
www.technocorp.co.in

Module 6 Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Module Overview

Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server

Lesson 1: Installing and Configuring a Network Policy Server


What Is a Network Policy Server?
Demonstration: How to Install the Network Policy Server
Tools Used for Managing a Network Policy Server
Demonstration: How to Configure General NPS Settings

What Is a Network Policy Server?


Windows Server 2008 R2 Network Policy Server (NPS) can be deployed as a:

RADIUS server: authenticates, authorizes, and accounts for connection requests sent by RADIUS clients
RADIUS proxy: forwards connection requests to other RADIUS servers or proxies
NAP policy server: evaluates the health of NAP-capable clients and enforces health policies

Demonstration: How to Install the Network Policy Server

In this demonstration, you will see how to:

Install the NPS role
Register NPS in AD DS

Tools Used for Managing a Network Policy Server

Tools used to manage NPS include:

NPS MMC console
Netsh command line (the netsh nps context), which can configure all aspects of NPS, such as:

NPS Server Commands
RADIUS Client Commands
Connection Request Policy Commands
Remote RADIUS Server Group Commands
Network Policy Commands
Network Access Protection Commands
Accounting Commands

Demonstration: How to Configure General NPS Settings

In this demonstration, you will see how to:

Configure a RADIUS server for VPN connections
Save the configuration
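The install, registration, and save-configuration steps from the two demonstrations above, done from the command line instead of the NPS console. This is an added PowerShell example and not part of the course material; the backup directory and file name are assumptions, and everything else uses the ServerManager module and netsh nps commands shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the course): install the NPS role service on
# Windows Server 2008 R2, register it in AD DS, and save the configuration.
# Run from an elevated PowerShell prompt as a Domain Admin; the backup
# directory name is an assumption.

Import-Module ServerManager

# Install the Network Policy Server role service of the NPAS role.
$install = Add-WindowsFeature NPAS-Policy-Server
if (-not $install.Success) { throw "NPS role service installation failed" }

# Register NPS in AD DS. This adds the server's computer account to the
# "RAS and IAS Servers" group, which is what lets NPS read the dial-in
# properties of user accounts in the domain.
netsh nps add registeredserver
if ($LASTEXITCODE -ne 0) { throw "Registration in AD DS failed" }

# The NPS service still carries the old IAS service name.
Get-Service IAS

# Save the configuration as an XML backup. exportPSK = YES includes the
# RADIUS shared secrets in clear text, so protect the file like a password
# vault (NTFS ACL to administrators only, no stray copies).
$backupDir  = "$env:SystemDrive\NPSBackup"
$backupFile = Join-Path $backupDir ("nps-config-{0}.xml" -f (Get-Date -Format yyyyMMdd))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
netsh nps export filename = "$backupFile" exportPSK = YES

# Restoring onto a rebuilt or second NPS server is the reverse operation:
#   netsh nps import filename = "$backupFile"
```

The export is the same file the console produces with Action > Export Configuration, so it is also the quickest way to clone a working NPS onto a second server for redundancy.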

Lesson 2: Configuring RADIUS Clients and Servers


What Is a RADIUS Client?
What Is a RADIUS Proxy?
Demonstration: How to Configure a RADIUS Client
What Is a Connection Request Policy?
Configuring Connection Request Processing
Demonstration: How to Create a New Connection Request Policy

What Is a RADIUS Client?


NPS is a RADIUS server

RADIUS clients are network access servers (NASs), such as:

Wireless access points
802.1X authenticating switches
VPN servers
Dial-up servers

RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting. The end user's computer (the access client) is not a RADIUS client: it talks to the NAS, and only the NAS talks RADIUS to NPS, authenticated by the shared secret configured for that client.

What Is a RADIUS Proxy?


A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing

A RADIUS proxy is used for:

Service providers offering outsourced dial-up, VPN, or wireless network access services
Providing authentication and authorization for user accounts that are not Active Directory members
Performing authentication and authorization using a database that is not a Windows account database
Load-balancing connection requests among multiple RADIUS servers
Providing RADIUS for outsourced service providers while limiting the traffic types that must pass through the firewall

Demonstration: How to Configure a RADIUS Client


In this demonstration, you will see how to:
Configure a RADIUS client
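The same configuration as the demonstration, done with netsh nps. This is an added PowerShell example and not part of the course; the client name and address are assumptions for illustration, and the shared secret is generated rather than typed so that it is not a dictionary word.

```powershell
# Added example (not from the course): register a network access server as a
# RADIUS client of this NPS server with a randomly generated shared secret.
# The client name and address are assumptions for illustration.

$clientName = "WLC-HQ-01"
$clientAddr = "10.10.5.20"   # must equal the source IP of the NAS's RADIUS packets

# Generate a 32-character secret from the cryptographic RNG. The alphabet has
# exactly 64 symbols, so reducing each random byte modulo 64 introduces no bias.
$alphabet = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

# Add the client. The shared secret is all that protects the User-Password
# attribute and the integrity of RADIUS packets from this NAS, and
# requireauthattrib = YES makes NPS discard Access-Request packets that lack
# a valid Message-Authenticator attribute, so a host that merely spoofs the
# NAS address cannot inject requests. (The secret is briefly visible on the
# netsh command line; run this interactively, not from a logged job.)
netsh nps add client name = "$clientName" address = "$clientAddr" state = ENABLE sharedsecret = "$secret" requireauthattrib = YES napcompatible = NO vendor = "RADIUS Standard"
if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed" }

# Hand the secret to the NAS administrator out of band, then drop it.
Write-Host "Shared secret for $clientName (configure it on the NAS now):`n$secret"
Remove-Variable secret, bytes

# Confirm the client is registered; NPS does not display the secret.
netsh nps show client name = "$clientName"
```

The vendor value matters when the NAS needs vendor-specific attributes in network policies; "RADIUS Standard" is correct for most wireless controllers and for RRAS.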


What Is a Connection Request Policy?


Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication, authorization, and accounting of connection requests that NPS receives from RADIUS clients. The default policy, "Use Windows authentication for all users", processes every request locally on the NPS server.

Connection request policies include:

Conditions, such as:
  Framed Protocol
  Service Type
  Tunnel Type
  Day and Time restrictions

Settings, such as:
  Authentication
  Accounting
  Attribute Manipulation
  Advanced settings

Custom connection request policies are required to forward requests to another proxy, RADIUS server, or remote RADIUS server group for authentication and authorization, or to send accounting information to a different server

Configuring Connection Request Processing

Configuration: Local vs. RADIUS authentication
Description: Local authentication takes place against the local security account database or Active Directory; the connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database; the RADIUS server maintains a central store of all the connection policies.

Configuration: RADIUS server groups
Description: Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, connection requests are load-balanced using the priority and weight values specified when the remote RADIUS server group is created.

Configuration: Default ports for authentication and accounting using RADIUS
Description: Connection requests forwarded to a RADIUS server use UDP port 1812 for authentication and UDP port 1813 for accounting (the IANA-assigned ports). NPS also listens on the legacy ports, UDP 1645 for authentication and UDP 1646 for accounting, which older network access servers still use.
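The port table above translated into host firewall rules on the NPS server, plus a check that the NPS service is the process listening on those ports. This is an added PowerShell example, not course material; the RADIUS client addresses are assumptions.

```powershell
# Added example (not from the course): limit inbound RADIUS traffic on the NPS
# server to the registered RADIUS clients and confirm the listeners. The
# client addresses are assumptions.

$radiusClients = "10.10.5.20,10.10.5.21"   # NAS addresses, comma separated

# NPS listens on the IANA ports (1812/1813) and the legacy ports (1645/1646)
# by default. Scope the allow rules to the NAS addresses: without the scope,
# any host that can reach UDP 1812 can probe the server or run an offline
# attack on the shared secret from captured Access-Request/Accept pairs.
netsh advfirewall firewall add rule name="RADIUS Authentication (UDP 1812,1645)" dir=in action=allow protocol=UDP localport=1812,1645 remoteip=$radiusClients service=IAS
netsh advfirewall firewall add rule name="RADIUS Accounting (UDP 1813,1646)" dir=in action=allow protocol=UDP localport=1813,1646 remoteip=$radiusClients service=IAS

# Role installation enables predefined rules that allow RADIUS from any
# address. List them and disable the group once the scoped rules are in
# (verify the group name on your build before relying on it).
netsh advfirewall firewall show rule name=all | Select-String "Policy Server"
netsh advfirewall firewall set rule group="Network Policy Server" new enable=no

# Confirm NPS (service short name IAS) owns the UDP sockets on those ports:
# the last column of netstat -ano is the PID.
$iasPid = (Get-WmiObject Win32_Service -Filter "Name='IAS'").ProcessId
netstat -ano -p UDP | Select-String ':(1812|1813|1645|1646)\s' |
    Where-Object { $_.Line -match "\s$iasPid\s*$" }
```

If a NAS only speaks the legacy ports, keep 1645/1646 in the rule; otherwise drop them so the exposed surface is exactly the two ports the RADIUS clients actually use.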

Demonstration: How to Create a New Connection Request Policy

In this demonstration, you will see how to:

Create a VPN connection request policy

Lesson 3: NPS Authentication Methods


Password-Based Authentication Methods
Using Certificates for Authentication
Required Certificates for NPS Authentication Methods
Deploying Certificates for PEAP and EAP

Password-Based Authentication Methods


Password-based authentication methods for an NPS server, listed from most to least secure, include:

MS-CHAPv2
MS-CHAP
CHAP
PAP
Unauthenticated access

Only MS-CHAPv2 is worth enabling on a new deployment, and it should be carried inside PEAP so that the exchange is protected by TLS. CHAP requires user passwords to be stored with reversible encryption in AD DS, PAP sends the password in plaintext between the access client and the NAS, and unauthenticated access accepts any connection without credentials.

Using Certificates for Authentication


With NPS, you use certificates for network access authentication because they:

Provide stronger security, since proof of possession of a private key replaces a guessable password
Eliminate the need for less secure, password-based authentication methods

Even when passwords remain in use, PEAP requires a server certificate on the NPS server, and clients must be configured to validate it; otherwise a rogue access point presenting any certificate can harvest MS-CHAPv2 credentials.

Required Certificates for NPS Authentication Methods


You require the following certificates to deploy certificate-based authentication in NPS:

CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User
Client computer certificate in the certificate store of the client (EAP-TLS computer authentication)
Server certificate in the certificate store of the NPS server (required for both PEAP and EAP-TLS)
User certificate on a smart card (EAP-TLS user authentication)

Deploying Certificates for PEAP and EAP


For domain computer and user accounts, use the auto-enrollment feature in Group Policy
Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
The administrator must save the computer or user certificate, together with its private key, to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
The administrator can distribute user certificates on a smart card
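A check that the server certificate requirement from the previous two slides is actually met on the NPS server: private key present, Server Authentication EKU, and a chain that terminates in a trusted root. This is an added PowerShell example and not part of the course; the expected subject name is an assumption.

```powershell
# Added example (not from the course): check that the NPS server has a
# certificate that PEAP and EAP-TLS can use and that clients will trust.
# The expected subject name is an assumption.

function Test-NpsServerCertificate {
    param([string]$ExpectedSubject = "CN=NYC-DC1.contoso.com")

    $serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
    $found = $false
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # NPS needs the private key, the Server Authentication EKU, and a
        # subject that matches what the clients' PEAP/EAP-TLS profiles accept.
        if (-not $cert.HasPrivateKey) { continue }
        if ($cert.Subject -ne $ExpectedSubject) { continue }
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))) { continue }

        $found = $true
        # Verify() chains to the Local Computer Trusted Root store and checks
        # revocation, so an untrusted issuer or a revoked certificate fails here.
        $chainOk  = $cert.Verify()
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $chainOk
            Usable       = ($chainOk -and $daysLeft -gt 0)
        }
    }
    if (-not $found) {
        Write-Warning "No server authentication certificate with a private key for $ExpectedSubject in LocalMachine\My"
    }
}

Test-NpsServerCertificate | Format-List
```

If ChainTrusted is false on the server, it will be false on every client as well, which shows up as EAP failures rather than as a certificate error, so run this before touching the network policies.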

Lesson 4: Monitoring and Troubleshooting a Network Policy Server


Methods Used to Monitor NPS
Logging NPS Accounting
Configuring SQL Server Logging
Configuring NPS Events to Record in the Event Viewer

Methods Used to Monitor NPS


NPS monitoring methods include:

Event logging
  The process of logging NPS events in the Windows event logs: service events in the System log, and connection success/failure events in the Security log on Windows Server 2008 R2
  Useful for auditing and troubleshooting connection attempts

Logging user authentication and accounting requests
  Useful for connection analysis and billing purposes
  Can be in a text format (local file logging)
  Can be in a database format within a SQL Server instance

Logging NPS Accounting


Use the NPS console to configure logging:

1. Open NPS from the Administrative Tools menu
2. In the console tree, click Accounting
3. In the details pane, click Configure Local File Logging
4. On the Settings tab, select the information to be logged
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated

Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails because the disk is full and the logging failure action is set to discard connection requests, NPS stops processing connection requests, so a full log disk becomes a network-wide denial of access
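Reading the log files this procedure produces, and watching the volume they live on. This is an added PowerShell example and not part of the course: it parses the DTS Compliant (XML) format, in which NPS writes one <Event> element per line, flags accounts with repeated bad-credential rejects, and warns when the log partition is nearly full. The log lines embedded below are constructed for illustration, not real NPS output, and the log directory is an assumption.

```powershell
# Added example (not from the course): scan an NPS accounting log written in
# the DTS Compliant (XML, one <Event> per line) format for rejected
# connection requests, and warn when the log volume is filling up.
# The log lines below are constructed for illustration, not real NPS output.

$sampleLog = @'
<Event><Timestamp data_type="4">06/14/2011 09:12:03.123</Timestamp><Computer-Name data_type="1">NYC-DC1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">06/14/2011 09:12:09.410</Timestamp><Computer-Name data_type="1">NYC-DC1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">06/14/2011 09:12:14.002</Timestamp><Computer-Name data_type="1">NYC-DC1</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">06/14/2011 09:13:40.777</Timestamp><Computer-Name data_type="1">NYC-DC1</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-Friendly-Name data_type="1">VPN-EDGE1</Client-Friendly-Name><Calling-Station-Id data_type="1">203.0.113.7</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
'@

# Common NPS reason codes (full list in the NPS documentation).
$reasonText = @{ 0 = "Success"; 8 = "No such user"; 16 = "Bad credentials"
                 48 = "No matching network policy"; 49 = "No matching connection request policy"
                 65 = "Dial-in permission denied"; 66 = "Auth method not enabled on policy" }

function Get-NpsRejects {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $e = ([xml]$line).Event
        if ([int]$e.'Packet-Type'.InnerText -ne 3) { continue }   # 3 = Access-Reject
        $code = [int]$e.'Reason-Code'.InnerText
        $reason = "Code $code"
        if ($reasonText.ContainsKey($code)) { $reason = $reasonText[$code] }
        New-Object PSObject -Property @{
            Time   = $e.Timestamp.InnerText
            User   = $e.'User-Name'.InnerText
            Nas    = $e.'Client-Friendly-Name'.InnerText
            Mac    = $e.'Calling-Station-Id'.InnerText
            Reason = $reason
        }
    }
}

# For a live file, pass Get-Content of the current log instead of the sample.
$rejects = Get-NpsRejects -Lines ($sampleLog -split "`r?`n")
$rejects | Format-Table Time, User, Nas, Mac, Reason -AutoSize

# Three or more bad-credential rejects for one account is worth a look.
$rejects | Where-Object { $_.Reason -eq "Bad credentials" } | Group-Object User |
    Where-Object { $_.Count -ge 3 } |
    ForEach-Object { Write-Warning ("{0}: {1} failed logons, possible password guessing" -f $_.Name, $_.Count) }

# Free space on the log volume. If the disk fills and the logging failure
# action is "discard connection requests", NPS stops authenticating anyone.
$logDir = "D:\NPSLogs"   # assumed dedicated partition, never the system drive
$disk = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f (Split-Path -Qualifier $logDir))
if ($disk -and ($disk.FreeSpace / $disk.Size) -lt 0.10) {
    Write-Warning ("Log volume {0} has {1:N1}% free" -f $disk.DeviceID, (100 * $disk.FreeSpace / $disk.Size))
}
```

The same parsing works for the SQL Server logging path described next, because the XML document NPS hands to the stored procedure uses the same element names.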

Configuring SQL Server Logging


You can use SQL Server to log RADIUS accounting data:

Requires the database to have a stored procedure named report_event, which NPS calls for every accounting record
NPS formats each accounting record as an XML document and passes it to the stored procedure as its parameter
Can be a local or remote SQL Server database

Configuring NPS Events to Record in the Event Viewer


How do I configure NPS events to be recorded in Event Viewer?

NPS is configured by default to record rejected (failed) and successful connection requests in the event log; on Windows Server 2008 R2 these appear in the Security log as event ID 6273 (access denied) and 6272 (access granted)
You can change this behavior on the General tab of the Properties sheet for the NPS server (right-click NPS (Local) in the console tree)
Common request failure events
What information does the failure event record?
What information does the success event record?

What is Schannel logging, and how do I configure it?

Schannel is a security support provider that implements a set of Internet security protocols, including the TLS used by PEAP and EAP-TLS
You can configure Schannel logging in the following Registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging (REG_DWORD bitmask: 1 = errors, 2 = warnings, 4 = informational and success events; 7 logs everything)
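The two troubleshooting settings above, applied and read back from the command line. This is an added PowerShell example and not part of the course; the event IDs and message field labels are the Windows Server 2008 R2 values, and the example assumes PEAP or EAP-TLS is in use so that Schannel events are relevant.

```powershell
# Added example (not from the course): confirm NPS connection auditing is on,
# pull recent rejections from the Security log, and enable Schannel logging
# so TLS failures during PEAP/EAP-TLS show up in the System log. Event IDs
# and message labels are the Windows Server 2008 R2 values.

# NPS writes 6272 (granted) / 6273 (denied) to the Security log only while
# the "Network Policy Server" audit subcategory is enabled for both outcomes.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-Field([string]$Message, [string]$Name) {
    # First match wins: "Account Name:" appears under both User and Client
    # Machine in a 6273 message, and the User block comes first.
    if ($Message -match ('(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.+?)\s*$')) { return $matches[1] }
    return ''
}

function Get-NpsDeniedEvents {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the message text rather than relying on property positions,
            # which differ between event versions.
            $m = $_.Message
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Account    = Get-Field $m 'Account Name'
                Client     = Get-Field $m 'Client Friendly Name'
                Station    = Get-Field $m 'Calling Station Identifier'
                ReasonCode = Get-Field $m 'Reason Code'
                Reason     = Get-Field $m 'Reason'
            }
        }
}

Get-NpsDeniedEvents | Format-Table Time, Account, Client, Station, ReasonCode, Reason -AutoSize

# Schannel logging. EventLogging is a bitmask: 1 = errors (the default),
# 2 = warnings, 4 = informational and success events; 7 logs everything.
# Use 7 while troubleshooting a PEAP handshake, then set it back to 1.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannelKey -Name EventLogging -Value 7 -Type DWord

# Schannel events (source "Schannel", e.g. 36887/36888 for fatal TLS alerts
# received/generated) land in the System log. The new level applies to new
# Schannel contexts, so restart the NPS service; reboot if nothing appears.
Restart-Service IAS
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

A 6273 with reason code 16 from many different stations against one account is a password-guessing pattern; the same code from one station against many accounts is a spray. Both are worth an alert, and the function above gives the columns needed to tell them apart.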

Lab: Configuring and Managing Network Policy Server


Exercise 1: Installing and Configuring the Network Policy Server Role Service

Exercise 2: Configuring a RADIUS Client

Exercise 3: Configuring Certificate Auto-Enrollment


Exercise 4: Configuring and Testing the VPN

Logon information

Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 75 minutes

Lab Scenario

Contoso Ltd. is expanding its remote-access solution to all its branch office employees. This will require multiple Routing and Remote Access servers located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remote-access solution. You have been tasked with installing and configuring Network Policy Server in an existing infrastructure to be used for NAP, wireless and wired access, RADIUS, and RADIUS proxy.

Lab Review

What does a RADIUS proxy provide?
What is a RADIUS client, and what are some examples of RADIUS clients?

Module Review and Takeaways


Review Questions
Tools