70-411: Administering Windows Server 2012
Chapter 4 Configure a Network Policy Server Infrastructure
Objective 4.1: Configuring a Network Policy Server
RADIUS Terms
• Network Policy Server (NPS): Microsoft’s RADIUS server.
• Authorization: The process that determines what a user is permitted to do on a computer system or network.
• RADIUS client: A server or device that forwards RADIUS requests to a RADIUS server.
• Access client: A computer or device that contacts or connects to a RADIUS client, which requires authentication and authorization to connect.
© 2013 John Wiley & Sons, Inc.
RADIUS servers and clients
(Diagram: A Network with RADIUS, showing RADIUS servers and clients)
Configuring RADIUS Server Infrastructures
Multiple RADIUS server configurations:
• Primary RADIUS server and alternate RADIUS servers
• A RADIUS proxy located between the RADIUS server and the RADIUS clients
Configuring RADIUS Clients
The standard configuration includes:
• RADIUS server for dial-up or VPN connections
• RADIUS server for 802.1X wireless or wired connections
• NAP policy server
Managing RADIUS Templates
• RADIUS templates are designed to reduce the time and cost it takes to configure RADIUS on one or more servers.
• Creating a RADIUS template does not affect the functionality of NPS.
• A RADIUS template affects the NPS server only when the template is selected and applied while configuring RADIUS.
Configuring RADIUS Accounting
RADIUS accounting message flow:
• NPS server: Generates an Accounting-Start message
• RADIUS accounting server: Sends an acknowledgment
• RADIUS client: Generates an Accounting-Stop message
Understanding NPS Authentication Methods
Authentication is usually broken down into the following categories:
• Password-based credentials
• Certificate-based credentials
Using Password-Based Authentication
• The network access server passes the username and password to the NPS server.
• The NPS server verifies the credentials against the user account database.
• The enabled password methods are processed from the most secure (Microsoft Challenge-Handshake Authentication Protocol v2, or MS-CHAPv2) to the least secure (unauthenticated access).
• For stronger security, use certificate authentication or multi-factor authentication.
Using Certificates for Authentication
• Much stronger than password-based authentication methods
• Certificates are:
  • Customized using certificate templates
  • Issued using a Certificate Authority
• If smart cards are used, certificates must include:
  • Smart Card Logon purpose
  • Client Authentication purpose
Using Certificates for Authentication
A digital certificate is required, and the NPS server must use a server certificate, for:
• Protected Extensible Authentication Protocol with Microsoft Challenge-Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2)
• Protected Extensible Authentication Protocol with Transport Layer Security (PEAP-TLS)
• Extensible Authentication Protocol with Transport Layer Security (EAP-TLS)
Objective 4.2: Configuring NPS Policies
Network Policy Server (NPS) Policies
• Connection request policies: Specify which RADIUS servers perform authentication, authorization, and accounting.
• Network policies: Specify who is authorized to connect to the network and the circumstances under which they can or cannot connect.
• Health policies: Establish system health validators (SHVs) and other settings that define client computer configuration requirements for NAP-capable computers.
Configuring Connection Request Policies
Connection request policies are based on a range of factors such as:
• The time of day and day of the week
• The realm name in the connection request
• The type of connection requested
• The IP address of the RADIUS client
Configuring Connection Request Policies
When you create a connection request policy, you define these parameters:
• Type of network access server, such as a remote access server (VPN or dial-up)
• Conditions that specify who or what can connect to the network, based on one or more RADIUS attributes
• Settings that are applied to an incoming RADIUS message, such as authentication, accounting, and attribute manipulation
Configuring Connection Request Policies
Connection request policy conditions:
• Are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message.
• If there are multiple conditions, all of the conditions in the connection request policy must match the attributes of the incoming connection request message for NPS to enforce the policy.
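Added example (Python, written for this page; not code from the course or from NPS): a small evaluator that applies the matching rule above to constructed Access-Requests. Policy names, attribute names and sample values are assumptions; it also models the first-match ordering NPS uses when it walks its ordered policy list, which the slides do not state explicitly.

```python
# Added example: a minimal evaluator for NPS-style connection request policies.
# Policy names, attribute names and sample requests are constructed for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Each policy lists conditions that must ALL match the Access-Request attributes.
# Policies are evaluated in processing order; the first full match is applied.
POLICIES = [
    {
        "name": "Corp VPN, business hours",
        "conditions": {
            "NAS-Port-Type": {"Virtual (VPN)"},            # type of connection
            "Client-IP-Address": "10.0.5.0/24",             # the RADIUS client (VPN server)
            "User-Name": r"^[^@]+@corp\.example$",          # realm name in the request
            "Day-And-Time": {"weekday": range(0, 5), "hours": range(8, 18)},
        },
        "action": "authenticate-locally",
    },
    {
        "name": "Partner realm to remote RADIUS group",
        "conditions": {"User-Name": r"^[^@]+@partner\.example$"},
        "action": "forward:PartnerRadiusGroup",
    },
]

def condition_matches(attr, expected, request):
    """Compare one policy condition against the incoming request."""
    if attr == "Day-And-Time":
        ts = request["timestamp"]
        return ts.weekday() in expected["weekday"] and ts.hour in expected["hours"]
    value = request.get(attr)
    if value is None:                     # attribute absent: condition cannot match
        return False
    if attr == "Client-IP-Address":
        return ip_address(value) in ip_network(expected)
    if attr == "User-Name":
        return re.search(expected, value) is not None
    return value in expected              # set membership, e.g. NAS-Port-Type

def evaluate(request, policies=POLICIES):
    """Return (policy name, action) of the first policy whose conditions all match, else (None, 'reject')."""
    for policy in policies:
        if all(condition_matches(a, e, request) for a, e in policy["conditions"].items()):
            return policy["name"], policy["action"]
    return None, "reject"

# Constructed sample Access-Requests (Tuesday 10:00 is inside business hours)
REQ_OK = {"NAS-Port-Type": "Virtual (VPN)", "Client-IP-Address": "10.0.5.20",
          "User-Name": "alice@corp.example", "timestamp": datetime(2024, 3, 5, 10, 0)}
REQ_AFTER_HOURS = {**REQ_OK, "timestamp": datetime(2024, 3, 5, 22, 0)}
REQ_PARTNER = {**REQ_OK, "User-Name": "bob@partner.example"}
```

The after-hours request fails the Day-And-Time condition of the first policy and does not match the partner realm, so it is rejected even though every other attribute matches.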
Configuring Network Policies
An NPS network policy evaluates remote connections based on these three components:
• Conditions
• Constraints
• Settings
Multilink and Bandwidth Allocation
• ISDN includes multiple channels, which allow simultaneous voice and data communications.
• With multilink and Bandwidth Allocation Protocol (BAP) settings, you can specify:
  • Whether multiple connections form a single connection to increase bandwidth
  • How BAP determines when these extra lines are dropped
Encryption Options
• Basic Encryption (MPPE 40-Bit): For dial-up and PPTP-based VPN connections, MPPE is used with a 40-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.
• Strong Encryption (MPPE 56-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 56-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.
• Strongest Encryption (MPPE 128-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 128-bit key. For L2TP/IPsec VPN connections, 168-bit Triple DES encryption is used.
• No Encryption: This option allows unencrypted connections that match the remote access policy conditions. Clear this option to require encryption.
IP Addressing
IP settings include these options:
• Server Must Supply An IP Address
• Client May Request An IP Address
• Server Settings Determine IP Address Assignment (the default setting)
• Assign A Static IP Address
Managing NPS Templates
NPS template types available in Templates Management:
• Shared Secrets
• RADIUS Clients
• Remote RADIUS Servers
• IP Filters
• Health Policies
• Remediation Server Groups
Objective 4.3: Configuring Network Access Protection (NAP)
Network Access Protection (NAP)
• NAP is Microsoft’s software for controlling network access for computers based on the health of the host.
• NAP can be used on any computer that runs Windows and supports NAP.
• Types of computers that connect to a network:
  • Desktop computers
  • Roaming laptops
  • Unmanaged home computers
  • Visiting laptops
NAP Built-In Enforcement Methods
• DHCP
• IPsec
• VPN
• 802.1X
• Remote Desktop Gateway (RD Gateway)
DHCP Enforcement
To control network access, DHCP enforcement sets the following:
• The DHCP Router option is set so that noncompliant computers do not have a configured default gateway.
• The subnet mask is set so that there are no routes to the attached subnet.
NAP Architecture Components
• NAP client-side components
• NAP enforcement points
• NAP health policy server
• System Health Agents (SHAs)
NAP Architecture Components (cont.)
• Statement of Health (SoH)
• NAP Agent
• Health Registration Authority (HRA)
• Health requirements server
• Remediation servers
Installing Network Access Protection
• Because NAP is offered through NPS, the installation is similar to installing NPS.
• However, you also want to add the HRA, which issues health certificates to NAP client computers that are compliant with network health requirements.
• For the HRA to function, you need to have a CA available.
System Health Validators
• System Health Validator (SHV) settings define the requirements for client computers that connect to your network.
• You configure SHVs using the Network Policy Server console.
• Windows 8 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings.
• Windows Server 2012 includes a corresponding Windows Security Health Validator SHV.
Configuring System Health Validators
SHV options:
• Firewall Settings
• Antivirus Settings
• Spyware Protection Settings
• Automatic Updates Settings
• Security Updates Settings
Configuring Health Policies
• Health policies consist of one or more system health validators and other settings that enable you to define client computer configuration requirements for the NAP-capable computers that attempt to connect to your network.
• Health policy pairs:
  • NAP-compliant
  • NAP-noncompliant
Configuring Health Policies
NAP enforcement settings:
• NAP DHCP-compliant: Allow full network access.
• NAP DHCP-noncompliant: Allow limited access.
• NAP DHCP non-NAP-capable properties: Allow full network access.
Configuring Isolation and Remediation
• If a computer is noncompliant, it should be isolated from the production network.
• When you configure NAP, you can configure either a monitor-only policy or an isolation policy.
Configuring Isolation and Remediation
Remediation servers typically consist of:
• DHCP servers to provide IP configuration
• Naming servers, including DNS servers and WINS servers
• Active Directory domain controllers (read-only domain controllers are recommended to minimize security risks)
• Internet proxy servers so that noncompliant NAP clients can access the Internet
Configuring Isolation and Remediation
Remediation servers typically consist of (continued):
• HRAs so that noncompliant NAP clients can obtain a health certificate for the IPsec enforcement method
• A web server that hosts the troubleshooting URL, so users can access information on compliance
• Anti-virus/anti-malware servers so that clients can retrieve anti-virus/anti-malware updates
• Software update servers so that clients can get Windows updates
Configuring NAP Client Settings
• You can use the Enable Security Center in Group Policy procedure to enable Security Center on NAP-capable clients through Group Policy.
• Some NAP deployments that use the Windows Security Health Validator require Security Center.
• Open the Services console, set the startup type of the Network Access Protection Agent service to Automatic, and start the service.