, instead of on multiple servers.
- When an NPS server is part of an Active Directory Domain Services (AD DS) domain, NPS uses AD DS as its user database and allows single sign-on.
- NPS enables the heterogeneous use of wireless and VPN equipment.
- RADIUS proxy. If you have an existing RADIUS server and you need a layer between the RADIUS server(s) and the access points, or if you need to submit requests to different RADIUS servers, you can configure Windows Server 2008 as a RADIUS proxy.
- Configure connection request policies to indicate the connection requests the NPS server will forward to other RADIUS servers.
- Configure NPS to forward accounting data for logging.
- When using NPS as a RADIUS proxy, NPS is a central switching point or routing point through which NPS forwards authentication and accounting messages.
- NPS supports the Internet Engineering Task Force (IETF) standards for RADIUS described in Request for Comments (RFC) 2865 and 2866.
- NPS allows you to outsource remote access to a service provider while retaining control over the user authentication, authorization, and accounting.
- You can create NPS configurations for wireless access, dial-up, VPN remote access, outsourced dial-up, Internet access, or authenticated access to extranet resources.
- NAP policy server.
- NPS as a NAP policy server evaluates statements of health (SoHs) sent by NAP-capable client computers when they attempt to connect to the network.
- When configured with NAP, NPS acts as a RADIUS server and performs authentication and authorization for connection requests.
- You may configure NAP policies in NPS (system health validators (SHVs), health policy, remediation server groups) to allow client computers to update their configuration and become compliant with the organization's network policy.
- Both Windows 7 and Windows Server 2008 include NAP, thus helping to protect access to private networks.
- Noncompliant computers can be updated automatically using NAP auto-remediation. NAP auto-remediation brings the noncompliant computers into compliance with health policy before they connect to the network. Computers that do not support NAP require a separate network policy with a NAP-Capable Computers condition that matches Only Computers That Are Not NAP-Capable.
Network Policy Server
- Launch Server Manager
- Select Roles
- Click on Add Roles
- The Add Roles Wizard displays. Review the information and click Next
- Check off Network Policy and Access Services
- Click Next
- Help links are displayed. Click Next
- On the Select Role Services page, select Network Policy Server
- Click Next
- Click Install
- Click Close
- You will see the Network Policy and Access Services role displayed.
- Click Close to close Server Manager
Confirm Network Policy and Access Services Role Install
Install a Network Policy Server from the command prompt
- Start | Run | cmd
- servermanagercmd -install NPAS-Policy-Server (not case sensitive)
- Press Enter
Note: Configuration of the Network Policy Server is done in the GUI or using netsh command.
The following link contains the Server Manager command line and syntax parameters which will allow you to install Server Manager Roles and Features from the command line:
Tools to manage a NPS
You can open NPS from Administrative Tools, or you can use:
- NPS MMC Snap-in Console
- Netsh command line
Note: After you configure NPS, save the configuration by using netsh nps show config > path\file.txt. Treat the saved file as sensitive, since it describes the complete NPS configuration, including the RADIUS clients and policies.
Demo – Configure General NPS Settings
- Start | Administrative Tools | Network Policy Server
- Right click NPS (Local)
- You can Import Configuration, Export Configuration, view Properties (General tab: Server desc, logging info, Ports tab: authentication and accounting port numbers)
- You can Register server in Active Directory
Demo - Register NPS in Active Directory using Netsh
- Start | Run | cmd
- netsh ras add registeredserver
- Press Enter
Configure RADIUS Clients and Servers
RADIUS is the protocol used to exchange authentication, authorization, and accounting information between network access servers and the RADIUS server in a remote access solution.
Radius Client
A Radius client is not a laptop or desktop computer. NPS is a RADIUS server. Radius clients are network access servers:
- Wireless access points
- 802.1x authenticating switches
- VPN servers
- Dial-up servers
Radius Proxy
A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or to another RADIUS proxy. A proxy is required for:
- Service providers offering outsourced dial-up, VPN, or wireless network access services to multiple customers
- Authentication and authorization for user accounts not in Active Directory
- Authentication and authorization for a database that is not a Windows account database
- Load-balancing connection requests between multiple RADIUS servers
- Outsourced service providers, where you want to minimize intranet firewall configuration
Demo – Configure a RADIUS Client
We will set up DC1 as NPS. SVR1 is a RRAS Server and will be a RADIUS client.
First, set up DC1 as NPS:
1. Start | Administrative Tools | Network Policy Server
2. Under NPS (Local), click on RADIUS Clients and Servers
3. Under RADIUS Clients and Servers, select RADIUS Clients
4. Right click, and select New RADIUS Client
5. Give the New Radius Client a Friendly name, for example, Rras Server1
6. Type in the IP Address, for example, 10.10.0.24
7. Choose a Vendor name, most are RADIUS Standard
8. Choose Generate to automatically generate a Shared secret
9. Click on the Generate button
10. Two additional boxes are available to check for Additional Options:
a. Access-Request messages must contain the Message-Authenticator attribute (also known as signature attribute and provides additional security)
b. RADIUS client is NAP-capable
11. Click OK
Next, set up SVR1 as a RADIUS client:
1. Start | Administrative Tools | Routing and Remote Access
2. Right-click on SVR1
3. Select Properties
4. Select the Security tab
5. In the Authentication provider: drop-down menu, choose RADIUS Authentication
6. Click on the Configure button
7. Click on the Add button to add a RADIUS server
8. In the Server name: box, type DC1
9. In the Accounting provider: drop-down menu, choose RADIUS Accounting
10. Click on the Configure button
11. Click on the Add button to Add the RADIUS Server
12. In the server name: box, type DC1
13. You have the ability to change the Time-out, Initial Score, and Port that is in use
14. Click OK
15. Click OK
16. Click Apply
17. A message generates “To use a new authentication provider, you must restart the Routing and Remote Access”. (A restart is required)
18. Click OK
19. When you return to the Routing and Remote Access dialog box, right-click on SVR1 and choose All Tasks
20. Select Restart
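The same RADIUS client registration done from the command line, as an added example that is not part of the original page. It assumes an elevated PowerShell session on DC1, uses the demo name and address above, and generates the shared secret itself (the secret must then be entered on SVR1 exactly as in the steps above).

```powershell
# Added example, not from the original page: register the RRAS server (SVR1) as a RADIUS
# client on the NPS server (DC1) with netsh nps instead of the New RADIUS Client dialog.
# Assumptions: elevated PowerShell on DC1; name/address are the demo values above.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-character alphabet: 256 mod 64 = 0, so "byte % 64" picks characters without bias.
    # Only letters, digits, '-' and '_' are used so the value needs no quoting for netsh.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Add-NpsRadiusClient {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Address,
        [Parameter(Mandatory=$true)][string]$SharedSecret,
        [bool]$NapCapable = $false
    )
    $nap = if ($NapCapable) { 'YES' } else { 'NO' }
    # requireauthattrib=YES is step 10a above: every Access-Request must carry the
    # Message-Authenticator attribute (an HMAC keyed with the shared secret), so NPS
    # discards Access-Requests that were not built by a holder of the secret.
    & netsh nps add client name="$Name" address="$Address" state="ENABLE" `
        sharedsecret="$SharedSecret" requireauthattrib="YES" `
        napcompatible="$nap" vendor="RADIUS Standard"
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed for '$Name'" }
}

$secret = New-RadiusSharedSecret
Add-NpsRadiusClient -Name 'Rras Server1' -Address '10.10.0.24' -SharedSecret $secret

# Show the secret once so it can be typed into SVR1's RADIUS Authentication and
# RADIUS Accounting server entries (Security tab), then clear it from the session.
Write-Host "Shared secret for 10.10.0.24 (enter it on SVR1, then close this window): $secret"
Remove-Variable secret

# Confirm the client as NPS stored it.
netsh nps show client name="Rras Server1"
```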
What is a Connection Request Policy?
The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. Conditions that a connection request policy can match include:
- Framed Protocol
- Service Type
- Tunnel Type
- Day and Time restrictions
What are the Connection Request Settings?
- Authentication
- Accounting
- Attribute Manipulation
- Advanced Settings
Configuring Connection Request Processing
- Local Authentication: Local authentication takes place against the local security account database or against Active Directory, and the connection policies are held on the server itself.
- RADIUS Authentication: RADIUS authentication forwards the connection request to a RADIUS server, which authenticates it against the security database. RADIUS manages the connection policies in a central store. If the environment contains multiple remote access servers, it is best to use RADIUS for authentication.
- RADIUS server groups: When you create a RADIUS server group with more than one RADIUS server in it, you specify the criteria used to load-balance connection requests across the servers.
- Default ports for Accounting and Authentication using RADIUS: The ports required when requests are forwarded to RADIUS are UDP 1812/1645 for authentication and UDP 1813/1646 for accounting. Ensure these ports are open in the firewall.
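Opening the RADIUS ports listed above only to the known RADIUS clients, rather than to any source, as an added example that is not part of the original page. It assumes an elevated PowerShell session on the NPS server, uses the demo address of SVR1 (10.10.0.24) plus a constructed second network access server at 10.10.0.25, and relies on the netsh advfirewall commands built into Windows Server 2008 and later.

```powershell
# Added example, not from the original page: Windows Firewall rules for the RADIUS
# authentication and accounting ports, scoped to the RADIUS clients NPS knows about.
# Assumptions: elevated PowerShell on the NPS server; 10.10.0.25 is a constructed
# second NAS address, 10.10.0.24 is SVR1 from the demo.

$radiusClients = @('10.10.0.24', '10.10.0.25')
$remoteIp = $radiusClients -join ','

function Add-RadiusFirewallRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Ports,     # e.g. "1812,1645"
        [Parameter(Mandatory=$true)][string]$RemoteIp   # comma-separated client addresses
    )
    # Delete any earlier copy first so the script can be re-run; netsh reports an
    # error when the rule does not exist yet, which is expected and ignored here.
    & netsh advfirewall firewall delete rule name="$Name" | Out-Null
    & netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=UDP localport=$Ports remoteip=$RemoteIp profile=domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add firewall rule '$Name'" }
}

# Authentication: UDP 1812 (RFC 2865) and the legacy port 1645.
Add-RadiusFirewallRule -Name 'NPS RADIUS Authentication (scoped)' -Ports '1812,1645' -RemoteIp $remoteIp
# Accounting: UDP 1813 (RFC 2866) and the legacy port 1646.
Add-RadiusFirewallRule -Name 'NPS RADIUS Accounting (scoped)' -Ports '1813,1646' -RemoteIp $remoteIp

# Verify the rules; the Ports tab in NPS Properties must list the same port numbers.
netsh advfirewall firewall show rule name='NPS RADIUS Authentication (scoped)'
netsh advfirewall firewall show rule name='NPS RADIUS Accounting (scoped)'
```

Any pre-existing inbound rules for UDP 1812/1813 that allow any remote address still apply alongside these, so review them with netsh advfirewall firewall show rule name=all and disable the unscoped ones.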
How to Create a New Connection Request Policy
1. Start | Administrative Tools | Network Policy Server
2. Under Policies, right-click on Connection Request Policies
3. Click on New
4. The New Connection Request Policy Wizard launches
5. Type in the Policy name:, for example, Radius Client Policy
6. Under Type of network access server: drop-down box, choose Remote Access Server (VPN-Dial up)
7. Click Next
8. Click on Add to add a set of policy conditions
9. Click on Client IPv4 Address to add the RADIUS client IP address
10. Specify the IPv4 address of the RADIUS client, for example 10.10.0.24.
11. Click Next
12. Highlight Authentication, select Forward requests to the following remote RADIUS server group for authentication:, and click the New button (good for load balancing)
13. Type in the Group name: example, PcRepairNorthShore
14. Click Add
15. On the Add RADIUS Server dialog box, type in the IP address of the RADIUS server you want to add. For our example, we will use 10.10.0.10.
16. You can also specify Authentication/Accounting criteria and Load Balancing criteria
17. Click OK
18. Click OK
19. Highlight Accounting, and then check off the Forward accounting requests to this remote RADIUS server group
20. Click Next
21. You can specify Realm Names and RADIUS Attributes that you need
22. Click Next
23. Click Finish to Complete the Connection Request Policy Wizard
24. You can see the Policy listed in the Connection Request Policies window
25. Right click the policy and select Move Up to put this policy first because policies are processed from the top down
Note: If you need to disable the policy, right-click the policy and select Disable
NPS Authentication Methods
Authentication methods for an NPS server include:
• MS-CHAPv2
• MS-CHAP
• CHAP
• PAP
• Unauthenticated access
Password-based authentication methods are the weakest.
Certificate-based authentication is the strongest and most secure method in the NPS environment.
Certificate types:
• CA (Certificate Authority) certificate: Verifies the trust path of other certificates
• Client computer certificate: Issued to the computer to prove its ID to NPS during authentication
• Server certificate: Issued to an NPS server to prove its ID to client computers during authentication
• User certificate: Issued to individuals to prove their ID to NPS servers for authentication
Certificates can be obtained from public or commercial CA providers or you can host your own internal Active Directory certificate services.
Note: Specify certificate-based authentication in a network policy by indicating the authentication methods on the Constraints tab.
The initial expense of using a Certificate Authority is worth the extra security that is obtained by using a CA.
The certificates must all be X.509 compatible and must work for connections that use SSL/TLS (Secure Sockets Layer/Transport Layer Security) when they are used for network access authentication.
We must obtain Server certificates and Client certificates.
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
Server certificates
• Must contain Subject attribute that is not NULL
• Must chain to a trusted-root CA
• Configured with Server Authentication purpose in EKU (Extended Key Usage) extensions
• Configured with required algorithm of RSA with a minimum 2048 key length http://en.wikipedia.org/wiki/RSA_(algorithm)
• Subject Alternative Name extension, if used, must contain the DNS name of the server
Client certificates
• Issued by an Enterprise CA or mapped to an account in Active Directory
• Must chain to a trusted-root CA
• For computer certificates, the Subject Alternative Name must contain the FQDN
• For user certificates, the Subject Alternative Name must contain the UPN
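A script that checks an installed certificate against the server-certificate requirements listed above, as an added example that is not part of the original page. It assumes it runs on the NPS server and that the thumbprint and FQDN passed at the bottom are placeholders to replace with the real values.

```powershell
# Added example, not from the original page: test a certificate in the local machine
# store against the EAP-TLS / PEAP server-certificate requirements listed above.
# Assumptions: runs on the NPS server; thumbprint and FQDN at the bottom are placeholders.

function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$ExpectedDnsName
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $result = @{}

    # 1. Subject attribute must not be NULL.
    $result['SubjectNotNull'] = -not [string]::IsNullOrEmpty($cert.Subject)

    # 2. Must chain to a trusted root CA. Revocation checking is skipped so the test
    #    works offline; NPS performs its own revocation checks at run time.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result['ChainsToTrustedRoot'] = $chain.Build($cert)

    # 3. EKU (OID 2.5.29.37) must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $result['ServerAuthEku'] = [bool]($eku -and ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # 4. RSA key (OID 1.2.840.113549.1.1.1) with a minimum length of 2048 bits.
    $isRsa = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'
    $result['Rsa2048OrLonger'] = $isRsa -and ($cert.PublicKey.Key.KeySize -ge 2048)

    # 5. Subject Alternative Name (OID 2.5.29.17), if present, must contain the DNS name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders entries such as "DNS Name=dc1.example.com", one per line.
        $pattern = 'DNS Name=' + [regex]::Escape($ExpectedDnsName) + '(\s|$)'
        $result['SanHasDnsName'] = $san.Format($true) -match $pattern
    } else {
        $result['SanHasDnsName'] = $true   # extension absent: the requirement does not apply
    }

    $result['AllRequirementsMet'] = -not ($result.Values -contains $false)
    return $result
}

# Placeholders: replace with the NPS server certificate's thumbprint and the server's FQDN.
$report = Test-NpsServerCertificate -Thumbprint 'REPLACE-WITH-THUMBPRINT' -ExpectedDnsName 'dc1.example.com'
$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```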
Deploying Certificates for PEAP and EAP
Once you have decided to use certificates for authentication, you must deploy certificates for PEAP (Protected Extensible Authentication Protocol) and EAP (Extensible Authentication Protocol).
• You can use Active Directory, for domain computer and user accounts, using the auto-enrollment feature in Group Policy
• Non domain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
• The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the non domain member computer
• The administrator can distribute the user certificates on a smart card, if you have that technology