Microsoft® Official Course
Module 8
Installing, Configuring, and Troubleshooting the Network Policy Server Role
Module Overview
Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server
Lesson 1: Installing and Configuring a Network Policy Server
What Is a Network Policy Server?
Demonstration: Installing the Network Policy Server Role
Tools for Configuring a Network Policy Server
Demonstration: Configuring General NPS Settings
What Is a Network Policy Server?
• A Windows Server 2012 Network Policy Server provides the following functions:
  • RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating-switch, dial-up, and VPN connections
  • RADIUS proxy. You configure connection request policies that indicate which connection requests the NPS server forwards to other RADIUS servers, and to which RADIUS servers it forwards them
  • NAP policy server. NPS evaluates statements of health (SoHs) sent by NAP-capable client computers that attempt to connect to the network
Demonstration: Installing the Network Policy Server Role
In this demonstration, you will see how to:
• Install the NPS role
• Register NPS in AD DS
Tools for Configuring a Network Policy Server
• Tools used to manage NPS include:
  • NPS management console snap-in
  • Netsh command-line tool (netsh nps context):
    • NPS server commands
    • RADIUS client commands
    • Connection request policy commands
    • Remote RADIUS server group commands
    • Network policy commands
    • Network Access Protection commands
    • Accounting commands
  • Windows PowerShell (NPS module)
Demonstration: Configuring General NPS Settings
In this demonstration, you will see how to:
• Configure a RADIUS server for VPN connections
• Save the configuration
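The two demonstrations above (installing and registering NPS, then saving its configuration) can be scripted. The following is an added example written for this page, not part of the course materials; the backup path is an assumption, and the AD DS check assumes the ActiveDirectory RSAT module is present. The security point it adds is that an NPS export contains every RADIUS shared secret in clear text, so the file has to be protected like a credential store.

```powershell
# Added example (not from the course materials): install the NPS role, register the
# server in AD DS, and save the configuration. Run in an elevated PowerShell session
# on the server that will host NPS.

# 1. Install the Network Policy Server role service with its management tools.
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

# 2. Register NPS in AD DS. This adds the computer account to the "RAS and IAS Servers"
#    group so the server can read users' dial-in properties. Equivalent to
#    "Register server in Active Directory" in the NPS console.
netsh nps add registeredserver

# Verify the registration took effect (the group membership is what matters).
# Requires the ActiveDirectory module (RSAT); assumption for this example.
if ((Get-ADGroupMember -Identity 'RAS and IAS Servers').Name -contains $env:COMPUTERNAME) {
    Write-Host 'NPS is registered in AD DS'
} else {
    Write-Warning 'NPS is NOT a member of RAS and IAS Servers; user dial-in lookups will fail'
}

# 3. Save the configuration. The export is an XML file that contains every RADIUS
#    client shared secret unencrypted, so write it to a restricted location.
$exportPath = 'C:\NpsBackup\nps-config.xml'      # assumed path for this example
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
Export-NpsConfiguration -Path $exportPath

# Restrict the backup to Administrators and SYSTEM only (no inherited ACEs).
$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exportPath -AclObject $acl

# The same file restores this server or clones the configuration to a second NPS:
#   Import-NpsConfiguration -Path $exportPath
```

Import-NpsConfiguration replaces the whole configuration on the target, including RADIUS clients and their secrets, which is why the export file needs the same handling as the live server.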
Lesson 2: Configuring RADIUS Clients and Servers
What Is a RADIUS Client?
What Is a RADIUS Proxy?
Demonstration: Configuring a RADIUS Client
What Is a Connection Request Policy?
Configuring Connection-Request Processing
Demonstration: Creating a Connection Request Policy
What Is a RADIUS Client?
• RADIUS clients are network access servers, such as:
  • Wireless access points
  • 802.1X authenticating switches
  • VPN servers
  • Dial-up servers
• RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting
NPS is a RADIUS server
What Is a RADIUS Proxy?
• A RADIUS proxy receives connection attempts from RADIUS clients, and then forwards them to the appropriate RADIUS server or to another RADIUS proxy for further routing
• A RADIUS proxy is required for:
  • Offering outsourced dial-up, VPN, or wireless network-access services by service providers
  • Providing authentication and authorization for user accounts that are not Active Directory members
  • Performing authentication and authorization by using a database that is not a Windows account database
  • Load-balancing connection requests among multiple RADIUS servers
  • Providing RADIUS for outsourced service providers and limiting traffic types through the firewall
Demonstration: Configuring a RADIUS Client
• In this demonstration, you will see how to configure a RADIUS client
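The demonstration above configures a RADIUS client in the console. The following added example (written for this page, not part of the course materials) does the same with the NPS PowerShell module and shows the two settings that matter for security: a shared secret generated from a CSPRNG rather than typed, and the Message-Authenticator attribute made mandatory. The client name LON-RTR and its address are assumptions for illustration.

```powershell
# Added example (not from the course materials): add a RADIUS client to NPS with a
# generated shared secret. Run elevated on the NPS server.

function New-RadiusSharedSecret {
    # 32 random bytes from the OS CSPRNG, base64-encoded without padding (43 chars).
    # The secret keys the RADIUS Response Authenticator (MD5) and obfuscates
    # User-Password, so a short or dictionary secret weakens both.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return ([Convert]::ToBase64String($buf)).TrimEnd('=')
}

$secret = New-RadiusSharedSecret

# One RADIUS client entry per NAS, identified by IP address rather than DNS name,
# so a spoofed name resolution cannot redirect the secret to another host.
$client = @{
    Name                  = 'LON-RTR'       # assumed NAS name
    Address               = '172.16.0.2'    # assumed NAS address
    SharedSecret          = $secret
    AuthAttributeRequired = $true           # require Message-Authenticator (RFC 2869) on every request
    NapCompatible         = $false
}
New-NpsRadiusClient @client

# Confirm NPS recorded the client. The secret is never displayed by the cmdlet.
Get-NpsRadiusClient -Name 'LON-RTR' |
    Format-List Name, Address, Enabled, AuthAttributeRequired, NapCompatible

# Deliver $secret to the NAS administrator out of band (not by e-mail or ticket),
# then clear it from the session.
Remove-Variable secret
```

Requiring Message-Authenticator means a forged Access-Request from a host that knows the NAS address but not the secret is discarded rather than processed; the NAS must be configured to send the attribute, which all EAP-capable 802.1X devices do.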
What Is a Connection Request Policy?
• Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients
• Connection request policies include:
  • Conditions, such as:
    • Framed Protocol
    • Service Type
    • Tunnel Type
    • Day and Time restrictions
  • Settings, such as:
    • Authentication
    • Accounting
    • Attribute Manipulation
    • Advanced settings
Configuring Connection-Request Processing
Configuration: Local vs. RADIUS authentication
• Local authentication: this NPS server authenticates the request itself against AD DS or its local security account database, and applies the network policies that exist on that server
• RADIUS authentication: this NPS server acts as a proxy and forwards the request to a remote RADIUS server group; the remote RADIUS server authenticates against its own security database and applies its own network policies, so policy is kept in one central place
Configuration: RADIUS server groups
• Used where one or more RADIUS servers are capable of handling connection requests. If the group contains more than one server, requests are load-balanced according to the priority and weight specified when the group was created
Configuration: Default ports for authentication and accounting by using RADIUS
• Authentication requests: UDP 1812 (legacy port 1645)
• Accounting requests: UDP 1813 (legacy port 1646)
• These ports must be open from the RADIUS client (or proxy) to the RADIUS server; the legacy ports are needed only for older network access servers that cannot be reconfigured
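The remote RADIUS server group described in the table is where a proxy sends forwarded requests, and its members carry the port numbers above. The following added example (written for this page, not part of the course materials) creates a two-member group; the group name, server addresses and the secret placeholder are assumptions. The NPS module has no cmdlet for group members, so the member settings use the netsh nps context, which is the other tool this module lists.

```powershell
# Added example (not from the course materials): create a remote RADIUS server group
# and add two members with explicit authentication/accounting ports. Run elevated on
# the NPS server that acts as proxy.

$group  = 'Datacenter RADIUS'                    # assumed group name
$secret = 'REPLACE-WITH-GENERATED-SECRET'        # agree a distinct secret with each remote NPS admin

New-NpsRemoteRadiusServerGroup -Name $group

# Equal priority and weight = round-robin across both servers. Lower priority number
# wins; a priority-2 server is used only when all priority-1 servers are unavailable.
$members = @(
    @{ Address = '172.16.0.10'; Priority = 1; Weight = 50 },     # assumed
    @{ Address = '172.16.0.11'; Priority = 1; Weight = 50 }      # assumed
)

foreach ($m in $members) {
    netsh nps add remoteserver remotegroup = "$group" address = "$($m.Address)" `
        authsharedsecret = "$secret" acctsharedsecret = "$secret" `
        requireauthattrib = yes acctonoff = yes `
        priority = $($m.Priority) weight = $($m.Weight) `
        timeout = 3 maxdropped = 5 blackout = 30 `
        authport = 1812 acctport = 1813
}

# Show the resulting group (secrets are not printed).
netsh nps show remoteservergroup name = "$group"

# The remote servers' host firewalls must accept UDP 1812 and UDP 1813 from this
# proxy's address; nothing else needs to reach them from the RADIUS clients.
```

Setting requireauthattrib to yes on the member entries makes the proxy insist on Message-Authenticator in the remote server's replies, the mirror image of the same setting on a RADIUS client entry.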
Demonstration: Creating a Connection Request Policy
• In this demonstration, you will see how to create a VPN connection request policy
Lesson 3: NPS Authentication Methods
Password-Based Authentication Methods
Using Certificates for Authentication
Required Certificates for Authentication
Deploying Certificates for PEAP and EAP
Password-Based Authentication Methods
• Password-based authentication methods for an NPS server, from most secure to least:
  • MS-CHAPv2
  • MS-CHAP
  • CHAP
  • PAP
  • Unauthenticated access
• Even MS-CHAPv2 is weak when sent in the clear; where a password-based method must be used, carry it inside a TLS-protected tunnel (PEAP-MS-CHAPv2) rather than as a bare method, and disable MS-CHAP, CHAP, and PAP in the network policy
Using Certificates for Authentication
• With NPS, you use certificates for network access authentication because they:
  • Provide for stronger security
  • Eliminate the need for less secure, password-based authentication
Required Certificates for Authentication
You require the following certificates to deploy certificate-based authentication in NPS:
• CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User
• Client computer certificate in the certificate store of the client
• Server certificate in the certificate store of the NPS server
• User certificate on a smart card
Deploying Certificates for PEAP and EAP
• For domain computer and user accounts, use the autoenrollment feature in Group Policy
• Nondomain member enrollment requires an administrator to request a user or computer certificate by using the CA Web Enrollment tool
• The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
• The administrator can distribute user certificates on a smart card
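Before a network policy is switched to PEAP or EAP-TLS, the certificates listed in the two slides above should be checked for the properties NPS and the clients actually test: a private key, the right Enhanced Key Usage, current validity, and a chain to a trusted root. The following added example (written for this page, not part of the course materials) performs those checks; the only assumption is the "Adatum" subject pattern used to pick the root certificate to export for nondomain clients.

```powershell
# Added example (not from the course materials): verify the server, client, and root
# certificates that PEAP / EAP-TLS depend on. Run on the NPS server for the server
# checks and on a client for the client checks.

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Test-EapCertificate {
    # Returns $true only if the certificate has a private key, carries the expected
    # EKU, is inside its validity period, and chains to a trusted root on this machine
    # with revocation checked online (an EAP peer will fail the handshake otherwise).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Eku
    )
    if (-not $Cert.HasPrivateKey) {
        Write-Warning "$($Cert.Subject): no private key"; return $false
    }
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $Eku) {
        Write-Warning "$($Cert.Subject): missing EKU $Eku"; return $false
    }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        Write-Warning "$($Cert.Subject): outside validity period"; return $false
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "$($Cert.Subject): $($s.StatusInformation.Trim())"
        }
        return $false
    }
    return $true
}

# Server certificate: Local Computer\Personal store on the NPS server.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-EapCertificate -Cert $_ -Eku $serverAuthEku }
if (-not $serverCerts) {
    Write-Warning 'No usable server certificate for PEAP/EAP-TLS on this server'
}
$serverCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Client computer certificate (EAP-TLS): Local Computer\Personal store on the client.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-EapCertificate -Cert $_ -Eku $clientAuthEku } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Root CA certificate: must sit in Trusted Root Certification Authorities on both
# sides. Export it (public part only) for manual import on a nondomain client.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Adatum*' } |          # assumed CA name pattern
    Select-Object -First 1
if ($root) {
    Export-Certificate -Cert $root -FilePath "$env:TEMP\adatum-root.cer" | Out-Null
    Write-Host "Root CA exported to $env:TEMP\adatum-root.cer"
}
```

The exported .cer carries no private key, so it can travel on removable media without special handling; the client's computer or user certificate, by contrast, contains the private key and should be moved as a password-protected PFX and deleted from the media afterwards.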
Lesson 4: Monitoring and Troubleshooting a Network Policy Server
Methods Used to Monitor NPS
Logging NPS Accounting
Configuring SQL Server Logging
Configuring NPS Events to Record in the Event Viewer
Methods Used to Monitor NPS
• NPS monitoring methods include:
  • Event logging
    • NPS records the result of each connection request in the Security log (Event ID 6272 access granted, 6273 access denied, 6274 request discarded); NPS service events, such as a message from an unknown RADIUS client, are recorded in the System log
    • This method is useful for auditing and troubleshooting connection attempts
  • Logging user authentication and accounting requests
    • This method is useful for connection analysis and billing purposes
    • The log can be in a text format (IAS or DTS-compliant XML)
    • The log can be in a database format within a SQL Server instance
Logging NPS Accounting
• Use the NPS console to configure logging:
1. On the Administrative Tools menu, open NPS
2. In the console tree, click Accounting
3. In the details pane, click Change Log File Properties
• Log files should be stored on a separate partition from the system partition
Configuring SQL Server Logging
You can use SQL Server to log RADIUS accounting data:
• The SQL Server database must have a stored procedure named report_event
• NPS formats accounting data as an XML document and passes it to that stored procedure
• The SQL Server database can be on the local computer or on a remote server
Configuring NPS Events to Record in the Event Viewer
• How do I configure NPS events to be recorded in Event Viewer?
  • NPS is configured by default to record both rejected and successful authentication requests in the event log
  • You can change this behavior on the General tab of the Properties sheet for the NPS server (right-click NPS (Local) in the console tree, then click Properties)
  • Common request failure events consist of requests that NPS rejects or discards; both failure and success events are recorded
• What is Schannel logging, and how do I configure it?
  • Schannel is a security support provider that implements the SSL/TLS protocols, which PEAP and EAP-TLS use for their protected tunnel
  • You configure Schannel logging with the EventLogging (REG_DWORD) value under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • The values are additive: 1 logs errors, 2 warnings, 4 informational and success events, and 7 logs everything. Raise the level only while troubleshooting and reset it afterwards, because the informational events are noisy
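The two questions above can be answered with a few lines of PowerShell, and the Security-log events they enable are the raw material for detection. The following added example (written for this page, not part of the course materials) enables the audit subcategory NPS writes to, sets Schannel logging, and then summarizes denied requests by reason code and network access server; it assumes nothing beyond a Windows Server 2012 NPS with the default logs.

```powershell
# Added example (not from the course materials): turn on the logging this lesson
# describes and summarize recent authentication failures. Run elevated on the NPS server.

# 1. NPS writes request results to the Security log only while the "Network Policy
#    Server" audit subcategory is enabled (it is on by default when NPS is installed).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 2. Schannel logging for PEAP / EAP-TLS handshake problems. EventLogging is a
#    REG_DWORD under the SCHANNEL key: 1 = errors, 2 = warnings, 4 = informational.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Value 3 -Type DWord   # errors + warnings

# 3. Denied requests (6273) over the last N hours, one object per event.
function Get-NpsDenial {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The event's named data fields are only reliably reachable via its XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $d['FullyQualifiedSubjectUserName']
            NAS        = $d['ClientIPAddress']
            Policy     = $d['NetworkPolicyName']
            ReasonCode = [int]$d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

$denials = Get-NpsDenial -Hours 24

# Failures grouped by reason and by the NAS that relayed them.
$denials | Group-Object ReasonCode, NAS | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Reason code 16 is a user name / password mismatch. Many of these for distinct
# users from one NAS in a short window is the signature of a password spray
# against the VPN or wireless network; flag it rather than treating it as noise.
$spray = $denials | Where-Object ReasonCode -eq 16 |
    Group-Object NAS | Where-Object { ($_.Group.User | Select-Object -Unique).Count -ge 20 }
foreach ($g in $spray) {
    Write-Warning ("Possible password spray via NAS {0}: {1} distinct users denied" -f
        $g.Name, ($g.Group.User | Select-Object -Unique).Count)
}
```

Requests from an address that is not a registered RADIUS client never reach the network policy stage and therefore never produce a 6273; they appear instead as an NPS event in the System log, which is why both logs belong in the collection set.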
Lab: Installing and Configuring a Network Policy Server
Exercise 1: Installing and Configuring NPS to Support RADIUS
Exercise 2: Configuring and Testing a RADIUS Client
Logon Information
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center is located in London, to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN servers that are located at different points to provide connectivity for its employees. You are responsible for performing the tasks necessary to support these VPN connections.
Lab Review
What does a RADIUS proxy provide?
What is a RADIUS client, and what are some examples of RADIUS clients?
Module Review and Takeaways
Review Questions
Tools