8/13/2019 06_NwPolicy
1/29
www.technocorp.co.in
Module 6
Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Module Overview
Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server
Lesson 1: Installing and Configuring Network Policy Server
What Is a Network Policy Server?
Demonstration: How to Install the Network Policy Server
Tools Used for Managing a Network Policy Server
Demonstration: How to Configure General NPS Settings
What Is a Network Policy Server?
Windows Server 2008 R2 Network Policy Server (NPS) can operate as a:
RADIUS server
RADIUS proxy
NAP policy server
Demonstration: How to Install the Network Policy Server
In this demonstration, you will see how to:
Install the NPS role
Register NPS in AD DS
Tools Used for Managing a Network Policy Server
Tools used to manage NPS include:
Netsh command line to configure all aspects of NPS, such as:
NPS Server Commands
RADIUS Client Commands
Connection Request Policy Commands
Remote RADIUS Server Group Commands
Network Policy Commands
Network Access Protection Commands
Accounting Commands
NPS MMC Console
Demonstration: How to Configure General NPS Settings
In this demonstration, you will see how to:
Configure a RADIUS server for VPN connections
Save the configuration
Lesson 2: Configuring RADIUS Clients and Servers
What Is a RADIUS Client?
What Is a RADIUS Proxy?
Demonstration: How to Configure a RADIUS Client
What Is a Connection Request Policy?
Configuring Connection Request Processing
Demonstration: How to Create a New Connection Request Policy
What Is a RADIUS Client?
RADIUS clients are network access servers, such as:
Wireless access points
802.1x authenticating switches
VPN servers
Dial-up servers
NPS is a RADIUS server
RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting
What Is a RADIUS Proxy?
A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing
A RADIUS proxy is required for:
Service providers offering outsourced dial-up, VPN, or wireless network access services
Providing authentication and authorization for user accounts that are not Active Directory members
Performing authentication and authorization using a database that is not a Windows account database
Load-balancing connection requests among multiple RADIUS servers
Providing RADIUS for outsourced service providers and limiting traffic types through the firewall
Demonstration: How to Configure a RADIUS Client
In this demonstration, you will see how to:
Configure a RADIUS client
What Is a Connection Request Policy?
Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients
Connection Request policies include:
Conditions, such as:
Framed Protocol
Service Type
Tunnel Type
Day and Time restrictions
Settings, such as:
Authentication
Accounting
Attribute Manipulation
Advanced settings
Custom Connection Request policies are required to forward the request to another proxy or RADIUS server or server group for authorization and authentication, or to specify a different server for accounting information
Configuring Connection Request Processing

Configuration: Local vs. RADIUS authentication
Description: Local authentication takes place against the local security account database or Active Directory. Connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database. RADIUS maintains a central store of all the connection policies.

Configuration: RADIUS server groups
Description: Used where one or more RADIUS servers are capable of handling connection requests. The connection requests are load-balanced on criteria specified during the creation of the RADIUS server group if there is more than one RADIUS server in the group.

Configuration: Default ports for accounting and authentication using RADIUS
Description: The ports required for accounting and authentication requests being forwarded to a RADIUS server are UDP 1812/1645 for authentication and UDP 1813/1646 for accounting.
Demonstration: How to Create a New Connection Request Policy
In this demonstration, you will see how to:
Create a VPN connection request policy
Lesson 3: NPS Authentication Methods
Password-Based Authentication Methods
Using Certificates for Authentication
Required Certificates for NPS Authentication Methods
Deploying Certificates for PEAP and EAP
Password-Based Authentication Methods
Authentication methods for an NPS server include:
MS-CHAPv2
MS-CHAP
CHAP
PAP
Unauthenticated access
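As an added illustration of the RADIUS exchange behind the port table in Lesson 2 and the PAP entry in the list above (example code written for this module, not part of the course material or of NPS): it builds and parses an Access-Request packet of the kind a RADIUS client sends to UDP 1812, applying the RFC 2865 User-Password hiding, which shows that a PAP password on the wire is protected only by the RADIUS shared secret. The shared secret, user name and password in the test are constructed sample values.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1                   # RADIUS packet code (RFC 2865)
AUTH_PORT, ACCT_PORT = 1812, 1813    # default UDP ports; 1645/1646 are the legacy pair
USER_NAME, USER_PASSWORD = 1, 2      # RADIUS attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator           # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server does with the shared secret it holds."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block                         # next block is keyed by the previous ciphertext
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, identifier=0, authenticator=None):
    """Access-Request carrying User-Name and a hidden User-Password (PAP)."""
    authenticator = authenticator or secrets.token_bytes(16)   # fresh 16 random bytes per request
    attrs = attribute(USER_NAME, user.encode()) + \
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) from a raw RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs
```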
Using Certificates for Authentication
With NPS, you use certificates for network access authentication because they:
Provide stronger security
Eliminate the need for less secure, password-based authentication
Required Certificates for NPS Authentication Methods
You require the following certificates to deploy certificate-based authentication in NPS:
CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User
Client computer certificate in the certificate store of the client
Server certificate in the certificate store of the NPS server
User certificate on a smart card
Deploying Certificates for PEAP and EAP
For Domain Computer and User accounts, use the auto-enrollment feature in Group Policy
Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
The administrator can distribute user certificates on a smart card
Lesson 4: Monitoring and Troubleshooting a Network Policy Server
Methods Used to Monitor NPS
Logging NPS Accounting
Configuring SQL Server Logging
Configuring NPS Events to Record in the Event Viewer
Methods Used to Monitor NPS
NPS monitoring methods include:
Event logging: the process of logging NPS events in the System Event log
Useful for auditing and troubleshooting connection attempts
Logging user authentication and accounting requests
Useful for connection analysis and billing purposes
Can be in a text format
Can be in a database format within a SQL instance
Logging NPS Accounting
Use the NPS console to configure logging:
1. Open NPS from the Administrative Tools menu
2. In the console tree, click Accounting
3. In the details pane, click Configure Local File Logging
4. On the Settings tab, select the information to be logged
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated
Log files should be stored on a separate partition from the system partition:
If RADIUS accounting fails due to a full hard disk, NPS stops processing connection requests
Configuring SQL Server Logging
You can use SQL Server to log RADIUS accounting data:
Requires SQL Server to have a stored procedure named report_event
NPS formats accounting data as an XML document
Can be a local or remote SQL Server database
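An added example, not from the course material or from NPS itself: a parser for the per-event XML that NPS writes to DTS-compliant accounting log files (the same XML document shape it hands to the SQL Server stored procedure), run over constructed sample events to count Access-Accept and Access-Reject packets per user and RADIUS client and to flag repeated rejections for the troubleshooting and auditing uses listed above. Element names and Packet-Type codes follow the NPS log format and the RADIUS packet codes; the events, host names, user names and the threshold are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Packet-Type values in the log are the RADIUS packet codes (RFC 2865/2866)
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 2, 3, 4

# Constructed sample in the DTS-compliant layout: one <Event> element per line
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">08/13/2019 09:00:01.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\\alice</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">AP01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">08/13/2019 09:00:05.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\\bob</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">AP01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">08/13/2019 09:00:09.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\\bob</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">AP01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">08/13/2019 09:00:13.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\\bob</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">AP01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">08/13/2019 09:00:20.000</Timestamp><Computer-Name data_type="1">NYC-EDGE1</Computer-Name><User-Name data_type="1">CONTOSO\\alice</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">AP01</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type></Event>
this line is not XML and must be skipped rather than abort the run
"""


def parse_events(text):
    """Yield {element-name: text} for each well-formed <Event> line; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:               # truncated or non-XML line: skip, do not fail
            continue
        if root.tag == "Event":
            yield {child.tag: (child.text or "") for child in root}


def summarize(text, reject_threshold=3):
    """Count accepts/rejects per (user, RADIUS client); flag pairs at or over the threshold."""
    accepted, rejected = Counter(), Counter()
    for event in parse_events(text):
        key = (event.get("User-Name"), event.get("Client-Friendly-Name"))
        packet_type = int(event.get("Packet-Type", "-1"))
        if packet_type == ACCESS_ACCEPT:
            accepted[key] += 1
        elif packet_type == ACCESS_REJECT:
            rejected[key] += 1               # Accounting-Request and others are not counted
    flagged = sorted(key for key, n in rejected.items() if n >= reject_threshold)
    return {"accepted": accepted, "rejected": rejected, "flagged": flagged}
```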
Configuring NPS Events to Record in the Event Viewer
How do I configure NPS events to be recorded in Event Viewer?
NPS is configured by default to record failed connections and successful connections in the event log
You can change this behavior on the General tab of the Properties sheet for the network policy
Common request failure events
What information does the failure event record?
What information does the success event record?
What is Schannel logging, and how do I configure it?
Schannel is a security support provider that supports a set of Internet security protocols
You can configure Schannel logging in the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
Lab: Network Policy Server
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment
Exercise 4: Configuring and Testing the VPN
Estimated time: 75 minutes
Logon information
Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd
Lab Scenario
Contoso Ltd. is expanding its remote-access solution to all its branch office employees. This will require multiple Routing and Remote Access servers located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remote-access solution. You have been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy.
Lab Review
What does a RADIUS proxy provide?
What is a RADIUS client, and what are some examples of RADIUS clients?
Module Review and Takeaways
Review Questions
Tools