Presentation transcript: Course 6421A, Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service (Presentation: 60 minutes; Lab: 60 minutes)
Slide 1: Course 6421A, Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Presentation: 60 minutes
Lab: 60 minutes

Instructor notes:
This module helps students install, configure, and troubleshoot the Network Policy Server (NPS) Role Service.
After completing this module, students will be able to:
- Install and configure a Network Policy server.
- Configure Remote Authentication Dial-In User Service (RADIUS) clients and servers.
- Describe NPS authentication methods.
- Monitor and troubleshoot a Network Policy server.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6421A_07.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
- Make sure that students are aware that the Course Companion CD has additional information and resources for this module.
Slide 2: Module Overview
- Installing and Configuring a Network Policy Server
- Configuring RADIUS Clients and Servers
- NPS Authentication Methods
- Monitoring and Troubleshooting a Network Policy Server
Slide 3: Lesson 1: Installing and Configuring a Network Policy Server
- What Is a Network Policy Server?
- Network Policy Server Usage Scenarios
- Demonstration: How to Install the Network Policy Server
- Tools Used for Managing a Network Policy Server
- Demonstration: Configuring General NPS Settings
Slide 4: What Is a Network Policy Server?
Windows Server 2008 Network Policy Server (NPS) is a:
- RADIUS server
- RADIUS proxy
- Network Access Protection server

Instructor notes:
Describe the NPS Role Service. The students should understand that policies created on Routing and Remote Access servers are local to the server hosting the role. With RADIUS (NPS), an environment with numerous Remote Access Service (RAS) servers can store all the policies in one place, the NPS RADIUS server, which removes the need to duplicate the policies on individual RAS servers. Detailed logging and accounting also are available when you use the RADIUS authentication and authorization service.

References
Help Topic: Network Policy Server
Slide 5: Network Policy Server Usage Scenarios
NPS is used for the following scenarios:
- Network Access Protection
  - Enforcement for IPsec traffic
  - Enforcement for 802.1x wired and wireless
  - Enforcement for DHCP
  - Enforcement for VPN

Instructor notes:
Explain to students that in the Network Access Protection (NAP) scenarios, NPS evaluates the statements of health (SoH) sent by NAP-capable client computers that connect to the network. Access is granted depending on how the client’s health compares to the server’s NAP policies. This is covered in detail in a later topic.
Secure wired and wireless access requires 802.1x authenticating switches and 802.1x-capable wireless access points.
RADIUS offers central policy management for remote access. It also is used for connection authorization policies for Terminal Server.

References
Microsoft TechNet: Windows Server 2008 Technical Library:
- Secure Wired and Wireless Access
- RADIUS
- Terminal Server Gateway
Slide 6: Demonstration: How to Install the Network Policy Server
In this demonstration, you will see how to install the Network Policy Server.

Instructor notes:
1. Install the Network Policy and Access Services server role from Add Roles in Server Manager. On the Select Role Services page, select Network Policy Server, click Next, and then click Install.
2. Open the NPS administrative tool from the Administrative Tools menu.
Slide 7: Tools Used for Managing a Network Policy Server
Tools used to manage NPS include:
- NPS MMC Console
- Netsh command line, which can configure all aspects of NPS, such as:
  - NPS Server Commands
  - RADIUS Client Commands
  - Connection Request Policy Commands
  - Remote RADIUS Server Group Commands
  - Network Policy Commands
  - Network Access Protection Commands
  - Accounting Commands

Instructor notes:
You can use the NPS Console that is available after installation to manage the local NPS server only. For remote NPS administration, use the NPS Microsoft Management Console (MMC) snap-in.
The netsh command-line tool also is available for NPS management tasks.

References
Help Topic: NPS Console
Help Topic: Netsh Commands for Network Policy Server (NPS)
Slide 8: Demonstration: Configuring General NPS Settings
In this demonstration, you will see how to configure general NPS settings.

Instructor notes:
Demonstrate how to configure general NPS settings:
1. Open the NPS console: click Start, point to Administration Tools, and then click Network Policy Server.
2. From the console tree, right-click NPS (local), and select Import or Export, depending on the task:
   - If importing, on the Import NPS Configuration page, browse to the .xml configuration file that you want to use.
   - If exporting, select the "I am aware that I am exporting all shared secrets" option (the exported file contains every RADIUS shared secret, so protect it accordingly). Also, be aware that the Microsoft SQL Server logging settings are NOT exported to the file; you must configure SQL Server logging manually on the server to which you are importing the configuration file. Click OK, and specify a file name and the location in which to store the XML file.
3. To start or stop the NPS service, right-click NPS (local) in the console tree, and select the appropriate action from the context menu.
4. Because NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory® directory service, the server must be registered with Active Directory. Right-click NPS (local) in the console tree, and then click Register in Active Directory.

Note: To register the NPS server in the default domain using the netsh command:
1. Log on to the NPS server with an account that has administrative credentials for the domain.
2. Open a command prompt.
3. At the command prompt, type: netsh ras add registeredserver

References
Help Topic: Register the NPS server in Active Directory
Slide 9: Lesson 2: Configuring RADIUS Clients and Servers
- What Is a RADIUS Client?
- What Is a RADIUS Proxy?
- Demonstration: Configuring a RADIUS Client
- Configuring Connection Request Processing
- What Is a Connection Request Policy?
- Demonstration: Creating a New Connection Request Policy
Slide 10: What Is a RADIUS Client?
- NPS is a RADIUS server
- RADIUS clients are network access servers, such as:
  - Wireless access points
  - 802.1x authenticating switches
  - VPN servers
  - Dial-up servers
- RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting

Instructor notes:
Emphasize to students that client computers, such as wireless laptops and other computers running client operating systems, are not RADIUS clients. RADIUS clients are the network access devices that offer connectivity for the user from the wired local area network (LAN), wireless environments, and remote access solutions.

References
Help Topic: RADIUS Clients
Slide 11: What Is a RADIUS Proxy?
- A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing
- A RADIUS proxy is required for:
  - Service providers offering outsourced dial-up, VPN, or wireless network access services
  - Providing authentication and authorization for user accounts that are not Active Directory members
  - Performing authentication and authorization using a database that is not a Windows account database
  - Load-balancing connection requests among multiple RADIUS servers
  - Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

Instructor notes:
Explain that when you configure NPS as a RADIUS proxy, it receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing.
Explain when a RADIUS proxy is required:
- You are a service provider who offers outsourced dial-up, VPN, or wireless network access services. Connection requests are forwarded to customer-maintained RADIUS servers for authentication and authorization based on the request’s realm name.
- You want to provide authentication and authorization for user accounts that are not Active Directory members.
- You want to perform authentication and authorization by using a database that is not a Windows account database.
- You want to load-balance connection requests among multiple RADIUS servers.
- You want to provide RADIUS for outsourced service providers, and you need to limit traffic types through the firewall.
Ask the students for some examples where the proxy is useful. Engage the students’ ideas to further the discussion and help solidify their understanding of it.

References
Help Topic: RADIUS Proxy
Slide 12: Demonstration: Configuring a RADIUS Client
In this demonstration, you will see how to:
- Add a new RADIUS client to NPS
- Configure Routing and Remote Access as a RADIUS client

Instructor notes:
Demonstrate how to use the NPS console to add a RADIUS client:
1. In the NPS console, click RADIUS Clients and Servers in the console tree, and in the details pane, click Configure RADIUS Clients.
2. Right-click RADIUS Client, and then click Configure New RADIUS Client.
3. Fill in the fields in the New RADIUS Client dialog box, and then click OK.
Demonstrate how to use the Routing and Remote Access console to configure Routing and Remote Access as a RADIUS client:
1. In the Routing and Remote Access console, right-click servername, and then click Properties.
2. On the Security tab, specify RADIUS as the Authentication provider and configure its properties. Do the same for the Accounting provider on the Security tab.
Note: If NPS is installed on the same server, the dialog boxes to configure Authentication and Accounting do not appear. Instead, you use NPS to create authentication policies.

References
Routing and Remote Access Help Topic: Server Properties – Security Tab
Help Topic: Add a New RADIUS Client
Slide 13: Configuring Connection Request Processing
- Local vs. RADIUS authentication: Local authentication takes place against the local security account database or Active Directory, and the connection policies exist on that server. RADIUS authentication forwards the connection request to a RADIUS server for authentication against a security database; the RADIUS server maintains a central store of all the connection policies.
- RADIUS server groups: Used where one or more RADIUS servers are capable of handling connection requests. If there is more than one RADIUS server in the group, connection requests are load-balanced according to the criteria specified when the RADIUS server group is created.
- Default ports for accounting and authentication using RADIUS: Requests forwarded to a RADIUS server use UDP 1812 or 1645 for authentication and UDP 1813 or 1646 for accounting.

Instructor notes:
Emphasize that environments with multiple remote access servers are best served by RADIUS, where all the policies are located centrally and are created once in NPS.
Describe the load-balancing benefits that RADIUS server groups provide.
Regarding ports, mention the security benefit of placing a RADIUS proxy outside the firewall and having firewall policies that allow only UDP 1812/1645 and 1813/1646 for communication between the proxy and the RADIUS server internally.

References
Help Topic: Remote RADIUS Server Groups
Help Topic: Configure NPS UDP Port Information
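As an added illustration of how a remote RADIUS server group spreads forwarded requests (example code written for these notes, not part of the course and not NPS's own implementation): each server in the group carries a priority and a weight, the two values NPS exposes in the group's load-balancing settings. The slide only says "criteria specified during the creation of the RADIUS server group", so treating priority and weight as those criteria is this example's assumption. Only the best available priority tier receives requests, weight splits traffic inside that tier, and a tier whose servers have stopped responding is skipped. Addresses, weights and the group name are constructed.

```python
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RemoteRadiusServer:
    address: str
    auth_port: int = 1812    # RFC 2865 default; 1645 is the legacy authentication port
    acct_port: int = 1813    # RFC 2866 default; 1646 is the legacy accounting port
    priority: int = 1        # 1 is the most preferred tier; higher numbers are standbys
    weight: int = 50         # share of requests within one priority tier
    available: bool = True   # cleared when the server stops answering forwarded requests


@dataclass
class RemoteRadiusServerGroup:
    name: str
    servers: list = field(default_factory=list)


def select_server(group: RemoteRadiusServerGroup, rng=random) -> Optional[RemoteRadiusServer]:
    """Pick the server that receives the next forwarded request.

    Only the best (lowest-numbered) priority tier that still has an available
    server is considered; within that tier the choice is random, in proportion
    to each server's weight. None means there is nowhere left to forward to.
    """
    candidates = [s for s in group.servers if s.available]
    if not candidates:
        return None
    best = min(s.priority for s in candidates)
    tier = [s for s in candidates if s.priority == best]
    return rng.choices(tier, weights=[s.weight for s in tier], k=1)[0]


def distribution(group: RemoteRadiusServerGroup, n: int, seed: int = 1) -> dict:
    """Forward n simulated requests and count how many each server received."""
    rng = random.Random(seed)
    counts = {s.address: 0 for s in group.servers}
    for _ in range(n):
        chosen = select_server(group, rng)
        if chosen is not None:
            counts[chosen.address] += 1
    return counts


def build_demo_group() -> RemoteRadiusServerGroup:
    # Constructed group: two primaries sharing load 75/25 and one standby server.
    return RemoteRadiusServerGroup("CorpRADIUS", [
        RemoteRadiusServer("10.0.1.10", priority=1, weight=75),
        RemoteRadiusServer("10.0.1.11", priority=1, weight=25),
        RemoteRadiusServer("10.0.1.20", priority=2, weight=50),
    ])


def demo():
    """Show normal weighted distribution, then failover once both primaries are down."""
    group = build_demo_group()
    normal = distribution(group, 1000)
    for server in group.servers[:2]:
        server.available = False      # both priority-1 servers stop responding
    failover = select_server(group)
    return normal, (failover.address if failover else None)


if __name__ == "__main__":
    counts, standby = demo()
    print("requests per server:", counts)
    print("after primaries fail, forwarded to:", standby)
```

The standby at priority 2 receives nothing while either primary is up, which is the behaviour to expect when a group is configured for failover rather than for sharing load across all members.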
Slide 14: What Is a Connection Request Policy?
- Connection request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients
- Connection request policies include:
  - Conditions, such as: Framed Protocol; Service Type; Tunnel Type; Day and Time restrictions
  - Settings, such as: Authentication; Accounting; Attribute Manipulation; Advanced settings
- Custom connection request policies are required to forward the request to another proxy, RADIUS server, or server group for authorization and authentication, or to specify a different server for accounting information

Instructor notes:
Go over the three sections for each policy:
- Overview (enable/disable)
- Conditions
- Settings (authentication and accounting behaviors)
Open the default policy in NPS by launching the NPS console from Administration Tools. Expand Policies in the console tree, select Connection Request Policies, and then double-click Default Policy to view the settings.
Ask the students for some scenarios where custom connection policies would be required. Examples include a scenario in which policies exist with different realm names for RADIUS authentication and authorization, or a scenario in which a different accounting server is required.

References
Help Topic: Connection Request Policies
NPS Help Topic: Connection Request Policies
Slide 15: Demonstration: Creating a New Connection Request Policy
In this demonstration, you will see how to:
- Use the Connection Request Policy wizard to create a new connection request policy
- Disable or delete a connection request policy

Instructor notes:
Demonstrate how to add a new connection request policy using the Windows interface and how to disable a policy.
Note: Membership in the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer is required to complete this procedure.
To add a new connection request policy using the Windows interface:
1. Open the NPS console, and then double-click Policies.
2. In the console tree, right-click Connection Request Policies, and then click New Connection Request Policy.
3. Use the New Connection Request Policy Wizard to configure your connection request policy and, if not previously configured, a remote RADIUS server group.
Note: The processing order for these policies is from the top down, so make sure the policies are arranged in the order you want them processed.
To disable a policy:
- Right-click the policy in the Details pane, and from the context menu, click Disabled. You also can open the policy and deselect Policy Enabled on the Overview tab.
After you create custom policies in NPS, you can delete the default policy or move it to the bottom of the list so that it is processed last. To delete the default policy, right-click the policy, and click Delete from the context menu.

References
Help Topic: Add a Connection Request Policy
Help Topic: Connection Request Processing
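The two slides above describe connection request policies as ordered lists of conditions and settings that NPS evaluates from the top down. The Python model below is added here to show that evaluation; it is not part of the course material and not NPS code. It builds three constructed policies (one forwarding a partner realm to a remote server group, one limiting VPN tunnels to business hours, and the default "Use Windows authentication for all users" policy) and shows why the default policy must sit at the bottom: placed first, it shadows every custom policy, and a disabled policy is skipped. Realm, group name, user names and timestamps are constructed; treating a request that matches no policy as rejected is this example's assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

# A connection request as NPS sees it: a few RADIUS attributes plus arrival time.
Request = dict
Condition = Callable[[Request], bool]


@dataclass
class ConnectionRequestPolicy:
    name: str
    conditions: list = field(default_factory=list)   # every condition must hold (AND)
    forward_to_group: Optional[str] = None           # None = authenticate on this server
    enabled: bool = True                             # "Policy Enabled" on the Overview tab


def user_name_matches(pattern: str) -> Condition:
    """User-Name condition; NPS accepts a pattern such as a realm suffix."""
    rx = re.compile(pattern)
    return lambda req: rx.search(req.get("User-Name", "")) is not None


def tunnel_type_in(*types: str) -> Condition:
    """Tunnel-Type condition (for example PPTP or L2TP on VPN requests)."""
    return lambda req: req.get("Tunnel-Type") in types


def day_and_time(weekdays, start_hour: int, end_hour: int) -> Condition:
    """Day and Time restriction: weekday 0 is Monday, hours form a half-open range."""
    def pred(req: Request) -> bool:
        ts: datetime = req["timestamp"]
        return ts.weekday() in weekdays and start_hour <= ts.hour < end_hour
    return pred


def evaluate(policies, req: Request):
    """Top-down processing: the first enabled policy whose conditions all match
    decides where the request is authenticated. No match: request rejected
    (assumed behaviour for this model)."""
    for policy in policies:
        if policy.enabled and all(cond(req) for cond in policy.conditions):
            return policy.name, policy.forward_to_group or "local"
    return None, "reject"


WORKDAYS = range(0, 5)
WED = datetime(2008, 9, 24, 10, 30)   # constructed: a Wednesday morning
SAT = datetime(2008, 9, 27, 10, 30)   # constructed: a Saturday morning


def demo_policies():
    partner = ConnectionRequestPolicy(
        "Forward partner realm to PartnerRADIUS",
        [user_name_matches(r"@partner\.example$")],
        forward_to_group="PartnerRADIUS")
    vpn_hours = ConnectionRequestPolicy(
        "VPN during business hours",
        [tunnel_type_in("PPTP", "L2TP"), day_and_time(WORKDAYS, 8, 18)])
    default = ConnectionRequestPolicy(
        "Use Windows authentication for all users",
        [day_and_time(range(7), 0, 24)])          # matches every day and hour
    return partner, vpn_hours, default


def demo():
    partner, vpn_hours, default = demo_policies()
    ordered = [partner, vpn_hours, default]       # default last, as the slide advises
    default_first = [default, partner, vpn_hours]  # the mistake the slide warns about
    partner_vpn = {"User-Name": "alice@partner.example", "Tunnel-Type": "PPTP", "timestamp": WED}
    staff_vpn = {"User-Name": r"CONTOSO\bob", "Tunnel-Type": "L2TP", "timestamp": WED}
    staff_weekend = {"User-Name": r"CONTOSO\bob", "Tunnel-Type": "L2TP", "timestamp": SAT}
    return {
        "partner_ok": evaluate(ordered, partner_vpn),
        "partner_shadowed": evaluate(default_first, partner_vpn),
        "staff_vpn": evaluate(ordered, staff_vpn),
        "staff_weekend": evaluate(ordered, staff_weekend),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> policy={outcome[0]!r}, authenticate={outcome[1]}")
```

With the default policy on top, the partner user is authenticated locally instead of being forwarded, which is exactly the misrouting that the "processing order is from the top down" note is meant to prevent.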
Slide 16: Lesson 3: NPS Authentication Methods
- Password-Based Authentication Methods
- Using Certificates for Authentication
- Required Certificates for NPS Authentication Methods
- Deploying Certificates for PEAP and EAP
Slide 17: Password-Based Authentication Methods
Authentication methods for an NPS server include:
- MS-CHAPv2
- MS-CHAP
- CHAP
- PAP
- Unauthenticated access

Instructor notes:
Password-based authentication does not provide strong security, so we do not recommend its use. When password-based authentication is allowed, the methods are processed from the most secure (MS-CHAPv2) to the least secure (unauthenticated access).
Ensure that the students realize that if all the clients using the service are Microsoft clients, MS-CHAPv2 should be the only method allowed for a password-based solution.
Challenge Handshake Authentication Protocol (CHAP) may be allowed if support for non-Microsoft clients is necessary.
Password Authentication Protocol (PAP) sends the password in plain text, so anyone capturing the traffic can read it.
Unauthenticated access is required for Guest account access, and we do not recommend it.

References
Help Topic: Password-Based Authentication Methods
Slide 18: Using Certificates for Authentication
Certificate-based authentication in NPS:
- Certificate types:
  - CA certificate: Verifies the trust path of other certificates
  - Client computer certificate: Issued to the computer to prove its identity to NPS during authentication
  - Server certificate: Issued to an NPS server to prove its identity to client computers during authentication
  - User certificate: Issued to individuals to prove their identity to NPS servers for authentication
- Certificates can be obtained from public CA providers, or you can host your own Active Directory Certificate Services
- To specify certificate-based authentication in a network policy, configure the authentication methods on the Constraints tab

Instructor notes:
Ensure that students understand that certificate-based authentication is the strongest authentication that can take place in NPS and that we recommend it highly.
Consider facilitating a discussion about the advantages and disadvantages of hosting your own certificate server, as well as the advantages and disadvantages of using a public certificate authority (CA) vendor for your certificate needs.

References
Help Topic: Certificates and NPS
Slide 19: Required Certificates for NPS Authentication Methods
All certificates must meet the requirements for X.509 and must work for connections that use SSL/TLS.
- Server certificates:
  - Must contain a Subject attribute that is not NULL
  - Must chain to a trusted root CA
  - Configured with the Server Authentication purpose in the EKU extension
  - Configured with the required algorithm of RSA with a minimum 2048-bit key length
  - Subject Alternative Name extension, if used, must contain the DNS name
- Client certificates:
  - Issued by an Enterprise CA or mapped to an account in Active Directory
  - For computer certificates, the Subject Alternative Name must contain the FQDN
  - For user certificates, the Subject Alternative Name must contain the UPN

Instructor notes:
Explain that you can use private or public CAs for certificate needs; however, private CAs are the most cost-effective solution for most organizations. Using certificates removes the temptation to fall back on less secure password-based authentication methods in order to avoid extra administration and configuration costs. The added costs are outweighed by the additional security that this method provides.

References
Help Topic: Certificate Requirements for PEAP and EAP
Help Topic: Certificates and NPS
Slide 20: Deploying Certificates for PEAP and EAP
- For domain computer and user accounts, use the auto-enrollment feature in Group Policy
- Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
- The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
- The administrator can distribute user certificates on a smart card

Instructor notes:
Explain that certificate deployment to enterprise users and computers is greatly simplified by using the auto-enrollment feature. Leverage the infrastructure to automate as much of the process as possible.
Discuss the guidelines for deploying certificates for Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP):
- For domain computer and user accounts, the auto-enrollment feature in Group Policy can be used to acquire the necessary certificates automatically for authentication at the next Group Policy refresh interval, or by forcing a Group Policy refresh with GPupdate.
- Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool.
- The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer. In cases where the computer is not accessible, a domain user whom the administrator trusts can install the certificate.
- The administrator can distribute user certificates on a smart card.

References
Help Topic: Certificates and NPS
Help Topic: EAP and NPS
Help Topic: PEAP and NPS
Slide 21: Lesson 4: Monitoring and Troubleshooting a Network Policy Server
- Methods Used to Monitor NPS
- Configuring Log File Properties
- Configuring SQL Server Logging
- Configuring NPS Events to Record in the Event Viewer
Slide 22: Methods Used to Monitor NPS
NPS monitoring methods include:
- Event logging
  - The process of logging NPS events in the System event log
  - Useful for auditing and troubleshooting connection attempts
- Logging user authentication and accounting requests
  - Useful for connection analysis and billing purposes
  - Can be in a text format
  - Can be in a database format within a SQL Server instance

Instructor notes:
Describe some of the best practices for logging:
- Turn on logging for both authentication and accounting records. Make modifications after you determine what is appropriate for your environment.
- Ensure that you configure event logging with sufficient capacity to maintain the logs.
- Back up log files regularly, because they cannot be recreated if damaged or deleted.
- Use redundant SQL servers on different subnets configured for database replication.
- Use the RADIUS Class attribute to track usage and identify which department or user to charge for usage.
Use the resources for more best-practice information related to NPS logging.

References
Help Topic: NPS Best Practices
Slide 23: Configuring Log File Properties
Use the NPS console to configure logging:
1. Open NPS from the Administrative Tools menu
2. In the console tree, click Accounting
3. In the details pane, click Configure Local File Logging
4. On the Settings tab, select the information to be logged
5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated
Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails because the hard disk is full, NPS stops processing connection requests.

Instructor notes:
Ensure that students understand that any logging should be written to a partition other than the system partition and should be configured so that the data collected is the most useful for the enterprise in which NPS is being used.
Mention that the output can be sent to external applications via piping, and you also can specify UNC paths for network locations.
NPSparse.exe can be used to view the log data.

References
Help Topic: Configure Log File Properties
Help Topic: NPS Best Practices
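As an added example of working with the log files this slide configures (example code written for these notes; it is not part of the course and is not NPSparse.exe): when the log type is set to the DTS-compliant format, NPS writes each event as one line of XML. The Python below parses a constructed sample of such lines, counts Access-Request, Access-Accept, Access-Reject and Accounting-Request records, and flags any user whose rejects reach a threshold, which is the summary an administrator wants when auditing connection attempts. Field names follow the DTS format; the host names, user names, addresses, timestamps and Class value in the sample are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet codes as NPS records them in the Packet-Type field (RFC 2865/2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4

# Constructed sample: seven DTS-compliant events, one per line, as NPS would write them.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">09/24/2008 10:30:12.123</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">NYC-RRAS</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">09/24/2008 10:30:12.140</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Class data_type="1">311 1 10.0.0.1 09/24/2008 08:00:00 42</Class><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/24/2008 10:31:05.001</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">NYC-RRAS</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">09/24/2008 10:31:05.020</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">09/24/2008 10:32:44.310</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Client-Friendly-Name data_type="1">NYC-WLAN-AP1</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">09/24/2008 10:32:44.330</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">09/24/2008 10:33:00.500</Timestamp><Computer-Name data_type="1">NYC-SVR1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Acct-Status-Type data_type="0">1</Acct-Status-Type><Packet-Type data_type="0">4</Packet-Type></Event>
""".strip().splitlines()


def parse_dts_log(lines):
    """Return one dict per <Event> line, mapping each child element's name to its text."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def summarize(events, reject_threshold: int = 2) -> dict:
    """Count packet types, attribute rejects to users and RADIUS clients, and flag
    users whose reject count reaches the threshold so they can be followed up."""
    by_type = Counter()
    rejects_by_user, rejects_by_client = Counter(), Counter()
    for ev in events:
        packet_type = int(ev.get("Packet-Type", "0"))
        by_type[packet_type] += 1
        if packet_type == ACCESS_REJECT:
            rejects_by_user[ev.get("User-Name", "?")] += 1
            rejects_by_client[ev.get("Client-IP-Address", "?")] += 1
    return {
        "requests": by_type[ACCESS_REQUEST],
        "accepts": by_type[ACCESS_ACCEPT],
        "rejects": by_type[ACCESS_REJECT],
        "accounting": by_type[ACCOUNTING_REQUEST],
        "rejects_by_user": dict(rejects_by_user),
        "rejects_by_client": dict(rejects_by_client),
        "flagged_users": sorted(u for u, n in rejects_by_user.items() if n >= reject_threshold),
    }


def demo() -> dict:
    return summarize(parse_dts_log(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the file a line at a time is what keeps this workable on a large log; the same parser can be pointed at a UNC path when logging is redirected to a network share, as the instructor notes mention. Reject events carry a Reason-Code, which is the first thing to look at before deciding whether a run of rejects is a mistyped password or a misconfigured RADIUS client.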
Slide 24: Configuring SQL Server Logging
You can use SQL Server to log RADIUS accounting data:
- Requires SQL Server to have a stored procedure named report_event
- NPS formats accounting data as an XML document
- Can be a local or remote SQL Server database

Instructor notes:
Logging to a SQL Server instance is the more favorable option if SQL Server is available. You can configure the maximum number of concurrent sessions between SQL Server and NPS.
Explain how to configure SQL Server logging in NPS:
1. Open the Network Policy Server MMC, and in the console tree, click Accounting.
2. In the details pane, under SQL Server Logging, click Configure SQL Server Logging. The SQL Server dialog box opens.
3. In the Log the Following Information section, specify the information you wish to log.
4. Configure the maximum number of concurrent connections between NPS and SQL Server.
5. Click Configure to configure the SQL Server data source.

References
Help Topic: Configure SQL Logging in NPS
Slide 25: Configuring NPS Events to Record in the Event Viewer
How do I configure NPS events to be recorded in Event Viewer?
- NPS is configured by default to record failed connections and successful connections in the event log
- You can change this behavior on the General tab of the Properties sheet for the network policy
- Common request failure events
- What information does the failure event record?
- What information does the success event record?
What is Schannel logging, and how do I configure it?
- Schannel is a security support provider that supports a set of Internet security protocols
- You can configure Schannel logging in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging

Instructor notes:
Explain that connection requests are rejected or ignored for a variety of reasons, including:
- The RADIUS message is not formatted according to Request for Comments (RFC) 2865 or 2866.
- The RADIUS client is unknown.
- The RADIUS client has multiple IP addresses and sent the request from an address other than the one defined in NPS.
- The shared secret is invalid.
- The message authenticator that the client sent is invalid.
- NPS was unable to locate the user’s domain.
- NPS was unable to connect to the user’s domain.
- NPS was unable to access the user account in the domain.
When NPS rejects a request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the first matching policy, the reason for rejection, and other information.
When NPS accepts a request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching policy.
Logging Schannel events:
Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication through encryption.
Logging of client certificate validation failures is a secure channel event and is not enabled on the NPS server by default. You can enable additional secure channel events by changing the following registry value (REG_DWORD) from 1 to 3:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging

References
Help Topic: NPS Events and Event Viewer
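Several of the rejection reasons listed above are properties of the RADIUS message itself: it is not formatted per RFC 2865, or the Message-Authenticator the client sent does not verify, which is the symptom of a wrong shared secret on either side. The Python below is added here as an example and is not part of the course or of NPS: it is a minimal server-side check written from the RFCs that parses a datagram, refuses the format violations, recomputes the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869 section 5.14) with the correct and with a wrong secret, and shows how the Response Authenticator of the server's reply is derived (RFC 2865 section 3). The shared secret, NAS address, user name and request authenticator are constructed; a real NAS generates the request authenticator randomly.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER_LEN, MAX_LEN = 20, 4096


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type, Length (including header), Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_access_request(ident, request_auth, attrs, secret):
    """What a RADIUS client (NAS) sends: header, 16-byte Request Authenticator,
    attributes, and a Message-Authenticator that is HMAC-MD5(secret) over the
    whole packet with the Message-Authenticator value zeroed."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # the zeroed placeholder was the last 16 bytes


def parse_packet(data):
    """Split a datagram into (code, ident, authenticator, attrs); raise ValueError
    on the RFC 2865 format violations that make a server discard the message."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_LEN or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    data = data[:length]               # octets beyond Length are padding and ignored
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute Length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:HEADER_LEN], attrs


def verify_access_request(data, secret):
    """Server-side check of an incoming Access-Request. Returns (accepted, reason)."""
    try:
        code, ident, authenticator, attrs = parse_packet(data)
    except ValueError as err:
        return False, f"malformed: {err}"
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not received:
        return True, "no Message-Authenticator present; shared secret not yet proven"
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    rebuilt = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body
    expected = hmac.new(secret, rebuilt, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received[0]):
        return False, "invalid Message-Authenticator: wrong shared secret or altered packet"
    return True, "ok"


def response_authenticator(code, ident, attrs, request_auth, secret):
    """Authenticator the server places in its Access-Accept or Access-Reject:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The NAS
    recomputes it and ignores replies whose value does not match."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def demo():
    secret = b"example-shared-secret"              # constructed, for this demo only
    request_auth = bytes(range(16))                # constructed; a real NAS uses random bytes
    attrs = [(USER_NAME, b"alice@contoso.example"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]
    packet = build_access_request(7, request_auth, attrs, secret)
    tampered = packet[:22] + b"X" + packet[23:]    # alter one byte of User-Name in transit
    return {
        "good": verify_access_request(packet, secret),
        "wrong_secret": verify_access_request(packet, b"not-the-secret"),
        "tampered": verify_access_request(tampered, secret),
        "truncated": verify_access_request(packet[:30], secret),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:12} accepted={accepted} ({reason})")
```

The wrong-secret and tampered cases fail in the same way, which is why the NPS event for an invalid message authenticator cannot by itself tell a mistyped shared secret from a modified packet: check the RADIUS client's configured secret first, then the path between the client and the server.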
Slide 26: Lab: Configuring and Managing Network Policy Server
- Exercise 1: Installing and Configuring the Network Policy Server Role Service
- Exercise 2: Configuring a RADIUS Client
- Exercise 3: Configuring Certificate Auto-Enrollment

Logon information:
- Virtual machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 60 minutes

Instructor notes:
Lab objectives:
- Install the Network Policy Server role service, and configure Network Policy Server settings
- Configure a RADIUS client
- Configure certificate auto-enrollment
Scenario:
The Windows Infrastructure Services Technology Specialist has been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, wireless and wired access, RADIUS, and RADIUS proxy.
Exercise 1: Installing and Configuring the Network Policy Server Role Service
The student will install the NPS role service and configure general server settings, such as Active Directory registration.
Exercise 2: Configuring a RADIUS Client
Given a scenario and network diagram, the student will configure a RADIUS client.
Exercise 3: Configuring Certificate Auto-Enrollment
The student will configure and deploy certificate auto-enrollment to support advanced authentication.
Inputs:
- Provided scenario
- Virtual machines (one configured as a CA)
Output:
- NPS role service installed and configured
- RADIUS server configured with client settings
- Computers obtaining auto-enrolled certificates for authentication
Slide 27: Lab Review
- What does a RADIUS proxy provide?
- What is a RADIUS client, and what are some examples of RADIUS clients?

Lab Review Questions and Answers
Question: What does a RADIUS proxy provide?
Answer: When you use NPS as a RADIUS proxy, NPS forwards connection requests to NPS or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory because it does not need access to the dial-in properties of user accounts. Additionally, you do not need to configure network policies on an NPS proxy, because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member or it can be a standalone server with no domain membership.
Question: What is a RADIUS client, and what are some examples of RADIUS clients?
Answer: A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure also is a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Examples of network access servers are:
- Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server 2008 and the Routing and Remote Access service that provides either traditional dial-up or virtual private network (VPN) remote access services to an organization intranet.
- Wireless access points that provide physical-layer access to an organization network using wireless-based transmission and reception technologies.
- Switches that provide physical-layer access to an organization’s network, using traditional LAN technologies such as Ethernet.
- RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group configured on the RADIUS proxy.
Slide 28: Module Review and Takeaways
- Review questions
- Best Practices
- Security Issues
- Tools

Review Questions and Answers
Question 1: Why must you register the NPS server in Active Directory?
Answer: When NPS is a member of an Active Directory domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the credentials that Active Directory stores for the user account. NPS authorizes connection requests by using network policy and by checking user account dial-in properties in Active Directory. The NPS server must be registered in Active Directory to have permission to access user-account credentials and dial-in properties.
Question 2: How can you make the most effective use of the NPS logging features?
Answer: You can make the most effective use of the NPS logging features by performing the following tasks:
- Turn on logging (initially) for both authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.
- Ensure that event logging is configured with sufficient capacity to maintain your logs.
- Back up all log files on a regular basis, because they cannot be recreated when damaged or deleted.
- Use the RADIUS Class attribute to track usage and simplify the identification of which department or user to charge for usage. Although the Class attribute, which is generated automatically, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to track usage accurately.
- To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers.