Presentation is loading. Please wait.

Presentation is loading. Please wait.

20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,

Similar presentations


Presentation on theme: "20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,"— Presentation transcript:

1 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module, students will be able to: Install and configure a Network Policy Server (NPS). Configure clients and servers with the Remote Authentication Dial-In User Service (RADIUS) protocol. Explain NPS authentication methods. Monitor and troubleshoot NPS. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_08.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Module 8 Installing, Configuring, and Troubleshooting the Network Policy Server Role

2 Monitoring and Troubleshooting a Network Policy Server
Module Overview 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Monitoring and Troubleshooting a Network Policy Server

3 Lesson 1: Installing and Configuring a Network Policy Server
20411B Lesson 1: Installing and Configuring a Network Policy Server 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Demonstration: Configuring General NPS Settings

4 What Is a Network Policy Server?
20411B What Is a Network Policy Server? 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role A Windows Server 2012 Network Policy Server provides the following functions: RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and dial-up and VPN connections RADIUS proxy. You configure connection request policies that indicate which connection requests that the NPS server will forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests NAP policy server. NPS evaluates statements of health (SoHs) sent by NAP-capable client computers that attempt to connect to the network Describe the NPS role service. Your students should understand that policies created on Routing and Remote Access servers are local to the server that is hosting the role. In the case of NPS as a RADIUS server, an environment with numerous Remote Access Service (RAS) servers can store all the policies in one place--the NPS RADIUS server. This removes the need to duplicate the policies on individual RAS servers. Detailed logging and accounting also is available when you use the RADIUS authentication and authorization service. Explain to students that the Network Access Protection (NAP) scenarios involve NPS to evaluate statements of health (SoH) that are sent by NAP-capable client computers that connect to the network. Access is given depending on the client’s health compared to the server’s NAP policies. A later topic covers this in detail. Secure wired or wireless access requires 802.1x authenticating switches and 802.1x capable wireless access points. RADIUS offers central policy management for Remote Access. It also is used for Connection Authorization policies for Remote Desktop Server. Note: You might want to draw a diagram that shows the relationship between these elements. Use this link to see a sample diagram: RADIUS Proxy Discuss the following examples with the class: The following configuration examples illustrate how you can configure NPS as a RADIUS server and a RADIUS proxy: NPS as a RADIUS server. In this example, you configure NPS as a RADIUS server. The default connection request policy is the only configured policy, and the local NPS server processes all connection requests. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains. NPS as a RADIUS proxy. In this example, you configure the NPS server as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two different, nontrusted domains. The default connection request policy is deleted, and two new connection-request policies are created to forward requests to two different domains. In this example, NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that you configure as members of remote RADIUS server groups. (More notes on the next slide)

5 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role NPS as both RADIUS server and RADIUS proxy. In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the Proxy policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy, but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, NPS discards it. NPS as RADIUS server with remote accounting servers. In this example, you do not configure the local NPS server to perform accounting, and you revise the default connection request policy so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not, and the local NPS server performs these functions for the local and all trusted domains. NPS with Remote RADIUS to Windows User mapping. In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. You can implement this configuration by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. Additionally, you must create a user account locally that has the same name as the remote user account against which the remote RADIUS server performs authentication.

6 Demonstration: Installing the Network Policy Server Role
20411B Demonstration: Installing the Network Policy Server Role 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role In this demonstration, you will see how to: Install the NPS role Register NPS in AD DS Leave the virtual machine running for subsequent demonstrations. Preparation Steps You require the 20411B-LON-DC1 and 20411B-LON-RTR virtual machines for this demonstration. Demonstration Steps Install the NPS Role Switch to LON-DC1. Sign in as Adatum\Administrator with the password Pa$$w0rd. If necessary, on the taskbar, click Server Manager. In the details pane, click Add roles and features. In the Add Roles and Features Wizard, click Next. On the Select installation type page, click Role-based or feature based installation, and then click Next. On the Select destination server page, click Next. On the Select server roles page, select the Network Policy and Access Services check box. Click Add Features, and then click Next twice. On the Network Policy and Access Services page, click Next. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next. On the Confirm installation selections page, click Install. Verify that the installation was successful, and then click Close. Close the Server Manager window. (More notes on the next slide)

7 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Register NPS in AD DS Pause your mouse pointer in the lower-left of the taskbar, and then click Start. Click Network Policy Server. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory. In the Network Policy Server message box, click OK. In the subsequent Network Policy Server dialog box, click OK. Leave the Network Policy Server console window open.

