Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service. Presentation: 60 minutes. Lab: 60 minutes.

Presentation transcript:

Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Instructor notes: This module helps students install, configure, and troubleshoot the Network Policy Server (NPS) Role Service. After completing this module, students will be able to:
Install and configure a Network Policy server.
Configure Remote Authentication Dial-In User Service (RADIUS) clients and servers.
Describe NPS authentication methods.
Monitor and troubleshoot a Network Policy server.

Required materials: To teach this module, you need the Microsoft® Office PowerPoint® file 6421A_07.ppt. Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks: To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
Make sure that students are aware that the Course Companion CD has additional information and resources for this module.

Module Overview
Installing and Configuring a Network Policy Server
Configuring RADIUS Clients and Servers
NPS Authentication Methods
Monitoring and Troubleshooting a Network Policy Server

Lesson 1: Installing and Configuring a Network Policy Server
What Is a Network Policy Server?
Network Policy Server Usage Scenarios
Demonstration: How to Install the Network Policy Server
Tools Used for Managing a Network Policy Server
Demonstration: Configuring General NPS Settings

What Is a Network Policy Server?

Windows Server 2008 Network Policy Server (NPS) is:
A RADIUS server
A RADIUS proxy
A Network Access Protection (NAP) policy server

Instructor notes: Describe the NPS Role Service. The students should understand that policies created on Routing and Remote Access servers are local to the server hosting the role. In the case of RADIUS (NPS), an environment with numerous Remote Access Service (RAS) servers can store all the policies in one place, the NPS RADIUS server, which removes the need to duplicate the policies on individual RAS servers. Detailed logging and accounting are also available when you use the RADIUS authentication and authorization service.

References: Help Topic: Network Policy Server

Network Policy Server Usage Scenarios

NPS is used for the following scenarios:
Network Access Protection:
Enforcement for IPsec traffic
Enforcement for 802.1x wired and wireless
Enforcement for DHCP
Enforcement for VPN
Secure Wired and Wireless Access
RADIUS
Terminal Server Gateway

Instructor notes: Explain to students that the Network Access Protection (NAP) scenarios involve NPS evaluating statements of health (SoH) sent by NAP-capable client computers that connect to the network. Access is granted depending on the client's health compared to the server's NAP policies. NAP is covered in detail in a later topic. Secure wired/wireless access requires 802.1x authenticating switches and 802.1x-capable wireless access points. RADIUS offers central policy management for remote access. It is also used for Connection Authorization Policies for Terminal Server Gateway.

References: Microsoft TechNet: Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=99823&clcid=0x409

Demonstration: How to Install the Network Policy Server

In this demonstration, you will see how to install the Network Policy Server.

Instructor notes:
1. Install the Network Policy and Access Services server role from Add Roles in Server Manager.
2. On the Select Role Services page, select Network Policy Server, click Next, and then click Install.
3. Open the NPS administrative tool from the Administrative Tools menu.

Tools Used for Managing a Network Policy Server

Tools used to manage NPS include:
NPS MMC Console
Netsh command line, which can configure all aspects of NPS, such as:
NPS Server Commands
RADIUS Client Commands
Connection Request Policy Commands
Remote RADIUS Server Group Commands
Network Policy Commands
Network Access Protection Commands
Accounting Commands

Instructor notes: You can use the NPS console that is available after installation to manage the local NPS server only. For remote NPS administration, use the NPS Microsoft Management Console (MMC) snap-in. The netsh command-line tool is also available for NPS management tasks.

References: Help Topic: NPS Console. Help Topic: Netsh Commands for Network Policy Server (NPS).

Demonstration: Configuring General NPS Settings

In this demonstration, you will see how to configure general NPS settings.

Instructor notes: Demonstrate how to configure general NPS settings:
1. Open the NPS console: click Start, point to Administration Tools, and then click Network Policy Server.
2. From the console tree, right-click NPS (local), and select Import or Export, depending on the task:
If importing, on the Import NPS Configuration page, browse to the .xml configuration file that you want to use.
If exporting, select the I am aware that I am exporting all shared secrets option. Also, be aware that the Microsoft SQL Server logging settings are NOT exported to the file; you must configure SQL Server logging manually on the server to which you are importing the configuration file. Click OK, and specify a file name and the location in which to store the XML file.
3. To start or stop the NPS service, right-click NPS (local) in the console tree, and select the appropriate action from the context menu.
4. Because NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory® directory service, the server must be registered with Active Directory. Right-click NPS (local) in the console tree, and then click Register in Active Directory.

Note: To register the NPS server in the default domain using the netsh command:
1. Log on to the NPS server with an account that has administrative credentials for the domain.
2. Open a command prompt.
3. At the command prompt, type: netsh ras add registeredserver

References: Help Topic: Register the NPS server in Active Directory

Lesson 2: Configuring RADIUS Clients and Servers
What Is a RADIUS Client?
What Is a RADIUS Proxy?
Demonstration: Configuring a RADIUS Client
Configuring Connection Request Processing
What Is a Connection Request Policy?
Demonstration: Creating a New Connection Request Policy

What Is a RADIUS Client?

NPS is a RADIUS server. RADIUS clients are network access servers, such as:
Wireless access points
802.1x authenticating switches
VPN servers
Dial-up servers
RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting.

Instructor notes: Emphasize to students that client computers, such as wireless laptops and other computers running client operating systems, are not RADIUS clients. RADIUS clients are the network access devices that offer connectivity to the user from the wired local area network (LAN), wireless environments, and remote access solutions.

References: Help Topic: RADIUS Clients

What Is a RADIUS Proxy?

A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or to another RADIUS proxy for further routing. A RADIUS proxy is required for:
Service providers offering outsourced dial-up, VPN, or wireless network access services
Providing authentication and authorization for user accounts that are not Active Directory members
Performing authentication and authorization using a database that is not a Windows account database
Load-balancing connection requests among multiple RADIUS servers
Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

Instructor notes: Explain that when you configure NPS as a RADIUS proxy, it receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or to another RADIUS proxy for further routing. Explain when a RADIUS proxy is required:
You are a service provider who offers outsourced dial-up, VPN, or wireless network access services. Connection requests are forwarded to customer-maintained RADIUS servers for authentication and authorization based on the request's realm name.
You want to provide authentication and authorization for user accounts that are not Active Directory members.
You want to perform authentication and authorization by using a database that is not a Windows account database.
You want to load-balance connection requests among multiple RADIUS servers.
You want to provide RADIUS for outsourced service providers, and you need to limit traffic types through the firewall.
Ask the students for some examples where the proxy is useful. Engage the students' ideas to further the discussion and help solidify their understanding of it.

References: Help Topic: RADIUS Proxy

Demonstration: Configuring a RADIUS Client

In this demonstration, you will see how to:
Add a new RADIUS client to NPS
Configure Routing and Remote Access as a RADIUS client

Instructor notes: Demonstrate how to:
Use the NPS console to add a RADIUS client: In the NPS console, click RADIUS Clients and Servers in the console tree, and in the details pane, click Configure RADIUS Clients. Right-click RADIUS Client, and then click Configure New RADIUS Client. Fill in the fields in the New RADIUS Client dialog box, and then click OK.
Use the Routing and Remote Access console to configure Routing and Remote Access as a RADIUS client: In the Routing and Remote Access console, right-click the server name, and then click Properties. On the Security tab, specify RADIUS as the Authentication provider and set its properties. Do the same for the Accounting provider on the Security tab.
Note: If NPS is installed on the same server, the dialog boxes to configure Authentication and Accounting do not appear. Instead, you use NPS to create authentication policies.

References: Routing and Remote Access Help Topic: Server Properties – Security Tab. Help Topic: Add a New RADIUS Client.

Configuring Connection Request Processing

Local vs. RADIUS authentication: Local authentication takes place against the local security account database or Active Directory, and the connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database; RADIUS maintains a central store of all the connection policies.

RADIUS server groups: Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, the connection requests are load-balanced according to criteria specified when the RADIUS server group is created.

Default ports for accounting and authentication using RADIUS: The ports required for authentication and accounting requests forwarded to a RADIUS server are UDP 1812/1645 (authentication) and UDP 1813/1646 (accounting).

Instructor notes: Emphasize that environments with multiple remote access servers are best served by RADIUS, where all the policies are located centrally and are created once in NPS. Describe the load-balancing benefit that RADIUS server groups provide. Regarding ports, mention the security benefit of having a RADIUS proxy outside the firewall, with firewall policies that allow UDP 1812/1645 and 1813/1646 for communication between the proxy and the internal RADIUS server.

References: Help Topic: Remote RADIUS Server Groups. Help Topic: Configure NPS UDP Port Information.

What Is a Connection Request Policy?

Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients. Connection Request policies include:
Conditions, such as:
Framed Protocol
Service Type
Tunnel Type
Day and Time restrictions
Settings, such as:
Authentication
Accounting
Attribute Manipulation
Advanced settings
Custom Connection Request policies are required to forward the request to another proxy, RADIUS server, or server group for authorization and authentication, or to specify a different server for accounting information.

Instructor notes: Go over the three sections of each policy:
Overview (enable/disable)
Conditions
Settings (authentication and accounting behaviors)
Open the default policy in NPS by launching the NPS console from Administration Tools. Expand Policies in the console tree, select Connection Request Policies, and then double-click Default Policy to view the settings. Ask the students for some scenarios where custom connection policies would be required. Examples include a scenario in which policies exist with different realm names for RADIUS authentication and authorization, or a scenario in which a different accounting server is required.

References: Help Topic: Connection Request Policies. NPS Help Topic: Connection Request Policies.

Demonstration: Creating a New Connection Request Policy

In this demonstration, you will see how to:
Use the Connection Request Policy wizard to create a new connection request policy
Disable or delete a connection request policy

Instructor notes: Demonstrate how to add a new connection request policy using the Windows interface and how to disable a policy.
Note: Membership in the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer is required to complete this procedure.
To add a new connection request policy using the Windows interface:
1. Open the NPS console, and then double-click Policies.
2. In the console tree, right-click Connection Request Policies, and then click New Connection Request Policy.
3. Use the New Connection Request Policy Wizard to configure your connection request policy and, if not previously configured, a remote RADIUS server group.
Note: The processing order for these policies is from the top down, so make sure the policies are arranged in the order you want them processed.
To disable a policy: Right-click the policy in the Details pane, and from the context menu, click Disabled. You can also open the policy and clear Policy Enabled on the Overview tab.
After you create custom policies in NPS, you can delete the default policy or move it to the bottom of the list so that it is processed last. To delete the default policy, right-click the policy, and click Delete from the context menu.

References: Help Topic: Add a Connection Request Policy. Help Topic: Connection Request Processing.

Lesson 3: NPS Authentication Methods
Password-Based Authentication Methods
Using Certificates for Authentication
Required Certificates for NPS Authentication Methods
Deploying Certificates for PEAP and EAP

Password-Based Authentication Methods

Authentication methods for an NPS server include:
MS-CHAPv2
MS-CHAP
CHAP
PAP
Unauthenticated access
Password-based authentication does not provide strong security; therefore, we do not recommend these methods. When password-based authentication is allowed, it is processed from the most secure (MS-CHAPv2) to the least secure (Unauthenticated access).

Instructor notes: Ensure that the students realize that if the clients using the service are all Microsoft clients, MS-CHAPv2 should be the only method allowed for a password-based solution. Challenge Handshake Authentication Protocol (CHAP) may be allowed if support for non-Microsoft clients is necessary. Password Authentication Protocol (PAP) sends the password in plain text, and any sniffer can capture the transmission. Unauthenticated access is required for Guest account access, and we do not recommend it.

References: Help Topic: Password-Based Authentication Methods

Using Certificates for Authentication

Certificate-based authentication in NPS:
Certificates can be obtained from public CA providers, or you can host your own Active Directory Certificate Services.
To specify certificate-based authentication in a network policy, configure the authentication methods on the Constraints tab.
Certificate types:
CA certificate: Verifies the trust path of other certificates
Client computer certificate: Issued to the computer to prove its identity to NPS during authentication
Server certificate: Issued to an NPS server to prove its identity to client computers during authentication
User certificate: Issued to individuals to prove their identity to NPS servers for authentication

Instructor notes: Ensure that students understand that certificate-based authentication is the strongest authentication that can take place in NPS and that we recommend it highly. Consider facilitating a discussion about the advantages and disadvantages of hosting your own certificate server, as well as the advantages and disadvantages of using a public certificate authority (CA) vendor for your certificate needs.

References: Help Topic: Certificates and NPS

Required Certificates for NPS Authentication Methods

All certificates must meet the requirements for X.509 and must work for connections that use SSL/TLS.

Server certificates:
Must contain a Subject attribute that is not NULL
Must chain to a trusted root CA
Configured with the Server Authentication purpose in the EKU extension
Configured with the required algorithm of RSA with a minimum 2048-bit key length
Subject Alternative Name extension, if used, must contain the DNS name

Client certificates:
Issued by an Enterprise CA or mapped to an account in Active Directory
For computer certificates, the Subject Alternative Name must contain the FQDN
For user certificates, the Subject Alternative Name must contain the UPN

Instructor notes: Explain that you can use private or public CAs for certificate needs. However, private CAs are the most cost-effective solution for most organizations. Using certificates removes the temptation to fall back on less secure password-based authentication methods in order to avoid extra administration and configuration costs; those added costs are outweighed by the additional security that this method provides.

References: Help Topic: Certificate Requirements for PEAP and EAP. Help Topic: Certificates and NPS.

Deploying Certificates for PEAP and EAP

Guidelines for deploying certificates for Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP):
For Domain Computer and User accounts, use the auto-enrollment feature in Group Policy.
Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool.
The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer.
The administrator can distribute user certificates on a smart card.

Instructor notes: Explain that certificate deployment to enterprise users and computers is greatly simplified by using the auto-enrollment feature. Leverage the infrastructure to automate as much of the process as possible. With auto-enrollment, Domain Computer and User accounts acquire the necessary certificates automatically at the next Group Policy refresh interval, or sooner if you force a Group Policy refresh with GPupdate. For nondomain members, in cases where the computer is not accessible to the administrator, a domain user whom the administrator trusts can install the certificate.

References: Help Topic: Certificates and NPS. Help Topic: EAP and NPS. Help Topic: PEAP and NPS.

Lesson 4: Monitoring and Troubleshooting a Network Policy Server
Methods Used to Monitor NPS
Configuring Log File Properties
Configuring SQL Server Logging
Configuring NPS Events to Record in the Event Viewer

Methods Used to Monitor NPS

NPS monitoring methods include:
Event logging:
The process of logging NPS events in the System event log
Useful for auditing and troubleshooting connection attempts
Logging user authentication and accounting requests:
Useful for connection analysis and billing purposes
Can be in a text format
Can be in a database format within a SQL Server instance

Instructor notes: Describe some of the best practices for logging:
Turn on logging for both authentication and accounting records. Make modifications after you determine what is appropriate for your environment.
Ensure that you configure event logging with sufficient capacity to maintain the logs.
Back up log files regularly, because they cannot be recreated if damaged or deleted.
Use redundant SQL servers on different subnets configured for database replication.
Use the RADIUS Class attribute to track usage and identify which department or user to charge for usage.
See the references for more best-practice information related to NPS logging.

References: Help Topic: NPS Best Practices

Configuring Log File Properties

Use the NPS console to configure logging:
1. Open NPS from the Administrative Tools menu.
2. In the console tree, click Accounting.
3. In the details pane, click Configure Local File Logging.
4. On the Settings tab, select the information to be logged.
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated.
Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails due to a full hard disk, NPS stops processing connection requests.

Instructor notes: Ensure that students understand that any logging that takes place should be done off the system partition and should be configured so that the data collected is the most useful for the enterprise in which NPS is being used. Mention that the output can be sent to external applications via piping, and that you can also specify UNC paths for network locations. NPSparse.exe can be used to view the log data.

References: Help Topic: Configure Log File Properties. Help Topic: NPS Best Practices.

Configuring SQL Server Logging

You can use SQL Server to log RADIUS accounting data:
- Requires the SQL Server database to have a stored procedure named report_event.
- NPS formats accounting data as an XML document.
- Can be a local or remote SQL Server database.
- Logging to a SQL Server instance is the more favorable option, if SQL Server is available.
- You can configure the maximum number of concurrent sessions between SQL Server and NPS.

Presenter notes: explain how to configure SQL Server logging in NPS:
1. Open the Network Policy Server MMC, and in the console tree, click Accounting.
2. In the details pane, under SQL Server Logging, click Configure SQL Server Logging. The SQL Server dialog box opens.
3. Specify the information you wish to log in the Log the Following Information section.
4. Configure the maximum number of concurrent connections between NPS and SQL Server.
5. Click Configure to configure the SQL Server data source.
References: Help Topic: Configure SQL Logging in NPS
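The slide says the target database must contain a stored procedure named report_event and that NPS hands it each accounting record as an XML document, but it does not show what that procedure looks like. The following is an added example, not course material or Microsoft's sample: it creates a table and a report_event procedure through Invoke-Sqlcmd (SqlServer PowerShell module), then calls the procedure with a constructed event to prove it works before NPS is pointed at it. The instance name, database name, table and column names are placeholders; the XML element names User-Name and Packet-Type are assumed from the NPS accounting XML and should be checked against a captured event from your own server.

```powershell
# Added example (not from the course): create the report_event procedure that NPS
# SQL Server logging calls, plus a table that keeps the whole XML event.
# Assumes the SqlServer module (Invoke-Sqlcmd) and a SQL Server 2016 SP1+ instance
# (for CREATE OR ALTER). Instance and database names are placeholders.
param(
    [string]$ServerInstance = 'SQL01\NPSLOG',   # assumed
    [string]$Database       = 'NpsAccounting'   # assumed; must already exist
)

$createTable = @"
IF OBJECT_ID('dbo.nps_event', 'U') IS NULL
CREATE TABLE dbo.nps_event (
    event_id    bigint IDENTITY(1,1) PRIMARY KEY,
    received_at datetime2     NOT NULL,
    user_name   nvarchar(256) NULL,
    packet_type int           NULL,      -- RADIUS code: 1 Access-Request, 2 Accept, 3 Reject, 4 Accounting-Request
    event_xml   xml           NOT NULL   -- full document, so nothing NPS sent is lost
);
"@

# NPS passes the whole accounting record as one XML document in a single parameter.
# Two fields are promoted to columns for querying; the rest stays queryable via XQuery.
$createProc = @"
CREATE OR ALTER PROCEDURE dbo.report_event
    @doc_in ntext
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @x xml = CONVERT(xml, CONVERT(nvarchar(max), @doc_in));
    INSERT INTO dbo.nps_event (received_at, user_name, packet_type, event_xml)
    VALUES (SYSUTCDATETIME(),
            @x.value('(/Event/User-Name)[1]', 'nvarchar(256)'),   -- assumed element name
            @x.value('(/Event/Packet-Type)[1]', 'int'),           -- assumed element name
            @x);
END
"@

Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $createTable
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $createProc

# Smoke test with a constructed event (made-up values) so a broken procedure is
# found here rather than by NPS, which stops processing requests if accounting fails.
$sample = '<Event><Timestamp>2024-01-01 00:00:00</Timestamp><User-Name>CONTOSO\alice</User-Name><Packet-Type>3</Packet-Type></Event>'
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query "EXEC dbo.report_event @doc_in = N'$sample'"
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
    -Query 'SELECT TOP 5 received_at, user_name, packet_type FROM dbo.nps_event ORDER BY event_id DESC'
```

The account that NPS uses in the data source dialog needs EXECUTE on dbo.report_event and nothing else; keeping the raw XML column means a later change in which fields you care about does not require re-logging, and the Class attribute can be extracted from it for the usage tracking described under best practices.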

Configuring NPS Events to Record in the Event Viewer

How do I configure NPS events to be recorded in Event Viewer?
- NPS is configured by default to record failed connections and successful connections in the event log.
- You can change this behavior on the General tab of the Properties sheet for the network policy.
- Common request failure events
- What information does the failure event record?
- What information does the success event record?

What is Schannel logging, and how do I configure it?
- Schannel is a security support provider that supports a set of Internet security protocols.
- You can configure Schannel logging in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging

Presenter notes: explain that connection requests are rejected or ignored for a variety of reasons, including:
- The RADIUS message is not formatted according to Request for Comments (RFC) 2865 or 2866.
- The RADIUS client is unknown.
- The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS.
- The shared secret is invalid.
- The message authenticator that the client sent is invalid.
- NPS was unable to locate the user's domain.
- NPS was unable to connect to the user's domain.
- NPS was unable to access the user account in the domain.
When NPS rejects a request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the first matching policy, the reason for rejection, and other information. When NPS accepts a request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching policy.

Logging Schannel events: Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication through encryption. Logging of client certificate validation failures is a secure channel event and is not enabled on the NPS server by default. You can enable additional secure channel events by changing the following registry value (REG_DWORD type) from 1 to 3: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
References: Help Topic: NPS Events and Event Viewer
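The registry change on this slide and the rejection reasons in the notes are both things an administrator wants scripted: the first so that it is applied consistently (and its previous value recorded), the second so that recent rejections can be reviewed without clicking through Event Viewer. The script below is an added example, not from the course. It assumes it runs elevated on the NPS server; the Security-log event IDs 6273 (access denied) and 6274 (request discarded) and the EventData field names SubjectUserName, ClientName and Reason are Windows Server 2008 and later NPS audit events and are not stated on the slide, so confirm them against an event on your own server.

```powershell
# Added example (not from the course): raise Schannel EventLogging to 3 as the slide
# describes, keeping the old value, then list recent NPS rejections from the Security log.
# Run elevated on the NPS server.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'EventLogging'

# EventLogging is a bitmask: 1 = errors, 2 = warnings, 4 = informational. The slide's
# value of 3 therefore adds warnings (which is where client certificate validation
# failures surface) to the default error-only logging.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current ${name}: $before"

if ($before -ne 3) {
    Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord
    $after = (Get-ItemProperty -Path $key -Name $name).$name
    if ($after -ne 3) { throw "Failed to set $key\$name" }
    Write-Host "$name changed from '$before' to $after"
}

# Recent NPS rejections. Event IDs and EventData field names are assumptions about
# the Windows Server 2008+ Security log, not values from the course slide.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = $d['SubjectUserName']   # the user name the slide says a reject event carries
            Client  = $d['ClientName']        # the access server (RADIUS client) identifier
            Reason  = $d['Reason']            # the rejection reason text
        }
    } |
    Sort-Object Time -Descending |
    Group-Object Reason |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Grouping by reason is deliberate: a burst of "shared secret is invalid" or "RADIUS client is unknown" from one client is a misconfiguration (or an unregistered device) to chase, whereas a spread of failures across many users after a certificate rollover points at the Schannel validation failures the slide says are silent until EventLogging is raised.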

Lab: Configuring and Managing Network Policy Server

- Exercise 1: Installing and Configuring the Network Policy Server Role Service
- Exercise 2: Configuring a RADIUS Client
- Exercise 3: Configuring Certificate Auto-Enrollment

Lab objectives:
- Install the Network Policy Server role service, and configure Network Policy Server settings
- Configure a RADIUS client
- Configure certificate auto-enrollment

Scenario: The Windows Infrastructure Services Technology Specialist has been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, wireless and wired access, RADIUS, and RADIUS proxy.

Exercise 1: Installing and Configuring the Network Policy Server Role Service. The student will install the NPS role service and configure general server settings, such as Active Directory registration.
Exercise 2: Configuring a RADIUS Client. Given a scenario and network diagram, the student will configure a RADIUS client.
Exercise 3: Configuring Certificate Auto-Enrollment. The student will configure and deploy certificate auto-enrollment to support advanced authentication.

Inputs: provided scenario; virtual machines (one configured as a CA)
Output: NPS role service installed and configured; RADIUS server configured with client settings; computers obtaining auto-enrolled certificates for authentication

Logon information:
- Virtual machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 60 minutes
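Exercises 1 and 2 are performed in the console in the lab; the script below is an added example of the same two steps done from PowerShell, not the lab's own instructions. The feature name NPAS and the NPS cmdlets exist on Windows Server 2012 and later (the course's Windows Server 2008 has no NPS PowerShell module), and the RADIUS client name NYC-WAP1 and address 10.10.0.25 are placeholders. Certificate auto-enrollment (Exercise 3) is Group Policy work on the CA side and is not covered here.

```powershell
# Added example (not from the course lab): install NPS, register it in Active Directory,
# and add one RADIUS client with a generated shared secret. Windows Server 2012+ names;
# client name and address are placeholders. Run elevated on the future NPS server.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Registering NPS in AD is what lets it read users' dial-in properties (Exercise 1).
# With no arguments this registers the local server in its own domain; it adds the
# computer account to the "RAS and IAS Servers" group.
netsh nps add registeredserver

# Generate a 32-byte random shared secret instead of typing one. NPS accepts long
# secrets, and a short or guessable secret lets a rogue NAS forge accounting data.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Exercise 2: the RADIUS client entry. The address must be the one the NAS sends
# from; the slide notes list a request from an unlisted address as a rejection cause.
$clientName = 'NYC-WAP1'      # placeholder
$clientAddr = '10.10.0.25'    # placeholder
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $clientName)) {
    New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret -Enabled $true | Out-Null
}

# Verify, without printing the secret; it is delivered to the NAS out of band.
Get-NpsRadiusClient | Where-Object Name -eq $clientName | Select-Object Name, Address, Enabled

# Export the configuration as a backup. The export contains shared secrets in clear
# text, so write it only to a protected location (placeholder path).
Export-NpsConfiguration -Path 'D:\Secure\nps-config.xml'
```

The Enabled check before creation keeps the script idempotent, which matters when it is re-run after a failed step; the export at the end is the same file the console's Export Configuration action produces and should be treated with the same care as the secrets it contains.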

Lab Review

- What does a RADIUS proxy provide?
- What is a RADIUS client, and what are some examples of RADIUS clients?

Lab Review Questions and Answers
Question: What does a RADIUS proxy provide?
Answer: When you use NPS as a RADIUS proxy, NPS forwards connection requests to NPS or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory because it does not need access to the dial-in properties of user accounts. Additionally, you do not need to configure network policies on an NPS proxy, because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member, or it can be a standalone server with no domain membership.

Question: What is a RADIUS client, and what are some examples of RADIUS clients?
Answer: A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Examples of network access servers are:
- Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server 2008 and the Routing and Remote Access service that provides either traditional dial-up or virtual private network (VPN) remote access services to an organization intranet.
- Wireless access points that provide physical-layer access to an organization network using wireless-based transmission and reception technologies.
- Switches that provide physical-layer access to an organization's network, using traditional LAN technologies such as Ethernet.
- RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that is configured on the RADIUS proxy.

Module Review and Takeaways

- Review questions
- Best practices
- Security issues
- Tools

Review Questions and Answers
Question 1: Why must you register the NPS server in Active Directory?
Answer: When NPS is a member of an Active Directory domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the credentials that Active Directory stores for the user account. NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory. The NPS server must be registered in Active Directory to have permission to access user-account credentials and dial-in properties.

Question 2: How can you make the most effective use of the NPS logging features?
Answer: You can make the most effective use of the NPS logging features by performing the following tasks:
- Turn on logging (initially) for both authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.
- Ensure that event logging is configured with sufficient capacity to maintain your logs.
- Back up all log files on a regular basis, because they cannot be recreated when damaged or deleted.
- Use the RADIUS Class attribute to track usage and simplify the identification of which department or user to charge for usage. Although the Class attribute, which is generated automatically, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to track usage accurately.
- To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers.