Network Policy Server (NPS) Technical Reference Microsoft Corporation Published: October 2008 Author: James McIllece Editor: Scott Somohano Abstract The Windows Server® 2008 Network Policy Server (NPS) Technical Reference provides information describing what NPS is, how NPS works, and NPS tools and settings. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Contents Network Policy Server (NPS) Technical Reference ...................................................................... 13 Windows Server 2008 Editions and NPS ................................................................................... 13 Windows Server 2008 Enterprise and Datacenter Editions ................................................... 14 Windows Server 2008 Standard Edition ................................................................................. 14 Windows Web Server 2008 .................................................................................................... 14 What Is Network Policy Server (NPS)? ......................................................................................... 14 See Also ..................................................................................................................................... 15 Components of a RADIUS Infrastructure ...................................................................................... 15 Access clients ...................................................................................................................... 16 Access servers used as RADIUS clients............................................................................. 17 NPS servers used as RADIUS servers ............................................................................... 17 NPS proxies and RADIUS proxies ...................................................................................... 17 User accounts databases .................................................................................................... 17 See Also ..................................................................................................................................... 18 NPS as a RADIUS Server and Proxy ............................................................................................ 18 RADIUS server ........................................................................................................................... 18 RADIUS proxy ............................................................................................................................ 18 RADIUS clients........................................................................................................................... 21 See Also ..................................................................................................................................... 21 New Features and Name Changes for NPS ................................................................................. 21 Additional features of NPS ......................................................................................................... 22 NPS server administration ...................................................................................................... 22 Authentication methods .......................................................................................................... 23 Authorization methods ............................................................................................................ 23 Centralized user authentication and authorization ................................................................. 23 Centralized administration for all access servers ................................................................... 24 Outsourced dial-up and wireless network access .................................................................. 25 Logging to a SQL Server database ........................................................................................ 25 NPS integration with RRAS .................................................................................................... 25 Scalable configurations ........................................................................................................... 26 Mapping network authentication and authorization for NPS proxy ......................................... 26 Name changes from Windows Server 2003 .............................................................................. 27 See Also ..................................................................................................................................... 27 NPS Terminology........................................................................................................................... 27 Planning NPS as a RADIUS proxy ................................................................................................ 31 Plan NPS server configuration ................................................................................................... 31 Key steps ................................................................................................................................ 31 Plan RADIUS clients .................................................................................................................. 32 Key steps ................................................................................................................................ 32 Plan remote RADIUS server groups .......................................................................................... 33 Key steps ................................................................................................................................ 33 Plan attribute manipulation rules for message forwarding ......................................................... 34 Key steps ................................................................................................................................ 34 Plan connection request policies ................................................................................................ 35 Key steps ................................................................................................................................ 35 Plan NPS accounting ................................................................................................................. 35 Key steps ................................................................................................................................ 35 Planning NPS as a RADIUS server ............................................................................................... 36 Plan NPS server configuration ................................................................................................... 36 Key steps ................................................................................................................................ 36 Plan RADIUS clients .................................................................................................................. 37 Key steps ................................................................................................................................ 37 Plan the use of authentication methods ..................................................................................... 38 Certificate-based authentication methods .............................................................................. 38 EAP-TLS .............................................................................................................................. 38 PEAP-MS-CHAP v2 ............................................................................................................ 39 Key steps ................................................................................................................................ 40 Plan network policies ................................................................................................................. 40 Key steps ................................................................................................................................ 40 Plan NPS accounting ................................................................................................................. 41 Key steps ................................................................................................................................ 41 NPS accounting using local log files ................................................................................... 41 Key steps ......................................................................................................................... 42 NPS SQL Server logging ..................................................................................................... 42 Key steps ......................................................................................................................... 42 Components of NPS ...................................................................................................................... 43 Configuration........................................................................................................................... 44 Standard configuration ........................................................................................................ 44 Advanced configuration ....................................................................................................... 45 NPS logging ............................................................................................................................ 45 RADIUS Clients and Servers ......................................................................................................... 45 RADIUS Clients ............................................................................................................................. 46 RADIUS clients........................................................................................................................... 46 RADIUS client examples ............................................................................................................ 46 RADIUS Access-Request messages...................................................................................... 47 NPS as a RADIUS client ......................................................................................................... 47 RADIUS client properties ........................................................................................................... 47 Remote RADIUS Server Groups ................................................................................................... 48 Configuring RADIUS servers for a group ................................................................................... 49 Policies .......................................................................................................................................... 49 Connection Request Policies ......................................................................................................... 50 Connection Request Policies ..................................................................................................... 50 Configuration examples ............................................................................................................. 51 Conditions .................................................................................................................................. 52 Settings ...................................................................................................................................... 53 Required Authentication Methods ........................................................................................... 53 Allowing unauthenticated access ........................................................................................ 54 Forwarding Connection Request ............................................................................................ 54 Specify a Realm Name ........................................................................................................... 56 RADIUS Attributes .................................................................................................................. 56 Adding a custom vendor-specific attribute (VSA) ................................................................ 57 Default connection request policy .............................................................................................. 57 Network Policies ............................................................................................................................ 58 Network policy properties ........................................................................................................... 59 Overview Properties ...................................................................................................................... 60 Conditions Properties .................................................................................................................... 61 Groups ........................................................................................................................................ 61 HCAP ......................................................................................................................................... 62 Day and time restrictions ............................................................................................................ 62 Network Access Protection ........................................................................................................ 63 Connection properties ................................................................................................................ 64 RADIUS client properties ........................................................................................................... 65 Gateway ..................................................................................................................................... 66 Constraints Properties ................................................................................................................... 66 Settings Properties ........................................................................................................................ 67 RADIUS attributes ...................................................................................................................... 67 Network Access Protection ........................................................................................................ 68 NAP enforcement.................................................................................................................... 68 Network Access Type .......................................................................................................... 68 Remediation Server Group and Troubleshooting URL ....................................................... 69 Autoremediation .................................................................................................................. 69 Extended State ....................................................................................................................... 69 Timeout ...................................................................................................................................... 69 Routing and Remote Access...................................................................................................... 69 Health Policies ............................................................................................................................... 70 Using multiple SHVs in a health policy ...................................................................................... 70 Network Access Protection (NAP) ................................................................................................. 71 System Health Validators .............................................................................................................. 72 WSHV settings ........................................................................................................................... 72 Firewall .................................................................................................................................... 72 Autoremediation .................................................................................................................. 73 Virus protection ....................................................................................................................... 73 Spyware protection ................................................................................................................. 74 Autoremediation .................................................................................................................. 75 Automatic updating ................................................................................................................. 75 Autoremediation .................................................................................................................. 75 Security Update Protection ..................................................................................................... 76 Autoremediation .................................................................................................................. 77 Remediation Server Groups .......................................................................................................... 77 Accounting ..................................................................................................................................... 78 How Network Policy Server Works ................................................................................................ 78 NPS Architecture ........................................................................................................................... 78 External Dependencies ........................................................................................................... 83 RADIUS extension DLLs and NPS architecture ........................................................................ 84 NPS Protocols ............................................................................................................................... 84 Authentication Protocols ................................................................................................................ 85 Authentication methods .............................................................................................................. 86 Certificate-based Authentication Protocols ................................................................................... 86 Certificate types.......................................................................................................................... 87 Certificate deployments and Active Directory replication ........................................................... 88 Extensible Authentication Protocol ................................................................................................ 89 EAP infrastructure ...................................................................................................................... 89 EAP types ................................................................................................................................... 90 EAP-TLS .................................................................................................................................... 90 Using RADIUS as a transport for EAP ....................................................................................... 90 Enabling EAP ............................................................................................................................. 91 Protected Extensible Authentication Protocol ............................................................................... 91 PEAP authentication process ..................................................................................................... 93 Establish a TLS-encrypted channel ........................................................................................ 93 Establish EAP-authenticated communication ......................................................................... 94 EAP types ................................................................................................................................... 94 PEAP with EAP-MS-CHAP v2 ................................................................................................... 94 PEAP with EAP-TLS .................................................................................................................. 95 PEAP fast reconnect .................................................................................................................. 95 Additional information....................................................................................................... 97 Certificate Templates and Requirements ...................................................................................... 97 Understanding authentication with certificates ....................................................................... 98 How trust is established ...................................................................................................... 98 Public CAs ........................................................................................................................ 99 Private CAs ...................................................................................................................... 99 Required certificates ............................................................................................................ 99 Wireless clients ........................................................................................................................ 101 Server Certificate Requirements ................................................................................................. 101 Computer and User Certificate Requirements ............................................................................ 102 Enrolling Certificates with Templates .......................................................................................... 103 Domain member certificate enrollment ................................................................................. 103 Non-domain member certificate enrollment .......................................................................... 104 Mapping with Certificate-Based Authentication ........................................................................... 107 One-to-One Mapping ......................................................................................................... 107 Many-to-One Mapping ....................................................................................................... 108 Password-based Authentication Protocols .................................................................................. 109 Microsoft Challenge Handshake Authentication Protocol v2 ...................................................... 109 Enabling MS-CHAP v2 ......................................................................................................... 111 Additional considerations .................................................................................................. 111 Microsoft Challenge Handshake Authentication Protocol v1 ...................................................... 111 Enabling MS-CHAP .................................................................................................................. 111 Additional considerations .................................................................................................. 112 Challenge Handshake Authentication Protocol ........................................................................... 112 Additional considerations .................................................................................................. 113 Shiva Password Authentication Protocol ..................................................................................... 113 Additional considerations ...................................................................................................... 113 Password Authentication Protocol ............................................................................................... 114 Additional considerations .................................................................................................. 114 Unauthenticated Access .............................................................................................................. 114 DNIS authorization ............................................................................................................ 115 Additional considerations ............................................................................................... 115 ANI/CLI authentication ...................................................................................................... 115 Guest authentication.......................................................................................................... 116 RADIUS Protocol ......................................................................................................................... 117 RADIUS message format ......................................................................................................... 118 General packet structure .......................................................................................................... 118 Code field .............................................................................................................................. 118 Identifier field......................................................................................................................... 119 Length field ........................................................................................................................... 119 Authenticator field ................................................................................................................. 119 Attributes section .................................................................................................................. 119 RADIUS message example ..................................................................................................... 119 Access-Request message .................................................................................................... 119 Access-Accept message ...................................................................................................... 122 RADIUS Attributes ....................................................................................................................... 123 Type field .............................................................................................................................. 124 Length field ........................................................................................................................... 124 Value field ............................................................................................................................. 124 RADIUS standard attribute types .......................................................................................... 124 Vendor-Specific Attributes ........................................................................................................... 126 Type value ............................................................................................................................ 126 Length value ......................................................................................................................... 126 Vendor-ID value .................................................................................................................... 126 String field ............................................................................................................................. 126 Vendor Type value ................................................................................................................ 127 Vendor Length value ............................................................................................................. 127 Attribute-Specific field ........................................................................................................... 127 NPS Processes and Interactions ................................................................................................. 127 Incoming RADIUS Message Validation ....................................................................................... 128 NPS server validation of RADIUS messages .......................................................................... 128 NPS proxy validation of RADIUS request messages ............................................................... 128 NPS proxy validation of RADIUS response messages ............................................................ 129 Network Access Quarantine Control in NPS ............................................................................... 130 Understanding NAQC and NAP ............................................................................................ 130 Quarantine mode .................................................................................................................. 131 Components of Network Access Quarantine Control ........................................................... 131 NPS and Tunneling ..................................................................................................................... 132 Voluntary tunneling ........................................................................................................ 133 Compulsory tunneling .................................................................................................... 134 NPS Certificate Revocation List (CRL) Checks........................................................................... 137 The certificate has been revoked.......................................................................................... 137 The certificate revocation list (CRL) for the certificate is not reachable or available ............ 137 The publisher of the CRL did not issue the certificate .......................................................... 138 The CRL is not current .......................................................................................................... 138 Processing a User Name Without a Domain Name .................................................................... 138 Connection Request Processing ................................................................................................. 138 NPS Proxy Process Overview.................................................................................................. 139 Access-Request messages .................................................................................................. 140 Access-Accept messages ..................................................................................................... 140 Access-Reject messages ..................................................................................................... 141 Accounting-Request messages ............................................................................................ 141 Accounting-Response messages ......................................................................................... 142 Load Balancing with NPS Proxy .................................................................................................. 142 RADIUS server priority and weight ....................................................................................... 143 Configuring NPS proxy load balancing ................................................................................. 144 Realm Names .............................................................................................................................. 145 Realm names ........................................................................................................................... 145 Acquiring the realm name ........................................................................................................ 146 Attribute manipulation rules ...................................................................................................... 146 Using Pattern-Matching Syntax in NPS ....................................................................................... 147 Pattern-matching reference ...................................................................................................... 147 Examples of using pattern-matching syntax to specify network policy attributes .................... 150 Examples for manipulation of the realm name in the User-Name attribute ............................. 150 Example for RADIUS message forwarding by a proxy server ................................................. 151 NPS Authorization Process ......................................................................................................... 151 Authorization by User and Group ................................................................................................ 153 Authorization by user ............................................................................................................ 153 Authorization by group .......................................................................................................... 154 Dial-In Properties of Accounts ..................................................................................................... 154 MAC Address Authorization ........................................................................................................ 156 Network Policies and Authorization ............................................................................................. 157 Network policy configuration issues ......................................................................................... 158 Access Permission ...................................................................................................................... 159 Access permission ................................................................................................................... 159 Ignore user account dial-in properties ...................................................................................... 159 RADIUS Authentication Process Overview ................................................................................. 160 Access-Request Message Processing ........................................................................................ 162 NPS RADIUS Server Message Processing ................................................................................ 162 RRAS authentication and authorization ................................................................................ 165 NPS RADIUS Proxy Message Processing .................................................................................. 165 NAP Health Policy Server Message Processing ......................................................................... 168 NPS Accounting........................................................................................................................... 172 NPS log file ............................................................................................................................... 173 NPS events and Event Viewer ................................................................................................. 173 Connection request failure events............................................................................................ 173 Connection request success events ........................................................................................ 174 Logging secure channel (Schannel) events ............................................................................. 174 Interpret IAS Format Log Files .................................................................................................... 175 Entries recorded in IAS format log files ................................................................................ 175 Attributes that are not recorded in IAS format log files ......................................................... 184 Interpret NPS Database Format Log Files .................................................................................. 185 Entries recorded in database-compatible log files ................................................................... 185 Interpret Windows System Health Validator Entries in Log Files ................................................ 193 Diagnostic codes ...................................................................................................................... 193 Error codes ............................................................................................................................... 194 Determining the client operating system .............................................................................. 197 Example log file entries ......................................................................................................... 197 First example log file entry ................................................................................................ 197 Second example log file entry ........................................................................................... 198 NPS SQL Server Logging ............................................................................................................ 199 Advantages of SQL Server logging .......................................................................................... 200 Data logged by NPS ................................................................................................................. 200 Requests logged by NPS ......................................................................................................... 201 NPS log file contents ................................................................................................................ 201 Required database fields for session correlation ..................................................................... 201 Configuring accounting to provide the best session correlation .............................................. 202 How NPS creates an XML document from accounting and authentication data ..................... 203 Network Policy Server Tools and Settings .................................................................................. 205 NPS Tools .................................................................................................................................... 205 NPS console............................................................................................................................. 205 NPS MMC snap-in.................................................................................................................... 205 Netsh commands for NPS ........................................................................................................ 205 Network Monitor ....................................................................................................................... 206 NPS API sets............................................................................................................................ 206 NPS Settings ............................................................................................................................... 206 NPS Server Registration in Active Directory ............................................................................... 207 NPS Ports .................................................................................................................................... 207 Connecting to a remote SQL server......................................................................................... 208 NPS Firewall Settings .................................................................................................................. 208 WFAS on the local NPS server ................................................................................................ 208 Other firewalls .......................................................................................................................... 208 Configuring the Internet firewall ............................................................................................... 209 Filters on the Internet interface ............................................................................................. 209 Filters on the perimeter network interface ................................................................................ 210 Configuring the intranet firewall ................................................................................................ 211 Filters on the perimeter network interface ................................................................................ 211 Filters on the intranet interface ................................................................................................. 212 NPS Message-Authenticator Attribute ......................................................................................... 212 NPS Shared Secrets ................................................................................................................... 213 NPS Reason Codes .................................................................................................................... 214 NPS Reason Codes 0 Through 37 .............................................................................................. 215 NPS Reason Codes 38 Through 257 .......................................................................................... 218 NPS Reason Codes 258 Through 282 ........................................................................................ 221 NPS Reason Codes 283 Through 303 ........................................................................................ 225 NPS Registry Entries ................................................................................................................... 228 NPS: Account Lockout ................................................................................................................. 228 Registry path ..................................................................................................................... 229 To enable remote access account lockout ........................................................................... 229 To modify the amount of time before the failed attempts counter is reset............................ 229 To manually reset a user account that has been locked out before the failed attempts counter is automatically reset ......................................................................................................... 230 NPS CRL Check Registry Settings.............................................................................................. 230 NPS CRL check registry settings ............................................................................................. 230 IgnoreNoRevocationCheck ................................................................................................... 230 IgnoreRevocationOffline ....................................................................................................... 231 NoRevocationCheck ............................................................................................................. 231 NoRootRevocationCheck ..................................................................................................... 231 NPS: Default Domain .................................................................................................................. 231 Configuring the Default Domain Name .................................................................................... 231 Creating the DefaultDomain Registry Key ............................................................................... 232 Registry path ..................................................................................................................... 232 To specify the NPS-supplied domain.................................................................................... 232 NPS: Default User Identity........................................................................................................... 232 Registry path ..................................................................................................................... 232 NPS: LAN Manager Authentication ............................................................................................. 233 Registry path ..................................................................................................................... 233 To enable LAN Manager authentication ............................................................................... 233 To disable LAN Manager authentication .............................................................................. 233 NPS: MaxConcurrentApi ............................................................................................................. 233 Registry path ............................................................................................................................ 234 To increase concurrent authentication ..................................................................................... 234 NPS: Override User-Name .......................................................................................................... 234 Registry path ..................................................................................................................... 234 NPS: Ping User-Name ................................................................................................................. 234 Registry path ......................................................................................................................... 235 To add Ping User-Name to the registry ................................................................................ 235 NPS: SCHANNEL ........................................................................................................................ 235 Registry path ..................................................................................................................... 236 To enable secure channel events ......................................................................................... 236 NPS: User Identity Attribute ......................................................................................................... 236 Registry path ..................................................................................................................... 236 Additional NPS Resources .......................................................................................................... 237 Network Policy Server (NPS) Technical Reference In this guide What Is Network Policy Server (NPS)? How Network Policy Server Works Network Policy Server Tools and Settings Network Policy Server (NPS) is a networking component of Windows Server® 2008 that allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use a server running NPS as a RADIUS proxy to forward connection requests to NPS or other Remote Authentication Dial-In User Service (RADIUS) servers that you configure in remote RADIUS server groups. The Network Policy Server (NPS) Technical Reference provides a detailed description of NPS, including how NPS works, and the tools and settings you can use to deploy, administer, and troubleshoot NPS. In Windows Server® 2008, Network Policy Server (NPS) is included in the Network Policy and Access Services (NPAS) server role. The NPAS server role is a logical grouping in the Add Roles installation wizard of the following network access technologies: Network Policy Server (NPS) Routing and Remote Access service (RRAS) Health Registration Authority (HRA) Host Credentials Authorization Protocol (HCAP) These technologies are the role services of the NPAS server role. When you install the NPAS server role, you can install one or more role services while running the Add Roles Wizard. The Add Roles Wizard is accessible in both Initial Configuration Tasks and Server Manager in the Windows Server 2008 graphical user interface. Note In Windows Server 2008, Network Policy Server (NPS) replaces the Internet Authentication Service (IAS) component of Windows Server 2003. Windows Server 2008 Editions and NPS NPS provides different functionality depending on the edition of Windows Server 2008 that you install. 13 Windows Server 2008 Enterprise and Datacenter Editions With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range. Windows Server 2008 Standard Edition With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query. Windows Web Server 2008 NPS is not included in this edition of Windows Server 2008. What Is Network Policy Server (NPS)? In this section Components of a RADIUS Infrastructure NPS as a RADIUS Server and Proxy New Features and Name Changes for NPS NPS Terminology Planning NPS as a RADIUS proxy Planning NPS as a RADIUS server Components of NPS When you provide your organization’s employees and their computers with network connectivity through network access servers, such as virtual private network (VPN) servers, wireless access points, and dial-up servers, you can use NPS to create, centrally manage, and enforce the network access policies that determine whether users and computers can or cannot access the network. During a connection attempt, users and computers typically provide account credentials in the form of a user name and password or a certificate. NPS can examine these credentials and use them to verify the identity of – or authenticate – the user or computer before allowing network access. NPS can also determine whether the user or computer has permission to access the network by authorizing the connection request against user account properties, network policies that you have created, or both. 14 NPS provides you with the advantage of configuring network policies at one server (the server running NPS) that are applied at many servers (the network access servers). For example, if you have 10 wireless access points and are not using NPS, you must configure access policies 10 times; but if you use NPS, you must configure each policy only one time. By using NPS, you can centrally manage network access for organizations of all sizes, including small businesses, medium organizations, enterprise-level organizations, and Internet service providers (ISPs). NPS provides you with the ability to secure and manage network access across a variety of network access scenarios such as the following: Employees connecting to your organization network through dial-up, VPN, wireless, Terminal Services Gateway (TS Gateway), and wired connections, using a variety of devices, including organization computers, personal digital assistants, and non-domain member computers, such as employee-owned devices. Employees connecting to other networks, including the Internet and business partner networks. Business partners connecting to your organization network. The underlying protocol that provides NPS with the ability to communicate with such a broad range of network access servers is the Remote Authentication Dial-In User Service (RADIUS) protocol. See Also Network Policy Server (NPS) Technical Reference Components of a RADIUS Infrastructure Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS and network access servers use the RADIUS protocol to securely transmit RADIUS messages. The RADIUS protocol is used solely between RADIUS servers and proxies, such as servers and proxies running NPS, and RADIUS-compliant network access servers. A fully functioning RADIUS infrastructure also contains components that do not use the RADIUS protocol, however, such as access clients and user accounts databases. Note RADIUS is an industry standard. For more information about RADIUS, see RFC 2865, “Remote Authentication Dial-In User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” For information about standards that apply to NPS in Windows Server 2008, see RFC 2868, “RADIUS Attributes for Tunnel Protocol Support,” and RFC 2869, “RADIUS Extensions.” 