8 Tools for Configuring a Network Policy Server
20411B Tools for Configuring a Network Policy Server 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Tools used to manage NPS include: NPS management console snap-in Netsh command-line tool: NPS server commands RADIUS client commands Connection request policy commands Remote RADIUS server group commands Network policy commands Network Access Protection commands Accounting Commands Windows PowerShell You can use the NPS console that is available after installation to manage the local NPS server only. For remote NPS administration, use the NPS Microsoft Management Console (MMC) snap-in. The netsh command-line tool also is available for NPS management tasks.

9 Demonstration: Configuring General NPS Settings
20411B Demonstration: Configuring General NPS Settings 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role In this demonstration, you will see how to: Configure a RADIUS server for VPN connections Save the configuration Leave the virtual machine running for subsequent demonstrations. Preparation Steps The required virtual machines 20411B-LON-DC1 and 20411B-LON-RTR should be running after the preceding demonstration. Demonstration Steps Configure a RADIUS server for VPN connections On LON-DC1, in the Network Policy Server console, in the Getting Started details pane, open the drop-down list under Standard Configuration, and then click RADIUS server for Dial-Up or VPN Connections. Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up. In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept the default name, and then click Next. On the RADIUS clients page, click Add. In the New RADIUS Client dialog box, in the Friendly Name box, type LON-RTR, and then click Verify. In the Verify Address dialog box, in the Address box, type LON-RTR, click Resolve, and then click OK. In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd, and then click OK. On the Specify Dial-Up or VPN Server page, click Next. On the Configure Authentication Methods page, ensure that the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box is selected, and then click Next. On the Specify User Groups page, click Next. (More notes on the next slide)

10 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role On the Specify IP Filters page, click Next. On the Specify Encryption Settings page, click Next. On the Specify a Realm Name page, click Next. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish. Save the configuration Pause your mouse pointer in the lower-left of the taskbar, and then click Start. In Start, click Windows PowerShell. At the Windows PowerShell® command prompt, type the following command, and then press Enter: Export-NpsConfiguration –path lon-dc1.xml At the Windows PowerShell command prompt, type the following command, and then press Enter: Notepad lon-dc1.xml Scroll through the file, and then discuss the contents. Close the file.

11 Lesson 2: Configuring RADIUS Clients and Servers
20411B Lesson 2: Configuring RADIUS Clients and Servers 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Demonstration: Creating a Connection Request Policy

12 RADIUS clients are network access servers, such as:
20411B What Is a RADIUS Client? 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role NPS is a RADIUS server RADIUS clients are network access servers, such as: Wireless access points 802.1x authenticating switches VPN servers Dial-up servers RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting Emphasize to students that client computers, such as wireless laptops and other computers that are running client operating systems, are not RADIUS clients. RADIUS clients potentially are network access devices that offer connectivity for the user from the wired local area network (LAN), wireless environments, and remote access solutions.

13 20411B What Is a RADIUS Proxy? 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role A RADIUS proxy receives connection attempts from RADIUS clients, and then forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing A RADIUS proxy is required for: Offering outsourced dial-up, VPN, or wireless network-access services by service providers Providing authentication and authorization for user accounts that are not Active Directory members Performing authentication and authorization by using a database that is not a Windows account database Load-balancing connection requests among multiple RADIUS servers Providing RADIUS for outsourced service providers and limiting traffic types through the firewall Explain that when you configure NPS as a RADIUS proxy, it receives connection attempts from RADIUS clients, and then forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing. Explain the times when an enterprise might require a RADIUS proxy. Ask the students for some examples where the proxy is useful. Engage the students’ ideas to further the discussion and help solidify their understanding.

