Microsoft ® Official Course Module 8 Installing, Configuring, and Troubleshooting the Network Policy Server Role


Page 1: Microsoft ® Official Course Module 8 Installing, Configuring, and Troubleshooting the Network Policy Server Role

Microsoft® Official Course

Module 8

Installing, Configuring, and Troubleshooting the Network Policy Server Role

Page 2

Module Overview

Installing and Configuring a Network Policy Server

Configuring RADIUS Clients and Servers

NPS Authentication Methods

Monitoring and Troubleshooting a Network Policy Server

Page 3

Lesson 1: Installing and Configuring a Network Policy Server

What Is a Network Policy Server?

Demonstration: Installing the Network Policy Server Role

Tools for Configuring a Network Policy Server

Demonstration: Configuring General NPS Settings

Page 4

What Is a Network Policy Server?

• A Windows Server 2012 Network Policy Server provides the following functions:
  • RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, dial-up, and VPN connections
  • RADIUS proxy. You configure connection request policies that indicate which connection requests the NPS server forwards to other RADIUS servers, and to which RADIUS servers you want to forward them
  • NAP policy server. NPS evaluates statements of health (SoHs) sent by NAP-capable client computers that attempt to connect to the network

Page 5

Demonstration: Installing the Network Policy Server Role

In this demonstration, you will see how to:
• Install the NPS role
• Register NPS in AD DS

Page 6

Tools for Configuring a Network Policy Server

• Tools used to manage NPS include:
  • NPS management console snap-in
  • Netsh command-line tool:
    • NPS server commands
    • RADIUS client commands
    • Connection request policy commands
    • Remote RADIUS server group commands
    • Network policy commands
    • Network Access Protection commands
    • Accounting commands
  • Windows PowerShell

Page 7

Demonstration: Configuring General NPS Settings

In this demonstration, you will see how to:
• Configure a RADIUS server for VPN connections
• Save the configuration
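The steps of the two demonstrations above (install the role, register NPS in AD DS, save the configuration) as one script, added here as an example; it is not course material. Assumptions: it runs in an elevated PowerShell session on a domain-joined server, and the export path is a placeholder.

```powershell
# Added example (not from the course): install NPS, register it in AD DS,
# and save the configuration. Placeholder: the export path below.
$ErrorActionPreference = 'Stop'

# 1. Install the Network Policy Server role service together with the
#    NPS management console.
$result = Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
if (-not $result.Success) { throw 'NPS role installation failed' }

# 2. Register NPS in AD DS. This adds the computer account to the
#    "RAS and IAS Servers" group so NPS can read the dial-in properties of
#    user accounts. Without domain/server arguments, netsh registers the
#    local server in its own domain.
netsh nps add registeredserver | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'netsh nps add registeredserver failed' }

# Verify the registration through the group membership rather than
# trusting the "Ok." that netsh prints.
Import-Module ActiveDirectory
$member = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
    Where-Object { $_.name -eq $env:COMPUTERNAME }
if (-not $member) { throw "$env:COMPUTERNAME is not in 'RAS and IAS Servers'" }

# 3. Save the configuration. The exported XML contains every RADIUS shared
#    secret in clear text, so write it to a protected folder and restrict
#    the ACL to administrators before it is copied anywhere.
$exportPath = 'C:\NPSBackup\nps-config.xml'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
Export-NpsConfiguration -Path $exportPath

$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $exportPath -AclObject $acl
```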

Page 8

Lesson 2: Configuring RADIUS Clients and Servers

What Is a RADIUS Client?

What Is a RADIUS Proxy?

Demonstration: Configuring a RADIUS Client

What Is a Connection Request Policy?

Configuring Connection-Request Processing

Demonstration: Creating a Connection Request Policy

Page 9

What Is a RADIUS Client?

• RADIUS clients are network access servers, such as:
  • Wireless access points
  • 802.1X authenticating switches
  • VPN servers
  • Dial-up servers

• RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting

NPS is a RADIUS server

Page 10

What Is a RADIUS Proxy?

• A RADIUS proxy receives connection attempts from RADIUS clients, and then forwards them to the appropriate RADIUS server or to another RADIUS proxy for further routing
• A RADIUS proxy is required for:
  • Offering outsourced dial-up, VPN, or wireless network-access services by service providers
  • Providing authentication and authorization for user accounts that are not Active Directory members
  • Performing authentication and authorization by using a database that is not a Windows account database
  • Load-balancing connection requests among multiple RADIUS servers
  • Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

Page 11

Demonstration: Configuring a RADIUS Client

• In this demonstration, you will see how to configure a RADIUS client

Page 12

What Is a Connection Request Policy?

• Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients

• Connection request policies include:
  • Conditions, such as:
    • Framed Protocol
    • Service Type
    • Tunnel Type
    • Day and Time restrictions
  • Settings, such as:
    • Authentication
    • Accounting
    • Attribute Manipulation
    • Advanced settings

Page 13

Configuring Connection-Request Processing

Configuration and description:

Local vs. RADIUS authentication
  • Local authentication takes place against the local security account database or Active Directory. The connection policies exist on that server.
  • RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database. RADIUS maintains a central store of all the connection policies.

RADIUS server groups
  Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, connection requests are load-balanced according to the criteria specified when the RADIUS server group was created.

Default ports for accounting and authentication by using RADIUS
  Connection requests forwarded to a RADIUS server use UDP: authentication on port 1812 (or the legacy port 1645) and accounting on port 1813 (or the legacy port 1646).
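The RADIUS client demonstration and the port table above, combined into one added example (not course material): register a RADIUS client on NPS with a randomly generated shared secret, then admit the authentication and accounting ports only from that client's address. The client name and address are placeholders.

```powershell
# Added example (not from the course): add a RADIUS client and scope the
# firewall to it. Placeholders: the client name and address.
$ErrorActionPreference = 'Stop'
$clientName    = 'LON-RTR'       # placeholder friendly name
$clientAddress = '172.16.0.10'   # placeholder address of the VPN server (RADIUS client)

# Use a long random shared secret rather than a memorable password; the
# same value has to be entered on the RADIUS client, so store it securely.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

# Add the client to the NPS configuration (NPS PowerShell module).
New-NpsRadiusClient -Name $clientName -Address $clientAddress -SharedSecret $sharedSecret

# Authentication: UDP 1812 (legacy 1645). Accounting: UDP 1813 (legacy 1646).
# Allow them inbound only from the registered client, not from any address.
$ports = @{
    'NPS RADIUS Authentication' = @(1812, 1645)
    'NPS RADIUS Accounting'     = @(1813, 1646)
}
foreach ($name in $ports.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
        -LocalPort $ports[$name] -RemoteAddress $clientAddress -Action Allow | Out-Null
}

# Confirm the client exists and that the rules carry the intended scope.
Get-NpsRadiusClient | Where-Object Name -eq $clientName | Format-List Name, Address, Enabled
Get-NetFirewallRule -DisplayName 'NPS RADIUS*' |
    Get-NetFirewallAddressFilter | Format-Table RemoteAddress -AutoSize
```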

Page 14

Demonstration: Creating a Connection Request Policy

• In this demonstration, you will see how to create a VPN connection request policy

Page 15

Lesson 3: NPS Authentication Methods

Password-Based Authentication Methods

Using Certificates for Authentication

Required Certificates for Authentication

Deploying Certificates for PEAP and EAP

Page 16

Password-Based Authentication Methods

• Authentication methods for an NPS server, from the most secure to the least:
  1. MS-CHAPv2
  2. MS-CHAP
  3. CHAP
  4. PAP
  5. Unauthenticated access

Page 17

Using Certificates for Authentication

• With NPS, you use certificates for network access authentication because they:
  • Provide stronger security
  • Eliminate the need for less secure, password-based authentication

Page 18

Required Certificates for Authentication

You require the following certificates to deploy certificate-based authentication in NPS:

• CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User
• Client computer certificate in the certificate store of the client
• Server certificate in the certificate store of the NPS server
• User certificate on a smart card

Page 19

Deploying Certificates for PEAP and EAP

• For domain computer and user accounts, use the autoenrollment feature in Group Policy
• Nondomain member enrollment requires an administrator to request a user or computer certificate by using the CA Web Enrollment tool
• The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
• The administrator can distribute user certificates on a smart card

Page 20

Lesson 4: Monitoring and Troubleshooting a Network Policy Server

Methods Used to Monitor NPS

Logging NPS Accounting

Configuring SQL Server Logging

Configuring NPS Events to Record in the Event Viewer

Page 21

Methods Used to Monitor NPS

• NPS monitoring methods include:
  • Event logging
    • This method is the process of logging NPS events in the System Event log
    • This method is useful for auditing and troubleshooting connection attempts
  • Logging user authentication and accounting requests
    • This method is useful for connection analysis and billing purposes
    • This method can use a text format
    • This method can use a database format within a SQL Server instance

Page 22

Logging NPS Accounting

• Use the NPS console to configure logging:

1. On the Administrative Tools menu, open NPS

2. In the console tree, click Accounting

3. In the details pane, click Change Log File Properties

• Log files should be stored on a separate partition from the system partition

Page 23

Configuring SQL Server Logging

You can use SQL Server to log RADIUS accounting data:
• The SQL Server database must have a stored procedure named report_event
• NPS formats accounting data as an XML document
• The SQL Server database can be on the local computer or on a remote server

Page 24

Configuring NPS Events to Record in the Event Viewer

• How do I configure NPS events to be recorded in Event Viewer?
  • NPS is configured by default to record failed connections and successful connections in the event log
  • You can change this behavior on the General tab of the Properties sheet for the network policy
• Common request failure events consist of requests that NPS rejects or discards; both failure and success events are recorded
• What is Schannel logging, and how do I configure it?
  • Schannel is a security support provider that supports a set of Internet security protocols
  • You can configure Schannel logging in the following Registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
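The two questions on this slide worked through as an added example (not course material): enable Schannel event logging at the Registry key named above, then summarize the rejected and discarded NPS requests from the event log. Assumptions: NPS audit events are read from the Security log by their event IDs, and the event-data field names are taken from the event XML; both are labelled in the comments.

```powershell
# Added example (not from the course): Schannel logging and NPS event triage.
$ErrorActionPreference = 'Stop'

# EventLogging is a DWORD bit mask: 1 = errors, 2 = warnings,
# 4 = informational and success events, 7 = everything. Use 7 only while
# troubleshooting a PEAP/EAP-TLS handshake; success events are noisy, so
# return to 1 afterwards. A restart is the documented way to apply it.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannelKey -Name EventLogging -Value 7 -Type DWord
$level = (Get-ItemProperty -Path $schannelKey -Name EventLogging).EventLogging
if ($level -ne 7) { throw "EventLogging is $level, expected 7" }

# NPS connection events only appear when the "Network Policy Server" audit
# subcategory is on; print its current state as a sanity check.
auditpol /get /subcategory:"Network Policy Server"

# Assumption: NPS audit events in the Security log use these IDs:
#   6272 = access granted, 6273 = access denied, 6274 = request discarded.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273, 6274
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten the EventData fields (names as they appear in the event XML,
# e.g. SubjectUserName, ClientIPAddress, ReasonCode) and group by RADIUS
# client and reason: a single client producing many rejects usually means a
# wrong shared secret or a policy mismatch rather than many bad users.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        User   = $data['SubjectUserName']
        Client = $data['ClientIPAddress']
        Reason = $data['ReasonCode']
    }
} | Group-Object Client, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```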

Page 25

Lab: Installing and Configuring a Network Policy Server

Exercise 1: Installing and Configuring NPS to Support RADIUS

Exercise 2: Configuring and Testing a RADIUS Client

Logon Information

Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2

User name: Adatum\Administrator

Password: Pa$$w0rd

Estimated Time: 60 minutes

Page 26

Lab Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center is located in London, to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

 A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN servers that are located at different points to provide connectivity for its employees. You are responsible for performing the tasks necessary to support these VPN connections.

Page 27

Lab Review

What does a RADIUS proxy provide?

What is a RADIUS client, and what are some examples of RADIUS clients?

Page 28

Module Review and Takeaways

Review Questions

Tools