15 There are five components to an NPS or RADIUS infrastructure: access clients, access servers (RADIUS clients), NPS servers (RADIUS servers), NPS proxies (RADIUS proxies), and user account databases. A RADIUS infrastructure is used to perform authentication, authorization and accounting of user network access attempts. Authentication is the process of verifying the credentials of the users attempting to connect to a network. The authorization process determines whether users have permission to connect to the network, and the conditions under which permission has been granted. Accounting is an option that provides record keeping of successful or failed connection attempts. The following figure, “Components of an NPS Infrastructure,” illustrates the relationships between the five components of an NPS infrastructure. Components of an NPS Infrastructure Access clients An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or local area network (LAN) clients connected to an authenticating switch. Note Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. 16 Access servers used as RADIUS clients An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server. NPS servers used as RADIUS servers An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. NPS proxies and RADIUS proxies An NPS or RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients and RADIUS servers. The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server. A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations. User accounts databases The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information. The user account databases that NPS can use are the local Security Accounts Manager (SAM); a Microsoft Windows NT Server 4.0 domain; the Active Directory directory service and user accounts database included with Windows Server 2003 and Windows 2000; and the user accounts database provided with Active Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a domain member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations: In the domain in which the NPS server is a member. In domains for which there is a two-way trust with the NPS server domain. In trusted forests with domain controllers running Windows Server 2008 and AD DS. If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for Active Directory include untrusted forests, untrusted domains, or one-way trusted domains. 17 See Also What Is Network Policy Server (NPS)? NPS as a RADIUS Server and Proxy RADIUS servers process connection requests, whereas RADIUS proxies forward connection requests to other RADIUS servers for processing. You can configure a server running NPS to act as a RADIUS server, a RADIUS proxy, or both. RADIUS server When you deploy NPS as a RADIUS server, NPS receives connection requests from network access servers, and then processes the requests. NPS performs centralized connection authentication, authorization, and accounting for many types of network access. When NPS is used as a RADIUS server, it provides the following: A central authentication and authorization service for all access requests that are sent by RADIUS clients. NPS uses a Microsoft Windows NT Server 4.0 domain, an Active Directory domain, or the local SAM to authenticate user credentials for a connection attempt. NPS uses the dial-in properties of the user account and network policies to authorize a connection. A central accounting recording service for all accounting requests that RADIUS clients send. Accounting requests are stored in a local log file or a SQL server database for analysis. RADIUS proxy As a RADIUS proxy, NPS provides the routing of RADIUS messages between RADIUS clients (access servers), other RADIUS proxies, and the RADIUS servers that perform AAAA for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. Note When you configure NPS as a RADIUS proxy, network access servers are configured as RADIUS clients on the RADIUS proxy. In other words, connection requests originate at and are sent by RADIUS clients to the RADIUS proxy. Because the RADIUS proxy forwards these connection requests to remote RADIUS servers for processing, the proxy is acting as a RADIUS client to the remote RADIUS server. The following illustration shows NPS as a RADIUS proxy between RADIUS clients (access servers) and either RADIUS servers or another RADIUS proxy. 18 You can use NPS as a RADIUS proxy when: You are a service provider who offers outsourced dial-up, VPN, or wireless network access services to multiple customers. Your network access servers send connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that is maintained by the customer and can authenticate and authorize the connection attempt. For more information, see Realm Names. You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS server is a member or another domain that has a twoway trust with the domain in which the NPS server is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for network access servers in another domain or forest. 19 NPS supports authentication across forests without a RADIUS proxy when the two forests contain only domains that consist of domain controllers running Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. The forest functional level must be Windows Server 2008 or Windows Server 2003, and there must be a two-way trust relationship between forests. If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2008 and Windows Server 2003 domains. You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, connection requests that match a specified realm name are forwarded to a RADIUS server, which has access to a different database of user accounts and authorization data. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases. You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second. You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall is between your perimeter network (the network between your intranet and the Internet) and intranet. By placing an NPS server on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS server and multiple domain controllers. When replacing the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPS servers within your intranet. The following illustration shows the path of an Access-Request message from a network access server to a RADIUS proxy, and then on to a RADIUS server in a remote RADIUS server group. On the RADIUS proxy, the network access server is configured as a RADIUS client; and on each RADIUS server, the RADIUS proxy is configured as a RADIUS client. 20 RADIUS clients NPS can be used as a RADIUS server or proxy with any network access servers that are compliant with RADIUS RFCs 2865 and 2866. Network access servers are also called RADIUS clients. NPS enables the use of a heterogeneous or homogenous set of wireless, switch, remote access, or VPN equipment. You can use NPS to authenticate and authorize network connection requests when you deploy the following types of network access servers and technologies: Wired access with 802.1X-secured and RADIUS-compliant authenticating switches Wireless access with 802.1X-secured and RADIUS-compliant wireless access points Dial-up access with a computer running Windows Server 2008 and RRAS configured as a dial-up server, or other dial-up servers that are RADIUS-compliant Terminal services access with a computer running Windows Server 2008 and Terminal Services Gateway (TS Gateway) VPN access with a computer running Windows Server 2008 and RRAS configured as a VPN server, or other VPN servers that are RADIUS-compliant For more information, see RADIUS Clients. See Also What Is Network Policy Server (NPS)? New Features and Name Changes for NPS NPS provides the following new functionality in Windows Server 2008: Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in the Windows Vista operating system and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network. Network shell (Netsh) commands for NPS. A comprehensive command set that allows you to manage all aspects of NPS using commands at the netsh prompt and in scripts and batch files. The Netsh NPS command reference is available in HTML format in the Network Shell (Netsh) Technical Reference in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110825. In addition, the entire Network Shell (Netsh) Technical Reference is available for download in Windows Help format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=113659 New Windows interface. Windows interface improvements, including policy creation wizards for NAP, network policy, and connection request policy; and wizards designed specifically for deployments of 802.1X wired and wireless and VPN and dial-up connections. 21 Support for Internet Protocol version 6 (IPv6). NPS can be deployed in IPv6-only environments, IPv4-only environments, and in mixed environments where both IPv4 and IPv6 are used. Integration with Cisco Network Admission Control (NAC). With Host Credential Authorization Protocol (HCAP) and NPS, you can integrate Network Access Protection (NAP) with Cisco NAC. NPS provides the Extended State and Policy Expiration attributes in network policy for Cisco integration. Attributes to identify access clients. The operating system and access client conditions allow you to create network access policies that apply to clients you specify and to clients running operating system versions you specify. Integration with Server Manager. NPS is integrated with Server Manager, which allows you to manage multiple technologies from one Windows interface location. Network policies that match the network connection method. You can create network policies that are applied only if the network connection method, such as VPN, TS Gateway, or DHCP, matches the policy. This allows NPS to process only the policies that match the type of RADIUS client used for the connection. Common Criteria support. NPS can be deployed in environments where support for Common Criteria is required. For more information, see the Common Criteria portal at http://go.microsoft.com/fwlink/?LinkId=95567. NPS extension library. NPS provides extensibility that enables non-Microsoft organizations and companies to implement custom RADIUS solutions by authoring NPS extension dynamic-link libraries (DLLs). NPS recovers from failures in non-Microsoft extension DLLs. XML NPS configuration import and export. You can export an NPS server configuration to an XML file and then, on another NPS server, import the NPS server configuration from the XML file. These procedures are performed using the netsh NPS commands. EAPHost and EAP policy support. NPS supports EAPHost, which is also available in Windows Vista. EAPHost is a Windows service that implements RFC 3748 and supports all RFC-compliant EAP methods, including expanded EAP types. EAPHost also supports multiple implementations of the same EAP method. NPS administrators can configure network policy and connection request policy based on EAPHost EAP methods. Additional features of NPS Following are additional features provided by NPS. NPS server administration After you install NPS, you can administer NPS servers: Locally, by using the NPS Microsoft Management Console (MMC) snap-in, the static NPS console in Administrative Tools, or the network shell (Netsh) commands for NPS. From a remote NPS server, by using the NPS MMC snap-in, the Netsh commands for NPS, or Remote Desktop Connection. 22 From a remote workstation, by using Remote Desktop Connection. Authentication methods The protection of user account credentials during the authentication of users attempting connections is an important security concern. NPS supports a variety of authentication protocols and allows you to use arbitrary authentication methods to meet your requirements for authentication: Password-based Point-to-Point Protocol (PPP) authentication protocols. PPP is a set of industry-standard framing and authentication protocols that enables remote access solutions to be interoperable in a multivendor network. NPS supports the authentication protocols within PPP, such as Password Authentication Protocol, CHAP, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v1), MS-CHAP version 2 (MS-CHAP v2), and Extensible Authentication Protocol (EAP). Extensible Authentication Protocol (EAP) and Protected EAP (PEAP). EAP is an Internet standards–based infrastructure that allows the addition of arbitrary authentication methods, such as smart cards, certificates, one-time passwords, and token cards. A specific authentication method that uses the EAP infrastructure is an EAP type. NPS includes support for EAP-Transport Layer Security (EAP-TLS), as well as PEAP-MS-CHAP v2 and PEAP-TLS. Authorization methods NPS supports a number of authorization methods and allows you to add custom methods that meet your authorization requirements. The supported authorization methods are: Dialed Number Identification Service (DNIS). The authorization of a connection attempt that is based on the number called. DNIS supplies the number that was called to the call receiver and is provided by most standard telephone companies. Automatic Number Identification/Calling Line Identification (ANI/CLI). The authorization of a connection attempt that is based on the phone number of the caller. ANI/CLI service supplies the number of the caller to the call receiver and is provided by most standard telephone companies. Guest authorization. The authorization of a connection when the caller does not send a user name or password during the authentication process. If unauthenticated access is enabled, the Guest account is used by default as the identity of the caller. In addition, you can configure authorization by user with Active Directory Domain Services (AD DS) user and computer account dial-in properties or authorization by group using NPS network policy. Centralized user authentication and authorization To authenticate a connection request, NPS validates the connection credentials against user and computer accounts in the local computer security accounts manager (SAM) database (also called Local Users and Groups), a Windows NT Server 4.0 domain, or an Active Directory domain. For 23 an Active Directory domain, NPS supports the use of Active Directory user principal names (UPNs) and universal groups. To authorize a connection request, NPS uses the dial-in properties of the user account that correspond to both the connection credentials and network policies. One of the elements used during authorization is the network access permission setting, which can be set both on the user or computer account and in the network policy. Although it is relatively easy to manage network access permission for each user account, this approach does not scale well as an organization grows. NPS network policies provide a more powerful and flexible way to manage network access permission. With network policies, you can authorize network access based on various conditions, including: User account membership in a group. The time of day, the day of the week, or both. The type of media by which the user is connecting (for example, wireless, Ethernet switch, modem, or VPN). The phone number that the user calls. The access server from which the request arrives. In network policies you can control many connection parameters, including: The use of specific authentication methods. The idle time-out. The maximum time of a single session. The number of links in a multilink session. The use of encryption and its strength. The use of packet filters to control what resources the connecting user can access. For example, you can use filters to control which IP addresses, hosts, and ports the user is allowed to use in sending or receiving packets. The creation of a compulsory tunnel that forces all packets from that connection to be securely tunneled through the Internet and then terminated in a private network. The virtual local area network identifier for wireless or Ethernet connections. Centralized administration for all access servers Support for the RADIUS standard allows NPS to control connection parameters for any network access server (NAS) that implements RADIUS. The RADIUS standard also allows individual access server vendors to create proprietary extensions called vendor-specific attributes (VSAs). NPS has incorporated the extensions from a number of vendors in its dictionary of attributes. In circumstances where an attribute is not included in the NPS dictionary of attributes, additional VSAs can be created and added to the profile of individual network policies. 24 Outsourced dial-up and wireless network access Outsourced dialing (also known as wholesale dialing) provides a contract between an organization and an ISP. The ISP allows employees of the organization to connect to its network before the VPN tunnel to the private network of the organization is established. When an employee of the organization connects to the network access server of the ISP, the authentication and records of usage are forwarded to the NPS server at the organization. The NPS server enables the organization to control user authentication, track usage, and determine which employees are allowed to access the network of the ISP. The advantages of outsourced dialing are the potential financial and administrative savings. By using an ISP’s hardware and wide area network (WAN) links instead of purchasing and installing your own, you might save a great deal on infrastructure costs. If traveling or remotely located employees dial in to an ISP that has worldwide connections, making a local rather than a long distance connection, you might significantly decrease your long-distance phone bill. And by moving support requirements to the provider, you might eliminate administrative costs. You can also outsource wireless access. A vendor can provide wireless access in a remote location and use NPS as a RADIUS proxy to forward your employee connection requests to a RADIUS server on your network for authentication and authorization. Logging to a SQL Server database You can use Microsoft SQL Server to log NPS accounting information, such as user authentication requests, accounting requests, and periodic data, to a database that warehouses data from multiple NPS servers. You can configure NPS RADIUS accounting to record accounting information to a stored procedure in a Microsoft SQL Server 2000, SQL Server 2005, or SQL Server 2008 database. NPS integration with RRAS You can configure RRAS to use Windows authentication and accounting or to use RADIUS authentication and accounting. When RADIUS authentication or accounting is selected, any RFCcompliant RADIUS server can be used to provide authentication and authorization for connection requests; using an NPS server is recommended, however, to achieve the optimum level of integration with RRAS in Windows Server 2008 and Windows Server 2003 environments. NPS and the Routing and Remote Access service share the same network policies and authentication capabilities. When the Routing and Remote Access service is configured for Windows authentication, local RRAS network policies are used, and logging is recorded in a local file by default. You can also configure the Routing and Remote Access service to log accounting data to a database on a computer running Microsoft SQL Server. When the Routing and Remote Access service is configured as a RADIUS client to an NPS server, the network policies of the NPS server are used and logging is recorded in a local file on the NPS server or, when NPS SQL Server logging is configured on the NPS server, to a SQL Server database. 25 Because the policies within NPS at a central large site can be exported to the independent remote access server in a small site, a consistent implementation across NPS and the Routing and Remote Access service is provided. It allows you to deploy the Routing and Remote Access service at small sites without the need for a separate, centralized NPS server; it also provides the capability to scale up to a centralized remote access management model when the need arises to do so. In this case, NPS in conjunction with remote access servers implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access. Scalable configurations You can scale NPS to network configurations of varying size, from stand-alone servers for small networks to large corporate and ISP networks. As your network grows, you can add access servers, NPS proxy servers, and NPS servers to scale up and out, exporting and importing server configurations to minimize administrative overhead. NPS logging to SQL Server databases also provides the ability to scale the logging of network session information. Mapping network authentication and authorization for NPS proxy When you map a user account in a remote user accounts database to a user account in a local user accounts database, the proxy component of NPS can separate the authentication and authorization of connection requests. NPS sends the authentication request to the remote NPS server while also processing the authorization request locally. The NPS proxy can forward password-based user credentials to an external RADIUS server for authentication, and perform authorization against a user account in an Active Directory domain and a locally configured network policy. Note Members of a remote RADIUS server group can be NPS servers that authenticate connection requests by using Active Directory or they can be third-party RADIUS servers that can perform authentication by using other user account databases. Regardless of the user accounts database or RADIUS server used with account mapping, authorization is performed on the local NPS proxy. To configure NPS to split authentication and authorization between two different NPS servers and user accounts databases, you can map the realm portion of a user name to a remote RADIUS server for authentication, even if that RADIUS server is located on another private network. For example, NPS can authenticate a visitor from a partner organization by using the partner organization RADIUS server and user accounts database. NPS then authorizes access to your network by using connection request policy settings on your NPS server and a Windows user accounts database in an Active Directory domain that is established for visitor accounts. You can configure the proxy component with the Remote-RADIUS-to-Windows-User-Mapping attribute in the advanced properties of a connection request policy. 26 Name changes from Windows Server 2003 Internet Authentication Service (IAS) in Windows Server 2003 is named Network Policy Server (NPS) in Windows Server 2008. IAS remote access policies in Windows Server 2003 are named network policies in NPS in Windows Server 2008. The Remote Access Permission setting in user account dial-in properties in the Active Directory Users and Computers MMC snap-in is named Network Access Permission in Windows Server 2008 AD DS. The Control access through Remote Access Policy setting in user account dial-in properties in Active Directory Users and Computers is named Control access through NPS Network Policy in Windows Server 2008 AD DS. See Also Network Policy Server (NPS) Technical Reference What Is Network Policy Server (NPS)? NPS as a RADIUS Server and Proxy Network Access Protection (NAP) Components of a RADIUS Infrastructure NPS Terminology The following section provides common RADIUS, NPS, and other terms and their definitions. Access client. A computer or other device, such as a personal digital assistant (PDA), that initiates a connection attempt to a network by contacting a RADIUS client. Authentication. The process of verifying the identity of a user or computer. NPS authenticates users and computers by verifying their supplied credentials (a user name and password or a certificate) against the credentials in the user account database. Authorization. The process of determining whether a user or computer has permission to access the network. NPS authorizes users and computers by using user account dial-in properties in AD DS, with network policies, or by using both user account dial-in properties and network policies. Certificate. A digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Most certificates in common use are based on the X.509v3 certificate standard. Because certificates are generally used to establish identity and create trusts for the secure exchange of information, certification authorities (CAs) can issue certificates to people, to devices (such as computers), and to services running on computers (such as IPsec). 27 Certificate store. A location on a computer hard drive that contains, or stores, certificates that are issued to the computer, user, or to services running on the computer. In Windows Vista and Windows Server 2008, the certificate store can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. Connection request. A RADIUS Access-Request message that contains RADIUS attributes and other information and is sent by a RADIUS client to either a RADIUS proxy or a RADIUS server. RADIUS clients, or network access servers, create connection requests when users, computers, and other devices contact the RADIUS client in an effort to gain access to their network. Connection request policy. A set of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running NPS receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. If you configure authentication in a connection request policy, the settings override authentication settings in all network policies. Important When you deploy Network Access Protection (NAP) by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the connection request policy even when connection requests are processed locally. Extensible Authentication Protocol (EAP). An extension of Point-to-Point Protocol (PPP) that allows arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to demand for authentication methods that use security devices, such as smart cards, token cards, and crypto-calculators. EAP provides an industrystandard architecture for supporting additional authentication methods within PPP. Message-Authenticator attribute. An attribute that contains the encrypted shared secret that is configured on both a RADIUS client and on the NPS server to provide protection from spoofed Access-Request messages and RADIUS message tampering. Enabling the use of the MessageAuthenticator attribute provides additional security when PAP, CHAP, MS-CHAP, and MS-CHAP v2 are used for authentication. EAP uses the Message-Authenticator attribute by default. Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network. Network access server (NAS). A computer or other device, such as a wireless access point, dedicated VPN device, or authenticating switch, that serves as a gateway between access clients and a network. When a NAS is compliant with the RADIUS protocol, is also called a RADIUS client. Network policy. A set of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy NAP, health policy is added to the network policy configuration so that 28 NPS performs client health checks during the authorization process. Network policy settings are applied to the connection when they are returned in an Access-Accept message to the RADIUS client from the NPS server. NPS dictionary. A read-only list of vendor-specific attributes that is stored by NPS in dnary.xml. Protected EAP (PEAP) . PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or RADIUS server. PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. Remote Authentication Dial-In User Service (RADIUS). An industry standard protocol described in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is used to provide network authentication, authorization, accounting, and auditing services for network administrators that deploy local or remote access to their networks. RADIUS Access-Accept message. A message created by a RADIUS server that is sent to a RADIUS client. The Access-Accept message tells the RADIUS client that the user or computer can access the network, and can include NPS network policy settings that allow the RADIUS client to start delivery of service to the access client. RADIUS Access-Challenge message. A message created by a RADIUS server that is sent to a RADIUS client when the RADIUS server requires more information than was provided in the original Access-Request message. RADIUS Access-Reject message. A message created by a RADIUS server that is sent to a RADIUS client when the RADIUS server is rejecting a connection attempt. Connection requests can result in an Access-Reject if no network policy matches the connection request, if the user’s or computer’s identity cannot be verified, if the user or computer is not authorized to access the network, or for many other reasons. RADIUS Access-Request message. A message created by a RADIUS client that contains such attributes as the port ID the user is accessing and the results of the authentication process, such as the user name, the challenge string, and the response of the access client. Also called a connection request. RADIUS accounting. Part of the RADIUS protocol that allows you to log user authentication and accounting requests to a local file or to a SQL Server database. Accounting logs are used for billing, security, and troubleshooting purposes. RADIUS Accounting-Request message. A message created by a RADIUS client that is sent to a RADIUS server that contains accounting information for service that is provided to an access client or user. If the RADIUS server is configured to do so, the accounting information can be recorded in an accounting log. NPS provides the ability to log accounting information in a local text file or in a SQL Server database. 29 RADIUS Accounting-Response message. A message that is created by a RADIUS server that is sent to a RADIUS client upon receipt of an Accounting-Request message and successful recording of the accounting data. RADIUS attributes. Containers that include a Type, a Length, and a Value that hold information that is sent in RADIUS messages between RADIUS clients and RADIUS servers. One RADIUS message can include multiple RADIUS attributes, each of which holds a specific type of information for which the attribute was designed. For example, the Calling-Station-ID attribute can include a value that is the telephone number from which a dial-up networking session was initiated. A dial-in server that is configured as a RADIUS client can send the Calling-Station-ID attribute, along with other attributes and information, in an Access-Request RADIUS message to a RADIUS server. The RADIUS standard attributes are described in Request for Comments (RFC) 2865 and RFC 2866. RADIUS client. A network access server — such as a dial-up server, VPN server, TS Gateway server, RADIUS proxy, 802.1X-capable switch, or wireless access point — that is compliant with the RADIUS protocol and uses the RADIUS protocol to communicate with RADIUS servers. RADIUS proxy. A RADIUS client that is compliant with the RADIUS protocol and that can receive and forward RADIUS messages between other RADIUS clients and RADIUS servers. RADIUS proxies can be configured to forward connection requests to multiple sets of remote RADIUS servers, and are used for load balancing and to provide network access for users whose accounts are located in remote or untrusted domains and forests. RADIUS server. An authenticating server that is compliant with the RADIUS protocol, and that processes connection requests that it receives from RADIUS clients and RADIUS proxies. Remote RADIUS server group. A collection of one or more RADIUS servers that is configured on a RADIUS proxy. The RADIUS proxy forwards connection requests to members of remote RADIUS server groups for processing. Shared secret. A password that is configured on both a RADIUS server and its configured RADIUS clients that assists these entities in verifying the identity of the device with which they are communicating. When the Message-Authenticator attribute is used during the authentication process, the shared secret is encrypted and used as proof of identity during communication between the RADIUS client and server. User accounts database. The list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information. User accounts databases can also include accounts for computers and other devices. Vendor specific attribute (VSA). A RADIUS attribute that is created and supported only by specific RADIUS client manufacturers. VSAs allow RADIUS client vendors, such as the manufacturers of wireless access points, 802.1X authenticating switches, and devices that act as virtual private network (VPN) servers, to support their own proprietary RADIUS attributes that are not included in the RFCs. NPS includes VSAs from a number of vendors in its dictionary; however, the NPS dictionary does not include VSAs for all vendors. Some network access server (NAS) manufacturers use VSAs to provide functionality that is not supported in RADIUS standard 30 attributes. NPS enables you to create or edit VSAs to take advantage of proprietary functionality supported by some NAS vendors. Planning NPS as a RADIUS proxy When you deploy Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, NPS receives connection requests from RADIUS clients, such as network access servers or other RADIUS proxies, and then forwards these connection requests to servers running NPS or other RADIUS servers. You can use these planning guidelines to simplify your RADIUS deployment. These planning guidelines do not include circumstances in which you want to deploy NPS as a RADIUS server. When you deploy NPS as a RADIUS server, NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain. Before you deploy NPS as a RADIUS proxy on your network, use the following guidelines to plan your deployment: Plan NPS server configuration. Plan RADIUS clients. Plan remote RADIUS server groups. Plan attribute manipulation rules for message forwarding. Plan connection request policies. Plan NPS accounting. Plan NPS server configuration When you use NPS as a RADIUS proxy, NPS forwards connection requests to an NPS server or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory Domain Services (AD DS) because it does not need access to the dial-in properties of user accounts. In addition, you do not need to configure network policies on an NPS proxy because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member or it can be a stand-alone server with no domain membership. NPS must be configured to communicate with RADIUS clients, also called network access servers, by using the RADIUS protocol. In addition, you can configure the types of events that NPS records in the event log and you can enter a description for the server. Key steps During the planning for NPS proxy configuration, the following steps can be used: 31 Determine the RADIUS ports that the NPS proxy uses to receive RADIUS messages from RADIUS clients and to send RADIUS messages to members of remote RADIUS server groups. The default User Datagram Protocol (UDP) ports are 1812 and 1645 for RADIUS authentication messages and UDP ports 1813 and 1646 for RADIUS accounting messages. If the NPS proxy is configured with multiple network adapters, determine the adapters over which you want RADIUS traffic to be allowed. Determine the types of events that you want NPS to record in the Event Log. You can log rejected connection requests, successful connection requests, or both. Determine whether you are deploying more than one NPS proxy. To provide fault tolerance, use at least two NPS proxies. One NPS proxy is used as the primary RADIUS proxy and the other is used as a backup. Each RADIUS client is then configured on both NPS proxies. If the primary NPS proxy becomes unavailable, RADIUS clients then send Access-Request messages to the alternate NPS proxy. Plan the script used to copy one NPS proxy configuration to other NPS proxies to save on administrative overhead and to prevent the incorrect configuration of a server. NPS provides the Netsh commands that allow you to copy all or part of an NPS proxy configuration for import onto another NPS proxy. You can run the commands manually at the Netsh prompt. However, if you save your command sequence as a script, you can run the script at a later date if you decide to change your proxy configurations. Plan RADIUS clients RADIUS clients are network access servers, such as wireless access points, virtual private network (VPN) servers, 802.1X-capable switches, and dial-up servers. RADIUS proxies, which forward connection request messages to RADIUS servers, are also RADIUS clients. NPS supports all network access servers and RADIUS proxies that comply with the RADIUS protocol, as described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." In addition, both wireless access points and switches must be capable of 802.1X authentication. If you want to deploy Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP), access points and switches must support the use of EAP. To test basic interoperability for PPP connections for wireless access points, configure the access point and the access client to use Password Authentication Protocol (PAP). Use additional PPPbased authentication protocols, such as PEAP, until you have tested the ones that you intend to use for network access. Key steps During the planning for RADIUS clients, the following steps can be used: Document the vendor-specific attributes (VSAs) you must configure in NPS. If your NASs require VSAs, log the VSA information for later use when you configure your network policies in NPS. 32 Document the IP addresses of RADIUS clients and your NPS proxy to simplify the configuration of all devices. When you deploy your RADIUS clients, you must configure them to use the RADIUS protocol, with the NPS proxy IP address entered as the authenticating server. And when you configure NPS to communicate with your RADIUS clients, you must enter the RADIUS client IP addresses into the NPS snap-in. Create shared secrets for configuration on the RADIUS clients and in the NPS snap-in. You must configure RADIUS clients with a shared secret, or password, that you will also enter into the NPS snap-in while configuring RADIUS clients in NPS. Plan remote RADIUS server groups When you configure a remote RADIUS server group on an NPS proxy, you are telling the NPS proxy where to send some or all connection request messages that it receives from network access servers and NPS proxies or other RADIUS proxies. You can use NPS as a RADIUS proxy to forward connection requests to one or more remote RADIUS server groups, and each group can contain one or more RADIUS servers. When you want the NPS proxy to forward messages to multiple groups, configure one connection request policy per group. The connection request policy contains additional information, such as attribute manipulation rules, that tell the NPS proxy which messages to send to the remote RADIUS server group specified in the policy. You can configure remote RADIUS server groups by using the Netsh commands for NPS, by configuring groups directly in the NPS snap-in under Remote RADIUS Server Groups, or by running the New Connection Request Policy wizard. Key steps During the planning for remote RADIUS server groups, the following steps can be used: Determine the domains that contain the RADIUS servers to which you want the NPS proxy to forward connection requests. These domains contain the user accounts for users that connect to the network through the RADIUS clients you deploy. Determine whether you need to add new RADIUS servers in domains where RADIUS is not already deployed. Document the IP addresses of RADIUS servers that you want to add to remote RADIUS server groups. Determine how many remote RADIUS server groups you need to create. In some cases, it is best to create one remote RADIUS server group per domain, and then add the RADIUS servers for the domain to the group. However, there might be cases in which you have a large amount of resources in one domain, including a large number of users with user accounts in the domain, a large number of domain controllers, and a large number of RADIUS servers. Or your domain might cover a large geographical area, causing you to have network access servers and RADIUS servers in locations that are distant from each other. In 33 these and possibly other cases, you can create multiple remote RADIUS server groups per domain. Create shared secrets for configuration on the NPS proxy and on the remote RADIUS servers. Plan attribute manipulation rules for message forwarding Attribute manipulation rules, which are configured in connection request policies, allow you to identify the Access-Request messages that you want to forward to a specific remote RADIUS server group. You can configure NPS to forward all connection requests to one remote RADIUS server group without using attribute manipulation rules. If you have more than one location to which you want to forward connection requests, however, you must create a connection request policy for each location, then configure the policy with the remote RADIUS server group to which you want to forward messages as well as with the attribute manipulation rules that tell NPS which messages to forward. You can create rules for the following attributes: Called-Station-ID. The phone number of the network access server (NAS). The value of this attribute is a character string. You can use pattern-matching syntax to specify area codes. Calling-Station-ID. The phone number used by the caller. The value of this attribute is a character string. You can use pattern-matching syntax to specify area codes. User-Name. The user name that is provided by the access client and that is included by the NAS in the RADIUS Access-Request message. The value of this attribute is a character string that typically contains a realm name and a user account name. To correctly replace or convert realm names in the user name of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy. Key steps During the planning for attribute manipulation rules, the following steps can be used: Plan message routing from the NAS through the proxy to the remote RADIUS servers to verify that you have a logical path with which to forward messages to the RADIUS servers. Determine one or more attributes that you want to use for each connection request policy. Document the attribute manipulation rules that you plan to use for each connection request policy, and match the rules to the remote RADIUS server group to which messages are forwarded. 34 Plan connection request policies The default connection request policy is configured for NPS when it is used as a RADIUS server. Additional connection request policies can be used to define more specific conditions, create attribute manipulation rules that tell NPS which messages to forward to remote RADIUS server groups, and to specify advanced attributes. Use the New Connection Request Policy Wizard to create either common or custom connection request policies. Key steps During the planning for connection request policies, the following steps can be used” Delete the default connection request policy on each server running NPS that functions solely as a RADIUS proxy. Plan additional conditions and settings that are required for each policy, combining this information with the remote RADIUS server group and the attribute manipulation rules planned for the policy. Design the plan to distribute common connection request policies to all NPS proxies. Create policies common to multiple NPS proxies on one NPS server, and then use the Netsh commands for NPS to import the connection request policies and server configuration on all other proxies. Plan NPS accounting When you configure NPS as a RADIUS proxy, you can configure it to perform RADIUS accounting by using NPS format log files, database-compatible format log files, or NPS SQL Server logging. You can also forward accounting messages to a remote RADIUS server group that performs accounting by using one of these logging formats. Key steps During the planning for NPS accounting, the following steps can be used: Determine whether you want the NPS proxy to perform accounting services or to forward accounting messages to a remote RADIUS server group for accounting. Plan to disable local NPS proxy accounting if you plan to forward accounting messages to other servers. Plan connection request policy configuration steps if you plan to forward accounting messages to other servers. If you disable local accounting for the NPS proxy, each connection request policy that you configure on that proxy must have accounting message forwarding enabled and configured properly. Determine the logging format that you want to use: IAS format log files, database-compatible format log files, or NPS SQL Server logging. 35 Planning NPS as a RADIUS server When you deploy Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain. You can use these planning guidelines to simplify your RADIUS deployment. These planning guidelines do not include circumstances in which you want to deploy NPS as a RADIUS proxy. When you deploy NPS as a RADIUS proxy, NPS forwards connection requests to a server running NPS or other RADIUS servers in remote domains, untrusted domains, or both. Before you deploy NPS as a RADIUS server on your network, use the following guidelines to plan your deployment: Plan NPS server configuration. Plan RADIUS clients. Plan the use of authentication methods. Plan network policies. Plan NPS accounting. Plan NPS server configuration You must decide in which domain the NPS server is a member. For multiple-domain environments, an NPS server can authenticate credentials for user accounts in the domain of which it is a member and for all domains that trust the local domain of the NPS server. To allow the NPS server to read the dial-in properties of user accounts during the authorization process, you must add the computer account of the NPS server to the RAS and NPS servers group for each domain. After you have determined the domain membership of the NPS server, the server must be configured to communicate with RADIUS clients, also called network access servers, by using the RADIUS protocol. In addition, you can configure the types of events that NPS records in the event log and you can enter a description for the server. Key steps During the planning for NPS server configuration, the following steps can be used: Determine the RADIUS ports that the NPS server uses to receive RADIUS messages from RADIUS clients. The default ports are UDP ports 1812 and 1645 for RADIUS authentication messages and ports 1813 and 1646 for RADIUS accounting messages. If the NPS server is configured with multiple network adapters, determine the adapters over which you want RADIUS traffic to be allowed. Determine the types of events that you want NPS to record in the Event Log. You can log rejected authentication requests, successful authentication requests, or both types of requests. 36 Determine whether you are deploying more than one NPS server. To provide fault tolerance for RADIUS-based authentication and accounting, use at least two NPS servers. One NPS server is used as the primary RADIUS server and the other is used as a backup. Each RADIUS client is then configured on both NPS servers. If the primary NPS server becomes unavailable, RADIUS clients then send Access-Request messages to the alternate NPS server. Plan the script used to copy one NPS server configuration to other NPS servers to save on administrative overhead and to prevent the incorrect cofiguration of a server. NPS provides the Netsh commands that allow you to copy all or part of an NPS server configuration for import onto another NPS server. You can run the commands manually at the Netsh prompt. However, if you save your command sequence as a script, you can run the script at a later date if you decide to change your server configurations. Plan RADIUS clients RADIUS clients are network access servers, such as wireless access points, virtual private network (VPN) servers, 802.1X-capable switches, and dial-up servers. RADIUS proxies, which forward connection request messages to RADIUS servers, are also RADIUS clients. NPS supports all network access servers and RADIUS proxies that comply with the RADIUS protocol as described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." Important Access clients, such as client computers, are not RADIUS clients. Only network access servers and proxy servers that support the RADIUS protocol are RADIUS clients. In addition, both wireless access points and switches must be capable of 802.1X authentication. If you want to deploy Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP), access points and switches must support the use of EAP. To test basic interoperability for PPP connections for wireless access points, configure the access point and the access client to use Password Authentication Protocol (PAP). Use additional PPPbased authentication protocols, such as PEAP, until you have tested the ones that you intend to use for network access. Key steps During the planning for RADIUS clients, the following steps can be used: Document the vendor-specific attributes (VSAs) you must configure in NPS. If your network access servers require VSAs, log the VSA information for later use when you configure your network policies in NPS. Document the IP addresses of RADIUS clients and your NPS server to simplify the configuration of all devices. When you deploy your RADIUS clients, you must configure them to use the RADIUS protocol, with the NPS server IP address entered as the authenticating 37 server. And when you configure NPS to communicate with your RADIUS clients, you must enter the RADIUS client IP addresses into the NPS snap-in. Create shared secrets for configuration on the RADIUS clients and in the NPS snap-in. You must configure RADIUS clients with a shared secret, or password, that you will also enter into the NPS snap-in while configuring RADIUS clients in NPS. Plan the use of authentication methods NPS supports both password-based and certificate-based authentication methods. However, not all network access servers support the same authentication methods. In some cases, you might want to deploy a different authentication method based on the type of network access. For example, you might want to deploy both wireless and VPN access for your organization, but use a different authentication method for each type of access: EAP-TLS for VPN connections, due to the strong security that EAP with Transport Layer Security (EAP-TLS) provides, and PEAP-MS-CHAP v2 for 802.1X wireless connections. PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) provides a feature named fast reconnect that is specifically designed for use with portable computers and other wireless devices. Fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point. This provides a better experience for wireless users and allows them to move between access points without having to retype their credentials. Because of fast reconnect and the security that PEAP-MS-CHAP v2 provides, PEAP-MS-CHAP v2 is a logical choice as an authentication method for wireless connections. For VPN connections, EAP-TLS is a certificate-based authentication method that provides strong security that protects network traffic even as it is transmitted across the Internet from home or mobile computers to your organization VPN servers. Certificate-based authentication methods Certificate-based authentication methods have the advantage of providing strong security; and they have the disadvantage of being more difficult to deploy than password-based authentication methods. Both PEAP-MS-CHAP v2 and EAP-TLS are certificate-based authentication methods, but there are many differences between them and the way in which they are deployed. EAP-TLS EAP-TLS uses certificates for both client and server authentication, and requires that you deploy a public key infrastructure (PKI) in your organization. Deploying a PKI can be complex, and requires a planning phase that is independent of planning for the use of NPS as a RADIUS server. With EAP-TLS, the NPS server enrolls a server certificate from a certification authority (CA), and the certificate is saved on the local computer in the certificate store. During the authentication 38 process, server authentication occurs when the NPS server sends its server certificate to the access client to prove its identity to the access client. