Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
This module explains how to install, configure, and troubleshoot the Network Policy Server role service. Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.
Contents (partial): Lesson 4: Monitoring and Troubleshooting a Network Policy Server; Lab: Configuring and Managing Network Policy Server
What is a Network Policy Server?
NPS allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. You also can use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups.
Additional Reading
• Network Policy Server Help: Network Policy Server
Network Policy Usage Scenarios
You can use NPS in Windows Server 2008 as either a RADIUS server or a RADIUS proxy:
• As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and VPN remote access, and router-to-router connections.
• As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers.
Additional Reading
• Network Policy Server Help: Network Policy Server Overview
Demonstration: How to Install the Network Policy Server
Tools Used for Managing a Network Policy Server
The following tools enable you to manage the Network Policy and Access Services server role:
• NPS MMC snap-in: Use the NPS MMC snap-in to configure a RADIUS server, RADIUS proxy, or NAP technology.
• Netsh commands for NPS: The netsh commands for NPS provide a command set that is fully equivalent to all configuration settings that are available through the NPS MMC snap-in.
Additional Reading
• Network Policy Server Help: Network Policy Server Overview
Demonstration: Configuring General NPS Settings
Lesson 2
Configuring RADIUS Clients and Servers
RADIUS is an industry-standard protocol described in RFC 2865, “Remote Authentication Dial-in User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” RADIUS provides network authentication, authorization, and
What is a RADIUS Client?
A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
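The request and reply a NAS and a RADIUS server exchange are worth seeing in bytes, because they show what the shared secret you type into both sides actually protects. The following PowerShell is an added example, not material from the course or from Microsoft: it implements the RFC 2865 User-Password hiding and Response Authenticator check with MD5 and a shared secret, then verifies a constructed Access-Accept once with the right secret and once with a wrong one. The secret, user name and password are constructed values.

```powershell
# Added example, not from the course notes: the RFC 2865 primitives that a NAS
# (RADIUS client) and a RADIUS server such as NPS use. Secret, user name and
# password below are constructed values.
function Get-Md5Bytes {
    param([byte[]]$Data)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($Data) } finally { $md5.Dispose() }
}

# RFC 2865 5.2: pad the password to a 16-byte multiple, then XOR each block with
# MD5(secret + previous block), starting from the Request Authenticator. The shared
# secret is the only key material here, which is why it must be long and random.
function Protect-RadiusUserPassword {
    param([string]$Password, [byte[]]$Secret, [byte[]]$RequestAuthenticator)
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $blocks = [int][Math]::Max(1, [Math]::Ceiling($plain.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($plain, $padded, $plain.Length)
    $out  = New-Object byte[] $padded.Length
    $prev = $RequestAuthenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = Get-Md5Bytes ([byte[]]($Secret + $prev))
        $c = New-Object byte[] 16
        for ($j = 0; $j -lt 16; $j++) { $c[$j] = $padded[$i + $j] -bxor $b[$j] }
        [Array]::Copy($c, 0, $out, $i, 16)
        $prev = $c            # the next block is keyed off this ciphertext block
    }
    return $out
}

# Attribute = Type(1) Length(1, header included) Value
function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}
# Packet header = Code(1) Identifier(1) Length(2); the 16-byte Authenticator follows it
function New-RadiusHeader {
    param([byte]$Code, [byte]$Id, [int]$AttrLength)
    $len = 20 + $AttrLength
    return [byte[]]@($Code, $Id, [byte]($len -shr 8), [byte]($len -band 0xFF))
}

# NAS side: Access-Request (Code 1) with a fresh random Request Authenticator
function New-RadiusAccessRequest {
    param([byte]$Id, [string]$User, [string]$Password, [byte[]]$Secret)
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
    $nameAttr = New-RadiusAttribute 1 ([System.Text.Encoding]::UTF8.GetBytes($User))
    $pwAttr   = New-RadiusAttribute 2 (Protect-RadiusUserPassword $Password $Secret $reqAuth)
    $attrs    = [byte[]]($nameAttr + $pwAttr)
    return @{ Packet = [byte[]]((New-RadiusHeader 1 $Id $attrs.Length) + $reqAuth + $attrs)
              RequestAuthenticator = $reqAuth }
}

# Server side: every reply carries ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
function New-RadiusResponse {
    param([byte]$Code, [byte]$Id, [byte[]]$RequestAuthenticator, [byte[]]$Attributes, [byte[]]$Secret)
    $header = New-RadiusHeader $Code $Id $Attributes.Length
    $auth   = Get-Md5Bytes ([byte[]]($header + $RequestAuthenticator + $Attributes + $Secret))
    return [byte[]]($header + $auth + $Attributes)
}

# NAS side again: act on a reply only if its Response Authenticator checks out (constant-time compare)
function Test-RadiusResponseAuthenticator {
    param([byte[]]$Response, [byte[]]$RequestAuthenticator, [byte[]]$Secret)
    $attrs    = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $expected = Get-Md5Bytes ([byte[]]($Response[0..3] + $RequestAuthenticator + $attrs + $Secret))
    $diff = 0
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Response[4 + $i]) }
    return ($diff -eq 0)
}

# --- Worked exchange with constructed values ---
$secret  = [System.Text.Encoding]::UTF8.GetBytes('example-shared-secret-change-me')
$request = New-RadiusAccessRequest -Id 7 -User 'alice' -Password 'example-password' -Secret $secret
$accept  = New-RadiusResponse -Code 2 -Id 7 -RequestAuthenticator $request.RequestAuthenticator -Attributes @() -Secret $secret

"Access-Request is $($request.Packet.Length) bytes; the password is hidden with an MD5 keystream, not a modern cipher"
"Genuine Access-Accept verifies: $(Test-RadiusResponseAuthenticator $accept $request.RequestAuthenticator $secret)"
$wrong = [System.Text.Encoding]::UTF8.GetBytes('some-other-secret')
"Same reply checked with the wrong secret verifies: $(Test-RadiusResponseAuthenticator $accept $request.RequestAuthenticator $wrong)"
```

Two points follow from the code for the lab that comes later in this module: the RADIUS client and server must hold identical secrets or every reply fails verification, and because MD5 keyed by that secret is all that hides a PAP-style User-Password, the path between the NAS and NPS should be a trusted network and the user credential itself should travel inside PEAP or EAP-TLS rather than in this attribute.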
Additional Reading
• Network Policy Server Help: RADIUS Clients
What is a RADIUS Proxy?
You can use NPS as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt.
When you use NPS as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about forwarded messages.
Additional Reading
• Network Policy Server Help: RADIUS Proxy
Demonstration: Configuring a RADIUS Client
Configuring Connection Request Processing
Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform authentication and authorization of connection requests that the NPS server receives from RADIUS clients.
The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally.
Additional Reading
• Network Policy Server Help: Configure NPS UDP Port information
What is a Connection Request Policy?
Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform authentication and authorization of connection requests that the NPS server receives from RADIUS clients. You can also configure connection request policies to designate which RADIUS servers to use for RADIUS accounting.
Additional Reading
• Network Policy Server Help: Connection Request Policies
Demonstration: Creating a New Connection Request Policy
Lesson 3
NPS Authentication Methods
When users attempt to connect to your network through network access servers (also called RADIUS clients), such as wireless access points, 802.1X authenticating switches, dial-up servers, and VPN servers, NPS authenticates and authorizes the connection request before allowing or denying access.
Because authentication is the process of verifying the identity of the user or computer attempting to connect to the network, NPS must receive proof of identity from the user or computer in the form of credentials.
Password-Based Authentication Methods
Each authentication method has advantages and disadvantages in terms of security, usability, and breadth of support. However, password-based authentication methods do not provide strong security and we do not recommend their use. We recommend that you use a certificate-based authentication method for all network access methods that support certificate use. This is especially true for wireless connections, for which we recommend the use of PEAP-MS-CHAP v2 or PEAP-TLS.
Additional Reading
• Help Topic: Password-Based Authentication Methods
Using Certificates for Authentication
Certificates are digital documents that certification authorities (CAs) issue, such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. You can use certificates for many purposes, such as code signing and securing e-mail communication. However, with NPS, you use certificates for network access authentication because they provide strong security for authenticating users and computers, and eliminate the need for less secure, password-based authentication methods.
Additional Reading
• Help Topic: Certificates and NPS
Required Certificates for NPS Authentication Methods
The following table details the certificates that are required to successfully deploy each of the listed certificate-based authentication methods. Only part of the table survived extraction; the column headings that name the authentication methods are missing.
• PEAP: CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User: Yes / Yes
• Client computer certificate in the certificate store of the client: (values missing)
Additional Reading
• Help Topic: Certificate Requirements for PEAP and EAP
• Help Topic: Certificates and NPS
Deploying Certificates for PEAP and EAP
All certificates that you use for network access authentication with EAP-TLS and PEAP must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). After this minimum requirement is met, both client and server certificates have additional requirements.
Additional Reading
• Help Topic: Certificates and NPS
• Help Topic: EAP and NPS
• Help Topic: PEAP and NPS
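The server-side requirements behind the help topics above can be checked on the NPS computer before a client ever tries to connect. The following PowerShell is an added example, not from the course or from Microsoft: it walks the Local Computer personal store (Cert:\LocalMachine\My, an assumption about where the NPS certificate was enrolled) and reports, for each certificate, whether it has a private key, a non-empty Subject, the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), a current validity period, and a chain to a trusted root. Revocation checking is switched off for an offline lab; set it to Online outside one.

```powershell
# Added example, not from the course notes: check certificates in the NPS server's
# Local Computer personal store against the usual PEAP / EAP-TLS server requirements.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-NpsServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key, so NPS cannot use it to terminate TLS' }
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems += 'empty Subject, so clients cannot validate the server name' }
    if ($Cert.NotAfter -lt (Get-Date) -or $Cert.NotBefore -gt (Get-Date)) {
        $problems += "not valid now (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    # EKU must include Server Authentication; PEAP clients refuse the TLS handshake otherwise
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $ServerAuthEku) { $hasServerAuth = $true } }
        }
    }
    if (-not $hasServerAuth) { $problems += 'missing the Server Authentication EKU' }
    # Must chain to a CA that clients also hold in their Trusted Root store
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # lab assumption
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "does not chain to a trusted root ($status)"
    }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Evaluate everything in the computer's personal store; assumed location of the NPS certificate
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-NpsServerCertificate $_ } | Format-Table -AutoSize -Wrap
```

A certificate that shows Usable = False here will also fail when you select it under the PEAP or EAP-TLS settings of a network policy, so running this after auto-enrollment (the lab's third objective) saves a round of client-side troubleshooting.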
Lesson 4
Monitoring and Troubleshooting a Network Policy Server
You can monitor NPS by configuring and using logging for events and for user authentication and accounting requests. Event logging enables you to record NPS events in the system and security event logs. You can use request logging for connection analysis and billing purposes. The information that the log files collect is useful for troubleshooting connection attempts and for security investigation.
Methods Used to Monitor NPS
There are two types of accounting, or logging, that you can use to monitor NPS:
• Event logging for NPS: You can use event logging to record NPS events in the system and security event logs. You use this primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests: You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000 database. Use request logging primarily for connection analysis and billing purposes, and as a security investigation tool, as it enables you to identify an attacker’s activity.
Additional Reading
• Help Topic: NPS Best Practices
Configuring Log File Properties
You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates.
Additional Reading
• Help Topic: Configure Log File Properties
• Help Topic: NPS Best Practices
Configure SQL Server Logging
You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure logging properties and the connection to the server running SQL Server that stores your accounting data. The SQL Server database can be on the local computer or on a remote server.
Additional Reading
• Help Topic: Configure SQL Logging in NPS
Configuring NPS Events to Record in the Event Viewer
You can configure NPS event logging to record connection-request failure and success events in the Event Viewer system log.
Additional Reading
• Help Topic: NPS Events and Event Viewer
• Help Topic: Configure NPS Event Logging
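The event logging described in this lesson is only useful for the "security investigation" purpose the notes mention if the audit subcategory is on and someone actually reads the events. The following PowerShell is an added example, not from the course or from Microsoft: it enables the Network Policy Server audit subcategory, pulls the last day of NPS access decisions from the Security log and groups the denials by RADIUS client and reason code. It assumes the NPS audit event IDs 6272 (access granted) and 6273 (access denied) used from Windows Server 2008 onward; the regular expressions assume the "Account Name:", "Client Friendly Name:" and "Reason Code:" labels in the event text, so adjust them if your build formats the message differently.

```powershell
# Added example, not from the course notes: enable NPS auditing and summarise the
# last 24 hours of NPS access decisions (Security log event IDs 6272 / 6273).
# The message field labels matched below are an assumption about the event text.

# One-time: NPS audit events are written only when this subcategory is enabled
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAccessSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273            # 6272 = granted, 6273 = denied
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue     # Get-WinEvent throws when nothing matches
    foreach ($ev in $events) {
        $m = $ev.Message
        [pscustomobject]@{
            Time       = $ev.TimeCreated
            Decision   = if ($ev.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = if ($m -match 'Account Name:\s+(\S+)')         { $Matches[1] } else { '?' }
            Client     = if ($m -match 'Client Friendly Name:\s+(\S+)') { $Matches[1] } else { '?' }
            ReasonCode = if ($m -match 'Reason Code:\s+(\d+)')           { [int]$Matches[1] } else { 0 }
        }
    }
}

$decisions = Get-NpsAccessSummary -Hours 24

# Denials grouped by RADIUS client and reason code. A burst of 6273 from one NAS with
# reason code 16 (credential mismatch) is the pattern to look at first; a steady trickle
# of a different code usually means a policy or certificate misconfiguration instead.
$decisions | Where-Object Decision -eq 'Denied' |
    Group-Object Client, ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The same grouping applied to the text or SQL request logs gives the billing and connection-analysis view; the Security log view above is the one to keep for incident work because it is tamper-evident in the same way as the rest of the Windows audit trail.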
Lab: Configuring and Managing Network Policy Server
Objectives:
After completing this lab, you will be able to:
• Install the Network Policy Server role service and configure Network Policy Server settings.
• Configure a RADIUS client.
• Configure certificate auto-enrollment.
Scenario
Woodgrove Bank is expanding its remote-access solution to all its branch office employees. This will require multiple Routing and Remote Access servers located at different points to provide connectivity for its employees. You will use RADIUS to centralize authentication and accounting for the remote-access solution.
The Windows Infrastructure Services Technology Specialist has been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, wireless and wired access, RADIUS, and RADIUS proxy.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Log on to the NYC-SVR1 and NYC-DC1 virtual machines with the user name administrator and the password Pa$$w0rd.
3. Close the Initial Configuration Tasks window that appears after you log on.
4. Close the Server Manager window.
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise Overview
In this exercise, you will install and configure the Network Policy Server role. The main tasks are as follows:
1. Ensure that you have completed the steps in the Lab Setup.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Network Policy and Access Services role.
4. Register NPS in Active Directory.
5. Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN connections.
Task 1: Ensure that you have completed the steps in the Lab Setup
• Review the Lab Setup section and ensure you have completed the steps before you continue with this lab.
Task 2: Open the Server Manager tool on 6421A-NYC-DC1
• On 6421A-NYC-DC1, open Server Manager from the Administrative Tools menu.
Task 3: Install the Network Policy and Access Services role
1. In the Server Manager list pane, right-click Roles and then click Add Roles.
2. Install the Network Policy Server role service from the Network Policy and Access Services role.
3. On the Installation Results page, verify that Installation succeeded appears in the details pane and then click Close.
The Network Policy Server role is installed on 6421A-NYC-DC1.
4. Do not log off or shut down the virtual PCs at this point.
Task 4: Register NPS in Active Directory
1. Open Network Policy Server from the Administrative Tools menu.
2. Using the NPS tool, register NPS in Active Directory.
The Network Policy Server is registered in Active Directory.
Task 5: Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN connections
1. In the Network Policy Server management tool list pane, click NPS (Local).
2. In the details pane under Standard Configuration, click RADIUS server for Dial-Up or VPN Connections.
3. Under RADIUS server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up, specify Virtual Private Network (VPN) Connections, and accept the default name.
4. In the RADIUS clients dialog box, add NYC-SVR1 as a RADIUS client with an address of 10.10.0.24.
5. In the New RADIUS Client dialog box, specify and confirm the shared secret of Pa$$w0rd and then click OK.
6. In the Specify Dial-Up or VPN Server dialog box, accept the default setting.
7. In the Configure Authentication Methods dialog box, select Extensible Authentication Protocol and MS-CHAPv2.
8. On the Specify User Groups page, accept the default settings.
9. On the Specify IP Filters page, accept the default settings.
10. On the Specify Encryption Settings page, deselect Basic encryption and
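Tasks 3 to 5 of this exercise done from the command line instead of the snap-in, as an added example that is not part of the course: it uses the netsh nps context that the Tools slide describes as equivalent to the NPS MMC. The client name and address are the lab's; the shared secret is prompted for rather than written into the script, and the export path is an assumption. Add-WindowsFeature and the NPAS-Policy-Server feature name exist in Windows Server 2008 R2 and later (Windows Server 2008 RTM installs roles with ServerManagerCmd.exe instead). Run it elevated on the NPS host.

```powershell
# Added example, not from the course notes: the server side of Exercise 1 with
# netsh nps. Run elevated on 6421A-NYC-DC1 (the NPS host in the lab).
param(
    [string]$ClientName    = 'NYC-SVR1',
    [string]$ClientAddress = '10.10.0.24',
    [string]$ExportPath    = 'C:\nps-config.xml'    # assumed location for the backup
)

# Task 3: install the Network Policy Server role service (2008 R2+ ServerManager module)
Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server | Out-Null

# Task 4: register NPS in AD so it can read the dial-in properties of user accounts
netsh nps add registeredserver

# Task 5 steps 4-5: add the RRAS server as a RADIUS client. The secret is the only key
# that protects RADIUS traffic between the two hosts (RFC 2865), so use a long random
# value and keep it in the same place you will retrieve it from when configuring NYC-SVR1.
$secret = Read-Host -Prompt "Shared secret for RADIUS client $ClientName"
netsh nps add client name="$ClientName" address="$ClientAddress" state="enable" sharedsecret="$secret"

# Verify the client list, then keep a backup of the whole configuration.
# exportPSK=YES writes the shared secrets into the file, so restrict who can read it.
netsh nps show client
netsh nps export filename="$ExportPath" exportPSK=YES
icacls $ExportPath /inheritance:r /grant:r "Administrators:(F)" "SYSTEM:(F)"
```

The network policy the wizard builds in steps 6 to 10 (VPN server type, EAP and MS-CHAP v2, encryption settings) is the part that remains easiest to finish in the snap-in; netsh nps can create policies too, but the wizard's defaults are what the rest of the lab expects.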
Exercise 2: Configuring a RADIUS Client
Exercise Overview
In this exercise, you will configure 6421A-NYC-SVR1 to host Routing and Remote Access Services and configure 6421A-NYC-SVR1 as a RADIUS client.
The main tasks are as follows:
1. Open the Server Manager tool on 6421A-NYC-SVR1.
2. Install the Routing and Remote Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients and specify RADIUS authentication and accounting.
Task 1: Open the Server Manager tool on 6421A-NYC-SVR1
• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools menu.
Task 2: Install the Routing and Remote Access Services role on 6421A-NYC-SVR1
1. Using Server Manager, install the Network Policy and Access Services role with the role service of Routing and Remote Access.
2. On the Installation Results page, verify that Installation succeeded appears in the details pane, and then click Close.
The Routing and Remote Access Services role is installed on 6421A-NYC-SVR1.
3. Do not log off or shut down the virtual PCs at this point.
Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients and specify RADIUS authentication and accounting
1. Open the Routing and Remote Access Services administrative tool and click Configure and Enable Routing and Remote Access.
2. Configure the default Remote Access (dial-up or VPN), and on the Remote Access page, select the VPN option.
3. On the VPN Connection page, select the Local Area Connection 2 interface.
4. On the IP Address Assignment page, select From a specified range of addresses.
5. Use the range of 192.168.1.100 with 75 available addresses for the static pool.
6. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server, and then click Next.
7. Configure the following settings:
• Primary RADIUS server: NYC-DC1
• Shared secret for the RADIUS server: Pa$$w0rd
• Accept the default settings for the remainder of the configuration process.
8. Close the Routing and Remote Access Services administrative tool.
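The RADIUS-client side of Task 3 from the command line, as an added example that is not part of the course: the netsh ras aaaa and netsh ras ip contexts set the same authentication provider, accounting provider and static address pool that steps 4 to 7 of the wizard ask for. It assumes that Routing and Remote Access has already been installed and enabled on 6421A-NYC-SVR1 (Task 2 and wizard step 1) and that Add-WindowsFeature with the NPAS-RRAS-Services feature name is available (Windows Server 2008 R2 and later). The pool end address is derived from the lab's 75-address range starting at 192.168.1.100; the shared secret is prompted for and must match the one entered on NYC-DC1.

```powershell
# Added example, not from the course notes: the RADIUS-client (RRAS) side of
# Exercise 2 with netsh ras. Run elevated on 6421A-NYC-SVR1 after RRAS is enabled.
param(
    [string]$RadiusServer = 'NYC-DC1',
    [string]$PoolStart    = '192.168.1.100',
    [string]$PoolEnd      = '192.168.1.174'   # 75 addresses inclusive, as in the lab
)

# Task 2: the Routing and Remote Access role service (2008 R2+ ServerManager module)
Import-Module ServerManager
Add-WindowsFeature NPAS-RRAS-Services | Out-Null

# Same secret that was registered for this client on the NPS server; mismatches show up
# on NYC-DC1 as discarded requests rather than as a clear error on this side.
$secret = Read-Host -Prompt "Shared secret configured on $RadiusServer for this RADIUS client"

# Wizard steps 6-7: hand both authentication and accounting to the RADIUS server
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name="$RadiusServer" secret="$secret"
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name="$RadiusServer" secret="$secret"

# Wizard steps 4-5: static address pool for remote clients instead of DHCP
netsh ras ip set addrassign method=pool
netsh ras ip add range from="$PoolStart" to="$PoolEnd"

# Show what RRAS will now send its Access-Requests to
netsh ras aaaa show authserver
netsh ras aaaa show acctserver
```

After this, a test VPN connection should produce a granted or denied NPS event on NYC-DC1 for every attempt; if nothing appears there at all, the usual causes are a secret mismatch, UDP 1812/1813 blocked between the two hosts, or the client address in NPS not matching the address RRAS actually sends from.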