Windows Server 2008 Network Policy Server (NPS) Operations Guide

Microsoft Corporation
Published: April 2008
Author: James McIllece
Editor: Scott Somohano

Abstract
The Network Policy Server Operations Guide provides information about how to administer NPS after it is installed and deployed. It also includes troubleshooting information for specific problems and scenarios.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Network Policy Server Operations Guide ..... 7
  Windows Server 2008 Editions and NPS ..... 7
    Windows Server 2008 Enterprise and Datacenter Editions ..... 7
    Windows Server 2008 Standard Edition ..... 7
    Windows Web Server 2008 ..... 8
  NPS resources ..... 8
Introduction to Administering NPS ..... 8
  When to use this guide ..... 8
  How to use this guide ..... 9
Best Practices for NPS ..... 9
  Installation ..... 9
  Client computer configuration ..... 10
  Authentication ..... 10
  Security issues ..... 10
  Accounting ..... 11
  Optimizing NPS ..... 12
    Using NPS in large organizations ..... 12
  Network Access Protection (NAP) ..... 13
Administering NPS ..... 14
Managing NPS Servers ..... 14
Administer NPS by Using Tools ..... 15
Enable Remote Administration of an NPS Server ..... 15
Enter the Netsh NPS Context on an NPS Server ..... 16
Installing NPS ..... 16
Install Network Policy Server (NPS) ..... 17
Install NPS by Using the Add Role Services Wizard ..... 18
Manage an NPS Server by Using Remote Desktop Connection ..... 19
Manage Multiple NPS Servers by Using the NPS MMC Snap-in ..... 20
Configure the Local NPS Server by Using the NPS Console ..... 21
Configure NPS on a Multihomed Computer ..... 21
Configure NPS UDP Port Information ..... 23
Disable NAS Notification Forwarding ..... 24
Export an NPS Server Configuration for Import on Another Server ..... 24
Increase the Number of NPS Concurrent Authentications ..... 26
Interpret NPS Database Format Log Files ..... 26
  Entries recorded in database-compatible log files ..... 27
Interpret Windows System Health Validator Entries in Log Files ..... 35
  Diagnostic codes ..... 35
  Error codes ..... 36
    Determining the client operating system ..... 39
    Example log file entries ..... 39
      First example log file entry ..... 39
      Second example log file entry ..... 40
Register an NPS Server in Another Domain ..... 41
Register an NPS Server in its Default Domain ..... 42
Unregister an NPS Server from its Default Domain ..... 42
Verify Configuration After an NPS Server IP Address Change ..... 43
Verify Configuration After Renaming an NPS Server ..... 44
Managing Certificates Used with NPS ..... 45
Change the Cached TLS Handle Expiry ..... 46
Configure the TLS Handle Expiry Time on Client Computers ..... 47
Configure the TLS Handle Expiry Time on NPS Servers ..... 47
Obtain the SHA-1 Hash of a Trusted Root CA Certificate ..... 48
Managing RADIUS Clients ..... 49
Set up RADIUS Clients ..... 50
Configure the Network Access Server ..... 50
Add the Network Access Server as a RADIUS Client in NPS ..... 51
Set up RADIUS Clients by IP Address Range ..... 52
Managing Network Policies ..... 53
  An ordered list of rules ..... 54
Configure NPS for VLANs ..... 55
Configure a Network Policy for VLANs ..... 55
Configure the EAP Payload Size ..... 56
Configure the Framed-MTU Attribute ..... 57
Configure NPS to Ignore User Account Dial-in Properties ..... 58

Network Policy Server Operations Guide

The Network Policy Server (NPS) Operations Guide provides administration information about NPS in the Windows Server® 2008 operating system.

Note
In Windows Server 2008, Network Policy Server replaces the Internet Authentication Service (IAS) component of Windows Server 2003.

NPS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured to act as a RADIUS server or RADIUS proxy, providing centralized network access management. When you configure NPS as a RADIUS server, network access servers that are configured as RADIUS clients in NPS forward connection requests to NPS for authentication and authorization.

When you configure NPS as a RADIUS proxy, NPS forwards authentication and accounting requests to RADIUS servers in a remote RADIUS server group.

The network access servers that you can configure as RADIUS clients in NPS are wireless access points, virtual private network (VPN) servers, 802.1X authenticating switches, Terminal Services Gateway (TS Gateway) servers, and dial-up servers.

In addition, you can configure NPS as a Network Access Protection (NAP) policy server. When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies.

You can also configure the NPS proxy to perform authorization locally while forwarding authentication requests to a remote RADIUS server group. In addition, you can customize the processing of accounting requests, processing them locally on the NPS proxy or forwarding them to other RADIUS servers.

Windows Server 2008 Editions and NPS

NPS provides different functionality depending on the edition of Windows Server 2008 that you install.

Windows Server 2008 Enterprise and Datacenter Editions

With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

Windows Server 2008 Standard Edition

With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.

Windows Web Server 2008

NPS is not included in Windows Web Server 2008.

NPS resources

For NPS resources in addition to this guide, see Network Policy Server in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=104545).

Introduction to Administering NPS

This guide, in conjunction with the NPS procedural Help topics, explains how to administer NPS. The objectives, tasks, and procedures described in this guide and in procedural Help topics discuss actions that are part of the operating phase of the information technology (IT) life cycle.

To access the NPS procedural Help topics, open the NPS console and press F1.

If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide

This guide assumes a basic understanding of what NPS is, how it works, and why your organization uses it to manage network access, including the authentication, authorization, and accounting for network connections. It also assumes that you have a thorough understanding of how NPS is deployed and managed in your organization before performing any of the actions described in this guide.

This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles within an IT organization, including IT operations management and administrators.

This guide contains both general information and more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and its snap-ins. They must also know how to start administrative programs, access the command line, and run the Netsh commands for NPS.

If operators are not familiar with NPS, it might be necessary for IT planners or IT managers to review the relevant operations in this guide and provide the operators with parameters or data that must be entered when the operation is performed.

How to use this guide

The operations areas are divided into the following types of content:

• Objectives are general goals for managing, monitoring, optimizing and securing NPS. Each objective consists of one or more general tasks that describe how the objective is accomplished.
• Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective.
• Procedures provide step-by-step instructions for completing tasks.

If you are an IT manager who will be delegating tasks to operators within your organization:

1. Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures for each task.
2. Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
3. When necessary, create “tear sheets” for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document, and then either print these documents or store them online, depending on the preference of your organization.

Best Practices for NPS

This topic provides best practices for implementing and configuring NPS and is based on recommendations from Microsoft Product Support Services.

Installation

Before installing NPS, do the following:

• Install and test each of your network access servers by using local authentication methods before you make them RADIUS clients.
• After you install and configure NPS, save the configuration by using the netsh nps export command. Use this command to save the NPS configuration to an XML file every time a configuration change is made.
• If you install additional Extensible Authentication Protocol (EAP) types on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
• If you install additional system health validators (SHVs) on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
• Do not install Windows Server 2008 on the same partition with another version of Windows Server.
• Do not configure a server running NPS or the Routing and Remote Access service as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a domain controller running Windows Server 2008 in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain controller to fail.
  Instead, configure your server running NPS or Routing and Remote Access as a member of a Windows Server 2008 domain. An alternative is to configure a server running NPS as a RADIUS proxy server that forwards authentication and accounting requests from the Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.
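The following PowerShell script is an added example that is not part of this guide; it wraps the netsh nps export command recommended above so that the export can be run after every configuration change or from a scheduled task. The backup folder, the file-name pattern and the retention count are assumptions. Because exportPSK=YES writes every RADIUS client's shared secret into the XML file in clear text, the script restricts the folder to Administrators and SYSTEM before the first export is written.

```powershell
# Added example, not from the guide: export the NPS configuration to a timestamped XML
# file after every change (or from a scheduled task). Run from an elevated PowerShell
# prompt on the NPS server. The backup folder and retention count are assumptions.
param(
    [string]$BackupRoot = 'C:\NpsBackup',   # assumed location on a protected volume
    [int]$Keep = 30                         # assumed retention (number of exports kept)
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $BackupRoot)) {
    New-Item -Path $BackupRoot -ItemType Directory | Out-Null
    # With exportPSK=YES the XML holds the RADIUS shared secrets in clear text, so limit
    # the folder to Administrators and SYSTEM before anything is written into it.
    icacls $BackupRoot /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path -Path $BackupRoot -ChildPath ('nps-{0}-{1}.xml' -f $env:COMPUTERNAME, $stamp)

# The command recommended in the guide. exportPSK=YES is required if the file is to be
# imported on another server with the RADIUS clients working unchanged.
netsh nps export "filename=$file" exportPSK=YES | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $file)) {
    throw "netsh nps export failed; no file written to $file"
}

# Sanity check: the export must parse as XML, otherwise a later import will fail.
[xml]$exported = Get-Content -Path $file
if ($exported.DocumentElement -eq $null) { throw "Export at $file is not valid XML" }

# Keep only the newest $Keep exports. SQL Server logging credentials are not part of
# the export (see the Accounting best practices) and must be recorded separately.
Get-ChildItem -Path $BackupRoot -Filter 'nps-*.xml' |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Force

"NPS configuration exported to $file"
```

The file produced this way can be restored on the same or another NPS server with netsh nps import filename="path\file.xml". Treat the backup folder with the same care as the RADIUS shared secrets themselves: anyone who can read the XML can impersonate a RADIUS client.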

Client computer configuration

Following are the best practices for client computer configuration:

• Automatically configure all of your domain member 802.1X client computers by using Group Policy.
• Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.

Authentication

Following are the best practices for authentication:

• Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods because they are vulnerable to a variety of attacks and are not secure.
• Use PEAP, which is required for all Network Access Protection (NAP) enforcement methods. Determine the PEAP authentication types that you want to use, such as PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.
• Deploy a certification authority (CA) by using Active Directory® Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory.

Security issues

Your NPS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your NPS server and RADIUS messages from unwanted internal and external intrusion.

When you are administering an NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:

• Use Remote Desktop Connection to access the NPS server. When Remote Desktop Connection users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.
• Use Internet Protocol security (IPsec) to encrypt confidential data. If you manage one or more remote NPS servers from a local NPS server by using the NPS Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication between the local NPS server and the remote NPS server.

Accounting

There are two types of accounting, or logging, in NPS:

• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. Recording NPS events to the security event log is a new feature in Windows Server 2008, and much more information is logged for NPS than in previous operating system versions for Internet Authentication Service (IAS). This information is used primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down activity after an attack.

To make the most effective use of NPS logging:

• Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.
• Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.
• Back up all log files on a regular basis because they cannot be recreated after they are damaged or deleted.
• For billing purposes, use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases when the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.
• If you use SQL Server logging, ensure that you store credentials and other connection properties in a secure location. This information is not exported to file when you use the netsh nps export command.
• To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server tools to set up database replication between the two servers. For more information, see SQL Server documentation.

Important
If your NPS server is configured to log accounting data but cannot write to the configured data store (a log file, a SQL Server database, or both), NPS discards all connection requests and authentication fails. In this circumstance, users cannot access the network by using connections through RADIUS clients. This ensures that accounting data is accurate.
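The Class attribute advice above (resent accounting requests produce duplicate records that must be dropped before usage is totalled) is illustrated by the following added PowerShell example, which is not part of this guide. The column layout and all record values are constructed for the example; they are not the NPS database-compatible log format, which is described later in this guide and has no header row.

```powershell
# Added example, not from the guide: drop accounting records that are retransmissions of
# an earlier request, keyed on the RADIUS Class attribute, then total usage per user.
# All records below are constructed sample data in a simplified, invented column layout.
$sampleLog = @'
Class,AcctStatusType,UserName,AcctSessionTime
"311 1 10.0.0.5 04/01/2008 1001",1,alice,0
"311 1 10.0.0.5 04/01/2008 1001",2,alice,3600
"311 1 10.0.0.5 04/01/2008 1001",2,alice,3600
"311 1 10.0.0.5 04/01/2008 1002",1,bob,0
"311 1 10.0.0.5 04/01/2008 1002",2,bob,1200
"311 1 10.0.0.5 04/01/2008 1003",1,alice,0
"311 1 10.0.0.5 04/01/2008 1003",2,alice,600
'@

function Remove-DuplicateAccounting {
    # Acct-Status-Type 1 = Start, 2 = Stop (RFC 2866). A request that the access server
    # resends because the reply was lost carries the same Class and status type as the
    # original, so only the first record of each (Class, AcctStatusType) pair is kept.
    param([Parameter(Mandatory=$true)][object[]]$Records)
    $Records |
        Group-Object -Property Class, AcctStatusType |
        ForEach-Object { $_.Group[0] }
}

function Get-UsagePerUser {
    # Session time is taken from Stop records only; Start records carry no usage.
    param([Parameter(Mandatory=$true)][object[]]$Records)
    $Records |
        Where-Object { $_.AcctStatusType -eq '2' } |
        Group-Object -Property UserName |
        ForEach-Object {
            $seconds = ($_.Group | ForEach-Object { [int]$_.AcctSessionTime } | Measure-Object -Sum).Sum
            New-Object PSObject -Property @{ UserName = $_.Name; Sessions = $_.Count; Seconds = $seconds }
        }
}

$records = $sampleLog | ConvertFrom-Csv
$unique  = @(Remove-DuplicateAccounting -Records $records)
'{0} records read, {1} after removing retransmissions' -f @($records).Count, $unique.Count
Get-UsagePerUser -Records $unique | Format-Table UserName, Sessions, Seconds -AutoSize
```

With the constructed data the third line is a retransmitted Stop for alice's first session, so 7 records become 6 and alice is charged 4200 seconds over two sessions rather than 7800. To apply the same logic to a real database-compatible log, read it with Import-Csv -Header and the column names listed under "Interpret NPS Database Format Log Files", then pass the result to Remove-DuplicateAccounting.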

Optimizing NPS

Following are ways to tune NPS performance:

• To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.
• When user principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet.
• Disable start and stop notification forwarding from network access servers (NASs) to individual servers in each remote RADIUS server group if you are not forwarding accounting requests to the group. For more information, see Disable NAS Notification Forwarding.

Using NPS in large organizations

Following are ways to use NPS in large organizations:

• If you are using network policies to restrict network access for all but specific groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for members of this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and then add users to those groups.
• Use a user principal name in network policies to refer to users whenever possible. A user can have the same user principal name regardless of the domain membership of the user account. This practice provides scalability that might be required in organizations that have a large number of domains.
• If NPS is on a computer other than a domain controller, and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between NPS and the domain controller. For more information, see Increase the Number of NPS Concurrent Authentications.

Note
To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the NPS proxies as RADIUS servers.

Network Access Protection (NAP)

When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies. Following are the best practices for NAP deployment with NPS.

• For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. Strong enforcement methods use certificate-based authentication and secure the channel between clients and servers through which the statement of health (SoH) and statement of health response (SoHR) are sent. The DHCP enforcement method is the least secure enforcement method and should be deployed only in circumstances where secure transmission of the SoH and SoHR are not required.
• When you deploy the IPsec enforcement method, enable pass-through authentication in Internet Information Services (IIS). Enabling pass-through authentication ensures that only domain member computers can obtain a health certificate and communicate with other domain member computers.
• Before you create health policies for your NAP deployments, if you are using non-Microsoft products that support NAP, install non-Microsoft system health agents (SHAs) on client computers. In addition, install the corresponding system health validators (SHVs) for the SHAs on NPS servers.
• When you deploy NAP by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the NPS connection request policy even when connection requests are processed locally.
• For a streamlined method of creating network policies, connection request policies, and health policies for your NAP deployment, use the New NAP Policies wizard. If you want to modify policies created by using the wizard, open the policy in the NPS console and make required changes.
• When you deploy NAP with the IPsec and DHCP enforcement methods, enable client health checks when you configure authentication. You should also configure the Identity Type condition in network policy with the value Computer health check.
• To deploy NAP with the DHCP enforcement method, you must install both NPS and DHCP on the same computer.

Administering NPS

By effectively administering your NPS deployment, you can provide secure network access for your organization, ensuring that authorized organization employees, business partners, and guests can access the network when and where they need to do so.

Note
The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

The following objectives are part of administering NPS:

• Managing NPS Servers
• Managing Certificates Used with NPS
• Managing RADIUS Clients
• Managing Network Policies

Managing NPS Servers

Managing NPS servers across your organization means providing NPS server availability, with approved and consistent network policies configured across your NPS deployment.

When you manage NPS servers, you ensure that RADIUS clients have access to the servers, that NPS servers have permission to access your user account databases, and that RADIUS traffic is sent and received on the same UDP ports.

In addition, you can synchronize server configurations in whole or in part by using Netsh commands for NPS.

The following tasks for managing NPS servers are described in this objective:

• Administer NPS by Using Tools
• Configure NPS on a Multihomed Computer
• Configure NPS UDP Port Information
• Disable NAS Notification Forwarding
• Export an NPS Server Configuration for Import on Another Server
• Increase the Number of NPS Concurrent Authentications
• Interpret NPS Database Format Log Files
• Register an NPS Server in Another Domain
• Register an NPS Server in its Default Domain
• Unregister an NPS Server from its Default Domain
• Verify Configuration After an NPS Server IP Address Change
• Verify Configuration After Renaming an NPS Server

Administer NPS by Using Tools

NPS provides three tools that you can use to administer NPS: the NPS console, the NPS Microsoft Management Console (MMC) snap-in, and the Netsh commands for NPS (netsh nps).

The following procedures show how to manage NPS using these tools:

Enable Remote Administration of an NPS Server
Enter the Netsh NPS Context on an NPS Server
Installing NPS
Manage an NPS Server by Using Remote Desktop Connection
Manage Multiple NPS Servers by Using the NPS MMC Snap-in
Configure the Local NPS Server by Using the NPS Console

Enable Remote Administration of an NPS Server

You can use this procedure to enable the Remote administration exception in Windows Firewall with Advanced Security.

You can use the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in to manage both the local and remote NPS servers. To manage remote servers, however, you must first enable the Remote administration exception on the firewall of the NPS server that you want to manage.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To enable remote administration of an NPS server

1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Control Panel Home is selected. Under Security, click Allow a program through Windows Firewall. The Windows Firewall Settings dialog box opens.
3. In Windows Firewall Settings, verify that the Exceptions tab is selected.
4. In Program or port, scroll to and select the Remote administration check box, and then click OK.

Enter the Netsh NPS Context on an NPS Server

You can use commands in the Netsh NPS context to show and set the configuration of the authentication, authorization, accounting, and auditing database used both by NPS and the Routing and Remote Access service. Use commands in the Netsh NPS context to:

Configure or reconfigure an NPS server, including all aspects of NPS that are also available for configuration by using the NPS console in the Windows interface.
Export the configuration of one NPS server (the source server), including registry keys and the NPS configuration store, as a Netsh script.
Import the configuration to another NPS server by using a Netsh script and the exported configuration file from the source NPS server.

You can run these commands from the Windows Server 2008 command prompt or from the command prompt for the Netsh NPS context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh nps before typing additional commands and their parameters.

There are functional differences between Netsh context commands in the Windows Server 2003 family and Netsh commands in Windows Server 2008.

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the local computer.

To enter the Netsh NPS context on an NPS server

1. Open Command Prompt.
2. Type netsh, and then press ENTER.
3. Type nps, and then press ENTER.

Installing NPS

There are multiple ways to install NPS, and to understand the differences between these methods, an understanding of the Network Policy and Access Services (NPAS) server role is required.

The NPAS server role is a logical grouping of the following network access technologies:

Network Policy Server (NPS)
Routing and Remote Access service (RRAS)
Health Registration Authority (HRA)
Host Credential Authorization Protocol (HCAP)

These technologies are the role services of the NPAS server role. When you install the NPAS server role, you can install one or more role services while running the Add Roles Wizard.

Note

The Add Roles Wizard is opened by using either Server Manager or Initial Configuration Tasks.

After you have run the Add Roles Wizard and you have installed one or more role services of the NPAS server role, you cannot install additional role services by using the same wizard.

For this reason, if you run the Add Roles Wizard and you install NPAS role services other than NPS, you cannot run the Add Roles Wizard again to install NPS later; you must instead open a similar wizard named the Add Role Services Wizard.

If you want to install NPS, and you have not yet installed any other role services of the NPAS server role, follow the instructions in the procedure Install Network Policy Server (NPS).

If you want to install NPS, but you have already installed other NPAS role services, follow the instructions in the procedure Install NPS by Using the Add Role Services Wizard.

Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role.

Note

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To install NPS

1. Do one of the following:
   In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.
   Click Start, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.
   Note
   The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.
3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.
4. In Network Policy and Access Services, click Next.
5. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.

Install NPS by Using the Add Role Services Wizard

You can use this procedure to install Network Policy Server (NPS) as a role service of the Network Policy and Access Services (NPAS) server role in circumstances where you have previously installed other NPAS role services.

Important

To successfully use this procedure to install NPS, it is required that you previously installed the NPAS server role with a different role service, such as the Routing and Remote Access service (RRAS). If you have not previously installed NPAS, do not use this procedure; instead, use the procedure Install Network Policy Server (NPS).

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To install NPS by using the Add Role Services wizard

1. Click Start, and then click Server Manager. In the left pane of Server Manager, double-click Roles to expand the tree. Browse to and right-click Network Policy and Access Services, and then click Add Role Services. The Add Role Services wizard opens.
2. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
3. In Confirm Installation Selections, click Install.
4. In Installation Results, review your installation results, and then click Close.

Manage an NPS Server by Using Remote Desktop Connection

Use this procedure to manage a remote NPS server by using Remote Desktop Connection.

By using Remote Desktop Connection, you can remotely manage your NPS servers running Windows Server 2008. You can also remotely manage NPS servers from a computer running Windows Vista.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To manage an NPS server by using Remote Desktop Connection

1. On each NPS server that you want to manage remotely, in Control Panel, double-click System. The System page opens.
2. In System, in Tasks, click Remote settings. The System Properties dialog box opens.
3. In System Properties, ensure that the Remote tab is selected. In Remote Desktop, select an option that allows connections from remote computers.
4. Click Select Users. The Remote Desktop Users dialog box opens.
5. In Remote Desktop Users, to grant permission to a user to connect remotely to the NPS server, click Add, and then type the user name for the user's account. Click OK.
6. Repeat step 5 for each user for whom you want to grant remote access permission to the NPS server.
7. On each NPS server, if Windows Firewall with Advanced Security is enabled, add an exception for Remote Desktop.
8. To connect to a remote NPS server that you have configured by using the previous steps, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
9. In Computer, type the NPS server name or IP address. If you want, click Options, configure additional connection options, and then click Save to save the connection for repeated use.
10. Click Connect, and when prompted provide user account credentials for an account that has permissions to log on to and configure the NPS server.

Manage Multiple NPS Servers by Using the NPS MMC Snap-in

Use this procedure to manage multiple NPS servers by using the NPS Microsoft Management Console (MMC) snap-in.

You can also use the instructions below to manage a local NPS server and one or more remote NPS servers from the Microsoft Management Console (MMC) on the local NPS server.

Before performing the procedure below, you must install NPS on the local computer and on remote computers.

Important

Before you can manage a remote NPS server, you must configure the remote server to allow remote administration. For more information, see Enable Remote Administration of an NPS Server.

Depending on network conditions and the number of NPS servers you manage by using the NPS MMC snap-in, response of the MMC snap-in might be slow. In addition, NPS server configuration traffic is sent over the network during a remote administration session by using the NPS snap-in. Ensure that your network is physically secure and that malicious users do not have access to this network traffic.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To manage multiple NPS servers by using the NPS snap-in

1. To open MMC, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, scroll down the list, click Network Policy Server, and then click Add. The Select Computer dialog box opens.
4. In Select Computer, verify that Local computer (the one this console is running on) is selected, and then click OK. The snap-in for the local NPS server is added to the list in Selected snap-ins.
5. In Add or Remove Snap-ins, in Available snap-ins, ensure that Network Policy Server is still selected, and then click Add. The Select Computer dialog box opens again.
6. In Select Computer, click Another computer, and then type the IP address or fully qualified domain name of the remote NPS server that you want to manage by using the NPS snap-in. Optionally, you can click Browse to browse the directory for the computer you want to add. Click OK.
7. Repeat steps 5 and 6 to add more NPS servers to the NPS snap-in. When you have added all the NPS servers you want to manage, click OK.
8. To save the NPS snap-in for later use, click File, click Save, type a name for your Microsoft Management Console (.msc) file, and then click Save.

Configure the Local NPS Server by Using the NPS Console

After you have installed NPS, you can use this procedure to manage the local NPS server by using the NPS Microsoft Management Console (MMC).

The NPS console differs from use of the NPS MMC snap-in in the following ways:

The NPS console is installed by default when you install NPS.
The NPS console is used to manage the local NPS server only; you cannot use the NPS console to manage remote NPS servers.
You can use the NPS MMC snap-in to create a custom MMC console that allows you to manage remote NPS servers in addition to managing the local NPS server.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the local NPS server by using the NPS console

1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, click NPS (Local). In the details pane, choose either Standard Configuration or Advanced Configuration, and then do one of the following based upon your selection:
   If you choose Standard Configuration, select a scenario from the list, and then follow the instructions to start a configuration wizard.
   If you choose Advanced Configuration, click the arrow to expand Advanced Configuration options, and then review and configure the available options based on the NPS functionality that you want.

Configure NPS on a Multihomed Computer

A computer with multiple network adapters installed is known as a multihomed computer. When you use multiple network adapters in an NPS server, you can configure the following:

The network adapters that do and do not send and receive RADIUS traffic.
On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.
The UDP ports over which RADIUS traffic is sent and received on a per-protocol (IPv4 or IPv6), per-network adapter basis.

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and IPv4 for all installed network adapters. Because NPS automatically uses all network adapters for RADIUS traffic, you only need to specify the network adapters that you want NPS to use for RADIUS traffic when you want to prevent NPS from using an adapter for RADIUS traffic.

Note

If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

On an NPS server that has multiple network adapters installed, you might want to configure NPS to send RADIUS traffic only on a specific adapter.

For example, one network adapter installed in the NPS server might lead to a network segment that does not contain RADIUS clients, while a second network adapter provides NPS with a network path to its configured RADIUS clients. In this scenario it is important to direct NPS to use the second network adapter for all RADIUS traffic.

In another example, if your NPS server has three network adapters installed, but you only want NPS to use two of the adapters for RADIUS traffic, you should configure port information for the two adapters only. By excluding port configuration for the third adapter, you prevent NPS from using the adapter for RADIUS traffic.

When you use the procedure in Configure NPS UDP Port Information, you can configure NPS to listen for and send RADIUS traffic on a network adapter by using the following syntax:

IPv4 traffic syntax: IPAddress:UDPport, where IPAddress is the IPv4 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.
IPv6 traffic syntax: [IPv6Address]:UDPport, where the brackets around IPv6Address are required, IPv6Address is the IPv6 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.

The following characters can be used as delimiters for configuring IP address and UDP port information:

Address/port delimiter: colon (:)
Port delimiter: comma (,)
Interface delimiter: semicolon (;)

Make sure that your network access servers are configured with the same RADIUS UDP ports that you configure on your NPS servers. The RADIUS standard UDP ports defined in RFCs 2865 and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for accounting requests.

Important

If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Configure NPS UDP Port Information

Use this procedure to configure User Datagram Protocol (UDP) ports for RADIUS traffic.

You can use the following procedure to configure the ports that Network Policy Server (NPS) uses for RADIUS authentication and accounting traffic.

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.

Note

If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which ports you decide to use, make sure that NPS and your access server are configured to use the same ones.

Important

If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure NPS UDP port information

1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, right-click Network Policy Server, and then click Properties.
3. Click the Ports tab, and then prepend the IP address for the network adapter you want to use for RADIUS traffic to the existing port numbers. For example, if you want to use the IP address 192.168.1.2 and RADIUS ports 1812 and 1645 for authentication requests, change the port setting from 1812,1645 to 192.168.1.2:1812,1645.
   If your RADIUS authentication and RADIUS accounting UDP ports are different from the default values, change the port settings accordingly.
4. To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
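As an added example that is not part of this guide, the following Python code parses the Ports-tab syntax described in Configure NPS on a Multihomed Computer and used in step 3 above: it splits a setting on the interface, address/port and port delimiters, enforces the bracket requirement for IPv6 addresses, and reports which configured ports fall outside the defaults that the install-time firewall exceptions cover. It assumes, from the guide's default value 1812,1645, that an entry with no address applies to all installed adapters; the PortBinding class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Ports that NPS listens on by default and that NPS installation opens in Windows Firewall.
DEFAULT_AUTH_PORTS: Set[int] = {1812, 1645}
DEFAULT_ACCT_PORTS: Set[int] = {1813, 1646}


@dataclass
class PortBinding:
    """One interface entry from the Ports tab: an adapter address plus its UDP ports.
    address is None when the entry carries no address, which (assumption, based on the
    guide's default value "1812,1645") means all installed network adapters."""
    address: Optional[str]
    ports: List[int] = field(default_factory=list)


def _parse_address(text: str) -> str:
    """Validate the address part. IPv6 must be written in brackets, as the guide requires."""
    if text.startswith("[") and text.endswith("]"):
        return str(ipaddress.IPv6Address(text[1:-1]))
    if text.startswith("[") or text.endswith("]"):
        raise ValueError(f"malformed bracketed IPv6 address: {text!r}")
    if ":" in text:
        raise ValueError(f"IPv6 address must be enclosed in brackets: {text!r}")
    return str(ipaddress.IPv4Address(text))


def _parse_port(text: str) -> int:
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"UDP port out of range: {port}")
    return port


def parse_port_setting(setting: str) -> List[PortBinding]:
    """Parse a Ports-tab value using the guide's delimiters:
    ';' between interfaces, ':' between address and ports, ',' between ports."""
    bindings: List[PortBinding] = []
    for entry in setting.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if ":" in entry:
            # rsplit keeps the colons inside a bracketed IPv6 address with the address part.
            addr_text, port_text = entry.rsplit(":", 1)
            address: Optional[str] = _parse_address(addr_text.strip())
        else:
            address, port_text = None, entry
        ports = [_parse_port(p) for p in port_text.split(",") if p.strip()]
        if not ports:
            raise ValueError(f"no ports given in entry {entry!r}")
        bindings.append(PortBinding(address, ports))
    return bindings


def ports_needing_firewall_exceptions(setting: str, defaults: Set[int]) -> Set[int]:
    """Ports in a setting that the exceptions created at NPS installation do not cover;
    per the guide's Important note, these need their own firewall exceptions."""
    used = {p for b in parse_port_setting(setting) for p in b.ports}
    return used - defaults


if __name__ == "__main__":
    # Constructed sample: the guide's example adapter plus an IPv6 adapter on a non-default port.
    sample = "192.168.1.2:1812,1645;[2001:db8::10]:1812,18120"
    for binding in parse_port_setting(sample):
        print(binding.address or "all adapters", binding.ports)
    print("needs firewall exceptions:", ports_needing_firewall_exceptions(sample, DEFAULT_AUTH_PORTS))
```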

Disable NAS Notification Forwarding

You can use this procedure to disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group configured in NPS.

When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Forward accounting requests to this remote RADIUS server group check box, these groups are still sent NAS start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To disable NAS notification forwarding

1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers, click Remote RADIUS Server Groups, and then double-click the remote RADIUS server group that you want to configure. The remote RADIUS server group Properties dialog box opens.
3. Double-click the group member that you want to configure, and then click the Authentication/Accounting tab.
4. In Accounting, clear the Forward network access server start and stop notifications to this server check box, and then click OK.
5. Repeat steps 3 and 4 for all group members that you want to configure.

Export an NPS Server Configuration for Import on Another Server

This procedure allows you to export the entire NPS configuration, including RADIUS clients and servers, network policy, connection request policy, registry, and logging configuration, from one NPS server for import on another NPS server.

Important

Do not use this procedure if the source NPS database has a higher version number than the version number of the destination NPS database. You can view the version number of the NPS database from the display of the netsh nps show config command.

When the netsh import command is run, NPS is automatically refreshed with the updated configuration settings. You do not need to stop NPS on the destination computer to run the netsh import command; however, if the NPS console or NPS MMC snap-in is open during the configuration import, changes to the server configuration are not visible until you refresh the view.

Note

When you use the netsh nps export command, you are required to provide the command parameter exportPSK with the value YES. This parameter and value explicitly state that you understand that you are exporting the NPS server configuration, and that the exported XML file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups.

Because NPS server configurations are not encrypted in the exported XML file, sending it over a network might pose a security risk, so take precautions when moving the XML file from the source server to the destination servers. For example, add the file to an encrypted, password protected archive file before moving the file. In addition, store the file in a secure location to prevent malicious users from accessing it.

Note

If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To copy an NPS server configuration to another NPS server using Netsh commands

1. On the source NPS server, open Command Prompt, type netsh, and then press ENTER.
2. At the netsh prompt, type nps, and then press ENTER.
3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES, where path is the folder location where you want to save the NPS server configuration file, and file is the name of the XML file that you want to save. Press ENTER.
   This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press ENTER, a message appears indicating whether the export to file was successful.
4. Copy the file you created to the destination NPS server.
5. At a command prompt on the destination NPS server, type netsh nps import filename="path\file.xml", and then press ENTER. A message appears indicating whether the import from the XML file was successful.

Increase the Number of NPS Concurrent Authentications

You can use this procedure to increase the number of concurrent authentications between NPS and domain controllers when NPS is not installed on a domain controller.

If the NPS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the NPS server and the domain controller.

Caution

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Administrative Credentials

To complete this procedure, you must be a member of the Administrators group.

To increase the number of concurrent authentications

1. Click Start, click Run, type regedit, and then press ENTER. Registry Editor opens.
2. In Registry Editor, browse to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Right-click Parameters, point to New, and then click DWORD (32-bit) Value.
4. Replace the default text for the new key by typing the text MaxConcurrentApi, and then press ENTER.
5. Right-click MaxConcurrentApi, and then click Modify. The Edit DWORD (32-bit) Value dialog box opens.
6. In Value data, type a value between 2 and 5. Do not enter a value higher than 5, or NPS might place an excessive load on the domain controller. Click OK.

Interpret NPS Database Format Log Files

Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.

Note

Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).

Entries recorded in database-compatible log files

The following are example entries (Access-Request and Access-Accept) from a database-compatible log file.

Note

In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.

This is the first example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

This is the second example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

The following table shows the attributes that can be contained in a record in the database-compatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted.

Additional information

A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries.
The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If a double quote appears within the string, it is replaced with two consecutive double quotes.
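As an added example that is not part of this guide, the following Python code parses database-compatible records into named attributes using the column order and code values from the table that follows (positions beyond the attributes listed here are reported by index), then counts Access-Reject records per user, which is the kind of summary an analyst pulls from these logs to spot repeated failures or lockouts. The sample log consists of the two entries above plus constructed Access-Reject entries; REASON_CODES is a subset of the guide's list, and the function names are this example's own.

```python
import csv
from collections import Counter
from typing import Dict, List

# Attribute order as listed in the guide's table (positions 0-31). Positions past the end of
# this list are reported by index, since the guide's table continues beyond Acct-Status-Type.
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class", "Session-Timeout", "Idle-Timeout",
    "Termination-Action", "EAP-Friendly-Name", "Acct-Status-Type",
]

# Code tables from the guide (REASON_CODES is a subset of the full list).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP", 7: "None", 8: "Custom"}
REASON_CODES = {
    0: "IAS_SUCCESS", 1: "IAS_INTERNAL_ERROR", 2: "IAS_ACCESS_DENIED",
    8: "IAS_NO_SUCH_USER", 16: "IAS_AUTH_FAILURE", 34: "IAS_ACCOUNT_DISABLED",
    36: "IAS_ACCOUNT_LOCKED_OUT", 48: "IAS_NO_POLICY_MATCH",
}

# Constructed sample log: the guide's two example entries (each on one line) followed by
# three constructed Access-Reject entries (Packet-Type 3) carrying failure Reason-Codes.
SAMPLE_LOG = """\
"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"CLIENTCOMP","IAS",03/07/2008,13:05:01,3,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,"Allow access if dial-in permission is enabled",16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"CLIENTCOMP","IAS",03/07/2008,13:05:09,3,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,"Allow access if dial-in permission is enabled",16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"CLIENTCOMP","IAS",03/07/2008,13:06:12,3,"bob",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,"Allow access if dial-in permission is enabled",36,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into named attributes. The csv module applies the guide's quoting
    rules: text values sit in double quotes and an embedded double quote is doubled."""
    values = next(csv.reader([line]))
    return {FIELDS[i] if i < len(FIELDS) else f"field-{i}": v for i, v in enumerate(values)}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a database-compatible log file."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def decode(record: Dict[str, str]) -> Dict[str, str]:
    """Replace the numeric IAS-internal attributes with the names from the guide's code tables."""
    out = dict(record)
    for name, table in (("Packet-Type", PACKET_TYPES), ("Authentication-Type", AUTH_TYPES),
                        ("Reason-Code", REASON_CODES)):
        raw = record.get(name, "")
        if raw.isdigit():
            out[name] = table.get(int(raw), f"unknown({raw})")
    return out


def rejected_users(records: List[Dict[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Users with at least `threshold` Access-Reject records; repeated rejects for one
    account are an early sign of password guessing or of a lockout in progress."""
    counts: Counter = Counter()
    for r in records:
        if r.get("Packet-Type") == "3":
            counts[r.get("User-Name") or r.get("Fully-Qualified-Distinguished-Name", "")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        d = decode(r)
        print(d["Record-Time"], d["Packet-Type"], d["User-Name"] or d["Fully-Qualified-Distinguished-Name"],
              d["Authentication-Type"], d["Reason-Code"])
    print("repeated rejects:", rejected_users(records))
```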

This table shows the values for the example entries of an IAS-internal attribute.

Value shown in

example

Attribute Data type Description

"CLIENTCOMP" ComputerName Text The name of the server where the packet

27

Page 27: Windows Server 2008 Network Policy Server (NPS) Operations Guide

Value shown in

example

Attribute Data type Description

was received (this is an IAS-internal

attribute).

"IAS" ServiceName Text The name of the service that generated

the record—IAS or the Routing and

Remote Access service (this is an IAS-

internal attribute).

03/07/2008 Record-Date Time The date at the NPS or Routing and

Remote Access server (this is an IAS-

internal attribute).

13:04:33 Record-Time Time The time at the NPS or Routing and

Remote Access server (this is an IAS-

internal attribute).

1 Packet-Type Number The type of packet, which can be:

1 = Access-Request

2 = Access-Accept

3 = Access-Reject

4 = Accounting-Request

This is an IAS-internal attribute.

"client" User-Name Text The user identity, as specified by the user.

  Fully-Qualified-

Distinguished-

Name

Text The user name in canonical format (this is

an IAS-internal attribute).

  Called-Station-ID Text The phone number dialed by the user.

  Calling-Station-ID Text The phone number from which the call

originated.

  Callback-Number Text The callback phone number.

  Framed-IP-

Address

Text The framed address to be configured for

the user.

  NAS-Identifier Text The text that identifies the network access

server originating the request.

  NAS-IP-Address Text The IP address of the network access

server originating the request.

  NAS-Port Number The physical port number of the network

28

Page 28: Windows Server 2008 Network Policy Server (NPS) Operations Guide

Value shown in

example

Attribute Data type Description

access server originating the request.

9 Client-Vendor Number The manufacturer of the network access

server (this is an IAS-internal attribute).

"10.10.10.10" Client-IP-Address Text The IP address of the RADIUS client (this

is an IAS-internal attribute).

"npsclient" Client-Friendly-

Name

Text The friendly name for the RADIUS client

(this is an IAS-internal attribute).

  Event-Timestamp Time The date and time that this event occurred

on the network access server.

  Port-Limit Number The maximum number of ports that the

network access server provides to the

user.

  NAS-Port-Type Number The type of physical port that is used by

the network access server originating the

request.

  Connect-Info Text Information that is used by the network

access server to specify the type of

connection made. Typical information

includes connection speed and data

encoding protocols.

  Framed-Protocol Number The protocol to be used.

  Service-Type Number The type of service that the user has

requested.

1 Authentication-

Type

Number The authentication scheme, which is used

to verify the user and can be:

1 = PAP

2 = CHAP

3 = MS-CHAP

4 = MS-CHAP v2

5 = EAP

7 = None

8 = Custom

This is an IAS-internal attribute.

Policy-Name (Text): The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, this attribute is blank.

Reason-Code (Number; value shown in example: 0): The reason for rejecting a user, which can be:

0 = IAS_SUCCESS
1 = IAS_INTERNAL_ERROR
2 = IAS_ACCESS_DENIED
3 = IAS_MALFORMED_REQUEST
4 = IAS_GLOBAL_CATALOG_UNAVAILABLE
5 = IAS_DOMAIN_UNAVAILABLE
6 = IAS_SERVER_UNAVAILABLE
7 = IAS_NO_SUCH_DOMAIN
8 = IAS_NO_SUCH_USER
16 = IAS_AUTH_FAILURE
17 = IAS_CHANGE_PASSWORD_FAILURE
18 = IAS_UNSUPPORTED_AUTH_TYPE
32 = IAS_LOCAL_USERS_ONLY
33 = IAS_PASSWORD_MUST_CHANGE
34 = IAS_ACCOUNT_DISABLED
35 = IAS_ACCOUNT_EXPIRED
36 = IAS_ACCOUNT_LOCKED_OUT
37 = IAS_INVALID_LOGON_HOURS
38 = IAS_ACCOUNT_RESTRICTION
48 = IAS_NO_POLICY_MATCH
64 = IAS_DIALIN_LOCKED_OUT
65 = IAS_DIALIN_DISABLED
66 = IAS_INVALID_AUTH_TYPE
67 = IAS_INVALID_CALLING_STATION
68 = IAS_INVALID_DIALIN_HOURS
69 = IAS_INVALID_CALLED_STATION
70 = IAS_INVALID_PORT_TYPE
71 = IAS_INVALID_RESTRICTION
80 = IAS_NO_RECORD
96 = IAS_SESSION_TIMEOUT
97 = IAS_UNEXPECTED_REQUEST

This is an IAS-internal attribute.

Class (Text): The attribute that is sent to the client in an Access-Accept packet.

Session-Timeout (Number): The length of time (in seconds) before the session is terminated.

Idle-Timeout (Number): The length of idle time (in seconds) before the session is terminated.

Termination-Action (Number): The action that the network access server takes when service is completed.

EAP-Friendly-Name (Text): The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is "Microsoft Secured Password (EAP-MSCHAPv2)".

Acct-Status-Type (Number): The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session.

Acct-Delay-Time (Number): The length of time (in seconds) for which the network access server has been sending the same accounting packet.

Acct-Input-Octets (Number): The number of octets received during the session.

Acct-Output-Octets (Number): The number of octets sent during the session.

Acct-Session-Id (Text): The unique numeric string that identifies the server session.

Acct-Authentic (Number): The number that specifies which server authenticated an incoming call.

Acct-Session-Time (Number): The length of time (in seconds) for which the session has been active.

Acct-Input-Packets (Number): The number of packets received during the session.

Acct-Output-Packets (Number): The number of packets sent during the session.

Acct-Terminate-Cause (Number): The reason that a connection was terminated.

Acct-Multi-Ssn-ID (Text): The unique numeric string that identifies the multilink session.

Acct-Link-Count (Number): The number of links in a multilink session.

Acct-Interim-Interval (Number): The length of the interval (in seconds) between each interim update that the network access server sends.

Tunnel-Type (Number): The tunneling protocol to be used.

Tunnel-Medium-Type (Number): The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers.

Tunnel-Client-Endpt (Text): The IP address of the tunnel client.

Tunnel-Server-Endpt (Text): The IP address of the tunnel server.

Acct-Tunnel-Conn (Text): An identifier assigned to the tunnel.

Tunnel-Pvt-Group-ID (Text): The group ID for a specific tunneled session.

Tunnel-Assignment-ID (Text): The tunnel to which a session is assigned.

Tunnel-Preference (Number): The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server.

MS-Acct-Auth-Type (Number), MS-Acct-EAP-Type (Number), MS-RAS-Version (Text), MS-RAS-Vendor (Number), MS-CHAP-Error (Text), MS-CHAP-Domain (Text), MS-MPPE-Encryption-Types (Number), MS-MPPE-Encryption-Policy (Number): Routing and Remote Access service attributes. For more information, see RFC 2548.

Proxy-Policy-Name (Text): The name of the connection request policy that matched the connection request.

Provider-Type (Number): Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.

Provider-Name (Text): A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for a Provider-Type value of 2.

Remote-Server-Address (IP address): The IP address of the remote RADIUS server to which the connection request was forwarded for authentication.

MS-RAS-Client-Name (Text; value shown in example: "CLIENTCOMP"): The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40. Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated. The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~.

MS-RAS-Client-Version (Number): The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7. Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order.

Interpret Windows System Health Validator Entries in Log Files

When NPS is configured as a Network Access Protection (NAP) policy server, and one or more

health policies are configured with the Windows Security Health Validator (WSHV), NPS logs

statement of health responses (SoHRs) in the NPS log file or to a Microsoft® SQL Server™

database, depending on your accounting configuration.

You can use the information in this topic to interpret WSHV entries in NPS accounting logs.

Diagnostic codes

The WSHV entries contain elements that correspond to components that might be installed or enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic Updates.

The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and these codes are always presented in the following order:

1. Firewall - On/Off

2. Antivirus - On/Off

3. Antivirus - Up-to-date status

4. Antispyware - On/Off

5. Antispyware - Up-to-date status

6. Automatic Updates - On/Off

7. Security Updates - Compliance code

8. Security Updates - Severity

9. Security Updates - Legitimate source (Windows Update, Windows Server Update Services, or Microsoft Update)

For item 9 above, the following codes are possible values in the log file.

Update source: Diagnostic code

Windows Update: 0x00004000

Windows Server Update Services (WSUS): 0x00010000

Microsoft Update: 0x00020000

Important

If the configuration allows the receipt of updates from more than one source, the log file entry combines the codes (a bitwise OR of the individual values). For example, if both Windows Update and Microsoft Update are legitimate sources, the log file code is 0x00024000.

When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is

0x0. When an element of the SHV is compliant, the corresponding component on the client

computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of

Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is

not configured to enforce any specific element, such as Firewall or Security Updates, log entries

for the element are not relevant and should be ignored.

The Security Updates element provides a severity rating. To interpret the severity rating when

reviewing the NPS log file, you can use the following severity levels.

Severity level Code in NPS log

Unspecified 0x0040

Low 0x0080

Moderate 0x0100

Important 0x0200

Critical 0x0400

Error codes

On the client computer, the NAP agent can receive errors from the Windows System Health Agent, which monitors the components on the client operating system, such as firewalls and antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the statement contains information about errors on the client computer.

In turn, NPS records the error in the NPS log file.

The following table provides the possible error codes that can be logged by NPS.

Error code and description

0xC0FF0001 E_MSSHV_PRODUCT_NOT_ENABLED
A system health component is not enabled.

0xC0FF0002 E_MSSHAV_PRODUCT_NOT_INSTALLED
A system health component is not installed.

0xC0FF0003 E_MSSHAV_WSC_SERVICE_DOWN
The Windows Security Center service is not running.

0xC0FF0004 E_MSSHV_PRODUCT_NOT_UPTODATE
The signatures for a specific system health component are not up to date.

0x00FF0008 E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT
The Windows Update Agent service has not started. An administrator must try to start the service manually.

0xC0FF000C E_MSSHAV_NO_WUS_SERVER
The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Click the Try again button after configuration is done for the changes to take effect.

0xC0FF000D E_MSSHAV_NO_CLIENT_ID
Windows failed to determine the Windows Server Update Services client ID of this computer.

0xC0FF000E E_MSSHAV_WUA_SERVICE_DISABLED
The Windows Update Agent service has been disabled or is not configured to start automatically. An administrator must enable the service.

0xC0FF000F E_MSSHAV_WUA_COMM_FAILURE
The periodic scan of this computer for security updates failed. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.

0xC0FF0010 E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT
Security updates have been installed and require this computer to be restarted. Close all applications and restart this computer.

0xC0FF0012 E_MSSHV_WUS_SHC_FAILURE
The NPS server failed to validate the security update status of this computer. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.

0xC0FF0014 E_MSSHV_UNKNOWN_CLIENT
Unknown client.

0xC0FF0017 E_MSSHV_INVALID_SOH
The Windows Security Health Validator did not process the latest Statement of Health (SoH) because the SoH is not valid.

0xC0FF0018 E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT
The Windows Security Center service has not started. An administrator must try to start the service manually.

0xC0FF0047 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED
A third-party system health component is not enabled.

0xC0FF0048 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE
The signatures for a specific third-party system health component are not up to date.

0xC0FF004E E_MSSHAV_BAD_UPDATE_SOURCE_MU
This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Microsoft Update.

0xC0FF004F E_MSSHAV_BAD_UPDATE_SOURCE_WUMU
This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Update or Microsoft Update.

0xC0FF0050 E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS
This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Server Update Services or Microsoft Update.

0xC0FF0051 E_MSSHAV_NO_UPDATE_SOURCE
The Windows Update Agent on this computer is not configured to receive security updates. An administrator must configure the Windows Update Agent service. The NAP agent might have to be restarted for changes to take effect.

Determining the client operating system

When you review Windows SHV entries in the NPS log file, you can determine whether the client computer is running Windows Vista or Windows XP in one of two ways:

1. Examine the field OS-Version in the NPS log.

2. Count the number of diagnostic codes recorded in the log file. If the client computer is running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running Windows XP, NPS logs only six diagnostic codes, because the monitoring of antispyware status is not supported in WSHV for Windows XP.

Example log file entries

The first example log file entry depicts an entry for a client computer running Windows Vista that is not configured to synchronize with a Windows Server Update Services server. The explanatory text that follows some of the diagnostic codes (for example, "Diagnostic code for Security Updates from Diagnostic Code table") is added to clarify the meaning of the codes and does not normally appear in NPS log entries.

First example log file entry

Machine testclient was quarantined.

OS-Version = 6.0.5495 0.0 x86 Workstation

Fully-Qualified-Machine-Name = <undetermined>

Fully-Qualified-User-Name = <undetermined>

NAS-IP-Address = <not present>

NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1

NAS-Identifier = testserver

Called-Station-Identifier = <not present>

Calling-Station-Identifier = <not present>

Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601

Proxy-Policy-Name = Use Windows authentication for all users

Policy-Name = Access Denied

Quarantine-Session-Identifier =

{5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z

Quarantine-Help-URL = <undetermined>


Quarantine-System-Health-Result =

Windows Security Health Validator

NonCompliant

None

(0x0-) Firewall is compliant

(0x0-) Anti Virus is compliant

(0x0-) Anti Virus signatures are compliant

(0x0-) Anti Spyware is compliant

(0x0-) Anti Spyware signatures are compliant

(0x0-) Automatic Update is compliant

(0xc0ff000c-The Windows Update Agent on this computer is not

configured to synchronize with a Windows Server Update Services

server. An administrator must configure the Windows Update Agent

service. Please click on the 'try again' button after configuration is

done for the changes to take effect.) Diagnostic code for Security Updates from Diagnostic

Code table

(0x40-) Unspecified Severity Level from Severity level table

(0x00004000-) Legitimate update source is Windows Update

Second example log file entry

The second example log file entry depicts an entry for a client computer running Windows Vista

that is configured to use the Windows Security Center for the firewall, antivirus, antispyware and

Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file

entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored.

Machine testclient was quarantined.

OS-Version = 6.0.5495 0.0 x86 Workstation

Fully-Qualified-Machine-Name = <undetermined>

Fully-Qualified-User-Name = <undetermined>

NAS-IP-Address = <not present>

NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1

NAS-Identifier = testserver

Called-Station-Identifier = <not present>

Calling-Station-Identifier = <not present>

Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601

Proxy-Policy-Name = Use Windows authentication for all users


Policy-Name = Access Denied

Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30

17:17:33.585Z

Quarantine-Help-URL = <undetermined>

Quarantine-System-Health-Result =

Windows Security Health Validator

NonCompliant

None

(0xc0ff0003-The Windows Security Center service is not running.)

(0x0-)

(0x0-)

(0xc0ff0003-The Windows Security Center service is not running.)

(0x0-)

(0xc0ff0003-The Windows Security Center service is not running.)

(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize

with a Windows Server Update Services server. An administrator must configure the Windows

Update Agent service. Please click on the 'try again' button after configuration is done

for the changes to take effect.)

(0x40-)
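The decoding rules in this topic (the fixed element order, the combined update-source flags, the severity codes, the error-code table, the OS-Version and code-count rule for the client operating system, and the rule that element codes have no meaning when Windows Security Center is not running) applied by one small parser. This is an example added to this guide, not Microsoft code: the tables are transcribed from the text above, the sample entry is constructed to follow the shape of the first example (with 0x00024000 as the source code, to show a combined Windows Update and Microsoft Update value), and the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass

# Items 1-9 in the fixed order WSHV logs them; Windows XP clients lack the
# two antispyware elements, so their entries carry six codes instead of eight.
ELEMENT_NAMES = [
    "Firewall", "Antivirus", "Antivirus signatures",
    "Antispyware", "Antispyware signatures", "Automatic Updates",
    "Security Updates compliance", "Security Updates severity",
    "Security Updates source",
]
XP_ELEMENT_NAMES = [n for n in ELEMENT_NAMES if not n.startswith("Antispyware")]
# Item 9 is a bit mask: sources that are allowed together are OR-ed into one code.
UPDATE_SOURCES = {
    0x00004000: "Windows Update",
    0x00010000: "Windows Server Update Services",
    0x00020000: "Microsoft Update",
}
SEVERITY_LEVELS = {0x0040: "Unspecified", 0x0080: "Low", 0x0100: "Moderate",
                   0x0200: "Important", 0x0400: "Critical"}
ERROR_CODES = {  # subset of the error-code table above
    0xC0FF0001: "E_MSSHV_PRODUCT_NOT_ENABLED",
    0xC0FF0003: "E_MSSHAV_WSC_SERVICE_DOWN",
    0xC0FF0004: "E_MSSHV_PRODUCT_NOT_UPTODATE",
    0xC0FF000C: "E_MSSHAV_NO_WUS_SERVER",
    0xC0FF0010: "E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT",
    0xC0FF0051: "E_MSSHAV_NO_UPDATE_SOURCE",
}
WSC_SERVICE_DOWN = 0xC0FF0003

FIELD_RE = re.compile(r"^([A-Za-z][\w-]*) = (.*)$", re.MULTILINE)
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)-([^)]*)\)")  # "(code-message)"; message may span lines


@dataclass
class WshvEntry:
    fields: dict      # "Name = value" lines that precede the health result
    codes: list       # diagnostic codes in logged order
    messages: list    # text logged with each code ("" when compliant)


def parse_entry(text: str) -> WshvEntry:
    head, sep, result = text.partition("Quarantine-System-Health-Result =")
    if not sep:
        raise ValueError("entry has no Quarantine-System-Health-Result")
    codes, messages = [], []
    for hex_code, message in CODE_RE.findall(result):
        codes.append(int(hex_code, 16))
        messages.append(" ".join(message.split()))  # re-join wrapped lines
    return WshvEntry(dict(FIELD_RE.findall(head)), codes, messages)


def client_os(entry: WshvEntry) -> str:
    """OS-Version first (6.x is Vista or Server 2008, 5.1 is XP), then the code count."""
    version = entry.fields.get("OS-Version", "")
    if version.startswith("6."):
        return "Windows Vista"
    if version.startswith("5.1"):
        return "Windows XP"
    if len(entry.codes) >= 8:
        return "Windows Vista"
    return "Windows XP" if len(entry.codes) == 6 else "unknown"


def is_meaningful(entry: WshvEntry) -> bool:
    """Element codes carry no meaning when Windows Security Center is not running."""
    return WSC_SERVICE_DOWN not in entry.codes


def decode_sources(code: int) -> list:
    return [name for bit, name in UPDATE_SOURCES.items() if code & bit]


def interpret(entry: WshvEntry) -> list:
    """One decoded line per logged element, using the tables above."""
    names = XP_ELEMENT_NAMES if client_os(entry) == "Windows XP" else ELEMENT_NAMES
    lines = []
    for i, code in enumerate(entry.codes):
        name = names[i] if i < len(names) else f"element {i + 1}"
        if name == "Security Updates severity":
            lines.append(f"{name}: {SEVERITY_LEVELS.get(code, hex(code))}")
        elif name == "Security Updates source":
            lines.append(f"{name}: {', '.join(decode_sources(code)) or 'none'}")
        elif code == 0:
            lines.append(f"{name}: compliant")
        else:
            lines.append(f"{name}: {ERROR_CODES.get(code, 'unknown error')} ({code:#010x})")
    return lines


# Constructed entry patterned on the first example above (not real log data).
SAMPLE_VISTA = """\
Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Policy-Name = Access Denied
Quarantine-System-Health-Result =
NonCompliant
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0xc0ff000c-The Windows Update Agent on this computer is not
configured to synchronize with a Windows Server Update Services server.)
(0x40-)
(0x00024000-)
"""
```

Call parse_entry on one quarantine entry and then interpret on the result. Check is_meaningful first: for an entry like the second example above, where 0xC0FF0003 appears, it returns False, and the remaining element codes should not be reported as findings.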

Register an NPS Server in Another Domain

To provide an NPS server with permission to read the dial-in properties of user accounts in Active

Directory, the NPS server must be registered in the domain where the accounts reside.

You can use this procedure to register an NPS server in a domain where the NPS server is not a

domain member.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

You can perform this procedure by using the following methods:

To register an NPS server in another domain

1. On the domain controller, click Start, click Administrative Tools, and then click Active

Directory Users and Computers. The Active Directory Users and Computers

console opens.

2. In the console tree, navigate to the domain where you want the NPS server to read user

account information, and then click the Users folder.


3. In the details pane, right-click RAS and IAS Servers, and then click Properties. The

RAS and IAS Servers Properties dialog box opens.

4. In the RAS and IAS Servers Properties dialog box, click the Members tab, add each of

the NPS servers that you want to register in the domain, and then click OK.

To register an NPS server in another domain by using Netsh commands for NPS

1. Open Command Prompt.

2. Type the following at the command prompt: netsh nps add registeredserver domain

server, and then press ENTER.

In the preceding command, domain is the DNS domain name of the domain where you

want to register the NPS server, and server is the name of the NPS server computer.

Register an NPS Server in its Default Domain

You can use this procedure to register an NPS server in the domain where the server is a domain

member.

NPS servers must be registered in Active Directory so that they have permission to read the dial-

in properties of user accounts during the authorization process. Registering an NPS server adds

the server to the RAS and IAS Servers group in Active Directory.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To register an NPS server in its default domain

1. Open the NPS console.

2. Right-click NPS (Local), and then click Register Server in Active Directory. The

Network Policy Server dialog box opens.

3. In Network Policy Server, click OK, and then click OK again.

Unregister an NPS Server from its Default Domain

In the process of managing your NPS server deployment, you might find it useful to move an NPS

server to another domain, to replace an NPS server, or to retire an NPS server. When you move


or decommission an NPS server, unregister the NPS server in the Active Directory domains

where the NPS server has permission to read the properties of user accounts in Active Directory.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To unregister an NPS server

1. On the domain controller, click Start, click Administrative Tools, and then click Active

Directory Users and Computers. The Active Directory Users and Computers

console opens.

2. Click Users, and then double-click RAS and IAS servers.

3. Click the Members tab, and then select the NPS server that you want to unregister.

4. Click Remove, click Yes, and then click OK.

Verify Configuration After an NPS Server IP Address Change

There might be circumstances where you need to change the IP address of an NPS server or

proxy, such as when you move the server to a different IP subnet.

If you change an NPS server or proxy IP address, it is necessary to reconfigure portions of your

NPS deployment.

Use the following general guidelines to assist you in verifying that an IP address change does not

interrupt network access authentication, authorization, or accounting on your network.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To verify configuration after an NPS server IP address change

1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with

the new IP address of the NPS server.

2. If the NPS server is a member of a remote RADIUS server group, reconfigure the NPS

proxy with the new IP address of the NPS server.

3. If you have configured the NPS server to use SQL Server logging, verify that connectivity

between the computer running SQL Server and the NPS server is still functioning

properly.

4. If you have deployed IPsec to secure RADIUS traffic between your NPS server and an

NPS proxy or other servers or devices, reconfigure the IPsec policy or the connection

security rule in Windows Firewall with Advanced Security to use the new IP address of

the NPS server.


5. If the NPS server is multihomed and you have configured the server to bind to a specific

network adapter, reconfigure NPS port settings with the new IP address.

To verify configuration after an NPS proxy IP address change

1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with

the new IP address of the NPS proxy.

2. If the NPS proxy is multihomed and you have configured the proxy to bind to a specific

network adapter, reconfigure NPS port settings with the new IP address.

3. Reconfigure all members of all remote RADIUS server groups with the proxy server IP

address. To accomplish this task, at each NPS server that has the NPS proxy configured

as a RADIUS client:

a. Double-click NPS (Local), double-click RADIUS Clients and Servers, click RADIUS

Clients, and then in the details pane, double-click the RADIUS client that you want to

change.

b. In RADIUS client Properties, in Address (IP or DNS), type the new IP address of

the NPS proxy.

4. If you have configured the NPS proxy to use SQL Server logging, verify that connectivity

between the computer running SQL Server and the NPS proxy is still functioning properly.

Verify Configuration After Renaming an NPS Server

There might be circumstances when you need to change the name of an NPS server or proxy,

such as when you redesign the naming conventions for your servers.

If you change an NPS server or proxy name, it is necessary to reconfigure portions of your NPS

deployment.

Use the following general guidelines to assist you in verifying that a server name change does not

interrupt network access authentication, authorization, or accounting.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To verify configuration after an NPS server or proxy name change

1. If the NPS server is a member of a remote RADIUS server group and the group is

configured with computer names rather than IP addresses, reconfigure the remote

RADIUS server group with the new NPS server name.

2. If certificate-based authentication methods are deployed at the NPS server, the name

change invalidates the server certificate. You can request a new certificate from the


certification authority (CA) administrator or, if the computer is a domain member

computer and you autoenroll certificates to domain members, you can refresh Group

Policy to obtain a new certificate through autoenrollment. To refresh Group Policy:

a. Open Command Prompt.

b. Type gpupdate, and then press ENTER.

3. After you have a new server certificate, request that the CA administrator revoke the old

certificate.

After the old certificate is revoked, NPS will continue to use it until the old certificate

expires. By default, the old certificate remains valid for a maximum time of one week and

10 hours. This time period might be different depending on whether the Certificate

Revocation List (CRL) expiry and the Transport Layer Security (TLS) cache time expiry

have been modified from their defaults. The default CRL expiry is one week; the default

TLS cache time expiry is 10 hours.

If you want to configure NPS to use the new certificate immediately, however, you can

manually reconfigure network policies with the new certificate.

4. After the old certificate expires, NPS automatically begins using the new certificate.

5. If you have configured the NPS server to use SQL Server logging, verify that connectivity

between the computer running SQL Server and the NPS server is still functioning

properly.

Managing Certificates Used with NPS

If you deploy a certificate-based authentication method, such as EAP-TLS, PEAP-TLS, or PEAP-

MS-CHAP v2, you must enroll a server certificate to all of your NPS servers. The server certificate

must:

Meet the minimum server certificate requirements as described in Certificate Requirements

for PEAP and EAP at http://go.microsoft.com/fwlink/?LinkID=101491.

Be issued by a certification authority (CA) that is trusted by client computers. A CA is trusted

when its certificate exists in the Trusted Root Certification Authorities certificate store for the

current user and local computer.

The following objectives assist in managing NPS server certificates in deployments where the

trusted root CA is a third-party CA, such as Verisign, or is a CA that you have deployed for your

public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS) in Windows

Server 2008.

The following objectives are part of managing NPS server certificates:

Change the Cached TLS Handle Expiry

Obtain the SHA-1 Hash of a Trusted Root CA Certificate


Change the Cached TLS Handle Expiry

During the initial authentication processes for Extensible Authentication Protocol-Transport Layer

Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security

(PEAP-TLS), and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake

Authentication Protocol version 2 (PEAP-MS-CHAP v2), the NPS server caches a portion of the

connecting client's TLS connection properties. The client also caches a portion of the NPS

server's TLS connection properties.

Each individual collection of these TLS connection properties is called a TLS handle.

Client computers can cache the TLS handles for multiple authenticators, while NPS servers can

cache the TLS handles of many client computers.

The cached TLS handles on the client and server allows the reauthentication process to occur

more rapidly. For example, when a wireless computer reauthenticates with an NPS server, the

NPS server can examine the TLS handle for the wireless client and can quickly determine that

the client connection is a reconnect. The NPS server authorizes the connection without

performing full authentication.

Correspondingly, the client examines the TLS handle for the NPS server, determines that it is a

reconnect, and does not need to perform server authentication.

On computers running Windows Vista and Windows Server 2008, the default TLS handle expiry

is 10 hours.

In some circumstances, you might want to increase or decrease the TLS handle expiry time.

For example, you might want to decrease the TLS handle expiry time in a scenario where an administrator revokes a user's certificate before it expires. In this scenario, the user can still connect to the network if an NPS server has a cached TLS handle that has not expired, because a reconnect is authorized without the full authentication in which the certificate would be validated again. Reducing the TLS handle expiry shortens the window in which users with revoked certificates can reconnect.

Note

The best solution to this scenario is to disable the user account in Active Directory, or to

remove the user account from the Active Directory group that is granted permission to

connect to the network in network policy. The propagation of these changes to all domain

controllers might also be delayed, however, due to replication latency.

Use the following tasks to configure the TLS handle expiry:

Configure the TLS Handle Expiry Time on Client Computers

Configure the TLS Handle Expiry Time on NPS Servers


Configure the TLS Handle Expiry Time on Client Computers

Use this procedure to change the amount of time that client computers cache the Transport Layer Security (TLS) handle of an NPS server. After successfully authenticating an NPS server, client computers cache TLS connection properties of the NPS server as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.

Important

This procedure must be performed on an NPS server, not on a client computer.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the TLS handle expiry time on client computers

1. On an NPS server, open Registry Editor.

2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

3. On the Edit menu, click New, and then click DWORD (32-bit) Value. ClientCacheTime is a REG_DWORD value stored directly under the SCHANNEL key; do not create a subkey named ClientCacheTime.

4. Type ClientCacheTime, and then press ENTER.

5. Double-click ClientCacheTime, click Decimal, and then type the amount of time, in milliseconds, that you want client computers to cache the TLS handle of an NPS server after the first successful authentication of the NPS server. For example, 36,000,000 is the 10-hour default.

6. Click OK.

Configure the TLS Handle Expiry Time on NPS Servers

Use this procedure to change the amount of time that NPS servers cache the Transport Layer

Security (TLS) handle of client computers. After successfully authenticating an access client, NPS

servers cache TLS connection properties of the client computer as a TLS handle. The TLS handle

has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the

TLS handle expiry time by using the following procedure.

Important

This procedure must be performed on an NPS server, not on a client computer.

Administrative credentials


To complete this procedure, you must be a member of the Administrators group.

To configure the TLS handle expiry time on NPS servers using the Windows interface

1. On the NPS server, open Registry Editor.

2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

3. On the Edit menu, click New, and then click DWORD (32-bit) Value.

4. Type ServerCacheTime, and then press ENTER. Like ClientCacheTime, this is a value directly under the SCHANNEL key, not a subkey.

5. Double-click ServerCacheTime, click Decimal, and then type the amount of time, in milliseconds, that you want NPS servers to cache the TLS handle of a client computer after the first successful authentication attempt by the client. A value of 0 disables caching.

6. Click OK, and then close Registry Editor. Restart the NPS server so that Schannel picks up the new value, and make the same change on every NPS server that can authenticate the same clients (for example, all members of a remote RADIUS server group). A shorter cache time means a disabled account or removed group membership takes effect at the next full handshake sooner, at the cost of more full TLS handshakes and certificate revocation checks on the NPS servers.
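The following PowerShell script is an added example, not part of the NPS Operations Guide. It writes and reads back the two Schannel values that the procedures above set by hand (ClientCacheTime on a client, ServerCacheTime on an NPS server), converting hours to the millisecond units the registry expects. It must run elevated; the one-hour value at the end is an illustrative choice, not a recommendation from the guide.

```powershell
# Added example, not part of the NPS Operations Guide: set and verify the Schannel
# TLS handle cache lifetimes that the two procedures above configure by hand.
# Run elevated. ClientCacheTime applies on access clients, ServerCacheTime on NPS
# servers; both are REG_DWORD values under the SCHANNEL key, in milliseconds.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function ConvertTo-Milliseconds {
    param([double]$Hours)
    [uint32]($Hours * 60 * 60 * 1000)   # 10 h -> 36000000, the documented default
}

function Set-SchannelCacheTime {
    # $Name is ClientCacheTime (on a client) or ServerCacheTime (on an NPS server).
    param([string]$Name, [double]$Hours)
    if ('ClientCacheTime', 'ServerCacheTime' -notcontains $Name) {
        throw "Name must be ClientCacheTime or ServerCacheTime, not '$Name'"
    }
    $ms = ConvertTo-Milliseconds -Hours $Hours
    if (-not (Test-Path $SchannelKey)) { New-Item -Path $SchannelKey -Force | Out-Null }
    # -Type DWord writes a REG_DWORD, the type Schannel expects for these values.
    Set-ItemProperty -Path $SchannelKey -Name $Name -Value $ms -Type DWord
    $readBack = (Get-ItemProperty -Path $SchannelKey -Name $Name).$Name
    if ($readBack -ne $ms) { throw "Read-back of $Name returned $readBack, expected $ms" }
    '{0} = {1} ms ({2} h)' -f $Name, $readBack, $Hours
}

function Get-SchannelCacheTime {
    # Reports both values; an absent value means Schannel uses its built-in default.
    foreach ($n in 'ClientCacheTime', 'ServerCacheTime') {
        $p = Get-ItemProperty -Path $SchannelKey -Name $n -ErrorAction SilentlyContinue
        if ($p) { '{0}: {1} ms' -f $n, $p.$n }
        else    { '{0}: not set (default 36,000,000 ms = 10 h)' -f $n }
    }
}

# Example: on an NPS server, shorten the server-side cache from 10 h to 1 h so that a
# disabled user or a removed group membership is enforced at the next full handshake
# within an hour instead of ten. Expect more full TLS handshakes (and CRL checks).
Set-SchannelCacheTime -Name ServerCacheTime -Hours 1
Get-SchannelCacheTime
```

Run the same script with -Name ClientCacheTime on a client computer. Restart the computer afterwards; the read-back only proves the registry write, not that the running Schannel has picked it up.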

Obtain the SHA-1 Hash of a Trusted Root CA Certificate

Use this procedure to obtain the Secure Hash Algorithm (SHA-1) hash of a trusted root

certification authority (CA) from a certificate that is installed on the local computer. In some

circumstances, such as when deploying Group Policy, it is necessary to designate a certificate by

using the SHA-1 hash of the certificate.

When using Group Policy, you can designate one or more trusted root CA certificates that clients

must use in order to authenticate the NPS server during the process of mutual authentication with

EAP or PEAP. To designate a trusted root CA certificate that clients must use to validate the

server certificate, you can enter the SHA-1 hash of the certificate.

This procedure demonstrates how to obtain the SHA-1 hash of a trusted root CA certificate by

using the Certificates Microsoft Management Console (MMC) snap-in.

Administrative credentials

To complete this procedure, you must be a member of the Users group on the local computer.

To obtain the SHA-1 hash of a trusted root CA certificate

1. Click Start, click Run, type mmc, and then click OK. An empty console opens. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

2. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The Certificates snap-in wizard opens. Click Computer account, and then click Next.

3. In Select Computer, ensure that Local computer (the computer this console is running on) is selected, click Finish, and then click OK.

4. In the left pane, double-click Certificates (Local Computer), and then double-click the

Trusted Root Certification Authorities folder.


5. The Certificates folder is a subfolder of the Trusted Root Certification Authorities

folder. Click the Certificates folder.

6. In the details pane, browse to the certificate for your trusted root CA. Double-click the

certificate. The Certificate dialog box opens.

7. In the Certificate dialog box, click the Details tab.

8. In the list of fields, scroll to and select Thumbprint.

9. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. The thumbprint is not a field inside the certificate; Windows computes it as the SHA-1 digest of the whole DER-encoded certificate, so it identifies exactly this certificate and changes whenever the CA certificate is renewed. Select the SHA-1 hash, and then press the Windows keyboard shortcut for the Copy command (CTRL+C) to copy the hash to the Windows clipboard.

10. Open the location to which you want to paste the SHA-1 hash, correctly locate the cursor, and then press the Windows keyboard shortcut for the Paste command (CTRL+V). The snap-in copies the thumbprint with a space between each pair of hexadecimal digits; if the destination rejects the value, remove the spaces.
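The following PowerShell script is an added example and not part of the guide. It does from the command line what the procedure above does in the Certificates snap-in: lists the trusted root CAs of the local computer with their thumbprints, shows that the thumbprint is the SHA-1 digest of the certificate's DER bytes, and looks up a thumbprint pasted in the spaced form the snap-in produces. The CA subject name "Contoso Root CA" is an assumption; substitute your own.

```powershell
# Added example, not part of the NPS Operations Guide: enumerate the computer's
# trusted root CAs and confirm a thumbprint from PowerShell instead of the MMC.
# The CA subject name at the bottom is an assumption; adjust it to your CA.

function Get-TrustedRootThumbprint {
    # Subject, Thumbprint and expiry of every certificate in the local computer's
    # Trusted Root Certification Authorities store (the same list as step 5 above).
    Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint, NotAfter
}

function Test-ThumbprintIsSha1OfCertificate {
    # What the Details tab's Thumbprint field is: the SHA-1 digest of the DER-encoded
    # certificate. Returns $true when the recomputed digest equals the stored thumbprint.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash($Certificate.RawData)
    $hex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $hex -eq $Certificate.Thumbprint
}

function Find-RootCaByThumbprint {
    # Looks up a thumbprint pasted from the MMC, tolerating the spaces and case the
    # MMC copies and any stray non-hex character. Returns the certificate or nothing.
    param([string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "A SHA-1 thumbprint is 40 hex digits; got $($clean.Length)" }
    Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $clean }
}

# Usage: list the roots, then verify the one your wireless Group Policy will pin.
Get-TrustedRootThumbprint | Format-Table -AutoSize

# Assumed CA name; replace with the subject of your own root CA.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Contoso Root CA*' } |
    Select-Object -First 1
if ($root) {
    'Thumbprint equals SHA-1(RawData): {0}' -f (Test-ThumbprintIsSha1OfCertificate -Certificate $root)
    'Value to enter in Group Policy:   {0}' -f $root.Thumbprint
    # Re-insert the spaces the MMC adds and confirm the lookup still finds the certificate.
    $spaced = $root.Thumbprint -replace '(..)', '$1 '
    'Lookup of pasted form works:      {0}' -f ((Find-RootCaByThumbprint -Thumbprint $spaced) -ne $null)
}
```

Because the thumbprint pins one exact certificate, re-run the listing after a CA certificate renewal and update the Group Policy setting, or clients will refuse the new server certificate chain.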

Managing RADIUS Clients

You can configure any of the following types of RADIUS clients in NPS:

Virtual private network (VPN) servers

Wireless access points

802.1X authenticating switches

Dial-up servers

NPS proxies

Terminal Services Gateway (TS Gateway) servers

To use NPS to manage network access, you must configure one or more RADIUS clients in NPS.

If you are configuring an NPS proxy as a RADIUS client on an NPS server, the NPS proxy must

also be configured with RADIUS clients that forward connection requests to the proxy. The proxy

forwards the connection request to a remote RADIUS server group based on the connection

request processing rules defined on the proxy.

The following objectives are part of managing RADIUS clients:

Set up RADIUS Clients

Set up RADIUS Clients by IP Address Range

Set up RADIUS Clients

When you add a new network access server (VPN server, wireless access point, authenticating

switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS,

and then configure the RADIUS client to communicate with the NPS server.


Important

Client computers, such as wireless laptop computers and other computers running client

operating systems, are not RADIUS clients. RADIUS clients are network access servers

—such as wireless access points, 802.1X authenticating switches, virtual private network

(VPN) servers, and dial-up servers—because they use the RADIUS protocol to

communicate with RADIUS servers such as Network Policy Server (NPS) servers.

This step is also necessary when your NPS server is a member of a remote RADIUS server

group that is configured on an NPS proxy. In this circumstance, in addition to performing the

steps in this task on the NPS proxy, you must do the following:

On the NPS proxy, configure a remote RADIUS server group that contains the NPS server.

On the remote NPS server, configure the NPS proxy as a RADIUS client.

Task requirements

The following are required to perform the procedures for this task:

You must have at least one network access server (VPN server, wireless access point,

authenticating switch, or dial-up server) or NPS proxy physically installed on your network.

To complete this task, perform the following procedures:

Configure the Network Access Server

Add the Network Access Server as a RADIUS Client in NPS

Configure the Network Access Server

Use this procedure to configure network access servers for use with NPS. When you deploy

network access servers (NASs) as RADIUS clients, you must configure the clients to

communicate with the NPS servers where the NASs are configured as clients.

This procedure provides general guidelines about the settings you should use to configure your

NASs; for specific instructions on how to configure the device you are deploying on your network,

see your NAS product documentation.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the network access server

1. On the NAS, in RADIUS settings, select RADIUS authentication on User Datagram Protocol (UDP) port 1812 and RADIUS accounting on UDP port 1813. NPS also listens on the legacy ports 1645 and 1646 by default, but 1812 and 1813 are the IANA-assigned RADIUS ports and should be used for new deployments.

2. In Authentication server or RADIUS server, specify your NPS server by IP address or fully qualified domain name (FQDN), depending on the requirements of the NAS.

3. In Secret or Shared secret, type a strong password. RADIUS uses the shared secret both to hide the User-Password attribute and to authenticate packets with an MD5-based check, so use a long, random secret that is unique to each NAS, and do not reuse one secret across devices. When you configure the NAS as a RADIUS client in NPS, you will use the same secret, so record it securely.

4. If you are using PEAP or EAP as an authentication method, configure the NAS to use EAP authentication.

5. If you are configuring a wireless access point, in SSID, specify a Service Set Identifier (SSID), which is an alphanumeric string that serves as the network name. Access points broadcast this name to wireless clients, so it is visible to anyone in range of your wireless network.

6. If you are configuring a wireless access point, in 802.1X and WEP, enable IEEE 802.1X authentication if you want to deploy PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS. Where the access point supports it, use WPA2-Enterprise (802.1X with AES-CCMP) rather than WEP or dynamic WEP keying; WEP is cryptographically broken and does not protect the traffic that 802.1X has authenticated.

Add the Network Access Server as a RADIUS Client in NPS

Use this procedure to add a network access server as a RADIUS client in NPS. You can use this

procedure to configure a network access server (NAS) as a RADIUS client by using the NPS

console.

Important

Client computers, such as wireless laptop computers and other computers running client

operating systems, are not RADIUS clients. RADIUS clients are network access servers

—such as wireless access points, 802.1X authenticating switches, virtual private network

(VPN) servers, and dial-up servers—because they use the RADIUS protocol to

communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To add a network access server as a RADIUS client in NPS

1. On the NPS server, click Start, click Administrative Tools, and then click Network

Policy Server. The NPS console opens.

2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS

Clients, and then click New RADIUS Client.

3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.

4. In New RADIUS Client, in Friendly name, type a display name for the NAS. In Address

(IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you

enter the FQDN, click Verify if you want to verify that the name is correct and maps to a

valid IP address.

5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not

sure of the NAS manufacturer name, select RADIUS standard.

6. In New RADIUS Client, in Shared secret, do one of the following:

Ensure that Manual is selected, and then in Shared secret, type the strong


password that is also entered on the NAS. Retype the shared secret in Confirm

shared secret.

Select Generate, and then click Generate to automatically generate a shared secret.

Save the generated shared secret for configuration on the NAS so that it can

communicate with the NPS server.

7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute. The Message-Authenticator attribute is an HMAC-MD5 over the Access-Request, keyed with the shared secret; requiring it lets NPS reject Access-Request messages that were forged or altered by someone who does not know the secret. EAP and PEAP requests already carry the attribute because RFC 3579 requires it, so this setting only changes what happens to PAP, CHAP, and MS-CHAP requests. Do not select it for a NAS that cannot send the attribute, because NPS silently discards every Access-Request from that client that lacks it.

8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access

Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.

9. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.
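As an added example (not code from the guide), the following PowerShell script registers a NAS as a RADIUS client from the command line, using the netsh nps add client command that ships with NPS on Windows Server 2008, and generates the shared secret from a cryptographic random source instead of a typed password. The client name and address are assumptions; run it elevated on the NPS server. (On Windows Server 2012 and later the NPS module's New-NpsRadiusClient cmdlet does the same job.)

```powershell
# Added example, not part of the NPS Operations Guide: register a NAS as a RADIUS
# client from the command line with a freshly generated shared secret. Uses the
# 'netsh nps add client' command included with NPS on Windows Server 2008.
# The NAS name and address below are assumptions. Run elevated on the NPS server.

function New-RadiusSharedSecret {
    # Random secret from a CSPRNG. 32 symbols from a 64-symbol alphabet is 192 bits of
    # entropy; check the NAS's maximum shared-secret length before raising $Length.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # 64 divides 256 evenly, so the modulo introduces no bias into the selection.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Add-NpsRadiusClient {
    param(
        [string]$Name,
        [string]$Address,                       # IP address or FQDN of the NAS
        [string]$SharedSecret,
        [switch]$RequireMessageAuthenticator,   # non-EAP methods only; see step 7
        [switch]$NapCapable,
        [string]$VendorName = 'RADIUS Standard'
    )
    if (-not $Name -or -not $Address -or -not $SharedSecret) { throw 'Name, Address and SharedSecret are required' }
    $reqAuth = if ($RequireMessageAuthenticator) { 'yes' } else { 'no' }
    $nap     = if ($NapCapable) { 'yes' } else { 'no' }
    $out = & netsh nps add client name="$Name" address="$Address" state="enable" `
        sharedsecret="$SharedSecret" requireauthattrib="$reqAuth" napcompatible="$nap" `
        vendorname="$VendorName" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed: $out" }
    # Read the configuration back so the caller can see the client was stored.
    & netsh nps show client
}

$secret = New-RadiusSharedSecret
Add-NpsRadiusClient -Name 'AP-Bldg1-Floor2' -Address '10.10.1.21' -SharedSecret $secret -RequireMessageAuthenticator
# The secret exists only here and in the NPS configuration; enter it on the access
# point now, and do not log or e-mail it.
"Shared secret for AP-Bldg1-Floor2: $secret"
```

Leave -RequireMessageAuthenticator off for a NAS that only does EAP/PEAP or that cannot send the attribute; with it on, NPS drops every Access-Request from that client that arrives without a Message-Authenticator.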

Set up RADIUS Clients by IP Address Range

Use this procedure to configure two or more network access servers as RADIUS clients in NPS

by using an IP address range. If you are running Windows Server 2008 Enterprise or Windows

Server 2008 Datacenter, you can configure RADIUS clients in NPS by IP address range. This

allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS

console at one time, rather than adding each RADIUS client individually.

You cannot configure RADIUS clients by IP address range if you are running NPS on Windows

Server 2008 Standard.

Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are

all configured with IP addresses from the same IP address range.

All of the RADIUS clients in the range must use the same configuration and shared secret. Because any host with an address in the range can present that one secret, keep the range as narrow as your address plan allows, and treat the compromise of any NAS in the range as a compromise of the secret for all of them.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To set up RADIUS clients by IP address range

1. On the NPS server, click Start, click Administrative Tools, and then click Network

Policy Server. The NPS console opens.

2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS

Clients, and then click New RADIUS Client.

3. In New RADIUS Client, in Friendly name, type a display name for the collection of NASs.

4. In New RADIUS Client, in Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if all of the NASs have addresses in the 10.10.0.0/16 range, type 10.10.0.0/16. Make the range no wider than the addresses the NASs actually use: NPS accepts RADIUS messages authenticated with the shared secret from any address in the range, so a wide range extends that trust to every host in it.

5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not

sure of the NAS manufacturer name, or if you have NASs from multiple vendors, select

RADIUS Standard.

6. In New RADIUS Client, in Shared secret, do one of the following:

Ensure that Manual is selected, and then in Shared secret, type the strong

password that is also configured on all of the NASs. Retype the shared secret in

Confirm shared secret.

Select Generate, and then click Generate to automatically generate a shared secret.

Save the generated shared secret for configuration on the NASs so that they can

communicate with the NPS server.

7. In New RADIUS Client, in Additional Options, if you are using any authentication

methods other than EAP and PEAP, and if all of your NASs support use of the message

authenticator attribute, select Access Request messages must contain the Message

Authenticator attribute.

8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access

Protection (NAP) and all of your NASs support NAP, select RADIUS client is NAP-

capable.

9. Click OK. Your NASs appear in the list of RADIUS clients configured on the NPS server.

Managing Network Policies

This section provides information about how to manage NPS network policies.

After NPS authenticates users or computers connecting to your network, it performs authorization

to determine whether to grant the user or computer permission to connect.

Authorization is performed when NPS checks the dial-in properties of user accounts in Active

Directory and when NPS evaluates the connection request against the network policies

configured in the NPS console.

In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account

properties, the Network Access Permission setting is used by NPS to make authorization

decisions, as follows:

If the value of Network Access Permission is Deny access, the user is always denied

access to the network by NPS, regardless of any settings in network policy.

If the value of Network Access Permission is Allow access, the user is allowed network

access unless there is a network policy that explicitly denies access to the user.

If the value of Network Access Permission is Control access through NPS Network

Policy, NPS makes authorization decisions based solely on network policy settings.


Note

For ease of administration of network access, it is recommended that the Network

Access Permission setting is always set to Control access through NPS Network

Policy. By default, if your forest functional level is Windows Server 2008, when you

create a user account, the value of Network Access Permission is set to Control

access through NPS Network Policy.

You can also specify connection settings in an NPS network policy that are applied after the

connection is authenticated and authorized. For example, you can define IP filters for the

connection that specify the network resources to which the user has permission to connect.

An ordered list of rules

When you configure multiple network policies in NPS, the policies are an ordered list of rules.

NPS evaluates the policies in listed order from first to last. If there is a network policy that

matches the connection request, NPS uses the policy to determine whether to grant or deny

access to the user or computer connection.

When you order the network policies in the NPS console, ensure that rules created in one policy

do not unintentionally counteract the rules in a different policy.

For example, a member of the Domain Users group might also be a member of the Wireless

Users group that is created (by you or by another administrator) in Active Directory. Perhaps your

organization has limited wireless resources, so members of the Domain Users group are denied

access when connecting through wireless access points; however, members of the Wireless

Users group are granted access when connecting by wireless. If the network policy that denies

wireless access to Domain Users is evaluated before the Wireless Users policy is evaluated, NPS

denies access to members of the Wireless Users group when they attempt to connect by wireless

— even though your intention is to grant them access.

The solution to this problem is to move the Wireless Users network policy higher in the list of

policies in the NPS console so that it is evaluated before the Domain Users policy is evaluated. In

this circumstance, when a member of the Wireless Users group attempts to connect, NPS

evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives

a wireless connection attempt from a member of the Domain Users group that is not also a

member of the Wireless Users group, the connection attempt does not match the Wireless Users

policy, so that policy is not evaluated by NPS. Instead, NPS moves down to the Domain Users

wireless policy, and then denies the connection to the member of the Domain Users group.

The following objectives are part of managing NPS network policies:

Configure NPS for VLANs

Configure the EAP Payload Size

Configure NPS to Ignore User Account Dial-in Properties


Configure NPS for VLANs

By using VLAN-aware network access servers and NPS in Windows Server 2008, you can

provide groups of users with access only to the network resources that are appropriate for their

security permissions. For example, you can provide visitors with wireless access to the Internet

without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical

locations or on different physical subnets. For example, members of your sales department and

their network resources, such as client computers, servers, and printers, might be located in

several different buildings at your organization, but you can place all of these resources on one

VLAN using the same IP address range. The VLAN then functions, from the end-user

perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of

users. After you have determined how you want to define your groups, you can create security

groups in the Active Directory Users and Computers snap-in, and then add members to the

groups.

Use the following procedure to configure a network policy using VLANs:

Configure a Network Policy for VLANs

Configure a Network Policy for VLANs

Use this procedure to configure a network policy that assigns users to a VLAN. When you use

VLAN-aware network hardware, such as routers, switches, and access controllers, you can

configure network policy to instruct the access servers to place members of specific Active

Directory groups on specific VLANs. This ability to group network resources logically with VLANs

provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type, and, only if your network access server requires it, the vendor-specific Tunnel-Tag attribute.

You can use the following procedure to create a network policy that assigns users to a VLAN.

This procedure is provided as a guideline; your network configuration might require different

settings than those provided below.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure a network policy for VLANs

1. On the NPS server, click Start, click Administrative Tools, and then click Network

Policy Server. The NPS console opens.

2. Double-click Policies, click Network Policies, and then in the details pane double-click


the policy that you want to configure.

3. In the policy Properties dialog box, click the Settings tab.

4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is

selected.

5. In the details pane, in Attributes, the Service-Type attribute is configured with a default

value of Framed. By default, for policies with access methods of VPN and dial-up, the

Framed-Protocol attribute is configured with a value of PPP. To specify additional

connection attributes required for VLANs, click Add. The Add Standard RADIUS

Attribute dialog box opens.

6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following

attributes:

a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you

have made for the policy. For example, if the network policy you are configuring is a

wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical

format).

b. Tunnel-Pvt-Group-ID. Enter the VLAN number to which group members will be assigned, for example 100. NPS sends this attribute as a string, not as a binary integer, so it must match the VLAN identifier (or, on NASs that accept one, the VLAN name) exactly as the NAS expects it.

c. Tunnel-Type. Select Virtual LANs (VLAN).

7. In Add Standard RADIUS Attribute, click Close.

8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the

following steps to add the Tunnel-Tag attribute to the network policy. If your NAS

documentation does not mention this attribute, do not add it to the policy. Add the

attributes as follows:

a. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.

b. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

c. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The

Attribute Information dialog box opens.

d. In Attribute value, type the value that you obtained from your hardware

documentation.
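The following PowerShell script is an added example, not part of the guide. It builds the three RFC 2868 tunnel attributes that the policy configured above causes NPS to place in an Access-Accept, once untagged and once with a tag value, and decodes them again, so that you can recognise the assignment in a packet capture and see what the NPS Tunnel-Tag setting (the tag octet carried by each tunnel attribute) changes on the wire. The VLAN number 100 and tag value 1 are assumptions; nothing is sent to a NAS.

```powershell
# Added example, not part of the NPS Operations Guide: build and decode the RFC 2868
# tunnel attributes that the policy above makes NPS send in an Access-Accept, so you
# can recognise them in a packet capture and see what the optional Tunnel-Tag changes
# on the wire. VLAN number and tag are assumptions; nothing is sent to a NAS.

$TunnelType       = 64   # RFC 2868 Tunnel-Type; value 13 = VLAN
$TunnelMediumType = 65   # RFC 2868 Tunnel-Medium-Type; value 6 = IEEE-802
$TunnelPvtGroupId = 81   # RFC 2868 Tunnel-Private-Group-ID; the VLAN as a string

function New-TaggedIntegerAttribute {
    # Tunnel-Type / Tunnel-Medium-Type: Type, Length = 6, Tag, 3-byte big-endian value.
    param([byte]$Type, [byte]$Tag, [int]$Value)
    if ($Tag -gt 0x1F) { throw 'Tag must be 0x00 (untagged) or 0x01..0x1F' }
    [byte[]]@($Type, 6, $Tag, (($Value -shr 16) -band 0xFF), (($Value -shr 8) -band 0xFF), ($Value -band 0xFF))
}

function New-TaggedStringAttribute {
    # Tunnel-Private-Group-ID: Type, Length, Tag, String. The VLAN number travels as
    # ASCII text ("100"), not as a binary integer.
    param([byte]$Type, [byte]$Tag, [string]$Value)
    if ($Tag -gt 0x1F) { throw 'Tag must be 0x00 (untagged) or 0x01..0x1F' }
    $s = [System.Text.Encoding]::ASCII.GetBytes($Value)
    [byte[]](@($Type, (3 + $s.Length), $Tag) + $s)
}

function New-VlanAssignment {
    # The three attributes the procedure adds, for one VLAN. Tag 0 means untagged (the
    # usual case); a NAS that needs Tunnel-Tag expects the same non-zero tag on all three.
    param([int]$VlanId, [byte]$Tag = 0)
    [byte[]]((New-TaggedIntegerAttribute -Type $TunnelType       -Tag $Tag -Value 13) +
             (New-TaggedIntegerAttribute -Type $TunnelMediumType -Tag $Tag -Value 6)  +
             (New-TaggedStringAttribute  -Type $TunnelPvtGroupId -Tag $Tag -Value "$VlanId"))
}

function ConvertFrom-RadiusAttributes {
    # Walks a run of RADIUS attributes and prints the tunnel ones. Applies the RFC 2868
    # rule that a first octet above 0x1F in Tunnel-Private-Group-ID is data, not a tag.
    param([byte[]]$Bytes)
    $i = 0
    while ($i -lt $Bytes.Length) {
        $type = $Bytes[$i]; $len = [int]$Bytes[$i + 1]
        if ($len -lt 2 -or $i + $len -gt $Bytes.Length) { throw "Malformed attribute at offset $i" }
        $body = if ($len -gt 2) { $Bytes[($i + 2)..($i + $len - 1)] } else { @() }
        switch ($type) {
            64 { 'Tunnel-Type             tag={0} value={1}' -f $body[0], ((([int]$body[1]) -shl 16) -bor (([int]$body[2]) -shl 8) -bor [int]$body[3]) }
            65 { 'Tunnel-Medium-Type      tag={0} value={1}' -f $body[0], ((([int]$body[1]) -shl 16) -bor (([int]$body[2]) -shl 8) -bor [int]$body[3]) }
            81 {
                if ($body[0] -le 0x1F) { $tag = [int]$body[0]; $str = if ($body.Length -gt 1) { $body[1..($body.Length - 1)] } else { @() } }
                else                   { $tag = 0;             $str = $body }
                'Tunnel-Private-Group-ID tag={0} value="{1}"' -f $tag, [System.Text.Encoding]::ASCII.GetString([byte[]]$str)
            }
            default { 'Attribute {0} (length {1})' -f $type, $len }
        }
        $i += $len
    }
}

# Untagged assignment to VLAN 100, then the same with Tunnel-Tag = 1 for a NAS that needs it.
$untagged = New-VlanAssignment -VlanId 100
$tagged   = New-VlanAssignment -VlanId 100 -Tag 1
'Untagged: ' + (($untagged | ForEach-Object { $_.ToString('X2') }) -join ' ')
ConvertFrom-RadiusAttributes -Bytes $untagged
'Tag 1:    ' + (($tagged | ForEach-Object { $_.ToString('X2') }) -join ' ')
ConvertFrom-RadiusAttributes -Bytes $tagged
```

The untagged form encodes as 40 06 00 00 00 0D, 41 06 00 00 00 06 and 51 06 00 31 30 30: the VLAN number is the ASCII text "100" after a zero tag octet, which is why a NAS that compares the group ID as a string must be given exactly the identifier it expects. With Tunnel-Tag set, only the third octet of each attribute changes.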

Configure the EAP Payload Size

In some cases, routers or firewalls drop packets because they are configured to discard packets

that require fragmentation.

When you deploy NPS with network policies that use the Extensible Authentication Protocol

(EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default

maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes.


This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS server and a RADIUS client. EAP-TLS is the usual trigger: the server certificate chain sent in the TLS handshake is several kilobytes, so it is split into EAP fragments, and a 1500-byte EAP fragment plus the RADIUS, UDP, and IP headers exceeds a 1500-byte path MTU. If a router or firewall positioned between the RADIUS client and the NPS server silently discards some of the resulting IP fragments, the handshake never completes, resulting in authentication failure and the inability of the access client to connect to the network.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:

Configure the Framed-MTU Attribute

Configure the Framed-MTU Attribute

Use this procedure to lower the maximum EAP payload size by using the Framed-MTU attribute

in an NPS network policy. You can lower the EAP payload size by configuring the Framed-MTU

attribute in network policy settings properties in the NPS console.

Perform this procedure if you have routers or firewalls that are not capable of performing

fragmentation. The recommended Framed-MTU value in this circumstance is 1344 bytes or less.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the Framed-MTU attribute

1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS

console opens.

2. Double-click Policies, click Network Policies, and then in the details pane double-click

the policy that you want to configure.

3. In the policy Properties dialog box, click the Settings tab.

4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The

Add Standard RADIUS Attribute dialog box opens.

5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute

Information dialog box opens.

6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and

then click OK.


Configure NPS to Ignore User Account Dial-in Properties

Use this procedure to configure an NPS network policy to ignore the dial-in properties of user

accounts in Active Directory during the authorization process. User accounts in Active Directory

Users and Computers have dial-in properties that NPS evaluates during the authorization process

unless the Network Access Permission property of the user account is set to Control access

through NPS Network Policy.

There are two circumstances where you might want to configure NPS to ignore the dial-in

properties of user accounts in Active Directory:

When you want to simplify NPS authorization by using network policy but not all of your user

accounts have the Network Access Permission property set to Control access through

NPS Network Policy. For example, some user accounts might have the Network Access

Permission property of the user account set to Deny access or Allow access.

When other dial-in properties of user accounts are not applicable to the connection type

configured in the network policy. For example, properties other than the Network Access

Permission setting are applicable only to dial-in or VPN connections, but the network policy

you are creating is for wireless or authenticating switch connections.

You can use this procedure to configure NPS to ignore user account dial-in properties. If a connection request matches the network policy where this check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization. This includes the Network Access Permission property: an account that is set to Deny access is no longer blocked by that setting when its connection request matches such a policy, so any per-user denial you rely on must be expressed in the network policy itself, for example through a group membership condition.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure NPS to ignore user account dial-in properties

1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS

console opens.

2. Double-click Policies, click Network Policies, and then in the details pane double-click

the policy that you want to configure.

3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select

the Ignore user account dial-in properties check box, and then click OK.
