06_NwPolicy

Jun 04, 2018

mystic_guy
Transcript
  • 8/13/2019 06_NwPolicy

    1/29

    www.technocorp.co.in

  • Module 6

    Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

  • Module Overview

    Installing and Configuring a Network Policy Server

    Configuring RADIUS Clients and Servers

    NPS Authentication Methods

    Monitoring and Troubleshooting a Network Policy Server

  • Lesson 1: Installing and Configuring Network Policy Server

    What Is a Network Policy Server?

    Demonstration: How to Install the Network Policy Server

    Tools Used for Managing a Network Policy Server

    Demonstration: How to Configure General NPS Settings

  • What Is a Network Policy Server?

    Windows Server 2008 R2 Network Policy Server (NPS):

    RADIUS server

    RADIUS proxy

    NAP policy server

  • Demonstration: How to Install the Network Policy Server

    In this demonstration, you will see how to:

    Install the NPS role

    Register NPS in AD DS

  • Tools Used for Managing a Network Policy Server

    Tools used to manage NPS include:

    Netsh command line to configure all aspects of NPS, such as:

        NPS Server Commands

        RADIUS Client Commands

        Connection Request Policy Commands

        Remote RADIUS Server Group Commands

        Network Policy Commands

        Network Access Protection Commands

        Accounting Commands

    NPS MMC Console

  • Demonstration: How to Configure General NPS Settings

    In this demonstration, you will see how to:

    Configure a RADIUS server for VPN connections

    Save the configuration

  • Lesson 2: Configuring RADIUS Clients and Servers

    What Is a RADIUS Client?

    What Is a RADIUS Proxy?

    Demonstration: How to Configure a RADIUS Client

    What Is a Connection Request Policy?

    Configuring Connection Request Processing

    Demonstration: How to Create a New Connection Request Policy

  • What Is a RADIUS Client?

    RADIUS clients are network access servers, such as:

        Wireless access points

        802.1x authenticating switches

        VPN servers

        Dial-up servers

    NPS is a RADIUS server

    RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting

  • What Is a RADIUS Proxy?

    A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing

    A RADIUS proxy is required for:

        Service providers offering outsourced dial-up, VPN, or wireless network access services

        Providing authentication and authorization for user accounts that are not Active Directory members

        Performing authentication and authorization using a database that is not a Windows account database

        Load-balancing connection requests among multiple RADIUS servers

        Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

  • Demonstration: How to Configure a RADIUS Client

    In this demonstration, you will see how to:

    Configure a RADIUS client
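
The RADIUS client step and the "save the configuration" step can also be done with the Netsh RADIUS client and NPS server commands listed earlier. The following is an added example, not part of the original slides; the client name, address and export path are placeholder assumptions.

```powershell
# Added example: placeholder values below are assumptions, not taken from the slides.
$clientName = 'BRANCH-VPN-PLACEHOLDER'
$clientAddr = '192.0.2.10'                    # RFC 5737 documentation address
$exportFile = 'C:\NPSBackup\nps-config.xml'

function New-SharedSecret([int]$Length = 32) {
    # Alphanumeric only, so the value needs no quoting on the netsh command line.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Register the network access server as a RADIUS client with a random shared secret.
$secret = New-SharedSecret
netsh nps add client name=$clientName address=$clientAddr state=enable sharedsecret=$secret
netsh nps show client                         # confirm the client is listed and enabled

# Save the configuration. exportPSK=YES writes the shared secrets into the file
# unencrypted, so restrict the file to administrators and SYSTEM.
New-Item -ItemType Directory -Path (Split-Path $exportFile) -Force | Out-Null
netsh nps export filename=$exportFile exportPSK=YES
icacls $exportFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F'

# The same secret must be entered on the access server; clear it from the session afterwards.
Write-Host "Shared secret for ${clientName}: $secret"
Remove-Variable secret
```

Run it from an elevated prompt on the NPS server, and use a separate secret for each RADIUS client so that one exposed device does not affect the others.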

  • What Is a Connection Request Policy?

    Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients

    Connection Request policies include:

    Conditions, such as:

        Framed Protocol

        Service Type

        Tunnel Type

        Day and Time restrictions

    Settings, such as:

        Authentication

        Accounting

        Attribute Manipulation

        Advanced settings

    Custom Connection Request policies are required to forward the request to another proxy or RADIUS server or server group for authorization and authentication, or to specify a different server for accounting information

  • Configuring Connection Request Processing

    Configuration: Local vs. RADIUS authentication

    Description: Local authentication takes place against the local security account database or Active Directory. Connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database. RADIUS maintains a central store of all the connection policies.

    Configuration: RADIUS server groups

    Description: Used where one or more RADIUS servers are capable of handling connection requests. The connection requests are load-balanced on criteria specified during the creation of the RADIUS server group if there is more than one RADIUS server in the group.

    Configuration: Default ports for accounting and authentication using RADIUS

    Description: The ports required for accounting and authentication requests being forwarded to a RADIUS server are UDP 1812/1645 and UDP 1813/1646.

  • Demonstration: How to Create a New Connection Request Policy

    In this demonstration, you will see how to:

    Create a VPN connection request policy

  • Lesson 3: NPS Authentication Methods

    Password-Based Authentication Methods

    Using Certificates for Authentication

    Required Certificates for NPS Authentication Methods

    Deploying Certificates for PEAP and EAP

  • Password-Based Authentication Methods

    Authentication methods for an NPS server include:

    MS-CHAPv2

    MS-CHAP

    CHAP

    PAP

    Unauthenticated access

  • Using Certificates for Authentication

    With NPS, you use certificates for network access authentication because they:

    Provide stronger security

    Eliminate the need for less secure, password-based authentication

  • Required Certificates for NPS Authentication Methods

    You require the following certificates to deploy certificate-based authentication in NPS:

    CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User

    Client computer certificate in the certificate store of the client

    Server certificate in the certificate store of the NPS server

    User certificate on a smart card

  • Deploying Certificates for PEAP and EAP

    For Domain Computer and User accounts, use the auto-enrollment feature in Group Policy

    Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool

    The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer

    The administrator can distribute user certificates on a smart card

  • Lesson 4: Monitoring and Troubleshooting a Network Policy Server

    Methods Used to Monitor NPS

    Logging NPS Accounting

    Configuring SQL Server Logging

    Configuring NPS Events to Record in the Event Viewer

  • Methods Used to Monitor NPS

    NPS monitoring methods include:

    Event logging

        The process of logging NPS events in the System Event log

        Useful for auditing and troubleshooting connection attempts

    Logging user authentication and accounting requests

        Useful for connection analysis and billing purposes

        Can be in a text format

        Can be in a database format within a SQL instance

  • Logging NPS Accounting

    Use the NPS console to configure logging:

    1. Open NPS from the Administrative Tools menu

    2. In the console tree, click Accounting

    3. In the details pane, click Configure Local File Logging

    4. On the Settings tab, select the information to be logged

    5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated

    Log files should be stored on a separate partition from the system partition:

    If RADIUS accounting fails due to a full hard disk, NPS stops processing connection requests
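
Because a full log volume stops NPS from processing connection requests, the log location is worth checking on a schedule. The following is an added example, not part of the original slides; `$logDir` and the 15 percent threshold are assumptions, so substitute the local directory set on the Log File tab.

```powershell
# Added example. $logDir is an assumption: use the directory set on the Log File tab.
$logDir     = 'D:\NPSLogs'
$minFreePct = 15                 # alert threshold, chosen for illustration

function Test-NpsLogVolume([string]$Path, [int]$MinFreePct) {
    # Resolve the volume that holds the accounting logs (local drive paths only).
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')      # e.g. 'D:'
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { throw "Volume $drive not found" }

    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    $logSize = (Get-ChildItem $Path -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object Length -Sum).Sum

    $onSystem = ($drive -ieq $env:SystemDrive)
    New-Object PSObject -Property @{
        Drive          = $drive
        OnSystemDrive  = $onSystem                    # slide guidance: should be False
        FreePercent    = $freePct
        LogFilesMB     = [math]::Round($logSize / 1MB, 1)
        NeedsAttention = ($onSystem -or $freePct -lt $MinFreePct)
    }
}

$result = Test-NpsLogVolume $logDir $minFreePct
$result | Format-List
if ($result.NeedsAttention) {
    Write-Warning "NPS log volume $($result.Drive): $($result.FreePercent)% free, on system drive = $($result.OnSystemDrive)"
}
```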

  • Configuring SQL Server Logging

    You can use SQL to log RADIUS accounting data:

    Requires SQL to have a stored procedure named report_event

    NPS formats accounting data as an XML document

    Can be a local or remote SQL Server database

  • Configuring NPS Events to Record in the Event Viewer

    How do I configure NPS events to be recorded in Event Viewer?

        NPS is configured by default to record failed connections and successful connections in the event log

        You can change this behavior on the General tab of the Properties sheet for the network policy

    Common request failure events

        What information does the failure event record?

        What information does the success event record?

    What is Schannel logging, and how do I configure it?

        Schannel is a security support provider that supports a set of Internet security protocols

        You can configure Schannel logging in the following Registry key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
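
`EventLogging` is a REG_DWORD value under the `SCHANNEL` key and is read as a bitmask (1 = errors, 2 = warnings, 4 = informational and success events, 0 = none). The following is an added example, not part of the original slides, that reads, decodes and sets it; the function names are hypothetical.

```powershell
# Added example. Function names are hypothetical; the registry path is the one on the slide.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$flags = @{ 1 = 'errors'; 2 = 'warnings'; 4 = 'informational and success events' }

function Get-SchannelLogging {
    # Returns the current mask with the enabled categories spelled out.
    $v = (Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $v) { return 'EventLogging is not set' }
    if ($v -eq 0)     { return '0 = no Schannel events logged' }
    $on = $flags.Keys | Sort-Object | Where-Object { $v -band $_ } | ForEach-Object { $flags[$_] }
    '{0} = {1}' -f $v, ($on -join ', ')
}

function Set-SchannelLogging([int]$Mask) {
    # Valid masks are combinations of 1, 2 and 4, so 0 through 7.
    if ($Mask -lt 0 -or $Mask -gt 7) { throw 'Mask must be between 0 and 7' }
    New-ItemProperty -Path $key -Name EventLogging -PropertyType DWord -Value $Mask -Force | Out-Null
}

"Before: $(Get-SchannelLogging)"
Set-SchannelLogging 3            # errors + warnings while troubleshooting PEAP or EAP-TLS
"After:  $(Get-SchannelLogging)"

# Schannel writes to the System log; review the most recent entries.
Get-EventLog -LogName System -Source Schannel -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-List
```

Record the "Before" value so the setting can be returned to it once troubleshooting is finished.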

  • Network Policy Server

    Exercise 1: Installing and Configuring the Network Policy Server Role Service

    Exercise 2: Configuring a RADIUS Client

    Exercise 3: Configuring Certificate Auto-Enrollment

    Exercise 4: Configuring and Testing the VPN

    Estimated time: 75 minutes

    Logon information

    Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1

    User name: Contoso\Administrator

    Password: Pa$$w0rd

  • Lab Scenario

    Contoso Ltd. is expanding its remote-access solution to all its branch office employees. This will require multiple Routing and Remote Access servers located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remote-access solution. You have been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy.

  • Lab Review

    What does a RADIUS proxy provide?

    What is a RADIUS client, and what are some examples of RADIUS clients?

  • Module Review and Takeaways

    Review Questions

    Tools