Windows Server 2008 Network Policy Server (NPS) Operations Guide
Microsoft Corporation
Published: April 2008
Author: James McIllece
Editor: Scott Somohano
Abstract
The Network Policy Server Operations Guide provides information about how to administer NPS after it is installed and deployed. It also includes troubleshooting information for specific problems and scenarios.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.
Contents
Windows Server 2008 Network Policy Server (NPS) Operations Guide
  Abstract
Network Policy Server Operations Guide
  Windows Server 2008 Editions and NPS
    Windows Server 2008 Enterprise and Datacenter Editions
    Windows Server 2008 Standard Edition
    Windows Web Server 2008
  NPS resources
Introduction to Administering NPS
  When to use this guide
  How to use this guide
Best Practices for NPS
  Installation
  Client computer configuration
  Authentication
  Security issues
  Accounting
  Optimizing NPS
    Using NPS in large organizations
  Network Access Protection (NAP)
Administering NPS
Managing NPS Servers
Administer NPS by Using Tools
Enable Remote Administration of an NPS Server
Enter the Netsh NPS Context on an NPS Server
Installing NPS
Install Network Policy Server (NPS)
Install NPS by Using the Add Role Services Wizard
Manage an NPS Server by Using Remote Desktop Connection
Manage Multiple NPS Servers by Using the NPS MMC Snap-in
Configure the Local NPS Server by Using the NPS Console
Configure NPS on a Multihomed Computer
Configure NPS UDP Port Information
Disable NAS Notification Forwarding
Export an NPS Server Configuration for Import on Another Server
Increase the Number of NPS Concurrent Authentications
Interpret NPS Database Format Log Files
  Entries recorded in database-compatible log files
Interpret Windows System Health Validator Entries in Log Files
  Diagnostic codes
  Error codes
    Determining the client operating system
    Example log file entries
      First example log file entry
      Second example log file entry
Register an NPS Server in Another Domain
Register an NPS Server in its Default Domain
Unregister an NPS Server from its Default Domain
Verify Configuration After an NPS Server IP Address Change
Verify Configuration After Renaming an NPS Server
Managing Certificates Used with NPS
Change the Cached TLS Handle Expiry
Configure the TLS Handle Expiry Time on Client Computers
Configure the TLS Handle Expiry Time on NPS Servers
Obtain the SHA-1 Hash of a Trusted Root CA Certificate
Managing RADIUS Clients
Set up RADIUS Clients
Configure the Network Access Server
Add the Network Access Server as a RADIUS Client in NPS
Set up RADIUS Clients by IP Address Range
Managing Network Policies
  An ordered list of rules
Configure NPS for VLANs
Configure a Network Policy for VLANs
Configure the EAP Payload Size
Configure the Framed-MTU Attribute
Configure NPS to Ignore User Account Dial-in Properties
Network Policy Server Operations Guide
The Network Policy Server (NPS) Operations Guide provides administration information about NPS in the Windows Server® 2008 operating system.
Note
In Windows Server 2008, Network Policy Server replaces the Internet Authentication Service (IAS) component of Windows Server 2003.
NPS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured to act as a RADIUS server or RADIUS proxy, providing centralized network access management. When you configure NPS as a RADIUS server, network access servers that are configured as RADIUS clients in NPS forward connection requests to NPS for authentication and authorization. When you configure NPS as a RADIUS proxy, NPS forwards authentication and accounting requests to RADIUS servers in a remote RADIUS server group. The network access servers that you can configure as RADIUS clients in NPS are wireless access points, virtual private network (VPN) servers, 802.1X authenticating switches, Terminal Services Gateway (TS Gateway) servers, and dial-up servers.
In addition, you can configure NPS as a Network Access Protection (NAP) policy server. When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies.
You can also configure the NPS proxy to perform authorization locally while forwarding authentication requests to a remote RADIUS server group. In addition, you can customize the processing of accounting requests, processing them locally on the NPS proxy or forwarding them to other RADIUS servers.
Windows Server 2008 Editions and NPS
NPS provides different functionality depending on the edition of Windows Server 2008 that you install.
Windows Server 2008 Enterprise and Datacenter Editions
With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
Windows Server 2008 Standard Edition
With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
Windows Web Server 2008
NPS is not included in this edition of Windows Web Server 2008.
NPS resources
For NPS resources in addition to this guide, see Network Policy Server in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=104545).
Introduction to Administering NPS
This guide, in conjunction with the NPS procedural Help topics, explains how to administer NPS. The objectives, tasks, and procedures described in this guide and in procedural Help topics discuss actions that are part of the operating phase of the information technology (IT) life cycle. To access the NPS procedural Help topics, open the NPS console and press F1. If you are not familiar with this guide, review the following sections of this introduction.
When to use this guide
This guide assumes a basic understanding of what NPS is, how it works, and why your organization uses it to manage network access, including the authentication, authorization, and accounting for network connections. It also assumes that you have a thorough understanding of how NPS is deployed and managed in your organization before performing any of the actions described in this guide.
This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles within an IT organization, including IT operations management and administrators.
This guide contains both general information and more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and its snap-ins. They must also know how to start administrative programs, access the command line, and run the Netsh commands for NPS. If operators are not familiar with NPS, it might be necessary for IT planners or IT managers to review the relevant operations in this guide and provide the operators with parameters or data that must be entered when the operation is performed.
How to use this guide
The operations areas are divided into the following types of content:
• Objectives are general goals for managing, monitoring, optimizing and securing NPS. Each objective consists of one or more general tasks that describe how the objective is accomplished.
• Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective.
• Procedures provide step-by-step instructions for completing tasks.
If you are an IT manager who will be delegating tasks to operators within your organization:
1. Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures for each task.
2. Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
3. When necessary, create “tear sheets” for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document, and then either print these documents or store them online, depending on the preference of your organization.
Best Practices for NPS
This topic provides best practices for implementing and configuring NPS and is based on recommendations from Microsoft Product Support Services.
Installation
Before installing NPS, do the following:
• Install and test each of your network access servers by using local authentication methods before you make them RADIUS clients.
• After you install and configure NPS, save the configuration by using the netsh nps export command. Use this command to save the NPS configuration to an XML file every time a configuration change is made.
• If you install additional Extensible Authentication Protocol (EAP) types on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
• If you install additional system health validators (SHVs) on your NPS server, ensure that you document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
• Do not install Windows Server 2008 on the same partition with another version of Windows Server.
• Do not configure a server running NPS or the Routing and Remote Access service as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a domain controller running Windows Server 2008 in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain controller to fail. Instead, configure your server running NPS or Routing and Remote Access as a member of a Windows Server 2008 domain. An alternative is to configure a server running NPS as a RADIUS proxy server that forwards authentication and accounting requests from the Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.
Client computer configuration
Following are the best practices for client computer configuration:
• Automatically configure all of your domain member 802.1X client computers by using Group Policy.
• Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.
Authentication
Following are the best practices for authentication:
• Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods because they are vulnerable to a variety of attacks and are not secure.
• Use PEAP, which is required for all Network Access Protection (NAP) enforcement methods. Determine the PEAP authentication types that you want to use, such as PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.
• Deploy a certification authority (CA) by using Active Directory® Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory.
Security issues
Your NPS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your NPS server and RADIUS messages from unwanted internal and external intrusion.
When you are administering an NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:
• Use Remote Desktop Connection to access the NPS server. When Remote Desktop Connection users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.
• Use Internet Protocol security (IPsec) to encrypt confidential data. If you manage one or more remote NPS servers from a local NPS server by using the NPS Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication between the local NPS server and the remote NPS server.
Accounting
There are two types of accounting, or logging, in NPS:
• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. Recording NPS events to the security event log is a new feature in Windows Server 2008, and much more information is logged for NPS than in previous operating system versions for Internet Authentication Service (IAS). This information is used primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down activity after an attack.
To make the most effective use of NPS logging:
• Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.
• Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.
• Back up all log files on a regular basis because they cannot be recreated after they are damaged or deleted.
• For billing purposes, use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases when the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.
• If you use SQL Server logging, ensure that you store credentials and other connection properties in a secure location. This information is not exported to file when you use the netsh nps export command.
• To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server tools to set up database replication between the two servers. For more information, see SQL Server documentation.
Important
If your NPS server is configured to log accounting data but cannot write to the configured data store (a log file, a SQL Server database, or both), NPS discards all connection requests and authentication fails. In this circumstance, users cannot access the network by using connections through RADIUS clients. This ensures that accounting data is accurate.
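The duplicate-record caveat above (a lost reply makes the access server resend the accounting request, so the same record is logged twice) can be handled in a log post-processing step. The following PowerShell script is an added example and is not part of the Microsoft guide. The log records, their field order, and the Class values are all constructed for this example in a simplified comma-separated layout; they do not reproduce the actual NPS database-compatible log format, which a later section of the guide describes.

```powershell
# Added example, not part of the Microsoft guide. Removes accounting records
# that were logged twice because the NAS retransmitted an Accounting-Request
# after the reply was lost. The records below are constructed sample data in
# a simplified comma-separated layout chosen for this example; they do not
# reproduce the real NPS log file format.
# Assumed field order: RecordDate, RecordTime, PacketType, UserName, Class,
# AcctStatusType, AcctSessionTime. PacketType 4 is Accounting-Request;
# AcctStatusType 1 = Start, 2 = Stop, 3 = Interim-Update (RFC 2866 values).

$header = 'RecordDate', 'RecordTime', 'PacketType', 'UserName', 'Class',
          'AcctStatusType', 'AcctSessionTime'

# Constructed sample: rows 1-2 and rows 4-5 are retransmissions of the same
# request; row 4 is a legitimate Stop record for the session started in row 1.
$sampleLog = @'
2008-04-01,08:15:02,4,CONTOSO\alice,311 1 10.0.0.7 04/01/2008 08:15:01 12,1,0
2008-04-01,08:15:02,4,CONTOSO\alice,311 1 10.0.0.7 04/01/2008 08:15:01 12,1,0
2008-04-01,08:42:17,4,CONTOSO\bob,311 1 10.0.0.7 04/01/2008 08:42:16 13,1,0
2008-04-01,09:30:44,4,CONTOSO\alice,311 1 10.0.0.7 04/01/2008 08:15:01 12,2,4540
2008-04-01,09:30:44,4,CONTOSO\alice,311 1 10.0.0.7 04/01/2008 08:15:01 12,2,4540
'@

function Get-UniqueAccountingRecords {
    param(
        [Parameter(Mandatory = $true)] [string]   $LogText,
        [Parameter(Mandatory = $true)] [string[]] $Header
    )
    $records = $LogText | ConvertFrom-Csv -Header $Header

    # Only Accounting-Request packets carry billable session data.
    $accounting = $records | Where-Object { $_.PacketType -eq '4' }

    # NPS generates Class when it accepts the connection request and the NAS
    # echoes it in every accounting record for that session, so Start,
    # Interim-Update and Stop records share it. A retransmission also repeats
    # the status type and session time, so key on all three: a Stop record
    # with a new session time is legitimate and survives.
    $accounting |
        Group-Object -Property Class, AcctStatusType, AcctSessionTime |
        ForEach-Object { $_.Group[0] }
}

$unique  = @(Get-UniqueAccountingRecords -LogText $sampleLog -Header $header)
$inCount = @($sampleLog -split "`r?`n" | Where-Object { $_ }).Count
"{0} accounting records read, {1} unique" -f $inCount, $unique.Count
$unique | Format-Table RecordTime, UserName, AcctStatusType, AcctSessionTime -AutoSize
```

With the constructed sample, the two retransmitted rows are dropped and three records remain: Alice's Start, Bob's Start, and Alice's Stop. Keying on Class alone would also discard Alice's Stop record, which is why the status type and session time are part of the grouping key.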
Optimizing NPS
Following are ways to tune NPS performance:
• To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.
• When universal principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet.
• Disable start and stop notification forwarding from network access servers (NASs) to individual servers in each remote RADIUS server group if you are not forwarding accounting requests to the group. For more information, see Disable NAS Notification Forwarding.
Using NPS in large organizations
Following are ways to use NPS in large organizations:
• If you are using network policies to restrict network access for all but specific groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for members of this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and then add users to those groups.
• Use a user principal name in network policies to refer to users whenever possible. A user can have the same user principal name regardless of the domain membership of the user account. This practice provides scalability that might be required in organizations that have a large number of domains.
• If NPS is on a computer other than a domain controller, and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between NPS and the domain controller. For more information, see Increase the Number of NPS Concurrent Authentications.
Note
To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the NPS proxies as RADIUS servers.
Network Access Protection (NAP)
When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies. Following are the best practices for NAP deployment with NPS.
• For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. Strong enforcement methods use certificate-based authentication and secure the channel between clients and servers through which the statement of health (SoH) and statement of health response (SoHR) are sent. The DHCP enforcement method is the least secure enforcement method and should be deployed only in circumstances where secure transmission of the SoH and SoHR is not required.
• When you deploy the IPsec enforcement method, enable pass-through authentication in Internet Information Services (IIS). Enabling pass-through authentication ensures that only domain member computers can obtain a health certificate and communicate with other domain member computers.
• Before you create health policies for your NAP deployments, if you are using non-Microsoft products that support NAP, install non-Microsoft system health agents (SHAs) on client computers. In addition, install the corresponding system health validators (SHVs) for the SHAs on NPS servers.
• When you deploy NAP by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the NPS connection request policy even when connection requests are processed locally.
• For a streamlined method of creating network policies, connection request policies, and health policies for your NAP deployment, use the New NAP Policies wizard. If you want to modify policies created by using the wizard, open the policy in the NPS console and make required changes.
• When you deploy NAP with the IPsec and DHCP enforcement methods, enable client health checks when you configure authentication. You should also configure the Identity Type condition in network policy with the value Computer health check.
• To deploy NAP with the DHCP enforcement method, you must install both NPS and DHCP on the same computer.
Administering NPS
By effectively administering your NPS deployment, you can provide secure network access for your organization, ensuring that authorized organization employees, business partners, and guests can access the network when and where they need to do so.
Note
The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.
The following objectives are part of administering NPS:
• Managing NPS Servers
• Managing Certificates Used with NPS
• Managing RADIUS Clients
• Managing Network Policies
Managing NPS Servers
Managing NPS servers across your organization means providing NPS server availability, with approved and consistent network policies configured across your NPS deployment. When you manage NPS servers, you ensure that RADIUS clients have access to the servers, that NPS servers have permission to access your user account databases, and that RADIUS traffic is sent and received on the same UDP ports. In addition, you can synchronize server configurations in whole or in part by using Netsh commands for NPS.
The following tasks for managing NPS servers are described in this objective:
• Administer NPS by Using Tools
• Configure NPS on a Multihomed Computer
• Configure NPS UDP Port Information
• Disable NAS Notification Forwarding
• Export an NPS Server Configuration for Import on Another Server
• Increase the Number of NPS Concurrent Authentications
• Interpret NPS Database Format Log Files
• Register an NPS Server in Another Domain
• Register an NPS Server in its Default Domain
• Unregister an NPS Server from its Default Domain
• Verify Configuration After an NPS Server IP Address Change
• Verify Configuration After Renaming an NPS Server
Administer NPS by Using Tools
NPS provides three tools that you can use to administer NPS: the NPS console, the NPS Microsoft Management Console (MMC) snap-in, and the Netsh commands for NPS (netsh nps).
The following procedures show how to manage NPS using these tools:
• Enable Remote Administration of an NPS Server
• Enter the Netsh NPS Context on an NPS Server
• Installing NPS
• Manage an NPS Server by Using Remote Desktop Connection
• Manage Multiple NPS Servers by Using the NPS MMC Snap-in
• Configure the Local NPS Server by Using the NPS Console
Enable Remote Administration of an NPS Server
You can use this procedure to enable the Remote administration exception in Windows Firewall with Advanced Security. You can use the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in to manage both the local and remote NPS servers. To manage remote servers, however, you must first enable the Remote administration exception on the firewall of the NPS server that you want to manage.
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
To enable remote administration of an NPS server
1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Control Panel Home is selected. Under Security, click Allow a program through Windows Firewall. The Windows Firewall Settings dialog box opens.
3. In Windows Firewall Settings, verify that the Exceptions tab is selected.
4. In Program or port, scroll to and select the Remote administration check box, and then click OK.
14
Enter the Netsh NPS Context on an NPS Server

You can use commands in the Netsh NPS context to show and set the configuration of the authentication, authorization, accounting, and auditing database used both by NPS and the Routing and Remote Access service. Use commands in the Netsh NPS context to:
• Configure or reconfigure an NPS server, including all aspects of NPS that are also available for configuration by using the NPS console in the Windows interface.
• Export the configuration of one NPS server (the source server), including registry keys and the NPS configuration store, as a Netsh script.
• Import the configuration to another NPS server by using a Netsh script and the exported configuration file from the source NPS server.

You can run these commands from the Windows Server 2008 command prompt or from the command prompt for the Netsh NPS context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh nps before typing additional commands and their parameters. There are functional differences between Netsh context commands in the Windows Server 2003 family and Netsh commands in Windows Server 2008.

Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the local computer.

To enter the Netsh NPS context on an NPS server
1. Open Command Prompt.
2. Type netsh, and then press ENTER.
3. Type nps, and then press ENTER.
Installing NPS

There are multiple ways to install NPS, and to understand the differences between these methods, an understanding of the Network Policy and Access Services (NPAS) server role is required. The NPAS server role is a logical grouping of the following network access technologies:
• Network Policy Server (NPS)
• Routing and Remote Access service (RRAS)
• Health Registration Authority (HRA)
• Host Credential Authorization Protocol (HCAP)

These technologies are the role services of the NPAS server role. When you install the NPAS server role, you can install one or more role services while running the Add Roles Wizard.

Note
The Add Roles Wizard is opened by using either Server Manager or Initial Configuration Tasks.

After you have run the Add Roles Wizard and you have installed one or more role services of the NPAS server role, you cannot install additional role services by using the same wizard. For this reason, if you run the Add Roles Wizard and you install NPAS role services other than NPS, you cannot run the Add Roles Wizard again to install NPS later; you must instead open a similar wizard named the Add Role Services Wizard. If you want to install NPS, and you have not yet installed any other role services of the NPAS server role, follow the instructions in the procedure Install Network Policy Server (NPS). If you want to install NPS, but you have already installed other NPAS role services, follow the instructions in the procedure Install NPS by Using the Add Role Services Wizard.
Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role.

Note
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To install NPS
1. Do one of the following:
• In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.
• Click Start, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.

Note
The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.
4. In Network Policy and Access Services, click Next.
5. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.
Install NPS by Using the Add Role Services Wizard

You can use this procedure to install Network Policy Server (NPS) as a role service of the Network Policy and Access Services (NPAS) server role in circumstances where you have previously installed other NPAS role services.

Important
To successfully use this procedure to install NPS, it is required that you previously installed the NPAS server role with a different role service, such as the Routing and Remote Access service (RRAS). If you have not previously installed NPAS, do not use this procedure; instead, use the procedure Install Network Policy Server (NPS).

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To install NPS by using the Add Role Services wizard
1. Click Start, and then click Server Manager. In the left pane of Server Manager, double-click Roles to expand the tree. Browse to and right-click Network Policy and Access Services, and then click Add Role Services. The Add Role Services wizard opens.
2. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
3. In Confirm Installation Selections, click Install.
4. In Installation Results, review your installation results, and then click Close.
Manage an NPS Server by Using Remote Desktop Connection

Use this procedure to manage a remote NPS server by using Remote Desktop Connection. By using Remote Desktop Connection, you can remotely manage your NPS servers running Windows Server 2008. You can also remotely manage NPS servers from a computer running Windows Vista.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To manage an NPS server by using Remote Desktop Connection
1. On each NPS server that you want to manage remotely, in Control Panel, double-click System. The System page opens.
2. In System, in Tasks, click Remote settings. The System Properties dialog box opens.
3. In System Properties, ensure that the Remote tab is selected. In Remote Desktop, select an option that allows connections from remote computers.
4. Click Select Users. The Remote Desktop Users dialog box opens.
5. In Remote Desktop Users, to grant permission to a user to connect remotely to the NPS server, click Add, and then type the user name for the user's account. Click OK.
6. Repeat step 5 for each user for whom you want to grant remote access permission to the NPS server.
7. On each NPS server, if Windows Firewall with Advanced Security is enabled, add an exception for Remote Desktop.
8. To connect to a remote NPS server that you have configured by using the previous steps, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
9. In Computer, type the NPS server name or IP address. If you want, click Options, configure additional connection options, and then click Save to save the connection for repeated use.
10. Click Connect, and when prompted provide user account credentials for an account that has permissions to log on to and configure the NPS server.
Manage Multiple NPS Servers by Using the NPS MMC Snap-in

Use this procedure to manage multiple NPS servers by using the NPS Microsoft Management Console (MMC) snap-in. You can also use the instructions below to manage a local NPS server and one or more remote NPS servers from the Microsoft Management Console (MMC) on the local NPS server. Before performing the procedure below, you must install NPS on the local computer and on remote computers.

Important
Before you can manage a remote NPS server, you must configure the remote server to allow remote administration. For more information, see Enable Remote Administration of an NPS Server.

Depending on network conditions and the number of NPS servers you manage by using the NPS MMC snap-in, response of the MMC snap-in might be slow. In addition, NPS server configuration traffic is sent over the network during a remote administration session by using the NPS snap-in. Ensure that your network is physically secure and that malicious users do not have access to this network traffic.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To manage multiple NPS servers by using the NPS snap-in
1. To open MMC, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, scroll down the list, click Network Policy Server, and then click Add. The Select Computer dialog box opens.
4. In Select Computer, verify that Local computer (the one this console is running on) is selected, and then click OK. The snap-in for the local NPS server is added to the list in Selected snap-ins.
5. In Add or Remove Snap-ins, in Available snap-ins, ensure that Network Policy Server is still selected, and then click Add. The Select Computer dialog box opens again.
6. In Select Computer, click Another computer, and then type the IP address or fully qualified domain name of the remote NPS server that you want to manage by using the NPS snap-in. Optionally, you can click Browse to browse the directory for the computer you want to add. Click OK.
7. Repeat steps 5 and 6 to add more NPS servers to the NPS snap-in. When you have added all the NPS servers you want to manage, click OK.
8. To save the NPS snap-in for later use, click File, click Save, type a name for your Microsoft Management Console (.msc) file, and then click Save.
Configure the Local NPS Server by Using the NPS Console

After you have installed NPS, you can use this procedure to manage the local NPS server by using the NPS Microsoft Management Console (MMC). The NPS console differs from use of the NPS MMC snap-in in the following ways:
• The NPS console is installed by default when you install NPS.
• The NPS console is used to manage the local NPS server only; you cannot use the NPS console to manage remote NPS servers.
• You can use the NPS MMC snap-in to create a custom MMC console that allows you to manage remote NPS servers in addition to managing the local NPS server.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the local NPS server by using the NPS console
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, click NPS (Local). In the details pane, choose either Standard Configuration or Advanced Configuration, and then do one of the following based upon your selection:
• If you choose Standard Configuration, select a scenario from the list, and then follow the instructions to start a configuration wizard.
• If you choose Advanced Configuration, click the arrow to expand Advanced Configuration options, and then review and configure the available options based on the NPS functionality that you want.
Configure NPS on a Multihomed Computer

A computer with multiple network adapters installed is known as a multihomed computer. When you use multiple network adapters in an NPS server, you can configure the following:
• The network adapters that do and do not send and receive RADIUS traffic.
• On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.
• The UDP ports over which RADIUS traffic is sent and received on a per-protocol (IPv4 or IPv6), per-network adapter basis.

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and IPv4 for all installed network adapters. Because NPS automatically uses all network adapters for RADIUS traffic, you only need to specify the network adapters that you want NPS to use for RADIUS traffic when you want to prevent NPS from using an adapter for RADIUS traffic.

Note
If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

On an NPS server that has multiple network adapters installed, you might want to configure NPS to send RADIUS traffic only on a specific adapter. For example, one network adapter installed in the NPS server might lead to a network segment that does not contain RADIUS clients, while a second network adapter provides NPS with a network path to its configured RADIUS clients. In this scenario it is important to direct NPS to use the second network adapter for all RADIUS traffic. In another example, if your NPS server has three network adapters installed, but you only want NPS to use two of the adapters for RADIUS traffic, you should configure port information for the two adapters only. By excluding port configuration for the third adapter, you prevent NPS from using the adapter for RADIUS traffic.
When you use the procedure in Configure NPS UDP Port Information, you can configure NPS to listen for and send RADIUS traffic on a network adapter by using the following syntax:
• IPv4 traffic syntax: IPAddress:UDPport, where IPAddress is the IPv4 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.
• IPv6 traffic syntax: [IPv6Address]:UDPport, where the brackets around IPv6Address are required, IPv6Address is the IPv6 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.

The following characters can be used as delimiters for configuring IP address and UDP port information:
• Address/port delimiter: colon (:)
• Port delimiter: comma (,)
• Interface delimiter: semicolon (;)

Make sure that your network access servers are configured with the same RADIUS UDP ports that you configure on your NPS servers. The RADIUS standard UDP ports defined in RFCs 2865 and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for accounting requests.

Important
If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.
Configure NPS UDP Port Information

Use this procedure to configure User Datagram Protocol (UDP) ports for RADIUS traffic. You can use the following procedure to configure the ports that Network Policy Server (NPS) uses for RADIUS authentication and accounting traffic. By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.

Note
If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which ports you decide to use, make sure that NPS and your access server are configured to use the same ones.

Important
If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure NPS UDP port information
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, right-click Network Policy Server, and then click Properties.
3. Click the Ports tab, and then prepend the IP address for the network adapter you want to use for RADIUS traffic to the existing port numbers. For example, if you want to use the IP address 192.168.1.2 and RADIUS ports 1812 and 1645 for authentication requests, change the port setting from 1812,1645 to 192.168.1.2:1812,1645. If your RADIUS authentication and RADIUS accounting UDP ports are different from the default values, change the port settings accordingly.
4. To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
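The port-string syntax given in Configure NPS on a Multihomed Computer and used in step 3 of the procedure above can be checked before it is typed into the Ports tab. The following Python script is an added example, not code from the Microsoft guide: it parses a Ports-tab value with the colon, comma and semicolon delimiters described above, expands it into the address/port pairs NPS would bind, and lists any port outside the four ports for which installation created firewall exceptions, since those are the ports that need a manual exception according to the Important note. The address 192.168.1.2 and the setting 1812,1645 are the guide's; the IPv6 address 2001:db8::2 and the port 18120 are constructed sample values.

```python
"""Check an NPS RADIUS port setting before it goes into the Ports tab.

Added example for this guide; not Microsoft code. It implements the syntax
described in the guide: IPv4Address:port or [IPv6Address]:port, ports
separated by commas, interfaces separated by semicolons. A setting with no
address (the default "1812,1645") binds every installed adapter.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Ports for which NPS installation creates firewall exceptions: the RFC 2865/2866
# standard ports plus the legacy 1645/1646 pair many access servers still use.
DEFAULT_RADIUS_PORTS = {1812, 1813, 1645, 1646}


class Binding(NamedTuple):
    address: Optional[str]  # None means "all installed adapters"
    port: int


def _parse_interface(spec: str) -> List[Binding]:
    """Parse one interface entry (the text between semicolons)."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty interface entry")
    if spec.startswith("["):  # IPv6: the brackets are required by the syntax
        close = spec.find("]")
        if close == -1 or spec[close + 1:close + 2] != ":":
            raise ValueError(f"malformed IPv6 entry: {spec!r}")
        address = str(ipaddress.IPv6Address(spec[1:close]))
        ports_text = spec[close + 2:]
    elif spec.count(":") == 1:  # IPv4: address:ports
        addr_text, ports_text = spec.split(":")
        address = str(ipaddress.IPv4Address(addr_text))
    elif ":" in spec:  # an unbracketed IPv6 address cannot be told apart from ports
        raise ValueError(f"IPv6 addresses must be enclosed in brackets: {spec!r}")
    else:  # ports only: listen on all adapters
        address, ports_text = None, spec
    bindings = []
    for item in ports_text.split(","):
        port = int(item.strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"UDP port out of range: {port}")
        bindings.append(Binding(address, port))
    return bindings


def parse_port_setting(setting: str) -> List[Binding]:
    """Expand a full Ports-tab value into the (address, port) pairs NPS binds."""
    return [b for entry in setting.split(";") for b in _parse_interface(entry)]


def nonstandard_ports(setting: str) -> List[int]:
    """Ports in the setting that have no installation-time firewall exception."""
    return sorted({b.port for b in parse_port_setting(setting)} - DEFAULT_RADIUS_PORTS)


if __name__ == "__main__":
    # Constructed sample: the guide's 192.168.1.2 adapter, a second IPv6 adapter
    # (documentation prefix), and a non-default port 18120 on the first adapter.
    sample = "192.168.1.2:1812,1645;[2001:db8::2]:1812;192.168.1.2:18120"
    for binding in parse_port_setting(sample):
        print(binding)
    print("add firewall exceptions for UDP:", nonstandard_ports(sample))
```

The script rejects an IPv6 address written without brackets, because without them the address's own colons cannot be separated from the address/port delimiter; this is the reason the syntax above makes the brackets mandatory.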
Disable NAS Notification Forwarding

You can use this procedure to disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group configured in NPS. When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Forward accounting requests to this remote RADIUS server group check box, these groups are still sent NAS start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To disable NAS notification forwarding
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers, click Remote RADIUS Server Groups, and then double-click the remote RADIUS server group that you want to configure. The remote RADIUS server group Properties dialog box opens.
3. Double-click the group member that you want to configure, and then click the Authentication/Accounting tab.
4. In Accounting, clear the Forward network access server start and stop notifications to this server check box, and then click OK.
5. Repeat steps 3 and 4 for all group members that you want to configure.
Export an NPS Server Configuration for Import on Another Server

This procedure allows you to export the entire NPS configuration, including RADIUS clients and servers, network policy, connection request policy, registry, and logging configuration, from one NPS server for import on another NPS server.

Important
Do not use this procedure if the source NPS database has a higher version number than the version number of the destination NPS database. You can view the version number of the NPS database from the display of the netsh nps show config command.

When the netsh import command is run, NPS is automatically refreshed with the updated configuration settings. You do not need to stop NPS on the destination computer to run the netsh import command; however, if the NPS console or NPS MMC snap-in is open during the configuration import, changes to the server configuration are not visible until you refresh the view.

Note
When you use the netsh nps export command, you are required to provide the command parameter exportPSK with the value YES. This parameter and value explicitly state that you understand that you are exporting the NPS server configuration, and that the exported XML file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups. Because NPS server configurations are not encrypted in the exported XML file, sending it over a network might pose a security risk, so take precautions when moving the XML file from the source server to the destination servers. For example, add the file to an encrypted, password protected archive file before moving the file. In addition, store the file in a secure location to prevent malicious users from accessing it.

Note
If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To copy an NPS server configuration to another NPS server using Netsh commands
1. On the source NPS server, open Command Prompt, type netsh, and then press ENTER.
2. At the netsh prompt, type nps, and then press ENTER.
3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES, where path is the folder location where you want to save the NPS server configuration file, and file is the name of the XML file that you want to save. Press ENTER. This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press ENTER, a message appears indicating whether the export to file was successful.
4. Copy the file you created to the destination NPS server.
5. At a command prompt on the destination NPS server, type netsh nps import filename="path\file.xml", and then press ENTER. A message appears indicating whether the import from the XML file was successful.
Increase the Number of NPS Concurrent Authentications

You can use this procedure to increase the number of concurrent authentications between NPS and domain controllers when NPS is not installed on a domain controller. If the NPS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the NPS server and the domain controller.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To increase the number of concurrent authentications
1. Click Start, click Run, type regedit, and then press ENTER. Registry Editor opens.
2. In Registry Editor, browse to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Right-click Parameters, point to New, and then click DWORD (32-bit) Value.
4. Replace the default text for the new key by typing the text MaxConcurrentApi, and then press ENTER.
5. Right-click MaxConcurrentApi, and then click Modify. The Edit DWORD (32-bit) Value dialog box opens.
6. In Value data, type a value between 2 and 5. Do not enter a value higher than 5, or NPS might place an excessive load on the domain controller. Click OK.
Interpret NPS Database Format Log Files

Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.

Note
Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).

Entries recorded in database-compatible log files

The following are example entries (Access-Request and Access-Accept) from a database-compatible log file.

Note
In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.

This is the first example:
"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

This is the second example:
"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
The following table shows the attributes that can be contained in a record in the databasecompatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted. Additional information • A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries. • The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes. This table shows the values for the example entries of an IAS-internal attribute. Value shown in
Attribute
Data type
Description
"CLIENTCOMP"
ComputerName
Text
The name of the server where the packet was received (this is an IAS-internal attribute).
"IAS"
ServiceName
Text
The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute).
03/07/2008
Record-Date
Time
The date at the NPS or Routing and Remote Access server (this is an IAS-
example
26
Value shown in
Attribute
Data type
Description
example
internal attribute). 13:04:33
Record-Time
Time
The time at the NPS or Routing and Remote Access server (this is an IASinternal attribute).
1
Packet-Type
Number
The type of packet, which can be: •
1 = Access-Request
•
2 = Access-Accept
•
3 = Access-Reject
•
4 = Accounting-Request
This is an IAS-internal attribute. "client"
User-Name
Text
The user identity, as specified by the user.
Fully-QualifiedDistinguishedName
Text
The user name in canonical format (this is an IAS-internal attribute).
Called-Station-ID
Text
The phone number dialed by the user.
Calling-Station-ID
Text
The phone number from which the call originated.
Callback-Number
Text
The callback phone number.
Framed-IPAddress
Text
The framed address to be configured for the user.
NAS-Identifier
Text
The text that identifies the network access server originating the request.
NAS-IP-Address
Text
The IP address of the network access server originating the request.
NAS-Port
Number
The physical port number of the network access server originating the request.
9
Client-Vendor
Number
The manufacturer of the network access server (this is an IAS-internal attribute).
"10.10.10.10"
Client-IP-Address
Text
The IP address of the RADIUS client (this is an IAS-internal attribute).
"npsclient"
Client-FriendlyName
Text
The friendly name for the RADIUS client (this is an IAS-internal attribute).
Event-Timestamp
Time
The date and time that this event occurred 27
Value shown in
Attribute
Data type
Description
example
on the network access server.
1
Port-Limit
Number
The maximum number of ports that the network access server provides to the user.
NAS-Port-Type
Number
The type of physical port that is used by the network access server originating the request.
Connect-Info
Text
Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.
Framed-Protocol
Number
The protocol to be used.
Service-Type
Number
The type of service that the user has requested.
AuthenticationType
Number
The authentication scheme, which is used to verify the user and can be: •
1 = PAP
•
2 = CHAP
•
3 = MS-CHAP
•
4 = MS-CHAP v2
•
5 = EAP
•
7 = None
•
8 = Custom
This is an IAS-internal attribute.
0
Policy-Name
Text
The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank.
Reason-Code
Number
The reason for rejecting a user, which can be: •
0 = IAS_SUCCESS
•
1 = IAS_INTERNAL_ERROR 28
Value shown in
Attribute
Data type
Description
example
•
2 = IAS_ACCESS_DENIED
•
3 = IAS_MALFORMED_REQUEST
• 4= IAS_GLOBAL_CATALOG_UNAVAILAB LE •
5 = IAS_DOMAIN_UNAVAILABLE
•
6 = IAS_SERVER_UNAVAILABLE
•
7 = IAS_NO_SUCH_DOMAIN
•
8 = IAS_NO_SUCH_USER
•
16 = IAS_AUTH_FAILURE
• 17 = IAS_CHANGE_PASSWORD_FAILUR E • 18 = IAS_UNSUPPORTED_AUTH_TYPE •
32 = IAS_LOCAL_USERS_ONLY
• 33 = IAS_PASSWORD_MUST_CHANGE •
34 = IAS_ACCOUNT_DISABLED
•
35 = IAS_ACCOUNT_EXPIRED
• 36 = IAS_ACCOUNT_LOCKED_OUT • 37 = IAS_INVALID_LOGON_HOURS • 38 = IAS_ACCOUNT_RESTRICTION •
48 = IAS_NO_POLICY_MATCH
•
64 = IAS_DIALIN_LOCKED_OUT
•
65 = IAS_DIALIN_DISABLED
•
66 = IAS_INVALID_AUTH_TYPE
• 67 = IAS_INVALID_CALLING_STATION • 68 = IAS_INVALID_DIALIN_HOURS • 69 = IAS_INVALID_CALLED_STATION 29
Value shown in
Attribute
Data type
Description
example
•
70 = IAS_INVALID_PORT_TYPE
•
71 = IAS_INVALID_RESTRICTION
•
80 = IAS_NO_RECORD
•
96 = IAS_SESSION_TIMEOUT
• 97 = IAS_UNEXPECTED_REQUEST This is an IAS-internal attribute. Class
Text
The attribute that is sent to the client in an Access-Accept packet.
Session-Timeout
Number
The length of time (in seconds) before the session is terminated.
Idle-Timeout
Number
The length of idle time (in seconds) before the session is terminated.
TerminationAction
Number
The action that the network access server takes when service is completed.
EAP-Friendly-Name (Text): The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is "Microsoft Secured Password (EAP-MSCHAPv2)".
Acct-Status-Type (Number): The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session.
Acct-Delay-Time (Number): The length of time (in seconds) for which the network access server has been sending the same accounting packet.
Acct-Input-Octets (Number): The number of octets received during the session.
Acct-Output-Octets (Number): The number of octets sent during the session.
Acct-Session-Id (Text): The unique numeric string that identifies the server session.
Acct-Authentic (Number): The number that specifies which server authenticated an incoming call.
Acct-Session-Time (Number): The length of time (in seconds) for which the session has been active.
Acct-Input-Packets (Number): The number of packets received during the session.
Acct-Output-Packets (Number): The number of packets sent during the session.
Acct-Terminate-Cause (Number): The reason that a connection was terminated.
Acct-Multi-Ssn-ID (Text): The unique numeric string that identifies the multilink session.
Acct-Link-Count (Number): The number of links in a multilink session.
Acct-Interim-Interval (Number): The length of the interval (in seconds) between each interim update that the network access server sends.
Tunnel-Type (Number): The tunneling protocol to be used.
Tunnel-Medium-Type (Number): The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers.
Tunnel-Client-Endpt (Text): The IP address of the tunnel client.
Tunnel-Server-Endpt (Text): The IP address of the tunnel server.
Acct-Tunnel-Conn (Text): An identifier assigned to the tunnel.
Tunnel-Pvt-Group-ID (Text): The group ID for a specific tunneled session.
Tunnel-Assignment-ID (Text): The tunnel to which a session is assigned.
Tunnel-Preference (Number): The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server.
MS-Acct-Auth-Type (Number): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-Acct-EAP-Type (Number): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-RAS-Version (Text): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-RAS-Vendor (Number): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-CHAP-Error (Text): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-CHAP-Domain (Text): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-MPPE-Encryption-Types (Number): A Routing and Remote Access service attribute. For more information, see RFC 2548.
MS-MPPE-Encryption-Policy (Number): A Routing and Remote Access service attribute. For more information, see RFC 2548.
Proxy-Policy-Name (Text): The name of the connection request policy that matched the connection request.
Provider-Type (Number): Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.
Provider-Name (Text): A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for a Provider-Type value of 2.
Remote-Server-Address (IP address): The IP address of the remote RADIUS server to which the connection request was forwarded for authentication.
MS-RAS-Client-Name (Text): The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40. Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated. The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~. Value shown in example: "CLIENTCOMP".
MS-RAS-Client-Version (Number): The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7. Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order.
Interpret Windows System Health Validator Entries in Log Files
When NPS is configured as a Network Access Protection (NAP) policy server, and one or more health policies are configured with the Windows Security Health Validator (WSHV), NPS logs statement of health responses (SoHRs) in the NPS log file or to a Microsoft SQL Server database, depending on your accounting configuration. You can use the information in this topic to interpret WSHV entries in NPS accounting logs.
Diagnostic codes
The WSHV entries contain elements that correspond to components that might be installed or enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic Updates. The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and these codes are always presented in the following order:
1. Firewall (On/Off)
2. Antivirus - On/Off
3. Antivirus - Up-to-date status
4. Antispyware - On/Off
5. Antispyware - Up-to-date status
6. Automatic Updates (On/Off)
7. Security Updates - Compliance code
8. Security Updates - Severity
9. Security Updates - Legitimate Source (Windows Update, Windows Server Update Services, or Microsoft Update)
For item 9 above, the following codes are possible values in the log file.
Update source                           Diagnostic code
Windows Update                          0x00004000
Windows Server Update Services (WSUS)   0x00010000
Microsoft Update                        0x00020000
Important
If the configuration allows the receipt of updates from more than one source, the log file entry combines the codes. For example, if both Windows Update and Microsoft Update are legitimate sources, the log file code is 0x00024000.
When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is 0x0. When an element of the SHV is compliant, the corresponding component on the client computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is not configured to enforce any specific element, such as Firewall or Security Updates, log entries for the element are not relevant and should be ignored.
The Security Updates element provides a severity rating. To interpret the severity rating when reviewing the NPS log file, you can use the following severity levels.
Severity level   Code in NPS log
Unspecified      0x0040
Low              0x0080
Moderate         0x0100
Important        0x0200
Critical         0x0400
Error codes
On the client computer, the NAP agent can receive errors from the Windows System Health Agent, which monitors the components on the client operating system, such as firewalls and antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the statement contains information about errors on the client computer. In turn, NPS records the error in the NPS log file. The following table provides the possible error codes that can be logged by NPS.
Error code    Description
0xC0FF0001    E_MSSHV_PRODUCT_NOT_ENABLED. A system health component is not enabled.
0xC0FF0002    E_MSSHAV_PRODUCT_NOT_INSTALLED. A system health component is not installed.
0xC0FF0003    E_MSSHAV_WSC_SERVICE_DOWN. The Windows Security Center service is not running.
0xC0FF0004    E_MSSHV_PRODUCT_NOT_UPTODATE. The signatures for a specific system health component are not up to date.
0x00FF0008    E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT. The Windows Server Update Services has not started. An administrator must try to start the service manually.
0xC0FF000C    E_MSSHAV_NO_WUS_SERVER. The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Click the Try again button after configuration is done for the changes to take effect.
0xC0FF000D    E_MSSHAV_NO_CLIENT_ID. Windows failed to determine the Windows Server Update Services client ID of this computer.
0xC0FF000E    E_MSSHAV_WUA_SERVICE_DISABLED. The Windows Update Agent service has been disabled or is not configured to start automatically. An administrator must enable the service.
0xC0FF000F    E_MSSHAV_WUA_COMM_FAILURE. The periodic scan of this computer for security updates failed. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.
0xC0FF0010    E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT. Security updates have been installed and require this computer to be restarted. Please close all applications and restart this computer.
0xC0FF0012    E_MSSHV_WUS_SHC_FAILURE. The NPS server failed to validate the security update status of this computer. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.
0xC0FF0014    E_MSSHV_UNKNOWN_CLIENT. Unknown client.
0xC0FF0017    E_MSSHV_INVALID_SOH. The Windows Security Health Validator did not process the latest Statement of Health (SoH) because the SoH is not valid.
0xC0FF0018    E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT. The Windows Security Center service has not started. An administrator must try to start the service manually.
0xC0FF0047    E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED. A third-party system health component is not enabled.
0xC0FF0048    E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE. The signatures for a specific third-party system health component are not up to date.
0xC0FF004EL   E_MSSHAV_BAD_UPDATE_SOURCE_MU. This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Microsoft Update.
0xC0FF004FL   E_MSSHAV_BAD_UPDATE_SOURCE_WUMU. This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Update or Microsoft Update.
0xC0FF0050L   E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS. This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Server Update Services or Microsoft Update.
0xC0FF0051L   E_MSSHAV_NO_UPDATE_SOURCE. The Windows Update Agent on this computer is not configured to receive security updates. An administrator must configure the Windows Update Agent service. The NAP agent might have to be restarted for changes to take effect.
Determining the client operating system
When you review Windows SHV entries in the NPS log file, you can determine whether the client computer is running Windows Vista or Windows XP in one of two ways:
1. Examine the OS-Version field in the NPS log.
2. Count the number of diagnostic codes recorded in the log file. If the client computer is running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running Windows XP, NPS logs only six diagnostic codes because the monitoring of antispyware status is not supported in WSHV for Windows XP.
Example log file entries
The first example log file entry depicts an entry for a client computer running Windows Vista that is not configured to synchronize with a Windows Server Update Services server. The explanatory text that follows each diagnostic code in the first example is added to clarify the meaning of the diagnostic codes and does not normally appear in NPS log entries.
First example log file entry
Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Fully-Qualified-Machine-Name =
Fully-Qualified-User-Name =
NAS-IP-Address = <not present>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Access Denied
Quarantine-Session-Identifier = {5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z
Quarantine-Help-URL =
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None
(0x0-) Firewall is compliant
(0x0-) Anti Virus is compliant
(0x0-) Anti Virus signatures are compliant
(0x0-) Anti Spyware is compliant
(0x0-) Anti Spyware signatures are compliant
(0x0-) Automatic Update is compliant
(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click on the 'try again' button after configuration is done for the changes to take effect.) Diagnostic code for Security Updates from Diagnostic Code table
(0x40-) Unspecified Severity Level from Severity level table
(0x00004000-) Legitimate update source is Windows Update
Second example log file entry
The second example log file entry depicts an entry for a client computer running Windows Vista that is configured to use the Windows Security Center for the firewall, antivirus, antispyware, and Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored.
Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Fully-Qualified-Machine-Name =
Fully-Qualified-User-Name =
NAS-IP-Address = <not present>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Access Denied
Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30 17:17:33.585Z
Quarantine-Help-URL =
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0x0-)
(0xc0ff0003-The Windows Security Center service is not running.)
(0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click on the 'try again' button after configuration is done for the changes to take effect.)
(0x40-)
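The following Python script is an added example (not part of the Microsoft guide) that applies the tables above to a quarantine entry: it maps each diagnostic code in Quarantine-System-Health-Result to its WSHV element in the documented order, expands a combined legitimate-source mask such as 0x00024000, looks up severity and error codes, determines the client operating system both from OS-Version and from the code count, and flags entries where the Windows Security Center service is down so that the affected codes are not trusted. The sample entry is constructed from the guide's first example; the element names, codes and field names are taken from the guide.

```python
import re

# Added example (not Microsoft code): decode Windows Security Health Validator
# (WSHV) entries in NPS log files using the tables transcribed from the guide.

# Order in which WSHV diagnostic codes appear in Quarantine-System-Health-Result.
WSHV_ELEMENTS = (
    "Firewall", "Antivirus - On/Off", "Antivirus - Up-to-date",
    "Antispyware - On/Off", "Antispyware - Up-to-date", "Automatic Updates",
    "Security Updates - Compliance", "Security Updates - Severity",
    "Security Updates - Legitimate Source",
)
# Windows XP clients: WSHV does not monitor antispyware, so two fewer codes are logged.
XP_ELEMENTS = tuple(e for e in WSHV_ELEMENTS if not e.startswith("Antispyware"))

UPDATE_SOURCE_FLAGS = {  # item 9; flags are combined when several sources are allowed
    0x00004000: "Windows Update",
    0x00010000: "Windows Server Update Services (WSUS)",
    0x00020000: "Microsoft Update",
}
SEVERITY_CODES = {  # item 8
    0x0040: "Unspecified", 0x0080: "Low", 0x0100: "Moderate",
    0x0200: "Important", 0x0400: "Critical",
}
ERROR_CODES = {  # subset of the guide's error code table
    0xC0FF0001: "E_MSSHV_PRODUCT_NOT_ENABLED",
    0xC0FF0003: "E_MSSHAV_WSC_SERVICE_DOWN",
    0xC0FF0004: "E_MSSHV_PRODUCT_NOT_UPTODATE",
    0xC0FF000C: "E_MSSHAV_NO_WUS_SERVER",
    0xC0FF000E: "E_MSSHAV_WUA_SERVICE_DISABLED",
    0xC0FF0051: "E_MSSHAV_NO_UPDATE_SOURCE",
}
WSC_SERVICE_DOWN = 0xC0FF0003

# "Key = value" log fields (one per line) and "(0xCODE-optional message)" groups.
_FIELD_RE = re.compile(r"^([A-Za-z0-9-]+) =\s?(.*)$")
_CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)-(.*?)\)(?=\s*(?:\(0x|$))", re.S)


def parse_entry(entry_text):
    """Return the entry's fields as a dict; lines without 'Key =' are skipped."""
    fields = {}
    for line in entry_text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def client_os_from_version(os_version):
    """Method 1 from the guide: Windows XP reports version 5.x, Windows Vista 6.x."""
    return "Windows Vista" if int(os_version.split(".", 1)[0]) >= 6 else "Windows XP"


def decode_update_sources(code):
    """Expand a combined legitimate-source mask (e.g. 0x00024000) into source names."""
    names = [name for flag, name in UPDATE_SOURCE_FLAGS.items() if code & flag]
    unknown = code & ~sum(UPDATE_SOURCE_FLAGS)
    return names + (["unknown flags 0x%08x" % unknown] if unknown else [])


def decode_health_result(result_text):
    """Map each diagnostic code in Quarantine-System-Health-Result to its WSHV element."""
    codes = [(int(c, 16), msg.strip()) for c, msg in _CODE_RE.findall(result_text)]
    # Method 2 from the guide: the code count tells Windows Vista from Windows XP.
    if len(codes) in (8, 9):
        labels, client_os = WSHV_ELEMENTS, "Windows Vista"
    elif len(codes) in (6, 7):
        labels, client_os = XP_ELEMENTS, "Windows XP"
    else:
        raise ValueError("unexpected number of WSHV codes: %d" % len(codes))
    # With Windows Security Center down, the codes it would have supplied carry no meaning.
    wsc_down = any(code == WSC_SERVICE_DOWN for code, _ in codes)
    elements = []
    for label, (code, message) in zip(labels, codes):
        if label.endswith("Severity"):
            meaning = SEVERITY_CODES.get(code, "unknown severity 0x%04x" % code)
        elif label.endswith("Legitimate Source"):
            meaning = ", ".join(decode_update_sources(code))
        elif code == 0:
            meaning = "compliant"
        else:
            meaning = ERROR_CODES.get(code, "unknown error 0x%08x" % code)
        elements.append({"element": label, "code": code, "meaning": meaning, "message": message})
    return {"client_os": client_os, "wsc_service_down": wsc_down, "elements": elements}


# Constructed sample, abridged from the guide's first example entry.
SAMPLE_ENTRY = """\
Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None \
(0x0-) (0x0-) (0x0-) (0x0-) (0x0-) (0x0-) (0xc0ff000c-The Windows Update Agent on this \
computer is not configured to synchronize with a Windows Server Update Services server.) \
(0x40-) (0x00004000-)
"""

if __name__ == "__main__":
    fields = parse_entry(SAMPLE_ENTRY)
    print("OS-Version says:", client_os_from_version(fields["OS-Version"]))
    for e in decode_health_result(fields["Quarantine-System-Health-Result"])["elements"]:
        print("%-36s 0x%08x  %s" % (e["element"], e["code"], e["meaning"]))
```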
Register an NPS Server in Another Domain
To provide an NPS server with permission to read the dial-in properties of user accounts in Active Directory, the NPS server must be registered in the domain where the accounts reside. You can use this procedure to register an NPS server in a domain where the NPS server is not a domain member.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
You can perform this procedure by using the following methods:
To register an NPS server in another domain
1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. In the console tree, navigate to the domain where you want the NPS server to read user account information, and then click the Users folder.
3. In the details pane, right-click RAS and IAS Servers, and then click Properties. The RAS and IAS Servers Properties dialog box opens.
4. In the RAS and IAS Servers Properties dialog box, click the Members tab, add each of the NPS servers that you want to register in the domain, and then click OK.
To register an NPS server in another domain by using Netsh commands for NPS
1. Open Command Prompt.
2. Type the following at the command prompt: netsh nps add registeredserver domain server, and then press ENTER. In the preceding command, domain is the DNS domain name of the domain where you want to register the NPS server, and server is the name of the NPS server computer.
Register an NPS Server in its Default Domain
You can use this procedure to register an NPS server in the domain where the server is a domain member. NPS servers must be registered in Active Directory so that they have permission to read the dial-in properties of user accounts during the authorization process. Registering an NPS server adds the server to the RAS and IAS Servers group in Active Directory.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To register an NPS server in its default domain
1. Open the NPS console.
2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens.
3. In Network Policy Server, click OK, and then click OK again.
Unregister an NPS Server from its Default Domain
In the process of managing your NPS server deployment, you might find it useful to move an NPS server to another domain, to replace an NPS server, or to retire an NPS server. When you move or decommission an NPS server, unregister the NPS server in the Active Directory domains where the NPS server has permission to read the properties of user accounts in Active Directory.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To unregister an NPS server
1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. Click Users, and then double-click RAS and IAS Servers.
3. Click the Members tab, and then select the NPS server that you want to unregister.
4. Click Remove, click Yes, and then click OK.
Verify Configuration After an NPS Server IP Address Change
There might be circumstances where you need to change the IP address of an NPS server or proxy, such as when you move the server to a different IP subnet. If you change an NPS server or proxy IP address, it is necessary to reconfigure portions of your NPS deployment. Use the following general guidelines to assist you in verifying that an IP address change does not interrupt network access authentication, authorization, or accounting on your network.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To verify configuration after an NPS server IP address change
1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS server.
2. If the NPS server is a member of a remote RADIUS server group, reconfigure the NPS proxy with the new IP address of the NPS server.
3. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.
4. If you have deployed IPsec to secure RADIUS traffic between your NPS server and an NPS proxy or other servers or devices, reconfigure the IPsec policy or the connection security rule in Windows Firewall with Advanced Security to use the new IP address of the NPS server.
5. If the NPS server is multihomed and you have configured the server to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.
To verify configuration after an NPS proxy IP address change
1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS proxy.
2. If the NPS proxy is multihomed and you have configured the proxy to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.
3. Reconfigure all members of all remote RADIUS server groups with the proxy server IP address. To accomplish this task, at each NPS server that has the NPS proxy configured as a RADIUS client:
   a. Double-click NPS (Local), double-click RADIUS Clients and Servers, click RADIUS Clients, and then in the details pane, double-click the RADIUS client that you want to change.
   b. In RADIUS client Properties, in Address (IP or DNS), type the new IP address of the NPS proxy.
4. If you have configured the NPS proxy to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS proxy is still functioning properly.
Verify Configuration After Renaming an NPS Server
There might be circumstances when you need to change the name of an NPS server or proxy, such as when you redesign the naming conventions for your servers. If you change an NPS server or proxy name, it is necessary to reconfigure portions of your NPS deployment. Use the following general guidelines to assist you in verifying that a server name change does not interrupt network access authentication, authorization, or accounting.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To verify configuration after an NPS server or proxy name change
1. If the NPS server is a member of a remote RADIUS server group and the group is configured with computer names rather than IP addresses, reconfigure the remote RADIUS server group with the new NPS server name.
2. If certificate-based authentication methods are deployed at the NPS server, the name change invalidates the server certificate. You can request a new certificate from the certification authority (CA) administrator or, if the computer is a domain member computer and you autoenroll certificates to domain members, you can refresh Group Policy to obtain a new certificate through autoenrollment. To refresh Group Policy:
   a. Open Command Prompt.
   b. Type gpupdate, and then press ENTER.
3. After you have a new server certificate, request that the CA administrator revoke the old certificate. After the old certificate is revoked, NPS will continue to use it until the old certificate expires. By default, the old certificate remains valid for a maximum time of one week and 10 hours. This time period might be different depending on whether the Certificate Revocation List (CRL) expiry and the Transport Layer Security (TLS) cache time expiry have been modified from their defaults. The default CRL expiry is one week; the default TLS cache time expiry is 10 hours. If you want to configure NPS to use the new certificate immediately, however, you can manually reconfigure network policies with the new certificate.
4. After the old certificate expires, NPS automatically begins using the new certificate.
5. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.
Managing Certificates Used with NPS
If you deploy a certificate-based authentication method, such as EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2, you must enroll a server certificate to all of your NPS servers. The server certificate must:
• Meet the minimum server certificate requirements as described in Certificate Requirements for PEAP and EAP at http://go.microsoft.com/fwlink/?LinkID=101491.
• Be issued by a certification authority (CA) that is trusted by client computers. A CA is trusted when its certificate exists in the Trusted Root Certification Authorities certificate store for the current user and local computer.
The following objectives assist in managing NPS server certificates in deployments where the trusted root CA is a third-party CA, such as Verisign, or is a CA that you have deployed for your public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS) in Windows Server 2008.
The following objectives are part of managing NPS server certificates:
• Change the Cached TLS Handle Expiry
• Obtain the SHA-1 Hash of a Trusted Root CA Certificate
Change the Cached TLS Handle Expiry
During the initial authentication processes for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), the NPS server caches a portion of the connecting client's TLS connection properties. The client also caches a portion of the NPS server's TLS connection properties. Each individual collection of these TLS connection properties is called a TLS handle.
Client computers can cache the TLS handles for multiple authenticators, while NPS servers can cache the TLS handles of many client computers. The cached TLS handles on the client and server allow the reauthentication process to occur more rapidly. For example, when a wireless computer reauthenticates with an NPS server, the NPS server can examine the TLS handle for the wireless client and can quickly determine that the client connection is a reconnect. The NPS server authorizes the connection without performing full authentication. Correspondingly, the client examines the TLS handle for the NPS server, determines that it is a reconnect, and does not need to perform server authentication.
On computers running Windows Vista and Windows Server 2008, the default TLS handle expiry is 10 hours. In some circumstances, you might want to increase or decrease the TLS handle expiry time. For example, you might want to decrease the TLS handle expiry time in a scenario where a user's certificate is revoked by an administrator and the certificate has expired. In this scenario, the user can still connect to the network if an NPS server has a cached TLS handle that has not expired. Reducing the TLS handle expiry might help prevent such users with revoked certificates from reconnecting.
Note
The best solution to this scenario is to disable the user account in Active Directory, or to remove the user account from the Active Directory group that is granted permission to connect to the network in network policy. The propagation of these changes to all domain controllers might also be delayed, however, due to replication latency.
Use the following tasks to configure the TLS handle expiry:
• Configure the TLS Handle Expiry Time on Client Computers
• Configure the TLS Handle Expiry Time on NPS Servers
Configure the TLS Handle Expiry Time on Client Computers
Use this procedure to change the amount of time that client computers cache the Transport Layer Security (TLS) handle of an NPS server. After successfully authenticating an NPS server, client computers cache TLS connection properties of the NPS server as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.
Important
This procedure must be performed on an NPS server, not on a client computer.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To configure the TLS handle expiry time on client computers
1. On an NPS server, open Registry Editor.
2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. On the Edit menu, click New, and then click Key.
4. Type ClientCacheTime, and then press ENTER.
5. Right-click ClientCacheTime, click New, and then click DWORD (32-bit) Value.
6. Type the amount of time, in milliseconds, that you want client computers to cache the TLS handle of an NPS server after the first successful authentication attempt by the NPS server.
Configure the TLS Handle Expiry Time on NPS Servers
Use this procedure to change the amount of time that NPS servers cache the Transport Layer Security (TLS) handle of client computers. After successfully authenticating an access client, NPS servers cache TLS connection properties of the client computer as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.
Important
This procedure must be performed on an NPS server, not on a client computer.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To configure the TLS handle expiry time on NPS servers using the Windows interface
1. On an NPS server, open Registry Editor.
2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. On the Edit menu, click New, and then click Key.
4. Type ServerCacheTime, and then press ENTER.
5. Right-click ServerCacheTime, click New, and then click DWORD (32-bit) Value.
6. Type the amount of time, in milliseconds, that you want NPS servers to cache the TLS handle of a client computer after the first successful authentication attempt by the client.
Obtain the SHA-1 Hash of a Trusted Root CA Certificate
Use this procedure to obtain the Secure Hash Algorithm (SHA-1) hash of a trusted root certification authority (CA) from a certificate that is installed on the local computer. In some circumstances, such as when deploying Group Policy, it is necessary to designate a certificate by using the SHA-1 hash of the certificate. When using Group Policy, you can designate one or more trusted root CA certificates that clients must use in order to authenticate the NPS server during the process of mutual authentication with EAP or PEAP. To designate a trusted root CA certificate that clients must use to validate the server certificate, you can enter the SHA-1 hash of the certificate.
This procedure demonstrates how to obtain the SHA-1 hash of a trusted root CA certificate by using the Certificates Microsoft Management Console (MMC) snap-in.
Administrative credentials
To complete this procedure, you must be a member of the Users group on the local computer.
To obtain the SHA-1 hash of a trusted root CA certificate
1. Click Start, click Run, type mmc, and then click OK. The Add or Remove Snap-ins dialog box opens.
2. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The Certificates snap-in wizard opens. Click Computer account, and then click Next.
3. In Select Computer, ensure that Local computer (the computer this console is running on) is selected, click Finish, and then click OK.
4. In the left pane, double-click Certificates (Local Computer), and then double-click the Trusted Root Certification Authorities folder.
5. The Certificates folder is a subfolder of the Trusted Root Certification Authorities folder. Click the Certificates folder.
6. In the details pane, browse to the certificate for your trusted root CA. Double-click the certificate. The Certificate dialog box opens.
7. In the Certificate dialog box, click the Details tab.
8. In the list of fields, scroll to and select Thumbprint.
9. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. Select the SHA-1 hash, and then press the Windows keyboard shortcut for the Copy command (CTRL+C) to copy the hash to the Windows clipboard.
10. Open the location to which you want to paste the SHA-1 hash, correctly locate the cursor, and then press the Windows keyboard shortcut for the Paste command (CTRL+V).
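The Thumbprint field that the procedure above copies is the SHA-1 digest of the certificate's DER encoding. As an added example (not part of the Microsoft guide), the following Python functions compute that same value from a PEM copy of the root CA certificate and normalize a thumbprint pasted from the dialog (spaces, colons, letter case, and the invisible left-to-right mark that can be copied along with it) so that the value entered in Group Policy can be checked against the certificate itself. The sample "certificate" is constructed stand-in bytes wrapped in PEM armour, not a real certificate; the hashing and normalization are the same for a real one.

```python
import base64
import hashlib
import re

# Added example (not Microsoft code): the Thumbprint shown by the Certificates
# snap-in is SHA-1 over the certificate's DER encoding. Compute and compare it.

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Strip the BEGIN/END armour from the first certificate block and base64-decode it."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_thumbprint(der_bytes):
    """Lowercase 40-hex-digit SHA-1 of the DER encoding (the snap-in's Thumbprint field)."""
    return hashlib.sha1(der_bytes).hexdigest()


def format_like_snapin(thumbprint_hex):
    """Render the digest the way the Details tab does: byte pairs separated by spaces."""
    return " ".join(thumbprint_hex[i:i + 2] for i in range(0, 40, 2))


def normalize_thumbprint(text):
    """Accept the dialog's display form: spaces, colons, any case, stray U+200E/U+200F marks."""
    cleaned = re.sub(r"[\s:\u200e\u200f]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint: %r" % text)
    return cleaned


def thumbprint_matches(pem_text, displayed):
    """True when the pasted thumbprint identifies exactly this certificate."""
    return sha1_thumbprint(pem_to_der(pem_text)) == normalize_thumbprint(displayed)


# Constructed stand-in: arbitrary bytes in PEM armour, NOT a real certificate.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    tp = sha1_thumbprint(pem_to_der(SAMPLE_PEM))
    print("Thumbprint as the snap-in shows it:", format_like_snapin(tp))
    # A value copied from the dialog may arrive upper-case with a leading left-to-right mark.
    print("Pasted value matches:", thumbprint_matches(SAMPLE_PEM, "\u200e" + format_like_snapin(tp).upper()))
```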
Managing RADIUS Clients
You can configure any of the following types of RADIUS clients in NPS:
• Virtual private network (VPN) servers
• Wireless access points
• 802.1X authenticating switches
• Dial-up servers
• NPS proxies
• Terminal Services Gateway (TS Gateway) servers
To use NPS to manage network access, you must configure one or more RADIUS clients in NPS. If you are configuring an NPS proxy as a RADIUS client on an NPS server, the NPS proxy must also be configured with RADIUS clients that forward connection requests to the proxy. The proxy forwards the connection request to a remote RADIUS server group based on the connection request processing rules defined on the proxy.
The following objectives are part of managing RADIUS clients:
• Set up RADIUS Clients
• Set up RADIUS Clients by IP Address Range
Set up RADIUS Clients
When you add a new network access server (VPN server, wireless access point, authenticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS, and then configure the RADIUS client to communicate with the NPS server.
Important
Client computers, such as wireless laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers, because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
This step is also necessary when your NPS server is a member of a remote RADIUS server group that is configured on an NPS proxy. In this circumstance, in addition to performing the steps in this task on the NPS proxy, you must do the following:
• On the NPS proxy, configure a remote RADIUS server group that contains the NPS server.
• On the remote NPS server, configure the NPS proxy as a RADIUS client.
Task requirements The following are required to perform the procedures for this task: • You must have at least one network access server (VPN server, wireless access point, authenticating switch, or dial-up server) or NPS proxy physically installed on your network. To complete this task, perform the following procedures: •
Configure the Network Access Server
•
Add the Network Access Server as a RADIUS Client in NPS
48
Configure the Network Access Server

Use this procedure to configure network access servers for use with NPS. When you deploy network access servers (NASs) as RADIUS clients, you must configure each NAS to communicate with the NPS servers on which it is configured as a client. This procedure provides general guidelines for the settings you should use to configure your NASs; for specific instructions on how to configure the device you are deploying on your network, see your NAS product documentation.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the network access server
1. On the NAS, in RADIUS settings, select RADIUS authentication on User Datagram Protocol (UDP) port 1812 and RADIUS accounting on UDP port 1813.
2. In Authentication server or RADIUS server, specify your NPS server by IP address or fully qualified domain name (FQDN), depending on the requirements of the NAS.
3. In Secret or Shared secret, type a strong password. When you configure the NAS as a RADIUS client in NPS, you will use the same password, so do not forget it.
4. If you are using PEAP or EAP as an authentication method, configure the NAS to use EAP authentication.
5. If you are configuring a wireless access point, in SSID, specify a Service Set Identifier (SSID), an alphanumeric string that serves as the network name. Access points broadcast this name to wireless clients, and it is visible to users at your wireless fidelity (Wi-Fi) hotspots.
6. If you are configuring a wireless access point, in 802.1X and WEP, enable IEEE 802.1X authentication if you want to deploy PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS.
Add the Network Access Server as a RADIUS Client in NPS

Use this procedure to add a network access server (NAS) as a RADIUS client in NPS by using the NPS console.

Important
Client computers, such as wireless laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers (such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers), because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To add a network access server as a RADIUS client in NPS
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
4. In New RADIUS Client, in Friendly name, type a display name for the NAS. In Address (IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify if you want to confirm that the name is correct and maps to a valid IP address.
5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS Standard.
6. In New RADIUS Client, in Shared secret, do one of the following:
   • Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
   • Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS server.
7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.
9. Click OK.

Your NAS appears in the list of RADIUS clients configured on the NPS server.
Set up RADIUS Clients by IP Address Range

Use this procedure to configure two or more network access servers as RADIUS clients in NPS by using an IP address range. If you are running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter, you can configure RADIUS clients in NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS console at one time, rather than adding each RADIUS client individually. You cannot configure RADIUS clients by IP address range if you are running NPS on Windows Server 2008 Standard.

Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are all configured with IP addresses from the same IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To set up RADIUS clients by IP address range
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
3. In New RADIUS Client, in Friendly name, type a display name for the collection of NASs.
4. In New RADIUS Client, in Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if the NASs all have addresses in the 10.10.0.0 range with a 16-bit network prefix, type 10.10.0.0/16.
5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, or if you have NASs from multiple vendors, select RADIUS Standard.
6. In New RADIUS Client, in Shared secret, do one of the following:
   • Ensure that Manual is selected, and then in Shared secret, type the strong password that is also configured on all of the NASs. Retype the shared secret in Confirm shared secret.
   • Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NASs so that they can communicate with the NPS server.
7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if all of your NASs support use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and all of your NASs support NAP, select RADIUS client is NAP-capable.
9. Click OK.

Your NASs appear in the list of RADIUS clients configured on the NPS server.
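To show what the client address, the shared secret and the Message Authenticator option in the two procedures above mean to the server, here is an added Python example constructed for this guide (not code from NPS): a client table containing single addresses and one CIDR range, the lookup a RADIUS server performs on the source address of an incoming Access-Request (a packet from an address that matches no configured client is discarded), and the check behind the Access Request messages must contain the Message Authenticator attribute option, which is the HMAC-MD5 of the packet keyed with the client's shared secret that RFC 2869 defines. EAP and PEAP always carry this attribute because RFC 3579 requires it, which is why the option matters only for other authentication methods: without it, an Access-Request using, for example, MS-CHAP v2 carries no integrity check keyed with the shared secret, so a forged request from a spoofed client address cannot be told apart from a real one. Client names, addresses and secrets are placeholders.

```python
"""Added example (not from the guide or from NPS): RADIUS client lookup by
address or CIDR range, and Message-Authenticator verification (RFC 2869,
attribute 80) of an incoming Access-Request (RFC 2865).
The client table, names and secrets are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# What the NPS console stores per RADIUS client: an address (single host or
# CIDR range), the shared secret, and the "must contain Message
# Authenticator" check box. Constructed placeholder values.
RADIUS_CLIENTS = [
    {"name": "vpn-01", "address": "192.0.2.10",
     "secret": b"placeholder-secret-1", "require_message_authenticator": True},
    {"name": "campus-aps", "address": "10.10.0.0/16",
     "secret": b"placeholder-secret-2", "require_message_authenticator": True},
    {"name": "legacy-dialup", "address": "192.0.2.20",
     "secret": b"placeholder-secret-3", "require_message_authenticator": False},
]


def find_client(source_ip):
    """Return the client entry whose address or range covers source_ip, or
    None. A RADIUS server discards packets from unconfigured addresses."""
    ip = ipaddress.ip_address(source_ip)
    for client in RADIUS_CLIENTS:
        if ip in ipaddress.ip_network(client["address"], strict=False):
            return client
    return None


def build_access_request(identifier, attrs, secret=None):
    """Build an Access-Request from (type, value) attribute pairs. When a
    secret is given, append Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's 16 value bytes zeroed (RFC 2869, 5.14)."""
    request_authenticator = os.urandom(16)   # random per request (RFC 2865)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
              + request_authenticator + body)
    if secret is not None:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac           # the attribute was appended last
    return packet


def parse_attributes(packet):
    """Yield (type, value, value_offset) for each attribute after the header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def verify_access_request(packet, source_ip):
    """Server-side admission check. Returns (accepted, reason); accepted means
    the packet may proceed to authentication, not that the user is authentic."""
    client = find_client(source_ip)
    if client is None:
        return False, "source %s is not a configured RADIUS client" % source_ip
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length field does not match packet size"
    try:
        found = [(v, off) for t, v, off in parse_attributes(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError as err:
        return False, "malformed packet: %s" % err
    if not found:
        if client["require_message_authenticator"]:
            return False, "Message-Authenticator required for %s but absent" % client["name"]
        return True, "no Message-Authenticator; not required for %s" % client["name"]
    value, offset = found[0]
    if len(value) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(client["secret"], zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message-Authenticator mismatch: wrong shared secret or altered packet"
    return True, "Message-Authenticator verified for %s" % client["name"]


# Constructed sample request: user "alice" from an access point at 10.10.4.7.
SAMPLE_ATTRS = [(ATTR_USER_NAME, b"alice"),
                (ATTR_NAS_IP_ADDRESS, bytes([10, 10, 4, 7]))]

if __name__ == "__main__":
    good = build_access_request(7, SAMPLE_ATTRS, b"placeholder-secret-2")
    print(verify_access_request(good, "10.10.4.7"))
    print(verify_access_request(build_access_request(7, SAMPLE_ATTRS, b"wrong"), "10.10.4.7"))
```

The lookup uses the source address of the UDP datagram, not any address carried inside the packet, which is why the client table must cover every NAS address that can actually reach the server.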
Managing Network Policies

This section provides information about how to manage NPS network policies.

After NPS authenticates users or computers connecting to your network, it performs authorization to determine whether to grant the user or computer permission to connect. Authorization is performed when NPS checks the dial-in properties of user accounts in Active Directory and when NPS evaluates the connection request against the network policies configured in the NPS console.

In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account properties, the Network Access Permission setting is used by NPS to make authorization decisions, as follows:
• If the value of Network Access Permission is Deny access, NPS always denies the user access to the network, regardless of any settings in network policy.
• If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
• If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.

Note
For ease of administration of network access, it is recommended that the Network Access Permission setting always be set to Control access through NPS Network Policy. By default, if your forest functional level is Windows Server 2008, when you create a user account, the value of Network Access Permission is set to Control access through NPS Network Policy.

You can also specify connection settings in an NPS network policy that are applied after the connection is authenticated and authorized. For example, you can define IP filters for the connection that specify the network resources to which the user has permission to connect.
An ordered list of rules

When you configure multiple network policies in NPS, the policies form an ordered list of rules. NPS evaluates the policies in listed order from first to last. If a network policy matches the connection request, NPS uses that policy to determine whether to grant or deny access to the user or computer connection.

When you order the network policies in the NPS console, ensure that rules created in one policy do not unintentionally counteract the rules in a different policy. For example, a member of the Domain Users group might also be a member of the Wireless Users group that is created (by you or by another administrator) in Active Directory. Perhaps your organization has limited wireless resources, so members of the Domain Users group are denied access when connecting through wireless access points; however, members of the Wireless Users group are granted access when connecting by wireless. If the network policy that denies wireless access to Domain Users is evaluated before the Wireless Users policy, NPS denies access to members of the Wireless Users group when they attempt to connect by wireless, even though your intention is to grant them access.

The solution to this problem is to move the Wireless Users network policy higher in the list of policies in the NPS console so that it is evaluated before the Domain Users policy. In this circumstance, when a member of the Wireless Users group attempts to connect, NPS evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives a wireless connection attempt from a member of the Domain Users group who is not also a member of the Wireless Users group, the connection attempt does not match the Wireless Users policy, so that policy does not apply. Instead, NPS moves down to the Domain Users wireless policy, and then denies the connection to the member of the Domain Users group.

The following objectives are part of managing NPS network policies:
• Configure NPS for VLANs
• Configure the EAP Payload Size
• Configure NPS to Ignore User Account Dial-in Properties
Configure NPS for VLANs

By using VLAN-aware network access servers and NPS in Windows Server 2008, you can provide groups of users with access only to the network resources that are appropriate for their security permissions. For example, you can provide visitors with wireless access to the Internet without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical locations or on different physical subnets. For example, members of your sales department and their network resources, such as client computers, servers, and printers, might be located in several different buildings at your organization, but you can place all of these resources on one VLAN using the same IP address range. The VLAN then functions, from the end-user perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of users. After you have determined how you want to define your groups, you can create security groups in the Active Directory Users and Computers snap-in, and then add members to the groups.

Use the following procedure to configure a network policy using VLANs:
• Configure a Network Policy for VLANs
Configure a Network Policy for VLANs

Use this procedure to configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type, and, if your NAS requires it, Tunnel-Tag. You can use the following procedure to create a network policy that assigns users to a VLAN. This procedure is provided as a guideline; your network configuration might require different settings than those provided below.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure a network policy for VLANs
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, click the Settings tab.
4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.
5. In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.
6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:
   a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
   b. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
   c. Tunnel-Type. Select Virtual LANs (VLAN).
7. In Add Standard RADIUS Attribute, click Close.
8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy. Add the attribute as follows:
   a. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.
   b. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.
   c. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.
   d. In Attribute value, type the value that you obtained from your hardware documentation.
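On the wire, the three attributes added in step 6 are RFC 2868 tagged attributes, and the Tunnel-Tag value from step 8 is what fills their tag byte, so a NAS can group the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID values that belong together. The following Python code is an added example constructed for this guide, not taken from NPS or from any NAS: it encodes the attributes a policy sends for a VLAN assignment and decodes them as a NAS would, including the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Pvt-Group-ID is the first character of the string rather than a tag, which is why some senders omit the tag byte on that attribute entirely. The attribute numbers and the values 13 (VLAN) and 6 (802) are those registered for RFC 2868.

```python
"""Added example (not from the guide or from NPS): encoding and decoding the
RFC 2868 tunnel attributes that a VLAN network policy sends to a NAS."""
import struct

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PVT_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13     # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_802 = 6     # "802 (Includes all 802 media plus Ethernet canonical format)"


def _check_tag(tag):
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")


def _tagged_integer(attr_type, value, tag):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value does not fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, text, tag):
    """RFC 2868 tagged string: a tag byte (0x00 when unused) then the string.
    Some senders omit the byte when untagged; the decoder accepts both."""
    _check_tag(tag)
    payload = bytes([tag]) + text.encode("ascii")
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def vlan_assignment_attributes(vlan_id, tag=0):
    """The three attributes the policy adds to place the user on vlan_id.
    tag is the Tunnel-Tag value from step 8; leave it 0 when the NAS
    documentation does not call for one."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    return (_tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + _tagged_string(ATTR_TUNNEL_PVT_GROUP_ID, str(vlan_id), tag))


def decode_tunnel_attributes(data):
    """Group tunnel attributes by tag, as a NAS does:
    {tag: {"type": int, "medium": int, "group_id": str}}.
    Attributes of other types are skipped."""
    groups = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 3 or pos + attr_len > len(data):
            raise ValueError("malformed attribute length")
        value = data[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            key = "type" if attr_type == ATTR_TUNNEL_TYPE else "medium"
            groups.setdefault(tag, {})[key] = number
        elif attr_type == ATTR_TUNNEL_PVT_GROUP_ID:
            # RFC 2868 section 3.6: a first byte above 0x1F is not a tag but
            # the first character of the string, so the tag byte may be absent.
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:].decode("ascii")
            else:
                tag, text = 0, value.decode("ascii")
            groups.setdefault(tag, {})["group_id"] = text
    return groups


def assigned_vlan(data):
    """Return the group id of the first tag group that says Tunnel-Type=VLAN
    and Tunnel-Medium-Type=802, or None when no complete group exists."""
    groups = decode_tunnel_attributes(data)
    for tag in sorted(groups):
        entry = groups[tag]
        if (entry.get("type") == TUNNEL_TYPE_VLAN
                and entry.get("medium") == TUNNEL_MEDIUM_802
                and "group_id" in entry):
            return entry["group_id"]
    return None


if __name__ == "__main__":
    attrs = vlan_assignment_attributes(100, tag=1)
    print(attrs.hex(), "->", assigned_vlan(attrs))
```

A switch that receives the three attributes with different tags, or with a Tunnel-Type other than VLAN, leaves the port on its default VLAN, which is the failure mode to check first when a policy "does not take effect".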
Configure the EAP Payload Size

In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation. When you deploy NPS with network policies that use the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes. This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS server and a RADIUS client. In that case, a router or firewall positioned between the RADIUS client and the NPS server might silently discard some fragments, resulting in authentication failure and the inability of the access client to connect to the network.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
• Configure the Framed-MTU Attribute
Configure the Framed-MTU Attribute

Use this procedure to lower the maximum EAP payload size by configuring the Framed-MTU attribute in the settings of an NPS network policy in the NPS console. Perform this procedure if you have routers or firewalls that do not fragment packets. The recommended Framed-MTU value in this circumstance is 1344 bytes or less.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the Framed-MTU attribute
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, click the Settings tab.
4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.
5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.
6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.
Configure NPS to Ignore User Account Dial-in Properties

Use this procedure to configure an NPS network policy to ignore the dial-in properties of user accounts in Active Directory during the authorization process. User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.

There are two circumstances where you might want to configure NPS to ignore the dial-in properties of user accounts in Active Directory:
• When you want to simplify NPS authorization by using network policy but not all of your user accounts have the Network Access Permission property set to Control access through NPS Network Policy. For example, some user accounts might have the Network Access Permission property set to Deny access or Allow access.
• When other dial-in properties of user accounts are not applicable to the connection type configured in the network policy. For example, properties other than the Network Access Permission setting are applicable only to dial-in or VPN connections, but the network policy you are creating is for wireless or authenticating switch connections.

If a connection request matches a network policy in which this check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure NPS to ignore user account dial-in properties
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.
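The authorization rules stated at the start of Managing Network Policies, the ordering example under An ordered list of rules, and the check box in this procedure are parts of one decision. The following Python code is an added example constructed for this guide, not code from NPS: it models an account's Network Access Permission, an ordered list of network policies in which the first matching policy decides, and the per-policy Ignore user account dial-in properties setting, and it reproduces the guide's wireless example in both policy orders. Group names, user accounts and policy names are constructed; the model rejects a request that matches no policy, as NPS does.

```python
"""Added example (not from the guide or from NPS): a model of the NPS
authorization decision this guide describes: the account's Network Access
Permission dial-in property, the ordered list of network policies, and the
per-policy "Ignore user account dial-in properties" setting. Users, groups
and policies are constructed to reproduce the guide's wireless example."""
from dataclasses import dataclass

DENY_ACCESS = "Deny access"
ALLOW_ACCESS = "Allow access"
CONTROL_THROUGH_POLICY = "Control access through NPS Network Policy"


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    groups: frozenset             # condition: member of any of these groups
    access_type: str              # condition: NAS port type, e.g. "Wireless"
    grant: bool                   # the policy's own Access Permission
    ignore_dial_in: bool = False  # "Ignore user account dial-in properties"


@dataclass(frozen=True)
class UserAccount:
    name: str
    groups: frozenset
    network_access_permission: str = CONTROL_THROUGH_POLICY


def authorize(user, access_type, policies):
    """Evaluate the policies in list order; the first one whose conditions
    match decides. Returns (allowed, reason). A request that matches no
    policy is rejected."""
    for policy in policies:
        if policy.access_type != access_type or not (policy.groups & user.groups):
            continue                      # conditions not met: try the next policy
        if (not policy.ignore_dial_in
                and user.network_access_permission == DENY_ACCESS):
            return False, "Deny access on the user account (matched '%s')" % policy.name
        # With Allow access, Control access through NPS Network Policy, or a
        # policy that ignores dial-in properties, the policy's own Access
        # Permission decides; Allow access still loses to an explicit deny.
        if policy.grant:
            return True, "granted by policy '%s'" % policy.name
        return False, "denied by policy '%s'" % policy.name
    return False, "no network policy matched the connection request"


def move_to_top(policies, name):
    """Return a new list with the named policy first, as moving it up in the
    NPS console does."""
    chosen = [p for p in policies if p.name == name]
    if not chosen:
        raise ValueError("no policy named %r" % name)
    return chosen + [p for p in policies if p.name != name]


# Constructed data reproducing the guide's example.
DOMAIN_USERS = frozenset({"Domain Users"})
WIRELESS_USERS = frozenset({"Wireless Users"})
DENY_DOMAIN_USERS_WIRELESS = NetworkPolicy(
    "Deny wireless to Domain Users", DOMAIN_USERS, "Wireless", grant=False)
ALLOW_WIRELESS_USERS = NetworkPolicy(
    "Allow wireless to Wireless Users", WIRELESS_USERS, "Wireless", grant=True)
WRONG_ORDER = [DENY_DOMAIN_USERS_WIRELESS, ALLOW_WIRELESS_USERS]
RIGHT_ORDER = move_to_top(WRONG_ORDER, ALLOW_WIRELESS_USERS.name)

BOB = UserAccount("bob", frozenset({"Domain Users", "Wireless Users"}))
ALICE = UserAccount("alice", DOMAIN_USERS)
CAROL = UserAccount("carol", BOB.groups, network_access_permission=DENY_ACCESS)

if __name__ == "__main__":
    for label, order in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for user in (BOB, ALICE, CAROL):
            print(label, user.name, authorize(user, "Wireless", order))
```

Running the block shows bob denied under the wrong order and granted under the right one, alice (Domain Users only) denied under both, and carol, whose account says Deny access, denied under both until a matching policy that ignores dial-in properties is used.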