Network Policy Server (NPS) Operations Guide[1]

8/8/2019 Network Policy Server (NPS) Operations Guide[1]

Network Policy Server (NPS) Operations Guide

Microsoft Corporation

Published: April 2008

Author: James McIllece

Editor: Scott Somohano

Abstract

The Network Policy Server Operations Guide provides information about how to administer NPS after it is installed and deployed. It also includes troubleshooting information for specific problems and scenarios.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

Network Policy Server (NPS) Operations Guide ..... 1
Abstract ..... 1
Contents ..... 3
Network Policy Server Operations Guide ..... 6
Windows Server 2008 Editions and NPS ..... 6
Windows Server 2008 Enterprise and Datacenter Editions ..... 6
Windows Server 2008 Standard Edition ..... 6
Windows Web Server 2008 ..... 7
NPS resources ..... 7
Introduction to Administering NPS ..... 7
When to use this guide ..... 7
How to use this guide ..... 8
Best Practices for NPS ..... 8
Installation ..... 8
Client computer configuration ..... 9
Authentication ..... 9
Security issues ..... 9
Accounting ..... 10
Optimizing NPS ..... 11
Using NPS in large organizations ..... 11
Network Access Protection (NAP) ..... 12
Administering NPS ..... 13
Managing NPS Servers ..... 13
Administer NPS by Using Tools ..... 14
Enable Remote Administration of an NPS Server ..... 14
Enter the Netsh NPS Context on an NPS Server ..... 15
Installing NPS ..... 15
Install Network Policy Server (NPS) ..... 16
Install NPS by Using the Add Role Services Wizard ..... 17
Manage an NPS Server by Using Remote Desktop Connection ..... 18
Manage Multiple NPS Servers by Using the NPS MMC Snap-in ..... 19
Configure the Local NPS Server by Using the NPS Console ..... 20
Configure NPS on a Multihomed Computer ..... 20
Configure NPS UDP Port Information ..... 22
Disable NAS Notification Forwarding ..... 23
Export an NPS Server Configuration for Import on Another Server ..... 23
Increase the Number of NPS Concurrent Authentications ..... 25
Interpret NPS Database Format Log Files ..... 25
Entries recorded in database-compatible log files ..... 26
Interpret Windows System Health Validator Entries in Log Files ..... 33
Diagnostic codes ..... 34
Error codes ..... 35
Determining the client operating system ..... 37
Example log file entries ..... 37
First example log file entry ..... 38
Second example log file entry ..... 39
Register an NPS Server in Another Domain ..... 40
Register an NPS Server in its Default Domain ..... 40
Unregister an NPS Server from its Default Domain ..... 41
Verify Configuration After an NPS Server IP Address Change ..... 41
Verify Configuration After Renaming an NPS Server ..... 43
Managing Certificates Used with NPS ..... 44
Change the Cached TLS Handle Expiry ..... 44
Configure the TLS Handle Expiry Time on Client Computers ..... 45
Configure the TLS Handle Expiry Time on NPS Servers ..... 46
Obtain the SHA-1 Hash of a Trusted Root CA Certificate ..... 46
Managing RADIUS Clients ..... 47
Set up RADIUS Clients ..... 48
Configure the Network Access Server ..... 49
Add the Network Access Server as a RADIUS Client in NPS ..... 49
Set up RADIUS Clients by IP Address Range ..... 50
Managing Network Policies ..... 52
An ordered list of rules ..... 52
Configure NPS for VLANs ..... 53
Configure a Network Policy for VLANs ..... 54
Configure the EAP Payload Size ..... 55
Configure the Framed-MTU Attribute ..... 55
Configure NPS to Ignore User Account Dial-in Properties ..... 56


clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.

Windows Web Server 2008

NPS is not included in the Windows Web Server 2008 edition.

NPS resources

For NPS resources in addition to this guide, see Network Policy Server in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=104545).

Introduction to Administering NPS

This guide, in conjunction with the NPS procedural Help topics, explains how to administer NPS. The objectives, tasks, and procedures described in this guide and in procedural Help topics discuss actions that are part of the operating phase of the information technology (IT) life cycle.

To access the NPS procedural Help topics, open the NPS console and press F1.

If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide

This guide assumes a basic understanding of what NPS is, how it works, and why your organization uses it to manage network access, including the authentication, authorization, and accounting for network connections. It also assumes that you have a thorough understanding of how NPS is deployed and managed in your organization before performing any of the actions described in this guide.

This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles within an IT organization, including IT operations management and administrators.

This guide contains both general information and more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and its snap-ins. They must also know how to start administrative programs, access the command line, and run the Netsh commands for NPS.

If operators are not familiar with NPS, it might be necessary for IT planners or IT managers to review the relevant operations in this guide and provide the operators with parameters or data that must be entered when the operation is performed.


How to use this guide

The operations areas are divided into the following types of content:

• Objectives are general goals for managing, monitoring, optimizing and securing NPS. Each objective consists of one or more general tasks that describe how the objective is accomplished.

• Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective.

• Procedures provide step-by-step instructions for completing tasks.

If you are an IT manager who will be delegating tasks to operators within your organization:

1. Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures for each task.

2. Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.

3. When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document, and then either print these documents or store them online, depending on the preference of your organization.

Best Practices for NPS

This topic provides best practices for implementing and configuring NPS and is based on recommendations from Microsoft Product Support Services.

Installation

Before installing NPS, do the following:

• Install and test each of your network access servers by using local authentication methods before you make them RADIUS clients.

• After you install and configure NPS, save the configuration by using the netsh nps export command. Use this command to save the NPS configuration to an XML file every time a configuration change is made.

• If you install additional Extensible Authentication Protocol (EAP) types on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.

• If you install additional system health validators (SHVs) on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.

• Do not install Windows Server 2008 on the same partition with another version of Windows Server.


• Do not configure a server running NPS or the Routing and Remote Access service as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a domain controller running Windows Server 2008 in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain controller to fail. Instead, configure your server running NPS or Routing and Remote Access as a member of a Windows Server 2008 domain. An alternative is to configure a server running NPS as a RADIUS proxy server that forwards authentication and accounting requests from the Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.

Client computer configuration

Following are the best practices for client computer configuration:

• Automatically configure all of your domain member 802.1X client computers by using Group Policy.

• Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.

Authentication

Following are the best practices for authentication:

• Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods because they are vulnerable to a variety of attacks and are not secure.

• Use PEAP, which is required for all Network Access Protection (NAP) enforcement methods. Determine the PEAP authentication types that you want to use, such as PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.

• Deploy a certification authority (CA) by using Active Directory Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory.

Security issues

Your NPS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your NPS server and RADIUS messages from unwanted internal and external intrusion.


When you are administering an NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:

• Use Remote Desktop Connection to access the NPS server. When Remote Desktop Connection users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.

• Use Internet Protocol security (IPsec) to encrypt confidential data. If you manage one or more remote NPS servers from a local NPS server by using the NPS Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication between the local NPS server and the remote NPS server.

Accounting

There are two types of accounting, or logging, in NPS:

• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. Recording NPS events to the security event log is a new feature in Windows Server 2008, and much more information is logged for NPS than in previous operating system versions for Internet Authentication Service (IAS). This information is used primarily for auditing and troubleshooting connection attempts.

• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down activity after an attack.

To make the most effective use of NPS logging:

• Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.

• Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.

• Back up all log files on a regular basis because they cannot be recreated after they are damaged or deleted.

• For billing purposes, use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases when the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.

• If you use SQL Server logging, ensure that you store credentials and other connection properties in a secure location. This information is not exported to file when you use the netsh nps export command.


• To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server tools to set up database replication between the two servers. For more information, see SQL Server documentation.

Important

If your NPS server is configured to log accounting data but cannot write to the configured data store (a log file, a SQL Server database, or both), NPS discards all connection requests and authentication fails. In this circumstance, users cannot access the network by using connections through RADIUS clients. This ensures that accounting data is accurate.
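The Class attribute advice above leaves the actual clean-up of duplicate requests to the reader. The PowerShell below is an added example, not code from the guide: it takes a handful of constructed accounting records (the column names and values are invented for the example and do not follow the NPS log file layouts documented later in this guide), reports the records that a resent request leaves behind, and totals billable session time from the remaining Stop records. It assumes that a duplicate is a second record carrying the same Class value and the same Acct-Status-Type, since the Start and Stop records of one session legitimately share a Class value.

```powershell
# Added example, not part of the Microsoft guide.
# Constructed sample: accounting records already parsed into named columns.
# Rows 1 and 2 are the same Start request, logged twice because the reply to
# the access server was lost. Rows 4 and 5 are two different sessions for the
# same user in the same second; only the Class value tells them apart.
$records = @'
RecordTime,NasIP,UserName,AcctStatusType,AcctSessionId,Class,AcctSessionTime
2008-04-01 08:00:01,10.1.1.5,CONTOSO\alice,Start,0001A3F2,NPS1-20080401-0001,0
2008-04-01 08:00:06,10.1.1.5,CONTOSO\alice,Start,0001A3F2,NPS1-20080401-0001,0
2008-04-01 08:45:10,10.1.1.5,CONTOSO\alice,Stop,0001A3F2,NPS1-20080401-0001,2709
2008-04-01 09:10:33,10.1.1.6,CONTOSO\bob,Start,0001A400,NPS1-20080401-0002,0
2008-04-01 09:10:33,10.1.1.6,CONTOSO\bob,Start,0001A401,NPS1-20080401-0003,0
2008-04-01 09:40:02,10.1.1.6,CONTOSO\bob,Stop,0001A400,NPS1-20080401-0002,1769
'@ | ConvertFrom-Csv

# Assumption: a duplicate is a second record with the same Class value and
# the same Acct-Status-Type (Start and Stop of one session share the Class).
function Get-AccountingKey($Record) {
    '{0}|{1}' -f $Record.Class, $Record.AcctStatusType
}

function Find-DuplicateAccounting($Records) {
    $Records | Group-Object -Property { Get-AccountingKey $_ } |
        Where-Object { $_.Count -gt 1 }
}

function Remove-DuplicateAccounting($Records) {
    # Keep the earliest copy of each key; the retransmission is the later one.
    $Records | Sort-Object -Property RecordTime |
        Group-Object -Property { Get-AccountingKey $_ } |
        ForEach-Object { $_.Group[0] }
}

foreach ($group in Find-DuplicateAccounting $records) {
    $first = $group.Group[0]
    '{0}: {1} copies of {2} for {3} (session {4})' -f $first.Class, $group.Count,
        $first.AcctStatusType, $first.UserName, $first.AcctSessionId
}

# Usage per user, computed from the de-duplicated Stop records only.
Remove-DuplicateAccounting $records |
    Where-Object { $_.AcctStatusType -eq 'Stop' } |
    Group-Object -Property UserName |
    ForEach-Object {
        $seconds = ($_.Group | ForEach-Object { [int]$_.AcctSessionTime } |
            Measure-Object -Sum).Sum
        '{0}: {1} seconds' -f $_.Name, $seconds
    }
```

Keying on the user name and timestamp instead would wrongly merge bob's two sessions, which is the point of the guide's recommendation to carry the Class attribute into the accounting data.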

Optimizing NPS

Following are ways to tune NPS performance:

• To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.

• When universal principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet.

• Disable start and stop notification forwarding from network access servers (NASs) to individual servers in each remote RADIUS server group if you are not forwarding accounting requests to the group. For more information, see Disable NAS Notification Forwarding.

Using NPS in large organizations

Following are ways to use NPS in large organizations:

• If you are using network policies to restrict network access for all but specific groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for members of this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and then add users to those groups.

• Use a user principal name in network policies to refer to users whenever possible. A user can have the same user principal name regardless of the domain membership of the user account. This practice provides scalability that might be required in organizations that have a large number of domains.

• If NPS is on a computer other than a domain controller, and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between NPS and the domain controller. For more information, see Increase the Number of NPS Concurrent Authentications.


Note

To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the NPS proxies as RADIUS servers.

Network Access Protection (NAP)

When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies. Following are the best practices for NAP deployment with NPS.

• For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. Strong enforcement methods use certificate-based authentication and secure the channel between clients and servers through which the statement of health (SoH) and statement of health response (SoHR) are sent. The DHCP enforcement method is the least secure enforcement method and should be deployed only in circumstances where secure transmission of the SoH and SoHR are not required.

• When you deploy the IPsec enforcement method, enable pass-through authentication in Internet Information Services (IIS). Enabling pass-through authentication ensures that only domain member computers can obtain a health certificate and communicate with other domain member computers.

• Before you create health policies for your NAP deployments, if you are using non-Microsoft products that support NAP, install non-Microsoft system health agents (SHAs) on client computers. In addition, install the corresponding system health validators (SHVs) for the SHAs on NPS servers.

• When you deploy NAP by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the NPS connection request policy even when connection requests are processed locally.

• For a streamlined method of creating network policies, connection request policies, and health policies for your NAP deployment, use the New NAP Policies wizard. If you want to modify policies created by using the wizard, open the policy in the NPS console and make required changes.

• When you deploy NAP with the IPsec and DHCP enforcement methods, enable client health checks when you configure authentication. You should also configure the Identity Type condition in network policy with the value Computer health check.

• To deploy NAP with the DHCP enforcement method, you must install both NPS and DHCP on the same computer.


Administering NPS

By effectively administering your NPS deployment, you can provide secure network access for your organization, ensuring that authorized organization employees, business partners, and guests can access the network when and where they need to do so.

Note

The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

The following objectives are part of administering NPS:

• Managing NPS Servers

• Managing Certificates Used with NPS

• Managing RADIUS Clients

• Managing Network Policies

Managing NPS Servers

Managing NPS servers across your organization means providing NPS server availability, with approved and consistent network policies configured across your NPS deployment.

When you manage NPS servers, you ensure that RADIUS clients have access to the servers, that NPS servers have permission to access your user account databases, and that RADIUS traffic is sent and received on the same UDP ports.

In addition, you can synchronize server configurations in whole or in part by using Netsh commands for NPS.

The following tasks for managing NPS servers are described in this objective:

• Administer NPS by Using Tools

• Configure NPS on a Multihomed Computer

• Configure NPS UDP Port Information

• Disable NAS Notification Forwarding

• Export an NPS Server Configuration for Import on Another Server

• Increase the Number of NPS Concurrent Authentications

• Interpret NPS Database Format Log Files

• Register an NPS Server in Another Domain

• Register an NPS Server in its Default Domain

• Unregister an NPS Server from its Default Domain

• Verify Configuration After an NPS Server IP Address Change


    Verify Configuration After Renaming an NPS Server

    Administer NPS by Using Tools

    NPS provides three tools that you can use to administer NPS: the NPS console, the NPS

    Microsoft Management Console (MMC) snap-in, and the Netsh commands for NPS (netsh nps).

    The following procedures show how to manage NPS using these tools:

    Enable Remote Administration of an NPS Server

    Enter the Netsh NPS Context on an NPS Server

    Installing NPS

    Manage an NPS Server by Using Remote Desktop Connection

    Manage Multiple NPS Servers by Using the NPS MMC Snap-in

    Configure the Local NPS Server by Using the NPS Console

    Enable Remote Administration of an NPS Server

    You can use this procedure to enable the Remote administration exception in Windows Firewall with Advanced Security.

    You can use the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in to manage both the local and remote NPS servers. To manage remote servers, however, you must first enable the Remote administration exception on the firewall of the NPS server that you want to manage.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To enable remote administration of an NPS server

    1. Click Start, and then click Control Panel.

    2. In Control Panel, verify that Control Panel Home is selected. Under Security, click Allow a program through Windows Firewall. The Windows Firewall Settings dialog box opens.

    3. In Windows Firewall Settings, verify that the Exceptions tab is selected.

    4. In Program or port, scroll to and select the Remote administration check box, and then click OK.


    Enter the Netsh NPS Context on an NPS Server

    You can use commands in the Netsh NPS context to show and set the configuration of the authentication, authorization, accounting, and auditing database used both by NPS and the Routing and Remote Access service. Use commands in the Netsh NPS context to:

    Configure or reconfigure an NPS server, including all aspects of NPS that are also available for configuration by using the NPS console in the Windows interface.

    Export the configuration of one NPS server (the source server), including registry keys and the NPS configuration store, as a Netsh script.

    Import the configuration to another NPS server by using a Netsh script and the exported configuration file from the source NPS server.

    You can run these commands from the Windows Server 2008 command prompt or from the command prompt for the Netsh NPS context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh nps before typing additional commands and their parameters.

    There are functional differences between Netsh context commands in the Windows Server 2003 family and Netsh commands in Windows Server 2008.

    Administrative Credentials

    To perform this procedure, you must be a member of the Administrators group on the local computer.

    To enter the Netsh NPS context on an NPS server

    1. Open Command Prompt.

    2. Type netsh, and then press ENTER.

    3. Type nps, and then press ENTER.

    Installing NPS

    There are multiple ways to install NPS. To understand the differences between these methods, you need an understanding of the Network Policy and Access Services (NPAS) server role. The NPAS server role is a logical grouping of the following network access technologies:

    Network Policy Server (NPS)

    Routing and Remote Access service (RRAS)

    Health Registration Authority (HRA)

    Host Credential Authorization Protocol (HCAP)


    These technologies are the role services of the NPAS server role. When you install the NPAS server role, you can install one or more role services while running the Add Roles Wizard.

    Note

    The Add Roles Wizard is opened by using either Server Manager or Initial Configuration Tasks.

    After you have run the Add Roles Wizard and you have installed one or more role services of the NPAS server role, you cannot install additional role services by using the same wizard.

    For this reason, if you run the Add Roles Wizard and you install NPAS role services other than NPS, you cannot run the Add Roles Wizard again to install NPS later; you must instead open a similar wizard named the Add Role Services Wizard.

    If you want to install NPS, and you have not yet installed any other role services of the NPAS server role, follow the instructions in the procedure Install Network Policy Server (NPS).

    If you want to install NPS, but you have already installed other NPAS role services, follow the instructions in the procedure Install NPS by Using the Add Role Services Wizard.

    Install Network Policy Server (NPS)

    You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role.

    Note

    By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To install NPS

    1. Do one of the following:

    In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.

    Click Start, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.

    2. In Before You Begin, click Next.


    Note

    The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

    3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.

    4. In Network Policy and Access Services, click Next.

    5. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.

    6. In Confirm Installation Selections, click Install.

    7. In Installation Results, review your installation results, and then click Close.

    Install NPS by Using the Add Role Services Wizard

    You can use this procedure to install Network Policy Server (NPS) as a role service of the Network Policy and Access Services (NPAS) server role in circumstances where you have previously installed other NPAS role services.

    Important

    To successfully use this procedure to install NPS, it is required that you previously installed the NPAS server role with a different role service, such as the Routing and Remote Access service (RRAS). If you have not previously installed NPAS, do not use this procedure; instead, use the procedure Install Network Policy Server (NPS).

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To install NPS by using the Add Role Services wizard

    1. Click Start, and then click Server Manager. In the left pane of Server Manager, double-click Roles to expand the tree. Browse to and right-click Network Policy and Access Services, and then click Add Role Services. The Add Role Services wizard opens.

    2. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.

    3. In Confirm Installation Selections, click Install.

    4. In Installation Results, review your installation results, and then click Close.


    Manage an NPS Server by Using Remote Desktop Connection

    Use this procedure to manage a remote NPS server by using Remote Desktop Connection. By using Remote Desktop Connection, you can remotely manage your NPS servers running Windows Server 2008. You can also remotely manage NPS servers from a computer running Windows Vista.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To manage an NPS server by using Remote Desktop Connection

    1. On each NPS server that you want to manage remotely, in Control Panel, double-click System. The System page opens.

    2. In System, in Tasks, click Remote settings. The System Properties dialog box opens.

    3. In System Properties, ensure that the Remote tab is selected. In Remote Desktop, select an option that allows connections from remote computers.

    4. Click Select Users. The Remote Desktop Users dialog box opens.

    5. In Remote Desktop Users, to grant permission to a user to connect remotely to the NPS server, click Add, and then type the user name for the user's account. Click OK.

    6. Repeat step 5 for each user to whom you want to grant remote access permission to the NPS server.

    7. On each NPS server, if Windows Firewall with Advanced Security is enabled, add an exception for Remote Desktop.

    8. To connect to a remote NPS server that you have configured by using the previous steps, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.

    9. In Computer, type the NPS server name or IP address. If you want, click Options, configure additional connection options, and then click Save to save the connection for repeated use.

    10. Click Connect, and when prompted provide user account credentials for an account that has permissions to log on to and configure the NPS server.


    Manage Multiple NPS Servers by Using the NPS MMC Snap-in

    Use this procedure to manage multiple NPS servers by using the NPS Microsoft Management Console (MMC) snap-in.

    You can also use the instructions below to manage a local NPS server and one or more remote NPS servers from the Microsoft Management Console (MMC) on the local NPS server.

    Before performing the procedure below, you must install NPS on the local computer and on the remote computers.

    Important

    Before you can manage a remote NPS server, you must configure the remote server to allow remote administration. For more information, see Enable Remote Administration of an NPS Server.

    Depending on network conditions and the number of NPS servers you manage by using the NPS MMC snap-in, response of the MMC snap-in might be slow. In addition, NPS server configuration traffic is sent over the network during a remote administration session by using the NPS snap-in. Ensure that your network is physically secure and that malicious users do not have access to this network traffic.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To manage multiple NPS servers by using the NPS snap-in

    1. To open MMC, click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

    3. In Add or Remove Snap-ins, in Available snap-ins, scroll down the list, click Network Policy Server, and then click Add. The Select Computer dialog box opens.

    4. In Select Computer, verify that Local computer (the one this console is running on) is selected, and then click OK. The snap-in for the local NPS server is added to the list in Selected snap-ins.

    5. In Add or Remove Snap-ins, in Available snap-ins, ensure that Network Policy Server is still selected, and then click Add. The Select Computer dialog box opens again.

    6. In Select Computer, click Another computer, and then type the IP address or fully qualified domain name of the remote NPS server that you want to manage by using the NPS snap-in. Optionally, you can click Browse to browse the directory for the computer you want to add. Click OK.

    7. Repeat steps 5 and 6 to add more NPS servers to the NPS snap-in. When you have added all the NPS servers you want to manage, click OK.


    8. To save the NPS snap-in for later use, click File, click Save, type a name for your Microsoft Management Console (.msc) file, and then click Save.

    Configure the Local NPS Server by Using the NPS Console

    After you have installed NPS, you can use this procedure to manage the local NPS server by using the NPS Microsoft Management Console (MMC).

    The NPS console differs from use of the NPS MMC snap-in in the following ways:

    The NPS console is installed by default when you install NPS.

    The NPS console is used to manage the local NPS server only; you cannot use the NPS console to manage remote NPS servers.

    You can use the NPS MMC snap-in to create a custom MMC console that allows you to manage remote NPS servers in addition to managing the local NPS server.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To configure the local NPS server by using the NPS console

    1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. In the NPS console, click NPS (Local). In the details pane, choose either Standard Configuration or Advanced Configuration, and then do one of the following based upon your selection:

    If you choose Standard Configuration, select a scenario from the list, and then follow the instructions to start a configuration wizard.

    If you choose Advanced Configuration, click the arrow to expand Advanced Configuration options, and then review and configure the available options based on the NPS functionality that you want.

    Configure NPS on a Multihomed Computer

    A computer with multiple network adapters installed is known as a multihomed computer. When you use multiple network adapters in an NPS server, you can configure the following:

    The network adapters that do and do not send and receive RADIUS traffic.


    On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.

    The UDP ports over which RADIUS traffic is sent and received on a per-protocol (IPv4 or IPv6), per-network adapter basis.

    By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and IPv4 for all installed network adapters. Because NPS automatically uses all network adapters for RADIUS traffic, you only need to specify the network adapters that you want NPS to use for RADIUS traffic when you want to prevent NPS from using an adapter for RADIUS traffic.

    Note

    If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

    On an NPS server that has multiple network adapters installed, you might want to configure NPS to send RADIUS traffic only on a specific adapter.

    For example, one network adapter installed in the NPS server might lead to a network segment that does not contain RADIUS clients, while a second network adapter provides NPS with a network path to its configured RADIUS clients. In this scenario it is important to direct NPS to use the second network adapter for all RADIUS traffic.

    In another example, if your NPS server has three network adapters installed, but you only want NPS to use two of the adapters for RADIUS traffic, you should configure port information for the two adapters only. By excluding port configuration for the third adapter, you prevent NPS from using the adapter for RADIUS traffic.

    When you use the procedure in Configure NPS UDP Port Information, you can configure NPS to listen for and send RADIUS traffic on a network adapter by using the following syntax:

    IPv4 traffic syntax: IPAddress:UDPport, where IPAddress is the IPv4 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.

    IPv6 traffic syntax: [IPv6Address]:UDPport, where the brackets around IPv6Address are required, IPv6Address is the IPv6 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.

    The following characters can be used as delimiters for configuring IP address and UDP port information:

    Address/port delimiter: colon (:)

    Port delimiter: comma (,)

    Interface delimiter: semicolon (;)

    Make sure that your network access servers are configured with the same RADIUS UDP ports that you configure on your NPS servers. The RADIUS standard UDP ports defined in RFCs 2865 and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for accounting requests.


    Important

    If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

    Configure NPS UDP Port Information

    Use this procedure to configure User Datagram Protocol (UDP) ports for RADIUS traffic.

    You can use the following procedure to configure the ports that Network Policy Server (NPS) uses for RADIUS authentication and accounting traffic.

    By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.

    Note

    If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

    The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which ports you decide to use, make sure that NPS and your access server are configured to use the same ones.

    Important

    If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

    Administrative credentials

    To complete this procedure, you must be a member of the Administrators group.

    To configure NPS UDP port information

    1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. In the NPS console, right-click Network Policy Server, and then click Properties.

    3. Click the Ports tab, and then prepend the IP address for the network adapter you want to use for RADIUS traffic to the existing port numbers. For example, if you want to use the IP address 192.168.1.2 and RADIUS ports 1812 and 1645 for authentication requests, change the port setting from 1812,1645 to 192.168.1.2:1812,1645. If your RADIUS authentication and RADIUS accounting UDP ports are different from the default values, change the port settings accordingly.

    4. To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
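    To check a Ports tab value before applying it, the following is an added example in Python (not code from the guide or from Microsoft) that parses the IPAddress:UDPport and [IPv6Address]:UDPport syntax with the three delimiters described above, lists the UDP ports that need firewall exceptions when they differ from the defaults, and reports which adapters on a multihomed server are left out of RADIUS. The adapter addresses, the IPv6 address and the non-default port 18120 used in the sample calls are constructed values.

```python
"""Parse the NPS Ports tab syntax (IPAddress:UDPport, [IPv6Address]:UDPport).

Added example, not code from the NPS Operations Guide or from Microsoft.
Delimiters follow the guide: ":" between address and ports, "," between
ports, ";" between interfaces. An entry with no address prefix means NPS
listens on all installed adapters.
"""
import ipaddress

# Default ports from the guide; NPS creates firewall exceptions for these
# at install time, so any other port needs an exception added by hand.
DEFAULT_AUTH_PORTS = {1812, 1645}
DEFAULT_ACCT_PORTS = {1813, 1646}


def parse_port_setting(setting):
    """Return [(address, [ports]), ...] for one Ports tab field.

    address is an ipaddress object, or None when the entry has no address
    prefix. Raises ValueError on malformed input so a bad setting is
    caught before it is applied to the server.
    """
    entries = []
    for iface in setting.split(";"):            # interface delimiter
        iface = iface.strip()
        if not iface:
            continue
        addr, port_part = None, iface
        if iface.startswith("["):               # [IPv6Address]:UDPport
            end = iface.find("]:")
            if end < 0:
                raise ValueError("IPv6 entry must look like [address]:port: %r" % iface)
            addr = ipaddress.IPv6Address(iface[1:end])
            port_part = iface[end + 2:]
        elif iface.count(":") == 1:             # IPAddress:UDPport (IPv4)
            addr_text, port_part = iface.split(":")
            addr = ipaddress.IPv4Address(addr_text)
        elif ":" in iface:                      # IPv6 without the required brackets
            raise ValueError("IPv6 address needs brackets: %r" % iface)
        ports = []
        for p in port_part.split(","):          # port delimiter
            p = p.strip()
            if not p.isdigit() or not 1 <= int(p) <= 65535:
                raise ValueError("invalid UDP port %r in %r" % (p, iface))
            ports.append(int(p))
        entries.append((addr, ports))
    if not entries:
        raise ValueError("empty port setting")
    return entries


def is_valid_setting(setting):
    """True when the setting parses; the ValueError detail is dropped."""
    try:
        parse_port_setting(setting)
        return True
    except ValueError:
        return False


def listening_ports(setting):
    """Every UDP port NPS would listen on for this setting."""
    return {port for _, ports in parse_port_setting(setting) for port in ports}


def firewall_changes(setting, defaults):
    """(ports that need new firewall exceptions, default-port exceptions that
    are no longer used), following the guide's note on non-default ports."""
    used = listening_ports(setting)
    return sorted(used - defaults), sorted(defaults - used)


def adapters_without_radius(setting, adapter_addresses):
    """Adapters NPS will not use for RADIUS because no entry names them,
    which is how the guide says to exclude an adapter on a multihomed
    server. If any entry has no address prefix, NPS uses every adapter."""
    entries = parse_port_setting(setting)
    if any(addr is None for addr, _ in entries):
        return []
    used = {addr for addr, _ in entries}
    return sorted(a for a in adapter_addresses
                  if ipaddress.ip_address(a) not in used)


if __name__ == "__main__":
    # The guide's own example value for the authentication ports field.
    print(parse_port_setting("192.168.1.2:1812,1645"))
    # Constructed: a non-default port and an IPv6 adapter (sample values).
    spec = "192.168.1.2:1812,18120;[2001:db8::10]:1812"
    print("firewall changes:", firewall_changes(spec, DEFAULT_AUTH_PORTS))
    print("adapters left out:",
          adapters_without_radius(spec, ["192.168.1.2", "10.0.0.5"]))
```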


    Disable NAS Notification Forwarding

    You can use this procedure to disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group configured in NPS.

    When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Forward accounting requests to this remote RADIUS server group check box, these groups are still sent NAS start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group.

    Administrative credentials

    To complete this procedure, you must be a member of the Administrators group.

    To disable NAS notification forwarding

    1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. In the NPS console, double-click RADIUS Clients and Servers, click Remote RADIUS Server Groups, and then double-click the remote RADIUS server group that you want to configure. The remote RADIUS server group Properties dialog box opens.

    3. Double-click the group member that you want to configure, and then click the Authentication/Accounting tab.

    4. In Accounting, clear the Forward network access server start and stop notifications to this server check box, and then click OK.

    5. Repeat steps 3 and 4 for all group members that you want to configure.

    Export an NPS Server Configuration for Import on Another Server

    This procedure allows you to export the entire NPS configuration, including RADIUS clients and servers, network policy, connection request policy, registry, and logging configuration, from one NPS server for import on another NPS server.

    Important

    Do not use this procedure if the source NPS database has a higher version number than the version number of the destination NPS database. You can view the version number of the NPS database from the display of the netsh nps show config command.

    When the netsh import command is run, NPS is automatically refreshed with the updated configuration settings. You do not need to stop NPS on the destination computer to run the netsh import command; however, if the NPS console or NPS MMC snap-in is open during the configuration import, changes to the server configuration are not visible until you refresh the view.

    Note

    When you use the netsh nps export command, you are required to provide the command parameter exportPSK with the value YES. This parameter and value explicitly state that you understand that you are exporting the NPS server configuration, and that the exported XML file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups.

    Because NPS server configurations are not encrypted in the exported XML file, sending it over a network might pose a security risk, so take precautions when moving the XML file from the source server to the destination servers. For example, add the file to an encrypted, password protected archive file before moving the file. In addition, store the file in a secure location to prevent malicious users from accessing it.

    Note

    If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.

    Administrative credentials

    To complete this procedure, you must be a member of the Administrators group.

    To copy an NPS server configuration to another NPS server using Netsh commands

    1. On the source NPS server, open Command Prompt, type netsh, and then press ENTER.

    2. At the netsh prompt, type nps, and then press ENTER.

    3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES, where path is the folder location where you want to save the NPS server configuration file, and file is the name of the XML file that you want to save. Press ENTER.

    This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press ENTER, a message appears indicating whether the export to file was successful.

    4. Copy the file you created to the destination NPS server.

    5. At a command prompt on the destination NPS server, type netsh nps import filename="path\file.xml", and then press ENTER. A message appears indicating whether the import from the XML file was successful.


    Increase the Number of NPS Concurrent Authentications

    You can use this procedure to increase the number of concurrent authentications between NPS and domain controllers when NPS is not installed on a domain controller.

    If the NPS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the NPS server and the domain controller.

    Caution

    Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    Administrative Credentials

    To complete this procedure, you must be a member of the Administrators group.

    To increase the number of concurrent authentications

    1. Click Start, click Run, type regedit, and then press ENTER. Registry Editor opens.

    2. In Registry Editor, browse to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    3. Right-click Parameters, point to New, and then click DWORD (32-bit) Value.

    4. Replace the default text for the new key by typing the text MaxConcurrentApi, and then press ENTER.

    5. Right-click MaxConcurrentApi, and then click Modify. The Edit DWORD (32-bit) Value dialog box opens.

    6. In Value data, type a value between 2 and 5. Do not enter a value higher than 5, or NPS might place an excessive load on the domain controller. Click OK.

    Interpret NPS Database Format Log Files

    Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.

    Note

    Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).


    Entries recorded in database-compatible log files

    The following are example entries (Access-Request and Access-Accept) from a database-compatible log file.

    Note

    In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.

    This is the first example:

    "CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    This is the second example:

    "CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    The following table shows the attributes that can be contained in a record in the database-compatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted.

    Additional information

    A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries.

    The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes.
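    As an added example that is not part of the guide, the following Python decodes the two entries above using the attribute sequence and Data type column from the table that follows: it undoes the double-quote rule just described, converts Number attributes, keeps fields after Reason-Code positionally, and pulls out Access-Reject records with their reason names. The third entry, an Access-Reject with a quoted policy name, is constructed for illustration and is not from the guide.

```python
"""Decode NPS database-compatible log entries.

Added example, not code from the NPS Operations Guide or from Microsoft.
Attribute order, data types and code tables come from the guide's table;
only the attributes through Reason-Code are named here, later fields are
kept positionally.
"""
import csv
import io

ATTRIBUTES = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address",
    "NAS-Identifier", "NAS-IP-Address", "NAS-Port", "Client-Vendor",
    "Client-IP-Address", "Client-Friendly-Name", "Event-Timestamp",
    "Port-Limit", "NAS-Port-Type", "Connect-Info", "Framed-Protocol",
    "Service-Type", "Authentication-Type", "Policy-Name", "Reason-Code",
]
# Attributes whose Data type is Number in the guide; all others stay text.
NUMBER_ATTRIBUTES = {"Packet-Type", "NAS-Port", "Client-Vendor", "Port-Limit",
                     "NAS-Port-Type", "Framed-Protocol", "Service-Type",
                     "Authentication-Type", "Reason-Code"}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2",
              5: "EAP", 7: "None", 8: "Custom"}
REASON_CODES = {
    0: "IAS_SUCCESS", 1: "IAS_INTERNAL_ERROR", 2: "IAS_ACCESS_DENIED",
    3: "IAS_MALFORMED_REQUEST", 4: "IAS_GLOBAL_CATALOG_UNAVAILABLE",
    5: "IAS_DOMAIN_UNAVAILABLE", 6: "IAS_SERVER_UNAVAILABLE",
    7: "IAS_NO_SUCH_DOMAIN", 8: "IAS_NO_SUCH_USER", 16: "IAS_AUTH_FAILURE",
    17: "IAS_CHANGE_PASSWORD_FAILURE", 18: "IAS_UNSUPPORTED_AUTH_TYPE",
    32: "IAS_LOCAL_USERS_ONLY", 33: "IAS_PASSWORD_MUST_CHANGE",
    34: "IAS_ACCOUNT_DISABLED", 35: "IAS_ACCOUNT_EXPIRED",
    36: "IAS_ACCOUNT_LOCKED_OUT", 37: "IAS_INVALID_LOGON_HOURS",
    38: "IAS_ACCOUNT_RESTRICTION", 48: "IAS_NO_POLICY_MATCH",
    64: "IAS_DIALIN_LOCKED_OUT", 65: "IAS_DIALIN_DISABLED",
    66: "IAS_INVALID_AUTH_TYPE", 67: "IAS_INVALID_CALLING_STATION",
    68: "IAS_INVALID_DIALIN_HOURS", 69: "IAS_INVALID_CALLED_STATION",
}

# The guide's two example entries, plus a constructed Access-Reject (the
# third line) that also shows a doubled quote inside a text value.
LOG_ENTRIES = [
    '"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,'
    '"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,',
    '"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client"'
    ',,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,'
    '"Allow access if dial-in permission is enabled",0,'
    '"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,',
    '"CLIENTCOMP","IAS",03/07/2008,13:05:10,3,"client",,,,,,,,,9,'
    '"10.10.10.10","npsclient",,,,,,2,1,"Policy ""VPN"" users",16,,,,',
]


def parse_entry(line):
    """Map one log line onto ATTRIBUTES.

    csv undoes the quoting rule from the guide (text in double quotes,
    embedded quotes doubled). Number attributes become int, blank fields
    become None, fields after Reason-Code go to record["_extra"].
    """
    fields = next(csv.reader(io.StringIO(line)))
    record = {}
    for i, name in enumerate(ATTRIBUTES):
        raw = fields[i] if i < len(fields) else ""
        if raw == "":
            record[name] = None
        elif name in NUMBER_ATTRIBUTES:
            record[name] = int(raw)
        else:
            record[name] = raw
    record["_extra"] = [f or None for f in fields[len(ATTRIBUTES):]]
    return record


def rejected_logons(lines):
    """(user, client IP, reason name) for every Access-Reject record, the
    view an operator checks first when looking into failed logons."""
    rejects = []
    for line in lines:
        r = parse_entry(line)
        if r["Packet-Type"] == 3:
            who = r["User-Name"] or r["Fully-Qualified-Distinguished-Name"]
            rejects.append((who, r["Client-IP-Address"],
                            REASON_CODES.get(r["Reason-Code"], "unknown")))
    return rejects


if __name__ == "__main__":
    for entry in LOG_ENTRIES:
        r = parse_entry(entry)
        print(PACKET_TYPES.get(r["Packet-Type"]), r["User-Name"],
              AUTH_TYPES.get(r["Authentication-Type"]), r["Policy-Name"],
              REASON_CODES.get(r["Reason-Code"]))
    print(rejected_logons(LOG_ENTRIES))
```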

    This table shows the values from the example entries for each attribute, and notes which attributes are IAS-internal.

    Value shown in example | Attribute | Data type | Description
    "CLIENTCOMP" | ComputerName | Text | The name of the server where the packet was received (this is an IAS-internal attribute).
    "IAS" | ServiceName | Text | The name of the service that generated the record: IAS or the Routing and Remote Access service (this is an IAS-internal attribute).
    03/07/2008 | Record-Date | Time | The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
    13:04:33 | Record-Time | Time | The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
    1 | Packet-Type | Number | The type of packet, which can be:
        1 = Access-Request
        2 = Access-Accept
        3 = Access-Reject
        4 = Accounting-Request
        This is an IAS-internal attribute.
    "client" | User-Name | Text | The user identity, as specified by the user.
     | Fully-Qualified-Distinguished-Name | Text | The user name in canonical format (this is an IAS-internal attribute).
     | Called-Station-ID | Text | The phone number dialed by the user.
     | Calling-Station-ID | Text | The phone number from which the call originated.
     | Callback-Number | Text | The callback phone number.
     | Framed-IP-Address | Text | The framed address to be configured for the user.
     | NAS-Identifier | Text | The text that identifies the network access server originating the request.
     | NAS-IP-Address | Text | The IP address of the network access server originating the request.
     | NAS-Port | Number | The physical port number of the network access server originating the request.
    9 | Client-Vendor | Number | The manufacturer of the network access server (this is an IAS-internal attribute).
    "10.10.10.10" | Client-IP-Address | Text | The IP address of the RADIUS client (this is an IAS-internal attribute).
    "npsclient" | Client-Friendly-Name | Text | The friendly name for the RADIUS client (this is an IAS-internal attribute).
     | Event-Timestamp | Time | The date and time that this event occurred on the network access server.
     | Port-Limit | Number | The maximum number of ports that the network access server provides to the user.
     | NAS-Port-Type | Number | The type of physical port that is used by the network access server originating the request.
     | Connect-Info | Text | Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.
     | Framed-Protocol | Number | The protocol to be used.
     | Service-Type | Number | The type of service that the user has requested.
    1 | Authentication-Type | Number | The authentication scheme, which is used to verify the user and can be:
        1 = PAP
        2 = CHAP
        3 = MS-CHAP
        4 = MS-CHAP v2
        5 = EAP
        7 = None
        8 = Custom
        This is an IAS-internal attribute.
     | Policy-Name | Text | The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank.
    0 | Reason-Code | Number | The reason for rejecting a user, which can be:
        0 = IAS_SUCCESS
        1 = IAS_INTERNAL_ERROR
        2 = IAS_ACCESS_DENIED
        3 = IAS_MALFORMED_REQUEST
        4 = IAS_GLOBAL_CATALOG_UNAVAILABLE
        5 = IAS_DOMAIN_UNAVAILABLE
        6 = IAS_SERVER_UNAVAILABLE
        7 = IAS_NO_SUCH_DOMAIN
        8 = IAS_NO_SUCH_USER
        16 = IAS_AUTH_FAILURE
        17 = IAS_CHANGE_PASSWORD_FAILURE
        18 = IAS_UNSUPPORTED_AUTH_TYPE
        32 = IAS_LOCAL_USERS_ONLY
        33 = IAS_PASSWORD_MUST_CHANGE
        34 = IAS_ACCOUNT_DISABLED
        35 = IAS_ACCOUNT_EXPIRED
        36 = IAS_ACCOUNT_LOCKED_OUT
        37 = IAS_INVALID_LOGON_HOURS
        38 = IAS_ACCOUNT_RESTRICTION
        48 = IAS_NO_POLICY_MATCH
        64 = IAS_DIALIN_LOCKED_OUT
        65 = IAS_DIALIN_DISABLED
        66 = IAS_INVALID_AUTH_TYPE
        67 = IAS_INVALID_CALLING_STATION
        68 = IAS_INVALID_DIALIN_HOURS
        69 = IAS_INVALID_CALLED_STATION

    29

  • 8/8/2019 Network Policy Server (NPS) Operations Guide[1]

    30/57

    Value shown in

    example

    Attribute Data type Description

    70 = IAS_INVALID_PORT_TYPE

    71 = IAS_INVALID_RESTRICTION

    80 = IAS_NO_RECORD

    96 = IAS_SESSION_TIMEOUT

    97 =

    IAS_UNEXPECTED_REQUEST

    This is an IAS-internal attribute.

    Class Text The attribute that is sent to the client in an

    Access-Accept packet.

    Session-Timeout Number The length of time (in seconds) before the

    session is terminated.

    Idle-Timeout Number The length of idle time (in seconds) before

    the session is terminated.

    Termination-

    Action

    Number The action that the network access server

    takes when service is completed.

    EAP-Friendly-

    Name

    Text The friendly name of the EAP-based

    authentication method that was used by

    the access client and NPS server during

    the authentication process. For example, if

    the client and server use Extensible

    Authentication Protocol (EAP) and the EAPtype MS-CHAP v2, the value of EAP-

    Friendly-Name is Microsoft Secured

    Password (EAP-MSCHAPv2)."

    Acct-Status-Type Number The number that specifies whether an

    accounting packet starts or stops a

    bridging, routing, or Terminal Server

    session.

    Acct-Delay-Time Number The length of time (in seconds) for which

    the network access server has been

    sending the same accounting packet.

    Acct-Input-Octets Number The number of octets received during the

    session.

    Acct-Output-

    Octets

    Number The number of octets sent during the

    session.

    Acct-Session-Id Text The unique numeric string that identifies

    30

  • 8/8/2019 Network Policy Server (NPS) Operations Guide[1]

    31/57

    Value shown in

    example

    Attribute Data type Description

    the server session.

    Acct-Authentic Number The number that specifies which serverauthenticated an incoming call.

    Acct-Session-

    Time

    Number The length of time (in seconds) for which

    the session has been active.

    Acct-Input-

    Packets

    Number The number of packets received during the

    session.

    Acct-Output-

    Packets

    Number The number of packets sent during the

    session.

    Acct-Terminate-

    Cause

    Number The reason that a connection was

    terminated.

    Acct-Multi-Ssn-ID Text The unique numeric string that identifies

    the multilink session.

    Acct-Link-Count Number The number of links in a multil ink session.

    Acct-Interim-

    Interval

    Number The length of interval (in seconds) between

    each interim update that the network

    access server sends.

    Tunnel-Type Number The tunneling protocol to be used.

    Tunnel-Medium-

    Type

    Number The medium to use when creating a tunnel

    for protocols. For example, L2TP packetscan be sent over multiple link layers.

    Tunnel-Client-

    Endpt

    Text The IP address of the tunnel client.

    Tunnel-Server-

    Endpt

    Text The IP address of the tunnel server.

    Acct-Tunnel-Conn Text An identifier assigned to the tunnel.

    Tunnel-Pvt-

    Group-ID

    Text The group ID for a specific tunneled

    session.

    Tunnel-

    Assignment-ID

    Text The tunnel to which a session is assigned.

    Tunnel-

    Preference

    Number The preference of the tunnel type, as

    indicated with the Tunnel-Type attribute

    when multiple tunnel types are supported

    by the access server.

    31

  • 8/8/2019 Network Policy Server (NPS) Operations Guide[1]

    32/57

    Value shown in

    example

    Attribute Data type Description

    MS-Acct-Auth-

    Type

    Number A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-Acct-EAP-

    Type

    Number A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-RAS-Version Text A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-RAS-Vendor Number A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-CHAP-Error Text A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-CHAP-

    Domain

    Text A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-MPPE-

    Encryption-Types

    Number A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    MS-MPPE-

    Encryption-Policy

    Number A Routing and Remote Access service

    attribute. For more information, see RFC

    2548.

    Proxy-Policy-

    Name

    Text The name of the connection request policy

    that matched the connection request.

    Provider-Type Number Specifies the location where authentication

    occurs. Possible values are 0, 1, and 2. A

    value of 0 indicates that no authentication

    occurred. A value of 1 indicates that

    authentication occurs on the local NPSserver. A value of 2 indicates that the

    connection request is forwarded to a

    remote RADIUS server for authentication.

    Provider-Name Text A string value that corresponds to Provider-

    Type. Possible values are "None" for a

    Provider-Type value of 0, "Windows" for a

    32

  • 8/8/2019 Network Policy Server (NPS) Operations Guide[1]

    33/57

    Value shown in

    example

    Attribute Data type Description

    Provider-Type value of 1, and "Radius

    Proxy" for Provider-Type value of 2.

    Remote-Server-

    Address

    IP address The IP address of the remote RADIUS

    server to which the connection request was

    forwarded for authentication.

    "CLIENTCOMP" MS-RAS-Client-

    Name

    Text The name of the remote access client. The

    Vendor-Length of the Value field, including

    the vendor ID, vendor-type, vendor-length,

    and value, must be at least 7 and less than

    40.

    Value, which specifies the computer name

    of the endpoint that is requesting network

    access, is sent in ASCII format and is null

    terminated.

    The valid character set for the computer

    name includes letters, numbers, and the

    following symbols: ! @ # $ % ^ & ) ( . - _

    { } ~.

    MS-RAS-Client-

    Version

    Number The operating system version that is

    installed on the remote access client. The

    Vendor-Length of the Value field, including

    the vendor ID, vendor-type, vendor-length,

    and value, must be at least 7.

    Value, which specifies the version of the

    operating system on a remote access

    client, is a string that is in network byte

    order.
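    As an added example (not code from the guide), the following Python parses comma-separated NPS log records whose columns follow the order of the attribute table above, decodes Packet-Type, Authentication-Type and Reason-Code into the names the table gives, and picks out the reject patterns an operator would look at first: locked-out accounts, rejects with no matching network policy, and repeated rejects from one Calling-Station-ID. The sample records are constructed. The three columns that precede Record-Time in the full table (Computer-Name, Service-Name, Record-Date) fall outside this excerpt and are an assumption, as is the quoted, comma-separated layout of the records.

```python
"""Parse NPS log records whose columns follow the attribute table above and
triage the Access-Reject records.  Added example, not code from the NPS
guide: the column order and the Packet-Type, Authentication-Type and
Reason-Code values come from the guide's table; the records are constructed."""
import csv
from collections import Counter
from io import StringIO

# Column order of the table above, up to Reason-Code.  The first three names
# precede Record-Time in the full table and are assumed here.
COLUMNS = (
    "Computer-Name", "Service-Name", "Record-Date", "Record-Time",
    "Packet-Type", "User-Name", "Fully-Qualified-Distinguished-Name",
    "Called-Station-ID", "Calling-Station-ID", "Callback-Number",
    "Framed-IP-Address", "NAS-Identifier", "NAS-IP-Address", "NAS-Port",
    "Client-Vendor", "Client-IP-Address", "Client-Friendly-Name",
    "Event-Timestamp", "Port-Limit", "NAS-Port-Type", "Connect-Info",
    "Framed-Protocol", "Service-Type", "Authentication-Type", "Policy-Name",
    "Reason-Code",
)
DECODERS = {
    "Packet-Type": {1: "Access-Request", 2: "Access-Accept",
                    3: "Access-Reject", 4: "Accounting-Request"},
    "Authentication-Type": {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2",
                            5: "EAP", 7: "None", 8: "Custom"},
    # Subset of the Reason-Code list that the triage below looks at.
    "Reason-Code": {0: "IAS_SUCCESS", 2: "IAS_ACCESS_DENIED", 8: "IAS_NO_SUCH_USER",
                    16: "IAS_AUTH_FAILURE", 34: "IAS_ACCOUNT_DISABLED",
                    36: "IAS_ACCOUNT_LOCKED_OUT", 48: "IAS_NO_POLICY_MATCH"},
}

# Constructed sample: one request/accept pair, then four rejects (26 columns each).
SAMPLE_LOG = """
"NPS1","IAS",04/01/2008,13:04:33,1,"client","contoso.com/Users/client",,"00-11-22-33-44-55",,,"nas01","10.10.10.1",5,9,"10.10.10.10","npsclient",,,19,,,2,4,"Wireless users",0
"NPS1","IAS",04/01/2008,13:04:33,2,"client","contoso.com/Users/client",,"00-11-22-33-44-55",,"10.10.20.5","nas01","10.10.10.1",5,9,"10.10.10.10","npsclient",,,19,,,2,4,"Wireless users",0
"NPS1","IAS",04/01/2008,13:05:01,3,"bob","contoso.com/Users/bob",,"00-AA-BB-CC-DD-EE",,,"nas01","10.10.10.1",7,9,"10.10.10.10","npsclient",,,19,,,2,4,"Wireless users",36
"NPS1","IAS",04/01/2008,13:05:02,3,"bob","contoso.com/Users/bob",,"00-AA-BB-CC-DD-EE",,,"nas01","10.10.10.1",7,9,"10.10.10.10","npsclient",,,19,,,2,4,"Wireless users",16
"NPS1","IAS",04/01/2008,13:05:10,3,"admin",,,"00-AA-BB-CC-DD-EE",,,"nas01","10.10.10.1",7,9,"10.10.10.10","npsclient",,,19,,,2,4,,8
"NPS1","IAS",04/01/2008,13:05:12,3,"guest","contoso.com/Users/guest",,"00-55-66-77-88-99",,,"nas01","10.10.10.1",8,9,"10.10.10.10","npsclient",,,19,,,2,4,,48
"""


def parse_records(text):
    """Split comma-separated records into dicts keyed by attribute name."""
    records = []
    for row in csv.reader(StringIO(text.strip())):
        if len(row) < len(COLUMNS):
            raise ValueError("record has %d columns, expected at least %d"
                             % (len(row), len(COLUMNS)))
        records.append(dict(zip(COLUMNS, row)))
    return records


def decode(record):
    """Replace numeric Packet-Type, Authentication-Type and Reason-Code
    values with the names from the table; unknown numbers stay as text."""
    out = dict(record)
    for field, table in DECODERS.items():
        value = record[field]
        if value.isdigit():
            out[field] = table.get(int(value), value)
    return out


def triage(records, threshold=3):
    """Summarise the reject patterns an operator would look at first."""
    rejects = [decode(r) for r in records if r["Packet-Type"] == "3"]
    per_station = Counter(r["Calling-Station-ID"] for r in rejects)
    return {
        # Lockouts and policy misses are worth a ticket on their own.
        "locked_out": sorted({r["User-Name"] for r in rejects
                              if r["Reason-Code"] == "IAS_ACCOUNT_LOCKED_OUT"}),
        "no_policy_match": sorted(r["User-Name"] for r in rejects
                                  if r["Reason-Code"] == "IAS_NO_POLICY_MATCH"),
        # Several rejects from one Calling-Station-ID within the records given.
        "reject_bursts": {s: n for s, n in per_station.items() if n >= threshold},
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        d = decode(r)
        print(d["Record-Time"], d["Packet-Type"], d["User-Name"], d["Reason-Code"])
    print(triage(recs))
```

    Note that Policy-Name is blank for the reject with Reason-Code 48, exactly as the table describes for a request that matched no network policy; the threshold of three rejects per station is a constructed value, not one the guide recommends.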

    Interpret Windows System Health Validator Entries in Log Files

    When NPS is configured as a Network Access Protection (NAP) policy server, and one or more

    health policies are configured with the Windows Security Health Validator (WSHV), NPS logs

    statement of health responses (SoHRs) in the NPS log file or to a Microsoft SQL Server

    database, depending on your accounting configuration.

    You can use the information in this topic to interpret WSHV entries in NPS accounting logs.


    Diagnostic codes

    The WSHV entries contain elements that correspond to components that might be installed or

    enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic

    Updates.

    The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and

    these codes are always presented in the following order:

    1. Firewall (On/Off)

    2. Antivirus - On/Off

    3. Antivirus - Up-to-date status

    4. Antispyware - On/Off

    5. Antispyware - Up-to-date status

    6. Automatic Updates (On/Off)

    7. Security Updates - Compliance code

    8. Security Updates - Severity

    9. Security Updates - Legitimate Source (Windows Update, Windows Server Update

    Services, or Microsoft Update)

    For item 9 above, the following codes are possible values in the log file.

    Update source Diagnostic code

    Windows Update 0x00004000

    Windows Server Update Services (WSUS) 0x00010000

    Microsoft Update 0x00020000

    Important

    If the configuration allows the receipt of updates from more than one source, the log file

    entry combines the codes. For example, if both Windows Update and Microsoft Update

    are legitimate sources, the log file code is 0x00024000.

    When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is

    0x0. When an element of the SHV is compliant, the corresponding component on the client

    computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of

    Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is

    not configured to enforce any specific element, such as Firewall or Security Updates, log entries

    for the element are not relevant and should be ignored.

    The Security Updates element provides a severity rating. To interpret the severity rating when

    reviewing the NPS log file, you can use the following severity levels.

    Severity level Code in NPS log

    Unspecified 0x0040


    Low 0x0080

    Moderate 0x0100

    Important 0x0200

    Critical 0x0400

    Error codes

    On the client computer, the NAP agent can receive errors from the Windows System Health

    Agent, which monitors the components on the client operating system, such as firewalls and

    antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the

    statement contains information about errors on the client computer.

    In turn, NPS records the error in the NPS log file.

    The following table provides the possible error codes that can be logged by NPS.

    Error code Description

    0xC0FF0001 E_MSSHV_PRODUCT_NOT_ENABLED

    A system health component is not enabled.

    0xC0FF0002 E_MSSHAV_PRODUCT_NOT_INSTALLED

    A system health component is not installed.

    0xC0FF0003 E_MSSHAV_WSC_SERVICE_DOWN

    The Windows Security Center service is not running.

    0xC0FF0004 E_MSSHV_PRODUCT_NOT_UPTODATE

    The signatures for a specific system health component are not

    up to date.

    0x00FF0008 E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT

    The Windows Server Update Services has not started. An

    administrator must try to start the service manually.

    0xC0FF000C E_MSSHAV_NO_WUS_SERVER

    The Windows Update Agent on this computer is not configured

    to synchronize with a Windows Server Update Services server.

    An administrator must configure the Windows Update Agent

    service. Click the Try again button after configuration is done

    for the changes to take effect.

    0xC0FF000D E_MSSHAV_NO_CLIENT_ID


    Windows failed to determine the Windows Server Update

    Services client ID of this computer.

    0xC0FF000E E_MSSHAV_WUA_SERVICE_DISABLED

    The Windows Update Agent service has been disabled or not

    configured to start automatically. An administrator must enable

    the service.

    0xC0FF000F E_MSSHAV_WUA_COMM_FAILURE

    The periodic scan of this computer for security updates failed.

    An administrator must ensure that a Windows Server Update

    Services server is available and that the Windows Update

    Agent on this computer is configured to synchronize with the

    server.

    0xC0FF0010 E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT

    Security updates have been installed and require this computer

    to be restarted. Please close all applications and restart this

    computer.

    0xC0FF0012 E_MSSHV_WUS_SHC_FAILURE

    The NPS server failed to validate the security update status of

    this computer. An administrator must ensure that a Windows

    Server Update Services server is available and that the

    Windows Update Agent on this computer is configured to

    synchronize with the server.

    0xC0FF0014 E_MSSHV_UNKNOWN_CLIENT

    Unknown client

    0xC0FF0017 E_MSSHV_INVALID_SOH

    The Windows Security Health Validator did not process the

    latest Statement of Health (SoH) because the SoH is not valid.

    0xC0FF0018 E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT

    The Windows Security Center service has not started. An

    administrator must try to start the service manually.

    0xC0FF0047 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED

    A third-party system health component is not enabled.

    0xC0FF0048 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE

    The signatures for a specific third-party system health

    component are not up to date.

    0xC0FF004EL E_MSSHAV_BAD_UPDATE_SOURCE_MU


    This computer is not configured to receive security updates

    from a source approved for this network. An administrator must

    configure the Windows Update Agent service to receive

    updates from Microsoft Update.

    0xC0FF004FL E_MSSHAV_BAD_UPDATE_SOURCE_WUMU

    This computer is not configured to receive security updates

    from a source approved for this network. An administrator must

    configure the Windows Update Agent service to receive

    updates from Windows Update or Microsoft Update.

    0xC0FF0050L E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS

    This computer is not configured to receive security updates

    from a source approved for this network. An administrator must

    configure the Windows Update Agent service to receive updates from Windows Server Update Services or Microsoft

    Update.

    0xC0FF0051L E_MSSHAV_NO_UPDATE_SOURCE

    The Windows Update Agent on this computer is not configured

    to receive security updates. An administrator must configure the

    Windows Update Agent service. The NAP agent might have to

    be restarted for changes to take effect.

    Determining the client operating system

    When you review Windows SHV entries in the NPS log file, you can determine whether the client

    computer is running Windows Vista or Windows XP in one of two ways:

    1. Examine the field OS-Version in the NPS log.

    2. Count the number of diagnostic codes recorded in the log file. If the client computer is

    running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running

    Windows XP, NPS logs only six diagnostic codes because the monitoring of antispyware

    status is not supported in WSHV for Windows XP.

    Example log file entries

    The first example log file entry depicts an entry for a client computer running Windows Vista that
    is not configured to synchronize with a Windows Server Update Services server. The text in square
    brackets (italic in the original) is added to clarify the meaning of the diagnostic codes and does
    not normally appear in NPS log entries.

    First example log file entry

    Machine testclient was quarantined.
    OS-Version = 6.0.5495 0.0 x86 Workstation
    Fully-Qualified-Machine-Name =
    Fully-Qualified-User-Name =
    NAS-IP-Address =
    NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
    NAS-Identifier = testserver
    Called-Station-Identifier =
    Calling-Station-Identifier =
    Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601
    Proxy-Policy-Name = Use Windows authentication for all users
    Policy-Name = Access Denied
    Quarantine-Session-Identifier = {5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z
    Quarantine-Help-URL =
    Quarantine-System-Health-Result =
    Windows Security Health Validator
    NonCompliant
    None
    (0x0-) [Firewall is compliant]
    (0x0-) [Anti Virus is compliant]
    (0x0-) [Anti Virus signatures are compliant]
    (0x0-) [Anti Spyware is compliant]
    (0x0-) [Anti Spyware signatures are compliant]
    (0x0-) [Automatic Update is compliant]
    (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click on the 'try again' button after configuration is done for the changes to take effect.) [Diagnostic code for Security Updates from Diagnostic Code table]
    (0x40-) [Unspecified Severity Level from Severity level table]
    (0x00004000-) [Legitimate update source is Windows Update]


    Second example log file entry

    The second example log file entry depicts an entry for a client computer running Windows Vista

    that is configured to use the Windows Security Center for the firewall, antivirus, antispyware and

    Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file

    entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored.

    Machine testclient was quarantined.

    OS-Version = 6.0.5495 0.0 x86 Workstation

    Fully-Qualified-Machine-Name =

    Fully-Qualified-User-Name =

    NAS-IP-Address =

    NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1

    NAS-Identifier = testserver

    Called-Station-Identifier =

    Calling-Station-Identifier =

    Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601

    Proxy-Policy-Name = Use Windows authentication for all users

    Policy-Name = Access Denied

    Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30 17:17:33.585Z

    Quarantine-Help-URL =

    Quarantine-System-Health-Result =

    Windows Security Health Validator

    NonCompliant

    None

    (0xc0ff0003-The Windows Security Center service is not running.)

    (0x0-)

    (0x0-)

    (0xc0ff0003-The Windows Security Center service is not running.)

    (0x0-)

    (0xc0ff0003-The Windows Security Center service is not running.)

    (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize

    with a Windows Server Update Services server. An administrator must configure the

    Windows Update Agent service. Please click on the 'try again' button after configuration

    is done for the changes to take effect.)

    (0x40-)
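    Decoding the WSHV portion of an entry, as an added example that is not part of the guide: it applies the diagnostic-code order, the combining of update-source codes described in the Important note, the severity table, the error-code names and the count-based operating-system check to condensed, constructed versions of the two example entries above. It assumes that the update-source code, when logged, follows the eight (or, for Windows XP, six) element codes, that Windows XP reports OS-Version 5.1 (the guide only shows 6.0 for Windows Vista), and that a Windows Security Center error (0xC0FF0003) anywhere in the list makes the remaining codes meaningless, as the second example describes.

```python
"""Decode the Windows Security Health Validator (WSHV) part of an NPS
quarantine log entry.  Added example, not code from the NPS guide: the code
tables are copied from the guide, the sample entries are condensed from its
two example log file entries."""
import re

# Order in which the WSHV diagnostic codes are logged.  Windows XP clients
# omit the two antispyware elements, so they log six codes instead of eight.
VISTA_ELEMENTS = (
    "Firewall", "Antivirus on/off", "Antivirus up-to-date",
    "Antispyware on/off", "Antispyware up-to-date", "Automatic Updates",
    "Security Updates compliance", "Security Updates severity",
)
XP_ELEMENTS = tuple(e for e in VISTA_ELEMENTS if not e.startswith("Antispyware"))

# Legitimate update-source bits; NPS ORs them when several sources are allowed.
UPDATE_SOURCES = {0x00004000: "Windows Update",
                  0x00010000: "Windows Server Update Services",
                  0x00020000: "Microsoft Update"}
SEVERITY = {0x0040: "Unspecified", 0x0080: "Low", 0x0100: "Moderate",
            0x0200: "Important", 0x0400: "Critical"}
# Subset of the guide's error-code table, enough for the sample entries.
ERROR_CODES = {0xC0FF0001: "E_MSSHV_PRODUCT_NOT_ENABLED",
               0xC0FF0003: "E_MSSHAV_WSC_SERVICE_DOWN",
               0xC0FF000C: "E_MSSHAV_NO_WUS_SERVER"}
WSC_SERVICE_DOWN = 0xC0FF0003
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)-([^)]*)\)")   # "(0xc0ff000c-message)"
OS_RE = re.compile(r"OS-Version\s*=\s*(\d+)\.(\d+)")

# Condensed from the guide's two example entries (constructed test input).
EXAMPLE_1 = """OS-Version = 6.0.5495 0.0 x86 Workstation
Quarantine-System-Health-Result =
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server.)
(0x40-)
(0x00004000-)
"""
EXAMPLE_2 = """OS-Version = 6.0.5495 0.0 x86 Workstation
Quarantine-System-Health-Result =
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server.)
(0x40-)
"""


def update_sources(code):
    """Split a (possibly combined) update-source code into source names."""
    return [name for bit, name in UPDATE_SOURCES.items() if code & bit]


def os_from_version(major, minor):
    # 6.0 is Windows Vista (as in the guide's entries); 5.1 = Windows XP is
    # assumed here, the guide does not give XP's version number.
    return {(6, 0): "Windows Vista", (5, 1): "Windows XP"}.get((major, minor), "unknown")


def decode_wshv(entry):
    """Return a dict describing the WSHV result inside one NPS log entry."""
    m = OS_RE.search(entry)
    os_ver = os_from_version(int(m.group(1)), int(m.group(2))) if m else "unknown"
    # Only the text after Quarantine-System-Health-Result carries the codes.
    result = entry.partition("Quarantine-System-Health-Result")[2]
    codes = [(int(h, 16), msg.strip()) for h, msg in CODE_RE.findall(result)]
    # Count-based OS check from the guide.  Assumption: the update-source
    # code, when logged, follows the per-element codes (as in example 1).
    if len(codes) >= len(VISTA_ELEMENTS):
        layout, os_count = VISTA_ELEMENTS, "Windows Vista"
    elif len(codes) >= len(XP_ELEMENTS):
        layout, os_count = XP_ELEMENTS, "Windows XP"
    else:
        raise ValueError("too few diagnostic codes: %d" % len(codes))
    elements = list(zip(layout, codes))            # stops at the shorter sequence
    extra = codes[len(layout):]
    by_name = dict(elements)
    return {
        "os_from_version": os_ver,
        "os_from_count": os_count,
        "elements": [(n, c, ERROR_CODES.get(c, ""), msg) for n, (c, msg) in elements],
        "noncompliant": [n for n, (c, _) in elements
                         if c != 0 and n != "Security Updates severity"],
        "severity": SEVERITY.get(by_name["Security Updates severity"][0], "unknown"),
        "update_sources": update_sources(extra[0][0] if extra else 0),
        # When Security Center is down the other WSHV codes carry no meaning.
        "wsc_service_down": any(c == WSC_SERVICE_DOWN for c, _ in codes),
    }


if __name__ == "__main__":
    for label, entry in (("first", EXAMPLE_1), ("second", EXAMPLE_2)):
        print(label, decode_wshv(entry))
```

    For the first entry the decoder reports a single non-compliant element (Security Updates, 0xC0FF000C) with Unspecified severity and Windows Update as the only legitimate source; for the second it sets wsc_service_down, the signal that the per-element results should be ignored rather than acted on.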


    Register an NPS Server in Another Domain

    To provide an NPS server with permission to read the dial-in properties of user accounts in Active

    Directory, the NPS server must be registered in the domain where the accounts reside.

    You can use this procedure to register an NPS server in a domain where the NPS server is not a

    domain member.

    Administrative credentials

    To complete this procedure, you must be a member of the Administrators group.

    You can perform this procedure by using the following methods:

    To register an NPS server in another domain

    1. On the domain controller, click Start, click Administrative Tools, and then click

    Active Directory Users and Computers. The Active Directory Users and Computers

    console opens.

    2. In the console tree, navigate to the domain where you want the NPS server to read

    user account information, and then click the Users folder.

    3. In the details pane, right-click RAS and IAS Servers, and then click Properties. The

    RAS and IAS Servers Properties dialog box opens.

    4. In the RAS and IAS Servers Properties dialog box, click the Members tab, add

    each of the NPS servers that you want to register in the domain, and then click OK.

    To register an NPS server in another domain by using Netsh commands for NPS

    1. Open Command Prompt.

    2. Type the following at the command prompt: netsh nps add registeredserver domain server, and then press ENTER.

    In the preceding command, domain is the DNS domain name of the domain where you

    want to register the NPS server, and server is the name of the NPS server computer.

    Register an NPS Server in its Default Domain

    You can use this procedure to register an NPS server in the domain where the server is a domain member.

    NPS servers must be registered in Active Directory so that they have permission to read the dial-

    in properties of user accounts during the authorization process. Registering an NPS server adds

    the server to the RAS and IAS Servers group in Active Directory.

    Administrative credentials


    To complete this procedure, you must be a member of the Administrators group.

    To register an NPS server in its default domain

    1. Open the NPS console.

    2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens.

    3. In Network Policy Server, click OK, and then click OK again.

    Unregister an NPS Server from its Default Domain

    In the process of managing your NPS server deployment, you might find it useful to move an NPS server to another domain, to replace an NPS server, or to retire an NPS server. When you move

    or decommission an NPS server, unregister the NPS server in the Active Directory domains

    where the NPS server has permission to read the properties of user accounts in Active Directory.

    Administrative credentials

    To complete this procedure, you must be a member of the Administrators group.

    To unregister an NPS server

    1. On the domain controller, click Start, click Administrative To