1 Week 6 – NPS and RADIUS Install and Configure a Network Policy Server Configure RADIUS Clients and Servers NPS Authentication Methods Monitor and Troubleshoot.


1 Week 6 – NPS and RADIUS
- Install and Configure a Network Policy Server
- Configure RADIUS Clients and Servers
- NPS Authentication Methods
- Monitor and Troubleshoot a Network Policy Server

2 What Is a VPN Connection?
[Diagram: sites connecting over a VPN to a VPN server at the corporate headquarters. Labels: Large Branch Office, Medium Branch Office, Small Branch Office, Home Office with VPN Client, Remote User with VPN Client, Corporate Headquarters, VPN, VPN Server]

3 Components of a VPN Connection
[Diagram labels: VPN Tunnel, VPN Client, VPN Server, IP Configuration, DHCP Server, Domain Controller, Authentication, Virtual Network, Client Operating System, Routing and Remote Access]

4 Tunneling Protocols for a VPN Connection
- PPTP: IP header | GRE header | PPP payload (IPv4 packet) | PPP trailer. The PPP frame is encrypted.
- L2TP: IP header | UDP header | L2TP header | PPP header | PPP payload (IP datagram, IPX datagram, or NetBEUI frame). The PPP frame is carried inside an L2TP frame, which is carried inside a UDP message.
- SSTP: Encapsulates PPP frames in IP datagrams and uses TCP port 443 for tunnel management and PPP data frames. Encryption is performed by the SSL channel of the HTTPS protocol.

5 Components of a Dial-Up Connection
[Diagram labels: Dial-Up Client; Remote Access Server; DHCP Server (address and name server allocation); Domain Controller (authentication); WAN options: telephone, ISDN, X.25, or ATM; LAN and remote access protocols]

6 What Is the Connection Manager Administration Kit?
The Connection Manager Administration Kit:
- Allows you to customize users' remote connection experience by creating predefined connections on remote servers and networks
- Creates an executable file that can be run on a client computer to establish a network connection that you have designed
- Reduces the likelihood of user errors when they configure their own connection objects
The connection profile can be distributed to users in the following ways:
- As part of an image for new computers
- On removable media for the user to install manually
- With software distribution tools, such as Systems Management Server or System Center Configuration Manager 2007

7 Process for Configuring a Connection Profile
The CMAK Connection Profile Wizard assists in the process of creating custom connection profiles for users. Use the wizard to configure:
- The target operating system
- Support for VPN
- Support for dial-up, including the custom phone book
- Proxy
- Custom Help file
- Custom support information

What Is a Network Policy?
A network policy consists of the following elements:
- Conditions
- Constraints
- Settings

Process for Creating and Configuring a Network Policy
- Determine authorization by user or group
- Determine appropriate settings for the user account's network access permissions
- Configure the New Network Policy Wizard:
  - Configure network policy conditions
  - Configure network policy constraints
  - Configure network policy settings

How Are Network Policies Processed?
[Flowchart, reconstructed as steps]
START
1. Are there policies to process? No: reject the connection attempt. Yes: take the next policy and continue.
2. Does the connection attempt match the policy conditions? No: go to the next policy (back to step 1). Yes: continue.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: continue.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6. No: continue.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: continue.
6. Does the connection attempt match the user object and profile settings? Yes: accept the connection attempt. No: reject the connection attempt.
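The flowchart above is an ordered decision procedure, so it is worth seeing it as code. The following Python is an added example written for this page; it is not NPS code or part of the course material. Policy conditions and constraints are modelled as plain predicates over a dictionary describing the connection attempt, and the sample policies, groups and account names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Dial-in permission on the user account: the slide's "Deny Access" and
# "Allow Access", plus the setting that defers the decision to the policy.
DENY_ACCESS = "Deny Access"
ALLOW_ACCESS = "Allow Access"
CONTROL_THROUGH_POLICY = "Control access through NPS Network Policy"

Attempt = Dict[str, object]   # constructed model of one connection attempt


@dataclass
class NetworkPolicy:
    name: str
    # Conditions: does the connection attempt match this policy at all?
    conditions: Callable[[Attempt], bool]
    # The policy's own remote access permission; False models "Deny remote access permission".
    grants_access: bool
    # Constraints / profile settings the attempt must also satisfy (step 6 of the flowchart).
    constraints: Callable[[Attempt], bool] = lambda attempt: True


@dataclass
class UserAccount:
    name: str
    dial_in_permission: str = CONTROL_THROUGH_POLICY


def process_policies(attempt: Attempt, user: UserAccount,
                     policies: List[NetworkPolicy]) -> Tuple[str, Optional[str]]:
    """Evaluate the ordered policy list the way the flowchart does.

    Returns ("accept" or "reject", name of the policy that decided, or None
    when no policy matched the attempt at all).
    """
    for policy in policies:                       # "Are there policies to process?"
        if not policy.conditions(attempt):        # "Does the attempt match policy conditions?"
            continue                              # "Go to next policy"
        if user.dial_in_permission == DENY_ACCESS:
            return "reject", policy.name          # account-level Deny wins over everything
        if user.dial_in_permission != ALLOW_ACCESS and not policy.grants_access:
            return "reject", policy.name          # account defers, and the policy itself denies
        # Account Allow, or account deferring to a policy that grants access:
        # the attempt must still match the profile/constraint settings.
        if policy.constraints(attempt):
            return "accept", policy.name
        return "reject", policy.name
    return "reject", None                         # ran out of policies: reject


# Constructed sample policies, in the order NPS would evaluate them:
# a VPN-group allow rule with a strong-authentication constraint, then a catch-all deny.
SAMPLE_POLICIES = [
    NetworkPolicy(
        name="VPN users",
        conditions=lambda a: a["tunnel_type"] == "SSTP" and "VPN-Users" in a["groups"],
        grants_access=True,
        constraints=lambda a: a["auth_method"] == "MS-CHAPv2",
    ),
    NetworkPolicy(name="Deny everything else", conditions=lambda a: True, grants_access=False),
]


def sample_attempt(groups, auth_method="MS-CHAPv2", tunnel_type="SSTP") -> Attempt:
    """Build a constructed connection attempt for the sample policies."""
    return {"groups": set(groups), "auth_method": auth_method, "tunnel_type": tunnel_type}


if __name__ == "__main__":
    alice = UserAccount("alice")
    print(process_policies(sample_attempt({"VPN-Users"}), alice, SAMPLE_POLICIES))
```

Two details the code makes visible: an account whose dial-in permission is Allow Access bypasses the policy's own deny (step 4 jumps straight to step 6), and a catch-all policy at the end of the list is what turns "no policy matched" into an explicit, named rejection you can find in the log.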

11 Network Policy Server Usage Scenarios
NPS is used for the following scenarios:
- Network Access Protection
  - Enforcement for IPsec traffic
  - Enforcement for 802.1X wired and wireless
  - Enforcement for DHCP
  - Enforcement for VPN
- Secure wired and wireless access
- RADIUS
- Terminal Server Gateway

12 Tools Used for Managing a Network Policy Server
Tools used to manage NPS include:
- Netsh command line, to configure all aspects of NPS, such as:
  - NPS server commands
  - RADIUS client commands
  - Connection request policy commands
  - Remote RADIUS server group commands
  - Network policy commands
  - Network Access Protection commands
  - Accounting commands
- NPS MMC console

13 What Is a RADIUS Client?
RADIUS clients are network access servers, such as:
- Wireless access points
- 802.1X authenticating switches
- VPN servers
- Dial-up servers
RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting. NPS is a RADIUS server.

14 What Is a RADIUS Proxy?
A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server, or to another RADIUS proxy for further routing.
A RADIUS proxy is required for:
- Service providers offering outsourced dial-up, VPN, or wireless network access services
- Providing authentication and authorization for user accounts that are not Active Directory members
- Performing authentication and authorization using a database that is not a Windows account database
- Load-balancing connection requests among multiple RADIUS servers
- Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

15 Configuring Connection Request Processing
Local vs. RADIUS authentication: Local authentication takes place against the local security account database or Active Directory, and the connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database, and the RADIUS server maintains a central store of all the connection policies.
RADIUS server groups: Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, connection requests are load-balanced according to the criteria specified when the group was created.
Default ports for authentication and accounting using RADIUS: Requests forwarded to a RADIUS server use UDP 1812 (legacy 1645) for authentication and UDP 1813 (legacy 1646) for accounting.
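The RADIUS client/server exchange described on slides 13 and 15 rests on the shared secret: the client sends an Access-Request on the authentication port, and both sides use the secret to bind requests and replies together. The following Python is an added example written for this page, not code from NPS or the course; it builds an Access-Request with a Message-Authenticator (RFC 2869) and an Access-Accept with a Response Authenticator (RFC 2865) and shows how each side verifies the other. The shared secret, user name and NAS address are constructed values, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct
from typing import Iterator, Tuple

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# UDP ports from the slide: (current, legacy) per service.
RADIUS_PORTS = {"authentication": (1812, 1645), "accounting": (1813, 1646)}

HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attributes(packet: bytes) -> Iterator[Tuple[int, bytes, int]]:
    """Yield (type, value, offset) for each attribute, rejecting malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen], pos
        pos += alen


def build_access_request(secret: bytes, username: str, nas_ip: str,
                         identifier: int, request_authenticator: bytes) -> bytes:
    """RADIUS client side: an Access-Request carrying a Message-Authenticator.

    The Message-Authenticator is HMAC-MD5, keyed with the shared secret, over the
    whole packet with its own 16-byte value zeroed, so a server that knows the
    secret can detect a forged or altered request.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attribute(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    with_placeholder = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(with_placeholder))
    mac = hmac.new(secret, header + request_authenticator + with_placeholder, hashlib.md5).digest()
    return header + request_authenticator + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute's value zeroed and compare."""
    for atype, value, pos in iter_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # attribute absent: treat the request as unverified


def build_response(request: bytes, secret: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its identifier matches our request and
    its authenticator binds it to our Request Authenticator and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    _code, _ident, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The client-side check in verify_response is what stops a spoofed Access-Accept from a host that does not know the secret, and the identifier check ties a reply to the request it answers. Because the secret is the only thing protecting this exchange, it deserves the same handling as any other credential: unique per RADIUS client, long, and only sent across the network paths the firewall rules on slide 14 allow.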

16 What Is a Connection Request Policy?
Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients.
Connection request policies include:
- Conditions, such as:
  - Framed Protocol
  - Service Type
  - Tunnel Type
  - Day and time restrictions
- Settings, such as:
  - Authentication
  - Accounting
  - Attribute manipulation
  - Advanced settings
Custom connection request policies are required to forward the request to another proxy, RADIUS server, or server group for authorization and authentication, or to specify a different server for accounting information.

17 Password-Based Authentication Methods
Authentication methods for an NPS server include:
- MS-CHAPv2
- MS-CHAP
- CHAP
- PAP
- Unauthenticated access

18 Using Certificates for Authentication
Certificate-based authentication in NPS uses the following certificate types:
- CA certificate: verifies the trust path of other certificates
- Client computer certificate: issued to the computer to prove its identity to NPS during authentication
- Server certificate: issued to an NPS server to prove its identity to client computers during authentication
- User certificate: issued to individuals to prove their identity to NPS servers for authentication
Certificates can be obtained from public CA providers, or you can host your own Active Directory Certificate Services.
To specify certificate-based authentication in a network policy, configure the authentication methods on the Constraints tab.

19 Required Certificates for NPS Authentication Methods
Server certificates:
- Must contain a Subject attribute that is not NULL
- Must chain to a trusted root CA
- Configured with the Server Authentication purpose in the EKU extension
- Configured with the required algorithm of RSA with a minimum 2048-bit key length
- The Subject Alternative Name extension, if used, must contain the DNS name
Client certificates:
- Issued by an enterprise CA or mapped to an account in Active Directory
- Must chain to a trusted root CA
- For computer certificates, the Subject Alternative Name must contain the FQDN
- For user certificates, the Subject Alternative Name must contain the UPN
All certificates must meet the requirements for X.509 and must work for connections that use SSL/TLS.
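The requirements on slides 18 and 19 are the checks NPS applies before PEAP or EAP-TLS will work, and most "certificate not accepted" troubleshooting is one of these lines failing. The Python below is an added example written for this page, not NPS or course code: it turns the two requirement lists into checkers that report every failed requirement at once. To keep it self-contained it works on an already-parsed view of a certificate (a small dataclass) rather than on real X.509 data, the chain walk matches issuer to subject by name as a simplification, and the CA names, host names and UPNs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CertView:
    """Constructed, already-parsed view of a certificate; no X.509 parsing happens here."""
    subject: str                                   # "" models a NULL Subject
    issuer: str
    key_algorithm: str = "RSA"
    key_bits: int = 2048
    eku: Tuple[str, ...] = ()                      # e.g. ("Server Authentication",)
    san: Dict[str, str] = field(default_factory=dict)   # {"DNS": fqdn, "UPN": upn}
    issued_by_enterprise_ca: bool = False
    mapped_to_ad_account: bool = False


def chains_to_trusted_root(cert: CertView, by_subject: Dict[str, CertView],
                           trusted_roots: Set[str], max_depth: int = 8) -> bool:
    """Follow issuer links (matched by subject name, a simplification) to a trusted root."""
    current = cert
    for _ in range(max_depth):
        if current.issuer in trusted_roots:
            return True
        parent = by_subject.get(current.issuer)
        if parent is None or parent is current:
            return False
        current = parent
    return False                                   # chain too long: do not trust it


def check_server_certificate(cert: CertView, by_subject: Dict[str, CertView],
                             trusted_roots: Set[str]) -> List[str]:
    """Slide 19, server certificate rules; returns the list of failed requirements."""
    problems = []
    if not cert.subject:
        problems.append("Subject attribute is NULL")
    if not chains_to_trusted_root(cert, by_subject, trusted_roots):
        problems.append("does not chain to a trusted root CA")
    if "Server Authentication" not in cert.eku:
        problems.append("EKU lacks the Server Authentication purpose")
    if cert.key_algorithm != "RSA" or cert.key_bits < 2048:
        problems.append("key is not RSA with at least 2048 bits")
    if cert.san and "DNS" not in cert.san:
        problems.append("Subject Alternative Name is present but has no DNS name")
    return problems


def check_client_certificate(cert: CertView, kind: str, by_subject: Dict[str, CertView],
                             trusted_roots: Set[str]) -> List[str]:
    """Slide 19, client certificate rules for kind 'computer' or 'user'."""
    if kind not in ("computer", "user"):
        raise ValueError("kind must be 'computer' or 'user'")
    problems = []
    if not (cert.issued_by_enterprise_ca or cert.mapped_to_ad_account):
        problems.append("not issued by an enterprise CA and not mapped to an AD account")
    if not chains_to_trusted_root(cert, by_subject, trusted_roots):
        problems.append("does not chain to a trusted root CA")
    if kind == "computer" and "DNS" not in cert.san:
        problems.append("computer certificate SAN lacks the FQDN")
    if kind == "user" and "UPN" not in cert.san:
        problems.append("user certificate SAN lacks the UPN")
    return problems


# Constructed two-tier PKI: a trusted root and one issuing CA beneath it.
TRUSTED_ROOTS = {"CN=Example Root CA"}
ISSUING_CA = CertView(subject="CN=Example Issuing CA", issuer="CN=Example Root CA")
BY_SUBJECT = {ISSUING_CA.subject: ISSUING_CA}


if __name__ == "__main__":
    weak = CertView(subject="CN=nps02.example.test", issuer=ISSUING_CA.subject,
                    key_bits=1024, eku=("Client Authentication",))
    for problem in check_server_certificate(weak, BY_SUBJECT, TRUSTED_ROOTS):
        print("server certificate:", problem)
```

Reporting all failures rather than stopping at the first one matters in practice: a server certificate issued with the wrong template typically fails the EKU and key-length checks together, and fixing one without the other just produces the next authentication failure.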

20 Deploying Certificates for PEAP and EAP
- For domain computer and user accounts, use the auto-enrollment feature in Group Policy
- Non-domain-member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
- The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the non-domain-member computer
- The administrator can distribute user certificates on a smart card

21 Methods Used to Monitor NPS
NPS monitoring methods include:
- Event logging
  - The process of logging NPS events in the System event log
  - Useful for auditing and troubleshooting connection attempts
- Logging user authentication and accounting requests
  - Useful for connection analysis and billing purposes
  - Can be in a text format
  - Can be in a database format within a SQL Server instance

22 Configuring Log File Properties
Use the NPS console to configure logging:
1. Open NPS from the Administrative Tools menu
2. In the console tree, click Accounting
3. In the details pane, click Configure Local File Logging
4. On the Settings tab, select the information to be logged
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated
Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails because the hard disk is full, NPS stops processing connection requests.

23 Configuring SQL Server Logging
You can use SQL Server to log RADIUS accounting data:
- Requires SQL Server to have a stored procedure named report_event
- NPS formats accounting data as an XML document
- Can be a local or remote SQL Server database

24 Configuring NPS Events to Record in the Event Viewer
How do I configure NPS events to be recorded in Event Viewer?
- NPS is configured by default to record failed connections and successful connections in the event log
- You can change this behavior on the General tab of the Properties sheet for the network policy
Common request failure events:
- What information does the failure event record?
- What information does the success event record?
What is Schannel logging, and how do I configure it?
- Schannel is a security support provider that supports a set of Internet security protocols
- You can configure Schannel logging in the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging