
Microsoft Virtual Academy

Module 8

Installing, Configuring, and Troubleshooting the Network Policy Server Role

Module Overview
Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server
Implementing Network Access Protection

Installing and Configuring a Network Policy Server

Lesson 1: Installing and Configuring a Network Policy Server
What Is a Network Policy Server?
Demonstration: Installing the Network Policy Server Role Service
Tools for Configuring a Network Policy Server
Demonstration: Configuring General NPS Settings

What Is a Network Policy Server?

A Windows Server 2012 Network Policy Server provides the following functions:

RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, dial-up, and VPN connections
RADIUS proxy. You configure connection request policies that indicate which connection requests the NPS server forwards to other RADIUS servers, and to which RADIUS servers those requests are forwarded
NAP policy server. NPS evaluates statements of health sent by NAP-capable client computers that attempt to connect to the network

Demonstration: Installing the Network Policy Server Role Service

In this demonstration, you will see how to:
Install the NPS role service
Register NPS in AD DS (registration adds the NPS computer account to the RAS and IAS Servers group so that NPS can read the dial-in properties of user accounts)

Tools for Configuring a Network Policy Server

Tools used to manage NPS include:
NPS management console snap-in
Netsh command-line tool (the netsh nps context):
NPS server commands
RADIUS client commands
Connection request policy commands
Remote RADIUS server group commands
Network policy commands
Network Access Protection commands
Accounting commands
Windows PowerShell (the NPS module)

Demonstration: Configuring General NPS Settings

In this demonstration, you will see how to:
Configure a RADIUS server for VPN connections
Save the configuration
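Added example (PowerShell, not part of the MVA module): the three demonstration steps above as commands, with a check that the AD DS registration actually happened and a protected export of the configuration. Assumed: the server is domain-joined, the ActiveDirectory module (RSAT-AD-PowerShell) is installed, you run as a Domain Admin, and C:\NpsBackup is a folder chosen for this example.

```powershell
# Added example, not from the MVA module. Run in an elevated PowerShell on the NPS server.
# Assumptions: domain-joined server, ActiveDirectory module installed, Domain Admin rights,
# and "C:\NpsBackup" is an example path.

# 1. Install the Network Policy and Access Services role with its management tools.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in AD DS so it can read users' dial-in properties.
#    With no arguments, netsh registers this server in its own domain by adding
#    the computer account to the "RAS and IAS Servers" group.
netsh nps add registeredserver

# 3. Confirm the registration took effect: the computer account must be a member.
$npsComputer = Get-ADComputer -Identity $env:COMPUTERNAME
$member = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
          Where-Object { $_.DistinguishedName -eq $npsComputer.DistinguishedName }
if (-not $member) { throw 'NPS is not registered in AD DS; registration failed.' }

# 4. Save the full NPS configuration. Export-NpsConfiguration writes RADIUS shared
#    secrets in clear text, so lock the file down and keep it only in encrypted backups.
$backupDir = 'C:\NpsBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ('nps-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date))
Export-NpsConfiguration -Path $backupFile

# Restrict the backup to SYSTEM and the local Administrators group only.
$acl = Get-Acl -Path $backupFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the folder's ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $backupFile -AclObject $acl

# 5. Restoring onto a rebuilt or second NPS server is the reverse operation:
#    Import-NpsConfiguration -Path $backupFile
```

The export is the file you would copy to a second NPS server to keep two RADIUS servers identical; because it carries every shared secret, treat it with the same care as the secrets themselves.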

Configuring RADIUS Clients and Servers

Lesson 2: Configuring RADIUS Clients and Servers
What Is a RADIUS Client?
What Is a RADIUS Proxy?
Demonstration: Configuring a RADIUS Client
What Is a Connection Request Policy?
Configuring Connection Request Processing
Demonstration: Creating a Connection Request Policy

What Is a RADIUS Client?

A RADIUS client is the network access device (for example, a wireless access point, authenticating switch, or VPN server) that receives the user's connection attempt and relays it to NPS; NPS is the RADIUS server. The end-user computer is not a RADIUS client.

[Figure: a client computer connects to a wireless access point (the RADIUS client), which forwards the request to the NPS server (the RADIUS server)]

What Is a RADIUS Proxy?

A RADIUS proxy receives connection attempts from RADIUS clients, and then forwards them to the appropriate RADIUS server or to another RADIUS proxy for further routing

A RADIUS proxy is required for:
Offering outsourced dial-up, VPN, or wireless network-access services by service providers
Providing authentication and authorization for user accounts that are not Active Directory members
Performing authentication and authorization by using a database that is not a Windows account database
Load-balancing connection requests among multiple RADIUS servers
Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

Demonstration: Configuring a RADIUS Client

In this demonstration, you will see how to configure a RADIUS client
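Added example (PowerShell, not part of the MVA module): adding a wireless access point as a RADIUS client with a generated shared secret, then checking the client definition and the NPS firewall rules. Assumed values: the AP address 10.0.20.5, the client name WAP-Floor2, and the firewall display group name "Network Policy Server", which is what the NPS role registers on Windows Server 2012.

```powershell
# Added example, not from the MVA module. Run in an elevated PowerShell on the NPS server.
# Assumptions: AP at 10.0.20.5, client name "WAP-Floor2", firewall rule group
# "Network Policy Server".

# Generate a long random shared secret (NPS accepts up to 128 characters).
# A short human-chosen secret is the usual weakness: RADIUS authenticates replies
# with MD5 over the packet plus the secret, so anyone holding a captured
# Access-Request/Access-Accept pair can brute-force a weak secret offline.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)   # 64 printable characters

New-NpsRadiusClient -Name 'WAP-Floor2' `
                    -Address '10.0.20.5' `
                    -SharedSecret $sharedSecret `
                    -VendorName 'RADIUS Standard' `
                    -AuthAttributeRequired $true `
                    -Enabled $true
# -AuthAttributeRequired makes NPS discard requests that lack the
# Message-Authenticator attribute, which binds the whole request to the secret.

# Show the secret once so it can be typed into the AP, then drop it from memory.
Write-Host "Shared secret for WAP-Floor2 (enter on the AP now): $sharedSecret"
Remove-Variable -Name sharedSecret, bytes

# Verify the client definition.
Get-NpsRadiusClient -Name 'WAP-Floor2' |
    Format-List Name, Address, Enabled, AuthAttributeRequired

# The role installs inbound rules for UDP 1812/1813 and the legacy 1645/1646.
# Warn about any that a domain firewall policy has switched off.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { Write-Warning "Disabled NPS firewall rule: $($_.DisplayName)" }
```

Every RADIUS client should get its own secret; a shared one across all access points means one compromised device can impersonate the rest towards NPS.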

What Is a Connection Request Policy?

Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients. NPS evaluates them in processing order and applies the first policy whose conditions match the request.

Connection request policies include:
Conditions, such as:
Framed Protocol
Service Type
Tunnel Type
Day and Time restrictions
Settings, such as:
Authentication
Accounting
Attribute Manipulation

Configuring Connection Request Processing

Configuration: Local vs. RADIUS authentication
Description: Local authentication takes place against the local security account database or Active Directory. RADIUS authentication forwards the connection request to a RADIUS server for authentication.

Configuration: RADIUS server groups
Description: Used where one or more RADIUS servers are capable of handling connection requests. The connection requests are load-balanced according to the priority and weight specified for each server in the group.

Configuration: Default ports for authentication and accounting by using RADIUS
Description: Requests forwarded to a RADIUS server use UDP 1812 for authentication and UDP 1813 for accounting. The legacy ports UDP 1645 (authentication) and UDP 1646 (accounting) serve the same purposes; NPS listens on all four by default, and any firewall between proxy and server must pass the pair in use.
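Added example (PowerShell, not part of the MVA module): the "RADIUS server groups" row of the table as a configured remote RADIUS server group on an NPS proxy, with the default ports, per-server secrets, and priority/weight for load balancing. Assumed: back-end NPS servers at 10.0.30.11 and 10.0.30.12, the group name Corp-NPS-Backends, and the New-NpsRemoteRadiusServer parameter names as documented for Windows Server 2012 R2 (check them with Get-Help before use).

```powershell
# Added example, not from the MVA module. Run on the NPS server acting as proxy.
# Assumptions: back ends 10.0.30.11 and 10.0.30.12; group "Corp-NPS-Backends";
# cmdlet parameter names as in the Windows Server 2012 R2 NPS module documentation.

$groupName = 'Corp-NPS-Backends'
New-NpsRemoteRadiusServerGroup -Name $groupName

# One secret per proxy<->server pair, so that a leak affects only that pair.
function New-RadiusSecret {
    $b = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    [Convert]::ToBase64String($b)
}

# Lower Priority number is tried first; servers with the same Priority share
# the load in proportion to Weight. Ports match the table above:
# UDP 1812 authentication, UDP 1813 accounting (1645/1646 are the legacy pair).
$backends = @(
    @{ Address = '10.0.30.11'; Priority = 1; Weight = 50 },
    @{ Address = '10.0.30.12'; Priority = 1; Weight = 50 }
)
foreach ($b in $backends) {
    $secret = New-RadiusSecret
    New-NpsRemoteRadiusServer -RemoteRadiusServerGroup $groupName `
        -Address $b.Address `
        -AuthenticationPort 1812 -AuthenticationSharedSecret $secret `
        -AccountingPort 1813 -AccountingSharedSecret $secret `
        -Priority $b.Priority -Weight $b.Weight `
        -Timeout 3 -MaxDroppedRequests 5 -BlackoutInterval 30
    # Timeout/MaxDroppedRequests/BlackoutInterval decide when a silent back end
    # is marked unavailable and for how long the proxy stops sending to it.
    Write-Host "On $($b.Address): add this proxy as a RADIUS client with secret $secret"
}

# Review the group. A connection request policy then references it with the
# authentication setting "Forward requests to the following remote RADIUS server group".
Get-NpsRemoteRadiusServer -RemoteRadiusServerGroup $groupName |
    Format-Table Address, AuthenticationPort, AccountingPort, Priority, Weight
```

Each back-end server must in turn list the proxy as a RADIUS client with the matching secret, otherwise it silently discards the forwarded requests and the proxy eventually blacks the server out.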

Demonstration: Creating a Connection Request Policy

In this demonstration, you will see how to create a VPN connection request policy

NPS Authentication Methods

Lesson 3: NPS Authentication Methods
Password-Based Authentication Methods
Using Certificates for Authentication
Required Certificates for Authentication
Deploying Certificates for PEAP and EAP

Password-Based Authentication Methods

Authentication methods for an NPS server, from the most secure to the least secure:
MS-CHAP v2
MS-CHAP
CHAP
PAP
Unauthenticated access

Even MS-CHAP v2, the strongest of these, produces a DES-based challenge response from which the NT hash can be recovered offline given a captured exchange, so use it only inside a TLS-protected tunnel (PEAP-MS-CHAP v2), never on its own over an untrusted link. CHAP requires passwords to be stored with reversible encryption in AD DS, and PAP sends the password in clear text to the RADIUS client.

Using Certificates for Authentication

With NPS, you use certificates for network access authentication because they:
Provide for stronger security
Eliminate the need for less secure, password-based authentication

Required Certificates for Authentication

You require the following certificates to deploy certificate-based authentication in NPS:

Certificate: CA certificate
Description: Certificate of the issuing CA, in the Trusted Root Certification Authorities store for the Local Computer and Current User, on both the NPS server and the clients

Certificate: Client computer certificate
Description: Certificate with the Client Authentication purpose, in the certificate store of the client computer (computer authentication with EAP-TLS)

Certificate: Server certificate
Description: Certificate with the Server Authentication purpose, in the certificate store of the NPS server (required for both PEAP and EAP-TLS)

Certificate: User certificate
Description: Certificate with the Client Authentication purpose on a smart card (user authentication with EAP-TLS)

Deploying Certificates for PEAP and EAP

For domain computer and user accounts, use the autoenrollment feature in Group Policy
Nondomain member enrollment requires an administrator to request a user or computer certificate by using the CA Web Enrollment tool
The administrator must save the computer or user certificate to removable media, and manually install the certificate on the nondomain member computer
The administrator can distribute user certificates on a smart card
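Added example (PowerShell, not part of the MVA module): the checks behind the two preceding slides. On the NPS server it finds a certificate that satisfies the PEAP server-certificate requirements and confirms the issuing root is trusted; on a nondomain client it installs the certificate the administrator carried over on removable media and checks its purpose. Assumed: the root thumbprint is a placeholder, E:\ is the removable drive, and the PFX file name is invented for the example.

```powershell
# Added example, not from the MVA module.
# Assumptions: placeholder root thumbprint, removable drive E:\, invented PFX name.

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# --- On the NPS server: find a certificate PEAP/EAP-TLS can use -------------
# NPS needs: private key present, Server Authentication purpose, and a chain
# to a root that the clients trust. Expiry inside 30 days is flagged early.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date).AddDays(30) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku)
    }

foreach ($cert in $candidates) {
    # Test-Certificate builds and validates the chain from this computer's stores.
    $chainOk = Test-Certificate -Cert $cert -EKU $serverAuthEku -ErrorAction SilentlyContinue
    '{0}  {1}  expires {2:d}  chain {3}' -f $cert.Thumbprint, $cert.Subject,
        $cert.NotAfter, $(if ($chainOk) { 'OK' } else { 'FAILED' })
}
if (-not $candidates) { Write-Warning 'No PEAP-capable server certificate in LocalMachine\My.' }

# The issuing CA's root must be in Trusted Root Certification Authorities on the
# NPS server and on every client. Replace the placeholder with the real thumbprint.
$expectedRoot = '0000000000000000000000000000000000000000'
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expectedRoot })) {
    Write-Warning 'Issuing CA root is not in the Trusted Root store on this computer.'
}

# --- On a nondomain client: install the certificate from removable media ----
# The PFX was requested through CA Web Enrollment by the administrator. The
# password protects the private key in transit; pass it on separately from the media.
$pfxPath = 'E:\client-laptop-17.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath `
                -CertStoreLocation Cert:\LocalMachine\My `
                -Password $pfxPass -Exportable:$false   # key stays non-exportable
if ($imported.EnhancedKeyUsageList.ObjectId -notcontains $clientAuthEku) {
    Write-Warning 'Imported certificate lacks the Client Authentication purpose; EAP-TLS will reject it.'
}
# Repeat the root-store check above on the client: a workgroup computer receives
# no root certificates from Group Policy, so the root must be imported by hand too.
```

Because a nondomain client cannot be corrected later through Group Policy, it is worth running both checks there before the user leaves the help desk.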

Monitoring and Troubleshooting a Network Policy Server

Lesson 4: Monitoring and Troubleshooting a Network Policy Server
Methods Used to Monitor NPS
Logging NPS Accounting
Configuring SQL Server Logging
Configuring NPS Events to Record in the Event Viewer

Methods Used to Monitor NPS

NPS monitoring methods include:
Event logging
This method records NPS events in the Windows event logs: connection request successes and failures as audit events in the Security log (Windows Server 2008 and later), and service-level NPS events in the System log
This method is useful for auditing and troubleshooting connection attempts
Logging user authentication and accounting requests
This method is useful for connection analysis and billing purposes
This method can be in a text format (IAS or DTS-compliant)
This method can be in a database format within an instance of SQL Server

Logging NPS Accounting

Use the NPS console to configure logging:
1. On the Administrative Tools menu, open NPS.
2. In the console tree, click Accounting.
3. In the details pane, click Change Log File Properties.
Log files should be stored on a separate partition from the system partition. When the log file properties option "If logging fails, discard connection requests" is selected, a full log volume stops NPS from accepting any connection, so the log location must not compete with the operating system for space.

Configuring SQL Server Logging

You can use SQL Server to log RADIUS accounting data:
The SQL Server database must have a stored procedure named report_event
NPS formats accounting data as an XML document
The SQL Server database can be on a local computer or a remote server
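Added example (PowerShell driving T-SQL, not part of the MVA module): creating the logging database, the report_event stored procedure that NPS calls with each XML record, and a view over the stored XML. Assumed: the SqlServer module (Invoke-Sqlcmd) is available, the instance is SQL01\NPS, the database is NpsLog, the NPS computer account is CONTOSO\NPS01$, and the procedure's single parameter name (@doc_in) and type follow Microsoft's sample; verify both against your NPS version.

```powershell
# Added example, not from the MVA module.
# Assumptions: Invoke-Sqlcmd available; instance SQL01\NPS; database NpsLog;
# NPS computer account CONTOSO\NPS01$; parameter @doc_in as in Microsoft's sample.

$instance   = 'SQL01\NPS'
$database   = 'NpsLog'
$npsAccount = 'CONTOSO\NPS01$'

$createSchema = @"
IF DB_ID(N'$database') IS NULL CREATE DATABASE [$database];
GO
USE [$database];
GO
IF OBJECT_ID(N'dbo.nps_events', 'U') IS NULL
CREATE TABLE dbo.nps_events (
    event_id    bigint IDENTITY(1,1) PRIMARY KEY,
    received_at datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    event_xml   xml NOT NULL
);
GO
IF OBJECT_ID(N'dbo.report_event', 'P') IS NOT NULL DROP PROCEDURE dbo.report_event;
GO
-- NPS calls this procedure by name, so it must be called exactly report_event.
-- Keep the raw document: it preserves vendor-specific attributes you did not anticipate.
CREATE PROCEDURE dbo.report_event @doc_in nvarchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.nps_events (event_xml) VALUES (CONVERT(xml, @doc_in));
END
GO
IF OBJECT_ID(N'dbo.v_failed_auth', 'V') IS NOT NULL DROP VIEW dbo.v_failed_auth;
GO
-- Typed columns pulled from the XML; Packet-Type 3 is Access-Reject.
CREATE VIEW dbo.v_failed_auth AS
SELECT received_at,
       event_xml.value('(/Event/User-Name)[1]',         'nvarchar(256)') AS user_name,
       event_xml.value('(/Event/Client-IP-Address)[1]', 'nvarchar(64)')  AS client_ip,
       event_xml.value('(/Event/Reason-Code)[1]',       'int')           AS reason_code
FROM dbo.nps_events
WHERE event_xml.value('(/Event/Packet-Type)[1]', 'int') = 3;
GO
"@

# Invoke-Sqlcmd honours the GO batch separators.
Invoke-Sqlcmd -ServerInstance $instance -Database 'master' -Query $createSchema

# NPS connects as the computer account (Network Service). It needs EXECUTE on the
# procedure only; do not make it db_owner. The login is assumed to exist already.
$grant = @'
USE [{0}];
CREATE USER [{1}] FOR LOGIN [{1}];
GRANT EXECUTE ON dbo.report_event TO [{1}];
'@ -f $database, $npsAccount
Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $grant
```

In the NPS console the SQL data source then points at SQL01\NPS and NpsLog; if the procedure is missing or the account lacks EXECUTE, the failure shows up on the NPS side as a logging failure, which with "discard connection requests" selected means rejected logons.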

Configuring NPS Events to Record in the Event Viewer

How do I configure NPS events to be recorded in Event Viewer?
NPS is configured by default to record failed connections and successful connections in the event log
You can change this behavior on the General tab of the Properties sheet of the NPS server (the NPS (Local) node in the console); the setting applies to all network policies, not to an individual policy
Common request failure events consist of requests that NPS rejects or discards; both failure and success events are recorded

What is Schannel logging, and how do I configure it?
Schannel is a security support provider that implements the SSL/TLS protocols, which PEAP and EAP-TLS rely on
You configure Schannel logging with the EventLogging DWORD value under the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
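Added example (PowerShell, not part of the MVA module): reading the NPS connection events and the Schannel events that the two lessons above describe. It checks that the audit subcategory is on, summarises rejected connections from the Security log by reason, flags one common abuse pattern, and sets the Schannel EventLogging value. Assumed: Windows Server 2012 or later, where NPS audit events 6272 (granted), 6273 (denied), 6274 (discarded) and 6278 (full access granted after NAP health check) go to the Security log; the spray threshold of 10 distinct users is an arbitrary example value.

```powershell
# Added example, not from the MVA module. Run elevated on the NPS server.
# Assumptions: Windows Server 2012+; NPS audit events in the Security log;
# the "10 distinct users" threshold is an example value.

# 1. NPS setup enables the "Network Policy Server" audit subcategory, but a domain
#    audit policy can switch it off, and then no 6272/6273 events are ever written.
auditpol /get /subcategory:"Network Policy Server"
# If it shows "No Auditing":
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 2. Denied connections in the last 24 hours, grouped by reason.
$since  = (Get-Date).AddHours(-24)
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $denied) {
    # Read EventData by field name rather than position so a changed template still works.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['FullyQualifiedSubjectUserName']
        ClientIP  = $d['ClientIPAddress']      # the RADIUS client (NAS), not the end user
        NasId     = $d['NASIdentifier']
        Reason    = [int]$d['ReasonCode']
        ReasonTxt = $d['Reason']
    }
}
$rows | Group-Object Reason, ReasonTxt | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Reason code 16 is "user credentials mismatch". Many failures with that code
#    from one RADIUS client against many different users is password spraying
#    through that access point or VPN server.
$rows | Where-Object { $_.Reason -eq 16 } |
    Group-Object ClientIP |
    Where-Object { @($_.Group.User | Sort-Object -Unique).Count -ge 10 } |
    ForEach-Object { Write-Warning "Possible password spray via $($_.Name): $($_.Count) failures" }

# 4. Schannel logging. EventLogging is a DWORD value under the SCHANNEL key:
#    1 = errors, 2 = warnings, 3 = errors and warnings, 4 = informational, 7 = all.
#    3 is enough to see TLS handshake failures behind PEAP rejections; 7 is very noisy.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Type DWord -Value 3
# Schannel writes to the System log (for example IDs 36887/36888, fatal alert
# received/generated). Restart the server for the new level to take effect reliably.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10
```

The 6273 event carries the reason text as well as the code, so the grouped table is usually enough to tell a certificate problem (EAP failures) from an account problem (credential mismatch, disabled account, dial-in permission denied) without opening individual events.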

Implementing Network Access Protection

Lesson 5: Implementing Network Access Protection
What Is NAP?
NAP Architecture
Requirements for Implementing NAP
Scenarios for Using NAP
NAP with VPN
NAP with IPsec
NAP with 802.1X
NAP with DHCP
Demonstration: Implementing NAP with DHCP
Considerations for NAP

What Is NAP?

What NAP can and cannot do:

NAP can:
Enforce health-requirement policies on client computers
Ensure client computers are compliant with policies
Offer remediation support for computers that do not meet health requirements

NAP cannot:
Protect the network from malicious users
Guarantee that a client computer is not infected

NAP Architecture

[Figure: NAP architecture. Components shown: NAP client with limited access; NAP health policy server (NPS); Active Directory; remediation servers; Health Registration Authority; DHCP server; VPN server; IEEE 802.1X devices; and the intranet, restricted network, perimeter network, and Internet segments]

Requirements for Implementing NAP

All enforcement methods require the NAP agent to run on the client
A Network Policy Server is required to create and enforce policies
SHVs are required to determine what will be evaluated on the client
System health policies are required to determine client compliance or noncompliance
Certificates are required to validate computer identities for PEAP authentication
Remediation networks can provide a way for clients to become compliant and gain access to the network

Scenarios for Using NAP


Roaming laptops
Desktop computers
Visiting laptops
Unmanaged home computers

NAP with VPN

The VPN server uses the NPS server as its primary RADIUS server
VPN servers are configured as RADIUS clients in NPS
Connection request policy has the VPN server as source
Configure SHVs to test for health conditions
Health policies pass compliant client computers and fail noncompliant client computers
Network policy grants full access to compliant client computers and limited access to noncompliant client computers
Group Policy or local policy can enable the ECs on client computers
NAP agent service must be enabled on client computers
Computer certificates are required for PEAP authentication

NAP with IPsec

NAP with IPsec requires:
A CA to issue health certificates
An HRA to authenticate and obtain a health certificate on behalf of clients
Authentication requirements: domain only or anonymous
An NPS server
Client computers configured for IPsec enforcement
IPsec policies to create logical networks

NAP with 802.1X

NAP with 802.1X characteristics:
RADIUS clients are identified by host name or IP address
Shared secrets must be configured
Server certificates must be installed
Network authentication must use EAP methods
VLANs may be configured
Type of network access server should be set to unspecified
Connection requests must use PEAP

NAP with DHCP

NAP enforcement can be integrated with DHCP
NPS server uses health policies and SHVs to evaluate client health
NPS tells the DHCP server to provide full access to compliant computers, and to restrict access to noncompliant computers

Demonstration: Implementing NAP with DHCP

In this demonstration, you will see how to:
Use the NAP wizard to configure DHCP enforcement policies
Install the Network Policy Server
Configure DHCP enforcement to validate that the Windows Firewall is enabled
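Added example (PowerShell, not part of the MVA module): the DHCP-server and NAP-client settings that sit behind the demonstration, with the check a practitioner wants on the "Windows Firewall is enabled" requirement. Assumed: the DHCP server DHCP01 holds scope 10.0.40.0, the NPS server is NPS01, and 79617 is the enforcement client ID that "netsh nap client show config" lists for the DHCP Quarantine Enforcement Client. NAP is deprecated from Windows Server 2012 R2, so this is reference material for existing deployments.

```powershell
# Added example, not from the MVA module.
# Assumptions: DHCP01 with scope 10.0.40.0; NPS01; enforcement client ID 79617 = DHCP
# Quarantine Enforcement Client (confirm with: netsh nap client show config).

# --- DHCP server (DHCP01) -----------------------------------------------------
# DHCP enforcement is the weakest method: a client that sets a static IP address
# bypasses it entirely. Treat it as compliance reporting, not isolation.
Set-DhcpServerSetting -ComputerName 'DHCP01' -NapEnabled $true
Set-DhcpServerv4Scope -ComputerName 'DHCP01' -ScopeId 10.0.40.0 -NapEnable $true
# (-NapProfile on Set-DhcpServerv4Scope names an NPS profile only when one scope
#  must be matched to a specific NPS policy; the default is fine for one policy.)

# If NPS runs on another server, DHCP01 must be one of its RADIUS clients
# (run on NPS01; generate $secret as in the RADIUS client example):
# New-NpsRadiusClient -Name 'DHCP01' -Address 'dhcp01.contoso.com' `
#                     -SharedSecret $secret -NapCompatible $true

# --- NAP client ---------------------------------------------------------------
# In production these come from Group Policy (Computer Configuration > Policies >
# Windows Settings > Security Settings > Network Access Protection). The local
# equivalents below are for a test client.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# The Windows Security Health Validator's firewall check reads the firewall state
# for the active profile; confirm it is on before testing, so a failure means NAP,
# not the client, is misconfigured.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Client view of enforcement clients, SHA state, and whether it is restricted.
netsh nap client show state
```

After enabling, a noncompliant test client should receive a lease with the restricted options (no default gateway, 32-bit subnet mask, DNS pointing at the remediation servers) and "netsh nap client show state" reports it as restricted; a client whose firewall is on should be back to full access at the next lease renewal.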

Considerations for NAP

Considerations for using NAP:
Use Group Policy to deploy client settings
Plan the enforcement type you want to use
Plan for a remediation network
Ensure that you can provide the administrative support for the solution
NAP is deprecated in Windows Server 2012 R2 and removed from Windows Server 2016, so do not build new deployments on it

Additional Resources & Next Steps

Instructor-Led Courses: 20411C: Administering Windows Server 2012
Books: Exam Ref 70-411: Administering Windows Server 2012
Exams & Certifications: Exam 70-411: Administering Windows Server 2012
