Windows Server 2008 Network Policy Server (NPS) Operations Guide

Microsoft Corporation
Published: April 2008
Author: James McIllece
Editor: Scott Somohano

Abstract
The Network Policy Server Operations Guide provides information about how to administer NPS after it is installed and deployed. It also includes troubleshooting information for specific problems and scenarios.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.

Contents
Windows Server 2008 Network Policy Server (NPS) Operations Guide
  Abstract
Contents
Network Policy Server Operations Guide
  Windows Server 2008 Editions and NPS
    Windows Server 2008 Enterprise and Datacenter Editions
    Windows Server 2008 Standard Edition
    Windows Web Server 2008
  NPS resources
Introduction to Administering NPS
  When to use this guide
  How to use This guide
Best Practices for NPS
  Installation
  Client computer configuration
  Authentication
  Security issues
  Accounting
  Optimizing NPS
    Using NPS in large organizations
  Network Access Protection (NAP)
Administering NPS
Managing NPS Servers
Administer NPS by Using Tools
Enable Remote Administration of an NPS Server
Enter the Netsh NPS Context on an NPS Server
Installing NPS
Install Network Policy Server (NPS)
Install NPS by Using the Add Role Services Wizard
Manage an NPS Server by Using Remote Desktop Connection
Manage Multiple NPS Servers by Using the NPS MMC Snap-in
Configure the Local NPS Server by Using the NPS Console
Configure NPS on a Multihomed Computer
Configure NPS UDP Port Information
Disable NAS Notification Forwarding
Export an NPS Server Configuration for Import on Another Server
Increase the Number of NPS Concurrent Authentications
Interpret NPS Database Format Log Files
  Entries recorded in database-compatible log files
Interpret Windows System Health Validator Entries in Log Files
  Diagnostic codes
  Error codes
    Determining the client operating system
    Example log file entries
      First example log file entry
      Second example log file entry
Register an NPS Server in Another Domain
Register an NPS Server in its Default Domain
Unregister an NPS Server from its Default Domain
Verify Configuration After an NPS Server IP Address Change
Verify Configuration After Renaming an NPS Server
Managing Certificates Used with NPS
Change the Cached TLS Handle Expiry
Configure the TLS Handle Expiry Time on Client Computers
Configure the TLS Handle Expiry Time on NPS Servers
Obtain the SHA-1 Hash of a Trusted Root CA Certificate
Managing RADIUS Clients
Set up RADIUS Clients
Configure the Network Access Server
Add the Network Access Server as a RADIUS Client in NPS
Set up RADIUS Clients by IP Address Range
Managing Network Policies
  An ordered list of rules
Configure NPS for VLANs
Configure a Network Policy for VLANs
Configure the EAP Payload Size
Configure the Framed-MTU Attribute
Configure NPS to Ignore User Account Dial-in Properties

Network Policy Server Operations Guide
The Network Policy Server (NPS) Operations Guide provides administration information about NPS in the Windows Server® 2008 operating system.

NPS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured to act as a RADIUS server or RADIUS proxy. When you configure NPS as a RADIUS server, network access servers that are configured as RADIUS clients in NPS forward connection requests to NPS for authentication and authorization, providing centralized network access management. The network access servers that you can configure as RADIUS clients in NPS are wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, Terminal Services Gateway (TS Gateway) servers, and dial-up servers. When you configure NPS as a RADIUS proxy, NPS forwards authentication and accounting requests to RADIUS servers in a remote RADIUS server group. You can also configure the NPS proxy to perform authorization locally while forwarding authentication requests to a remote RADIUS server group. In addition, you can customize the processing of accounting requests, processing them locally on the NPS proxy or forwarding them to other RADIUS servers. You can also configure NPS as a Network Access Protection (NAP) policy server. When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies.

Note: In Windows Server 2008, Network Policy Server replaces the Internet Authentication Service (IAS) component of Windows Server 2003.

Windows Server 2008 Editions and NPS
NPS provides different functionality depending on the edition of Windows Server 2008 that you install.

Windows Server 2008 Enterprise and Datacenter Editions
With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

Windows Server 2008 Standard Edition
With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.

Windows Web Server 2008
NPS is not included in Windows Web Server 2008.

NPS resources
For NPS resources in addition to this guide, see Network Policy Server in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=104545). To access the NPS procedural Help topics, open the NPS console and press F1.

Introduction to Administering NPS
This guide, in conjunction with the NPS procedural Help topics, explains how to administer NPS. It includes information that is relevant to different roles within an IT organization, including IT operations management and administrators. This guide can be used by organizations that have deployed Windows Server 2008. If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide
This guide assumes a basic understanding of what NPS is, how it works, and why your organization uses it to manage network access, including the authentication, authorization, and accounting for network connections. It also assumes that you have a thorough understanding of how NPS is deployed and managed in your organization before performing any of the actions described in this guide. The objectives, tasks, and procedures described in this guide and in procedural Help topics discuss actions that are part of the operating phase of the information technology (IT) life cycle.

This guide contains both general information and more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and its snap-ins. They must also know how to start administrative programs, access the command line, and run the Netsh commands for NPS. If operators are not familiar with NPS, it might be necessary for IT planners or IT managers to review the relevant operations in this guide and provide the operators with parameters or data that must be entered when the operation is performed.

How to use This guide
The operations areas are divided into the following types of content:
• Objectives are general goals for managing, monitoring, optimizing, and securing NPS. Each objective consists of one or more general tasks that describe how the objective is accomplished.
• Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective.
• Procedures provide step-by-step instructions for completing tasks.

If you are an IT manager who will be delegating tasks to operators within your organization:
1. Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures for each task.
2. Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
3. When necessary, create “tear sheets” for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document, and then either print these documents or store them online, depending on the preference of your organization.

Best Practices for NPS
This topic provides best practices for implementing and configuring NPS and is based on recommendations from Microsoft Product Support Services.

Installation
When you install NPS, do the following:
• Install and test each of your network access servers by using local authentication methods before you make them RADIUS clients.
• After you install and configure NPS, save the configuration by using the netsh nps export command, and use the same command to save the NPS configuration to an XML file every time a configuration change is made. Treat the exported file as a secret: when you export with shared secrets included, they are written to the file in plaintext.
• If you install additional Extensible Authentication Protocol (EAP) types or additional system health validators (SHVs) on your NPS server, document the server configuration in case you need to rebuild the server or duplicate the configuration on other NPS servers.
• Do not install Windows Server 2008 on the same partition with another version of Windows Server.
• Do not configure a server running NPS or the Routing and Remote Access service as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a domain controller running Windows Server 2008 in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain controller to fail. Instead, configure your server running NPS or Routing and Remote Access as a member of a Windows Server 2008 domain. An alternative is to configure a server running NPS as a RADIUS proxy server that forwards authentication and accounting requests from the Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.

Client computer configuration
Following are the best practices for client computer configuration:
• Automatically configure all of your domain member 802.1X client computers by using Group Policy.
• Automatically configure all of your domain member NAP-capable clients by importing NAP client configuration files into Group Policy.

Authentication
Following are the best practices for authentication:
• Use authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version two (PEAP-MS-CHAP v2), that support the use of certificates for strong authentication. Do not use password-based authentication methods outside a PEAP tunnel, because they are vulnerable to a variety of attacks and are not secure.
• Use PEAP, which is required for the 802.1X and VPN Network Access Protection (NAP) enforcement methods.
• Deploy a certification authority (CA) by using Active Directory® Certificate Services (AD CS) if you use strong certificate-based authentication methods that require the use of a server certificate on NPS servers, such as PEAP-TLS and PEAP-MS-CHAP v2. You can also use your CA to deploy computer certificates to domain member computers and user certificates to members of the Users group in Active Directory. Determine the PEAP authentication types that you want to use, and then plan and deploy your public key infrastructure (PKI) to ensure that all computers and users can enroll the certificates required by the authentication types.

Security issues
Your NPS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your NPS server and RADIUS messages from unwanted internal and external intrusion.

When you are administering an NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:
• Use Remote Desktop Connection to access the NPS server. Remote Desktop Connection provides 128-bit encryption between client and server. When Remote Desktop Connection users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, ensure that you store credentials and other connection properties in a secure location.
• Use Internet Protocol security (IPsec) to encrypt confidential data. If you manage one or more remote NPS servers from a local NPS server by using the NPS Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication between the local NPS server and the remote NPS server.

Accounting
There are two types of accounting, or logging, in NPS:
• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. This information is used primarily for auditing and troubleshooting connection attempts. Recording NPS events to the security event log is a new feature in Windows Server 2008, and much more information is logged for NPS than in previous operating system versions for Internet Authentication Service (IAS), providing you with a method of tracking down activity after an attack.
• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool.

To make the most effective use of NPS logging:
• Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.
• Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.
• Back up all log files on a regular basis because they cannot be recreated after they are damaged or deleted.
• For billing purposes, use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases when the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage. Because the access server echoes the Class value it received in the Access-Accept in every accounting packet for that session, match duplicates on the Class value together with the Acct-Status-Type (Start or Stop), not on the Class value alone.
• If you use SQL Server logging, note that the SQL Server logging configuration is not exported to file when you use the netsh nps export command.
• To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server tools to set up database replication between the two servers. For more information, see SQL Server documentation.

Important: If your NPS server is configured to log accounting data but cannot write to the configured data store (a log file, a SQL Server database, or both), NPS discards all connection requests, authentication fails, and users cannot access the network by using connections through RADIUS clients. This ensures that accounting data is accurate.
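The following is an added example, not code from the Operations Guide, showing how the duplicate-request problem described above can be handled on a database-compatible (DTS) format log: it parses the Accounting-Request events, groups them on the Class value together with the Acct-Status-Type, and reports every later copy of a Start or Stop record as a retransmission. It assumes Windows PowerShell 2.0 or later; the four log events embedded in it are constructed for this example (the element names follow the DTS log schema, and the timestamp format string assumes a US locale).

```powershell
# Added example, not part of the NPS Operations Guide: flag resent Accounting-Requests in an
# NPS database-compatible (DTS) log so they are not billed twice.
# Assumes Windows PowerShell 2.0 or later. The four events below are constructed for this
# example; element names follow the DTS log schema, one <Event> per line.

$SampleLog = @'
<Event><Timestamp data_type="4">03/07/2008 15:40:13.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">0A1B2C3D</Acct-Session-Id><Class data_type="1">311 1 192.168.1.10 03/07/2008 15:40:13 3</Class></Event>
<Event><Timestamp data_type="4">03/07/2008 15:40:19.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">0A1B2C3D</Acct-Session-Id><Class data_type="1">311 1 192.168.1.10 03/07/2008 15:40:13 3</Class></Event>
<Event><Timestamp data_type="4">03/07/2008 16:02:44.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">0A1B2C3D</Acct-Session-Id><Class data_type="1">311 1 192.168.1.10 03/07/2008 15:40:13 3</Class></Event>
<Event><Timestamp data_type="4">03/07/2008 16:10:01.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\bob</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">5E6F7A8B</Acct-Session-Id><Class data_type="1">311 1 192.168.1.10 03/07/2008 16:10:01 4</Class></Event>
'@

function Get-NpsAccountingDuplicates {
    param([string[]]$LogLines)

    # Keep only Accounting-Requests (Packet-Type 4); Access-Request/Accept/Reject carry no usage.
    $records = @()
    foreach ($line in $LogLines) {
        if ($line.Trim() -eq '') { continue }
        $ev = ([xml]$line).Event
        if ($ev.'Packet-Type'.'#text' -ne '4') { continue }
        # DTS timestamps use the server's locale; this format string assumes MM/dd/yyyy.
        $ts = [datetime]::ParseExact($ev.Timestamp.'#text', 'MM/dd/yyyy HH:mm:ss.fff', [Globalization.CultureInfo]::InvariantCulture)
        $records += New-Object PSObject -Property @{
            Timestamp  = $ts
            User       = $ev.'User-Name'.'#text'
            StatusType = [int]$ev.'Acct-Status-Type'.'#text'
            SessionId  = $ev.'Acct-Session-Id'.'#text'
            Class      = $ev.Class.'#text'
        }
    }

    # The NAS echoes the Class value NPS issued in the Access-Accept in every accounting packet
    # of that session, so Start (1) and Stop (2) legitimately share it: group on Class AND status.
    # Interim-Update (3) records repeat by design and are left alone.
    $duplicates = @()
    $startStop = $records | Where-Object { $_.StatusType -eq 1 -or $_.StatusType -eq 2 }
    foreach ($group in ($startStop | Group-Object -Property Class, StatusType)) {
        if ($group.Count -gt 1) {
            # Keep the earliest copy; every later copy is a retransmission of the same request.
            $duplicates += @($group.Group | Sort-Object Timestamp | Select-Object -Skip 1)
        }
    }
    return ,$duplicates
}

$duplicates = Get-NpsAccountingDuplicates -LogLines ($SampleLog -split "`r?`n")
$duplicates | Format-Table Timestamp, User, SessionId, StatusType, Class -AutoSize
```

With the constructed input, only the second Start record for CONTOSO\alice is reported: it carries the same Class value and the same Acct-Status-Type as the record six seconds earlier. The Stop record for the same session shares the Class value but is a different Acct-Status-Type, so it is kept, which is the distinction a dedupe keyed on Class alone would miss. To run it against a real log, pass the output of Get-Content on the NPS log file instead of the sample.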

Optimizing NPS
Following are ways to tune NPS performance:
• To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.
• When user principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet.
• If NPS is on a computer other than a domain controller, and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between NPS and the domain controller. For more information, see Increase the Number of NPS Concurrent Authentications.
• Disable start and stop notification forwarding from network access servers (NASs) to individual servers in each remote RADIUS server group if you are not forwarding accounting requests to the group. For more information, see Disable NAS Notification Forwarding.

Using NPS in large organizations
Following are ways to use NPS in large organizations:
• If you are using network policies to restrict network access for all but specific groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for members of this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and then add users to those groups.
• Use a user principal name in network policies to refer to users whenever possible. A user can have the same user principal name regardless of the domain membership of the user account. This practice provides scalability that might be required in organizations that have a large number of domains.

Note: To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Then configure your access servers to use the NPS proxies as RADIUS servers.

Network Access Protection (NAP)
When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies. Following are the best practices for NAP deployment with NPS.
• For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as the Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. Strong enforcement methods use certificate-based authentication and secure the channel between clients and servers through which the statement of health (SoH) and statement of health response (SoHR) are sent. The DHCP enforcement method is the least secure enforcement method and should be deployed only in circumstances where secure transmission of the SoH and SoHR is not required.
• To deploy NAP with the DHCP enforcement method, you must install both NPS and DHCP on the same computer.
• When you deploy NAP with the IPsec and DHCP enforcement methods, enable client health checks when you configure authentication. You should also configure the Identity Type condition in network policy with the value Computer health check.
• When you deploy the IPsec enforcement method, enable pass-through authentication in Internet Information Services (IIS). Enabling pass-through authentication ensures that only domain member computers can obtain a health certificate and communicate with other domain member computers.
• When you deploy NAP by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the NPS connection request policy even when connection requests are processed locally.
• Before you create health policies for your NAP deployments, if you are using non-Microsoft products that support NAP, install the non-Microsoft system health agents (SHAs) on client computers. In addition, install the corresponding system health validators (SHVs) for the SHAs on NPS servers.
• For a streamlined method of creating network policies, connection request policies, and health policies for your NAP deployment, use the New NAP Policies wizard. If you want to modify policies created by using the wizard, open the policy in the NPS console and make the required changes.

Administering NPS
By effectively administering your NPS deployment, you can provide secure network access for your organization, ensuring that authorized organization employees, business partners, and guests can access the network when and where they need to do so, with approved and consistent network policies configured across your NPS deployment.

Note: The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

The following objectives are part of administering NPS:
• Managing NPS Servers
• Managing Certificates Used with NPS
• Managing RADIUS Clients
• Managing Network Policies

Managing NPS Servers
Managing NPS servers across your organization means providing NPS server availability, ensuring that RADIUS clients have access to the servers, that NPS servers have permission to access your user account databases, and that RADIUS traffic is sent and received on the same UDP ports. In addition, you can synchronize server configurations in whole or in part by using Netsh commands for NPS.

The following tasks for managing NPS servers are described in this objective:
• Administer NPS by Using Tools
• Configure NPS on a Multihomed Computer
• Configure NPS UDP Port Information
• Disable NAS Notification Forwarding
• Export an NPS Server Configuration for Import on Another Server
• Increase the Number of NPS Concurrent Authentications
• Interpret NPS Database Format Log Files
• Register an NPS Server in Another Domain
• Register an NPS Server in its Default Domain
• Unregister an NPS Server from its Default Domain
• Verify Configuration After an NPS Server IP Address Change
• Verify Configuration After Renaming an NPS Server

Administer NPS by Using Tools
NPS provides three tools that you can use to administer NPS: the NPS console, the NPS Microsoft Management Console (MMC) snap-in, and the Netsh commands for NPS (netsh nps). You can use the NPS MMC snap-in to manage both the local and remote NPS servers; however, to manage remote servers, you must first enable the Remote administration exception on the firewall of the NPS server that you want to manage.

The following procedures show how to manage NPS using these tools:
• Enable Remote Administration of an NPS Server
• Enter the Netsh NPS Context on an NPS Server
• Installing NPS
• Manage an NPS Server by Using Remote Desktop Connection
• Manage Multiple NPS Servers by Using the NPS MMC Snap-in
• Configure the Local NPS Server by Using the NPS Console

Enable Remote Administration of an NPS Server
You can use this procedure to enable the Remote administration exception in Windows Firewall with Advanced Security. The exception opens the RPC endpoint mapper (TCP port 135) and dynamic RPC ports on the server, so restrict its scope to the addresses of your management workstations rather than leaving it open to any computer.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To enable remote administration of an NPS server
1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Control Panel Home is selected. Under Security, click Allow a program through Windows Firewall. The Windows Firewall Settings dialog box opens.
3. In Windows Firewall Settings, verify that the Exceptions tab is selected.
4. In Program or port, scroll to and select the Remote administration check box, and then click OK.

Enter the Netsh NPS Context on an NPS Server

You can use commands in the Netsh NPS context to show and set the configuration of the authentication, authorization, accounting, and auditing database used both by NPS and the Routing and Remote Access service. Use commands in the Netsh NPS context to:
• Configure or reconfigure an NPS server, including all aspects of NPS that are also available for configuration by using the NPS console in the Windows interface.
• Export the configuration of one NPS server (the source server), including registry keys and the NPS configuration store, as a Netsh script.
• Import the configuration to another NPS server by using a Netsh script and the exported configuration file from the source NPS server.

You can run these commands from the Windows Server 2008 command prompt or from the command prompt for the Netsh NPS context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh nps before typing additional commands and their parameters. There are functional differences between Netsh context commands in the Windows Server 2003 family and Netsh commands in Windows Server 2008.

Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the local computer.

To enter the Netsh NPS context on an NPS server
1. Open Command Prompt.
2. Type netsh, and then press ENTER.
3. Type nps, and then press ENTER.

Installing NPS

There are multiple ways to install NPS, and to understand the differences between these methods, an understanding of the Network Policy and Access Services (NPAS) server role is required. The NPAS server role is a logical grouping of the following network access technologies:
• Network Policy Server (NPS)
• Routing and Remote Access service (RRAS)
• Health Registration Authority (HRA)
• Host Credential Authorization Protocol (HCAP)

These technologies are the role services of the NPAS server role. When you install the NPAS server role, you can install one or more role service while running the Add Roles Wizard. After you have run the Add Roles Wizard and you have installed one or more role service of the NPAS server role, you cannot install additional role services by using the same wizard. For this reason, if you run the Add Roles Wizard and you install NPAS role services other than NPS, you cannot run the Add Roles Wizard again to install NPS later — you must instead open a similar wizard named the Add Role Services Wizard.

If you want to install NPS, and you have not yet installed any other role services of the NPAS server role, follow the instructions in the procedure Install Network Policy Server (NPS). If you want to install NPS, but you have already installed other NPAS role services, follow the instructions in the procedure Install NPS by Using the Add Role Services Wizard.

Note
The Add Roles Wizard is opened by using either Server Manager or Initial Configuration Tasks.

Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role.

Note
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To install NPS
1. Do one of the following:
• In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.
• Click Start, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.

Note
The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

3. In Select Server Roles, select Network Policy and Access Services, and then click Next.
4. In Network Policy and Access Services, click Next.
5. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.

Install NPS by Using the Add Role Services Wizard

You can use this procedure to install Network Policy Server (NPS) as a role service of the Network Policy and Access Services (NPAS) server role in circumstances where you have previously installed other NPAS role services, such as the Routing and Remote Access service (RRAS).

Important
To successfully use this procedure to install NPS, it is required that you previously installed the NPAS server role with a different role service. If you have not previously installed NPAS, do not use this procedure; instead, use the procedure Install Network Policy Server (NPS).

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To install NPS by using the Add Role Services wizard
1. Click Start, and then click Server Manager.
2. In the left pane of Server Manager, double-click Roles to expand the tree. In Roles, browse to and right-click Network Policy and Access Services, and then click Add Role Services. The Add Role Services wizard opens.
3. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.
4. In Confirm Installation Selections, click Install.
5. In Installation Results, review your installation results, and then click Close.

Manage an NPS Server by Using Remote Desktop Connection

Use this procedure to manage a remote NPS server by using Remote Desktop Connection. By using Remote Desktop Connection, you can remotely manage your NPS servers running Windows Server 2008. You can also remotely manage NPS servers from a computer running Windows Vista.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To manage an NPS server by using Remote Desktop Connection
1. On each NPS server that you want to manage remotely, in Control Panel, double-click System. The System page opens.
2. In System, in Tasks, click Remote settings. The System Properties dialog box opens.
3. In System Properties, ensure that the Remote tab is selected. In Remote Desktop, select an option that allows connections from remote computers.
4. Click Select Users. The Remote Desktop Users dialog box opens.
5. In Remote Desktop Users, to grant permission to a user to connect remotely to the NPS server, click Add, and then type the user name for the user's account.
6. Repeat step 5 for each user for whom you want to grant remote access permission to the NPS server.
7. Click OK.
8. On each NPS server, if Windows Firewall with Advanced Security is enabled, add an exception for Remote Desktop.
9. To connect to a remote NPS server that you have configured by using the previous steps, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
10. In Computer, type the NPS server name or IP address. If you want, click Options, configure additional connection options, and then click Save to save the connection for repeated use. Click Connect, and when prompted provide user account credentials for an account that has permissions to log on to and configure the NPS server.

Manage Multiple NPS Servers by Using the NPS MMC Snap-in

Use this procedure to manage multiple NPS servers by using the NPS Microsoft Management Console (MMC) snap-in. You can also use the instructions below to manage a local NPS server and one or more remote NPS servers from the Microsoft Management Console (MMC) on the local NPS server. Before performing the procedure below, you must install NPS on the local computer and on remote computers.

Important
Before you can manage a remote NPS server, you must configure the remote server to allow remote administration. For more information, see Enable Remote Administration of an NPS Server. In addition, NPS server configuration traffic is sent over the network during a remote administration session by using the NPS snap-in. Ensure that your network is physically secure and that malicious users do not have access to this network traffic. Depending on network conditions and the number of NPS servers you manage by using the NPS MMC snap-in, response of the MMC snap-in might be slow.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To manage multiple NPS servers by using the NPS snap-in
1. To open MMC, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, scroll down the list, click Network Policy Server, and then click Add. The Select Computer dialog box opens.
4. In Select Computer, verify that Local computer (the one this console is running on) is selected, and then click OK. The snap-in for the local NPS server is added to the list in Selected snap-ins.
5. In Add or Remove Snap-ins, in Available snap-ins, ensure that Network Policy Server is still selected, and then click Add. The Select Computer dialog box opens again.
6. In Select Computer, click Another computer, and then type the IP address or fully qualified domain name of the remote NPS server that you want to manage by using the NPS snap-in. Optionally, you can click Browse to browse the directory for the computer you want to add. Click OK.
7. Repeat steps 5 and 6 to add more NPS servers to the NPS snap-in. When you have added all the NPS servers you want to manage, click OK.
8. To save the NPS snap-in for later use, click File, click Save, and then type a name for your

Microsoft Management Console (.msc) file, and then click Save.

Configure the Local NPS Server by Using the NPS Console

After you have installed NPS, you can use this procedure to manage the local NPS server by using the NPS Microsoft Management Console (MMC). The NPS console differs from use of the NPS MMC snap-in in the following ways:
• The NPS console is installed by default when you install NPS.
• The NPS console is used to manage the local NPS server only; you cannot use the NPS console to manage remote NPS servers.
• You can use the NPS MMC snap-in to create a custom MMC console that allows you to manage remote NPS servers in addition to managing the local NPS server.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the local NPS server by using the NPS console
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, click NPS (Local). In the details pane, choose either Standard Configuration or Advanced Configuration, and then do one of the following based upon your selection:
• If you choose Standard Configuration, select a scenario from the list, and then follow the instructions to start a configuration wizard.
• If you choose Advanced Configuration, click the arrow to expand Advanced Configuration options, and then review and configure the available options based on the NPS functionality that you want.

Configure NPS on a Multihomed Computer

A computer with multiple network adapters installed is known as a multihomed computer. When you use multiple network adapters in an NPS server, you can configure the following:
• The network adapters that do and do not send and receive RADIUS traffic.
• On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.

• The UDP ports over which RADIUS traffic is sent and received on a per-protocol (IPv4 or IPv6), per-network adapter basis.

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and IPv4 for all installed network adapters. The RADIUS standard UDP ports defined in RFCs 2865 and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for accounting requests. Make sure that your network access servers are configured with the same RADIUS UDP ports that you configure on your NPS servers.

Note
If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

When you use the procedure in Configure NPS UDP Port Information, you can configure NPS to listen for and send RADIUS traffic on a network adapter by using the following syntax:
• IPv4 traffic syntax: IPAddress:UDPport, where IPAddress is the IPv4 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.
• IPv6 traffic syntax: [IPv6Address]:UDPport, where the brackets around IPv6Address are required, IPv6Address is the IPv6 address that is configured on the network adapter over which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.

The following characters can be used as delimiters for configuring IP address and UDP port information:
• Address/port delimiter: colon (:)
• Port delimiter: comma (,)
• Interface delimiter: semicolon (;)

Because NPS automatically uses all network adapters for RADIUS traffic, you only need to specify the network adapters that you want NPS to use for RADIUS traffic when you want to prevent NPS from using an adapter for RADIUS traffic. For example, if your NPS server has three network adapters installed, but you only want NPS to use two of the adapters for RADIUS traffic, you should configure port information for the two adapters only. By excluding port configuration for the third adapter, you prevent NPS from using the adapter for RADIUS traffic.

In another example, on an NPS server that has multiple network adapters installed, you might want to configure NPS to send RADIUS traffic only on a specific adapter. For example, one network adapter installed in the NPS server might lead to a network segment that does not contain RADIUS clients, while a second network adapter provides NPS with a network path to its configured RADIUS clients. In this scenario it is important to direct NPS to use the second network adapter for all RADIUS traffic.

Important
If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Configure NPS UDP Port Information

Use this procedure to configure User Datagram Protocol (UDP) ports for RADIUS traffic. You can use the following procedure to configure the ports that Network Policy Server (NPS) uses for RADIUS authentication and accounting traffic. By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters. The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, many access servers use ports 1645 for authentication requests and 1646 for accounting requests, by default. No matter which ports you decide to use, make sure that NPS and your access server are configured to use the same ones.

Note
If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.

Important
If you do not use the default RADIUS ports, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure NPS UDP port information
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, right-click Network Policy Server, and then click Properties.
3. Click the Ports tab. If your RADIUS authentication and RADIUS accounting UDP ports are different from the default values, change the port settings accordingly. To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
4. To restrict RADIUS traffic to a particular network adapter, prepend the IP address for the network adapter you want to use for RADIUS traffic to the existing port numbers. For example, if you want to use the IP address 192.168.1.2 and RADIUS ports 1812 and 1645 for authentication requests, change the port setting from 1812,1645 to 192.168.1.2:1812,1645.
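The address/port syntax and delimiters described in Configure NPS on a Multihomed Computer and in the Ports tab procedure above can be checked before they are typed into NPS. The following Python example is added here and is not from this guide or from Microsoft; it parses a port setting string, validates each entry, and lists the non-default ports that will need their own firewall exceptions. The sample strings are constructed.

```python
"""Check an NPS RADIUS port setting string before typing it into the Ports tab.

Added example (not from the NPS Operations Guide or from Microsoft). Syntax as
the guide describes it: "IPAddress:port,port" for IPv4, "[IPv6Address]:port"
for IPv6, commas between ports, semicolons between interface entries, and a
bare "1812,1645" meaning all adapters. Sample strings are constructed.
"""
import ipaddress

# Ports NPS opens in Windows Firewall at install time (from the guide).
DEFAULT_RADIUS_PORTS = {1812, 1813, 1645, 1646}


def parse_port_setting(setting):
    """Return [(address, [ports]), ...], one tuple per interface entry.

    address is an ipaddress.IPv4Address / IPv6Address, or None when the entry
    gives ports only (which NPS applies to every adapter).  Raises ValueError
    for an unbracketed IPv6 address, a bad address, or a port outside 1-65535.
    """
    entries = []
    for raw in setting.split(";"):          # ";" separates interface entries
        item = raw.strip()
        if not item:
            continue
        if item.startswith("["):            # [IPv6Address]:port,port
            close = item.find("]")
            if close < 0 or item[close + 1:close + 2] != ":":
                raise ValueError(f"malformed IPv6 entry: {item!r}")
            addr = ipaddress.IPv6Address(item[1:close])
            port_text = item[close + 2:]
        elif item.count(":") == 1:          # IPv4Address:port,port
            host, port_text = item.split(":")
            addr = ipaddress.IPv4Address(host)
        elif ":" in item:                   # an IPv6 address without brackets
            raise ValueError(f"IPv6 address must be in brackets: {item!r}")
        else:                               # ports only, all adapters
            addr, port_text = None, item
        ports = []
        for piece in port_text.split(","):  # "," separates ports
            piece = piece.strip()
            if not piece.isdigit() or not 1 <= int(piece) <= 65535:
                raise ValueError(f"bad UDP port {piece!r} in {item!r}")
            ports.append(int(piece))
        entries.append((addr, ports))
    if not entries:
        raise ValueError("empty port setting")
    return entries


def nondefault_ports(setting):
    """Ports in the setting that are not NPS defaults and therefore need
    their own Windows Firewall exceptions (the guide's Important note)."""
    used = {p for _, ports in parse_port_setting(setting) for p in ports}
    return sorted(used - DEFAULT_RADIUS_PORTS)


if __name__ == "__main__":
    # Constructed settings: the guide's example plus an IPv6 adapter entry.
    for s in ("192.168.1.2:1812,1645", "[2001:db8::10]:1812;10.0.0.5:18120"):
        print(s, "->", parse_port_setting(s), "non-default:", nondefault_ports(s))
```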

Disable NAS Notification Forwarding

You can use this procedure to disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group configured in NPS. When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Forward accounting requests to this remote RADIUS server group check box, these groups are still sent NAS start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To disable NAS notification forwarding
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers, click Remote RADIUS Server Groups, and then double-click the remote RADIUS server group that you want to configure. The remote RADIUS server group Properties dialog box opens.
3. Double-click the group member that you want to configure, and then click the Authentication/Accounting tab.
4. In Accounting, clear the Forward network access server start and stop notifications to this server check box, and then click OK.
5. Repeat steps 3 and 4 for all group members that you want to configure.

Export an NPS Server Configuration for Import on Another Server

This procedure allows you to export the entire NPS configuration — including RADIUS clients and servers, network policy, connection request policy, registry, and logging configuration — from one NPS server for import on another NPS server.

Important
Do not use this procedure if the source NPS database has a higher version number than the version number of the destination NPS database. You can view the version number of the NPS database from the display of the netsh nps show config command.

When the netsh import command is run, NPS is automatically refreshed with the updated configuration settings. You do not need to stop NPS on the destination computer to run the netsh

import command; however, if the NPS console or NPS MMC snap-in is open during the configuration import, changes to the server configuration are not visible until you refresh the view.

Note
If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.

Note
When you use the netsh nps export command, you are required to provide the command parameter exportPSK with the value YES. This parameter and value explicitly state that you understand that you are exporting the NPS server configuration, and that the exported XML file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To copy an NPS server configuration to another NPS server using Netsh commands
1. On the source NPS server, open Command Prompt, type netsh, and then press ENTER.
2. At the netsh prompt, type nps, and then press ENTER.
3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES, where path is the folder location where you want to save the NPS server configuration file, and file is the name of the XML file that you want to save. Press ENTER. This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press ENTER, a message appears indicating whether the export to file was successful.
4. Copy the file you created to the destination NPS server.
5. At a command prompt on the destination NPS server, type netsh nps import filename="path\file.xml", and then press ENTER. A message appears indicating whether the import from the XML file was successful.

Because NPS server configurations are not encrypted in the exported XML file, sending it over a network might pose a security risk, so take precautions when moving the XML file from the source server to the destination servers. For example, add the file to an encrypted, password protected archive file before moving the file. In addition, store the file in a secure location to prevent malicious users from accessing it.

Increase the Number of NPS Concurrent Authentications

You can use this procedure to increase the number of concurrent authentications between NPS and domain controllers when NPS is not installed on a domain controller. If the NPS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the NPS server and the domain controller.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.

To increase the number of concurrent authentications
1. Click Start, click Run, type regedit, and then press ENTER. Registry Editor opens.
2. In Registry Editor, browse to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Right-click Parameters, point to New, and then click DWORD (32-bit) Value.
4. Replace the default text for the new key by typing the text MaxConcurrentApi, and then press ENTER.
5. Right-click MaxConcurrentApi, and then click Modify. The Edit DWORD (32-bit) Value dialog box opens.
6. In Value data, type a value between 2 and 5. Do not enter a value higher than 5, or NPS might place an excessive load on the domain controller. Click OK.

Interpret NPS Database Format Log Files

Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.

Note
Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).

Entries recorded in database-compatible log files

The following are example entries (Access-Request and Access-Accept) from a database-compatible log file. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it.

Note
In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.

This is the first example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client","npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CLIENTCOMP",

This is the second example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,"client","npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.10 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"CLIENTCOMP",

The following table shows the attributes that can be contained in a record in the database-compatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted.

Additional information
• A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries.
• The Data type column identifies the data type (text, number, or time) for each attribute.

This table shows the values for the example entries of an IAS-internal attribute.

| Value shown in example | Attribute | Data type | Description |
|---|---|---|---|
| "CLIENTCOMP" | ComputerName | Text | The name of the server where the packet was received (this is an IAS-internal attribute). |
| "IAS" | ServiceName | Text | The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute). |
| 03/07/2008 | Record-Date | Time | The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 13:04:33 | Record-Time | Time | The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 1 | Packet-Type | Number | The type of packet, which can be: 1 = Access-Request; 2 = Access-Accept; 3 = Access-Reject; 4 = Accounting-Request. This is an IAS-internal attribute. |
| "client" | User-Name | Text | The user identity, as specified by the user. |
| | Fully-Qualified-Distinguished-Name | Text | The user name in canonical format (this is an IAS-internal attribute). |
| | Called-Station-ID | Text | The phone number dialed by the user. |
| | Calling-Station-ID | Text | The phone number from which the call originated. |
| | Callback-Number | Text | The callback phone number. |
| | Framed-IP-Address | Text | The framed address to be configured for the user. |
| | NAS-Identifier | Text | The text that identifies the network access server originating the request. |
| | NAS-IP-Address | Text | The IP address of the network access server originating the request. |
| | NAS-Port | Number | The physical port number of the network access server originating the request. |
| 9 | Client-Vendor | Number | The manufacturer of the network access server (this is an IAS-internal attribute). |
| "10.10.10.10" | Client-IP-Address | Text | The IP address of the RADIUS client (this is an IAS-internal attribute). |
| "npsclient" | Client-Friendly-Name | Text | The friendly name for the RADIUS client (this is an IAS-internal attribute). |
| | Event-Timestamp | Time | The date and time that this event occurred on the network access server. |

| Value shown in example | Attribute | Data type | Description |
|---|---|---|---|
| | Port-Limit | Number | The maximum number of ports that the network access server provides to the user. |
| | NAS-Port-Type | Number | The type of physical port that is used by the network access server originating the request. |
| | Connect-Info | Text | Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols. |
| | Framed-Protocol | Number | The protocol to be used. |
| | Service-Type | Number | The type of service that the user has requested. |
| 1 | Authentication-Type | Number | The authentication scheme, which is used to verify the user and can be: 1 = PAP; 2 = CHAP; 3 = MS-CHAP; 4 = MS-CHAP v2; 5 = EAP; 7 = None; 8 = Custom. This is an IAS-internal attribute. |
| | Policy-Name | Text | The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank. |
| 0 | Reason-Code | Number | The reason for rejecting a user, which can be: 0 = IAS_SUCCESS; 1 = IAS_INTERNAL_ERROR; 2 = IAS_ACCESS_DENIED; 3 = IAS_MALFORMED_REQUEST; 4 = IAS_GLOBAL_CATALOG_UNAVAILABLE; 5 = IAS_DOMAIN_UNAVAILABLE; 6 = IAS_SERVER_UNAVAILABLE; 7 = IAS_NO_SUCH_DOMAIN; 8 = IAS_NO_SUCH_USER; 16 = IAS_AUTH_FAILURE; 17 = IAS_CHANGE_PASSWORD_FAILURE; 18 = IAS_UNSUPPORTED_AUTH_TYPE; 32 = IAS_LOCAL_USERS_ONLY; 33 = IAS_PASSWORD_MUST_CHANGE; 34 = IAS_ACCOUNT_DISABLED; 35 = IAS_ACCOUNT_EXPIRED; 36 = IAS_ACCOUNT_LOCKED_OUT; 37 = IAS_INVALID_LOGON_HOURS; 38 = IAS_ACCOUNT_RESTRICTION; 48 = IAS_NO_POLICY_MATCH; 64 = IAS_DIALIN_LOCKED_OUT; 65 = IAS_DIALIN_DISABLED; 66 = IAS_INVALID_AUTH_TYPE; 67 = IAS_INVALID_CALLING_STATION; 68 = IAS_INVALID_DIALIN_HOURS; 69 = IAS_INVALID_CALLED_STATION; 70 = IAS_INVALID_PORT_TYPE; 71 = IAS_INVALID_RESTRICTION; 80 = IAS_NO_RECORD; 96 = IAS_SESSION_TIMEOUT; 97 = IAS_UNEXPECTED_REQUEST. This is an IAS-internal attribute. |
| | Class | Text | The attribute that is sent to the client in an Access-Accept packet. |
| | Session-Timeout | Number | The length of time (in seconds) before the session is terminated. |
| | Idle-Timeout | Number | The length of idle time (in seconds) before the session is terminated. |
| | Termination-Action | Number | The action that the network access server takes when service is completed. |
| | EAP-Friendly-Name | Text | The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is "Microsoft Secured Password (EAP-MSCHAPv2)." |
| | Acct-Status-Type | Number | The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session. |
| | Acct-Delay-Time | Number | The length of time (in seconds) for which the network access server has been sending the same accounting packet. |
| | Acct-Input-Octets | Number | The number of octets received during the session. |
| | Acct-Output-Octets | Number | The number of octets sent during the session. |
| | Acct-Session-Id | Text | The unique numeric string that identifies the server session. |
| | Acct-Authentic | Number | The number that specifies which server authenticated an incoming call. |

| Value shown in example | Attribute | Data type | Description |
|---|---|---|---|
| | Acct-Session-Time | Number | The length of time (in seconds) for which the session has been active. |
| | Acct-Input-Packets | Number | The number of packets received during the session. |
| | Acct-Output-Packets | Number | The number of packets sent during the session. |
| | Acct-Terminate-Cause | Number | The reason that a connection was terminated. |
| | Acct-Multi-Ssn-ID | Text | The unique numeric string that identifies the multilink session. |
| | Acct-Link-Count | Number | The number of links in a multilink session. |
| | Acct-Interim-Interval | Number | The length of interval (in seconds) between each interim update that the network access server sends. |
| | Tunnel-Type | Number | The tunneling protocol to be used. |
| | Tunnel-Medium-Type | Number | The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. |
| | Tunnel-Client-Endpt | Text | The IP address of the tunnel client. |
| | Tunnel-Server-Endpt | Text | The IP address of the tunnel server. |
| | Acct-Tunnel-Conn | Text | An identifier assigned to the tunnel. |
| | Tunnel-Pvt-Group-ID | Text | The group ID for a specific tunneled session. |
| | Tunnel-Assignment-ID | Text | The tunnel to which a session is assigned. |
| | Tunnel-Preference | Number | The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server. |
| | MS-Acct-Auth-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-Acct-EAP-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-RAS-Version | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-RAS-Vendor | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-CHAP-Error | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-CHAP-Domain | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-MPPE-Encryption-Types | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-MPPE-Encryption-Policy | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | Proxy-Policy-Name | Text | The name of the connection request policy that matched the connection request. |
| | Provider-Type | Number | Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication. |
| | Provider-Name | Text | A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for a Provider-Type value of 2. |

Value. must be at least 7 and less than 40. and value. Value. which specifies the computer name of the endpoint that is requesting network access. vendor-type. including the vendor ID. The Vendor-Length of the Value field.Value shown in example Attribute Data type Description Remote-ServerAddress "CLIENTCOMP" MS-RAS-ClientName IP address The IP address of the remote RADIUS server to which the connection request was forwarded for authentication. must be at least 7. . NPS logs statement of health responses (SoHRs) in the NPS log file or to a Microsoft® SQL Server™ database. Text MS-RAS-ClientVersion Number The operating system version that is installed on the remote access client. vendor-type. The valid character set for the computer name includes letters. You can use the information in this topic to interpret WSHV entries in NPS accounting logs. and one or more health policies are configured with the Windows Security Health Validator (WSHV)._ { } ~. 33 . numbers. and the following symbols: ! @ # $ % ^ & ‘ ) ( . depending on your accounting configuration. The Vendor-Length of the Value field. including the vendor ID. vendor-length. vendor-length. which specifies the version of the operating system on a remote access client. is a string that is in network byte order. and value. is sent in ASCII format and is null terminated. Interpret Windows System Health Validator Entries in Log Files When NPS is configured as a Network Access Protection (NAP) policy server. The name of the remote access client.

Diagnostic codes
The WSHV entries contain elements that correspond to components that might be installed or enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic Updates. The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and these codes are always presented in the following order:
1. Firewall (On/Off)
2. Antivirus - On/Off
3. Antivirus - Up-to-date status
4. Antispyware - On/Off
5. Antispyware - Up-to-date status
6. Automatic Updates (On/Off)
7. Security Updates - Compliance code
8. Security Updates - Severity
9. Security Updates - Legitimate Source (Windows Update, Windows Server Update Services, or Microsoft Update)

When an element of the SHV is compliant, the corresponding component on the client computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of Windows Automatic Updates or signatures for an antispyware application. When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is 0x0. If the Windows SHV is not configured to enforce any specific element, such as Firewall or Security Updates, log entries for the element are not relevant and should be ignored.

For item 9 above, the following codes are possible values in the log file.

Update source | Diagnostic code
Windows Update | 0x00004000
Windows Server Update Services (WSUS) | 0x00010000
Microsoft Update | 0x00020000

Important
If the configuration allows the receipt of updates from more than one source, the log file entry combines the codes. For example, if both Windows Update and Microsoft Update are legitimate sources, the log file code is 0x00024000.

The Security Updates element provides a severity rating. To interpret the severity rating when reviewing the NPS log file, you can use the following severity levels.

Severity level | Code in NPS log
Unspecified | 0x0040
Low | 0x0080
Moderate | 0x0100
Important | 0x0200
Critical | 0x0400

Error codes
On the client computer, the NAP agent can receive errors from the Windows System Health Agent, which monitors the components on the client operating system, such as firewalls and antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the statement contains information about errors on the client computer. In turn, NPS records the error in the NPS log file. The following table provides the possible error codes that can be logged by NPS.

Error code | Name | Description
0xC0FF0001 | E_MSSHV_PRODUCT_NOT_ENABLED | A system health component is not enabled.
0xC0FF0002 | E_MSSHAV_PRODUCT_NOT_INSTALLED | A system health component is not installed.
0xC0FF0003 | E_MSSHAV_WSC_SERVICE_DOWN | The Windows Security Center service is not running. An administrator must try to start the service manually.
0xC0FF0004 | E_MSSHV_PRODUCT_NOT_UPTODATE | The signatures for a specific system health component are not up to date.
0x00FF0008 | E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT | The Windows Server Update Services has not started.
0xC0FF000C | E_MSSHAV_NO_WUS_SERVER | The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Click the Try again button after configuration is done for the changes to take effect.
0xC0FF000D | E_MSSHAV_NO_CLIENT_ID | Windows failed to determine the Windows Server Update Services client ID of this computer. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.
0xC0FF000E | E_MSSHAV_WUA_SERVICE_DISABLED | The Windows Update Agent service has been disabled or not configured to start automatically. An administrator must enable the service.
0xC0FF000F | E_MSSHAV_WUA_COMM_FAILURE | The periodic scan of this computer for security updates failed. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server.
0xC0FF0010 | E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT | Security updates have been installed and require this computer to be restarted. Please close all applications and restart this computer.
0xC0FF0012 | E_MSSHV_WUS_SHC_FAILURE | The NPS server failed to validate the security update status of this computer.
0xC0FF0014 | E_MSSHV_UNKNOWN_CLIENT | Unknown client.
0xC0FF0017 | E_MSSHV_INVALID_SOH | The Windows Security Health Validator did not process the latest Statement of Health (SoH) because the SoH is not valid.
0xC0FF0018 | E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT | The Windows Security Center service has not started. An administrator must try to start the service manually.
0xC0FF0047 | E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED | A third-party system health component is not enabled.
0xC0FF0048 | E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE | The signatures for a specific third-party system health component are not up to date.
0xC0FF004E | E_MSSHAV_BAD_UPDATE_SOURCE_MU | This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Microsoft Update.
0xC0FF004F | E_MSSHAV_BAD_UPDATE_SOURCE_WUMU | This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Update or Microsoft Update.
0xC0FF0050 | E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS | This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Server Update Services or Microsoft Update.
0xC0FF0051 | E_MSSHAV_NO_UPDATE_SOURCE | The Windows Update Agent on this computer is not configured to receive security updates. An administrator must configure the Windows Update Agent service. The NAP agent might have to be restarted for changes to take effect.

Determining the client operating system
When you review Windows SHV entries in the NPS log file, you can determine whether the client computer is running Windows Vista or Windows XP in one of two ways:
1. Examine the field OS-Version in the NPS log.
2. Count the number of diagnostic codes recorded in the log file. If the client computer is running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running Windows XP, NPS logs only six diagnostic codes because the monitoring of antispyware status is not supported in WSHV for Windows XP.

Example log file entries
The first example log file entry depicts an entry for a client computer running Windows Vista that is not configured to synchronize with a Windows Server Update Services server. The text in square brackets is added to clarify the meaning of the diagnostic codes and does not normally appear in NPS log entries.

First example log file entry
Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Fully-Qualified-Machine-Name = <undetermined>
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = <not present>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Access Denied
Quarantine-Session-Identifier = {5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z
Quarantine-Help-URL = <undetermined>
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None (0x0-) [Firewall is compliant] (0x0-) [Anti Virus is compliant] (0x0-) [Anti Virus signatures are compliant] (0x0-) [Anti Spyware is compliant] (0x0-) [Anti Spyware signatures are compliant] (0x0-) [Automatic Update is compliant] (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click on the 'try again' button after configuration is done for the changes to take effect.) [Diagnostic code for Security Updates from Diagnostic Code table] (0x40-) [Unspecified Severity Level from Severity level table] (0x00004000-) [Legitimate update source is Windows Update]

Second example log file entry
The second example log file entry depicts an entry for a client computer running Windows Vista that is configured to use the Windows Security Center for the firewall, antivirus, antispyware and Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored.

Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Fully-Qualified-Machine-Name = <undetermined>
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = <not present>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Access Denied
Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30 17:17:33.585Z
Quarantine-Help-URL = <undetermined>
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None (0xc0ff0003-The Windows Security Center service is not running.) (0x0-) (0x0-) (0xc0ff0003-The Windows Security Center service is not running.) (0x0-) (0xc0ff0003-The Windows Security Center service is not running.) (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click on the 'try again' button after configuration is done for the changes to take effect.) (0x40-)
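The decoding rules above (the fixed element order, the combined update-source code, the severity codes, and the rule that codes carry no meaning while Windows Security Center is down) applied to the Quarantine-System-Health-Result field, as an added Python example; this is not code from the guide or from NPS. The two sample values are constructed to resemble the example entries above, not copied from a real NPS log. The block assumes that an XP client's entry contains the six diagnostic codes followed by the update-source code (seven values), mirroring the nine values shown for Windows Vista, and its error-code table is only the subset of the table above needed for the samples.

```python
"""Decode Windows Security Health Validator (WSHV) results from an NPS log entry.

Added example; not part of the NPS Operations Guide. Sample inputs below are
constructed to look like the guide's example entries.
"""
import re
from dataclasses import dataclass

# Elements in the order NPS logs them (items 1-9 in the guide).  Windows XP
# clients have no antispyware elements, so NPS logs two fewer values for them
# (assumption: the update-source value is still logged last for XP).
WSHV_ELEMENTS = (
    "Firewall (on/off)",
    "Antivirus (on/off)",
    "Antivirus signatures (up to date)",
    "Antispyware (on/off)",
    "Antispyware signatures (up to date)",
    "Automatic Updates (on/off)",
    "Security Updates (compliance code)",
    "Security Updates (severity)",
    "Security Updates (legitimate source)",
)
WSHV_ELEMENTS_XP = tuple(e for e in WSHV_ELEMENTS if not e.startswith("Antispyware"))

UPDATE_SOURCES = {        # item 9 is a bitmask; approved sources are OR-ed together
    0x00004000: "Windows Update",
    0x00010000: "Windows Server Update Services",
    0x00020000: "Microsoft Update",
}
SEVERITY_LEVELS = {0x0040: "Unspecified", 0x0080: "Low", 0x0100: "Moderate",
                   0x0200: "Important", 0x0400: "Critical"}
WSC_SERVICE_DOWN = 0xC0FF0003
ERROR_CODES = {           # subset of the guide's error-code table; extend as needed
    0xC0FF0001: "E_MSSHV_PRODUCT_NOT_ENABLED",
    0xC0FF0002: "E_MSSHAV_PRODUCT_NOT_INSTALLED",
    WSC_SERVICE_DOWN: "E_MSSHAV_WSC_SERVICE_DOWN",
    0xC0FF0004: "E_MSSHV_PRODUCT_NOT_UPTODATE",
    0xC0FF000C: "E_MSSHAV_NO_WUS_SERVER",
    0xC0FF000E: "E_MSSHAV_WUA_SERVICE_DISABLED",
    0xC0FF0010: "E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT",
    0xC0FF0051: "E_MSSHAV_NO_UPDATE_SOURCE",
}

# Each element is logged as "(0xCODE-optional description text)".
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)-([^)]*)\)")


@dataclass
class Element:
    name: str
    code: int
    meaning: str


def decode_update_sources(code: int) -> list:
    """Split a combined source code such as 0x00024000 into its source names."""
    names = [name for bit, name in UPDATE_SOURCES.items() if code & bit]
    leftover = code & ~sum(UPDATE_SOURCES)       # bits outside the known sources
    if leftover:
        names.append(f"unknown bits 0x{leftover:08x}")
    return names


def describe(name: str, code: int) -> str:
    """Human-readable meaning of one code, depending on which element it belongs to."""
    if name.endswith("(severity)"):
        return SEVERITY_LEVELS.get(code, f"unknown severity 0x{code:04x}")
    if name.endswith("(legitimate source)"):
        return ", ".join(decode_update_sources(code)) or "no source code"
    if code == 0:
        return "compliant"
    return ERROR_CODES.get(code, f"unlisted error 0x{code:08x}")


def decode_health_result(value: str):
    """Decode a Quarantine-System-Health-Result value into (client_os, elements).

    The client OS is inferred from the number of logged codes, which is the
    guide's second method of telling a Windows Vista client from Windows XP."""
    codes = [int(hexcode, 16) for hexcode, _ in CODE_RE.findall(value)]
    layouts = {len(WSHV_ELEMENTS): ("Windows Vista", WSHV_ELEMENTS),
               len(WSHV_ELEMENTS_XP): ("Windows XP", WSHV_ELEMENTS_XP)}
    if len(codes) not in layouts:
        raise ValueError(f"expected 7 or 9 WSHV codes, found {len(codes)}")
    client_os, names = layouts[len(codes)]
    return client_os, [Element(n, c, describe(n, c)) for n, c in zip(names, codes)]


def health_result_from_entry(entry: str) -> str:
    """Pull the Quarantine-System-Health-Result value out of a full log entry."""
    for line in entry.splitlines():
        key, sep, val = line.partition(" = ")
        if sep and key.strip() == "Quarantine-System-Health-Result":
            return val.strip()
    raise ValueError("no Quarantine-System-Health-Result field in entry")


def noncompliant_reasons(elements) -> list:
    """Failing elements; if Security Center is down, no other WSHV code is meaningful."""
    if any(e.code == WSC_SERVICE_DOWN for e in elements):
        return ["Windows Security Center service is not running; ignore the other WSHV codes"]
    informational = ("(severity)", "(legitimate source)")
    return [f"{e.name}: {e.meaning}" for e in elements
            if e.code and not e.name.endswith(informational)]


# Constructed sample modelled on the guide's first example entry (not real log data).
SAMPLE_VISTA_ENTRY = """Machine testclient was quarantined.
OS-Version = 6.0.5495 0.0 x86 Workstation
Policy-Name = Access Denied
Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None (0x0-) (0x0-) (0x0-) (0x0-) (0x0-) (0x0-) (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server.) (0x40-) (0x00024000-)"""

# Constructed Windows XP sample: seven values, antivirus signatures out of date.
SAMPLE_XP_RESULT = ("Windows Security Health Validator NonCompliant None (0x0-) (0x0-) "
                    "(0xc0ff0004-The signatures for a specific system health component are not up to date.) "
                    "(0x0-) (0x0-) (0x80-) (0x00010000-)")

if __name__ == "__main__":
    client_os, elements = decode_health_result(health_result_from_entry(SAMPLE_VISTA_ENTRY))
    print(client_os)
    for e in elements:
        print(f"  {e.name}: 0x{e.code:x} -> {e.meaning}")
    print(noncompliant_reasons(elements))
```

The source decoder masks bits rather than looking up the whole value, so a combined code such as 0x00024000 resolves to both Windows Update and Microsoft Update, and any bit outside the three documented sources is reported instead of silently dropped.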

Register an NPS Server in Another Domain
To provide an NPS server with permission to read the dial-in properties of user accounts in Active Directory, the NPS server must be registered in the domain where the accounts reside. You can use this procedure to register an NPS server in a domain where the NPS server is not a domain member. You can perform this procedure by using either Active Directory Users and Computers or Netsh commands for NPS.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To register an NPS server in another domain
1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. In the console tree, navigate to the domain where you want the NPS server to read user account information, and then click the Users folder.
3. In the details pane, right-click RAS and IAS Servers, and then click Properties. The RAS and IAS Servers Properties dialog box opens.
4. In the RAS and IAS Servers Properties dialog box, click the Members tab, add each of the NPS servers that you want to register in the domain, and then click OK.

To register an NPS server in another domain by using Netsh commands for NPS
1. Open Command Prompt.
2. Type the following at the command prompt: netsh nps add registeredserver domain server, and then press ENTER.
In the preceding command, domain is the DNS domain name of the domain where you want to register the NPS server, and server is the name of the NPS server computer.

Register an NPS Server in its Default Domain
You can use this procedure to register an NPS server in the domain where the server is a domain member. NPS servers must be registered in Active Directory so that they have permission to read the dial-in properties of user accounts during the authorization process. Registering an NPS server adds the server to the RAS and IAS Servers group in Active Directory.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To register an NPS server in its default domain
1. Open the NPS console.
2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens.
3. In Network Policy Server, click OK, and then click OK again.

Unregister an NPS Server from its Default Domain
In the process of managing your NPS server deployment, you might find it useful to move an NPS server to another domain, to replace an NPS server, or to retire an NPS server. When you move or decommission an NPS server, unregister the NPS server in the Active Directory domains where the NPS server has permission to read the properties of user accounts in Active Directory.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To unregister an NPS server
1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. Click Users, and then double-click RAS and IAS Servers.
3. Click the Members tab, and then select the NPS server that you want to unregister.
4. Click Remove, click Yes, and then click OK.

Verify Configuration After an NPS Server IP Address Change
There might be circumstances where you need to change the IP address of an NPS server or proxy, such as when you move the server to a different IP subnet. If you change an NPS server or proxy IP address, it is necessary to reconfigure portions of your NPS deployment. Use the following general guidelines to assist you in verifying that an IP address change does not interrupt network access authentication, authorization, or accounting on your network.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To verify configuration after an NPS server IP address change
1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS server.
2. If the NPS server is a member of a remote RADIUS server group, reconfigure the NPS proxy with the new IP address of the NPS server.
3. If the NPS server is multihomed and you have configured the server to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.
4. If you have deployed IPsec to secure RADIUS traffic between your NPS server and an NPS proxy or other servers or devices, reconfigure the IPsec policy or the connection security rule in Windows Firewall with Advanced Security to use the new IP address of the NPS server.
5. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.

To verify configuration after an NPS proxy IP address change
1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS proxy.
2. Reconfigure all members of all remote RADIUS server groups with the proxy server IP address. To accomplish this task, at each NPS server that has the NPS proxy configured as a RADIUS client:
a. Double-click NPS (Local), double-click RADIUS Clients and Servers, and then in the details pane, click RADIUS Clients.
b. Double-click the RADIUS client that you want to change. In RADIUS client Properties, in Address (IP or DNS), type the new IP address of the NPS proxy.
3. If the NPS proxy is multihomed and you have configured the proxy to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.
4. If you have configured the NPS proxy to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS proxy is still functioning properly.

Verify Configuration After Renaming an NPS Server
There might be circumstances when you need to change the name of an NPS server or proxy, such as when you redesign the naming conventions for your servers. If you change an NPS server or proxy name, it is necessary to reconfigure portions of your NPS deployment. Use the following general guidelines to assist you in verifying that a server name change does not interrupt network access authentication, authorization, or accounting.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To verify configuration after an NPS server or proxy name change
1. If the NPS server is a member of a remote RADIUS server group and the group is configured with computer names rather than IP addresses, reconfigure the remote RADIUS server group with the new NPS server name.
2. If certificate-based authentication methods are deployed at the NPS server, the name change invalidates the server certificate. You can request a new certificate from the certification authority (CA) administrator or, if the computer is a domain member computer and you autoenroll certificates to domain members, you can refresh Group Policy to obtain a new certificate through autoenrollment. To refresh Group Policy:
a. Open Command Prompt.
b. Type gpupdate, and then press ENTER.
3. After you have a new server certificate, you can manually reconfigure network policies with the new certificate. By default, however, NPS will continue to use the old certificate until it expires; after the old certificate expires, NPS automatically begins using the new certificate.
4. If you want to configure NPS to use the new certificate immediately, request that the CA administrator revoke the old certificate. After the old certificate is revoked, it remains valid for a maximum time of one week and 10 hours: the default Certificate Revocation List (CRL) expiry is one week, and the default Transport Layer Security (TLS) cache time expiry is 10 hours. This time period might be different if the CRL expiry or the TLS cache time expiry has been modified from its default.
5. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.

Managing Certificates Used with NPS
If you deploy a certificate-based authentication method, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), or Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), you must enroll a server certificate to all of your NPS servers. The server certificate must:
• Meet the minimum server certificate requirements as described in Certificate Requirements for PEAP and EAP at http://go.microsoft.com/fwlink/?LinkID=101491.
• Be issued by a certification authority (CA) that is trusted by client computers. A CA is trusted when its certificate exists in the Trusted Root Certification Authorities certificate store for the current user and local computer.

The following objectives assist in managing NPS server certificates in deployments where the trusted root CA is a third-party CA, such as Verisign, or is a CA that you have deployed for your public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS) in Windows Server 2008.

The following objectives are part of managing NPS server certificates:
• Change the Cached TLS Handle Expiry
• Obtain the SHA-1 Hash of a Trusted Root CA Certificate

Change the Cached TLS Handle Expiry
During the initial authentication processes for EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2, the NPS server caches a portion of the connecting client's TLS connection properties. The client also caches a portion of the NPS server's TLS connection properties. Each individual collection of these TLS connection properties is called a TLS handle. Client computers can cache the TLS handles for multiple authenticators, while NPS servers can cache the TLS handles of many client computers.

The cached TLS handles on the client and server allow the reauthentication process to occur more rapidly. For example, when a wireless computer reauthenticates with an NPS server, the NPS server can examine the TLS handle for the wireless client and can quickly determine that the client connection is a reconnect. The NPS server authorizes the connection without performing full authentication. Correspondingly, the client examines the TLS handle for the NPS server, determines that it is a reconnect, and does not need to perform server authentication.

On computers running Windows Vista and Windows Server 2008, the default TLS handle expiry is 10 hours. In some circumstances, you might want to increase or decrease the TLS handle expiry time. For example, you might want to decrease the TLS handle expiry time in a scenario where a user's certificate is revoked by an administrator and the certificate has expired. In this scenario, the user can still connect to the network if an NPS server has a cached TLS handle that has not expired, because a reconnect skips the full authentication in which the revoked certificate would be checked. Reducing the TLS handle expiry might help prevent such users with revoked certificates from reconnecting.

Note
The best solution to this scenario is to disable the user account in Active Directory, or to remove the user account from the Active Directory group that is granted permission to connect to the network in network policy. The propagation of these changes to all domain controllers might also be delayed, however, due to replication latency.

Use the following tasks to configure the TLS handle expiry:
• Configure the TLS Handle Expiry Time on Client Computers
• Configure the TLS Handle Expiry Time on NPS Servers

Configure the TLS Handle Expiry Time on Client Computers
Use this procedure to change the amount of time that client computers cache the Transport Layer Security (TLS) handle of an NPS server. After successfully authenticating an NPS server, client computers cache TLS connection properties of the NPS server as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.

Important
This procedure must be performed on a client computer, not on an NPS server. The ClientCacheTime value controls the TLS client cache of the computer on which it is set; setting it on the NPS server does not change how long client computers keep the NPS server's handle.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the TLS handle expiry time on client computers
1. On a client computer, open Registry Editor.
2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
3. On the Edit menu, click New, and then click DWORD (32-bit) Value.
4. Type ClientCacheTime, and then press ENTER.
5. Right-click ClientCacheTime, and then click Modify.
6. Type the amount of time, in milliseconds, that you want client computers to cache the TLS handle of an NPS server after the first successful authentication attempt by the NPS server, and then click OK.

Configure the TLS Handle Expiry Time on NPS Servers
Use this procedure to change the amount of time that NPS servers cache the Transport Layer Security (TLS) handle of client computers. After successfully authenticating an access client, NPS servers cache TLS connection properties of the client computer as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.

Important
This procedure must be performed on an NPS server, not on a client computer.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the TLS handle expiry time on NPS servers using the Windows interface
1. On an NPS server, open Registry Editor.
2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
3. On the Edit menu, click New, and then click DWORD (32-bit) Value.
4. Type ServerCacheTime, and then press ENTER.
5. Right-click ServerCacheTime, and then click Modify.
6. Type the amount of time, in milliseconds, that you want NPS servers to cache the TLS handle of a client computer after the first successful authentication attempt by the client, and then click OK.

Obtain the SHA-1 Hash of a Trusted Root CA Certificate
Use this procedure to obtain the Secure Hash Algorithm (SHA-1) hash of a trusted root certification authority (CA) from a certificate that is installed on the local computer. In some circumstances, such as when deploying Group Policy, it is necessary to designate a certificate by using the SHA-1 hash of the certificate. When using Group Policy, you can designate one or more trusted root CA certificates that clients must use in order to authenticate the NPS server during the process of mutual authentication with EAP or PEAP. To designate a trusted root CA certificate that clients must use to validate the server certificate, you can enter the SHA-1 hash of the certificate. This procedure demonstrates how to obtain the SHA-1 hash of a trusted root CA certificate by using the Certificates Microsoft Management Console (MMC) snap-in.

Administrative credentials
To complete this procedure, you must be a member of the Users group on the local computer.

To obtain the SHA-1 hash of a trusted root CA certificate
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The Certificates snap-in wizard opens.
4. Click Computer account, and then click Next.
5. In Select Computer, ensure that Local computer (the computer this console is running on) is selected, click Finish, and then click OK.
6. In the left pane, double-click Certificates (Local Computer), and then double-click the Trusted Root Certification Authorities folder.
7. Click the Certificates folder. The Certificates folder is a subfolder of the Trusted Root Certification Authorities folder. In the details pane, browse to the certificate for your trusted root CA.
8. Double-click the certificate. The Certificate dialog box opens.
9. In the Certificate dialog box, click the Details tab. In the list of fields, scroll to and select Thumbprint. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. Select the SHA-1 hash, and then press the Windows keyboard shortcut for the Copy command (CTRL+C) to copy the hash to the Windows clipboard.
10. Open the location to which you want to paste the SHA-1 hash, correctly locate the cursor, and then press the Windows keyboard shortcut for the Paste command (CTRL+V). Check the pasted value: the Certificate dialog box copies the thumbprint with spaces between the byte pairs, and some versions also prepend an invisible character. If the hash is rejected, remove everything except the 40 hexadecimal digits.

Managing RADIUS Clients
You can configure any of the following types of RADIUS clients in NPS:
• Virtual private network (VPN) servers
• Wireless access points
• 802.1X authenticating switches
• Dial-up servers
• NPS proxies
• Terminal Services Gateway (TS Gateway) servers

Managing RADIUS Clients

To use NPS to manage network access, you must configure one or more RADIUS clients in NPS. RADIUS clients are network access servers, such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers, because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Important
Client computers, such as wireless laptop computers and other computers running client operating systems, are not RADIUS clients.

When you deploy network access servers (NASs) as RADIUS clients, you must configure the clients to communicate with the NPS servers where the NASs are configured as clients.

The following objectives are part of managing RADIUS clients:
• Set up RADIUS Clients
• Set up RADIUS Clients by IP Address Range

Set up RADIUS Clients

When you add a new network access server (VPN server, wireless access point, authenticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS, and then configure the RADIUS client to communicate with the NPS server.

This step is also necessary when your NPS server is a member of a remote RADIUS server group that is configured on an NPS proxy. In this circumstance, in addition to performing the steps in this task on the NPS proxy, you must do the following:
• On the NPS proxy, configure a remote RADIUS server group that contains the NPS server.
• On the remote NPS server, configure the NPS proxy as a RADIUS client.

If you are configuring an NPS proxy as a RADIUS client on an NPS server, the NPS proxy must also be configured with RADIUS clients that forward connection requests to the proxy. The proxy forwards the connection request to a remote RADIUS server group based on the connection request processing rules defined on the proxy.

Task requirements
The following are required to perform the procedures for this task:
• You must have at least one network access server (VPN server, wireless access point, authenticating switch, or dial-up server) or NPS proxy physically installed on your network.

To complete this task, perform the following procedures:
• Configure the Network Access Server
• Add the Network Access Server as a RADIUS Client in NPS

Configure the Network Access Server

Use this procedure to configure network access servers for use with NPS.

This procedure provides general guidelines about the settings you should use to configure your NASs. For specific instructions on how to configure the device you are deploying on your network, see your NAS product documentation.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the network access server
1. On the NAS, in RADIUS settings, select RADIUS authentication on User Datagram Protocol (UDP) port 1812 and RADIUS accounting on UDP port 1813.
2. In Authentication server or RADIUS server, specify your NPS server by IP address or fully qualified domain name (FQDN), depending on the requirements of the NAS.
3. In Secret or Shared secret, type a strong password. When you configure the NAS as a RADIUS client in NPS, you will use the same password, so do not forget it. The shared secret is the only key that protects the RADIUS exchange between the NAS and the NPS server, so use a long, randomly generated value and, wherever the NAS model allows it, a different secret for each NAS.
4. If you are using PEAP or EAP as an authentication method, configure the NAS to use EAP authentication.
5. If you are configuring a wireless access point, in SSID, specify a Service Set Identifier (SSID), which is an alphanumeric string that serves as the network name. This name is broadcast by access points to wireless clients and is visible to users at your wireless fidelity (Wi-Fi) hotspots.
6. If you are configuring a wireless access point, in 802.1X and WEP, enable IEEE 802.1X authentication if you want to deploy PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS.

Add the Network Access Server as a RADIUS Client in NPS

Use this procedure to add a network access server as a RADIUS client in NPS. You can use this procedure to configure a network access server (NAS) as a RADIUS client by using the NPS console.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To add a network access server as a RADIUS client in NPS
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
4. In New RADIUS Client, in Friendly name, type a display name for the NAS.
5. In New RADIUS Client, in Address (IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify if you want to verify that the name is correct and maps to a valid IP address.
6. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
7. In New RADIUS Client, in Shared secret, do one of the following:
• Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
• Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS server.
8. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute. Access-Request messages that carry EAP already include this attribute (RFC 3579 requires it), which is why the option matters for the other authentication methods.
9. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.
10. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.

Set up RADIUS Clients by IP Address Range

If you are running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter, you can configure RADIUS clients in NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS console at one time, rather than adding each RADIUS client individually. You cannot configure RADIUS clients by IP address range if you are running NPS on Windows Server 2008 Standard.

Use this procedure to configure two or more network access servers as RADIUS clients in NPS by using an IP address range.

Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are all configured with IP addresses from the same IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret. Because NPS treats every packet whose source address falls inside the range as coming from a RADIUS client, keep the range no wider than the addresses actually assigned to NASs, and remember that the compromise of any one NAS in the range exposes the secret that all of them share.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To set up RADIUS clients by IP address range
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
3. In New RADIUS Client, in Friendly name, type a display name for the collection of NASs.
4. In New RADIUS Client, in Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if all of the NASs have addresses in the range 10.10.0.0 to 10.10.255.255, type 10.10.0.0/16.
5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, or if you have NASs from multiple vendors, select RADIUS Standard.
6. In New RADIUS Client, in Shared secret, do one of the following:
• Ensure that Manual is selected, and then in Shared secret, type the strong password that is also configured on all of the NASs. Retype the shared secret in Confirm shared secret.
• Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NASs so that they can communicate with the NPS server.
7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if all of your NASs support use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and all of your NASs support NAP, select RADIUS client is NAP-capable.
9. Click OK. Your NASs appear in the list of RADIUS clients configured on the NPS server.
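The following Python model is an added example, not part of the Microsoft guide or of NPS itself. It reproduces the two checks that the RADIUS client settings from the "Set up RADIUS Clients" and "Set up RADIUS Clients by IP Address Range" procedures control, and that a RADIUS server applies before any network policy is evaluated: matching the source address of an Access-Request against the configured clients (an exact address or a CIDR range), and, when the client is configured with "Access Request messages must contain the Message Authenticator attribute", verifying that attribute under the client's shared secret. The client table, addresses and secrets are constructed sample values; the packet layout and the HMAC-MD5 computation follow RFC 2865 and RFC 3579.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed sample client table (addresses and secrets are made up). One entry per
# RADIUS client as it would be entered in the NPS console: an exact address, or a
# CIDR range added with the "by IP Address Range" procedure.
RADIUS_CLIENTS = [
    {"name": "vpn1", "address": "192.0.2.10", "secret": b"example-vpn-secret",
     "require_message_authenticator": True},
    {"name": "campus-aps", "address": "10.10.0.0/16", "secret": b"example-ap-range-secret",
     "require_message_authenticator": False},
]


def find_client(src_ip):
    """Return the first client entry whose address or range contains src_ip, else None."""
    ip = ipaddress.ip_address(src_ip)
    for client in RADIUS_CLIENTS:
        if ip in ipaddress.ip_network(client["address"], strict=False):
            return client
    return None


def attr(atype, value):
    """Encode one RADIUS attribute: type, length (counting this 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(identifier, authenticator, attributes, secret=None):
    """Build an Access-Request. When a secret is given, a Message-Authenticator is
    appended: HMAC-MD5 keyed with the shared secret over the whole packet, computed
    with the attribute's 16 value bytes set to zero (RFC 3579 section 3.2)."""
    body = b"".join(attributes)
    if secret is not None:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    if secret is not None:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes
    return packet


def parse_attributes(packet):
    """Yield (type, value, offset_of_value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen], pos + 2
        pos += alen


def accept_request(src_ip, packet):
    """The checks made before policy evaluation. Returns (accepted, reason)."""
    client = find_client(src_ip)
    if client is None:
        return False, "source address is not a configured RADIUS client"
    mac_field = next(((v, off) for t, v, off in parse_attributes(packet)
                      if t == ATTR_MESSAGE_AUTHENTICATOR), None)
    if mac_field is None:
        if client["require_message_authenticator"]:
            return False, "client requires Message-Authenticator but it is missing"
        return True, f"accepted from {client['name']} (request integrity not checked)"
    mac, off = mac_field
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(client["secret"], zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "Message-Authenticator does not verify under the client's shared secret"
    return True, f"accepted from {client['name']}"


def demo():
    """Exercise the checks with constructed packets; returns which ones were accepted."""
    authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = [attr(ATTR_USER_NAME, b"alice@example.com"),
             attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address("192.0.2.10").packed)]
    signed = build_access_request(7, authenticator, attrs, secret=b"example-vpn-secret")
    wrong_key = build_access_request(7, authenticator, attrs, secret=b"guessed-secret")
    unsigned = build_access_request(7, authenticator, attrs)
    return {
        "vpn_signed": accept_request("192.0.2.10", signed)[0],
        "vpn_wrong_secret": accept_request("192.0.2.10", wrong_key)[0],
        "vpn_unsigned": accept_request("192.0.2.10", unsigned)[0],
        "ap_range_unsigned": accept_request("10.10.37.5", unsigned)[0],
        "unknown_source": accept_request("198.51.100.9", signed)[0],
    }
```

In the demo, the request from inside the 10.10.0.0/16 range is accepted for processing even though it carries no Message-Authenticator, because that client entry has the check box cleared. That is the practical consequence of a wide range combined with a non-EAP method: any host in the range can submit requests that the server will evaluate. Requiring the attribute, as the procedures recommend when the NAS supports it, makes the request verifiable under the shared secret before anything else happens.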

Managing Network Policies

This section provides information about how to manage NPS network policies.

After NPS authenticates users or computers connecting to your network, it performs authorization to determine whether to grant the user or computer permission to connect. Authorization is performed when NPS checks the dial-in properties of user accounts in Active Directory and when NPS evaluates the connection request against the network policies configured in the NPS console. You can also specify connection settings in an NPS network policy that are applied after the connection is authenticated and authorized. For example, you can define IP filters for the connection that specify the network resources to which the user has permission to connect.

In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account properties, the Network Access Permission setting is used by NPS to make authorization decisions, as follows:
• If the value of Network Access Permission is Deny access, the user is always denied access to the network by NPS, regardless of any settings in network policy.
• If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
• If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.

Note
For ease of administration of network access, it is recommended that the Network Access Permission setting is always set to Control access through NPS Network Policy. By default, when you create a user account, if your forest functional level is Windows Server 2008, the value of Network Access Permission is set to Control access through NPS Network Policy.

An ordered list of rules

When you configure multiple network policies in NPS, the policies are an ordered list of rules. NPS evaluates the policies in listed order from first to last. If there is a network policy that matches the connection request, NPS uses the policy to determine whether to grant or deny access to the user or computer connection; policies below it in the list are not considered for that request. When you order the network policies in the NPS console, ensure that rules created in one policy do not unintentionally counteract the rules in a different policy.

For example, a member of the Domain Users group might also be a member of the Wireless Users group that is created (by you or by another administrator) in Active Directory. Perhaps your organization has limited wireless resources, so members of the Domain Users group are denied access when connecting through wireless access points; however, members of the Wireless Users group are granted access when connecting by wireless. If the network policy that denies wireless access to Domain Users is evaluated before the Wireless Users policy is evaluated, NPS denies access to members of the Wireless Users group when they attempt to connect by wireless, even though your intention is to grant them access, because the Domain Users policy matches them first and the Wireless Users policy is never reached.

The solution to this problem is to move the Wireless Users network policy higher in the list of policies in the NPS console so that it is evaluated before the Domain Users policy is evaluated. In this circumstance, when a member of the Wireless Users group attempts to connect, NPS evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives a wireless connection attempt from a member of the Domain Users group that is not also a member of the Wireless Users group, the connection attempt does not match the conditions of the Wireless Users policy, so NPS moves down to the Domain Users wireless policy and then denies the connection to the member of the Domain Users group.
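The following Python model is an added example and not code from the guide or from NPS. It implements the authorization rules described above as the guide states them: first-match evaluation of an ordered policy list, combined with the account's Network Access Permission value, plus the per-policy "Ignore user account dial-in properties" check box that the later section Configure NPS to Ignore User Account Dial-in Properties describes. It then reproduces the Wireless Users ordering problem and its fix. Group names, the NAS Port Type string and the policy names are constructed sample values; the model assumes, as the guide does not state explicitly, that a request matching no policy is rejected.

```python
from dataclasses import dataclass

# Values of the Network Access Permission setting on the account's Dial-in tab.
DENY_ACCESS = "Deny access"
ALLOW_ACCESS = "Allow access"
CONTROL_THROUGH_POLICY = "Control access through NPS Network Policy"

WIRELESS = "Wireless - IEEE 802.11"  # sample NAS Port Type condition value


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    grant: bool                                  # the policy's Access Permission
    groups: frozenset = frozenset()              # Windows Groups condition; empty = any
    nas_port_types: frozenset = frozenset()      # NAS Port Type condition; empty = any
    ignore_dialin_properties: bool = False       # "Ignore user account dial-in properties"

    def matches(self, user_groups, nas_port_type):
        """Every configured condition must hold for the policy to match."""
        if self.groups and not (self.groups & user_groups):
            return False
        if self.nas_port_types and nas_port_type not in self.nas_port_types:
            return False
        return True


def authorize(policies, user_groups, nas_port_type, network_access_permission):
    """First-match evaluation of the ordered list. Returns (granted, reason).
    Assumption: a request that matches no policy is rejected."""
    for policy in policies:
        if not policy.matches(user_groups, nas_port_type):
            continue
        if policy.ignore_dialin_properties:
            return policy.grant, f"{policy.name}: policy decides, account dial-in properties ignored"
        if network_access_permission == DENY_ACCESS:
            return False, f"{policy.name} matched, but the account is set to Deny access"
        # Allow access and Control access through NPS Network Policy both leave the
        # decision to the first matching policy; Allow access is overridden only by an
        # explicit deny, which is exactly a matching policy whose grant is False.
        return policy.grant, f"{policy.name}: {'grant' if policy.grant else 'deny'}"
    return False, "no network policy matched the connection request"


# The two policies from the guide's example.
DENY_DOMAIN_USERS_WIRELESS = NetworkPolicy(
    "Deny Domain Users on wireless", grant=False,
    groups=frozenset({"Domain Users"}), nas_port_types=frozenset({WIRELESS}))
ALLOW_WIRELESS_USERS = NetworkPolicy(
    "Allow Wireless Users on wireless", grant=True,
    groups=frozenset({"Wireless Users"}), nas_port_types=frozenset({WIRELESS}))


def wireless_users_example():
    """The ordering problem and its fix; returns the outcome of each connection attempt."""
    both = frozenset({"Domain Users", "Wireless Users"})
    domain_only = frozenset({"Domain Users"})
    wrong_order = [DENY_DOMAIN_USERS_WIRELESS, ALLOW_WIRELESS_USERS]
    right_order = [ALLOW_WIRELESS_USERS, DENY_DOMAIN_USERS_WIRELESS]
    ignoring = NetworkPolicy(
        "Allow Wireless Users (ignore dial-in)", grant=True,
        groups=frozenset({"Wireless Users"}), nas_port_types=frozenset({WIRELESS}),
        ignore_dialin_properties=True)
    return {
        "wireless_user_wrong_order": authorize(wrong_order, both, WIRELESS, CONTROL_THROUGH_POLICY)[0],
        "wireless_user_right_order": authorize(right_order, both, WIRELESS, CONTROL_THROUGH_POLICY)[0],
        "domain_user_right_order": authorize(right_order, domain_only, WIRELESS, CONTROL_THROUGH_POLICY)[0],
        "wireless_user_account_deny": authorize(right_order, both, WIRELESS, DENY_ACCESS)[0],
        "wireless_user_account_deny_ignored": authorize([ignoring], both, WIRELESS, DENY_ACCESS)[0],
    }
```

The last two outcomes show the interaction with the Dial-in tab: with the account set to Deny access, even the correctly ordered list rejects the user, unless the matching policy has "Ignore user account dial-in properties" selected, in which case the policy's own access permission is the only thing that decides.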

The following objectives are part of managing NPS network policies:
• Configure NPS for VLANs
• Configure the EAP Payload Size
• Configure NPS to Ignore User Account Dial-in Properties

Configure NPS for VLANs

By using VLAN-aware network access servers and NPS in Windows Server 2008, you can provide groups of users with access only to the network resources that are appropriate for their security permissions. For example, you can provide visitors with wireless access to the Internet without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical locations or on different physical subnets. For example, members of your sales department and their network resources, such as client computers, servers, and printers, might be located in several different buildings at your organization, but you can place all of these resources on one VLAN using the same IP address range. The VLAN then functions, from the end-user perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of users. After you have determined how you want to define your groups, you can create security groups in the Active Directory Users and Computers snap-in, and then add members to the groups.

This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs.

Use the following procedure to configure a network policy using VLANs:
• Configure a Network Policy for VLANs

Configure a Network Policy for VLANs

Use this procedure to configure a network policy that assigns users to a VLAN.

By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP, and the Service-Type attribute is configured with a default value of Framed. To specify additional connection attributes required for VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

You can use the following procedure to create a network policy that assigns users to a VLAN. This procedure is provided as a guideline; your network configuration might require different settings than those provided below.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure a network policy for VLANs
1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, click the Settings tab.
4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.
5. In the details pane, in Attributes, click Add. The Add Standard RADIUS Attribute dialog box opens.
6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:
a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
b. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
c. Tunnel-Type. Select Virtual LANs (VLAN).
7. In Add Standard RADIUS Attribute, click Close.
8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy.
a. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.
b. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.
c. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.
d. In Attribute value, type the value that you obtained from your hardware documentation, and then click OK.
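The following Python code is an added example, not code from the guide or from NPS. It shows what the three attributes configured in step 6 look like on the wire in the Access-Accept, and how a VLAN-aware NAS reads them back, including the one-byte Tag that the Tunnel-Tag step in step 8 controls. The attribute numbers and values come from RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, medium 802 = 6) and RFC 3580 (Tunnel-Type VLAN = 13). The decoder also handles the form, common on some NASs, in which Tunnel-Private-Group-ID is sent without a leading tag byte, which RFC 2868 allows because a first byte above 0x1F is by definition not a tag.

```python
import struct

TUNNEL_TYPE = 64                 # RFC 2868
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868 (Tunnel-Pvt-Group-ID in the NPS console)
TUNNEL_TYPE_VLAN = 13            # RFC 3580: "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868: 802 (all 802 media plus Ethernet canonical format)
VLAN_ATTRIBUTES = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def tunnel_attr(atype, value, tag=0):
    """Encode one tagged tunnel attribute (RFC 2868). The Tag is a single byte in front
    of the value; for the integer-valued Tunnel-Type and Tunnel-Medium-Type it takes the
    high byte of the 4-byte field, leaving 3 bytes for the integer. Tag 0 means untagged."""
    if isinstance(value, int):
        payload = bytes([tag]) + value.to_bytes(3, "big")
    else:
        payload = bytes([tag]) + value.encode("ascii")
    return struct.pack("!BB", atype, 2 + len(payload)) + payload


def vlan_assignment_attributes(vlan_id, tag=0, tag_byte_on_group_id=True):
    """The attribute set a policy configured as in the procedure above returns.
    Pass tag_byte_on_group_id=False to emit Tunnel-Private-Group-ID as a bare string."""
    group = str(vlan_id)
    if tag_byte_on_group_id:
        group_attr = tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, group, tag)
    else:
        group_attr = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group.encode("ascii")
    return (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + group_attr)


def decode_vlan_assignment(attribute_bytes):
    """What a VLAN-aware NAS does with the Access-Accept: it needs all three attributes,
    carrying the same tag, with Tunnel-Type = VLAN and Tunnel-Medium-Type = 802.
    Returns the VLAN id, or None if the set is incomplete or inconsistent."""
    found = {}
    pos = 0
    while pos + 2 <= len(attribute_bytes):
        atype, alen = struct.unpack("!BB", attribute_bytes[pos:pos + 2])
        if alen < 3 or pos + alen > len(attribute_bytes):
            return None
        payload = attribute_bytes[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = (payload[0], int.from_bytes(payload[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first byte above 0x1F is part of the string, not a tag.
            if payload[0] > 0x1F:
                found[atype] = (0, payload.decode("ascii"))
            else:
                found[atype] = (payload[0], payload[1:].decode("ascii"))
        pos += alen
    if set(found) != VLAN_ATTRIBUTES:
        return None
    if len({tag for tag, _ in found.values()}) != 1:
        return None  # the three attributes must describe the same tunnel
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(group) if group.isdigit() else None
```

The tag consistency check is the reason the guide tells you to add Tunnel-Tag only when the NAS documentation asks for it: a tag on two of the attributes and not on the third produces a set the NAS cannot reconcile, and the user typically lands on the port's default VLAN rather than the intended one.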

Configure the EAP Payload Size

When you deploy NPS with network policies that use the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes. This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS server and a RADIUS client. In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation, or a router or firewall positioned between the RADIUS client and the NPS server might silently discard some fragments, resulting in authentication failure and the inability of the access client to connect to the network.

If this is the case, you can lower the EAP payload size by configuring the Framed-MTU attribute in network policy settings properties in the NPS console. The recommended Framed-MTU value in this circumstance is 1344 bytes or less.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
• Configure the Framed-MTU Attribute

Configure the Framed-MTU Attribute

Use this procedure to lower the maximum EAP payload size by using the Framed-MTU attribute in an NPS network policy. Perform this procedure if you have routers or firewalls that are not capable of performing fragmentation.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure the Framed-MTU attribute
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, click the Settings tab.
4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.
5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.
6. In Attribute Value, type a value equal to or less than 1344, and then click OK. Click Close, and then click OK.
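The following Python code is an added example, not from the guide, that shows why a 1500-byte EAP payload cannot travel in one unfragmented IPv4 datagram while 1344 can. It sizes the Access-Challenge that carries one EAP-TLS fragment: the EAP data is split into EAP-Message attributes of at most 253 bytes (RFC 2865 caps an attribute at 255 bytes including its 2-byte header), and the 20-byte RADIUS header, a State attribute, a Message-Authenticator and the IPv4 and UDP headers are added. The 16-byte State value is an assumption made for illustration; real State values, vendor-specific attributes or an IPv6 header take more room, which is the headroom the 1344 recommendation leaves below the largest value this simplified model allows.

```python
import math

IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20
ATTR_HEADER = 2
MAX_ATTR_VALUE = 253              # 255-byte attribute limit minus the 2-byte header
MESSAGE_AUTHENTICATOR_ATTR = ATTR_HEADER + 16
STATE_ATTR = ATTR_HEADER + 16     # assumption: a 16-byte State value
DEFAULT_EAP_MTU = 1500            # NPS default stated in the guide
RECOMMENDED_FRAMED_MTU = 1344     # value the guide recommends


def eap_message_attribute_bytes(eap_payload_len):
    """Bytes needed to carry an EAP packet of this size as EAP-Message attributes."""
    chunks = math.ceil(eap_payload_len / MAX_ATTR_VALUE)
    return eap_payload_len + chunks * ATTR_HEADER


def radius_datagram_size(eap_payload_len):
    """On-the-wire IPv4 datagram size for an Access-Challenge carrying one EAP fragment."""
    return (IPV4_HEADER + UDP_HEADER + RADIUS_HEADER + STATE_ATTR
            + MESSAGE_AUTHENTICATOR_ATTR + eap_message_attribute_bytes(eap_payload_len))


def needs_fragmentation(eap_payload_len, path_mtu=1500):
    """True when a router on a path with this MTU would have to fragment the datagram."""
    return radius_datagram_size(eap_payload_len) > path_mtu


def largest_unfragmented_eap_payload(path_mtu=1500):
    """Largest Framed-MTU, under these assumptions, that keeps the datagram within path_mtu."""
    best = 0
    for n in range(1, path_mtu + 1):
        if not needs_fragmentation(n, path_mtu):
            best = n
    return best
```

With the default 1500-byte EAP MTU the datagram comes to 1596 bytes and must be fragmented on a standard Ethernet path; at 1344 it is 1440 bytes. If the path also carries IPsec, GRE or a VPN tunnel, pass the effective path MTU to needs_fragmentation rather than 1500.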

Configure NPS to Ignore User Account Dial-in Properties

Use this procedure to configure an NPS network policy to ignore the dial-in properties of user accounts in Active Directory during the authorization process.

User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy. There are two circumstances where you might want to configure NPS to ignore the dial-in properties of user accounts in Active Directory:
• When you want to simplify NPS authorization by using network policy but not all of your user accounts have the Network Access Permission property set to Control access through NPS Network Policy. For example, some user accounts might have the Network Access Permission property of the user account set to Deny access or Allow access.
• When other dial-in properties of user accounts are not applicable to the connection type configured in the network policy. For example, properties other than the Network Access Permission setting are applicable only to dial-in or VPN connections, but the network policy you are creating is for wireless or authenticating switch connections.

You can use this procedure to configure NPS to ignore user account dial-in properties. If a connection request matches the network policy where this check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization. This includes accounts whose Network Access Permission is Deny access: for connections that match such a policy, that setting no longer blocks the user, so make sure the conditions and access permission of the policy itself express the restriction you intend.

Administrative credentials
To complete this procedure, you must be a member of the Administrators group.

To configure NPS to ignore user account dial-in properties
1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.