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS server is successfully authenticated by the client. Similarly, client authentication occurs during the authentication process when the client sends its client certificate to the NPS server to prove its identity to the NPS server. The NPS server examines the certificate, and if the client certificate meets the minimum client certificate requirements and is issued by a CA that the NPS server trusts, the access client is successfully authenticated by the NPS server. Although it is required that the server certificate is stored in the certificate store on the NPS server, the client or user certificate can be stored in either the certificate store on the client or on a smart card. For this authentication process to succeed, it is required that all computers have your organization's CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and the Current User. PEAP-MS-CHAP v2 PEAP-MS-CHAP v2 uses a certificate for server authentication and password-based credentials for user authentication. Because certificates are used only for server authentication, you are not required to deploy a PKI in order to use PEAP-MS-CHAP v2. When you deploy PEAP-MSCHAP v2, you can obtain a server certificate for the NPS server in one of the following two ways: You can install Active Directory Certificate Services (AD CS), and then autoenroll certificates to NPS servers. If you use this method, you must also enroll the CA certificate to client computers connecting to your network so that they trust the certificate issued to the NPS server. You can purchase a server certificate from a public CA such as VeriSign. If you use this method, make sure that you select a CA that is already trusted by client computers. To determine whether client computers trust a CA, open the Certificates Microsoft Management Console (MMC) snap-in on a client computer, and then view the Trusted Root Certification Authorities store for the Local Computer and for the Current User. If there is a certificate from the CA in these certificate stores, the client computer trusts the CA and will therefore trust any certificate issued by the CA. During the authentication process with PEAP-MS-CHAP v2, server authentication occurs when the NPS server sends its server certificate to the client computer. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS server is successfully authenticated by the client. 39 User authentication occurs when a user attempting to connect to the network types passwordbased credentials and tries to log on. NPS receives the credentials and performs authentication and authorization. If the user is authenticated and authorized successfully, and if the client computer successfully authenticated the NPS server, the connection request is granted. Key steps During the planning for the use of authentication methods, the following steps can be used: Identify the types of network access you plan to offer, such as wireless, VPN, 802.1X-capable switch, and dial-up access. Determine the authentication method or methods that you want to use for each type of access. It is recommended that you use the certificate-based authentication methods that provide strong security; however, it might not be practical for you to deploy a PKI, so other authentication methods might provide a better balance of what you need for your network. If you are deploying EAP-TLS, plan your PKI deployment. This includes planning the certificate templates you are going to use for server certificates and client computer certificates. It also includes determining how to enroll certificates to domain member and nondomain member computers, and determining whether you want to use smart cards. If you are deploying PEAP-MS-CHAP v2, determine whether you want to install AD CS to issue server certificates to your NPS servers or whether you want to purchase server certificates from a public CA, such as VeriSign. Plan network policies Network policies are used by NPS to determine whether connection requests received from RADIUS clients are authorized. NPS also uses the dial-in properties of the user account to make an authorization determination. Because network policies are processed in the order in which they appear in the NPS snap-in, plan to place your most restrictive policies first in the list of policies. For each connection request, NPS attempts to match the conditions of the policy with the connection request properties. NPS examines each network policy in order until it finds a match. If it does not find a match, the connection request is rejected. Key steps During the planning for the use of authentication methods, the following steps can be used: Determine the preferred NPS processing order of network policies, from most restrictive to least restrictive. Determine the policy state. The policy state can have the value of enabled or disabled. If the policy is enabled, NPS evaluates the policy while performing authorization. If the policy is not enabled, it is not evaluated. 40 Determine the policy type. You must determine whether the policy is designed to grant access when the conditions of the policy are matched by the connection request or whether the policy is designed to deny access when the conditions of the policy are matched by the connection request. For example, if you want to explicitly deny wireless access to the members of a Windows group, you can create a network policy that specifies the group, the wireless connection method, and that has a policy type setting of Deny access. Determine whether you want NPS to ignore the dial-in properties of user accounts that are members of the group on which the policy is based. When this setting is not enabled, the dialin properties of user accounts override settings that are configured in network policies. For example, if a network policy is configured that grants access to a user but the dial-in properties of the user account for that user are set to deny access, the user is denied access. But if you enable the policy type setting Ignore user account dial-in properties, the same user is granted access to the network. Determine whether the policy uses the policy source setting. This setting allows you to easily specify a source for all access requests. Possible sources are a Terminal Services Gateway (TS Gateway), a remote access server (VPN or dial-up), a DHCP server, a wireless access point, and a Health Registration Authority server. Alternatively, you can specify a vendorspecific source. Determine the conditions that must be matched in order for the network policy to be applied. Determine the settings that are applied if the conditions of the network policy are matched by the connection request. Determine whether you want to use, modify, or delete the default network policies. Plan NPS accounting NPS provides the ability to log RADIUS accounting data, such as user authentication and accounting requests, in three formats: IAS format, database-compatible format, and Microsoft SQL Server logging. IAS format and database-compatible format create log files on the local NPS server in text file format. SQL Server logging provides the ability to log to a SQL Server 2000 or SQL Server 2005 XML-compliant database, extending RADIUS accounting to leverage the advantages of logging to a relational database. Key steps During the planning for NPS accounting, the following steps can be used: Determine whether you want to store NPS accounting data in log files or in a SQL Server database. NPS accounting using local log files Recording user authentication and accounting requests in log files is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method for tracking the activity of a malicious user after an attack. 41 Key steps During the planning for NPS accounting using local log files, the following steps can be used: Determine the text file format that you want to use for your NPS log files. Choose the type of information that you want to log. You can log accounting requests, authentication requests, and periodic status. Determine the hard disk location where you want to store your log files. Design your log file backup solution. The hard disk location where you store your log files should be a location that allows you to easily back up your data. In addition, the hard disk location should be protected by configuring the access control list (ACL) for the folder where the log files are stored. Determine the frequency at which you want new log files to be created. If you want log files to be created based on the file size, determine the maximum file size allowed before a new log file is created by NPS. Determine whether you want NPS to delete older log files if the hard disk runs out of storage space. Determine the application or applications that you want to use to view accounting data and produce reports. NPS SQL Server logging NPS SQL Server logging is used when you need session state information, for report creation and data analysis purposes, and to centralize and simplify management of your accounting data. NPS provides the ability to use SQL Server logging to record user authentication and accounting requests received from one or more network access servers to a data source on a computer running the Microsoft SQL Server Desktop Engine (MSDE 2000), SQL Server 2000, or SQL Server 2005. Accounting data is passed from NPS in XML format to a stored procedure in the database, which supports both structured query language (SQL) and XML (SQLXML). Recording user authentication and accounting requests in an XML-compliant SQL Server database enables multiple NPS servers to have one data source. Key steps During the planning for NPS accounting by using NPS SQL Server logging, the following steps can be used: Determine whether you or another member of your organization has SQL Server 2000 or SQL Server 2005 relational database development experience and you understand how to use these products to create, modify, administer, and manage SQL Server databases. Determine whether SQL Server is installed on the NPS server or on a remote computer. Design the stored procedure that you will use in your SQL Server database to process incoming XML files that contain NPS accounting data. Design the SQL Server database replication structure and flow. 42 Determine the application or applications that you want to use to view accounting data and produce reports. Plan to use network access servers that send the Class attribute in all accounting-requests. The Class attribute is sent to the RADIUS client in an Access-Accept message, and is useful for correlating Accounting-Request messages with authentication sessions. If the Class attribute is sent by the network access server in the accounting request messages, it can be used to match the accounting and authentication records. The combination of the attributes Unique-Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the server accepts. Plan to use network access servers that support interim accounting. Plan to use network access servers that send Accounting-on and Accounting-off messages. Plan to use network access servers that support the storing and forwarding of accounting data. Network access servers that support this feature can store accounting data when the network access server cannot communicate with the NPS server. When the NPS server is available, the network access server forwards the stored records to the NPS server, providing increased reliability in accounting over network access servers that do not provide this feature. Plan to always configure the Acct-Interim-Interval attribute in network policies. The AcctInterim-Interval attribute sets the interval (in seconds) between each interim update that the network access server sends. According to RFC 2869, the value of the Acct-Interim-Interval attribute must not be smaller than 60 seconds, or one minute, and should not be smaller than 600 seconds, or 10 minutes. For more information, see RFC 2869, "RADIUS Extensions." Ensure that logging of periodic status is enabled on your NPS servers. Components of NPS The following sections describe Network Policy Server (NPS) components that you can use to deploy NPS as a RADIUS server, RADIUS proxy, or as a NAP health policy server. You can configure these components by using the NPS console, the NPS Microsoft Management Console (MMC) snap-in, or the Netsh commands for NPS. In this section RADIUS Clients and Servers Policies Network Access Protection (NAP) Accounting NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features: RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, 802.1X-capable switch, remote access dial-up, and virtual private 43 network (VPN) connections. When you use a server running NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database. Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and Remediation Server Groups that allow client computers to update their configuration to become compliant with your organization's network policy. RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group. You can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring NPS as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain. Configuration To configure NPS as a RADIUS server or a NAP policy server, you can use either standard configuration or advanced configuration in the NPS console. Note To configure NPS as a RADIUS proxy, you must use advanced configuration. Standard configuration With standard configuration, wizards are provided to help you configure NPS for the following scenarios: NAP policy server RADIUS server for dial-up or VPN connections RADIUS server for 802.1X wireless or wired connections To configure NPS using a wizard, open the NPS console, select one of the preceding scenarios, and then click the link that opens the wizard. 44 Advanced configuration When you use advanced configuration, you individually configure NPS features to configure NPS as a RADIUS server, NAP policy server, or RADIUS proxy. Wizards are provided to assist you with policy and NAP configuration; however, these wizards are opened from the NPS folder tree in the NPS console rather than from the Getting Started section in the details pane of the console. To configure NPS by using advanced configuration, open the NPS console and then click the arrow next to Advanced Configuration to expand this section. The following advanced configuration items are provided: Configure RADIUS server To configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting. Configure RADIUS server To configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting. Configure NAP policy server To deploy NAP, you must configure NAP components in addition to configuring RADIUS clients and network policy. NPS logging NPS logging is also called RADIUS accounting, and should be configured to your requirements whether NPS is used as a RADIUS server, proxy, NAP policy server, or any combination of the three configurations. To configure NPS logging, you must configure the events logged and viewed with Event Viewer and determine other information you want to log. In addition, you must decide whether you want to log user authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer. RADIUS Clients and Servers In this section RADIUS Clients Remote RADIUS Server Groups All network access servers from which you want NPS to receive connection requests must be configured in the NPS console as RADIUS clients. When you configure RADIUS clients in the NPS console, you are enabling NPS to receive connection requests from the network access servers. In addition, you must separately configure the physical network access servers to send connection requests to the NPS server. 45 If you configure the NPS server as a RADIUS proxy, NPS forwards connection requests to other RADIUS servers for processing. These RADIUS servers, which can be NPS servers or other RADIUS servers, must be configured in the NPS console as members of a remote RADIUS server group. When you configure RADIUS servers as members of a remote RADIUS server group in the NPS console, you are enabling NPS to forward connection requests to the remote RADIUS servers. In addition, you must separately configure the physical RADIUS servers to receive connection requests from the NPS proxy server. The following topics provide more detail about RADIUS clients and remote RADIUS server groups. RADIUS Clients RADIUS clients A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. To deploy NPS as a RADIUS server, a RADIUS proxy, or a Network Access Protection (NAP) policy server, you must configure RADIUS clients in NPS. RADIUS client examples Examples of network access servers are: Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running the Windows Server® 2008 operating system and the Routing and Remote Access service that provides either traditional dial-up or virtual private network (VPN) remote access services to an organization intranet. Wireless access points that provide physical layer access to an organization network using wireless-based transmission and reception technologies. Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet. RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that is configured on the RADIUS proxy. 46 RADIUS Access-Request messages RADIUS clients either create RADIUS Access-Request messages and forward them to a RADIUS proxy or RADIUS server, or they forward Access-Request messages to a RADIUS server that they have received from another RADIUS client but have not created themselves. RADIUS clients do not process Access-Request messages by performing authentication, authorization, and accounting. Only RADIUS servers perform these functions. NPS, however, can be configured as both a RADIUS proxy and a RADIUS server simultaneously, so that it processes some Access-Request messages and forwards other messages. NPS as a RADIUS client NPS acts as a RADIUS client when you configure it as a RADIUS proxy to forward AccessRequest messages to other RADIUS servers for processing. When you use NPS as a RADIUS proxy, the following general configuration steps are required: 1. Network access servers, such as wireless access points and VPN servers, are configured with the IP address of the NPS proxy as the designated RADIUS server or authenticating server. This allows the network access servers, which create Access-Request messages based on information they receive from access clients, to forward messages to the NPS proxy. 2. The NPS proxy is configured by adding each network access server as a RADIUS client. This configuration step allows the NPS proxy to receive messages from the network access servers and to communicate with them throughout authentication. In addition, connection request policies on the NPS proxy are configured to specify which Access-Request messages to forward to one or more RADIUS servers. These policies are also configured with a remote RADIUS server group, which tells NPS where to send the messages it receives from the network access servers. 3. The NPS or other RADIUS servers that are members of the remote RADIUS server group on the NPS proxy are configured to receive messages from the NPS proxy. This is accomplished by configuring the NPS proxy as a RADIUS client. RADIUS client properties When you add a RADIUS client to the NPS configuration through the NPS snap-in or through the use of the netsh commands for NPS, you are configuring NPS to receive RADIUS AccessRequest messages from either a network access server or a RADIUS proxy. When you configure a RADIUS client in NPS, you can designate the following properties: Client name A friendly name for the RADIUS client, which makes it easier to identify when using the NPS snap-in or netsh commands for NPS. IP address 47 The Internet Protocol version 4 (IPv4) address or the Domain Name System (DNS) name of the RADIUS client. Client-Vendor The vendor of the RADIUS client. Otherwise, you can use the RADIUS standard value for Client-Vendor. Shared secret A text string that is used as a password between RADIUS clients, RADIUS servers, and RADIUS proxies. When the Message Authenticator attribute is used, the shared secret is also used as the key to encrypt RADIUS messages. This string must be configured on the RADIUS client and in the NPS snap-in. Message Authenticator attribute Described in RFC 2869, "RADIUS Extensions," a Message Digest 5 (MD5) hash of the entire RADIUS message. If the RADIUS Message Authenticator attribute is present, it is verified. If it fails verification, the RADIUS message is discarded. If the client settings require the Message Authenticator attribute and it is not present, the RADIUS message is discarded. Use of the Message Authenticator attribute is recommended. Note The Message Authenticator attribute is required and enabled by default when you use EAP authentication. Client is NAP-capable A designation that the RADIUS client is compatible with Network Access Protection (NAP), and NPS sends NAP attributes to the RADIUS client in the Access-Accept message. Remote RADIUS Server Groups When you configure Network Policy Server (NPS) as a RADIUS proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages. When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests. 48 Configuring RADIUS servers for a group A remote RADIUS server group is a named group that contains one or more RADIUS servers. If you configure more than one server, you can specify load balancing settings to either determine the order in which the servers are used by the proxy or to distribute the flow of RADIUS messages across all servers in the group to prevent overloading one or more servers with too many connection requests. Each server in the group has the following settings: Name or address Each group member must have a unique name within the group. The name can be an IP address or a name that can be resolved to its IP address. Authentication and accounting Load balancing A priority setting is used to indicate which member of the group is the primary server (the priority is set to 1). For group members that have the same priority, a weight setting is used to calculate how often RADIUS messages are sent to each server. You can use additional settings to configure the way in which the NPS server detects when a group member first becomes unavailable and when it becomes available after it has been determined to be unavailable. After a remote RADIUS server group is configured, it can be specified in the authentication and accounting settings of a connection request policy. Because of this, configure a remote RADIUS server group first, and then configure the connection request policy to use the newly configured remote RADIUS server group. Alternatively, you can use the New Connection Request Policy Wizard to create a new remote RADIUS server group while you are creating the connection request policy. Note Remote RADIUS server groups are unrelated to and separate from Windows groups and Network Access Protection (NAP) remediation server groups. Policies In this section Connection Request Policies Network Policies Health Policies NPS evaluates each policy type in the following manner: Connection request policies. Evaluation is performed on the policies in the order in which they appear in the NPS console. 49 Network policies. Evaluation is performed on the policies in the order in which they appear in the NPS console. Health policies. Evaluation is performed only when a health policy is configured as a condition of a network policy that matches the connection request. Connection Request Policies Connection Request Policies Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. Important When you deploy Network Access Protection (NAP) using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in connection request policy even when connection requests are processed locally. You can create connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is being used as a RADIUS proxy). With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors like the following: The time of day and day of the week The realm name in the connection request The type of connection being requested The IP address of the RADIUS client RADIUS Access-Request messages are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server. If the policy settings match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request. If the policy settings match and the policy requires that the NPS server forwards the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing. If the settings of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent to the RADIUS client and the user or computer attempting to connect to the network is denied access. 50 Configuration examples The following configuration examples demonstrate how connection request policies can be used. NPS as a RADIUS server The default connection request policy is the only configured policy. In this example, NPS is configured as a RADIUS server and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server domain and in trusted domains. NPS as a RADIUS proxy The default connection request policy is deleted, and two new connection request policies are created to forward requests to two different domains. In this example, NPS is configured as a RADIUS proxy. NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that are configured as members of remote RADIUS server groups. NPS as both RADIUS server and RADIUS proxy In addition to the default connection request policy, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. In this example, the proxy policy appears first in the ordered list of policies. If the connection request matches the proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded. NPS as RADIUS server with remote accounting servers In this example, the local NPS server is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS server performs these functions for the local and all trusted domains. NPS with Remote RADIUS to Windows User Mapping In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. (In addition, a user account must be created locally that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.) 51 Conditions Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message. If there are multiple conditions, then all of the conditions in the connection request message and in the connection request policy must match in order for the policy to be enforced by NPS. Following are the available condition attributes that you can configure in connection request policies. The Connection Properties attribute group contains the following attributes. Framed Protocol. Used to designate the type of framing for incoming packets. Examples are PPP, SLIP, Frame Relay, and X.25. Service Type. Used to designate the type of service being requested. Examples include framed (for example, PPP connections) and login (for example, Telnet connections). For more information about RADIUS service types, see RFC 2865, "Remote Authentication Dialin User Service (RADIUS)." Tunnel Type. Used to designate the type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP). The Day and Time Restrictions attribute group contains the Day and Time Restrictions attribute. With this attribute, you can designate the day of the week and the time of day of the connection attempt. The day and time is relative to the day and time of the NPS server. The Gateway attribute group contains the following attributes. Called Station ID. Used to designate the phone number of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify area codes. NAS Identifier. Used to designate the name of the network access server (NAS). This attribute is a character string. You can use pattern-matching syntax to specify NAS identifiers. NAS IPv4 Address. Used to designate the Internet Protocol version 4 (IPv4) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks. NAS IPv6 Address. Used to designate the Internet Protocol version 6 (IPv6) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks. NAS Port Type. Used to designate the type of media used by the access client. Examples are analog phone lines (known as async), ISDN, tunnels or virtual private networks (VPNs), IEEE 802.11 wireless, and Ethernet switches. The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy. The RADIUS Client Properties attribute group contains the following attributes. 52 Calling Station ID. Used to designate the phone number used by the caller (the access client). This attribute is a character string. You can use pattern-matching syntax to specify area codes. Client Friendly Name. Used to designate the name of the RADIUS client computer that is requesting authentication. This attribute is a character string. You can use pattern-matching syntax to specify client names. Client IPv4 Address. Used to designate the IPv4 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks. Client IPv6 Address. Used to designate the IPv6 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks. Client Vendor. Used to designate the vendor of the network access server that is requesting authentication. A computer running the Routing and Remote Access service is the Microsoft NAS manufacturer. You can use this attribute to configure separate policies for different NAS manufacturers. This attribute is a character string. You can use pattern-matching syntax. The User Name attribute group contains the User Name attribute. With this attribute, you can designate the user name, or a portion of the user name, that must match the user name supplied by the access client in the RADIUS message. This attribute is a character string that typically contains a realm name and a user account name. You can use pattern-matching syntax to specify user names. Settings Connection request policy settings are a set of properties that are applied to an incoming RADIUS message. Settings consist of the following groups of properties: Required Authentication Methods Forwarding Connection Request Specify a Realm Name RADIUS Attributes Required Authentication Methods On the Settings tab of a connection request policy, in Required Authentication Methods, you can select Authentication Methods and then, in the details pane, enable the Override network policy authentication settings check box. If you enable this check box, you can override the authentication settings that are configured in all network policies and you can designate the authentication methods and types that are required to connect to your network. Important If you configure an authentication method in connection request policy that is less secure than the authentication method you configure in network policy, the more secure 53 authentication method that you configure in network policy is overridden. For example, if you have one network policy that requires the use of PEAP-MS-CHAP v2, which is a password-based authentication method for secure wireless, and then you also configure a connection request policy to allow unauthenticated access, no clients are required to authenticate using PEAP-MS-CHAP v2. In this example, all clients connecting to your network are granted unauthenticated access. Allowing unauthenticated access If you choose to override the authentication settings that are configured in all network policies and to enable the connection request policy authentication setting Allow clients to connect without negotiating an authentication method, it is recommended that you also configure the connection request policy with the Authenticate requests on this server setting, as follows: 1. On the connection request policy Settings tab, in Forwarding Connection Request, click Authentication. 2. In the details pane of the NPS console, ensure that Authenticate requests on this server is selected. With Authenticate requests on this server enabled, NPS logs client and connection request properties when clients connect; without this property enabled, access clients can connect to the network without authentication and client properties are not logged. Forwarding Connection Request In Forwarding Connection Request, you can select either Authentication or Accounting to specify whether NPS forwards the authentication request or accounting request to a remote RADIUS server group or whether NPS processes the authentication or accounting request locally. Authentication requests and accounting requests do not have to be processed by the same NPS server, even if the authentication and accounting requests are part of the same connection request. For example, if you configure Authentication to forward requests to a remote RADIUS server group, you can also configure Accounting to be processed locally or forwarded to a different remote RADIUS server group than the server used for the authentication request. By using the Authentication setting, you can configure NPS to process authentication requests locally or, if you enable Forward requests to the following remote RADIUS server group for authentication, you can select or create a remote RADIUS server group to which the local NPS server forwards authentication requests. You can specify the following forwarding request settings that are used for RADIUS AccessRequest messages: Authenticate requests on this server. With this setting, NPS uses a Windows NT 4.0 domain, Active Directory, or the local Security Accounts Manager (SAM) user accounts database to authenticate the connection request. This setting also specifies that the matching network policy configured in NPS, along with the dial-in properties of the user account, are used by NPS to 54 authorize the connection request. In this case, the NPS server is configured to perform as a RADIUS server. Forward requests to the following remote RADIUS server group. With this setting, NPS forwards connection requests to the remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is authenticated and authorized. In this case, the NPS server acts as a RADIUS proxy. Accept users without validating credentials. With this setting, NPS does not verify the identity of the user attempting to connect to the network and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an AccessAccept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated. Note This authentication setting cannot be used when the authentication protocol of the access client is MS-CHAP v2, PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS, all of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the NPS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication setting is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails, resulting in a failed connection request. By using the Accounting setting, you can configure NPS to forward accounting information to a server running NPS or other RADIUS server in a remote RADIUS server group so that the remote RADIUS server group performs accounting. Note If you have multiple RADIUS servers and you want accounting information for all servers stored in one central RADIUS accounting database, you can use the connection request policy accounting setting in a policy on each RADIUS server to forward accounting data from all of the servers to one NPS or other RADIUS server that is designated as an accounting server. Connection request policy accounting settings function independently from the accounting configuration of the local NPS server. In other words, if you configure the local NPS server to log RADIUS accounting information to a local file or to a Microsoft® SQL Server™ database, it will do so regardless of whether you configure a connection request policy to forward accounting messages to a remote RADIUS server group. Because of this, if you configure both local logging and a connection request policy to forward accounting requests, accounting information is logged on the local server and on the remote server. 55 If you want accounting information logged remotely but not locally, you must configure the local NPS server not to perform accounting, while also configuring accounting in a connection request policy to forward accounting data to a remote RADIUS server group. Specify a Realm Name You can use this setting to configure a set of find-and-replace rules that manipulate the text strings of one of the following attributes: User Name Called Station ID Calling Station ID Find-and-replace rule processing occurs for one of the preceding attributes before the RADIUS message is subject to authentication and accounting settings. Attribute manipulation rules apply only to a single attribute. You cannot configure attribute manipulation rules for each attribute. In addition, the list of attributes that you can manipulate is a static list; you cannot add to the list of attributes available for manipulation. Note If you are using the MS-CHAP v2 authentication protocol, you cannot manipulate the User Name attribute if the connection request policy is used to forward the RADIUS message. The only exception occurs when a backslash character (\)is used and the manipulation only affects the information to the left of it. A backslash character is typically used to indicate a domain name (the information to the left of the backslash character) and a user account name within the domain (the information to the right of the backslash character). In this case, only attribute manipulation rules that modify or replace the domain name are allowed. RADIUS Attributes In RADIUS Attributes, you can select Standard or Vendor Specific to add attributes to the connection request policy settings. You can specify the series of RADIUS attributes that are: Added to the RADIUS response message when the NPS server is being used as a RADIUS authentication or accounting server. When there are attributes specified on both a network policy and the connection request policy, the attributes that are sent in the RADIUS response message are the combination of the two sets of attributes. Added to the RADIUS message when the NPS server is being used as a RADIUS authentication or accounting proxy. If the attribute already exists in the message that is forwarded, it is replaced with the value of the attribute specified in the connection request policy. In addition, some attributes that are available for configuration on the connection request policy Settings tab provide specialized functionality. For example, you can configure the Remote 56 RADIUS to Windows User Mapping attribute when you want to split the authentication and authorization of a connection request between two user accounts databases. The Remote RADIUS to Windows User Mapping attribute specifies that Windows authorization occurs for users who are authenticated by a remote RADIUS server. In other words, a remote RADIUS server performs authentication against a user account in a remote user accounts database, but the local NPS server authorizes the connection request against a user account in a local user accounts database. This is useful when you want to allow visitors access to your network. For example, visitors from partner organizations can be authenticated by their organization's RADIUS server, and can use a Windows user account at your organization to access a guest local area network (LAN) on your network. Other attributes that provide specialized functionality are: MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout. These attributes are used when you deploy Network Access Quarantine Control (NAQC) with your Routing and Remote Access VPN deployment. Passport-User-Mapping-UPN-Suffix. This attribute allows you to authenticate connection requests that contain Windows Live™ ID user account credentials. Tunnel-Tag. This attribute designates the VLAN ID number to which the connection should be assigned by the NAS when you deploy virtual local area networks (VLANs). Adding a custom vendor-specific attribute (VSA) If your RADIUS client requires a VSA that is not in the list of VSAs provided in the NPS console, you can create a custom VSA by using the parameters supplied by the RADIUS client vendor. To create a custom VSA in the settings of a connection request policy, open the policy, click Settings, click Vendor Specific, and then, in the details pane, click Add. In the Add VendorSpecific Attribute dialog box, click Vendor, click Custom, and then click Add. Configure your VSA according to the RADIUS client vendor requirements. Default connection request policy A default connection request policy is created when you install NPS. This policy has the following configuration: Authentication is not configured. Accounting is not configured to forward accounting information to a remote RADIUS server group. Attribute is not configured with attribute manipulation rules that forward connection requests to remote RADIUS server groups. Forwarding Request is configured so that connection requests are authenticated and authorized on the local NPS server. Advanced attributes are not configured. 57 The default connection request policy uses NPS as a RADIUS server. To configure a server running NPS to act as a RADIUS proxy, you must also configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard. You can either delete the default connection request policy or verify that the default connection request policy is the last policy processed. Note If NPS and the Routing and Remote Access service are installed on the same computer, and the Routing and Remote Access service is configured for Windows authentication and accounting, it is possible for Routing and Remote Access authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Routing and Remote Access authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group. Network Policies A network policy is a set of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy Network Access Protection (NAP), health policy is added to the network policy configuration so that a server running Network Policy Server (NPS) performs client health checks during the authorization process. In this section Overview Properties Access Permission Conditions Properties Constraints Properties Settings Properties When processing connection requests as a RADIUS server, NPS performs both authentication and authorization for the connection request. During the authentication process, NPS verifies the identity of the user or computer that is connecting to the network. During the authorization process, NPS determines whether the user or computer is allowed to access the network. To make this determination, NPS uses network policies that are configured in the NPS Microsoft Management Console (MMC) snap-in. NPS also examines the dial-in properties of the user account in Active Directory Domain Services (AD DS) to perform authorization. Note In Internet Authentication Service (IAS) in the Windows Server 2003 operating systems, network policies were called remote access policies. Network policies can be viewed as rules. Each rule has a set of conditions and settings. NPS compares the conditions of the rule to the properties of connection requests. If a match occurs 58 between the rule and the connection request, the settings defined in the rule are applied to the connection. When multiple network policies are configured in NPS, they are an ordered set of rules. NPS checks each connection request against the first rule in the list, then the second, and so on, until a match is found. Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests. Important If you want NPS to evaluate a network policy when performing authorization for connection requests, you must configure the Policy State setting by selecting the Policy enabled check box. Network policy properties There are four categories of properties for each network policy: Overview These properties allow you to specify whether the policy is enabled, whether the policy grants or denies access, and whether a specific network connection method, or type of network access server, is required for connection requests. Overview properties also allow you to specify whether the dial-in properties of user accounts in AD DS are ignored. If you select this option, only the settings in the network policy are used by NPS to determine whether the connection is authorized. Conditions These properties allow you to specify the conditions that the connection request must have in order to match the network policy; if the conditions configured in the policy match the connection request, NPS applies the settings designated in the network policy to the connection. For example, if you specify the network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy and NPS receives a connection request from a NAS that has the specified IP address, the condition in the policy matches the connection request. Constraints Constraints are additional parameters of the network policy that are required to match the connection request. If a constraint is not matched by the connection request, NPS automatically rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a constraint is not matched, NPS does not evaluate additional network policies; the connection request is just denied. Settings These properties allow you to specify the settings that NPS applies to the connection request if all of the network policy conditions for the policy are matched. 59 When you add a new network policy by using the NPS MMC snap-in, you must use the New Network Policy Wizard. After you have created a network policy using the wizard, you can customize the policy by double-clicking the policy in NPS to obtain the policy properties. Overview Properties On the Overview tab of a network policy or while running the New Network Policy wizard, you can configure the following: Policy name. Type a friendly name for the network policy. Policy State. Designate whether the policy is enabled or disabled. Access Permission. Designate whether the policy grants or denies access. Also specify whether you want the server running Network Policy Server (NPS) to ignore the dial-in properties of user accounts in Active Directory Domain Services (AD DS) when using the policy to perform authorization for a connection attempt. For more information, see Access Permission. Note If you have many user accounts in AD DS, it is recommended that you configure the dial-in properties of user accounts so that network access is controlled through network policy; however, you can accomplish the same result for individual policies by configuring them to ignore the dial-in properties of user accounts. Network connection method. When used for most or all network policies, this setting allows NPS to filter policies and to process only relevant policies when it receives a connection request from a specific type of network access server. For example, if NPS receives a connection request from an Ethernet switch, it will not process network policies for Routing and Remote Access service (RRAS) servers or Terminal Services Gateway (TS Gateway) servers, but it will evaluate policies for Ethernet switches. (If NPS does not find an Ethernet policy that matches the connection request, NPS then evaluates policies with a Type of network access server value of Unspecified.) Choose from the following network connection methods: Unspecified. If selected, NPS evaluates the network policy for all connection requests that originate from any type of network access server and for any connection method. This includes connections from TS Gateway servers, RRAS servers that provide VPN and dial-up access, DHCP servers, 802.1X wireless access points, 802.1X-capable switches, Health Registration Authority (HRA) servers, and Host Credentials Authorization Protocol (HCAP) servers. Important When you configure network policies for wireless access points, you must use a Type of network access server value of Unspecified. 