MCSA Guide to Networking with Windows Server 2016, Exam

MCSA Guide to Networking with Windows Server 2016, Exam 70-741, First Edition
Chapter 7: Implementing Network Policy Server
© 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Objectives
- 7.1 Describe the components and flow of Network Policy Server and configure RADIUS
- 7.2 Install and configure NPS and RADIUS
- 7.3 Configure NPS policies

Network Policy Server Overview
- With Network Policy Server (NPS), you can define and enforce rules that determine who can access your network and how they can access it
- The NPS architecture includes four features:
  - Remote Authentication Dial In User Service (RADIUS) server
  - RADIUS proxy
  - RADIUS accounting

The RADIUS Infrastructure (1 of 4)
- Network Policy Server: Microsoft's implementation of the Remote Authentication Dial In User Service (RADIUS) protocol
- Access client: a user or device attempting to access the network
- Network access server (NAS): a protocol-specific device that aids in connecting access clients to the network (wireless access point, VPN server)
- In the RADIUS infrastructure, a NAS is configured as a RADIUS client
- An access client makes a connection request to a NAS
- The RADIUS client sends an Access-Request message to an NPS server acting as a RADIUS server
- The NPS server evaluates the Access-Request message

The RADIUS Infrastructure (2 of 4)
- The NPS server can respond with one of three types of messages:
  - Access-Reject: the request is rejected
  - Access-Challenge: more information is requested
  - Access-Accept: access is granted
- The NAS sends an Accounting-Request message to the NPS server to be logged
- The NPS server sends an Accounting-Response message, which acknowledges that the request was received
- During the session, additional Accounting-Request messages containing information about the current session are sent
- When the user's connection ends, one last Accounting-Request message with information about the overall use during the session is sent
- The final message is acknowledged by an Accounting-Response message

The RADIUS Infrastructure (3 of 4)
- A RADIUS proxy can be inserted between NAS and NPS servers to help manage the load on NPS servers
- Reasons for RADIUS:
  - RADIUS centralizes control over authentication and authorization
  - Standardizing on RADIUS requires all NAS devices to be RADIUS clients, so that only one protocol performs authentication and authorization

The RADIUS Infrastructure (4 of 4)
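The Access-Request/Access-Accept exchange and the Accounting-Request/Accounting-Response exchange on the preceding slides, worked through as an added Python example (it is not code from the textbook or from NPS itself): a NAS acting as RADIUS client builds the packets, a stand-in for the NPS server answers them, and each side checks the other's authenticator with the shared secret, following RFC 2865 and RFC 2866. The account store, the user name jsmith, the password and the secrets are constructed for the demo.

```python
import hashlib
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_START = 1, 2, 40, 1
# Constructed stand-in for the account store; NPS itself checks credentials against Active Directory
USERS = {b"jsmith": b"demo-only-password"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def pack(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def unpack(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:20], decode_attrs(packet[20:length])

def authenticator(code, ident, prior_auth, attrs, secret):
    """MD5(Code + ID + Length + prior_auth + Attributes + Secret): the Response Authenticator of
    RFC 2865 when prior_auth is the Request Authenticator, the Accounting-Request authenticator
    of RFC 2866 when prior_auth is 16 zero octets. Only a peer holding the shared secret can produce it."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + prior_auth + body + secret).digest()

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-octet blocks with MD5(secret + previous block), chained from the
    Request Authenticator. This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(h ^ k for h, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


# NAS side: the RADIUS client
def nas_access_request(ident, user, password, secret):
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return pack(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def nas_accounting_request(ident, user, secret):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
    auth = authenticator(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, secret)
    return pack(ACCOUNTING_REQUEST, ident, auth, attrs)

def nas_check_response(response, request_auth, secret):
    """Return the reply code only if its Response Authenticator proves the server knows the secret."""
    code, ident, auth, attrs = unpack(response)
    return code if auth == authenticator(code, ident, request_auth, attrs, secret) else None


# NPS side: the RADIUS server
def nps_handle(packet, secret):
    code, ident, request_auth, attrs = unpack(packet)
    a = dict(attrs)
    if code == ACCESS_REQUEST:
        password = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
        reply = ACCESS_ACCEPT if USERS.get(a.get(USER_NAME)) == password else ACCESS_REJECT
    elif code == ACCOUNTING_REQUEST:
        if request_auth != authenticator(code, ident, b"\x00" * 16, attrs, secret):
            return None  # RFC 2866: silently discard a request carrying a bad authenticator
        reply = ACCOUNTING_RESPONSE
    else:
        return None
    return pack(reply, ident, authenticator(reply, ident, request_auth, [], secret), [])


def exchange(user, password, nas_secret, nps_secret):
    """Access-Request then Accounting-Request (Start); returns (reply code as verified by the NAS,
    whether the accounting request was acknowledged)."""
    req, request_auth = nas_access_request(7, user, password, nas_secret)
    access = nas_check_response(nps_handle(req, nps_secret), request_auth, nas_secret)
    acct = nps_handle(nas_accounting_request(8, user, nas_secret), nps_secret)
    return access, acct is not None
```

Running exchange() with matching secrets yields Access-Accept for the right password and Access-Reject for a wrong one, both acknowledged for accounting; with mismatched secrets the server cannot recover the password, the NAS discards the reply because the Response Authenticator does not verify, and the accounting request is silently dropped, which is the behaviour a mistyped shared secret produces in a real deployment.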

Installing and Configuring NPS and RADIUS (1 of 5)
- Two reasons to set up an NPS architecture with RADIUS when you have different connection paths to your network:
  - RADIUS centralizes control over authentication and authorization
  - Standardizing on RADIUS requires all NAS devices to be RADIUS clients
- After NPS is installed, you can configure the server to be a RADIUS server, a RADIUS proxy, or both
- The NPS standard configuration has wizards that walk you through these policy settings:
  - RADIUS server for Dial-Up or VPN Connections
  - RADIUS server for 802.1X Wireless or Wired Connections
- A policy must be defined for each type of RADIUS client, such as a VPN NAS, in the NPS console

Installing and Configuring NPS and RADIUS (2 of 5)
- Communication between a RADIUS client and a RADIUS server is validated with a shared secret
  - A text string that acts as a password between RADIUS clients, servers, and proxies
- Guidelines for creating shared secrets:
  - Should be at least 22 characters and should include uppercase and lowercase letters, numbers, and symbols
  - Can be up to 128 characters
  - Use a random combination of letters, numbers, and symbols rather than a phrase
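A checker and a generator for the shared-secret guidelines above, added here as an example (not code from the textbook or from NPS): check_shared_secret reports which of the listed rules a candidate breaks, and generate_shared_secret draws from the operating system's random source until a string satisfies all of them. The symbol set and the treatment of a space as a sign of a phrase are this example's own choices.

```python
import secrets
import string

MIN_LEN, MAX_LEN = 22, 128  # limits from the guidelines
# Symbol set chosen for this example; quotes and backslash are left out so the value pastes
# cleanly into netsh and PowerShell without extra escaping
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def check_shared_secret(secret):
    """Return the guideline violations for a candidate secret; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.isupper() for c in secret):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in secret):
        problems.append("no symbol")
    if " " in secret:
        problems.append("contains a space: looks like a phrase, use random characters")
    return problems


def generate_shared_secret(length=32):
    """Draw a random secret with the secrets module (CSPRNG) and retry until every class is present."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate
```

The generator is retry-based rather than forcing one character from each class into fixed positions, so every position stays uniformly random; with 22 or more characters the retry almost never triggers.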

Installing and Configuring NPS and RADIUS (3 of 5)
- Depending on the type of NAS, two general types of authentication methods are used: password based and certificate based
- Four password-based methods are supported:
  - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  - MS-CHAP version 2 (MS-CHAPv2)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Password Authentication Protocol (PAP)

Installing and Configuring NPS and RADIUS (4 of 5)
- The certificate-based method is Extensible Authentication Protocol (EAP)
- Certificate-based authentication is more secure than password-based authentication
- The authentication type for EAP is Transport Layer Security (TLS)
- Protected Extensible Authentication Protocol (PEAP): a special way to encrypt a password being sent via MS-CHAPv2
- Another part of the network policy is the realm: the Active Directory domain where the RADIUS server is located

Installing and Configuring NPS and RADIUS (5 of 5)
- A simple RADIUS infrastructure in a large network has a few drawbacks: lack of fault tolerance and possibly overloading the RADIUS server
- A solution is to use RADIUS proxies with multiple RADIUS servers (a RADIUS server group)
- In a server group, the load can be balanced based on these properties: priority, weight, and advanced settings
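How priority and weight steer a proxy's choice within a remote RADIUS server group, as an added Python example (not code from the textbook or from NPS): the lowest priority value that still has a usable server wins, and among servers sharing that priority the weight sets each one's share of requests. The server addresses are made up, and the "advanced settings" (timeouts and the thresholds after which a server is marked unavailable) are reduced here to a single available flag.

```python
import random
from dataclasses import dataclass


@dataclass
class RemoteRadiusServer:
    address: str
    priority: int = 1       # lower value is tried first; priority 2 only sees traffic when no priority-1 server is usable
    weight: int = 50        # share of requests among servers of the same priority (NPS accepts 1-100)
    available: bool = True  # the proxy clears this after a server stops answering (advanced settings govern when)


def choose_server(group, rng=random):
    """Select the server a RADIUS proxy forwards the next request to, or None if none is usable."""
    usable = [s for s in group if s.available and s.weight > 0]
    if not usable:
        return None
    best = min(s.priority for s in usable)
    tier = [s for s in usable if s.priority == best]
    return rng.choices(tier, weights=[s.weight for s in tier], k=1)[0]


def distribution(group, requests=1000, seed=7):
    """Count how a run of requests spreads across the group (seeded so the result is repeatable)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(requests):
        chosen = choose_server(group, rng)
        key = chosen.address if chosen else None
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed group: two active servers sharing the load 75/25 and one standby at priority 2
DEMO_GROUP = [
    RemoteRadiusServer("nps1.corp.example", priority=1, weight=75),
    RemoteRadiusServer("nps2.corp.example", priority=1, weight=25),
    RemoteRadiusServer("nps3.corp.example", priority=2, weight=50),
]
```

With all three up, the priority-2 server never receives a request; once both priority-1 servers are marked unavailable every request fails over to it, and with nothing usable the proxy has no target and must drop or reject the request.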

Configuring RADIUS Accounting
- RADIUS accounting is a log of the different access and accounting requests and responses between RADIUS clients and RADIUS servers
- NPS logs requests and responses by using one of these methods:
  - Event logging
  - Local text file
  - Microsoft SQL Server XML-compliant database
- The default setting is to log accounting information in a local text file in C:\Windows\System32\LogFiles
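To show what the local text log records, this added example (not code from the textbook or from NPS) parses a few constructed log lines written in the shape of NPS's DTS Compliant XML log format, in which each line is one <Event> element whose children are named after the logged RADIUS attributes, and summarizes accepts, rejects and completed session lengths per user. The host name, user names, addresses, session identifiers and durations are made up; the choice of the DTS Compliant format is this example's assumption, since the file format is selectable in the NPS console.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}   # Acct-Status-Type values (RFC 2866)
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 2, 3, 4   # Packet-Type values (RFC 2865/2866)

# Constructed sample log: one <Event> per line in the shape of the DTS Compliant format
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">03/13/2018 08:00:01.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\jsmith</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/13/2018 08:00:01.050</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\jsmith</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Timestamp data_type="4">03/13/2018 08:00:02.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\jsmith</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">S1</Acct-Session-Id></Event>
<Event><Timestamp data_type="4">03/13/2018 09:00:02.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\jsmith</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">S1</Acct-Session-Id><Acct-Session-Time data_type="0">3600</Acct-Session-Time></Event>
<Event><Timestamp data_type="4">03/13/2018 09:10:00.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\contractor</User-Name><NAS-IP-Address data_type="3">10.0.0.9</NAS-IP-Address><Packet-Type data_type="0">3</Packet-Type></Event>
<Event><Timestamp data_type="4">03/13/2018 09:10:04.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\contractor</User-Name><NAS-IP-Address data_type="3">10.0.0.9</NAS-IP-Address><Packet-Type data_type="0">3</Packet-Type></Event>
<Event><Timestamp data_type="4">03/13/2018 09:10:09.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\contractor</User-Name><NAS-IP-Address data_type="3">10.0.0.9</NAS-IP-Address><Packet-Type data_type="0">3</Packet-Type></Event>
"""


def parse_events(text):
    """Yield one dict per <Event> line; a malformed line is skipped instead of aborting the run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:
            continue
        yield {child.tag: child.text for child in root}


def summarize(text):
    """Per-user accept and reject counts plus completed session lengths keyed by Acct-Session-Id."""
    accepts, rejects, sessions = Counter(), Counter(), {}
    for ev in parse_events(text):
        ptype = int(ev.get("Packet-Type", 0))
        user = ev.get("User-Name", "<unknown>")
        if ptype == ACCESS_ACCEPT:
            accepts[user] += 1
        elif ptype == ACCESS_REJECT:
            rejects[user] += 1
        elif ptype == ACCOUNTING_REQUEST and ACCT_STATUS.get(int(ev.get("Acct-Status-Type", 0))) == "Stop":
            sessions[ev.get("Acct-Session-Id")] = int(ev.get("Acct-Session-Time", 0))
    return {"accepts": dict(accepts), "rejects": dict(rejects), "sessions": sessions}


def repeated_rejects(text, threshold=3):
    """Users rejected at least `threshold` times: a simple review trigger over the accounting log."""
    return sorted(u for u, n in summarize(text)["rejects"].items() if n >= threshold)
```

Reading the file line by line keeps memory flat on a busy server's log, and skipping unparsable lines matters because NPS appends to the file while it is being read, so the last line may be incomplete.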

Using Certificates for Authentication (1 of 3)
- For stronger security, certificate-based authentication is recommended
- A certificate is a digital document containing information that establishes an entity's identity
- With this authentication method, a server's or client's identity can be verified
- Certificates are created and distributed by a certification authority (CA)
- Two types of CAs: public and private
- For a certificate to be used for authentication, the CA must be trusted by the client or server
  - It must have a root certificate (also called a CA certificate) in the Trusted Root Certification Authorities certificate store

Using Certificates for Authentication (2 of 3)
- Three other important certificate types:
  - Client computer certificate: verifies a client computer's identity to an NPS server
  - Server certificate: verifies a server's identity to a client
  - User certificate: can be put on a smart card to verify a user's identity
- A certificate must meet these three criteria:
  - It must be valid
  - It must be configured for the purpose for which it's presented
  - It must be issued by a trusted CA

Using Certificates for Authentication (3 of 3)
- For a client to accept a certificate, the certificate must meet these requirements:
  - The subject name can't be blank
  - The certificate is linked to a trusted root CA
  - The purpose of the certificate is server authentication
  - The algorithm name is RSA, and the minimum key size is at least 2048
  - If the subject alternative name extension is used, the certificate must contain the NPS server's DNS name

Configuring NPS Policies
- NPS policies define who can connect, when they can connect, and how they connect to the network
- Two policy types are available:
  - Connection request policies: specify which RADIUS servers handle connection requests from RADIUS clients
  - Network policies: specify which users and groups have access and the times they have access

Configuring Connection Request Policies (1 of 3)
- Connection request policies are used to specify which RADIUS servers perform authentication and authorization of RADIUS clients' connection requests
- Can also specify to which servers RADIUS accounting requests are sent
- You can define connection request policies for the following NAS types:
  - Unspecified
  - Remote Desktop Gateway
  - Remote access server (VPN-dial up)
  - Vendor specific

Configuring Connection Request Policies (2 of 3)
- When a RADIUS server receives a RADIUS Access-Request message from a RADIUS client, the client's attributes are checked against the connection request policy's conditions
- Attributes in the Access-Request message must match at least one of the conditions in the policy before the NPS server acts as a RADIUS server or a RADIUS proxy
- Creating conditions allows you to control:
  - Who can access the network
  - How they can access it
  - When they can access it, based on the NAS that the client is using to request access

Configuring Connection Request Policies (3 of 3)
- The following groups of condition attributes can be used in a connection request policy to compare with the attributes of the RADIUS Access-Request message:
  - User name
  - Connection properties
  - Day and time restrictions
  - RADIUS client properties
  - Gateway properties

Configuring Network Policies (1 of 2)
- Connection request policies are specific to a NAS type, but network policies affect all clients who are trying to connect
- Groups of conditions for determining access:
  - Groups
  - Day and time restrictions
  - Connection properties
  - RADIUS client properties
  - Gateway

Configuring Network Policies (2 of 2)
- In addition to network conditions, you can specify network policy constraints
- Constraints are similar to conditions, with one major difference: if a constraint doesn't match the connection request, no further policies are checked
- You can configure the following constraints:
  - Authentication method
  - Idle timeout
  - Session timeout
  - Called station ID
  - Day and time restrictions
  - NAS port type
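The difference between conditions and constraints on the last two slides, shown by an added Python model of network policy evaluation (not code from the textbook or from NPS): policies are walked in processing order, a policy is taken as matching when each of its configured conditions matches the request (the rule NPS applies to multi-condition policies), and a failed constraint rejects the request on the spot without consulting any later policy. The policy names, group names, port-type and authentication-method labels and the request data are constructed for the demo.

```python
from datetime import datetime

WORKDAYS = {0, 1, 2, 3, 4}  # Monday to Friday, as datetime.weekday() numbers


# Builders for conditions and constraints; each returns a predicate over a request dict
def in_group(name):
    return lambda r: name in r["groups"]

def nas_port_type(*kinds):
    return lambda r: r["nas_port_type"] in kinds

def auth_method(*methods):
    return lambda r: r["auth_method"] in methods

def day_and_time(days, start_hour, end_hour):
    return lambda r: r["when"].weekday() in days and start_hour <= r["when"].hour < end_hour

def called_station_id(value):
    return lambda r: r.get("called_station_id") == value


def evaluate(policies, request):
    """Return (decision, policy name). The first enabled policy whose conditions all match decides
    the request: its access setting is returned unless one of its constraints fails, in which case
    the request is rejected immediately and no later policy is considered."""
    for policy in policies:
        if not policy.get("enabled", True):
            continue
        if not all(cond(request) for cond in policy["conditions"]):
            continue
        for constraint in policy["constraints"]:
            if not constraint(request):
                return "reject", policy["name"]
        return policy["access"], policy["name"]
    return "reject", None


# Constructed policy set, listed in processing order
POLICIES = [
    {"name": "VPN - Staff (business hours)",
     "conditions": [in_group("VPN Users"), nas_port_type("Virtual (VPN)")],
     "constraints": [auth_method("EAP-TLS", "MS-CHAPv2"), day_and_time(WORKDAYS, 7, 19)],
     "access": "grant"},
    {"name": "VPN - Admins (any time)",
     "conditions": [in_group("VPN Admins"), nas_port_type("Virtual (VPN)")],
     "constraints": [auth_method("EAP-TLS")],
     "access": "grant"},
    {"name": "Wireless - Domain Users",
     "conditions": [in_group("Domain Users"), nas_port_type("Wireless - IEEE 802.11")],
     "constraints": [auth_method("PEAP-MS-CHAPv2", "EAP-TLS")],
     "access": "grant"},
    # Catch-all with no conditions, so it matches anything that reached it, and denies
    {"name": "Connections to other access servers",
     "conditions": [], "constraints": [], "access": "deny"},
]


def make_request(groups, port, method, when, **extra):
    """Assemble the attributes NPS would take from the Access-Request and from the user's directory groups."""
    return {"groups": set(groups), "nas_port_type": port, "auth_method": method, "when": when, **extra}
```

The second test case is the ordering lesson: an administrator who is also in VPN Users and connects on a Saturday is rejected by the staff policy's day-and-time constraint, and the admin policy placed after it is never reached. Had the admin policy been listed first, or had the day-and-time restriction been a condition rather than a constraint, the request would have fallen through to the next policy instead.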

Configuring Network Policies for Virtual Private Networks
- The authentication type for a VPN can be password based or certificate based
- Certificate-based authentication is more secure, but you must have a valid CA certificate installed on every computer connecting via the VPN and client certificates installed on each computer
- Network policy settings that are applicable to VPNs:
  - Multilink and Bandwidth Allocation Protocol (BAP): handle connection types that include multiple channels
  - IP filters: filter access based on the client computer's IP address
  - Encryption settings: specify which encryption strengths you allow
  - IP settings: adjust how IP addresses are assigned to the access client

Managing NPS and RADIUS Templates
- Templates can reduce the amount of work and minimize the chance of error, especially when many RADIUS servers and clients need to be configured
- Templates are in the Network Policy Server console under the Templates Management node
- There are four template types:
  - Shared Secrets
  - RADIUS Clients
  - Remote RADIUS Servers
  - IP Filters

Exporting and Importing Templates
- NPS can export templates to an XML file that can then be imported to another NPS server
- To export a template, open the Network Policy Server console, right-click Templates Management, and click Export Templates to a File
  - Select a location for the file, enter a name, and click Save
- To import a template, open the Network Policy Server console, right-click Templates Management, and click Import Templates from a File
  - You can also click Import Templates from a Computer and enter the name of another NPS server on your network

Importing and Exporting NPS Policies (1 of 2)
- After configuring policies and templates, you can back up the entire NPS configuration by exporting it to an XML file
- To export an NPS backup file, follow these steps in the Network Policy Server console:
  1. In the left pane, right-click the NPS node, click Export Configuration, and click OK
  2. Choose a name and location to save the XML file, and click Save
  3. To restore the configuration, right-click the NPS node and click Import Configuration

Importing and Exporting NPS Policies (2 of 2)
- To export an NPS backup file from the command line, follow these steps:
  1. From a command prompt, type netsh and press Enter. At the netsh prompt, type nps and press Enter
  2. Type export filename=path\npsconfig.xml exportpsk=yes
  3. To import the file on this server or another server, type netsh and press Enter
  4. Type nps and press Enter, and then type import filename=path\filename.xml and press Enter

Chapter Summary (1 of 2)
- Ensuring that unauthorized access to the network is blocked is the first line of defense
- Network Policy Server is Microsoft's implementation of the RADIUS protocol, a proposed IETF standard that's widely used to centralize authentication, authorization, and accounting
- RADIUS accounting is essentially a log of access and accounting requests and responses sent between RADIUS clients and RADIUS servers
- For stronger security, certificate-based authentication is recommended
- Connection request policies are used to specify which RADIUS servers perform authentication and authorization of RADIUS clients' connection requests

Chapter Summary (2 of 2)
- You need to specify who can connect to the network by creating a network policy
- VPNs are common methods of accessing networks remotely and securely
- The authentication type for a VPN can be password based or certificate based
- Templates can reduce the amount of work and minimize the chance of error when configuring RADIUS servers
- NPS can export templates to an XML file that can be imported to another NPS server
- After configuring policies and templates, you can back up the entire NPS configuration by exporting it to an XML file