14 Demonstration: Configuring a RADIUS Client
20411B Demonstration: Configuring a RADIUS Client 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role In this demonstration, you will see how to configure a RADIUS client Leave the virtual machine running for subsequent demonstrations. Preparation Steps The required virtual machines 20411B-LON-DC1 and 20411B-LON-RTR should be running after the preceding demonstration. Demonstration Steps Switch to LON-RTR. Sign in as Adatum\Administrator with the password Pa$$w0rd. Pause your mouse pointer in the lower-left of the taskbar, and then click Start. On the Start screen, click Administrative Tools, and then double-click Routing and Remote Access. If required, at the Enable DirectAccess Wizard dialog box, click Cancel. Click OK. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access. In the dialog box, click Yes. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access. Click Next, select Remote access (dial-up or VPN), and then click Next. Select the VPN check box, and then click Next. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next. On the IP Address Assignment page, select From a specified range of addresses, and then click Next. On the Address Range Assignment page, click New. Type next to Start IP address and next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next. (More notes on the next slide)

15 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role On the Managing Multiple Remote Access Servers page, click Yes, setup this server to work with a RADIUS server, and then click Next. On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1. In the Shared secret box, type Pa$$w0rd, and then click Next. Click Finish. In the Routing and Remote Access dialog box, click OK. If prompted again, click OK.

16 What Is a Connection Request Policy?
20411B What Is a Connection Request Policy? 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients Review the three sections for each policy: Overview (enable/disable) Conditions Settings (authentication and accounting behaviors) Open the default policy in NPS by launching the NPS console from Administration Tools. Expand Policies in the console tree, select Connection Request Policies, and then double-click Default Policy to view the settings. Ask the students for scenarios that would require custom connection policies. Examples include a scenario in which policies exist with different realm names for RADIUS authentication and authorization, or in which you require a different accounting server. Connection request policies include: Conditions, such as: Framed Protocol Service Type Tunnel Type Day and Time restrictions Settings, such as: Authentication Accounting Attribute Manipulation Advanced settings

17 Configuring Connection-Request Processing
20411B Configuring Connection-Request Processing 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Configuration Description Local vs. RADIUS authentication Local authentication takes place against the local security account database or Active Directory. Connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database. RADIUS maintains a central store of all the connection policies. RADIUS server groups Used where one or more RADIUS servers are capable of handling connection requests. The connection requests are load-balanced on criteria specified during the creation of the RADIUS server group if there is more than one RADIUS server in the group. Default ports for accounting and authentication by using RADIUS The ports required for accounting and authentication requests being forwarded to a RADIUS server are UDP 1812/1645 and UDP 1813/1646. Emphasize the RADIUS is ideal for environments that have multiple remote access servers, because it centralizes all of the policies and enables you to create them only once in NPS. Describe the benefits that RADIUS server groups realize regarding load-balancing activities. Regarding ports, mention the security benefit of having a RADIUS proxy outside the firewall, and having firewall policies that allow User Datagram Protocol (UDP) 1812/1645 and 1813/1646 to open for communication between the proxy and RADIUS server internally.

18 Demonstration: Creating a Connection Request Policy
20411B Demonstration: Creating a Connection Request Policy 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role In this demonstration, you will see how to create a VPN connection request policy Revert all virtual machines. Preparation Steps The required virtual machines 20411B-LON-DC1 and 20411B-LON-SVR1 should be running after the preceding demonstration. Demonstration Steps Switch to the LON-DC1 computer. Switch to Network Policy Server console. In Network Policy Server, expand Policies, and then click Connection Request Policies. Notice the presence of the Virtual Private Network (VPN) Connections policies. The wizard created these automatically when you specified the NPS role of this server. Right-click Connection Request Policies, and then click New. In the New Connection Request Policy Wizard, in the Policy name box, type Adatum VPN. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next. On the Specify Conditions page, click Add. In the Select condition dialog box, select NAS Port Type, and then click Add. In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK. Click Next. On the Specify Connection Request Forwarding page, click Next. On the Specify Authentication Methods page, click Next. On the Configure Settings page, click Next. On the Completing Connection Request Policy Wizard page, click Finish. In the Connection Request Policies list, right-click Adatum VPN, and then click Move Up. Ensure that the Adatum VPN policy has a processing order of 1. If not, repeat step 14.