60 Remote Access Server (VPN-Dial-up). If specified, NPS evaluates the network policy for connection requests that originate from a computer running the Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or VPN server is used, the server must support the RADIUS protocol and the authentication protocols provided by NPS for dial-up and VPN connections. Ethernet. If specified, NPS evaluates the network policy for all connection requests that originate from IEEE 802.1X-capable switches. Terminal Services Gateway. If specified, NPS evaluates the network policy for connection requests that originate from servers that are running Terminal Services Gateway (TS Gateway). Health Registration Authority. If specified, NPS evaluates the network policy for connection requests that originate from servers that are running Health Registration Authority (HRA). HCAP server. If specified, NPS evaluates the network policy for connection requests that originate from servers that are running Host Credentials Authorization Protocol (HCAP). DHCP Server. If specified, NPS evaluates the network policy for connection requests that originate from servers that are running Dynamic Host Configuration Protocol (DHCP). Conditions Properties Every network policy must have at least one configured condition. NPS provides many condition groups that allow you to clearly define the properties that the connection request received by NPS must have in order to match the policy. The available condition groups are: Groups HCAP Day and time restrictions Network Access Protection Connection properties RADIUS client properties Gateway Groups Groups conditions specify user or computer groups that you configure in Active Directory Domain Services (AD DS) and to which you want the other rules of the network policy to apply when group members attempt to connect to the network. Following are the Groups conditions you can configure in a network policy: 61 Windows Groups Specifies that the connecting user or computer must belong to one of the specified groups. Machine Groups Specifies that the connecting computer must belong to one of the specified groups. User Groups Specifies that the connecting user must belong to one of the specified groups. HCAP Host Credentials Authorization Protocol (HCAP) conditions are used only when you want to integrate your NPS Network Access Protection (NAP) solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You must also deploy an HCAP server running both Internet Information Services (IIS) and NPS. Following are the HCAP conditions you can configure in a network policy: Location Groups Specifies the user's or computer's HCAP location group membership required to match this policy. HCAP User Groups Specifies the user's HCAP user group membership required to match this policy. Day and time restrictions Following is the day and time restriction condition that you can configure in a network policy: Day and Time Restrictions Allows you to specify, at a weekly interval, whether connections are allowed or denied on a specific set of days and times. For example, you can configure this condition to allow access to your network only between the hours of 8 A.M. and 5 P.M. Monday through Thursday. With this condition value, users whose connection requests match all conditions of the network policy cannot connect to the network on Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but they can connect between Monday and Thursday between 8 A.M. and 5 P.M. Conversely, you can specify the days and times when connections to the network are denied. If you specify days and times when connections are denied, users are allowed access to your network on the unspecified days and times. For example, if you configure this condition to deny connections all day on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through Saturday at any time. To configure the Day and Time Restrictions condition, obtain the properties of a network policy, click the Conditions tab, and then click Add. Scroll to and click Day and Time Restrictions, and then click Add. In Time of day constraints, click Permitted, click the grid 62 pattern of days and times, and then use your mouse to select the days and times that you want to specify. Note You can designate specific days and times when network access is allowed only if you select Permitted. If you select Denied, network access is always denied. Network Access Protection Following are the NAP conditions that you can configure in a network policy: Identity Type Used for NAP DHCP and IPsec deployments to allow client health checks in circumstances where NPS does not receive an Access-Request message that contains a value for the UserName attribute; in these circumstances, client health checks are performed but authentication and authorization are not performed. RADIUS Access-Request messages typically include the User-Name attribute, which allows NPS to authenticate and authorize a connection request. When a value for the User-Name attribute is absent, NPS provides a default user name. However, for scenarios such as NAP enforcement with DHCP or IPsec, where a client health check occurs without authentication or authorization (such as when a DHCP client renews an IP address lease) the User-Name attribute is not present and NPS does not provide a default user name. When NPS receives a request for a client health check that does not include the User Name attribute and the Identity Type condition is configured with a value of Computer health check, the request matches the policy and, if all other conditions and constraints configured in the policy are also matched, the policy settings are applied. In addition, in network policy constraints, you can enable the Perform machine health check only authentication method setting. MS-Service Class Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile. Health Policies Restricts the policy to clients that meet the health criteria specified in the health policy. For example, you might have two health policies that you have configured by using the Windows Security Health Validator (WSHV) — one health policy created for circumstances where client computers pass all health checks and one policy created for circumstances where client computers fail all health checks specified in the WSHV. If you select the health policy that designates that all client computers must pass all health checks, the statement of health 63 (SoH) sent to NPS from the NAP agent on the client computer must state that the client passed all health checks required by the Windows SHV in order for the conditions of the network policy to be met. NAP-Capable Computers Restricts the policy to either clients that are capable of participating in NAP or clients that are not capable of participating in NAP. This capability is determined by whether the client sends a SoH to NPS. Operating System Specifies the operating system (operating system version, service pack number, or both), role (client or server), and architecture (x86, x64, or ia64) required for the computer configuration to match the policy. In the Windows interface, in the Operating System Properties dialog box, both Operating System Version and Service Pack (SP) Number have default values of five zeroes, a decimal point, and then five zeroes (00000.00000). This value equals zero (0). To edit these fields, you must place the cursor to the left of the character (0) that you want to replace, and then type the new number. For example, to enter an Operating System Version of 6.1, place the cursor after the fourth zero, and then type 61. Policy Expiration Specifies when the network policy expires; after the expiration date and time that you specify, the network policy is no longer evaluated by NPS. This condition is useful for circumstances where the network policy is designed with the NAP Enforcement setting that allows client computers full network access for a limited time. At the same time that the NAP Enforcement time setting expires, the network policy can also expire. In this circumstance, create a second network policy that enforces NAP after the expiration time of the first policy. Connection properties Following are the connection properties that you can configure in a network policy: Access Client IPv4 Address Specifies the IPv4 address of the access client that is required to match the conditions of the policy. Access Client IPv6 Address Specifies the IPv6 address of the access client that is required to match the conditions of the policy. Authentication Type Specifies the authentication methods that are required for the connection request to match the network policy. Allowed EAP Types Specifies the EAP types that are required in order for the authentication method used by the client computer to match the policy. This condition is useful when connection request policy is configured with authentication. When authentication is configured in a connection request 64 policy, the authentication settings in the network policy are overridden; however the use of the Allowed EAP Types condition causes NPS to verify the authentication method being used; if the specified EAP type is not being used, NPS does not use the network policy for authorization and continues to seek a policy whose conditions match the connection request. Framed Protocol Restricts the policy to clients that specify a certain framing protocol for incoming packets, such as PPP or SLIP. Service Type Restricts the policy to only clients specifying a certain type of service, such as Telnet or Point-to-Point Protocol connections. Tunnel Type Restricts the policy to only clients that create a specific type of tunnel, such as PPTP or L2TP. The Tunnel Type attribute is typically used when you deploy virtual local area networks (VLANs). RADIUS client properties Following are the RADIUS client conditions that you can configure in a network policy: Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. Calling Station ID Specifies the network access server telephone number that was dialed by the dial-up access client. Client Friendly Name Specifies the name of the RADIUS client that forwarded the connection request to the NPS server. Client IPv4 Address Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server. Client IPv6 Address Specifies the Internet Protocol (IP) version 6 address of the RADIUS client that forwarded the connection request to the NPS server. Client Vendor Specifies the name of the vendor or manufacturer of the RADIUS client that sends connection requests to the NPS server. 65 MS RAS Vendor Specifies the vendor identification number of the network access server that is requesting authentication. Gateway Following are the gateway properties that you can configure in a network policy: Called Station ID Allows you to specify the phone number of the network access server that sent the connection request to NPS. If you specify a NAS phone number and NPS receives a connection request from a NAS with a different phone number, the conditions of the policy are not met. NAS Identifier Allows you to specify the name of network access server that sent the connection request to NPS. If you specify a NAS name and NPS receives a connection request from a NAS with a different name, the conditions of the policy are not met. NAS IPv4 Address Allows you to specify the IPv4 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv4 address and NPS receives a connection request from a NAS with a different IPv4 address, the conditions of the policy are not met. NAS IPv6 Address Allows you to specify the IPv6 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv6 address and NPS receives a connection request from a NAS with a different IPv6 address, the conditions of the policy are not met. NAS Port Type Allows you to specify the type of media used by the client computer to connect to the network. For example, if you specify Ethernet, the client computer must be accessing the network over the media type of Ethernet. If you specify a media type and the client computer is connecting to the network over a different media type, the conditions of the policy are not met. For example, if the designated media type is Wireless - IEEE 802.11, and the client computer is attempting to connect to the network by using a media type of Virtual (VPN), the conditions of the policy are not met. Constraints Properties Constraints are additional network policy parameters that are optional. Constraints differ from network policy conditions in one substantial way: when a condition does not match a connection request, NPS continues to evaluate other configured network policies in search of a match for the connection request, but when a constraint does not match a connection request, NPS does not 66 evaluate additional network policies; NPS rejects the connection request and the user or computer is denied network access. Following are the constraints that you can configure in a network policy: Authentication methods Allows you to specify the authentication methods that are required for the connection request to match the network policy. Idle timeout Allows you to specify the maximum time, in minutes, that the network access server can remain idle before the connection is disconnected. Session timeout Allows you to specify the maximum amount of time, in minutes, that a user can be connected to the network. Called station ID Allows you to specify the telephone number of the dial-up server that clients are allowed to use to access the network. Day and time restrictions Allows you to specify when users are allowed to connect to the network. NAS port type Allows you to specify the access media types that are allowed for users to connect to the network. Settings Properties NPS applies the settings that are configured in the network policy to the connection if all of the conditions and constraints that are configured in the policy match the properties of the connection request. The available groups of settings that you can configure are: RADIUS attributes Network Access Protection Routing and Remote Access IP filters Encryption IP settings RADIUS attributes You can configure both RADIUS standard attributes and vendor-specific attributes (VSAs) as settings in network policy. 67 Important If you plan to return to RADIUS clients any additional RADIUS attributes or VSAs with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to the appropriate network policy. RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC 2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes. Network Access Protection You can specify how you want to enforce NAP, remediation server groups, troubleshooting URL, and autoremediation. NAP enforcement You can use the following settings to designate how you want to enforce NAP: Network Access Type If you select Allow full network access, NAP is not enforced for the network policy. All clients, including non-NAP capable clients and NAP-capable clients that are not compliant with health policy, can connect when the connection request matches the conditions and constraints of the policy. If you select Allow full network access for a limited time, you can defer enforcement of health policy until the day and time that you specify. In the time period before the expiration date that you specify, all clients can connect when the connection request matches the conditions and constraints of the network policy. After the expiration date, compliant clients are allowed full network access; and non-compliant NAP clients are allowed access only to a restricted network, where remediation servers can provide clients with the updates they need in order to become compliant with health policy. If you select Allow limited access, NAP is enforced. Compliant clients are allowed full network access, and non-compliant NAP clients are allowed access only to a restricted network, where remediation servers can provide clients with the updates they need in order to become compliant with health policy. Important If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the Allow full network access for a limited time option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy. After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access. 68 Remediation Server Group and Troubleshooting URL If you enable autoremediation in NAP enforcement and you have configured one or more remediation server groups in NPS Network Access Protection settings, you can specify the remediation server group that clients can access for software updates. When you deploy and enforce NAP, you can provide technical assistance and other information to users on a Web site that is located on the remediation network. If users have restricted access because their computers do not comply with health policy, Web resources can assist them in bringing their computers into compliance with policy. If you have deployed a Web server with Help content, you can supply users with the Web page URL by using this network policy setting. Autoremediation You can configure autoremediation for client computers on the NAP enforcement page. When you configure autoremediation, clients that are not compliant with health policy are automatically updated and brought into compliance. For example, if your Windows Security Health Validator (WSHV) designates that the client computer must have a firewall installed and enabled, and must have antivirus software installed, enabled, and configured with the latest signature updates, autoremediation causes the NAP agent on the client to enable the firewall if it is turned off and to download the most recent antivirus signature updates if they are not already installed on the client. If you enable autoremediation, be sure to also configure a remediation server group so that client computers know where to find the updates they need when they are not in compliance with health policy. Extended State The NAP Extended State setting, along with a Host Credentials Authorization Protocol (HCAP) server, allows you to integrate your NAP solution with Cisco Network Admission Control. Do not configure the NAP Extended State setting in network policy unless you have also deployed Cisco Network Admission Control and an HCAP server. Timeout Following are the timeout settings that you can configure in network policies. Idle Timeout allows you to specify the maximum time, in minutes, that the network access server can remain idle before the connection is disconnected. Session Timeout allows you to specify the maximum amount of time, in minutes, that a user can be connected to the network. Routing and Remote Access Following are the Routing and Remote Access settings that you can configure in network policies. 69 Multilink and Bandwidth Allocation Protocol (BAP) allows you to configure how multiple dial-up connections from one computer are managed and whether the number of connections should be reduced based on capacity. IP Filters allows you to create IPv4 and IPv6 filters to control the IP traffic that the client computer can send or receive. Encryption allows you to specify the encryption level required between the client computer and the server running Routing and Remote Access service. If you use non-Microsoft network access servers for VPN and dial-up connections, ensure that the encryption settings you select are supported by your servers. IP Settings allows you to specify the client IP address assignment rules for the network policy. Health Policies Health policies consist of one or more system health validators (SHVs) and other settings that allow you to define client computer configuration requirements for the Network Access Protection (NAP)-capable computers that attempt to connect to your network. When NAP-capable clients attempt to connect to the network, the client computer sends a statement of health (SoH) to Network Policy Server (NPS). The SoH is a report of the client configuration state, and NPS compares the SoH to the requirements defined in health policy. If the client configuration state does not match the requirements defined in health policy, NPS takes one of the following actions, depending on how NAP is configured: The connection request by the NAP client is rejected. The NAP client is placed on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the client is compliant with health policy, it is allowed to connect. The NAP client is allowed to connect to the network despite being noncompliant with health policy. You can define client health policies in NPS by adding one or more SHVs to the health policy. After a health policy is configured with one or more SHVs, you can add the health policy to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers connect to your network. Using multiple SHVs in a health policy The Windows Security Health Validator (WSHV) is included by default in NPS. Other companies might also provide additional SHV and system health agent (SHA) pairs for their NAP-compatible products. If you want to use a NAP-compatible product, you can follow the product's documentation to install the SHA on NAP-capable client computers, and then install the SHV on the server running 70 NPS. After you have installed the SHV on the NPS server, you can configure the SHV and then add the SHV to a health policy. After your health policy is configured with the SHVs you want to use, you can add the health policy to the settings of a network policy. Network Access Protection (NAP) In this section System Health Validators Remediation Server Groups Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network. When you deploy NAP, a server running Network Policy Server (NPS) serves as a health policy server. You create health policies in NPS that specify the required configuration of NAP-capable computers that connect to your network, and then configure one or more network policies with the health policy. NPS then performs health checks while processing the network policy and performing authorization. Note In Windows Server 2003, network policies were named remote access policies. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers to bring them into compliance with health policy before they are granted full network access. NAP enforces health policies on client computers that are attempting to connect to a network; NAP also provides ongoing health compliance enforcement while a client computer is connected to a network. NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding components to NAP clients and NPS servers that check a computer's health, enforce network health policy, and remediate noncompliant computers to bring them into compliance with health policy. By itself, NAP does not provide components to verify or remediate a computer's health. Other components, known as system health agents (SHAs) and system health validators (SHVs), provide client computer health state inspection and reporting, validation of client computer health state compared to health policy, and configuration settings to help the client computer become compliant with health policy. The Windows Security Health Agent (WSHA) is included in Windows Vista as part of the operating system. The corresponding Windows Security Health Validator (WSHV) is included in Windows Server 2008 as part of the operating system. By using the NAP API set, other products 71 can also implement SHAs and SHVs to integrate with NAP. For example, an antivirus software vendor can use the API set to create a custom SHA and SHV. These components can then be integrated into the NAP solutions that customers of the software vendor deploy. If you are a network or system administrator planning to deploy NAP, you can deploy NAP with the WSHA and WSHV that are included with the operating system. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products. For more information, see Network Access Protection in NPS in the NPS Help in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=117664. System Health Validators System health validators (SHVs) are server software counterparts to system health agents (SHAs). Each SHA on the client has a corresponding SHV in Network Policy Server (NPS). SHVs allow NPS to verify the statement of health (SoH) that is made by its corresponding SHA on the client computer. SHVs contain the details of the required configuration settings on client computers. For example, the Windows Security Health Validator (WSHV) is the counterpart to the Windows Security Health Agent (WSHA) on client computers. WSHV allows you to create a policy for the way in which settings on NAP-capable client computers must be configured. If the settings on the client computer as reported in the SoH do not match the settings in the SHV on the NPS server, the client computer is not compliant with health policy. To extend this example, if you configure the WSHV to use the setting A firewall is enabled for all network connections, the firewall software that is running on the client computer must be Windows Firewall software or other firewall software that is compatible with Windows Security Center. If the client computer is not running Windows Firewall or other firewall software that is compatible with Windows Security Center, the NAP agent on the client computer sends a SoH to NPS that reports this fact. NPS compares the SoH to the configuration of the WSHV in NPS; NPS then determines that the client computer is not compliant with health policy. WSHV settings The Windows Security Health Validator (WSHV) provides the following settings that you can configure based on the requirements of your deployment. Firewall To use the setting A firewall is enabled for all network connections, the firewall software that is running on the client computer must be Windows Firewall software or other firewall software that is compatible with Windows Security Center. Firewall software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. 72 If you select A firewall is enabled for all network connections, WSHA on the client computer checks if firewall software is running on the client computer, and then takes the following actions: If the client computer is not running firewall software, the client computer is restricted to a remediation network until firewall software is installed and running. If the only firewall software running on the client computer is a firewall that is not compliant with Windows Security Center, WSHA reports to the Network Access Protection (NAP) service that no firewall is enabled, and the client computer is restricted to a remediation network. Important If you select A firewall is enabled for all network connections and client computers are not running Windows Firewall or other Windows Security Center-compliant firewall software, client computers cannot connect to your network. If you do not select A firewall is enabled for all network connections, WSHA on the client computer does not attempt to enable firewall software or restrict client computers to a remediation network if they are not running firewall software. Because of this, client computers that are not running firewall software are not prevented from connecting to your network. Autoremediation If you select A firewall is enabled for all network connections, you enable NAP autoremediation, and WSHA on the client computer reports that no firewall is enabled, either because there is no firewall or the firewall software on the client computer is not compatible with Windows Security Center, then WSHV directs WSHA on the client computer to turn on Windows Firewall. Important If autoremediation is enabled and client computers are running firewall software that is not compliant with Windows Security Center and it is not detected by WSHA, WSHA on the client computer turns on Windows Firewall on the client computer, resulting in the client computer running two different firewalls simultaneously. Any exceptions configured on the noncompliant firewall are not configured in Windows Firewall, which could cause a loss of functionality on the client computer, depending on how it is configured. For this reason, it is not recommended for client computers to run two different firewalls simultaneously. Virus protection If you select An antivirus application is on, WSHA on the client computer verifies that antivirus software is running on the client computer. If the client computer is not running antivirus software, the client computer is restricted to a remediation network until antivirus software is installed and running. The antivirus software that is running on the client computer must be compatible with Windows Security Center. Antivirus software that is not compatible with Windows Security Center cannot 73 be managed or detected by WSHA on the client computer. If the only antivirus software running on the client computer is an antivirus application that is not compliant with Windows Security Center, the WSHA reports to WSHV that no antivirus is enabled, and the client computer is restricted to a remediation network. If you select Antivirus is up to date, WSHA on the client computer verifies that the antivirus definitions for your antivirus applications are the most current versions and are up-to-date. To verify that antivirus software is running and that antivirus definitions are the most recent updates available, you must select both An antivirus application is on and Antivirus is up to date. If you do not select An antivirus application is on, WSHA on the client computer does not attempt to detect whether client computers are running antivirus software. Because of this, client computers that are not running antivirus software are not prevented from connecting to your network. If you do not select both An antivirus application is on and Antivirus is up to date, WSHA on the client computer does not attempt to detect whether client computers are running antivirus software with the most recent antivirus definitions. Because of this, client computers that are not running antivirus software or that are running antivirus software with out-of-date antivirus definitions are not prevented from connecting to your network. Spyware protection If you select An antispyware application is on, WSHA on the client computer verifies that antispyware software is running on the client computer. If the client computer is not running antispyware software, the client computer is restricted to a remediation network until antispyware software is installed and running. The antispyware software that is running on the client computer must be Windows Defender or other antispyware software that is compatible with Windows Security Center. Antispyware software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. If the only antispyware software running on the client computer is an antispyware application that is not compatible with Windows Security Center, the WSHA reports to WSHV that no antispyware is enabled, and the client computer is restricted to a remediation network. If you select Antispyware is up to date, WSHA on the client computer verifies that the antispyware definitions for your antispyware applications are the most current versions and are up-to-date. To verify that antispyware software is running and that antispyware definitions are the most recent updates available, you must select both An antispyware application is on and Antispyware is up to date. If you do not select An antispyware application is on, WSHA on the client computer does not attempt to detect whether client computers are running antispyware software. Because of this, client computers that are not running antispyware software are not prevented from connecting to your network. 74 If you do not select both An antispyware application is on and Antispyware is up to date, WSHA on the client computer does not attempt to detect whether client computers are running antispyware software with the most recent antispyware definitions. Because of this, client computers that are not running antispyware software or that are running antispyware software with out-of-date antispyware definitions are not prevented from connecting to your network. Autoremediation If you select An antispyware application is on, you enable NAP autoremediation, and WSHA on the client computer reports that no antispyware is enabled, either because there is no antispyware or the antispyware software on the client computer is not compatible with Windows Security Center, then WSHV directs WSHA on the client computer to turn on Windows Defender. Important If autoremediation is enabled and client computers are running antispyware software that is not compliant with Windows Security Center and the antispyware is not detected by WSHA, WSHA on the client computer turns on Windows Defender on the client computer, resulting in the client computer running two different antispyware applications simultaneously. Note You can configure autoremediation using the NAP Client Management MMC snap-in. Automatic updating If you select Automatic updating is enabled, and Microsoft Update Services is not enabled on the client computer, WSHA restricts the client computer to a remediation network until Microsoft Update Services is enabled. Microsoft Update Services is enabled when one of the following settings is selected on the client computer: Install updates automatically (recommended) Download updates, but let me choose whether to install them Check for updates, but let me choose whether to download and install them Autoremediation If you select Automatic updating is enabled, you enable NAP autoremediation, and WSHA on the client computer reports that Microsoft Update Services is not enabled, then WSHV directs WSHA on the client computer to enable Microsoft Update Services and to configure Microsoft Update Services to automatically download and install updates. Note You can configure autoremediation by using the NAP Client Management MMC snap-in. 75 Security Update Protection Do not configure Security Update Protection in your WSHV policy unless client computers on your network are running Windows Update Agent. In addition, client computers that are running Windows Update Agent must be registered with a server running Windows Server Update Service (WSUS). Important If these conditions are not met and you configure Security Update Protection in your WSHV policy, the policy cannot be enforced by WSHA on the client computer. Because of this, WSHA restricts client computers to a remediation network and they cannot connect to your network. If client computers are running Windows Update Agent and are registered with a WSUS server, you can configure Security Update Protection for your WSHV policy. In that case, if you select Enforce quarantine for missing security updates and the most recent security updates are not installed, WSHA restricts the client computer to a remediation network until the most recent software security updates are installed. You can configure Security Update Protection with several possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). These values are: Critical only. If selected, client computers are required to have all security updates with an MSRC severity rating of Critical. If client computers do not have these updates, the client computer is restricted to a remediation network until the updates are downloaded and installed. Important and above. This is the default setting. If selected, client computers are required to have all security updates with an MSRC severity rating of Important or Critical. If client computers do not have these updates, the client computer is restricted to a remediation network until the updates are downloaded and installed. Moderate and above. If selected, client computers are required to have all security updates with an MSRC severity rating of Moderate, Important, and Critical. If client computers do not have these updates, the client computer is restricted to a remediation network until the updates are downloaded and installed. Low and above. If selected, client computers are required to have all security updates with an MSRC severity rating of Low, Moderate, Important, and Critical. If client computers do not have these updates, the client computer is restricted to a remediation network until the updates are downloaded and installed. All. If selected, client computers are required to have all security updates, regardless of their severity rating by the MSRC. If client computers do not have the most recent updates, the client computer is restricted to a remediation network until the updates are downloaded and installed. After you configure the security update severity rating level, you can specify the minimum number of hours allowed since the client has checked the WSUS server for new security updates. The default value for the minimum synchronization time is 22 hours. 76 When a client computer first attempts to connect to a NAP-enabled network and the Security Update Protection setting is configured in the WSHV policy, WSHA determines whether to restrict the client computer to a remediation network as follows: If the client checked the WSUS server for updates at an interval greater than the WSHVconfigured minimum number of hours allowed between checks, the client computer is restricted to a remediation network. After the client checks for updates and downloads and installs any recent updates, the client is allowed full network access. If the client checked the WSUS server for updates at an interval that is equal to or less than the WSHV-configured minimum number of hours allowed between checks, the client computer is not restricted to a remediation network. Note WSHA on the client computer only performs this check the first time that the client computer attempts to connect to the network. If the client computer remains connected to the network for longer than the configured minimum synchronization time, WSHA does not check for security updates, does not download updates, and does not restrict the client computer to a remediation network. Autoremediation For autoremediation to work with the Security Update Protection setting enabled and configured in your WSHV policy, the following must be true: Client computers on your network are running Windows Update Agent. Client computers that are running Windows Update Agent are registered with a WSUS server. Autoremediation is configured and enabled. If these conditions are met, WSHA on the client computer checks with the WSUS server to discover the most recent security updates. If WSHA discovers that the most recent security updates of the configured MSRC severity rating are not installed on the client computer, WSHA downloads and installs the most recent security updates. Remediation Server Groups A remediation server group is a list of servers on the restricted network that provide resources required to bring noncompliant NAP-capable clients into compliance with administrator-defined client health policy. A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with health policy, as defined in Network Policy Server (NPS). For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions installed, an antivirus system health agent (SHA), 77 an antivirus system health validator (SHV), an antivirus policy server, and the remediation server used to host the antivirus signatures work together to update noncompliant computers. Accounting There are three types of logging for Network Policy Server (NPS): Event logging. Used primarily for auditing and troubleshooting connection attempts. Logging user authentication and accounting requests to a local file. Used primarily for connection analysis and billing purposes. Also useful as a security investigation tool because it provides you with a method of tracking the activity of a malicious user after an attack. By default, local file logging in database-compatible format is enabled. Logging user authentication and accounting requests to a Microsoft SQL Server XMLcompliant database. Used to allow multiple servers running NPS to record accounting data to one data source. Also provides the advantages of using a relational database. By default, SQL Server logging is not enabled. Important To deploy NPS SQL Server logging, you must first deploy and configure a compatible version of Microsoft SQL Server. For more information, see NPS Accounting. How Network Policy Server Works In this section NPS Architecture NPS Protocols NPS Processes and Interactions NPS Accounting NPS Architecture The following illustration depicts NPS architecture, including the components upon which NPS has external dependencies. 78 Network Policy Server components The following sections provide additional information about the components in the NPS architecture. 79 Component Description Network access servers RADIUS-compliant network access servers, such as VPN servers, 802.1X wireless access points and authenticating switches, and dial-up servers that send connection requests to the NPS server using the RADIUS protocol. Network access servers are also called RADIUS clients. Remote Authentication Dial-In User Service (RADIUS) protocol An industry standard protocol described in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is used to provide network authentication, authorization, accounting, and auditing services for network administrators that deploy local or remote access to their networks. RADIUS messages Access-Request and other RADIUS messages that are sent between network access servers and the NPS server using the RADIUS protocol. Local Microsoft components When additional components, such as RRAS, TS Gateway, DHCP, and HCAP are installed on the local NPS server, the components use IAS Helper (Iashlpr.dll) to exchange information with NPS. If these components are not installed on the local computer but are installed on remote computers, IAS Helper is not used; instead, the RADIUS protocol is used to exchange information with the local NPS server. NPS server A computer running Windows Server 2008 and Network Policy Server that accepts connection requests from configured RADIUS clients and either processes or forwards the requests, depending on how NPS is configured. In addition, NPS can make determinations about client health through configured health policies if Network Access Protection (NAP) is deployed. 80 Component Description NPS service A service that runs within Svchost.exe and can be configured by using the Services MMC snap-in. By default, the service runs automatically at system startup after you install NPS. NPS policy engine The NPS policy engine processes connection requests when NPS is configured as a RADIUS proxy, RADIUS server, and NAP policy server. Depending on the NPS configuration, NPS can forward a connection request, perform authentication and authorization for a connection request against the AD DS user accounts database or SAM database, or verify the client computer configuration of a NAPcapable client. For detailed information on how NPS processes connection requests based upon the NPS configuration, see AccessRequest Message Processing. SDO Layer - Read Only The NPS service loads its own copy of the Server Data Objects (SDO) dynamic link libraries (DLLs); the NPS service reads information from the SDO layer, but does not write information to the SDO layer. NPS MMC snap-in/console You can use the NPS console or the NPS MMC snap-in to configure NPS using the Windows interface. For more information, see Components of NPS. SDO Layer - Read-Write The NPS MMC console/snap-in loads its own copy of the SDO DLLs, and both reads information from and writes information to the SDO Layer. The SDO API makes it possible to programmatically configure and administer a computer running Windows Server 2008 and NPS. For more information, see Server Data Objects. Netsh NPS A context of the Netsh command-line tool that you can use to configure NPS by using the command line, batch files, or scripts. For more information, see Netsh Commands for Network 81 Component Description Policy Server. SDO Layer - Read-Write Netsh NPS loads its own copy of the SDO DLLs, and both reads information from and writes information to the SDO Layer. IAShost.exe A process of NPS that hosts the DataStore Component Object Model (COM) server. At runtime, there is a single instance of IAShost.exe to which other components, such as the NPS service, the NPS MMC, and Netsh NPS, read and write NPS configuration data. DataStore COM server A service within IAShost.exe that manages read operations from Dnary.xml and both read and write operations to IAS.xml. By using the Distributed COM (DCOM) interface, the following components use the DataStore COM server to access the NPS server configuration: the NPS service on the local computer; the Netsh commands for NPS on the local computer; the NPS console or MMC snap-in on the local computer; and the NPS MMC snap-in on remote NPS servers. For more information, see DCOM Technical Overview. IAS.xml An extensible markup language (XML) file stored on the local hard drive that contains NPS configuration information. IAShost.exe reads information from and writes information to IAS.xml. By default, the IAS.xml file location is %windir%\System32\ias. Dnary.xml Dnary.xml is an extensible markup language (XML) file stored on the local hard drive that contains the NPS library of RADIUS attributes. IAShost.exe reads information from Dnary.xml. By default, the Dnary.xml file location is %windir%\System32\ias. Local log file When the NPS accounting configuration specifies the recording of accounting data in a local log file (either database-compatible format or IAS format), the text file is stored on the local 82 Component Description hard drive. By default, the local log file location is %windir%\system32\LogFiles External Dependencies NPS has the following dependencies on external components. The dependency does not exist, however, unless NPS is configured to use the external resource. For example, NPS is not dependent on SQL Server unless NPS is configured to use SQL Server logging. Component Description LDAP queries When an NPS server is a member of an Active Directory domain, Lightweight Directory Access Protocol (LDAP) queries are sent to global catalog servers when NPS performs authentication against the Active Directory Domain Services (AD DS) user account database. Query results are then sent back to NPS. If an NPS server is not a domain member, authentication is performed against the local SAM database rather than against a domain controller. AD DS NPS performs authentication against the credentials stored in the AD DS user accounts database during the authentication process, and checks user account dial-in properties during the authorization process. NAP Network Access Protection allows NPS to function as a health policy server, verifying that NAP-capable computers connecting to the network are compliant with health policy. QSHVHost QSHVHost is a NAP component required to facilitate communication between NPS and other NAP components. EAP When EAP authentication is configured in a connection request policy or network policy and the Access-Request matches a policy, NPS uses EAP authentication to verify the identity of 83 Component Description the access client or user. EAPHost When configured to use EAP authentication, NPS uses EAPHost during the authentication process. In Windows Server 2008 and Windows Vista, EAPHost updates the EAP implementation in Windows for the latest Internet standards and provides a new modular architecture to extend Windows with EAP authentication methods and supplicants. Accounting data (XML document) When NPS is configured to use SQL Server logging, it sends accounting data in an XML document to the SQL Server database for processing and storage in the database. SQL Server The SQL Server database is configured with a stored procedure that receives and processes the incoming XML document from NPS, in addition to a database where the NPS data is stored. RADIUS extension DLLs and NPS architecture When you incorporate RADIUS extension DLLs into the NPS architecture, you are modifying the NPS policy engine in such a way that Access-Request messages are processed in a different manner. The primary differences are: If you install an authentication extension DLL, NPS calls the DLL before performing authentication and authorization. If you install an authorization extension DLL, NPS performs authentication and authorization before calling the authorization DLL. For more information about extension DLLs, see About NPS Extensions. NPS Protocols In this section Authentication Protocols RADIUS Protocol Authentication protocols are used to transmit user or computer logon credentials. If you configure NPS to process some or all of the connection requests that it receives from RADIUS clients, the 84 authentication protocols that you have configured in network policy or connection request policy are used to transmit user or computer credentials so that NPS can verify the identity of the user or computer that is attempting to access the network. NPS uses the RADIUS protocol to communicate with RADIUS clients and other RADIUS servers. These protocols are detailed in the following sections. Authentication Protocols In this section Certificate-based Authentication Protocols Password-based Authentication Protocols Unauthenticated Access When users attempt to connect to your network through network access servers, NPS authenticates and authorizes the connection request before allowing or denying access. Because authentication is the process of verifying the identity of the user or computer attempting to connect to the network, NPS must receive proof-of-identity from the user or computer in the form of credentials. Authentication protocols allow the transmission of these credentials from the computer or user who is proving their identity to the authenticator that is verifying their identity. Authentication methods typically use an authentication protocol that is negotiated by the Remote Authentication Dial-In User Service (RADIUS) server and the access client during the connection establishment process. Each authentication protocol has advantages and disadvantages in terms of security, usability, and breadth of support. The authentication protocol used to transmit credentials is determined by the configuration of the following RADIUS infrastructure components: the access client, the RADIUS client, and the RADIUS server. Note NPS also supports unauthenticated connections, although in most circumstances unauthenticated access is not recommended for security reasons. You can configure NPS to accept the use of multiple authentication protocols. You can also configure your RADIUS clients to attempt to negotiate a connection by using the most secure protocol first, and then the next most secure, and so on down to the least secure. For example, the Routing and Remote Access service tries to negotiate a connection by using Extensible Authentication Protocol (EAP) first, then MS-CHAP v2, then MS-CHAP v1 , then CHAP, and then PAP. When EAP is chosen as the authentication method, the negotiation of the EAP type occurs between the access client and the NPS server. 85 Note Before deploying authentication with NPS, consult your RADIUS client documentation to determine the authentication methods that are supported by the device. In addition, you can use network policies to implement different authentication methods depending on the type of access client that is being authenticated. For example, you can create two network policies, one for VPN clients and one for wireless clients—each of which uses a different authentication method. The network policy for VPN clients can be configured to use EAP-TLS with smart cards or certificates as the authentication method and authentication type, while the network policy for wireless clients can be configured to use PEAP-MS-CHAP v2, which provides secure password authentication. Authentication methods Some authentication methods implement the use of password-based credentials. For example, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) requires that users type in a user name and password. These credentials are then passed to the NPS server by the network access server, and then NPS verifies the credentials against the user accounts database. Other authentication methods implement the use of certificate-based credentials for the user, the client computer, the NPS server, or some combination of these types of certificates. Certificatebased authentication methods provide stronger security than password-based authentication methods. When you deploy NPS, you can specify the authentication method that is required for access to your network. The following sections provide additional information on the authentication methods and protocols available for use with NPS. Certificate-based Authentication Protocols Certificates are digital documents that are issued by certification authorities (CAs), such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. Certificates can be used for many purposes, such as code signing and securing e-mail communication, but with Network Policy Server (NPS), certificates are used for network access authentication. Certificates are used for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less secure password-based authentication methods. In this section Extensible Authentication Protocol Protected Extensible Authentication Protocol Certificate Templates and Requirements Mapping with Certificate-Based Authentication 86 Two authentication methods, when configured with certificate-based authentication types, use certificates: Extensible Authentication Protocol (EAP) and Protected EAP (PEAP). By using EAP, you can configure the authentication type Transport Layer Security (EAP-TLS), and with PEAP you can configure the authentication types TLS (PEAP-TLS) and Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). These authentication methods always use certificates for server authentication. Depending on the authentication type configured with the authentication method, certificates might also be used for user authentication and client computer authentication. Note The use of certificates for authentication of virtual private network (VPN) connections is the strongest form of authentication available in Windows Server® 2008. You must use certificate-based authentication for VPN connections based on Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec). Point-To-Point Tunneling protocol (PPTP) connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients, PEAP with EAP-TLS and smart cards or certificates is the recommended authentication method. You can deploy certificates for use with NPS by installing and configuring the Active Directory Certificate Services (AD CS) server role. For more information, see the AD CS documentation. Certificate types When you use certificate-based authentication methods, it is important to understand the following types of certificates and how they are used: CA certificate When present on client and server computers, tells the client or server that it can trust other certificates, such as certificates used for client or server authentication, that are issued by this CA. This certificate is required for all deployments of certificate-based authentication methods. Client computer certificate Issued to client computers by a CA and used when the client computer needs to prove its identity to a server running NPS during the authentication process. Server certificate Issued to NPS servers by a CA and used when the NPS server needs to prove its identity to client computers during the authentication process. User certificate Issued to individuals by a CA and typically distributed as a certificate that is embedded on a smart card. The certificate on the smart card is used, along with a smart card reader that is attached to the client computer, when individuals need to prove their identity to NPS servers during the authentication process. 