MCSA Guide to Networking with Windows Server 2016, Exam 70-741, First Edition
Chapter 7: Implementing Network Policy Server
2018 Cengage. All Rights Reserved.
Objectives
- 7.1 Describe the components and flow of Network Policy Server and configure RADIUS
- 7.2 Install and configure NPS and RADIUS
- 7.3 Configure NPS policies
Network Policy Server Overview
- With Network Policy Server (NPS) you can define and enforce rules that determine who can access your network and how they can access it
- The NPS architecture includes four features:
  - Remote Authentication Dial In User Service (RADIUS) server
  - RADIUS proxy
  - RADIUS accounting
The RADIUS Infrastructure (1 of 4)
- Network Policy Server is Microsoft's implementation of the Remote Authentication Dial In User Service (RADIUS) protocol
- Access client - a user or device attempting to access the network
- Network access server (NAS) - a protocol-specific device that aids in connecting access clients to the network (wireless access point, VPN server)
- In the RADIUS infrastructure, an NAS is configured as a RADIUS client
- An access client makes a connection request to a NAS
- The RADIUS client sends an Access-Request message to an NPS server acting as a RADIUS server
- The NPS server evaluates the Access-Request message
The RADIUS Infrastructure (2 of 4)
- The NPS server can respond with one of three types of messages:
  - Access-Reject - the request is rejected
  - Access-Challenge - more information is requested
  - Access-Accept - access is granted
- The NAS sends an Accounting-Request message to the NPS server to be logged
- The NPS server sends an Accounting-Response message, which acknowledges that the request was received
- During the session, additional Accounting-Request messages containing information about the current session are sent
- When the user's connection ends, one last Accounting-Request message with information about the overall use during the session is sent
- The final message is acknowledged by an Accounting-Response message
The RADIUS Infrastructure (3 of 4)
- A RADIUS proxy can be inserted between NAS and NPS servers to help manage the load on NPS servers
- Reasons for RADIUS:
  - RADIUS centralizes control over authentication and authorization
  - Standardizing on RADIUS requires all NAS devices to be RADIUS clients, so that only one protocol performs authentication and authorization
The RADIUS Infrastructure (4 of 4)
Installing and Configuring NPS and RADIUS (1 of 5)
- Two reasons to set up an NPS architecture with RADIUS when you have different connection paths to your network:
  - RADIUS centralizes control over authentication and authorization
  - Standardizing on RADIUS requires all NAS devices to be RADIUS clients
- After NPS is installed, you can configure the server to be a RADIUS server, a RADIUS proxy, or both
- The NPS standard configuration has wizards that walk you through these policy settings:
  - RADIUS server for Dial-Up or VPN Connections
  - RADIUS server for 802.1X Wireless or Wired Connections
- A policy must be defined for each type of RADIUS client, such as a VPN NAS, in the NPS console
Installing and Configuring NPS and RADIUS (2 of 5)
- Communication between a RADIUS client and a RADIUS server is validated with a shared secret
  - A text string that acts as a password between RADIUS clients, servers, and proxies
- Guidelines for creating shared secrets:
  - Should be at least 22 characters and should include uppercase and lowercase letters, numbers, and symbols
  - Can be up to 128 characters
  - Use a random combination of letters, numbers, and symbols rather than a phrase
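The following PowerShell is an added example, not code from the textbook, showing what "validated with a shared secret" means for the Access-Request/Access-Accept exchange described on the earlier slides: a RADIUS client only accepts a reply whose Authenticator field is the RFC 2865 digest MD5(Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret). The packets and the secret are constructed sample data.

```powershell
# Added example, not from the textbook: shows how the shared secret validates a RADIUS
# reply. Per RFC 2865 a RADIUS client accepts a response only if its Authenticator equals
# MD5(Code + ID + Length + RequestAuthenticator + Attributes + SharedSecret). All packets
# and the secret below are constructed sample data.
function Get-RadiusResponseAuthenticator {
    param([byte[]] $Response, [byte[]] $RequestAuth, [string] $SharedSecret)
    $attrs  = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    # Header bytes 0..3 are Code, Identifier, Length; bytes 4..19 (the Authenticator field)
    # are replaced by the Request Authenticator from the matching Access-Request
    $data = [byte[]]($Response[0..3] + $RequestAuth + $attrs + $secret)
    $md5  = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($data) } finally { $md5.Dispose() }
}

function Test-RadiusResponse {
    param([byte[]] $Response, [byte[]] $RequestAuth, [string] $SharedSecret)
    $expected = Get-RadiusResponseAuthenticator -Response $Response -RequestAuth $RequestAuth -SharedSecret $SharedSecret
    $diff = 0
    # Compare every byte rather than stopping at the first mismatch
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Response[4 + $i]) }
    return ($diff -eq 0)
}

# Client side: the Access-Request carried a random 16-byte Request Authenticator
$secret = 'qH7#Wd2$Lm9!Xp4&Zr1@Tn8%Kb'     # 26 characters, mixed classes, constructed
$requestAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)

# Server side: build an Access-Accept (Code 2, Identifier 7) carrying a Reply-Message
# attribute (Type 18) and fill in its Authenticator using the shared secret
$text = [System.Text.Encoding]::ASCII.GetBytes('Welcome')
$attr = [byte[]](@(18, $text.Length + 2) + $text)
$len  = 20 + $attr.Length
$accept = [byte[]](@(2, 7, ($len -shr 8), ($len -band 0xFF)) + (New-Object byte[] 16) + $attr)
$auth = Get-RadiusResponseAuthenticator -Response $accept -RequestAuth $requestAuth -SharedSecret $secret
[Array]::Copy($auth, 0, $accept, 4, 16)

# Client side again: the packet passes with the right secret and fails with any other,
# so a NAS and an NPS server that disagree on the secret never complete the exchange
Test-RadiusResponse -Response $accept -RequestAuth $requestAuth -SharedSecret $secret
Test-RadiusResponse -Response $accept -RequestAuth $requestAuth -SharedSecret 'not-the-secret'
```

The same digest construction, with the shared secret as the last input, is what makes a mistyped or mismatched secret on the RADIUS client show up as rejected replies rather than as a silent downgrade.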
Installing and Configuring NPS and RADIUS (3 of 5)
- Depending on the type of NAS, two general types of authentication methods are used: password based and certificate based
- Four password-based methods are supported:
  - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  - MS-CHAP version 2 (MS-CHAPv2)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Password Authentication Protocol (PAP)
Installing and Configuring NPS and RADIUS (4 of 5)
- The certificate-based method is Extensible Authentication Protocol (EAP)
- Certificate-based authentication is more secure than password-based authentication
- The authentication type for EAP is Transport Layer Security (TLS)
- Protected Extensible Authentication Protocol (PEAP) - a method of encrypting a password that is sent via MS-CHAPv2
- Another part of the network policy is the realm
  - The Active Directory domain where the RADIUS server is located
Installing and Configuring NPS and RADIUS (5 of 5)
- A simple RADIUS infrastructure in a large network has a few drawbacks:
  - Lack of fault tolerance and possible overloading of the RADIUS server
- A solution is to use RADIUS proxies with multiple RADIUS servers (a RADIUS server group)
- In a server group, the load can be balanced based on these properties:
  - Priority, weight, and advanced settings
Configuring RADIUS Accounting
- RADIUS accounting is a log of the different access and accounting requests and responses between RADIUS clients and RADIUS servers
- NPS logs requests and responses by using one of these methods:
  - Event logging
  - Local text file
  - Microsoft SQL Server XML-compliant database
- The default setting is to log accounting information in a local text file in C:\Windows\System32\LogFiles
Using Certificates for Authentication (1 of 3)
- For stronger security, certificate-based authentication is recommended
- A certificate is a digital document containing information that establishes an entity's identity
- With this authentication method, a server's or client's identity can be verified
- Certificates are created and distributed by a certification authority (CA)
- Two types of CAs: public and private
- For a certificate to be used for authentication, the CA must be trusted by the client or server
  - It must have a root certificate (also called a CA certificate) in the Trusted Root Certification Authorities certificate store
Using Certificates for Authentication (2 of 3)
- Three other important certificate types:
  - Client computer certificate - verifies a client computer's identity to an NPS server
  - Server certificate - verifies a server's identity to a client
  - User certificate - can be put on a smart card to verify a user's identity
- A certificate must meet these three criteria:
  - It must be valid
  - It must be configured for the purpose for which it is presented
  - It must be issued by a trusted CA
Using Certificates for Authentication (3 of 3)
- For a client to accept a certificate, the certificate must meet these requirements:
  - The subject name can't be blank
  - The certificate is linked to a trusted root CA
  - The purpose of the certificate is server authentication
  - The algorithm name is RSA, and the minimum key size is at least 2048
  - If the subject alternative name extension is used, the certificate must contain the NPS server's DNS name
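As an added example (not from the textbook), this PowerShell function checks a certificate in the NPS server's machine store against the five client-side requirements on this slide before it is chosen for PEAP or EAP-TLS. The DNS name nps1.example.local is an assumed value; the chain check uses the machine's Trusted Root Certification Authorities store and the Windows rendering of the SAN extension.

```powershell
# Added example, not from the textbook: tests a server certificate against the five
# client-side requirements above before it is used for PEAP or EAP-TLS on NPS.
# Windows-only (uses the machine certificate store and Windows SAN formatting).
function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $NpsDnsName   # assumed value supplied by the caller
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Subject name can't be blank
    if ([string]::IsNullOrWhiteSpace($Certificate.Subject)) { $problems.Add('Subject name is blank') }

    # 2. Must chain to a root in Trusted Root Certification Authorities
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is checked separately
    if (-not $chain.Build($Certificate)) {
        $problems.Add('Not linked to a trusted root CA: ' + ($chain.ChainStatus.StatusInformation -join '; '))
    }

    # 3. Purpose must include Server Authentication (EKU OID 1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $serverAuth) { $problems.Add('EKU does not include Server Authentication') }

    # 4. RSA key with a minimum size of 2048 bits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { $problems.Add('Public key algorithm is ' + $Certificate.PublicKey.Oid.FriendlyName + ', not RSA') }
    elseif ($rsa.KeySize -lt 2048) { $problems.Add('RSA key is ' + $rsa.KeySize + ' bits, minimum is 2048') }

    # 5. If a SAN extension is present, it must list the NPS server's DNS name
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $sanText = $san.Format($false)   # Windows renders entries as "DNS Name=host1, DNS Name=host2"
        if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($NpsDnsName) + '(,|$)')) {
            $problems.Add("SAN does not contain DNS name $NpsDnsName")
        }
    }
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Usage: evaluate every certificate with a private key in the machine store
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-NpsServerCertificate -Certificate $_ -NpsDnsName 'nps1.example.local' }
```

A certificate that fails any of the five checks is the usual reason supplicants report an untrusted server during PEAP, so running this before binding the certificate in the NPS policy saves a round of client-side troubleshooting.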
Configuring NPS Policies
- NPS policies define who can connect, when they can connect, and how they connect to the network
- Two policy types are available:
  - Connection request policies - specify which RADIUS servers handle connection requests from RADIUS clients
  - Network policies - specify which users and groups have access and the times they have access
Configuring Connection Request Policies (1 of 3)
- Connection request policies are used to specify which RADIUS servers perform authentication and authorization of RADIUS clients' connection requests
- They can also specify to which servers RADIUS accounting requests are sent
- You can define connection request policies for the following NAS types:
  - Unspecified
  - Remote Desktop Gateway
  - Remote access server (VPN-dial up)
  - Vendor specific
Configuring Connection Request Policies (2 of 3)
- When a RADIUS server receives a RADIUS Access-Request message from a RADIUS client, the client's attributes are checked against the connection request policy's conditions
- Attributes in the Access-Request message must match at least one of the conditions in the policy before the NPS server acts as a RADIUS server or a RADIUS proxy
- Creating conditions allows you to control:
  - Who can access the network
  - How they can access it
  - When they can access it, based on the NAS that the client is using to request access
Configuring Connection Request Policies (3 of 3)
- The following groups of condition attributes can be used in a connection request policy to compare with the attributes of the RADIUS Access-Request message:
  - User name
  - Connection properties
  - Day and time restrictions
  - RADIUS client properties
  - Gateway properties
Configuring Network Policies (1 of 2)
- Connection request policies are specific to an NAS type, but network policies affect all clients who are trying to connect
- Groups of conditions for determining access:
  - Groups
  - Day and time restrictions
  - Connection properties
  - RADIUS client properties
  - Gateway
Configuring Network Policies (2 of 2)
- In addition to network conditions, you can specify network policy constraints
- Constraints are similar to conditions, with one major difference: if a constraint doesn't match the connection request, no further policies are checked
- You can configure the following constraints:
  - Authentication method
  - Idle timeout
  - Session timeout
  - Called station ID
  - Day and time restrictions
  - NAS port type
Configuring Network Policies for Virtual Private Networks
- The authentication type for a VPN can be password based or certificate based
- Certificate-based authentication is more secure
  - But you must have a valid CA certificate installed on every computer connecting via the VPN, and client certificates installed on each computer
- Network policy settings that are applicable to VPNs:
  - Multilink and Bandwidth Allocation Protocol (BAP) - handle connection types that include multiple channels
  - IP filters - filter access based on the client computer's IP address
  - Encryption settings - specify which encryption strengths you allow
  - IP settings - adjust how IP addresses are assigned to the access client
Managing NPS and RADIUS Templates
- Templates can reduce the amount of work and minimize the chance of error
  - Especially when many RADIUS servers and clients need to be configured
- Templates are in the Network Policy Server console under the Templates Management node
- There are four template types:
  - Shared Secrets
  - RADIUS Clients
  - Remote RADIUS Servers
  - IP Filters
Exporting and Importing Templates
- NPS can export templates to an XML file that can then be imported to another NPS server
- To export a template, open the Network Policy Server console, right-click Templates Management, and click Export Templates to a File
  - Select a location for the file, enter a name, and click Save
- To import a template, open the Network Policy Server console, right-click Templates Management, and click Import Templates from a File
  - You can also click Import Templates from a Computer and enter the name of another NPS server on your network
Importing and Exporting NPS Policies (1 of 2)
- After configuring policies and templates, you can back up the entire NPS configuration by exporting it to an XML file
- To export an NPS backup file, follow these steps in the Network Policy Server console:
  1. In the left pane, right-click the NPS node, click Export Configuration, and click OK
  2. Choose a name and location to save the XML file, and click Save
  3. To restore the configuration, right-click the NPS node and click Import Configuration
Importing and Exporting NPS Policies (2 of 2)
- To export an NPS backup file from the command line, follow these steps:
  1. From a command prompt, type netsh and press Enter. At the netsh prompt, type nps and press Enter
  2. Type export filename=path\npsconfig.xml exportpsk=yes
  3. To import the file on this server or another server, type netsh and press Enter
  4. Type nps and press Enter, and then type import filename=path\filename.xml and press Enter
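The PowerShell below is an added example, not from the textbook, that runs the same netsh nps export non-interactively and then restricts the resulting file. The point it adds is that exportpsk=yes writes the RADIUS shared secrets into the XML in clear text, so the backup needs the same protection as the secrets themselves. The backup path is an assumed value.

```powershell
# Added example, not from the textbook: runs the chapter's netsh nps export command and
# locks the file down, because exportPSK=YES places the RADIUS shared secrets in the XML
# in clear text. The default path is an assumed value.
function Export-NpsBackup {
    param(
        [string] $Path = "C:\NpsBackup\npsconfig-$(Get-Date -Format 'yyyyMMdd-HHmm').xml"
    )
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Same command the slide runs at the netsh nps prompt, issued in one line
    & netsh.exe nps export filename="$Path" exportPSK=YES | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $Path)) {
        throw "netsh nps export failed (exit code $LASTEXITCODE)"
    }

    # Drop inherited permissions and grant only SYSTEM and local Administrators
    & icacls.exe "$Path" /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to restrict $Path" }

    # Confirm the export parses as XML before relying on it as a restore point
    try { [xml](Get-Content -Path $Path -Raw) | Out-Null }
    catch { throw "Exported file is not valid XML: $_" }

    Get-Item -Path $Path
}

# Usage (run in an elevated PowerShell session on the NPS server)
Export-NpsBackup
```

Importing the file on another server with netsh nps import restores those secrets along with the policies, which is why the file should travel only over protected channels and be deleted from shared locations afterwards.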
Chapter Summary (1 of 2)
- Ensuring that unauthorized access to the network is blocked is the first line of defense
- Network Policy Server is Microsoft's implementation of the RADIUS protocol, a proposed IETF standard that's widely used to centralize authentication, authorization, and accounting
- RADIUS accounting is essentially a log of access and accounting requests and responses sent between RADIUS clients and RADIUS servers
- For stronger security, certificate-based authentication is recommended
- Connection request policies are used to specify which RADIUS servers perform authentication and authorization of RADIUS clients' connection requests
Chapter Summary (2 of 2)
- You need to specify who can connect to the network by creating a network policy
- VPNs are common methods of accessing networks remotely and securely
- The authentication type for a VPN can be password based or certificate based
- Templates can reduce the amount of work and minimize the chance of error when configuring RADIUS servers
- NPS can export templates to an XML file that can be imported to another NPS server
- After configuring policies and templates, you can back up the entire NPS configuration by exporting it to an XML file