19 Lesson 3: NPS Authentication Methods
20411B Lesson 3: NPS Authentication Methods 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Deploying Certificates for PEAP and EAP

20 Password-Based Authentication Methods
8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Authentication methods for an NPS server from the most secure to the least: MS-CHAPv2 Password-based authentication does not provide strong security. Therefore, we do not recommend their use. When password-based authentication is allowed, it is processed from the most secure (MS-CHAPv2) to the least secure (Unauthenticated access). Ensure that the students realize that if the clients using the service are all Microsoft clients, MS-CHAPv2 should be the only method allowed for a password-based solution. If you require support for non-Microsoft clients, then you can use the Challenge Handshake Authentication Protocol (CHAP). Password Authentication Protocol (PAP) is plain text, and any sniffer can capture the transmission in plain text. Unauthenticated access is required for guest account access, and we do not recommend it. MS-CHAP CHAP PAP Unauthenticated access

21 Using Certificates for Authentication
20411B Using Certificates for Authentication 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role With NPS, you use certificates for network access authentication because they: Provide for stronger security Eliminate the need for less secure, password-based authentication Ensure that students understand that certificate-based authentication is the strongest authentication that can take place in NPS, and that we recommend it highly. Consider facilitating a discussion about the advantages and disadvantages of hosting your own certificate server, as well as the advantages and disadvantages of using a public certification authority (CA) vendor for your certificate needs.

22 Required Certificates for Authentication
20411B Required Certificates for Authentication 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role You require the following certificates to deploy certificate-based authentication in NPS: Certificate Description CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User Client computer certificate in the certificate store of the client Server certificate in the certificate store of the NPS server User certificate on a smart card Explain that you can use private or public CAs for certificate needs. However, private CAs are the most cost-effective solution for most organizations. Certificate usage eliminates the possibility that someone can implement less-secure, password-based authentication methods to avoid extra costs for administration and configuration. The added costs are outweighed by the additional security that you can achieve by using this method.

23 Deploying Certificates for PEAP and EAP
20411B Deploying Certificates for PEAP and EAP 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role For Domain Computer and User accounts, use the autoenrollment feature in Group Policy Nondomain member enrollment requires an administrator to request a user or computer certificate by using the CA Web Enrollment tool The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer The administrator can distribute user certificates on a smart card Explain that using the autoenrollment feature greatly simplifies certificate deployment to enterprise users and computers. Leverage the infrastructure to automate as much of the process as possible. Discuss the guidelines for deploying certificates for PEAP and EAP: For Domain Computer and User accounts, you can use the autoenrollment feature in Group Policy to acquire the necessary certificates automatically for authentication at the next Group Policy refresh interval or by forcing Group Policy refresh by using GPupdate. Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool. The administrator must save the computer or user certificate to removable media, and manually install the certificate on the nondomain member computer. In cases where the computer is not accessible, a domain user whom the administrator trusts can install the certificate. The administrator can distribute user certificates on a smart card.

24 Lesson 4: Monitoring and Troubleshooting a Network Policy Server
8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Configuring NPS Events to Record in the Event Viewer

25 Methods Used to Monitor NPS
20411B Methods Used to Monitor NPS 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role NPS monitoring methods include: Event logging This method is the process of logging NPS events in the System Event log This method is useful for auditing and troubleshooting connection attempts Logging user authentication and accounting requests This method is useful for connection analysis and billing purposes This method can be in a text format This method can be in a database format within a SQL instance Describe some of the best practices for logging.

26 Logging NPS Accounting
20411B Logging NPS Accounting 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Use the NPS console to configure logging: On the Administrative Tools menu, open NPS In the console tree, click Accounting In the details pane, click Change Log File Properties Log files should be stored on a separate partition from the system partition Ensure that students understand that any logging that occurs should be done off the system partition, and that they should configure it so that the data collected is the most useful for the enterprise. Mention that the output can be sent to external applications via piping, and that you can specify UNC paths for network locations, as well. You can use NPSparse.exe to view the log data.

27 Configuring SQL Server Logging
20411B Configuring SQL Server Logging 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role You can use SQL to log RADIUS accounting data: The SQL Server database must have a stored procedure named report_event NPS formats accounting data as an XML document The SQL Server database can be on a local computer or a remote server Logging to a Microsoft SQL Server® instance is a more favorable option, if SQL is available. You can configure the maximum number of concurrent sessions between SQL and NPS. Explain how to configure SQL server logging in NPS.