87 Certificate deployments and Active Directory replication Some authentication methods, such as PEAP and EAP, can use certificates for authentication of computers and users. Latency in Active Directory replication might temporarily affect the ability of a client or server to obtain a certificate from a certification authority (CA). If a computer configured to use certificates for authentication cannot enroll a certificate, authentication fails. This latency in Active Directory replication can affect your network access authentication infrastructure because the certificates used for client and server authentication are issued by CAs to domain member computers. In the moments after you have joined a client or server computer to the domain, it is possible that the only Active Directory global catalog server that has a record of the client or server computer's domain membership is the domain controller that handled the join request. After a computer is joined to the domain, a restart of the computer is required. After the computer restarts and you log on to the domain, Group Policy is applied. If you have previously configured the auto-enrollment of client computer certificates or, for NPS servers, server certificates, this is the moment at which the new domain member computer requests a certificate from a CA. Note You can manually refresh Group Policy by logging on to the domain or by running the gpupdate command. The CA in turn checks Active Directory to determine whether or not to issue a certificate to the client or server that has requested it. If Active Directory replication of the computer account has replicated across the domain, the CA can determine whether the client or server has the security permissions required to enroll a certificate. If Active Directory replication of the computer account has not replicated across the domain, however, the CA might not be able to verify that the client or server has the security permissions to enroll a certificate. If this occurs, the CA does not enroll a certificate to the client or server computer. This circumstance has the following effect: If a domain member client computer cannot enroll a client computer certificate, the client computer cannot be successfully authenticated by NPS servers when attempting to connect to the network by using any network access servers that are configured as RADIUS clients in NPS where the required authentication method is either EAP-TLS or PEAP-EAP-TLS. For example, if you have deployed RADIUS clients that are 802.1X wireless access points and you are using PEAP-EAP-TLS as your authentication method, client computers that do not have a client computer certificate cannot be authenticated and cannot access network resources. If a domain member NPS server cannot enroll a server certificate, the NPS server cannot be successfully authenticated by client computers when they are attempting to connect to the network by using any network access servers that are configured as RADIUS clients in NPS where the required authentication method is EAP-TLS, PEAP-EAP-TLS, or PEAP-MS-CHAP v2, and where clients have the Validate server certificate setting enabled. These 88 authentication methods provide mutual authentication, where both the access client and the NPS server authenticate each other, and the NPS server must have a server certificate to be successfully authenticated by client computers. If the NPS server does not have a server certificate, all connection requests that it receives where these authentication methods are required will fail, because client computers are unable to authenticate the NPS server. For this reason, when you deploy certificate-based authentication methods, it is recommended that you design Active Directory replication times and the deployment of subordinate CAs in such a manner that you diminish the possibility that slow replication might negatively impact your network access authentication infrastructure. Extensible Authentication Protocol Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to demand for authentication methods that use security devices, such as smart cards, token cards, and crypto calculators. EAP provides an industrystandard architecture for supporting additional authentication methods within PPP. EAP allows for an open-ended conversation between the remote access client and the authenticator. The conversation consists of authenticator requests for authentication information and the responses by the remote access client. For example, when EAP is used with security token cards, the authenticator can separately query the remote access client for a name, PIN, and card token value. As each query is asked and answered, the remote access client passes through another level of authentication. When all questions have been answered satisfactorily, the remote access client is authenticated. Windows Server 2008 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS). EAP infrastructure EAP is a set of internal components that provide architectural support for any EAP type in the form of a plug-in module. For successful authentication, both the remote access client and authenticator must have the same EAP authentication module installed. You can also install additional EAP types. The components for an EAP type must be installed on every network access client and every authenticator. Note The Windows Server 2003 operating systems provide two EAP types: MD5-Challenge and EAP-TLS. MD5-Challenge is not supported in Windows Server 2008. 89 EAP types By using EAP, you can support additional authentication schemes, known as EAP types. These schemes include token cards, one-time passwords, public key authentication using smart cards, and certificates. EAP, in conjunction with strong EAP types, is a critical technology component for secure virtual private network (VPN) connections, 802.1X wired connections, and 802.1X wireless connections. Both the network access client and the authenticator, such as the NPS server, must support the same EAP type for successful authentication to occur. Important Strong EAP types, such as those based on certificates, offer better security against bruteforce or dictionary attacks and password guessing than password-based authentication protocols, such as CHAP or MS-CHAP. With EAP, an arbitrary authentication mechanism authenticates a remote access connection. The authentication scheme to be used is negotiated by the remote access client and the authenticator (either the network access server or the Remote Authentication Dial-In User Service [RADIUS] server). Routing and Remote Access includes support for EAP-TLS and PEAP-MS-CHAP v2 by default. You can plug in other EAP modules to the server running Routing and Remote Access to provide other EAP types. EAP-TLS EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method. Note During the EAP-TLS authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated. EAP-TLS is supported only on servers that are running Routing and Remote Access, that are configured to use Windows Authentication or RADIUS, and that are members of a domain. A network access server running as a stand-alone server or as a member of a workgroup does not support EAP-TLS. Using RADIUS as a transport for EAP Using RADIUS as a transport for EAP is the passing of EAP messages of any EAP type by a RADIUS client to a RADIUS server for authentication. For example, EAP messages are sent by a remote access client to a network access server that is configured as a RADIUS client. The network access server encapsulates and formats the EAP messages as RADIUS messages, and 90 then sends them to the RADIUS server. When you use EAP over RADIUS, it is called EAPRADIUS. EAP-RADIUS is used in environments where RADIUS is used as the authentication provider. An advantage of using EAP-RADIUS is that EAP types do not need to be installed at each network access server, only at the RADIUS server. In the case of an NPS server, you only need to install EAP types on the NPS server. In a typical use of EAP-RADIUS, a server running Routing and Remote Access is configured to use EAP and to use an NPS server for authentication. When a connection is made, the remote access client negotiates the use of EAP with the network access server. When the client sends an EAP message to the network access server, the network access server encapsulates the EAP message as a RADIUS message, and then sends it to its configured NPS server. The NPS server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the network access server. The network access server then forwards the EAP message to the remote access client. In this configuration, the network access server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the NPS server. Routing and Remote Access can be configured to authenticate locally, or to a RADIUS server. If Routing and Remote Access is configured to authenticate locally, all EAP methods will be authenticated locally. If Routing and Remote Access is configured to authenticate to a RADIUS server, all EAP messages will be forwarded to the RADIUS server with EAP-RADIUS. Enabling EAP To enable EAP-based authentication 1. Enable EAP as an authentication protocol on the network access server. For more information, see your network access server documentation. 2. In NPS, on the Constraints tab of the appropriate network policy, enable EAP and configure the EAP type. For more information, see Constraints Properties. 3. Enable and configure EAP on the access client. For more information, see your access client documentation. Protected Extensible Authentication Protocol Protected Extensible Authentication Protocol (PEAP) uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running Network Policy Server (NPS) or other Remote Authentication Dial-In User Service (RADIUS) server. Note PEAP is part of the Extensible Authentication Protocol (EAP) protocols. 91 PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-Microsoft Challenge Handshake Protocol version 2 (MSCHAP v2), that can operate through the TLS-encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients connecting to your organization network through the following types of network access servers: 802.1X wireless access points 802.1X-capable switches Computers running Windows Server 2008 and Routing and Remote Access configured as virtual private network (VPN) servers Computers running Windows Server 2008 and Terminal Services Gateway (TS Gateway) To enhance both the EAP protocols and network security, PEAP provides: A TLS channel that provides protection for the EAP method negotiation that occurs between client and server. This TLS channel helps prevent an attacker from sending packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial-of-service attacks against the NPS server. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this functionality. Clients with the ability to authenticate an NPS server or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs. Protection against the deployment of an unauthorized wireless access point at the moment when the EAP client authenticates the certificate provided by the NPS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP. PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS server or other RADIUS server. Fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials. The following table compares MS-CHAP v2 to PEAP-MS-CHAP v2. Function MS-CHAP v2 PEAP-MS-CHAP v2 Provides client authentication by using passwords Yes Yes Ensures that the server has access to credentials Yes Yes Authenticates the server Yes Yes 92 Function MS-CHAP v2 PEAP-MS-CHAP v2 Prevents wireless access point spoofing No Yes Prevents an unauthorized server No from negotiating the least secure authentication method Yes Uses TLS keys generated with a public key No Yes Provides end-to-end encryption No Yes Prevents dictionary or brute force attacks No Yes Prevents replay attacks No Yes Allows chaining of authentication No methods Yes Requires client trust of certificates provided by the server Yes No PEAP authentication process There are two stages in the PEAP authentication process between the PEAP client and the authenticator. The first stage establishes a secure channel between the PEAP client and the authenticating server. The second stage provides EAP authentication between the PEAP client and authenticator. Establish a TLS-encrypted channel In the first stage of PEAP authentication, the TLS channel is created between the PEAP client and the NPS server. The following steps illustrate how this TLS channel is created for wireless PEAP clients. 1. The PEAP client associates with a wireless access point that is configured as a RADIUS client to a server running NPS. An IEEE 802.11-based association provides an Open System or Shared Key authentication before a secure association is created between the PEAP client and the access point. 2. After the IEEE 802.11-based association is successfully established between the client and access point, the TLS session is negotiated with the access point. 3. After computer-level authentication is successfully completed between the wireless PEAP client and the NPS server, the TLS session is negotiated between them. The key that is 93 generated during this negotiation is used to encrypt all subsequent communication, including network access authentication that allows the user to connect to the organization network. Establish EAP-authenticated communication Complete EAP communication, including EAP negotiation, occurs through the TLS channel and is the second stage of PEAP authentication. The following steps extend the previous example and illustrate how wireless clients complete authentication with the NPS server by using PEAP. After the TLS channel is created between the NPS server and the PEAP client, the client passes the credentials (user name and password or a user or computer certificate) to the NPS server through the encrypted channel. The access point only forwards messages between wireless client and RADIUS server; the access point (or a person monitoring it) cannot decrypt these messages because it is not the TLS endpoint. The NPS server authenticates the user and client computer with the authentication type that is selected for use with PEAP. The authentication type can be either EAP-TLS (smart card or other certificate) or EAP-MS-CHAP v2 (secure password). Note You can configure PEAP as the authentication method in NPS network policy. EAP types You can choose between two EAP types, also called authentication types, for use with PEAP: EAP-MS-CHAP v2 or EAP-TLS. EAP-MS-CHAP v2 uses password-based credentials (user name and password) for user authentication, and a certificate in the server computer certificate store for server authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication, and a certificate in the server computer certificate store for server authentication. PEAP with EAP-MS-CHAP v2 PEAP with EAP-MS-CHAPv2 (PEAP-MS-CHAP v2) is easier to deploy than EAP-TLS because user authentication is accomplished with password-based credentials (user name and password) instead of certificates or smart cards. Only the NPS server or other RADIUS server is required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients. Successful PEAP-MS-CHAP v2 authentication requires that the client trust the NPS server after examining the server certificate. For the client to trust the NPS server, the certification authority (CA) that issued the server certificate must have its own different certificate in the Trusted Root Certification Authorities certificate store on client computers. The server certificate used by NPS can be issued by either your organization's trusted root CA or a public CA, such as VeriSign or Thawte, that is already trusted by the client computer. 94 Note PEAP-MS-CHAP v2 provides greatly improved security over MS-CHAP v2 by providing key generation with TLS and by using mutual authentication, which prevents an unauthorized server from negotiating the least secure authentication method with the PEAP client. PEAP with EAP-TLS When you deploy a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS), you can use PEAP with EAP-TLS (PEAP-TLS). Certificates provide a much stronger authentication method than the methods that use password-based credentials. PEAP-TLS uses certificates for server authentication and either smart cards, which contain an embedded certificate, or certificates enrolled to client computers that are stored on the local computer in the certificate store, for user and client computer authentication. To use PEAP-TLS, you must deploy a PKI. PEAP fast reconnect PEAP fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point. Wireless access points are configured as RADIUS clients to RADIUS servers. If a wireless client roams between access points that are configured as clients to the same RADIUS server, the client is not required to be authenticated with each new association. When a client moves to an access point that is configured as a RADIUS client to a different RADIUS server, although the client is reauthenticated, this process occurs much more efficiently and quickly. PEAP fast reconnect reduces the response time for authentication between client and authenticator because the authentication request is forwarded from the new access point to the NPS server that originally performed authentication and authorization for the client connection request. Because both the PEAP client and NPS server use previously cached TLS connection properties (the collection of which is named the TLS handle), the NPS server can quickly determine that the client connection is a reconnect. The client can cache TLS handles for multiple PEAP authenticators. If the original NPS server is unavailable, full authentication must occur between the client and the new authenticator. The new PEAP authenticator's TLS handle is cached by the client. For smart cards or PEAP-MS-CHAP v2 authentication, the user is asked to supply the personal identification number (PIN) or credentials, respectively. The following table shows behavior of PEAP fast reconnect when using PEAP-MS-CHAP v2 authentication. 95 When the new access point is a client to the When the new access point is a client to a new same RADIUS server RADIUS server The user is not prompted for credentials each time the client computer associates with a new access point. The user is prompted for credentials on this initial association. The next time the client computer associates with an access point that is a client to this server, user credentials are not required. The RADIUS server is not required to provide a certificate. The RADIUS server provides a certificate on this initial association so that the wireless client can authenticate to the RADIUS server. The next time the client computer associates with an access point that is a client to this server, the server is not required to be reauthenticated. The following table shows behavior of PEAP fast reconnect when using PEAP-TLS authentication. When the new access point is a client to the When the new access point is a client to a new same RADIUS server RADIUS server The client and server are not required to exchange certificates. The client and server exchange certificates on this initial association. The next time the client computer associates with an access point that is a client to this server, certificates are not exchanged. The user is not prompted for a smart card PIN each time the client computer associates with a new access point. The user is prompted for a smart card PIN on this initial association. The next time the client computer associates with an access point that is a client to this server, the user is not prompted for the PIN. To enable PEAP fast reconnect: Both the PEAP client (802.11 wireless client) and PEAP authenticator (RADIUS server) must have fast reconnect enabled. All access points to which the PEAP client roams must be configured as RADIUS clients to a RADIUS server (the PEAP authenticator) for which PEAP is configured as the authentication method for wireless connections. All access points to which the PEAP client associates must be configured to prefer the same RADIUS server (PEAP authenticator) to avoid being prompted for credentials from every RADIUS server. If the access point cannot be configured to prefer a RADIUS server, you can configure an NPS RADIUS proxy with a preferred RADIUS server. 96 Additional information PEAP does not support guest authentication. When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability. Certificate Templates and Requirements In this section Server Certificate Requirements Computer and User Certificate Requirements Enrolling Certificates with Templates When you use Extensible Authentication Protocol (EAP) with a strong EAP type, such as Transport Layer Security (TLS) with smart cards or certificates, both the client and the server use certificates to prove their identities to each other. This process is called mutual authentication. Certificates must meet specific requirements to allow the server and the client to use them for mutual authentication. One such requirement is that the certificate is configured with one or more purposes in Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in Application Policies extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When a certificate is used for client computer authentication, this object identifier must be present in the Application Policies extensions of the certificate or authentication will fail. The Certificate Templates Microsoft Management Console (MMC) snap-in allows customization of the certificates that are issued by Active Directory Certificate Services (AD CS). Customization possibilities include both how certificates are issued and what the certificates contain, including their purposes. In the Certificate Templates snap-in, you can use a default template, such as the Computer template, to define the template that the certification authority (CA) uses to assign certificates to computers. You can also create a certificate template and assign purposes in EKU extensions to the certificate. By default, the Computer template includes the Client Authentication purpose and the Server Authentication purpose in EKU extensions. The certificate template that you create can include any purpose for which the certificate will be used. For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose in addition to the Client Authentication purpose. You can configure Network Policy 97 Server (NPS) to check certificate purposes before granting network authorization. NPS can check additional EKUs and Issuance Policy purposes (also known as certificate policies). Note Some non-Microsoft CA software might contain a purpose named All, which represents all possible purposes. This is indicated by a blank (or null) EKU extension. Although All is intended to mean "all possible purposes," the All purpose cannot be substituted for the Client Authentication purpose, the Server Authentication purpose, or any other purpose related to network access authentication. Understanding authentication with certificates When a certificate is provided to a client or server computer as proof of identity, the authenticator must examine the certificate to determine its validity, whether it is configured with the purpose for which it is being used, and to find out whether the certificate was issued by a CA that the authenticator trusts. Assuming that a certificate is configured properly and is valid, the most important aspect of the authentication process is the check by the authenticator that it trusts the CA that issued the certificate. If the authenticator trusts the CA and the certificate is valid and configured properly according to the minimum server and client certificate requirements, authentication succeeds. If the authenticator does not trust the CA, authentication fails. How trust is established Windows-based computers keep certificates in a certificate store on the local computer. There is a certificate store for the Local Computer, for the Current User, and for individual services, such as Network Connections, Automatic Updates, and Computer Browser. In each certificate store there is a folder named Trusted Root Certification Authorities that contains certificates from every CA that is trusted, whether they are public or private CAs. To determine trust, the authenticator checks the Trusted Root Certification Authorities certificate store for either Current User or Local Computer. If the CA that issued the client, user, or server certificate being used for authentication has a certificate in the Trusted Root Certification Authorities certificate store on the local computer, the authenticator trusts the certificate. If the issuing CA does not have a CA certificate in the Trusted Root Certification Authorities certificate store on the local computer, the authenticator does not trust the certificate. Important The CA certificate must be present in the Trusted Root Certification Authorities certificate store on the local computer, whether that computer is a client or a server, for other certificates issued by the CA to be trusted. 98 Public CAs Some of these trusted root CA certificates, which are issued by public trusted root certification authorities, are included by default in all installations of Windows; they are included on the product installation compact disc or they are present on computers sold by original equipment manufacturers (OEMs) that provide computers that have Windows installed on them. For example, in the certificate store on computers running Windows XP, in the Trusted Root Certification Authorities folder, there are CA certificates from the VeriSign Trust Network CA, the Thawte Premium Server CA, and the Microsoft Root Certification Authority. If a computer running Windows XP is presented with a certificate that was issued by one of these CAs and the certificate is configured properly and is valid, the computer running Windows XP trusts the certificate. You can purchase additional certificates from many companies, such as VeriSign and Thawte, to use in your authentication infrastructure. For example, when you deploy PEAP-MS-CHAP v2 and the Validate server certificate setting is enabled on the client, the client computer authenticates the NPS server using the NPS server certificate. If you do not want to deploy your own CA and issue your own server certificates to NPS servers, you can purchase a server certificate from a company whose CA is already trusted by client computers. Private CAs When an organization deploys its own public key infrastructure (PKI), and then installs a private trusted root CA, their CA automatically sends its certificate to all domain member computers in the organization. The domain member client and server computers store the CA certificate in the Trusted Root Certification Authorities certificate store. After this occurs, the domain member computers trust certificates that are issued by the organization trusted root CA. For example, if you install AD CS, the CA sends its certificate to the domain member computers in your organization, and then the domain member computers store the CA certificate in their local Trusted Root Certification Authorities certificate store. If you also configure and autoenroll a server certificate for your NPS servers and then deploy PEAP-MS-CHAP v2 for wireless connections, all domain member wireless client computers can successfully authenticate your NPS servers by using the NPS server certificate because they trust the CA that issued the NPS server certificate. Note Non-domain member computers must have the private CA certificate manually installed in their local Trusted Root Certification Authorities certificate store for them to trust certificates, such as NPS server certificates, that are issued by the private CA. Required certificates The following table identifies the certificates that are required to successfully deploy each of the certificate-based authentication methods. 99 Certificate Required for EAP-TLS Required for PEAP-MS- Details and PEAP-TLS? CHAP v2? CA certificate in the Trusted Root Certification Authorities certificate store for Local Computer and Current User. Yes. The CA certificate is enrolled automatically for domain member computers. For nondomain member computers, the certificate must be manually imported into the certificate store. Yes. The CA certificate is enrolled automatically for domain member computers. For nondomain member computers, the certificate must be manually imported into the certificate store. For PEAP-MS-CHAP v2, The CA certificate is required for mutual authentication between client and server. Client computer certificate in the certificate store of the client. Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For nondomain member computers, the certificate must be manually imported or obtained by using the Web enrollment tool. No. User authentication is performed with password-based credentials, not certificates. If you deploy user certificates on smart cards, client computers do not need client certificates. Server certificate in the certificate store of the NPS server. Yes. You can configure AD CS to autoenroll server certificates to members of the RAS and IAS servers group in Active Directory Domain Services (AD DS). Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that client computers already trust. The NPS server sends the server certificate to the client computer; the client computer uses the certificate to authenticate the NPS server. User certificate on a smart card. No. This certificate is required only if you choose to deploy smart cards rather No. User authentication is performed with password-based For EAP-TLS and PEAP-TLS, if you do not autoenroll client computer certificates, 100 Certificate Required for EAP-TLS Required for PEAP-MS- and PEAP-TLS? CHAP v2? than autoenrolling client computer certificates. credentials, not certificates. Details user certificates on smart cards are required. Wireless clients How certificates are used to authenticate wireless clients varies depending on the authentication method. IEEE 802.1X authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. 802.1X provides support for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS in a variety of ways. If the Validate server certificate option is configured on the client, the client authenticates the server by using its certificate. Client computer and user authentication can be accomplished by using certificates from the client certificate store or a smart card, providing mutual authentication. With wireless clients, PEAP-MS-CHAP v2 can be used as the authentication method. During PEAP-MS-CHAP v2 authentication, the NPS server supplies a certificate to provide proof of its identity to the connecting client. If the Validate server certificate option is configured on the Windows Vista® or Windows XP Professional client, the client uses the certificate to authenticate the NPS server. User authentication is then performed with password-based credentials rather than with a certificate. This use of password-based rather than certificate-based credentials eliminates some of the difficulty of deploying secure authentication for wireless client computers. Server Certificate Requirements All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS) as specified below. If you configure your server certificate according to this information, your server certificates will also meet the requirements for PEAP and EAP. Note Use the Certificate Templates Microsoft Management Console (MMC) snap-in and a copy of the RAS and IAS Servers certificate template to configure server certificates for use with EAP and PEAP. For more information, see Foundation Network Companion Guide: Deploying Server Certificates in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=108258. 101 While configuring a copy of the RAS and IAS Servers certificate template, ensure that the following is true: The Subject name field contains a value. If you issue a certificate to your NPS server that has a blank subject name, the certificate is not available for selection when you're configuring authentication in NPS network policy and connection request policy. The server certificate chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy. The NPS server or virtual private network (VPN) server certificate is configured with the Server Authentication purpose in Application Policies extensions (also called Enhanced Key Usage (EKU) extensions). The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. The server certificate is configured with a required Rivest-Shamir-Adleman (RSA) algorithm value. The Subject Alternative Name (SubjectAltName) extension, if used, must contain the Domain Name System (DNS) name of the server. Computer and User Certificate Requirements All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS) as specified below. If you configure your computer and user certificates according to this information, your certificates will also meet the requirements for PEAP and EAP. Note Use the Certificate Templates MMC snap-in and copies of the User certificate template and the Workstation Authentication certificate template to configure user and computer certificates for use with EAP and PEAP. For more information, see Foundation Network Companion Guide: Deploying Computer and User Certificates in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884. While configuring copies of the User certificate template and the Workstation Authentication certificate template, ensure that the following is true: The Subject name field contains a value. If you issue a certificate that has a blank subject name, the certificate cannot be used for authentication. The certificate chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in Network Policy Server (NPS) network policy. Because you are issuing certificates from your own enterprise root CA, computer and user certificates issued by the CA automatically chain to the CA. Domain member computers have the CA certificate in the Trusted Root Certification Authorities folder 102 in both the Local Computer and Current User certificate stores, which means that they trust the CA. The user or computer certificate is configured with the Client Authentication purpose in Application Policies extensions (also called Enhanced Key Usage (EKU) extensions). The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. By default, the User and Workstation Authentication certificate templates contain this purpose in Application Policies extensions. For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, contains the user principal name (UPN). By default, the User certificate template is configured with the UPN. For computer certificates, the SubjectAltName extension, if used, contains the fully qualified domain name (FQDN) of the computer, which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement. Enrolling Certificates with Templates The domain membership of computers for which you want to enroll certificates affects the certificate enrollment method that you can choose. Certificates for domain member computers can be enrolled automatically, whereas an administrator must enroll certificates for non-domain member computers by using the Active Directory Certificate Services (AD CS) Web enrollment tool or a floppy disk or compact disc. Domain member certificate enrollment If your virtual private network (VPN) server, Network Policy Server (NPS) server, or client running Windows 2000, Windows XP, or Windows Vista is a member of a domain running Windows Server 2008 or Windows Server 2003 and Active Directory Domain Services (AD DS), you can configure the autoenrollment of computer and user certificates. After autoenrollment is configured and enabled, all domain member computers receive computer certificates when Group Policy is next refreshed, whether the refresh is triggered manually with the gpupdate command or by logging on to the domain. If your computer is a member of a domain where AD DS is not installed, you can install computer certificates manually by requesting them through the Certificates Microsoft Management Console (MMC) snap-in. Note Computers running Windows 2000 can autoenroll computer certificates only. 103 Non-domain member certificate enrollment Certificate enrollment for computers that are not domain members cannot be performed with autoenrollment. When a computer is joined to a domain, a trust is established that allows autoenrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established by using one of the following methods: An administrator (who is, by definition, trusted) must request a computer or user certificate by using the certification authority (CA) Web enrollment tool. An administrator must save a computer or user certificate to a floppy disk or portable USB drive, and then install it on the non-domain member computer. Or, when the computer is not accessible to the administrator — for example, a home computer connecting to an organization network with an Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) VPN connection — a domain user whom the administrator trusts can install the certificate. An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards). Many network infrastructures contain VPN and NPS servers that are not domain members. For example, a VPN server in a perimeter network might not be a domain member for security reasons. In this case, a computer certificate with the Server Authentication purpose contained in the EKU extensions must be installed on the non-domain member VPN server before it can successfully negotiate L2TP/IPsec-based VPN connections with clients. If the non-domain member VPN server is used as an endpoint for a VPN connection with another VPN server, Enhanced Key Usage (EKU) extensions must contain both the Server Authentication and Client Authentication purposes. If you are running an enterprise certification authority (CA) on a computer running Windows Server 2008 or Windows Server 2003, Standard Edition, you can use the following table to determine the best certificate enrollment method for your requirements. Object and domain Certificate Certificate Preferred certificate Alternate membership template purposes enrollment method certificate enrollment method VPN, Internet Authentication Service (IAS), or NPS server, domain member Computer Server Authentication Autoenrollment Request a certificate by using the Certificates snap-in VPN server with site-to-site connection, Computer Server Authentication and Client Autoenrollment Request a certificate by using the Certificates 104 Object and domain Certificate Certificate Preferred certificate Alternate membership template purposes enrollment method certificate enrollment method domain member Authentication snap-in Client running Windows Vista or Windows XP, domain member Computer Client Authentication Autoenrollment Request a certificate by using the Certificates snap-in VPN, IAS, or NPS server, nondomain member Computer Server Authentication CA Web enrollment Install from a tool floppy disk or portable USB drive VPN server with site-to-site connection, nondomain member Computer Server Authentication and Client Authentication CA Web enrollment Install from a tool floppy disk or portable USB drive Client running Windows Vista or Windows XP, nondomain member Computer Client Authentication CA Web enrollment Install from a tool floppy disk or portable USB drive User, domain user User Client Authentication Autoenrollment Use a smart card or the CA Web enrollment tool If your enterprise CA is on a computer running one of the following operating systems, the RAS and IAS Servers and Workstation Authentication templates are available for use: Windows Server 2003, Enterprise Edition Windows Server 2003, Datacenter Edition Windows Server 2003, Enterprise Edition for Itanium-based Systems Windows Server 2003, Datacenter Edition for Itanium-based Systems Windows Server 2003, Enterprise x64 Edition Windows Server 2003, Datacenter x64 Edition Windows Server 2008 Use the following table to determine when to use these templates. 105 Object and domain Certificate Certificate Preferred Alternate membership template purpose certificate certificate enrollment method enrollment method VPN, IAS, or NPS server, domain member RAS and IAS Server Server Authentication Autoenrollment Request a certificate by using the Certificates snap-in Client running Windows Vista or Windows XP, domain member Workstation Authentication Client Authentication Autoenrollment Request a certificate by using the Certificates snap-in VPN, IAS, or NPS server, nondomain member RAS and IAS Server Server Authentication CA Web enrollment tool Install from a floppy disk or portable USB drive Client Authentication CA Web enrollment tool Install from a floppy disk or portable USB drive Client running Workstation Windows Vista or Authentication Windows XP, nondomain member Important If your server running NPS is not a domain controller but is a member of a domain with a Windows 2000 mixed functional level, you must add the server to the access control list (ACL) of the RAS and IAS Server certificate template. You must also configure the correct permissions for autoenrollment. There are different procedures for adding single servers and groups of servers to the ACL. To add an individual server to the ACL for the RAS and IAS server certificate template 1. In the Certificate Templates snap-in, select the template RAS and IAS server, and then add the NPS server to the template Security properties. 2. After you have added your NPS server to the ACL, grant Read, Enroll, and Auto-enroll permissions. To manage a group of servers, add the servers to a new global or universal group, and then add the group to the ACL of the certificate template 1. In the Active Directory Users and Computers snap-in, create a new global or universal 106 group for NPS servers. 2. Add to the group all computers that are NPS servers, and that are members of a domain with a Windows 2000 mixed functional level, but that are not domain controllers. 3. In the Certificate Templates snap-in, select the RAS and IAS server template, and then add the group you created to the template Security properties. 4. Grant Read, Enroll, and Auto-enroll permissions. Mapping with Certificate-Based Authentication Certificate-based authentication is more secure than password-based authentication. In addition, when you map certificates to user accounts instead of using password-based authentication methods, an authentication request is not forwarded to the partner organization Remote Authentication Dial-In User Service (RADIUS) server and user account database. For these reasons, certificate mapping enhances security and can significantly reduce logon time for users. A certificate is mapped to a user account in one of two ways: a single certificate is mapped to a single user account (one-to-one mapping) or multiple certificates are mapped to one user account (many-to-one mapping). One-to-One Mapping For one-to-one mapping of certificates to visitor user accounts, you must perform the following tasks: Create a user account for each visitor. Because the user account itself is not mapped to the user account at the partner organization, the user account names do not have to exactly match the user account names in the partner organization user accounts database. Configuring the local account with the same user name, however, can make it easier to configure realm manipulation rules. Map the certificate to a user account. Perform cross-certification or authorize the partner organization certification authority (CA) as a qualified subordinate CA by using a computer running Windows Server 2008 and Active Directory Certificate Services (AD CS) or Windows Server 2003, Enterprise Edition, and Certificate Services. Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2008 or Windows Server 2003 domain functional level and clients running Windows Vista or Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead. 107 Configure your NPS server or NPS proxy server Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with mapped certificates, you are not required to use NPS as a proxy server. Configure a connection request policy for visitor access by using the New Connection Request Policy Wizard. Create a realm manipulation rule to map the partner organization realm name, which is contained in the user certificate, to the local user account of the user. For example, if user@example.com is mapped to user@microsoft.com, the realm manipulation rule must replace “@example.com” with “@microsoft.com” by using regular expressions. Configure a network policy for visitor access. Ensure that network access servers (NASs) are configured as RADIUS clients to this NPS server. When visitors log on to your network, they do so through NASs, such as wireless access points (APs). These APs must be configured as RADIUS clients to your NPS proxy server or NPS server. Many-to-One Mapping Many-to-one certificate mapping allows you to map many certificates to one user account. After you have trusted the enterprise root CA of a partner organization, you can map all certificates issued by the partner organization CA to one account that you create in your local domain. This solution provides ease of management for many users, and eliminates the need to create an individual user account for every visitor to your organization. For many-to-one mapping of certificates, you must perform the following steps: Perform cross-certification or authorize the partner organization CA as a qualified subordinate CA by using a computer running Windows Server 2008 and AD CS or Windows Server 2003, Enterprise Edition, and Certificate Services. Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2008 or Windows Server 2003 domain functional level and clients running Windows Vista or Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead. Create one user account and map the partner organization certificates to the account. Configure your NPS server or NPS proxy server Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with mapped certificates, you are not required to use NPS as a proxy server. Configure a connection request policy for visitor access by using the New Connection Request Policy Wizard. 108 Create a realm manipulation rule to map the partner organization realm name, which is contained in the user's certificate, to the user's local user account. For example, if user@tailspintoys.com is mapped to user@microsoft.com, the realm manipulation rule must replace @tailspintoys.com with “@microsoft.com” by using patternmatching syntax. Ensure that NASs are configured as RADIUS clients to this NPS server. Configure a network policy for visitor access. When visitors log on to your network, they do so through NASs, such as wireless APs. These APs must be configured as RADIUS clients to your NPS proxy server or NPS server. Note For strong security between your NPS proxy server and your partner organization RADIUS servers, you can use Internet Protocol security (IPsec). Password-based Authentication Protocols Password-based authentication methods do not provide strong security and their use is not recommended. It is recommended that you use a certificate-based authentication method for all network access methods that support the use of certificates. This is especially true for wireless connections, for which the use of PEAP-MS-CHAP v2 or PEAP-TLS is recommended. In this section Microsoft Challenge Handshake Authentication Protocol v2 Microsoft Challenge Handshake Authentication Protocol v1 Challenge Handshake Authentication Protocol Shiva Password Authentication Protocol Password Authentication Protocol Microsoft Challenge Handshake Authentication Protocol v2 Version 2 of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) provides stronger security for network access connections than its predecessor, MS-CHAP. MS-CHAP v2 solves some issues of MS-CHAP version 1, as shown in the following table. MS-CHAP version 1 issue MS-CHAP version 2 solution LAN Manager encoding of the response used for backward compatibility with older Microsoft MS-CHAP v2 no longer allows LAN Manager encoded responses. 109 MS-CHAP version 1 issue MS-CHAP version 2 solution remote access clients is cryptographically weak. LAN Manager encoding of password changes is cryptographically weak. MS-CHAP v2 no longer allows LAN Manager encoded password changes. Only one-way authentication is possible. The remote access client cannot verify that it is dialing in to its organization's remote access server or a masquerading remote access server. MS-CHAP v2 provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user password. With 40-bit encryption, the cryptographic key is based on the user password. Each time the user connects with the same password, the same cryptographic key is generated. With MS-CHAP v2, the cryptographic key is always based on the user password and an arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used. A single cryptographic key is used for data sent in both directions on the connection. With MS-CHAP v2, separate cryptographic keys are generated for transmitted and received data. MS-CHAP v2 is a one-way encrypted password, mutual authentication process that works as follows: 1. The authenticator — the network access server (NAS) or the server running Network Policy Server (NPS) — sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string. 2. The access client sends a response that contains: The user name. An arbitrary peer challenge string. A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password. 3. The authenticator checks the response from the client and sends back a response containing: An indication of the success or failure of the connection attempt. An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user password. 4. The access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the access client terminates the connection. 110 Enabling MS-CHAP v2 To enable MS-CHAP v2–based authentication, you must do the following: 1. Enable MS-CHAP v2 as an authentication protocol on the network access server. 2. Enable MS-CHAP v2 on the appropriate network policy. 3. Enable MS-CHAP v2 on the access client. Additional considerations Following are additional things to consider before deploying MS-CHAP v2: MS-CHAP (version 1 and version 2) is the only password-based authentication protocol provided in NPS that supports password change during the authentication process. Make sure your network access server supports MS-CHAP v2 before you enable it on a network policy on an NPS server. For more information, see your NAS documentation. Microsoft Challenge Handshake Authentication Protocol v1 Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), also known as MS-CHAP version 1, is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows: 1. The authenticator — the network access server (NAS) or the server running Network Policy Server (NPS) — sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string. 2. The access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password. 3. The authenticator checks the response and, if valid, the user credentials are authenticated. If you use MS-CHAP as the authentication protocol, then you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data sent on the PPP or PPTP connection. MS-CHAP version 2 provides stronger security for network access connections than MS-CHAP. Consider using MS-CHAP version 2 instead of MS-CHAP. Enabling MS-CHAP To enable MS-CHAP-based authentication, you must do the following: 1. Enable MS-CHAP as an authentication protocol on the network access server. 2. Enable MS-CHAP on the appropriate network policy in NPS. 3. Enable MS-CHAP on the access client. 111 Additional considerations Following are additional things to consider before deploying MS-CHAP: By default in Windows Server 2008, MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Windows NT 3.5x and Windows 95, see NPS: LAN Manager Authentication. If MS-CHAP v1 is used as the authentication protocol, a 40-bit encrypted connection cannot be established if the user password is larger than 14 characters. This behavior affects both dial-up and VPN-based remote access and demand-dial connections. Challenge Handshake Authentication Protocol Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is used by various vendors of network access servers (NASs) and clients. A server running Routing and Remote Access supports CHAP so that access clients that require CHAP can be authenticated. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol such as MS-CHAP version 2. To enable CHAP-based authentication, you must do the following: 1. Enable CHAP as an authentication protocol on the network access server. 2. Enable CHAP on the appropriate network policy in NPS. 3. Enable storage of a reversibly encrypted form of the user password. You can enable storage of a reversibly encrypted form of the user password per user account or enable storage for all accounts in a domain. 4. Force a reset of the user password so that the new password is in a reversibly encrypted form. When you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either manually change user passwords or set user passwords to be changed the next time each user logs on. After the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before they attempt to log on by using a remote access connection and CHAP. You cannot change passwords during the authentication process by using CHAP because the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password. 5. Enable CHAP on the access client. 112 Additional considerations Following are additional things to consider before deploying CHAP: When users passwords expire, CHAP does not provide the ability for them to change passwords during the authentication process. Verify that your NAS supports CHAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation. You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP. Shiva Password Authentication Protocol Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). To enable SPAP-based authentication, you must do the following: 1. Enable SPAP as an authentication protocol on the RADIUS client. SPAP is disabled by default. 2. Enable SPAP on the appropriate network policy. SPAP is disabled by default. 3. Enable SPAP on the access client. Important When you enable SPAP as an authentication protocol, the same user password is always sent in the same reversibly-encrypted form. This makes SPAP authentication susceptible to replay attacks, where an attacker captures the packets of the authentication process and replays the responses to gain authenticated access to your network. The use of SPAP is discouraged, especially for virtual private network connections. Additional considerations Following are additional things to consider before deploying SPAP: If your password expires, SPAP cannot change passwords during the authentication process. Make sure your network access server (NAS) supports SPAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation. You cannot use Microsoft Point-to-Point Encryption (MPPE) with SPAP. 113 Password Authentication Protocol Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the access client and network access server (NAS) cannot negotiate a more secure authentication method. To enable PAP-based authentication, you must do the following: 1. Enable PAP as an authentication protocol on the network access server. 2. Enable PAP on the appropriate network policy in Network Policy Server (NPS). 3. Enable PAP on the access client. Important When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is highly discouraged, especially for virtual private network connections. Additional considerations Following are additional things to consider before deploying PAP: If you deploy a dial-up server, by disabling the support for PAP on the NAS you ensure that plaintext passwords are never sent by dial-up clients. Disabling support for PAP increases authentication security, but remote access clients who only support PAP cannot connect. When users passwords expire, PAP does not provide the ability for them to change passwords during the authentication process. Make sure your NAS supports PAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation. You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP. Unauthenticated Access With unauthenticated access, user credentials (a user name and password) are not required. There are some situations where unauthenticated access is useful, although in most cases it is not recommended that you deploy unauthenticated access to your organization network. When you enable unauthenticated access, users are allowed access to your network without sending user credentials. In addition, unauthenticated access clients do not negotiate the use of a common authentication protocol during the connection establishment process and do not send a user name or password to Network Policy Server (NPS). If you permit unauthenticated access on your network, clients can connect without being authenticated if the authentication protocols configured on the access client do not match the authentication protocols that are configured on the network access server (NAS). In this case, the 114 use of a common authentication protocol is not negotiated and the access client does not send a user name and password. This circumstance creates a severe security problem and unauthenticated access should not be allowed on most networks. In the circumstances where you must use unauthenticated access, you can use one of the following solutions: Dialed Number Identification Service (DNIS) authorization Automatic Number Identification/Calling Line Identification (ANI/CLI) authentication Guest authentication The following sections provide detail on each of these access methods. DNIS authorization DNIS enables the authorization of a connection attempt by NPS based on the number that the client computer called to initialize the connection. DNIS identifies the number that was called to the receiver of the call and is provided by most standard telephone companies. For example, you can allow all connections that connect through a specific toll-free number. To identify DNIS-based connections and apply the appropriate connection settings, you must do the following: 1. Enable unauthenticated access on the network access server. 2. Create a network policy on the NPS server for DNIS-based authorization with the CalledStation-Id condition set to the phone number that client computers must call to initiate the connection. 3. Enable unauthenticated access on the network policy in NPS for DNIS-based authorization. Additional considerations Following are additional things to consider before deploying DNIS: If your phone service or hardware does not support DNIS, the passing of the number that was called, you can manually set the phone number of the port. NPS does not support proxied DNIS access requests. ANI/CLI authentication ANI/CLI) authentication is the authentication of a connection attempt based on the phone number of the caller. ANI/CLI service returns the number of the caller to the receiver of the call and is provided by most standard telephone companies. ANI/CLI authentication is different from caller ID authorization. In caller ID authorization, the caller sends a valid user name and password. The caller ID that is configured for the dial-in property on the user account must match the connection attempt; otherwise, the connection attempt is rejected. With ANI/CLI authentication, a user name and password are not sent. To identify ANI/CLI-based connections and apply the appropriate connection settings, you must do the following: 1. Enable unauthenticated access on the network access server. 115 2. Enable unauthenticated access on the appropriate network policy in NPS for ANI/CLI-based authentication. 3. Create a user account in Active Directory Domain Services (AD DS) or the local Security Accounts Manager (SAM) database on the NPS server for each number for which you want to provide ANI/CLI authentication. The name of the user account must match the number that the user is dialing from. For example, if a user is dialing in from 555-0100, create a "5550100" user account. 4. Set the following registry value to 31 on the NPS server: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\U ser Identity Attribute This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when there is no user name being supplied in the connection attempt. To always use the calling number as the user identity, set the following registry value to 1 on the authenticating server: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\O verride User-Name However, if you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can only perform ANI/CLI-based authentication. Normal authentication by using authentication protocols such as MS-CHAP, CHAP, and EAP is disabled. Note Changes to the registry settings do not take effect until the Routing and Remote Access service (RRAS) or the NPS service is restarted. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Guest authentication By default, AD DS includes a user account called Guest. By default, this account is disabled, but if you want to provide unauthenticated access you can enable the Guest account. With guest authentication, during the authentication process, the user does not provide a user name or password. If unauthenticated access is enabled, by default the Guest account is used as the identity of the caller. To enable Guest account access, you must do the following: 1. Enable unauthenticated access on the network access server. 2. Enable unauthenticated access on the appropriate network policy in NPS. 3. Enable the Guest account in the Active Directory Users and Computers snap-in. 116 4. Set the remote access permission on the Guest account to either Allow access or Control access through NPS Network Policy depending on your network access administrative model. If you want to enable a guest account that is not named Guest, create a user account and set the remote access permission to either Allow access or Control access through NPS Network Policy. Then, set the following registry value on the authenticating server (either the network access server or the NPS server) to the name of the account: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Defau lt User Identity Note Changes to the registry settings do not take effect until the Routing and Remote Access service or the Network Policy Server service are restarted. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. RADIUS Protocol RADIUS is an industry standard protocol described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2865, “Remote Authentication Dial-in User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” RADIUS is used to provide authentication, authorization, and accounting services. In this section RADIUS Attributes Vendor-Specific Attributes During the network connection attempt by a client computer or other device, a RADIUS client, such as a virtual private network (VPN) server or wireless access point, sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers. Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. 117 RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some older network access servers (NASs) might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. NPS can receive RADIUS messages on any configurable set of ports. By default, NPS monitors for, receives, and sends RADIUS traffic on the following UDP ports: 1812 and 1645 for RADIUS authentication messages and 1813 and 1646 for RADIUS accounting messages. Exactly one RADIUS message is encapsulated in the UDP payload. RADIUS message format The following section provides information that might be useful for the following: Understanding a Network Monitor capture. Understanding the different message formats for analyzing the accounting log. Entering vendor-specific attribute (VSA) numbers. General packet structure The figure, “General Structure of RADIUS Packet,” provides a summary of the data structure of a RADIUS packet. The RADIUS client or server sends the fields from top to bottom, or from the Code field in vertical order to the Attributes field. General Structure of RADIUS Packet Code field The Code field is 1 byte long and indicates the type of RADIUS message. A message with a Code field that is not valid is silently discarded. The defined values for the RADIUS Code field are listed in the following table. Codes (Decimal) Packets 1 Access-Request 2 Access-Accept 3 Access-Reject 118 Codes (Decimal) Packets 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server (experimental) 13 Status-Client (experimental) 255 Reserved Identifier field The Identifier field is 1 byte long and is used to match a request with its corresponding response. Length field The Length field is two octets long and indicates the entire length of the RADIUS message, including the Code, Identifier, Length, and Authenticator fields, and the RADIUS attributes. The Length field can vary from 20 to 4,096 bytes. Authenticator field The Authenticator field is 16 octets long and contains the information that the RADIUS client and server use to verify that the message came from a computer that is configured with a common shared secret. Attributes section The Attributes section of the RADIUS message contains one or more RADIUS attributes, which carry the specific authentication, authorization, information, and configuration details for RADIUS messages. RADIUS message example A Windows Server 2003 Point-to-Point Tunneling Protocol (PPTP) client attempts a remote access connection to a Windows Server 2003 VPN server. The VPN server is at the IP address 10.10.210.13, and the NPS server is at the IP address 10.10.210.12. Access-Request message The following Network Monitor capture display shows the Access-Request message sent by the VPN server to the NPS server. + IP: ID = 0x850; Proto = UDP; Len: 248 119 + UDP: Src Port: Unknown, (1327); Dst Port: Unknown (1812); Length = 228 (0xE4) RADIUS: Message Type: Access Request(1) RADIUS: Message Type = Access Request RADIUS: Identifier = 2 (0x2) RADIUS: Length = 220 (0xDC) RADIUS: Authenticator = 8A 6F DC 03 23 5F 4B 62 CA 40 92 38 DC 75 CB 74 RADIUS: Attribute Type: NAS IP Address(4) RADIUS: Attribute type = NAS IP Address RADIUS: Attribute length = 6 (0x6) RADIUS: NAS IP address = 10.10.210.13 RADIUS: Attribute Type: Service Type(6) RADIUS: Attribute type = Service Type RADIUS: Attribute length = 6 (0x6) RADIUS: Service type = Framed RADIUS: Attribute Type: Framed Protocol(7) RADIUS: Attribute type = Framed Protocol RADIUS: Attribute length = 6 (0x6) RADIUS: Framed protocol = PPP RADIUS: Attribute Type: NAS Port(5) RADIUS: Attribute type = NAS Port RADIUS: Attribute length = 6 (0x6) RADIUS: NAS port = 32 (0x20) RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 12 (0xC) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = _ RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 18 (0x12) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = MSRASV5.00 RADIUS: Attribute Type: NAS Port Type(61) 120 RADIUS: Attribute type = NAS Port Type RADIUS: Attribute length = 6 (0x6) RADIUS: NAS port type = Virtual RADIUS: Attribute Type: Tunnel Type(64) RADIUS: Attribute type = Tunnel Type RADIUS: Attribute length = 6 (0x6) RADIUS: Tag = 0 (0x0) RADIUS: Tunnel type = Point-to-Point Tunneling Protocol(PPTP) RADIUS: Attribute Type: Tunnel Media Type(65) RADIUS: Attribute type = Tunnel Media Type RADIUS: Attribute length = 6 (0x6) RADIUS: Tag = 0 (0x0) RADIUS: Tunnel media type = IP (IP version 4) RADIUS: Attribute Type: Calling Station ID(31) RADIUS: Attribute type = Calling Station ID RADIUS: Attribute length = 14 (0xE) RADIUS: Calling station ID = 10.10.14.226 RADIUS: Attribute Type: Tunnel Client Endpoint(66) RADIUS: Attribute type = Tunnel Client Endpoint RADIUS: Attribute length = 14 (0xE) RADIUS: Tunnel client endpoint = 10.10.14.226 RADIUS: Attribute Type: User Name(1) RADIUS: Attribute type = User Name RADIUS: Attribute length = 18 (0x12) RADIUS: User name = NTRESKIT\johndoe RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 24 (0x18) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = _+-_e_$+fN<N RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 58 (0x3A) RADIUS: Vendor ID = 311 (0x137) 121 RADIUS: Vendor string = _4 The RADIUS attributes sent by the VPN server include the framed protocol, the service type, the class, various tunnel attributes for the PPTP connection, and a series of vendor-specific attributes (VSA)s for Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) authentication. For more information about Microsoft vendor-specific RADIUS attributes, see RFC 2548. Access-Accept message The following Network Monitor output shows the Access-Accept message sent by the NPS server to the VPN server. + IP: ID = 0xB18; Proto = UDP; Len: 248 + UDP: Src Port: Unknown, (1812); Dst Port: Unknown (1327); Length = 228 (0xE4) RADIUS: Message Type: Access Accept(2) RADIUS: Message Type = Access Accept RADIUS: Identifier = 2 (0x2) RADIUS: Length = 220 (0xDC) RADIUS: Authenticator = 52 E19 98 2E F8 E2 D3 B7 3B E1 24 5B 72 55 9E RADIUS: Attribute Type: Framed Protocol(7) RADIUS: Attribute type = Framed Protocol RADIUS: Attribute length = 6 (0x6) RADIUS: Framed protocol = PPP RADIUS: Attribute Type: Service Type(6) RADIUS: Attribute type = Service Type RADIUS: Attribute length = 6 (0x6) RADIUS: Service type = Framed RADIUS: Attribute Type: Class(25) RADIUS: Attribute type = Class RADIUS: Attribute length = 32 (0x20) RADIUS: Class = <$_@ RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 42 (0x2A) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = _$_DZ,Sc7__:+•RW_t-qxF (-+%p6 122 RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 42 (0x2A) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = _$_ RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 51 (0x33) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = _RADIUS: Attribute Type: Vendor Specific(26) RADIUS: Attribute type = Vendor Specific RADIUS: Attribute length = 21 (0x15) RADIUS: Vendor ID = 311 (0x137) RADIUS: Vendor string = The RADIUS attributes sent by the NPS server include the user name, the service type, the framed protocol, the service class, and a series of VSAs for MS-CHAP v1 authentication. RADIUS Attributes RADIUS attributes are containers that include a type, a length, and a value that hold information that is sent in RADIUS messages between RADIUS clients and RADIUS servers. One RADIUS message can include multiple RADIUS attributes, each of which holds a specific type of information for which the attribute was designed. For example, the Calling-Station-ID attribute can include a value that is the telephone number from which a dial-up networking session was initiated. A dial-in server that is configured as a RADIUS client can send the Calling-Station-ID attribute, along with other attributes and information, in an Access-Request RADIUS message to a RADIUS server. The following figure shows the structure of each RADIUS attribute. RADIUS attributes use the common Type-Length-Value format that is used by other protocols. 123 Type field The Type field is 1 byte long and indicates the specific type of RADIUS attribute. Length field The Length field is one byte long and indicates the length of the attribute, including the Type, Length, and Value fields. Value field The Value field is zero or more octets and contains information specific to the attribute. The format and length of the Value field is based on the type of RADIUS attribute. Note that value 26 is reserved for vendor-specific attributes (VSAs). RADIUS standard attribute types The RADIUS standard attributes are listed in the following table. For information about other RADIUS attributes and their use, see Internet Engineering Task Force (IETF) Request for Comments (RFCs) 2865 and 2866. Type Value Attribute Name Type Value Attribute Name 1 User-Name 45 Acct-Authentic 2 User-Password 46 Acct-Session-Time 3 CHAP-Password 47 Acct-Input-Packets 4 NAS-IP-Address 48 Acct-Output-Messages 5 NAS-Port 49 Acct-Terminate-Cause 6 Service-Type 50 Acct-Multi-Session-Id 7 Framed-Protocol 51 Acct-Link-Count 8 Framed-IP-Address 52 Acct-Input-Gigawords 9 Framed-IP-Netmask 53 Acct-Output-Gigawords 10 Framed-Routing 55 Event-Timestamp 11 Filter-ID 60 CHAP-Challenge 12 Framed-MTU 61 NAS-Port-Type 13 Framed-Compression 62 Port-Limit 14 Login-IP-Host 63 Login-LAT-Port 15 Login-Service 64 Tunnel-Type 124 Type Value Attribute Name Type Value Attribute Name 16 Login-TCP-Port 65 Tunnel-Medium-Type 18 Reply-Message 66 Tunnel-Client-Endpt 19 Callback-Number 67 Tunnel-Server-Endpt 20 Callback-Id 68 Acct-Tunnel-Connection 22 Framed-Route 69 Tunnel-Password 23 Framed-IPX-Network 70 ARAP-Password 24 State 71 ARAP-Features 25 Class 72 ARAP-Zone-Access 26 Vendor-Specific 73 ARAP-Security 27 Session-Time-out 74 ARAP-Security-Data 28 Idle-Time-out 75 Password-Retry 29 Termination-Action 76 PROMPT 30 Called-Station-Id 77 Connect-Info 31 Calling-Station-Id 78 Configuration-Token 32 NAS-Identifier 79 EAP-Message 33 Proxy-State 80 Message-Authenticator 34 Login-LAT-Service 81 Tunnel-Pvt-Group-ID 35 Login-LAT-Node 82 Tunnel-Assignment-ID 36 Login-LAT-Group 83 Tunnel-Preference 37 Framed-AppleTalk-Link 84 ARAP-ChallengeResponse 38 Framed-AppleTalkNetwork 85 Acct-Interim-Interval 39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost 40 Acct-Status-Type 87 NAS-Port-Id 41 Acct-Delay-Time 88 Framed-Pool 42 Acct-Input-Octets 90 Tunnel-Client-Auth-ID 43 Acct-Output-Octets 91 Tunnel-Server-Auth-ID 44 Acct-Session-Id 125 Vendor-Specific Attributes Network Policy Server (NPS) allows you to add vendor-specific attributes (VSAs) to individual network policies, providing you with the ability to deploy new Remote Authentication Dial-In User Service (RADIUS) client products that have proprietary functionality that are not defined in Request for Comments (RFC) 2865. NPS includes VSAs from a number of vendors in its multivendor dictionary. However, over time vendors create new products that use VSAs, and the multivendor dictionary cannot be updated frequently in an efficient manner. You can add attributes that are not in the NPS multivendor dictionary as Vendor-Specific attributes (RADIUS standard attribute type 26) on the Settings tab of a network policy. To use attribute type 26 to create a custom attribute, an administrator must know the VSA format and the exact information to enter. The VSA formats are documented in the following section. For information about what values to enter, see your network access server (NAS) documentation. The following figure shows the VSA structure. Type value The Type value is one byte long and is set to 26 (0x1A) to indicate a VSA. Length value The Length value is one byte long and is set to the number of bytes in the VSA. Vendor-ID value Vendor-ID is 4 octets long. The high-order octet is 0, and the low-order is 3 octets. Together, they make up the Structure and Identification of Management Information (SMI) Network Management Private Enterprise Code of the vendor. String field The String field in the VSA consists of one or more octets. To conform to the recommendation of RFC 2865, the String field should consist of the fields as shown in the following figure. 126 Vendor Type value The Vendor Type value is used to indicate a specific VSA for the vendor. Vendor Length value The Vendor Length value is set to the number of bytes in the string. Attribute-Specific field The Attribute-Specific field contains the data for the specific vendor attribute. Vendors who do not conform to RFC 2865 use attribute type 26 to identify a VSA, but do not use the Vendor Type, Vendor Length, and Attribute-Specific fields within the String field. When adding a VSA for a particular NAS, you must know whether the attribute conforms to RFC 2865. For information about whether your NAS uses the VSA format documented in the figure earlier in this section, see your NAS documentation. Note While you configure a custom VSA, if the VSA format conforms to RFC 2865, use the Yes. It conforms option and then configure the attribute with the vendor-assigned attribute number, attribute format, and attribute value as defined in NAS documentation. If the VSA format does not conform to RFC 2865, choose No. It does not conform, and then configure the attribute with the hexadecimal attribute value, which includes the string of the VSA format (everything after Vendor-ID) as defined in NAS documentation. For a complete list of Microsoft VSAs that you can use with NPS, see sections 2.2.1.1 through 2.2.1.28 of Microsoft Vendor-Specific Attributes (VSAs) in the Microsoft Developer Network Library at http://go.microsoft.com/fwlink/?LinkId=125707. NPS Processes and Interactions In this section Incoming RADIUS Message Validation Network Access Quarantine Control in NPS NPS and Tunneling NPS Certificate Revocation List (CRL) Checks Processing a User Name Without a Domain Name 127 Connection Request Processing NPS Authorization Process RADIUS Authentication Process Overview Incoming RADIUS Message Validation The following sections provide information about how Network Policy Server (NPS) validates incoming Remote Authentication Dial-In User Service (RADIUS) messages under various circumstances. NPS server validation of RADIUS messages For RADIUS messages for which NPS is acting as RADIUS server, NPS performs the following validation checks: 1. NPS verifies that the RADIUS message was sent from a configured RADIUS client by checking the source IP address of the RADIUS message. If the message is not from a configured RADIUS client, it is silently discarded and an event is logged in the system event log. 2. NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message. NPS also checks whether or not the attributes themselves are the expected data type. If the attribute is not the expected data type, or if the RADIUS message is malformed, the message is discarded and an event is logged in the system event log. 3. The User-Name attribute is checked for the value of the Ping User-Name registry setting. If there is a match between the value of the User-Name attribute and the value of the Ping User-Name registry setting, NPS sends an Access-Reject for authentication requests and an accounting response for accounting requests. 4. If the Message-Authenticator attribute is present, its value is validated by using the shared secret. A shared secret is a text string that serves as a password between a RADIUS server and a RADIUS client. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log. NPS proxy validation of RADIUS request messages For RADIUS request messages for which NPS is acting as RADIUS proxy, NPS performs the following validation checks: 128 1. NPS verifies that the RADIUS message was sent from a configured RADIUS client by checking the source IP address of the RADIUS message. If the message is not from a configured RADIUS client, it is silently discarded, and an event is logged in the system event log. 2. NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message. If the RADIUS message is malformed, it is silently discarded and an event is logged in the system event log. 3. NPS checks for the presence of the Proxy-State attribute and whether the value of the ProxyState attribute corresponds to an active proxy session in the proxy session table. If the RADIUS message does not contain a valid Proxy-State attribute, it is silently discarded and an event is logged in the system event log. 4. If the Message-Authenticator attribute is present, its value is validated using the shared secret. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log. NPS proxy validation of RADIUS response messages For RADIUS response messages for which NPS is acting as RADIUS proxy, NPS performs the following validation checks: 1. NPS verifies that the RADIUS message was sent from a configured remote RADIUS server by checking the source IP address of the RADIUS message. If the message is not from a configured remote RADIUS server, it is silently discarded and an event is logged in the system event log. 2. NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message. If the RADIUS message is malformed, it is silently discarded, and an event is logged in the system event log. 3. NPS checks for the presence of the Proxy-State attribute and whether the value of the ProxyState attribute corresponds to an active proxy session in the proxy session table. If the RADIUS message does not contain a valid Proxy-State attribute, it is silently discarded and an event is logged in the system event log. 4. NPS checks the IP source address and UDP source port of the message against the matching entry in the proxy session table to verify that the message was sent from the remote RADIUS server to which the initial request was sent. 129 5. The value of the Authenticator field is checked. If the RADIUS message contains an Authenticator field that is not valid, it is silently discarded and an event is logged in the system event log. This is typically caused by mismatched shared secrets between the NPS server and the remote RADIUS server that sends the RADIUS message. 6. If the Message-Authenticator attribute is present, its value is validated using the shared secret. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log. Network Access Quarantine Control in NPS Network Access Quarantine Control (NAQC) in Network Policy Server (NPS) provides phased network access for remote virtual private network (VPN) client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in compliance with your organization’s network policy, quarantine restrictions, which consist of IP filters and session timers, are removed and standard network policy is applied to the connection. NAQC provides protection when VPN users in your organization accidentally reconfigure key settings and do not restore them before connecting to your network. For example, a user might disable antivirus software that is required while connected to your network. Although NAQC does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements. You can use the Routing and Remote Access service (RRAS) to process the Remote Authentication Dial-In User Service (RADIUS) options sent by NPS, complete any required client configuration work, and remove the quarantine condition (or drop the connection) based on success or failure. Understanding NAQC and NAP Network Access Quarantine Control is not the same as Network Access Protection (NAP). NAQC is used only for VPN connections when you deploy VPN with RRAS in Windows Server 2008 or Windows Server 2003. In addition, to deploy NAQC, you must write and distribute a script that runs on VPN client computers and that verifies the client computer configuration. NAP can be deployed with many different enforcement methods, including 802.1X, Internet Protocol security (IPsec), Terminal Services Gateway TS Gateway), RRAS, and Dynamic Host Configuration Protocol (DHCP) enforcement. NAP requires multiple deployment actions, however it does not require that you write scripts that run on client computers. For more information, see Network Access Protection (NAP). 130 Quarantine mode Quarantine mode is a set of network restrictions that are configured in network policy and are implemented by the remote access server for each connection. Note You can configure network policy in either the Routing and Remote Access service console or the NPS console, depending on whether you are using NPS for your NAQC deployment. By configuring the MS-Quarantine-IPFilter attribute in network policy settings, you can use a quarantine IP Filter to restrict access to a specified set of servers (for example, servers on a virtual LAN). In addition, by configuring the MS-Quarantine-Session-Timeout attribute in network policy settings, you can use a quarantine session timer to restrict the amount of time that the VPN client can remain connected in quarantine mode. To configure the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes 1. In the NPS console, double-click Policies, click Network Policies, and then, in the details pane, double-click the network policy that you want to configure. 2. In policy Properties, click the Settings tab. 3. In RADIUS Attributes, click Vendor Specific, and then click Add. The Add Vendor Specific Attribute dialog box opens. 4. In Add Vendor Specific Attribute, in Vendor, select Microsoft, and then browse to the attribute that you want to configure. Note In the NPS console, there is also a Microsoft vendor-specific attribute named MSQuarantine-User-Class. This attribute is not for use with NAQC; it is used when you deploy the DHCP enforcement method of NAP. Do not use the MS-Quarantine-UserClass attribute when you deploy NAQC. Components of Network Access Quarantine Control You can implement NAQC with one or more servers running Windows Server 2008 and Routing and Remote Access, one or more servers running Windows Server 2008 and NPS, a Connection Manager profile created with Connection Manager Administration Kit (CMAK), an administratorprovided script or the Quarchk.cmd file, and two additional NAQC components: the notifier component and the listener component. The notifier component is a program named Rqc.exe that you can include in a Connection Manager profile. The listener component can be configured in the Services Microsoft Management Console (MMC) snap-in after you install Routing and Remote Access. Important NPS is an optional component of NAQC. You can deploy NAQC without NPS if you choose to create network policy in Routing and Remote Access. This is practical if you 131 only have one or two virtual private network (VPN) servers. If you have multiple VPN servers, however, it is recommended that you deploy a server running NPS and configure network policy in NPS. This allows you to configure network policy one time in NPS rather than multiple times, once on each VPN server. You can add Rqc.exe to the Connection Manager profile for installation on the client computer when the profile is installed. After the administrator-provided script has run successfully on the client computer, Rqc.exe notifies the remote access server. Note After you install Routing and Remote Access and CMAK, Rqc.exe and Quarchk.cmd are located at %systemroot%\Program Files\CMAK\Support. The listener component, named the Remote Access Quarantine Agent service, is included when you install Routing and Remote Access. However, the Remote Access Quarantine Agent service is disabled by default. When you deploy NAQC, you must start the Remote Access Quarantine Agent service and change its startup type to automatic. Note To configure the Remote Access Quarantine Agent service, install Routing and Remote Access, and then open the Services MMC snap-in. Browse to and double-click the Remote Access Quarantine Agent service. The Remote Access Quarantine Agent service receives notification from Rqc.exe that either Quarchk.cmd or the script on the client has successfully performed all configuration checks. After the Remote Access Quarantine Agent service receives notification, it removes the client from quarantine mode, and the remote access server applies standard network policy to the client. Caution Placing all remote access clients in quarantine mode without a way to remove quarantine policy and apply full access policy might prevent all remote access clients from establishing network connections. For more information, see Deploying Network Access Quarantine Control in NPS Help in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=119931. NPS and Tunneling The entire process of packet encapsulation, transmission, and de-encapsulation is called tunneling. More specifically, tunneling is a method of using an internetwork infrastructure of one protocol to transfer a payload. Sometimes, the payload consists of the frames (or packets) of another protocol. Instead of being sent as the originating host produces it, the frame is encapsulated with an additional header. The additional header provides routing information so that the encapsulated payload can traverse an intermediate internetwork (also known as a transit internetwork). The encapsulated packets are then routed between tunnel endpoints over the 132 transit internetwork. After the encapsulated payload packets reach their destination on the transit internetwork, the frame is de-encapsulated and forwarded to its final destination. The logical path in the transit internetwork through which the encapsulated packets travel is called a tunnel. With remote access virtual private network (VPN) connections, there are two types of tunneling: Voluntary and compulsory. Voluntary tunneling When a client computer is configured with the appropriate tunneling protocol, the user or client computer can issue a VPN request to create and configure a voluntary tunnel from the client computer to the VPN server. In this case, the user’s computer is a tunnel endpoint that acts as the tunnel client, and the VPN server is the tunnel server. A simple example of voluntary tunneling occurs when a user with a dial-up connection to the Internet through an Internet service provider (ISP) connects to an organization VPN server that is also connected to the Internet. In this scenario, the user has two separate accounts, each account having its own set of credentials: A set of credentials for an account with an ISP A set of credentials for an account with the organization To connect to the organization VPN server, the client computer uses a dial-up modem to attempt to connect to the ISP dial-up server. The user supplies his ISP account credentials, is authenticated by the ISP Remote Authentication Dial-IN User Service (RADIUS) server against the ISP user accounts database, and is authorized by the ISP RADIUS server to connect to the ISP and the Internet. After the dial-up connection is established and the client computer is on the Internet, the user initiates a VPN connection to his organization VPN server. The VPN server is configured as a RADIUS client to an NPS server at the organization. The user supplies organization account credentials for the connection attempt, and the organization NPS server uses the credentials to authenticate and authorize the user against an Active Directory Domain Services (AD DS) user accounts database. After the user is authenticated and authorized, the VPN tunnel is established and the user can access organization resources. In another example, NPS is used in an outsourced bulk-dial scenario for voluntary tunneling. In the outsourced bulk dial scenario, an ISP is providing both dial-up and non-dedicated broadband digital subscriber line (DSL) Internet access for all the employees of an organization. Rather than providing the ISP with a copy of its user accounts database, the organization and the ISP use a server running NPS as a RADIUS proxy so that users, when connecting to the ISP, can be authenticated and authorized using the organization RADIUS servers and AD DS user accounts database on the organization network. This provides strong security and prevents exposure of sensitive information contained in the user accounts database to the ISP and its employees. When the organization employee attempts to connect to the organization VPN server, the following process occurs: 133 1. The client computer establishes the dial-up or DSL connection to the ISP network access server (NAS). 2. Based on the connection parameters, the NAS sends an Access-Request message to an NPS server that is configured as a RADIUS proxy. 3. The RADIUS proxy processes the Access-Request message and determines where to send it based on the realm portion of the User-Name attribute. The RADIUS proxy forwards the Access-Request message to the organization NPS server, which is accessible on the Internet through a firewall configured to allow traffic on the default RADIUS UDP ports of 1812 (authentication) and 1813 (accounting). 4. The organization NPS server authenticates and authorizes the connection attempt of the client computer and sends an Access-Accept message back to the RADIUS proxy. 5. The RADIUS proxy forwards the Access-Accept message to the ISP NAS, and then the ISP NAS connects the client computer to the Internet. 6. After it is on the Internet, the client computer initiates a VPN tunnel connection with the organization VPN tunnel server on the Internet. 7. Based on the tunnel connection parameters, the tunnel server sends an Access-Request message to the organization NPS server. 8. The organization NPS server authenticates and authorizes the connection attempt of the tunnel client and sends an Access-Accept message back to the tunnel server. 9. The tunnel server completes the tunnel creation, and then the tunnel client can send packets to the organization intranet through the tunnel across the Internet. The following figure illustrates the establishment of a voluntary VPN tunnel by a dial-up client. Voluntary tunneling is not different from other types of network access, and NPS can be used for authentication, authorization, and accounting when the tunnel server is configured as a RADIUS client to the NPS server. Compulsory tunneling Compulsory tunneling is the creation of a secure tunnel by another computer or network device on behalf of the client computer. Compulsory tunnels are configured and created automatically for the user without their knowledge or intervention. With a compulsory tunnel, the user’s computer is 134 not a tunnel endpoint. Another device between the user’s computer and the tunnel server — the dial-up access server dialed by the client — is the tunnel endpoint, acting as the tunnel client. A number of vendors that sell dial-up access servers have implemented the ability to create a tunnel on behalf of a dial-up client. The computer or network device providing the tunnel for the client computer is known as a Front End Processor (FEP) in PPTP, an Access Concentrator in Layer Two Tunneling Protocol (L2TP), or an IP Security Gateway in Internet Protocol security (IPsec). In this section, “How NPS Works,” the acronym FEP describes this functionality, regardless of the tunneling protocol. To carry out its function, the FEP must have the appropriate tunneling protocol installed and must be capable of establishing the tunnel when the client computer attempts a connection. An organization can contract with an ISP to deploy a nationwide set of FEPs. These FEPs can establish tunnels across the Internet to a tunnel server connected to the private network of the organization, thereby consolidating calls from geographically diverse locations into a single Internet connection at the organization network. The following figure shows the outsourced bulk-dial scenario for compulsory tunneling. In the outsourced bulk-dial scenario for compulsory tunneling, a dial-up client establishes a dialup connection to an ISP that is providing tunneled access across the Internet for all the employees of an organization. Based on the dial-up connection parameters, the ISP NAS sends an Access-Request message to an NPS server. The ISP NPS server authorizes, but does not authenticate, the tunnel connection. The ISP NPS server sends an Access-Accept message to the ISP NAS with a series of VPN tunnel attributes. The ISP NAS then acts as a tunnel client and creates a VPN tunnel to the VPN server of the organization that faces the Internet. Note Typically, NPS provides both authentication and authorization. However, it is common for the ISP NPS server to provide only authorization when the dial-in user is authenticated by the organization NPS server. The ISP NAS then sends a PPP message to the dial-up client to restart the authentication process so that the dial-up user can be authenticated by the organization NPS server through the 135 tunnel. The dial-up client sends the authentication information to the ISP NAS, which encapsulates the user account credentials and sends them through the tunnel to the organization tunnel server. After the user account credentials are received by the tunnel server, the tunnel server sends an Access-Request message to the organization NPS server. The organization NPS server authenticates and authorizes the connection of the dial-up client to the tunnel server and sends an Access-Accept message to the tunnel server. The tunnel server then completes the connection to the dial-up client. All data that is sent by the dial-up client is automatically sent through the tunnel to the tunnel server by the ISP NAS. This configuration is known as compulsory tunneling because the client is compelled to use the tunnel created by the FEP. After the initial connection is made, all network traffic to and from the client is automatically sent through the tunnel. In addition, you can configure NPS to instruct an FEP to tunnel different remote access clients to different tunnel servers. Unlike the separate tunnels created for each voluntary client, a compulsory tunnel between the FEP and organization VPN server can be shared by multiple dial-up clients. When a second client dials into the same access server (the FEP) to reach a destination for which a tunnel already exists, the data traffic for the new client is carried over the existing VPN tunnel. The following RADIUS attributes are used to carry the tunneling information from the NPS server to the NAS. Used in authorization only: Tunnel-Assignment-ID Tunnel-Client-Auth-ID Tunnel-Password Tunnel-Preference Tunnel-Pvt-Group-ID Tunnel-Server-Auth-ID Used in authorization and accounting: Tunnel-Client-Endpt Tunnel-Medium-Type (X.25, ATM, Frame Relay, IP, and so on) Tunnel-Server-Endpt Tunnel-Type (such as PPTP and L2TP) Used for accounting only: Acct-Tunnel-Connection The Windows Server 2003 or Windows 2000 Routing and Remote Access service cannot be used as a FEP for compulsory tunneling. 136 NPS Certificate Revocation List (CRL) Checks By default, the NPS server checks for certificate revocation for all the certificates in the certificate chain sent by the client computer during the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP)-TLS authentication process. If certificate revocation fails for any of the certificates in the chain, the connection attempt is not authenticated and is denied. Certificate revocation checking behavior for NPS can be modified with registry settings. For more information, see NPS CRL Check Registry Settings. Because certificate revocation checking can prevent client access due to the unavailability or expiration of certificate revocation lists (CRLs) for each certificate in the certificate chain, design your public key infrastructure (PKI) for high availability of CRLs. For example, configure multiple CRL distribution points for each certification authority (CA) in the certificate hierarchy and configure publication schedules that ensure that the most current CRL is always available. Certificate revocation checking is only as accurate as the last published CRL. For example, if a certificate is revoked, by default the new CRL containing the newly revoked certificate is not automatically published. CRLs are typically published based on a configurable schedule. This means that the revoked certificate can still be used to authenticate because the published CRL is not current; it does not contain the revoked certificate, which can therefore still be used to create wireless connections. To prevent this from occurring, the network administrator must manually publish the new CRL with the newly revoked certificate. By default, the NPS server uses the CRL distribution points in the certificates. However, it is also possible to store a local copy of the CRL on the NPS server. In this case, the local CRL is used during certificate revocation checking. If a new CRL is manually published to Active Directory Domain Services (AD DS), the local CRL on the NPS server is not updated. The local CRL is updated when it expires. This can create a situation wherein a certificate is revoked, the CRL is manually re-published, but the NPS server still allows the connection because the local CRL has not yet been updated. The certificate revocation check for a certificate can fail because of the following issues. The certificate has been revoked The issuer of the certificate has explicitly revoked the certificate. The certificate revocation list (CRL) for the certificate is not reachable or available CAs maintain CRLs and publish them to specific CRL distribution points. The CRL distribution points are included in the CRL Distribution Points property of the certificate. If the CRL distribution points cannot be contacted to check for certificate revocation, then the certificate revocation check fails. 