28 Configuring NPS Events to Record in the Event Viewer
20411B Configuring NPS Events to Record in the Event Viewer 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role How do I configure NPS events to be recorded in Event Viewer? NPS is configured by default to record failed connections and successful connections in the event log You can change this behavior on the General tab of the Properties sheet for the network policy Common request failure events consist of requests that NPS rejects or discards; both failure and success events are recorded What is Schannel logging, and how do I configure it? Schannel is a security support provider that supports a set of Internet security protocols You can configure Schannel logging in the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurityProviders\SCHANNEL\EventLogging Explain that connection requests are rejected or ignored for a variety of reasons.

29 Lab: Installing and Configuring a Network Policy Server
8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Exercise 2: Configuring and Testing a RADIUS Client Exercise 1: Installing and Configuring NPS to Support RADIUS You have been tasked with installing an NPS into the existing infrastructure to be used for RADIUS services. In this exercise, you will configure the RADIUS server with appropriate templates to help manage any future implementations. You also need to configure Accounting to log authentication information to a local text file on the server. Exercise 2: Configuring and Testing a RADIUS Client You need to configure a server as a VPN server and a RADIUS client, including the client configuration, and then you need to modify the Network Policy settings. Virtual Machines: B-LON-DC1 20411B-LON-RTR 20411B-LON-CL2 User name: Adatum\Administrator Password: Pa$$w0rd Logon Information Estimated Time: 60 minutes

30 20411B Lab Scenario 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center is located in London, to support the London office and other locations. A. Datum has recently deployed a Windows Server server and client infrastructure.  A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN servers that are located at different points to provide connectivity for its employees. You are responsible for performing the tasks necessary to support these VPN connections.

31 What is a RADIUS client, and what are some examples of RADIUS clients?
20411B Lab Review 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role What is a RADIUS client, and what are some examples of RADIUS clients? Question What does a RADIUS proxy provide? Answer When you use NPS as a RADIUS proxy, NPS forwards connection requests to NPS or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in the AD DS because it does not need access to the dial-in properties of user accounts. Additionally, you do not need to configure network policies on an NPS proxy, because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member or it can be a stand-alone server with no domain membership. What is a RADIUS client, and what are some examples of RADIUS clients? A NAS is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Examples of RADIUS clients are: Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer that is running Windows Server 2012 and the Routing and Remote Access service, which provides either traditional dial-up or VPN remote-access services to an organization’s intranet. Wireless access points that provide physical layer access to an organization’s network by using wireless-based transmission and reception technologies. Switches that provide physical-layer access to an organization’s network, by using traditional LAN technologies such as Ethernet. RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that you configure on the RADIUS proxy.

32 Module Review and Takeaways
20411B Module Review and Takeaways 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Tools Review Questions Question How can you make the most effective use of the NPS logging features? Answer You can make the most effective use of the NPS logging features by performing the following tasks: Turn on logging (initially) for both authentication and accounting records. Modify these selections after you determine what is appropriate for your environment. Ensure that you configure event logging with sufficient capacity to maintain your logs. Back up all log files on a regular basis, because you cannot recreate them when they become damaged or are deleted. Use the RADIUS Class attribute to track usage and simplify the identification of which department or user to charge for usage. Although the Class attribute, which is automatically generated, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to track usage accurately. To provide failover and redundancy with SQL Server logging, place two computers that are running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to configure database replication between the two servers. What consideration must you follow if you choose to use a nonstandard port assignment for RADIUS traffic? If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports. Why must you register the NPS server in Active Directory? When NPS is a member of an Active Directory domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the user-account credentials that Active Directory stores. NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory. You must register the NPS server in Active Directory to have permission to access user-account credentials and dial-in properties. (More notes on the next slide)

33 20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Tools Tool Use for Where to find it Network Policy Server Managing and creating Network Policy Network Policy Server on the Administrative Tools menu Netsh command-line tool Creating administrative scripts for configuring and managing the Network Policy Server role In a Command Prompt window, type netsh –c nps to administer from a command prompt Event Viewer Viewing logged information from application, system, and security events Event Viewer on the Administrative Tools menu


Download ppt "20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,"

Similar presentations


Ads by Google