137 Additionally, if there are no CRL distribution points in the certificate, the NPS server cannot verify that the certificate has not been revoked and the certificate revocation check fails. The publisher of the CRL did not issue the certificate Included in the CRL is the publishing CA. If the publishing CA of the CRL does not match the issuing CA for the certificate for which certificate revocation is being checked, then the certificate revocation check fails. The CRL is not current Each published CRL has a range of valid dates. If the CRL Next Update date has passed, the CRL is not valid and the certificate revocation check fails. New CRLs must be published before the expiration date of the last published CRL. Processing a User Name Without a Domain Name While processing connection requests, Network Policy Server (NPS) examines the user name portion of the Access-Request message to determine whether a domain name has been specified. If a domain name is specified and NPS is registered to access the user accounts database in the designated domain, NPS proceeds with processing the connection request. Note To be registered in a domain, the NPS server must be a member of the RAS and IAS Servers security group for the Active Directory Domain Services (AD DS) domain. Some network access servers delete or modify the domain name as specified by the user. As a result, the network access request is authenticated against the default domain, which might not be the domain for the user's account. To resolve this problem, configure your Remote Authentication Dial-In User Service (RADIUS) servers to change the user name into the correct format with the accurate domain name. When the user name does not contain a domain name, NPS supplies one. By default, the NPSsupplied domain name is the domain of which the NPS server is a member. For more information, see NPS: Default Domain. Connection Request Processing In this section Load Balancing with NPS Proxy Realm Names 138 Using Pattern-Matching Syntax in NPS To determine whether a specific connection attempt request or an accounting message received from a Remote Authentication Dial-In User Service (RADIUS) client must be processed locally or forwarded to another RADIUS server, the NPS server uses connection request processing. Connection request processing is a combination of the following: Connection request policies that determine, for any incoming RADIUS request message, whether the message is processed locally or forwarded to another RADIUS server. For more information, see Connection Request Policies. Remote RADIUS server groups that contain one or more RADIUS servers to which RADIUS request messages are forwarded. For more information, see Remote RADIUS Server Groups. If connection request policy is configured to forward connection requests to members of a remote RADIUS server group, NPS is configured as a RADIUS proxy. NPS Proxy Process Overview When NPS is a RADIUS proxy between a RADIUS client and a RADIUS server, the messages that RADIUS sends for network access are forwarded as follows: 1. Access servers, such as dial-up network access servers, virtual private network (VPN) servers, and wireless access points, receive connection requests from access clients. 2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server that is being used as the NPS RADIUS proxy. 3. The NPS RADIUS proxy receives the Access-Request message and, based on the locally configured connection request policies, determines where to forward the Access-Request message. 4. The NPS RADIUS proxy forwards the Access-Request message to the appropriate RADIUS server. 5. The RADIUS server evaluates the Access-Request message. 6. If required, the RADIUS server sends an Access-Challenge message to the NPS RADIUS proxy, where it is forwarded to the access server. The access server processes the challenge with the access client, and then sends an updated Access-Request to the NPS RADIUS proxy, where it is forwarded to the RADIUS server. 7. The RADIUS server authenticates and authorizes the connection attempt. 8. If the connection attempt is both authenticated and authorized, the RADIUS server sends an Access-Accept message to the NPS RADIUS proxy, where it is forwarded to the access server. 9. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends an Access-Reject message to the NPS RADIUS proxy, where it is forwarded to the access server. 139 10. The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS RADIUS proxy. The NPS RADIUS proxy logs the accounting data and forwards the message to the RADIUS server. 11. The RADIUS server sends an Accounting-Response to the NPS RADIUS proxy, where it is forwarded to the access server. The following sections provide information about how an NPS RADIUS proxy changes each type of RADIUS message when it forwards the message. Access-Request messages Forwarding a RADIUS Access-Request message from a RADIUS client to a RADIUS server results in the following changes to the RADIUS Access-Request message: Attribute manipulation rules are applied and the RADIUS attribute is modified according to the configured find and replace rules. All RADIUS message fields for which the RADIUS shared secret is used are recalculated. The recalculation is performed by using the shared secret of the NPS RADIUS proxy and the remote RADIUS server to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute), User-Name, Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated. If the Access-Request message contains a Proxy-State attribute indicating that the message has been forwarded by another RADIUS proxy, the contents of the Proxy-State attribute are saved in a proxy session table and the Proxy-State attribute is rewritten with a value determined by the NPS RADIUS proxy. The new value of the Proxy-State attribute is stored in a proxy session table. When forwarding the Access-Request message, any additional RADIUS attributes that are configured in connection request policy Settings are stored in the proxy session table. These attributes are not actually added to the Access-Request message but are saved for the response to the Access-Request message. Access-Accept messages The Proxy-State attribute in the Access-Accept message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is forwarded, the Proxy-State attribute of the original Access-Request message, and any additional RADIUS attributes to add. If an entry is not found, the AccessAccept message is discarded. Forwarding a RADIUS Access-Accept message from a RADIUS server to a RADIUS client results in the following changes to the RADIUS Access-Accept message: All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded. These RADIUS attributes include the Message Authenticator 140 (also known as the Signature attribute), Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated. If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Access-Accept message is replaced with the original Proxy-State attribute of the Access-Request message. If the proxy session table entry contains any additional RADIUS attributes, these RADIUS attributes are added to the Access-Accept message. If any of these RADIUS attributes are already present, their values are overwritten with new values. Access-Reject messages The Proxy-State attribute in the Access-Reject message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is to be forwarded, the Proxy-State attribute of the original Access-Request message, and any additional RADIUS attributes to add. If an entry is not found, the AccessReject message is discarded. Forwarding a RADIUS Access-Reject message from a RADIUS server to a RADIUS client results in the following changes to the RADIUS Access-Reject message: All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute), Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated. If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Access-Reject message is replaced with the Proxy-State attribute of the original Access-Request message. If the proxy session table entry contains any additional RADIUS attributes, these RADIUS attributes are added to the Access-Reject message. If any of these RADIUS attributes are already present, their values are overwritten with new values. Accounting-Request messages When an NPS RADIUS proxy forwards a RADIUS Accounting-Request message from a RADIUS client to a RADIUS server, it results in the following changes: Attribute manipulation rules are applied and the RADIUS attribute is modified according to the configured find and replace rules. All RADIUS message fields for which the RADIUS shared secret are used are recalculated by using the shared secret of the NPS RADIUS proxy and the remote RADIUS server to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute) and User-Name. Additionally, the Authenticator field in the RADIUS header is recalculated. 141 If the Accounting-Request message contains a Proxy-State attribute indicating that the message has been forwarded by another RADIUS proxy, the contents of the Proxy-State attribute are saved in a proxy session table and the Proxy-State attribute is rewritten with a value determined by the NPS RADIUS proxy. The new value of the Proxy-State attribute is stored in a proxy session table. When forwarding the Accounting-Request message, the set of additional RADIUS attributes as configured on the Advanced tab from the profile settings of the matching connection request policy is stored in the proxy session table. These attributes are not actually added to the Accounting-Request message but are saved for the response to the Accounting-Request message. Accounting-Response messages The Proxy-State attribute in the Accounting-Response message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is to be forwarded, the Proxy-State attribute of the original Accounting-Request message, and any additional RADIUS attributes to add. If an entry is not found, the Accounting-Response message is discarded. When an NPS RADIUS proxy forwards a RADIUS Accounting-Response message from a RADIUS server to a RADIUS client, it results in the following changes to the RADIUS AccountingResponse message: All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded, such as the Message Authenticator (also known as the Signature attribute). Additionally, the Authenticator field in the RADIUS header is recalculated. If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Accounting-Response message is replaced with the original Proxy-State attribute of the Accounting-Request message. If the proxy session table entry contains additional RADIUS attributes, these RADIUS attributes are added to the Accounting-Response message. If any of these RADIUS attributes are already present, their values are overwritten with new values. When you configure connection request policies so that connection requests are forwarded to members of a remote RADIUS server group, you can use regular expressions and realm names for the configuration process. The following sections provide additional information. Load Balancing with NPS Proxy Remote Authentication Dial-In User Service (RADIUS) clients, which are network access servers such as virtual private network (VPN) servers and wireless access points, create connection requests and send them to RADIUS servers such as NPS. In some cases, an NPS server might 142 receive too many connection requests at one time, resulting in degraded performance or an overload. When an NPS server is overloaded, it is a good idea to add more NPS servers to your network and to configure load balancing. When you evenly distribute incoming connection requests among multiple NPS servers to prevent the overloading of one or more NPS servers, it is called load balancing. Load balancing is particularly useful for: Organizations that use Extensible Authentication Protocol-Transport Layer Security (EAPTLS) or Protected Extensible Authentication Protocol (PEAP)-TLS for authentication. Because these authentication methods use certificates for server authentication and for either user or client computer authentication, the load on RADIUS proxies and servers is heavier than when password-based authentication methods are used. Organizations that need to sustain continuous service availability. Internet service providers (ISPs) that outsource VPN access for other organizations. The outsourced VPN services can generate a large volume of authentication traffic. There are two methods you can use to balance the load of connection requests sent to your NPS servers: Configure your network access servers to send connection requests to multiple RADIUS servers. For example, if you have 20 wireless access points and two RADIUS servers, configure each access point to send connection requests to both RADIUS servers. You can load balance and provide failover at each network access server by configuring the access server to send connection requests to multiple RADIUS servers in a specified order of priority. This method of load balancing is usually best for small organizations that do not deploy a large number of RADIUS clients. Use NPS configured as a RADIUS proxy to load balance connection requests between multiple NPS servers or other RADIUS servers. For example, if you have 100 wireless access points, one NPS proxy, and three RADIUS servers, you can configure the access points to send all traffic to the NPS proxy. On the NPS proxy, configure load balancing so that the proxy evenly distributes the connection requests between the three RADIUS servers. This method of load balancing is best for medium and large organizations that have many RADIUS clients and servers. In many cases, the best approach to load balancing is to configure RADIUS clients to send connection requests to two NPS proxy servers, and then configure the NPS proxies to load balance among RADIUS servers. This approach provides both failover and load balancing for NPS proxies and RADIUS servers. RADIUS server priority and weight During the NPS proxy configuration process, you can create remote RADIUS server groups and then add RADIUS servers to each group. To configure load balancing, you must have more than one RADIUS server per remote RADIUS server group. While adding group members, or after creating a RADIUS server as a group member, you can access the Add RADIUS server dialog box to configure the following items on the Load Balancing tab: 143 Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them. Weight. NPS uses this Weight setting to determine how many connection requests to send to each group member when the group members have the same priority level. Weight setting must be assigned a value between 1 and 100, and the value represents a percentage of 100 percent. For example, if the remote RADIUS server group contains two members that both have a priority level of 1 and a weight rating of 50, the NPS proxy forwards 50 percent of the connection requests to each RADIUS server. Advanced settings. These failover settings provide a way for NPS to determine whether the remote RADIUS server is unavailable. If NPS determines that a RADIUS server is unavailable, it can start sending connection requests to other group members. With these settings you can configure the number of seconds that the NPS proxy waits for a response from the RADIUS server before it considers the request dropped; the maximum number of dropped requests before the NPS proxy identifies the RADIUS server as unavailable; and the number of seconds that can elapse between requests before the NPS proxy identifies the RADIUS server as unavailable. Configuring NPS proxy load balancing Before configuring load balancing, create a deployment plan that includes how many remote RADIUS server groups you require, which servers are members of each particular group, and the Priority and Weight setting for each server. Note The steps that follow assume that you have already deployed and configured RADIUS servers. To configure NPS to act as a proxy server and forward connection requests from RADIUS clients to remote RADIUS servers, you must take the following actions: 1. Deploy your RADIUS clients (VPN servers, dial-up servers, Terminal Services Gateway servers, 802.1X authenticating switches, and 802.1X wireless access points) and configure them to send connection requests to your NPS proxy servers. 2. On the NPS proxy, configure the network access servers as RADIUS clients. 3. On the NPS proxy, create one or more remote RADIUS server groups. During this process, add RADIUS servers to the remote RADIUS server groups. 144 4. On the NPS proxy, for each RADIUS server that you add to a remote RADIUS server group, click the RADIUS server Load Balancing tab, and then configure Priority, Weight, and Advanced settings. 5. On the NPS proxy, configure connection request policies to forward authentication and accounting requests to remote RADIUS server groups. You must create one connection request policy per remote RADIUS server group. Realm Names Realm names The User-Name RADIUS attribute is a character string that typically contains a user account location and a user account name. The user account location is also called the realm or realm name, and is synonymous with the concept of domain, including DNS domains, Active Directory® domains, and Windows NT 4.0 domains. For example, if a user account is located in the user accounts database for a domain named example.com, then example.com is the realm name. In another example, if the User-Name RADIUS attribute contains the user name user1@example.com, user1 is the user account name and example.com is the realm name. Realm names can be presented in the user name as a prefix or as a suffix: Example\user1. In this example, the realm name Example is a prefix; and it is also the name of a Windows NT 4.0 domain. user1@example.com. In this example, the realm name example.com is a suffix; and it is either a DNS domain name or the name of an Active Directory domain. You can use realm names configured in connection request policies while designing and deploying your RADIUS infrastructure to ensure that connection requests are routed from RADIUS clients, also called network access servers, to RADIUS servers that can authenticate and authorize the connection request. When NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains. To configure NPS to act as a RADIUS proxy and forward connection requests to untrusted domains, you must create a new connection request policy. In the new connection request policy, you must configure the User Name attribute with the realm name that will be contained in the User-Name attribute of connection requests that you want to forward. You must also configure the connection request policy with a remote RADIUS server group. The connection request policy allows NPS to calculate which connection requests to forward to the remote RADIUS server group based on the realm portion of the User-Name attribute. 145 Acquiring the realm name The realm name portion of the user name is provided when the user types password-based credentials during a connection attempt or when a Connection Manager (CM) profile on the user's computer is configured to provide the realm name automatically. You can designate that users of your network provide their realm name when typing their credentials during network connection attempts. For example, you can require users to type their user name, including the user account name and the realm name, in User name in the Connect dialog box when making a dial-up or virtual private network (VPN) connection. In addition, if you create a custom dialing package with the Connection Manager Administration Kit (CMAK), you can assist users by adding the realm name automatically to the user account name in CM profiles that are installed on users' computers. For example, you can specify a realm name and user name syntax in the CM profile so that the user only has to specify the user account name when typing credentials. In this circumstance, the user does not need to know or remember the domain where their user account is located. During the authentication process, after users type their password-based credentials, the user name is passed from the access client to the network access server. The network access server constructs a connection request and includes the realm name within the User-Name RADIUS attribute in the Access-Request message that is sent to the RADIUS proxy or server. If the RADIUS server is an NPS server, the Access-Request message is evaluated against the set of configured connection request policies. Conditions on the connection request policy can include the specification of the contents of the User-Name attribute. You can configure a set of connection request policies that are specific to the realm name within the User-Name attribute of incoming messages. This allows you to create routing rules that forward RADIUS messages with a specific realm name to a specific set of RADIUS servers when NPS is used as a RADIUS proxy. Attribute manipulation rules Before the RADIUS message is either processed locally (when NPS is being used as a RADIUS server) or forwarded to another RADIUS server (when NPS is being used as a RADIUS proxy), the User-Name attribute in the message can be modified by attribute manipulation rules. You can configure attribute manipulation rules for the User-Name attribute by selecting User name on the Conditions tab in the properties of a connection request policy. NPS attribute manipulation rules use regular expression syntax. You can configure attribute manipulation rules for the User-Name attribute to change the following: Remove the realm name from the user name (also known as realm stripping). For example, the user name user1@example.com is changed to user1. Change the realm name but not its syntax. 146 For example, the user name user1@example.com is changed to user1@wcoast.example.com. Change the syntax of the realm name. For example, the user name example\user1 is changed to user1@example.com. After the User-Name attribute is modified according to the attribute manipulation rules that you configure, additional settings of the first matching connection request policy are used to determine whether: The NPS server processes the Access-Request message locally (when NPS is being used as a RADIUS server). The NPS server forwards the message to another RADIUS server (when NPS is being used as a RADIUS proxy). Caution Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Note When the user name does not contain a domain name, NPS supplies one. By default, the NPS-supplied domain name is the domain of which the NPS server is a member. You can specify the NPS-supplied domain name through the following registry setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtoc ols\BuiltIn\DefaultDomain Some non-Microsoft network access servers delete or modify the domain name as specified by the user. As the result, the network access request is authenticated against the default domain, which might not be the domain for the user's account. To resolve this problem, configure your RADIUS servers to change the user name into the correct format with the accurate domain name. Using Pattern-Matching Syntax in NPS Network Policy Server (NPS) in Windows Server 2008 supports the use of regular expressions for pattern matching. You can use this syntax to specify the conditions of network policy attributes and Remote Authentication Dial-In User Service (RADIUS) realms. Pattern-matching reference You can use the following table as a reference source when creating regular expressions with pattern-matching syntax. Character Description Example \ Marks the next character as a /n/ matches the character "n". 147 Character Description Example character to match. The sequence /\n/ matches a line feed or newline character. ^ Matches the beginning of the input or line. $ Matches the end of the input or line. * Matches the preceding character zero or more times. /zo*/ matches either "z" or "zoo." + Matches the preceding character one or more times. /zo+/ matches "zoo" but not "z." ? Matches the preceding character zero or one times. /a?ve?/ matches the "ve" in "never." . Matches any single character except a newline character. (pattern) Matches pattern and remembers the match. To match ( ) (parentheses), use "\(" or "\)". x|y Matches either x or y. /z|food?/ matches "zoo" or "food." {n} Matches exactly n times (n is a nonnegative integer). /o{2}/ does not match the "o" in "Bob," but matches the first two instances of the letter o in "foooood." {n,} Matches at least n times (n is a nonnegative integer). /o{2,}/ does not match the "o" in "Bob" but matches all of the instances of the letter o in "foooood." /o{1,}/ is equivalent to /o+/. {n,m} Matches at least n and at most m times (m and n are nonnegative integers). /o{1,3}/ matches the first three instances of the letter o in "fooooood." [xyz] Matches any one of the enclosed characters (a character set). /[abc]/ matches the "a" in "plain." 148 Character Description Example [^xyz] Matches any characters that are /[^abc]/ matches the "p" in not enclosed (a negative "plain." character set). \b Matches a word boundary (for example, a space). /ea*r\b/ matches the "er" in "never early." \B Matches a nonword boundary. /ea*r\B/ matches the "ear" in "never early." \d Matches a digit character (equivalent to [0-9]). \D Matches a nondigit character (equivalent to [^0-9]). \f Matches a form feed character. \n Matches a line feed character. \r Matches a carriage return character. \s Matches any white space character including space, tab, and form feed (equivalent to [ \f\n\r\t\v]). \S Matches any non-white space character (equivalent to [^ \f\n\r\t\v]). \t Matches a tab character. \v Matches a vertical tab character. \w Matches any word character, including underscore (equivalent to [A-Za-z0-9_]). \W Matches any nonword character, excluding underscore (equivalent to [^A-Za-z0-9_]). \num Refers to remembered matches (?num, where num is a positive integer). For example, \1 replaces what is stored in the 149 Character Description Example first remembered match. This option can be used only in the Replace text box when configuring attribute manipulation. /n/ Allows the insertion of ASCII codes into regular expressions (?n, where n is an octal, hexadecimal, or decimal escape value). Examples of using pattern-matching syntax to specify network policy attributes The following examples describe the use of the pattern-matching syntax to specify network policy attributes: To specify all phone numbers within the 899 area code, the syntax is: 899.* To specify a range of all IP addresses that begin with 192.168.1, the syntax is: 192\.168\.1\..+ Examples for manipulation of the realm name in the User-Name attribute The following examples describe the use of the pattern-matching syntax to manipulate realm names for the User-Name attribute, which is located on the Attribute tab in the properties of a connection request policy. To remove the realm portion of the User-Name attribute In an outsourced dial-up scenario in which an Internet service provider (ISP) routes connection requests to an organization NPS server, the ISP RADIUS proxy might require a realm name to route the authentication request. However, the NPS server might not recognize the realm name portion of the user name. Therefore, the realm name must be removed by the ISP RADIUS proxy before it is forwarded to the organization NPS server. Find: @microsoft\.com Replace: To replace user@example.microsoft.com with example.microsoft.com\user Find: (.*)@(.*) 150 Replace: $2\$1 To replace domain\user with specific_domain\user Find: (.*)\\(.*) Replace: specific_domain\$2 To replace user with user@specific_domain Find: $ Replace: @specific_domain Example for RADIUS message forwarding by a proxy server You can create routing rules that forward RADIUS messages with a specified realm name to a set of RADIUS servers when an NPS server is used as a RADIUS proxy. Following is a recommended syntax for routing requests based on realm name. NetBIOS name Pattern WCOAST ^wcoast\\ In the following example, wcoast.microsoft.com is a unique user principal name (UPN) suffix for the Domain Name System (DNS) or Active Directory Domain Services (AD DS) domain wcoast.microsoft.com. Using the supplied pattern, the NPS proxy can route messages based on domain network basic input/output system (NetBIOS) name or UPN suffix. NetBIOS name UPN suffix Pattern WCOAST wcoast.microsoft.com ^wcoast\\|@wcoast\.microsoft\.com$ NPS Authorization Process In this section Authorization by User and Group Dial-In Properties of Accounts MAC Address Authorization Network Policies and Authorization Network Policy Server (NPS) grants or denies network access authorization on the basis of the following configurable items: 151 The dial-in properties of Security Accounts Manager (SAM) database or Active Directory Domain Services (AD DS) user and computer accounts NPS network policies Note For convenience in this document, in discussions of authorization, the dial-in properties of user and computer accounts are frequently referred to only as user accounts. Network policies allow you to grant or deny network access for users and computers that are members of Windows groups; this authorization management method is called Authorization by Group. Alternately, the Network Access Permission setting on the dial-in properties of each user and computer account in AD DS allows you to grant or deny network access for individual users and computers. This authorization management method is called Authorization by User. Important By using the Network Access Permission setting Control access through NPS Network Policy, AD DS also allows you to designate that network access permission is granted based solely on network policy settings. When NPS receives a connection request from a Remote Authentication Dial-In User Service (RADIUS) client, NPS accepts or rejects the connection request based on the following: The first policy in the ordered list of network policies is checked. If there are no network policies configured in NPS, the connection request is rejected. If all the conditions of the policy do not match the connection request, NPS moves on to and evaluates the next policy. If there are no more policies, NPS rejects the connection request. If all the conditions of the policy match the connection request, NPS checks the value of the Ignore-User-Dialin-Properties attribute (which is configurable as a property on the Overview tab) of the network policy. If the Ignore-User-Dialin-Properties attribute is set to False, NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection: If Deny access is selected, NPS rejects the connection request. If Allow access is selected, NPS applies the user account properties and network policy constraints: If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request. If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request. If Network Access Permission is not set to Allow access or Deny access, the network access permission is set to Control access through NPS Network Policy. In that case, NPS evaluates the Access Permission setting (which is configurable as a property on the Overview tab) of the network policy: 152 If Deny access is selected, NPS rejects the connection request. If Grant access is selected, NPS applies the user account properties and network policy constraints: If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request. If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request. If the Ignore-User-Dialin-Properties attribute is set to True, NPS checks the Access Permission setting of the network policy: If Deny access is selected, reject the connection request. If Grant access is selected, NPS applies the network policy constraints: If the connection request does not match the settings of the network policy constraints, NPS rejects the connection request. If the connection request matches the network policy constraints, NPS accepts the connection request. Authorization by User and Group When designing your authorization scheme, you must determine whether you want to manage authorization by user or by group. Authorization by user If you are managing authorization by user, set the network access permission on the user or computer account to either Grant access or Deny access and, optionally, create different network policies based on different types of connections. For example, you might want to create one network policy that is used for virtual private network (VPN) connections and a different network policy that is used for wireless connections. Important Managing authorization by user is recommended only when you have a small number of user or computer accounts to manage. If you are managing authorization by user, the basic process used by Network Policy Server (NPS) to authorize a connection request occurs as follows: 1. If NPS finds that the connection request matches all of the conditions of the network policy, it checks the network access permission setting of the user account: If the network access permission setting of the user account is set to grant access, NPS applies the network policy and user account connection settings to the connection, which is granted. 153 If the network access permission setting of the user account is set to deny access, NPS rejects the connection request. 2. If the connection request does not match all conditions of the first network policy, NPS processes the next network policy. 3. If the connection request does not match all conditions of any network policy, NPS rejects the connection request. Authorization by group If you are managing authorization by group, set the network access permission on the user account to Control access through NPS Network Policy and create network policies that are based on different types of connections and on Windows group membership. For example, you might want to create one network policy for dial-up connections for employees (members of the Employees group that you have created in Active Directory Domain Services (AD DS)) and a different network policy for dial-up connections for contractors (members of the Contractors group that you have created in AD DS). If you are managing authorization by group, the basic process used by NPS to authorize a connection request occurs as follows: 1. If NPS finds that the connection request matches all of the conditions of the network policy, it checks the Access Permission setting of the network policy. If the Access Permission setting is configured to grant access, NPS applies the network policy and user account connection settings to the connection, which is granted. If the Access Permission setting is configured to deny access, NPS rejects the connection request. 2. If the connection request does not match all conditions of the first network policy, NPS processes the next network policy. 3. If the connection request does not match all conditions of any network policy, NPS rejects the connection request. Dial-In Properties of Accounts In Windows Server 2008, accounts in the Security Accounts Manager (SAM) database for a stand-alone server or in the user accounts database for an Active Directory Domain Services (AD DS)-based server contain a set of dial-in properties that are used when allowing or denying a connection attempt made by a user or computer. For a stand-alone server, the dial-in properties are available on the Dial-in tab of the user or computer object in the Local Users and Groups Microsoft Management Console (MMC) snap-in. For an AD DS-based server, the dial-in properties are available on the Dial-in tab of the user or computer account in the Active Directory Users and Computers snap-in. The dial-in properties for an account are the following: 154 Network Access Permission Use this property to set whether network access is explicitly allowed, denied, or determined by Network Policy Server (NPS) network policies. If access is explicitly allowed, network policy conditions or other account properties can override the setting. Note By default, the Administrator and Guest accounts are set to Control access through NPS Network Policy or Control access through Remote Access Policy on a standalone Routing and Remote Access service (RRAS) server or in a Windows 2000 or later domain. In addition, new accounts created on a stand-alone RRAS server or in a Windows 2000 or later domain are set to Control access through NPS Network Policy or Control access through Remote Access Policy. Verify Caller ID When Caller ID is enabled, the server verifies the caller's phone number.. Caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server. On a computer running the Routing and Remote Access service, caller ID support consists of call answering equipment that provides caller ID information and the appropriate Windows driver to pass the information to the Routing and Remote Access service. The connection attempt is denied if: The caller's phone number does not match the configured phone number The caller ID phone number is configured for a user, but you the passing of caller ID information from the caller to the Routing and Remote Access service is not supported. Callback Options If this property is enabled, the server calls the caller back during the connection establishment at a phone number set by the caller or a specific phone number set by the administrator. Assign a Static IP Address If this property is enabled, the administrator assigns a specific IP address to the user when the connection is made. Apply Static Routes If this property is enabled, the administrator defines a series of static IP routes that are added to the routing table of the remote access server when a connection is made. This setting is designed for accounts that Windows Server 2008, Windows Server 2003, or Windows 2000 routers use for demand-dial routing. Note You can configure NPS network policy to ignore the dial-in properties of user and computer accounts by selecting or clearing the Ignore user account dial-in properties check box on the Overview tab of a network policy. For more information, see Access Permission. 155 MAC Address Authorization Media access control (MAC) address authorization functions in the same way as automatic number identification (ANI) authorization, but it is used for wireless clients and clients connecting to your network by using an 802.1X authenticating switch. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the CallingStation-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt. MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names. MAC address authorization is enabled when you do the following: 1. Enable MAC address authorization on access servers, such as wireless access points (APs). 2. Enable unauthenticated access on the appropriate NPS network policy for MAC addressbased authentication, and enable Password Authentication Protocol (PAP). 3. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, create a user account for each MAC address for which you want to provide MAC address authorization. The name of the user account must match the MAC address of the network adapter installed in the computer from which the user is connecting. The format of the password assigned to the account is determined by the network access server vendor. Review the network access server documentation to determine the appropriate password. 4. Set the User Identity Attribute registry value to 31 on the NPS server. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy 5. To always use the MAC address as the user identity, on the NPS server set the Override User-Name registry value to 1. This registry value location is: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy Caution Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Note For more information, see NPS: User Identity Attribute and NPS: Override User-Name. 156 Network Policies and Authorization A network policy is an ordered set of rules that defines how connections are either authorized or rejected. For each rule, there are one or more conditions that must match the connection request for the policy to apply. In addition, each network policy contains constraints, settings, and an Access Permission property. Note If Network Policy Server (NPS) authorizes a connection, restrictions specified in the dialin properties of the user or computer account override the network policy constraints, where applicable. Network policies validate several connection settings before authorizing the connection, including the following: Access permission Group membership Type of connection Time of day Authentication methods Access server identity Access client phone number or media access control (MAC) address Whether account dial-in properties are ignored Whether unauthenticated access is allowed After the connection is authorized, network policies can also be used to specify connection settings, including the following: Idle time-out time Maximum session time Encryption strength IP packet filters IP address for PPP connections Static routes The following settings can also affect connection restrictions: Group membership Type of connection Time of day Authentication methods Identity of the access server Access client phone number or MAC address 157 It is important to remember that connection requests are accepted only if the properties of the connection request matches all of the conditions and constraints of at least one of the configured network policies (subject to the conditions of the dial-in properties of the account). If the connection request does not match at least one of the network policies, the connection attempt is rejected regardless of the dial-in properties of the user account. Note Network policies are administered in the NPS snap-in or the Routing and Remote Access snap-in (when RRAS is configured for Windows authentication). For more information, see Network Policies. Network policy configuration issues Following are several issues that might impact your configuration of NPS, depending on your network and needs: Some elements of a network policy correspond to RADIUS attributes that are used during RADIUS-based authentication. For network policies on an NPS server, verify that the network access servers (NASs) used are sending RADIUS attributes that correspond to the configured network policy conditions and settings. If a NAS does not send a RADIUS attribute that corresponds to a network policy condition or setting, then all RADIUS authentication requests from that NAS are denied. You can only use the Generate-Session-Time-out attribute if your user account database is a Security Accounts Manager (SAM) database or is the user account database for an Active Directory Domain Services (AD DS) domain. If the value of Generate-Session-Time-out is set to True, make sure the ForceLogoff value for a SAM database is set to 0. In the Local Security Settings console, ForceLogoff is changed to zero when Network security: Force logoff when logon hours expire is enabled. If you are using Wired Equivalent Privacy (WEP) encryption, you can configure wireless connection policy so that wireless clients using WEP periodically reauthenticate. This ensures that the client WEP encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session time-out in your network policy or connection request policy for wireless connections (by using the SessionTime-out attribute) to the required interval (for example, 10 minutes). Additionally, configure the value of the Termination-Action attribute to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless APs might end the connection during reauthentication. For more information, see your hardware documentation. Important It is recommended that you use Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA2) rather than WEP for wireless deployments. 158 Access Permission Access permission Access permission is configured on the Overview tab of each network policy and allows you to configure the policy to either grant or deny access to users if the conditions and constraints of the network policy are matched by the connection request. Access permission settings have the following effect: Grant access. Access is granted if the connection request matches the conditions and constraints that are configured in the policy. Deny access. Access is denied if the connection request matches the conditions and constraints that are configured in the policy. Access permission is also granted or denied with the dial-in properties of each user account. Note User accounts and their properties, such as dial-in properties, are configured in either the Active Directory Users and Computers or the Local Users and Groups Microsoft Management Console (MMC) snap-in, depending on whether you have Active Directory Domain Services (AD DS) installed. The user account setting Network Access Permission, which is configured on the dial-in properties of user accounts, overrides the network policy access permission setting. When network access permission on a user account is set to the Control access through NPS Network Policy option, the network policy access permission setting determines whether the user is granted or denied access. When Network Policy Server (NPS) evaluates connection requests against configured network policies, it performs the following actions: If the conditions of the first policy are not matched, NPS evaluates the next policy, and continues this process until either a match is found or all policies have been evaluated for a match. If the conditions and constraints of a policy are matched, NPS either grants or denies access, depending on the value of the Access permission setting in the policy. If the conditions of a policy match but the constraints in the policy do not match, NPS rejects the connection request. If the conditions of all policies do not match, NPS rejects the connection request. Ignore user account dial-in properties You can configure NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the Ignore user account dial-in properties check box on the Overview tab of network policy. Normally when NPS performs authorization of a connection request, it checks the dial-in properties of the user account, where the network access permission setting value can 159 affect whether the user is authorized to connect to the network. When you configure NPS to ignore the dial-in properties of user accounts during authorization, network policy settings determine whether the user is granted access to the network. The dial-in properties of user accounts contain the following: Network access permission Caller-ID Callback options Static IP address Static routes To support multiple types of connections for which NPS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required. For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a network access server, not for clients that are connecting to wireless access points. A wireless access point that receives these settings in a RADIUS message from NPS might not be able to process them, which could cause the wireless client to be disconnected. When NPS provides authentication and authorization for users who are both dialing in and accessing the organization network through wireless access points, the dial-in properties must be configured to support either dial-in connections (by setting dial-in properties) or wireless connections (by not setting dial-in properties). You can use NPS to enable dial-in properties processing for the user account in some scenarios (such as dial-in) and to disable dial-in properties processing in other scenarios (such as 802.1X wireless and authenticating switch). You can also use Ignore user account dial-in properties to manage network access control through groups and the access permission setting on the network policy. When you configure Ignore user account dial-in properties with the value of True (selected), network access permission on the user account is ignored. The only disadvantage to this configuration is that you cannot use the additional user account dial-in properties of caller-ID, callback, static IP address, and static routes. RADIUS Authentication Process Overview This section contains overview information about the Remote Authentication Dial-In User Service (RADIUS) authentication process, from when a RADIUS client sends an Access-Request message to a RADIUS server to when the RADIUS server sends the Access-Accept or AccessReject message. In addition, detail about how Network Policy Server (NPS) processes AccessRequest messages under different configurations is provided. In this section 160 Access-Request Message Processing The RADIUS authentication process begins when a user attempts to access a network by using a computer or other device, such as a personal digital assistant (PDA), through a network access server (NAS) that is configured as a RADIUS client to a RADIUS server. For example, when the user sends credentials by using Challenge Handshake Authentication Protocol (CHAP), the RADIUS client creates a RADIUS Access-Request message containing such attributes as the Port ID the user is accessing and the results of the CHAP authentication process (the user name, the challenge string, and the response of the access client). The RADIUS Access-Request message is sent from the RADIUS client to the RADIUS server. If a response is not received within a specific length of time, the request is re-sent. The RADIUS client can also be configured to forward requests to an alternate server or servers in the event that the primary server is unreachable. An alternate server can be used either after a specified number of non-responses from the primary server, or the RADIUS client can take turns sending the connection request to both the alternate and primary RADIUS server. Note If you are using the Routing and Remote Access service (RRAS), you can add and prioritize multiple RADIUS servers using a scoring mechanism. If a primary RADIUS server does not respond within three seconds, RRAS automatically switches to the RADIUS server with the next highest score. After the RADIUS server receives the request, it validates the sending RADIUS client. Validation occurs by verifying that the RADIUS Access-Request message is sent from a RADIUS client that is configured on the RADIUS server. If the Access-Request message is sent by a valid RADIUS client, and if the Message-Authenticator attribute is required for the RADIUS client, the value of the Message-Authenticator attribute is verified by using the RADIUS shared secret. If the Message-Authenticator attribute is either missing or contains an incorrect value, the RADIUS message is silently discarded — that is, the message is discarded without logging an event in the Event Log or making an entry in the NPS accounting log. For more information, see Incoming RADIUS Message Validation. If the RADIUS client is valid, the RADIUS server consults a database of users to find the user whose name matches the User-Name attribute in the connection request. The user account contains a list of requirements that must be met to allow access for the user. This list of requirements can include verification of the password, and it can also specify whether the user is allowed access. If any condition of authentication or authorization is not met, the RADIUS server sends a RADIUS Access-Reject message in response, indicating that this user request is not valid. If all conditions are met, the list of configuration settings for the user is placed into a RADIUS Access-Accept message that is sent back to the RADIUS client. These settings include a list of RADIUS attributes and all necessary values to deliver the desired service. For Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) service types, this can include values such as encryption types, the Class attribute, Maximum Transmission Unit (MTU), and the desired compression and packet filter identifiers. 161 For more details about how NPS processes connection requests under different configurations, see Access-Request Message Processing. Access-Request Message Processing The following sections detail how Network Policy Server (NPS) processes Access-Request messages when it is configured as a Remote Authentication Dial-In User Service (RADIUS) server, a RADIUS proxy, and a Network Access Protection (NAP) policy server. In this section NPS RADIUS Server Message Processing NPS RADIUS Proxy Message Processing NAP Health Policy Server Message Processing NPS RADIUS Server Message Processing This section provides information about how Network Policy Server (NPS) processes an incoming Access-Request message when NPS is configured as a Remote Authentication Dial-In User Service (RADIUS) server. When you configure NPS as a RADIUS server, Access-Request messages are processed locally. In this process, NPS does the following: 1. Validates the RADIUS message. The incoming Access-Request message is validated for source IP address, the digital signature, valid attributes, and so on. If the RADIUS message is not valid, an event is logged in the system event log and the RADIUS Access-Request message is discarded. An Access-Reject message is not sent. 2. Checks for Auto Reject. Auto Reject, also called Ping User-Name for the corresponding registry entry, is used to send an immediate Access-Reject message when the User-Name attribute in the Access-Request message matches the registry entry value. Some RADIUS clients (RADIUS proxy servers and network access servers) periodically send artificial authentication and accounting requests, called ping requests, to verify that the NPS server is present on the network. These ping requests include fictional user names and do not represent an actual connection request by a real user or computer. When NPS processes these requests, the event and accounting logs become filled with access reject records, making it difficult to keep track of records for valid connection attempts by real users. When you configure a registry entry for Ping User-Name, NPS matches the registry entry value against the value of the User-Name attribute in ping requests that other servers make. If the registry entry and the user name value match, NPS automatically rejects the request and does not create an event or accounting log entry. 162 3. Performs connection request policy evaluation. If no connection request policies are matched, an event is logged in the system event log and the RADIUS Access-Request message is discarded. 4. Applies realm stripping rules. NPS determines or defines the domain name and the user identity for the Access-Request message. If the User-Name attribute in the Access-Request message is not the Auto Reject name, then the user identity is determined. User identity is how NPS identifies the user for the purposes of authentication and authorization. Typically, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, the user identity is set to the Guest account or the account specified by the Default User Identity registry entry. NPS can use any RADIUS attribute to identify the user. The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry entry. 5. Determines authentication server. NPS determines whether to authenticate locally or forward to a remote RADIUS server group (When NPS is configured as a RADIUS server, the message is authenticated locally and is not forwarded.) 6. Performs name cracking. Name cracking is the resolution of the user identity to a user account by using user principal names (UPNs), Lightweight Directory Access Protocol (LDAP), distinguished names (DNAs), canonical names, and so on. If a user principal name is encountered by NPS, NPS performs a query to the Active Directory Domain Services (AD DS) global catalog in an attempt to resolve the name. To speed up this process, a copy of the global catalog must be located on a domain controller within the same site as the NPS server. When the user identity does not contain a domain name, NPS supplies a domain name. By default, the NPS-supplied domain name is the domain for which the NPS server is a member. You can specify the NPS-supplied domain by means of the DefaultDomain registry entry. 7. Checks for authentication plug-ins. Authentication plug-ins are optional components created by using the NPS software development kit (SDK); each plug-in can return Accept, Reject, or Continue. If an authentication plug-in returns an Accept, the user is authenticated and the account is validated. If the authentication plug-in returns a Reject, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authentication plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user still needs to be authenticated. The authentication plug-in can also return RADIUS attributes to be included in the AccessAccept message. 8. Checks for remote access account lockout. The registry on the NPS server is read for remote access account lockout entry for the user account. If the account is locked out, NPS sends an Access-Reject message and logs an authentication event. For more information, see Network Policy Server Tools and Settings. 9. Checks for PAP, CHAP, MS-CHAP. If Password Authentication Protocol (PAP), CHAP, Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), or MS163 CHAP v2 are used to authenticate the remote access client, NPS consults an authentication sub-module based on the authentication protocol to perform the authentication. The user credentials (user name and password) are authenticated against the user name and password of the accounts database (either a domain or the local accounts database), and the group membership of the user account is determined. The exact method of authentication varies depending on the authentication protocol. If the authentication of the credentials is not successful, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If either Extensible Authentication Protocol (EAP) or unauthenticated access is being used, then the user authentication process is bypassed. EAP authentication takes place later in this process. For unauthenticated access, no user authentication is performed. 10. Validates user account. Based on the user or computer account determined by name cracking, the user account is validated to discover whether the account is locked out (which is not the same as remote access account lockout), whether the account is disabled, and whether the user account password has expired. If the user account is not valid, an AccessReject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 11. Performs network policy evaluation. Network policies configured on the NPS server are evaluated to find a policy that matches the parameters of the connection. If a matching policy is not found, an Access-Reject message is sent and an event is logged. 12. Checks user properties and network policy properties. If the Ignore-User-DialinProperties attribute is set to 0, the dial-in properties of the user account and the properties of the matching network policy are evaluated against the parameters of the connection attempt to ensure that the connection attempt is allowed. If the Ignore-User-Dialin-Properties attribute is set to 1, the properties from the matching network policy become the set of properties for the connection. If the connection attempt is not allowed, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 13. Checks for EAP authentication. If EAP is the authentication protocol used for the connection attempt, EAP authentication takes place. The initial negotiation for EAP consists of selecting EAP as the authentication protocol and negotiating an EAP type with the access client. Based on the EAP type, the settings for the matching network policy are checked to ensure that the EAP type is allowed. If the EAP type is not allowed, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS accounting log, depending on the configured logging settings. If the EAP type is allowed by network policy settings, EAP authentication for the EAP type occurs. NPS sends an EAP challenge to the NAS requesting it to start EAP negotiation. Communications between EAP modules on a RADIUS client and server are tunneled using the RADIUS protocol. After negotiation is complete, an EAP provider can return attributes that are sent back to the NAS in the Access-Accept message. If EAP authentication fails, an 164 Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 14. Checks for authorization plug-ins. Authorization plug-ins are optional components created by using the NPS software development kit (SDK). Each plug-in can return either Reject or Continue. If the authorization plug-in returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authorization plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user is authorized. The authorization plug-in can also return RADIUS attributes to be included in the AccessAccept message. 15. Sends an Access-Accept. If the dial-in properties of the user account, the properties of the matching network policy, and the conditions imposed by authorization plug-ins allow the connection attempt, an Access-Accept message is sent back to the NAS. Included with the Access-Accept message is the set of RADIUS attributes for the restrictions on the connection. In addition, an authentication success event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. After NPS sends the Access-Accept message, the NAS completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged in Internet Authentication Service (IAS) format, database-compatible format, or to a SQL Server database. The NPS server then sends an Accounting-Response to the NAS to verify that it has received and recorded accounting data for the connection. Note The NAS also sends Accounting-Request messages when the connection is being established, when the NAS connection is closed, and when the access server is started and stopped. RRAS authentication and authorization The authentication and authorization process for the Routing and Remote Access service (RRAS), when configured for Windows authentication, requires steps 6 through 15 of this process. The authentication and authorization success and failure are the return values of functions called by the Routing and Remote Access service. Local event or authentication logging depends on the configured logging settings of the Routing and Remote Access service. NPS RADIUS Proxy Message Processing This section provides information about how Network Policy Server (NPS) processes an incoming Access-Request message when NPS is configured as a Remote Authentication Dial-In User Service (RADIUS) proxy. When you configure NPS as a RADIUS proxy, Access-Request messages that the proxy receives from RADIUS clients are forwarded to a remote RADIUS server for processing. 165 When you map external user accounts to a local Windows user account, authentication is performed remotely and authorization is performed locally. In this process, NPS does the following tasks: 1. Validates the RADIUS message. The incoming Access-Request message is validated for source IP address, the digital signature, valid attributes, and so on. If the RADIUS message is not valid, an event is logged in the system event log and the RADIUS Access-Request message is discarded. An Access-Reject message is not sent. 2. Checks for Auto Reject. Auto Reject, also called Ping User-Name for the corresponding registry entry, is used to send an immediate Access-Reject message when the User-Name attribute in the Access-Request message matches the registry entry value. Some RADIUS clients (RADIUS proxy servers and network access servers) periodically send artificial authentication and accounting requests, called ping requests, to verify that the NPS server is present on the network. These ping requests include fictional user names and do not represent an actual connection request by a real user or computer. When NPS processes these requests, the event and accounting logs become filled with access reject records, making it difficult to keep track of records for valid connection attempts by real users. When you configure a registry entry for Ping User-Name, NPS matches the registry entry value against the value of the User-Name attribute in ping requests that other servers make. If the registry entry and the user name value match, NPS automatically rejects the request and does not create an event or accounting log entry. 3. Performs connection request policy evaluation. Connection request policies configured on the NPS server are evaluated to find a policy that matches the parameters of the connection. If a policy is found that matches the connection request, the name of the remote RADIUS server group to which the Access-Request should be forwarded is injected into the message. If a matching policy is not found, an Access-Reject message is sent and an event is logged. 4. Applies realm stripping rules. NPS determines or defines the domain name and the user identity for the Access-Request message. If the User-Name attribute in the Access-Request message is not the Auto Reject name, then the user identity is determined. User identity is the value that NPS uses to identify the user for the purposes of authentication and authorization. Typically, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, the user identity is set to the Guest account or the account specified by the Default User Identity registry entry. NPS can use any RADIUS attribute to identify the user. The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry entry. 5. Determines whether to authenticate locally or forward to a remote RADIUS server group. Based on the realm portion of the user name, the NPS proxy determines whether to forward the message or continue to process it locally. 6. Checks for authentication plug-ins. Authentication plug-ins are optional components created by using the NPS SDK; each plug-in can return Accept, Reject, or Continue. If an authentication plug-in returns an Accept, the user is authenticated and the account is 166 validated. If the authentication plug-in returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authentication plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user still needs to be authenticated. The authentication plug-in can also return RADIUS attributes to be included in the AccessAccept message. 7. Forwards the Access-Request message to a remote RADIUS server group. NPS creates a RADIUS message, which includes the attributes received from the RADIUS client, with the exception of the Proxy-State attribute. NPS forwards the message to the remote RADIUS server group specified in the request. When a valid reply is received from the remote server, attributes from the RADIUS message are merged with the attributes in the request. Attributes returned by the remote RADIUS server are not added if the same attribute has already been added by the connection request policy. In other words, local settings override remote settings. 8. Maps a remote user account to a local Windows account. If the NPS proxy server is configured to map an external user account to a local Windows account, and if the remote RADIUS server has performed authentication and returned an Access-Accept, mapping of the accounts is performed. If mapping is not configured, the NPS proxy proceeds to step 12 in this process, Checks for authorization plug-ins. 9. Validates user account. Based on the user or computer account determined by means of name cracking, the user account is validated to check whether the account is locked out (which is not the same as remote access account lockout), whether the account is disabled, and whether the user account password has expired. If the user account is not valid, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 10. Performs network policy evaluation. Network policies configured on the NPS server are evaluated to find a policy that matches the parameters of the connection. If a matching policy is not found, an Access-Reject message is sent and an event is logged. 11. Checks user properties and network policy properties. If the Ignore-User-DialinProperties attribute is set to 0, the dial-in properties of the user account and the properties of the matching network policy are evaluated against the parameters of the connection attempt to ensure that the connection attempt is allowed. If the Ignore-User-Dialin-Properties attribute is set to 1, the properties from the matching policy become the set of properties for the connection. If the connection attempt is not allowed, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 12. Checks for authorization plug-ins.Authorization plug-ins are optional components created by using the NPS SDK. Each plug-in can return either Reject or Continue. If an authorization 167 plug-in is installed and it returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authorization plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user is authorized. An authorization plug-in can also return RADIUS attributes to be included in the AccessAccept message. 13. Sends an Access-Accept. If the dial-in properties of the user account, the properties of the matching network policy, and the conditions imposed by authorization plug-ins allow the connection attempt, an Access-Accept message is sent back to the NAS. Included with the Access-Accept message is the set of RADIUS attributes for the restrictions on the connection. In addition, an authentication success event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. NAP Health Policy Server Message Processing This section provides information about how Network Policy Server (NPS) processes an incoming Access-Request message when NPS is configured as a Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, Access-Request messages are processed locally. In this process, NPS does the following: 1. Validates the RADIUS message. The incoming Access-Request message is validated for source IP address, the digital signature, valid attributes, and so on. If the RADIUS message is not valid, an event is logged in the system event log and the RADIUS Access-Request message is discarded. An Access-Reject message is not sent. 2. Checks for Auto Reject. Auto Reject, also called Ping User-Name for the corresponding registry entry, is used to send an immediate Access-Reject message when the User-Name attribute in the Access-Request message matches the registry entry value. Some RADIUS clients (RADIUS proxy servers and network access servers) periodically send artificial authentication and accounting requests, called ping requests, to verify that the NPS server is present on the network. These ping requests include fictional user names and do not represent an actual connection request by a real user or computer. When NPS processes these requests, the event and accounting logs become filled with access reject records, making it difficult to keep track of records for valid connection attempts by real users. When you configure a registry entry for Ping User-Name, NPS matches the registry entry value against the value of the User-Name attribute in ping requests that other servers make. If the registry entry and the user name value match, NPS automatically rejects the request and does not create an event or accounting log entry. 168 3. Performs connection request policy evaluation. If no connection request policies are matched, an event is logged in the system event log and the RADIUS Access-Request message is discarded. 4. Applies realm stripping rules. NPS determines or defines the domain name and the user identity for the Access-Request message. If the User-Name attribute in the Access-Request message is not the Auto Reject name, then the user identity is determined. User identity is how NPS identifies the user for the purposes of authentication and authorization. Typically, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, the user identity is set to the Guest account or the account specified by the Default User Identity registry entry. NPS can use any RADIUS attribute to identify the user. The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry entry. 5. Determines authentication server. NPS determines whether to authenticate locally or forward to a remote RADIUS server group (When NPS is configured as a NAP policy server, the message is authenticated locally and is not forwarded.) 6. Performs user name cracking. Name cracking is the resolution of the user identity to a user account by using user principal names (UPNs), Lightweight Directory Access Protocol (LDAP), distinguished names (DNAs), canonical names, and so on. If a user principal name is encountered by NPS, NPS performs a query to the Active Directory Domain Services (AD DS) global Ccatalog in an attempt to resolve the name. To speed up this process, a copy of the global catalog must be located on a domain controller within the same site as the NPS server. When the user identity does not contain a domain name, NPS supplies a domain name. By default, the NPS-supplied domain name is the domain for which the NPS server is a member. You can specify the NPS-supplied domain by means of the DefaultDomain registry entry. 7. Evaluates EAP authentication configured in connection request policy. If connection request policy is configured with an Extensible Authentication Protocol (EAP) authentication method, this setting overrides all authentication settings in all network policies. 8. Requests the client Statement of Health (SoH). NPS requests the SoH from the NAPcapable client. 9. Performs computer name cracking. NPS resolves the computer identity to a computer account in Active Directory Domain Services. 10. Checks for authentication plug-ins. Authentication plug-ins are optional components created by using the NPS software development kit (SDK); each plug-in can return Accept, Reject, or Continue. If an authentication plug-in returns an Accept, the user is authenticated and the account is validated. If the authentication plug-in returns a Reject, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authentication plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user still needs to be authenticated. 169 The authentication plug-in can also return RADIUS attributes to be included in the AccessAccept message. 11. Checks for remote access account lockout. The registry on the NPS server is read for remote access account lockout entry for the user account. If the account is locked out, NPS sends an Access-Reject message and logs an authentication event. For more information, see Network Policy Server Tools and Settings. 12. Checks for PAP, CHAP, MS-CHAP. If Password Authentication Protocol (PAP), CHAP, Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), or MSCHAP v2 are used to authenticate the remote access client, NPS consults an authentication sub-module based on the authentication protocol to perform the authentication. The user credentials (user name and password) are authenticated against the user name and password of the accounts database (either a domain or the local accounts database), and the group membership of the user account is determined. The exact method of authentication varies depending on the authentication protocol. If the authentication of the credentials is not successful, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If either EAP or unauthenticated access is being used, then the user authentication process is bypassed. EAP authentication takes place later in this process. For unauthenticated access, no user authentication is performed. 13. Validates the user or computer account. Based on the user or computer account determined by name cracking, the account is validated to discover whether it is locked out (which is not the same as remote access account lockout), whether the account is disabled, and whether the user account password has expired. If the account is not valid, an AccessReject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 14. Performs network policy-to-connection request matching. NPS evaluates the ordered list of network policies until it finds one whose conditions exactly match the connection request. When starting this process, NPS first evaluates the policies that match the network connection type, if there are any. For example, if the connection request is received from a Terminal Services Gateway (TS Gateway) server, NPS first evaluates network policies whose network connection type is TS Gateway. If no match is found, and if there are policies with a network connection type of Unspecified, NPS evaluates these policies next. If a matching policy is found, NPS adds the network policy settings to the connection request. If a matching policy is not found, an Access-Reject message is sent and an event is logged. 15. Performs health policy evaluation. If NPS matches the connection request to a network policy that is configured with a health policy, the health policy is evaluated against the SoH and the health of the NAP-capable client is determined. NPS enforces NAP based on the settings in the health policy. 170 16. Performs network policy constraints processing. Network policy constraints are processed by NPS. If all constraints do not match the connection request, NPS sends an Access-Reject message, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. In this circumstance, NPS does not evaluate additional policies. 17. Checks user account properties and network policy authorization properties. If the Ignore-User-Dialin-Properties attribute is set to 0, the dial-in properties of the user account and the properties of the matching network policy are evaluated against the parameters of the connection attempt to ensure that the connection attempt is allowed. If the Ignore-UserDialin-Properties attribute is set to 1 (True), NPS does not evaluate the dial-in properties of the user account in AD DS and the properties from the matching network policy are the only properties used to authorize the connection. If the connection attempt is not allowed, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 18. Checks for EAP authentication. If EAP is the authentication protocol used for the connection attempt, EAP authentication takes place. The initial negotiation for EAP consists of selecting EAP as the authentication protocol and negotiating an EAP type with the access client. Based on the EAP type, the settings for the matching connection request policy or network policy are checked to ensure that the EAP type is allowed. If the EAP type is not allowed, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS accounting log, depending on the configured logging settings. If the EAP type is allowed by connection request policy or network policy settings, EAP authentication for the EAP type occurs. NPS sends an EAP challenge to the NAS requesting it to start EAP negotiation. Communications between EAP modules on a RADIUS client and server are tunneled using the RADIUS protocol. After negotiation is complete, an EAP provider can return attributes that are sent back to the NAS in the Access-Accept message. If EAP authentication fails, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. 19. Checks for authorization plug-ins. Authorization plug-ins are optional components created by using the NPS software development kit (SDK). Each plug-in can return either Reject or Continue. If the authorization plug-in returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authorization plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user is authorized. The authorization plug-in can also return RADIUS attributes to be included in the AccessAccept message. 20. Sends an Access-Accept message. If the dial-in properties of the user account, the properties of the matching network policy, and the conditions imposed by authorization plugins allow the connection attempt, an Access-Accept message is sent back to the NAS. 171 Included with the Access-Accept message are NPS settings and the set of RADIUS attributes for the restrictions on the connection. In addition, an authentication success event is logged in either the system event log or the NPS authentication log, depending on the configured logging settings. After NPS sends the Access-Accept message, the NAS completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged in Internet Authentication Service (IAS) format, database-compatible format, or to a SQL Server database. The NPS server then sends an Accounting-Response to the NAS to verify that it has received and recorded accounting data for the connection. Note The NAS also sends Accounting-Request messages when the connection is being established, when the access client connection is closed, and when the NAS is started and stopped. NPS Accounting Network Policy Server (NPS) supports Remote Authentication Dial-In User Service (RADIUS) accounting, which you can use to track network usage for auditing and billing purposes. Accounting data can also be queried to assist with network access troubleshooting. In this section Interpret IAS Format Log Files Interpret NPS Database Format Log Files Interpret Windows System Health Validator Entries in Log Files NPS SQL Server Logging Note In addition to these topics, for more information, see the Windows Server 2003 Help topic Interpreting IAS IDs for vendor-specific attributes. Although this topic documents IAS in Windows Server 2003, the content is also accurate for NPS in Windows Server 2008. RADIUS accounting provides the following benefits: Real-time data collection. Accounting data can be collected from a central location. Non-Microsoft products can be used to analyze RADIUS accounting data to provide chargeback, troubleshooting, performance, and exception reports. When configured for accounting, NPS can log accounting data to a log file or to a SQL Server database. When a RADIUS client is configured to use RADIUS accounting, at the start of service delivery it generates an Accounting-Start message describing the type of service being delivered and the user it is being delivered to. The message is then sent to the RADIUS Accounting server, which 172 sends back an acknowledgment to the RADIUS client. At the end of service delivery, the client generates an Accounting-Stop message describing the type of service that was delivered and optional statistics, such as elapsed time, input and output octets, or input and output packets. It then sends that data to the RADIUS accounting server, which sends back an acknowledgment to the RADIUS client. The Accounting-Request message (whether for the Start or Stop message) is submitted to the RADIUS accounting server through the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. If the RADIUS accounting server cannot successfully record the accounting message, it does not send an Accounting-Response acknowledgment to the RADIUS client. For example, when the log file is full, NPS starts discarding accounting messages. This prompts the RADIUS client to switch to the backup RADIUS accounting server. NPS log file NPS can create a log file based on the data returned by the network access servers (NASs). This information is useful for keeping track of usage and correlating authentication information with accounting records (for example, to discover missing records or instances of over-billing). NPS supports two formats of the log file: Internet Authentication Service (IAS) format and database-compatible format. Database format allows you to keep track of a predetermined set of attributes, and IAS format is more detailed and can contain information about all attributes. Use database-compatible format if you want to import the data directly into a database. IAS format can be used if you need to record more detailed information than the database log format allows. Note The NPS log file contains all the NPS user-related events. NPS service and systemrelated events are recorded in the Event log files. NPS events and Event Viewer By using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure NPS to record. NPS records connection request failure events in the System event log by default. Connection request failure events consist of requests that are rejected or are discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS Microsoft Management Console (MMC) snap-in. Connection request failure events Although NPS records connection request failure events by default, you can change the configuration according to your logging needs. 173 Connection requests are rejected or ignored for a variety of reasons, including the following: The RADIUS message is not formatted according to RFCs 2865 or 2866. The RADIUS client is unknown. The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS. The shared secret is not valid. The Message-Authenticator attribute (also known as a digital signature) sent by the client is not valid. NPS was unable to locate the domain of the user name. NPS was unable to connect to the domain of the user name. NPS was unable to access the user account in the domain. When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the first matching network policy, the reason for the rejection, and other information. Connection request success events Although NPS records connection request success events by default, you can change the configuration according to your logging needs. When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy. Caution Logging connection request successes can result in the recording of large volumes of data. If you choose to log successful connection request events, use event logging options in Event Viewer to manage the Event Viewer logs. Logging secure channel (Schannel) events Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication by using encryption. Logging of client certificate validation failures is a secure channel event, and is not enabled on the NPS server by default. You can enable the logging of additional secure channel events. For more information, see NPS: SCHANNEL. 174 Interpret IAS Format Log Files In the Windows NT 4.0 version of Internet Authentication Service (IAS), log files are formatted by using a method in which attributes are logged as attribute-value pairs. This formatting is supported by Network Policy Server (NPS) in Windows Server 2008 and by IAS in Windows Server 2003 and Windows 2000 Server. The logs that use this format are referred to as IAS format log files. However, in Windows Server 2008, Windows Server 2003, and Windows 2000, this format supports the inclusion of additional information in the log file: In addition to accounting messages (Accounting-On, Accounting-Off, Accounting-Start, Accounting-Stop, and Accounting-Interim), the NPS server also logs authentication messages (Access-Request, Access-Accept, and Access-Reject). All string attributes that contain either unprintable characters or delimiters are printed in hexadecimal format (for example, 0x026). If NPS receives an attribute (RADIUS-standard or vendor-specific) that is not defined in the NPS dictionary, it is logged as a string. Note Unless you have migration, compatibility, or other issues that require you to use IAS format, use the database-compatible format or SQL Server logging. Although a databasecompatible log file contains a smaller subset of attributes, it contains the attributes required to support most tracking and accounting activities. Entries recorded in IAS format log files The following is an example entry (Access-Request) from an IAS format log file. 10.10.10.10,client,06/04/1999,14:42:19,NPS,CLIENTCOMP,6,2,7,1,5,9,61,5,64,1,65,1,31,1 The format of this record, which is the same for all records in your log file, includes a header, followed by the attribute-value pairs for all attributes that are contained in the packet. The first six record fields make up the header and are described in the following table. Value shown in Attribute ID Data type Represents example 10.10.10.10 NAS-IP-Address IAS Header Text The IP address of the network access server (NAS) that is sending the request. client User-Name IAS Header Text The user name that is requesting access. 175 Value shown in Attribute ID Data type Represents 06/04/1999 Record-Date IAS Header Time The date that the log is written. 14:42:19 Record-Time IAS Header Time The time that the log is written. NPS Service-Name IAS Header Text The name of the service that is running on the RADIUS server. CLIENTCOMP Computer-Name IAS Header Text The name of the RADIUS server. example Beyond the header, RADIUS attributes and values are listed in pairs in the following format: <AttributeNumber1>,<ValueForAttributeNumber1>,<AttributeNumber2>,<ValueForAttributeNumb er2> For example, the two fields after the header contain a 6 and a 2, which can be interpreted as follows: The number 6 represents the RADIUS ID for the Service-Type. The number 2 represents the attribute value for the Service-Type. The RADIUS protocol specifies the following values for the Service-Type attribute: 1 = Login 2 = Framed 3 = Callback Login 4 = Callback Framed 5 = Outbound 6 = Administrative 7 = NAS Prompt 8 = Authenticate Only 9 = Callback NAS Prompt The value of this attribute is 2 (Framed). This attribute-value pair is interpreted as Service-Type = Framed, which indicates to the NPS server to provide a framed protocol for the user – for example, Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP). The following table describes the RADIUS attributes, listed in numerical order, which can be found in an IAS format log file. Unlike database import log files, which use a fixed sequence of attributes, the sequence of the attributes in IAS format log files depends upon the sequence used 176 by the network access server (NAS). For additional information about the sequence of these records, see the documentation for the NAS. Additional information This table does not cover vendor-specific attributes (VSAs). For more information about VSAs that are supported by your NAS, see your NAS documentation. The entries in the ID column that begin with "IAS" are NPS/IAS-specific attributes. They are not found in the RADIUS protocol. Attribute ID Data type Represents User-Name 1 Text The user identity, as specified by the user. NAS-IP-Address 4 Text The IP address of the NAS originating the request. NAS-Port 5 Number The physical port number of the NAS originating the request. Service-Type 6 Number The type of service that the user has requested. Framed-Protocol 7 Number The protocol to be used. Framed-IP-Address 8 Text The framed IP address to be configured for the user. Framed-IP-Netmask 9 Text The IP netmask to be configured for the user. Framed-Routing 10 Number The routing method to be used by the user. Filter-ID 11 Text The name of the filter list for the user requesting authentication. Framed-MTU 12 Number The maximum transmission unit (MTU) to be configured for the user. FramedCompression 13 Number The compression protocol to be used. Login-IP-Host 14 Number The IP address of the host to which the user should be connected. Login-Service 15 Number The service that connects the user to the login host. Login-TCP-Port 16 Number The TCP port to which the user is to be connected. Reply-Message 18 Text The message displayed to the user when an 177 Attribute ID Data type Represents authentication request is accepted. Callback-Number 19 Text The callback phone number. Callback-ID 20 Text The name of a location to be called by the access server when performing callback. Framed-Route 22 Text The routing information that is configured on the access client. Framed-IPXNetwork 23 Number The Internetwork Packet Exchange (IPX) network number to be configured on the NAS for the user. Class 25 Text The attribute sent to the client in an AccessAccept packet, which is useful for correlating Accounting-Request packets with authentication sessions. The format is: Type contains the value 25 (1 octet). Length contains a value of 20 or greater (1 octet). Checksum contains an Adler-32 checksum that is computed over the remainder of the Class attribute (4 octets). Vendor-ID contains the ID of the NAS vendor (4 octets). The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the vendor in network byte order, as defined in "Private Enterprise Numbers" at http://www.iana.org/assignments/enterpr ise-numbers. Version vontains the value of 1 (2 octets). Server-Address contains the IP address of the RADIUS server that issued the Access-Challenge message. For multihomed servers, this is the address of the network interface that received the original Access-Request message (2 octets). 178 Attribute ID Data type Represents Service-Reboot-Time specifies the time at which the first serial number was returned (8 octets). Unique-Serial-Number contains a unique number to distinguish an individual connection attempt (8 octets). String contains information that is used to classify accounting records for additional analysis (0 or more octets). In NPS, the Class attribute is copied into the String field. The Class attribute is used to match the accounting and authentication records if it is sent by the NAS in the Accounting-Request message. The combination of SerialNumber, Service-Reboot-Time, and ServerAddress must be a unique identification for each authentication that the RADIUS server performs. Vendor-Specific 26 Text The attribute that is used to support proprietary NAS features. Session-Timeout 27 Number The length of time (in seconds) before a session is terminated. Idle-Timeout 28 Number The length of idle time (in seconds) before a session is terminated. Termination-Action 29 Number The action that the NAS is to take when service is completed. Called-Station-ID 30 Text The phone number that is dialed by the user. Calling-Station-ID 31 Text The phone number from which the call originated. NAS-Identifier 32 Text The string that identifies the NAS originating the request. Login-LAT-Service 34 Text The host with which the user is to be connected by Local Area Transport (LAT). Login-LAT-Node 35 Text The node with which the user is to be connected by LAT. 179 Attribute ID Data type Represents Login-LAT-Group 36 Text The LAT group codes for which the user is authorized. Framed-AppleTalkLink 37 Number The AppleTalk network number for the serial link to the user (this is used only when the user is a router). Framed-AppleTalkNetwork 38 Number The AppleTalk network number that the NAS must query for existence in order to allocate the user AppleTalk node. Framed-AppleTalkZone 39 Text The AppleTalk default zone for the user. Acct-Status-Type 40 Number The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Services session. Acct-Delay-Time 41 Number The length of time (in seconds) for which the NAS has been sending the same accounting packet. Acct-Input-Octets 42 Number The number of octets received by NPS during the session. Acct-Output-Octets 43 Number The number of octets sent by NPS during the session. Acct-Session-ID 44 Text The unique numeric string that identifies the server session. Acct-Authentic 45 Number The number that specifies which server has authenticated an incoming call. Acct-Session-Time 46 Number The length of time (in seconds) for which the session has been active. Acct-Input-Packets 47 Number The number of packets received by NPS during the session. Acct-OutputPackets 48 Number The number of packets sent by NPS during the session. Acct-TerminateCause 49 Number The reason that a connection was terminated by NPS. Acct-Multi-SSN-ID 50 Text The unique numeric string that identifies the multilink session. 180 Attribute ID Data type Represents Acct-Link-Count 51 Number The number of links in a multilink session. Event-Timestamp 55 Time The date and time that this event occurred on the NAS. NAS-Port-Type 61 Number The type of physical port that is used by the NAS originating the request. Port-Limit 62 Number The maximum number of ports that the NAS provides to the user. Login-LAT-Port 63 Number The port with which the user is connected by LAT. Tunnel-Type 64 Number The tunneling protocols to be used. Tunnel-MediumType 65 Number The transport medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. Tunnel-Client-Endpt 66 Text The IP address of the tunnel client. Tunnel-ServerEndpt 67 Text The IP address of the tunnel server. Acct-TunnelConnection 68 Text An identifier assigned to the tunnel. Password-Retry 75 Number The number of times a user can try to be authenticated before the NAS terminates the connection. Prompt 76 Number A number that indicates to the NAS whether or not it should (Prompt=1) or should not (Prompt=0) echo the user response as it is typed. Connect-Info 77 Text Information that is used by the NAS to specify the type of connection made. Typical information includes connection speed and data encoding protocols. ConfigurationToken 78 Text The type of user profile to be used (sent from a RADIUS proxy server to a RADIUS client) in an Access-Accept packet. Tunnel-Pvt-GroupID 81 Text The group ID for a specific tunneled session. 181 Attribute Data type Represents Tunnel-Assignment- 82 ID Text The tunnel to which a session is to be assigned. Tunnel-Preference 83 Number A number that indicates the preference of the tunnel type, as indicated by the TunnelType attribute when multiple tunnel types are supported by the NAS. Acct-Interim-Interval 85 Number The length of interval (in seconds) between each interim update sent by the NAS. Ascend 107 to 255 Text The vendor-specific attributes for Ascend. For more information, see the Ascend documentation. Client-IP-Address IAS 4108 Text The IP address of the RADIUS client. NAS-Manufacturer IAS 4116 Number The manufacturer of the NAS. MS-CHAP-Error IAS 4121 Number The error data that describes a Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) transaction. Authentication-Type IAS 4127 Number The authentication scheme that is used to verify the user. Client-FriendlyName IAS 4128 Text The friendly name for the RADIUS client. SAM-AccountName IAS 4129 Text The user account name in the Security Accounts Manager (SAM) database. Fully-QualifiedUser-Name IAS 4130 Text The user name in canonical format. EAP-Friendly-Name IAS 4132 Text The friendly name that is used with Extensible Authentication Protocol (EAP). Packet-Type IAS 4136 Number The type of packet, which can be: Reason-Code ID IAS 4142 Number 1 = Accept-Request 2 = Access-Accept 3 = Access-Reject 4 = Accounting-Request The reason for rejecting a connection request: 00 = Success 182 Attribute ID Data type Represents 01 = Internal error 02 = Access denied 03 = Malformed request 04 = Global catalog unavailable 05 = Domain unavailable 06 = Server unavailable 07 = No such domain 08 = No such user 16 = Authentication failure 17 = Password change failure 18 = Unsupported authentication type 19 = No reversibly encrypted password is stored for the user account 32 = Local users only 33 = Password must be changed 34 = Account disabled 35 = Account expired 36 = Account locked out 37 = Logon hours are not valid 38 = Account restriction 48 = Did not match network policy 49 = Did not match connection request policy 64 = Dial-in locked out 65 = Dial-in disabled 66 = Authentication type is not valid 67 = Calling station is not valid 68 = Dial-in hours are not valid 69 = Called station is not valid 70 = Port type is not valid 71 = Restriction is not valid 80 = No record 96 = Session timed out 97 = Unexpected request 183 Attribute ID Data type Represents NP-Policy-Name IAS 4149 Text The friendly name of a network policy. Attributes that are not recorded in IAS format log files Although most attributes sent by access servers are logged in IAS format log files, some attributes are not logged because they contain sensitive information. For example, user passwords are not logged for security reasons. The following table lists some of the attributes that are not logged. Attribute name ID/Description User-Password 2 CHAP-Password 3 State 24 Proxy-State 33 CHAP-Challenge 60 Tunnel-Password 69 EAP-Message 79 Signature 80 MS-CHAP-Challenge Microsoft vendor-specific attribute MS-CHAP-Response Microsoft vendor-specific attribute MS-CHAP-CPW-1 Microsoft vendor-specific attribute MS-CHAP-CPW-2 Microsoft vendor-specific attribute MS-CHAP-LM-Enc-PW Microsoft vendor-specific attribute MS-CHAP-NT-Enc-PW Microsoft vendor-specific attribute MS-CHAP-MPPE-Keys Microsoft vendor-specific attribute MS-MPPE-Send-Key Microsoft vendor-specific attribute MS-MPPE-Recv-Key Microsoft vendor-specific attribute MS-Filter Microsoft vendor-specific attribute MS-CHAP2-Response Microsoft vendor-specific attribute MS-CHAP2-Success Microsoft vendor-specific attribute 184 Attribute name ID/Description MS-CHAP2-CPW Microsoft vendor-specific attribute Interpret NPS Database Format Log Files Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database. Note Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC). Entries recorded in database-compatible log files The following are example entries (Access-Request and Access-Accept) from a databasecompatible log file. Note In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008. NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service. This is the first example: "CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,, ,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, This is the second example: "CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.1 0","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, The following table shows the attributes that can be contained in a record in the databasecompatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted. Additional information A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries. The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the 185 data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes. This table shows the values for the example entries of an IAS-internal attribute. Value shown in Attribute Data type Description "CLIENTCOMP" ComputerName Text The name of the server where the packet was received (this is an IAS-internal attribute). "IAS" ServiceName Text The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IASinternal attribute). 03/07/2008 Record-Date Time The date at the NPS or Routing and Remote Access server (this is an IASinternal attribute). 13:04:33 Record-Time Time The time at the NPS or Routing and Remote Access server (this is an IASinternal attribute). 1 Packet-Type Number The type of packet, which can be: example 1 = Access-Request 2 = Access-Accept 3 = Access-Reject 4 = Accounting-Request This is an IAS-internal attribute. "client" User-Name Text The user identity, as specified by the user. Fully-QualifiedDistinguishedName Text The user name in canonical format (this is an IAS-internal attribute). Called-Station-ID Text The phone number dialed by the user. Calling-Station-ID Text The phone number from which the call originated. Callback-Number Text The callback phone number. Framed-IP- Text The framed address to be configured for 186 Value shown in Attribute Data type Description example Address the user. NAS-Identifier Text The text that identifies the network access server originating the request. NAS-IP-Address Text The IP address of the network access server originating the request. NAS-Port Number The physical port number of the network access server originating the request. 9 Client-Vendor Number The manufacturer of the network access server (this is an IAS-internal attribute). "10.10.10.10" Client-IP-Address Text The IP address of the RADIUS client (this is an IAS-internal attribute). "npsclient" Client-FriendlyName Text The friendly name for the RADIUS client (this is an IAS-internal attribute). Event-Timestamp Time The date and time that this event occurred on the network access server. Port-Limit Number The maximum number of ports that the network access server provides to the user. NAS-Port-Type Number The type of physical port that is used by the network access server originating the request. Connect-Info Text Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols. Framed-Protocol Number The protocol to be used. Service-Type Number The type of service that the user has requested. AuthenticationType Number The authentication scheme, which is used to verify the user and can be: 1 1 = PAP 2 = CHAP 187 Value shown in Attribute Data type Description example 3 = MS-CHAP 4 = MS-CHAP v2 5 = EAP 7 = None 8 = Custom This is an IAS-internal attribute. 0 Policy-Name Text The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank. Reason-Code Number The reason for rejecting a user, which can be: 0 = IAS_SUCCESS 1 = IAS_INTERNAL_ERROR 2 = IAS_ACCESS_DENIED 3 = IAS_MALFORMED_REQUEST 4= IAS_GLOBAL_CATALOG_UNAVAILA BLE 5 = IAS_DOMAIN_UNAVAILABLE 6 = IAS_SERVER_UNAVAILABLE 7 = IAS_NO_SUCH_DOMAIN 8 = IAS_NO_SUCH_USER 16 = IAS_AUTH_FAILURE 17 = IAS_CHANGE_PASSWORD_FAILUR E 18 = IAS_UNSUPPORTED_AUTH_TYPE 32 = IAS_LOCAL_USERS_ONLY 33 = IAS_PASSWORD_MUST_CHANGE 188 Value shown in Attribute Data type Description example 34 = IAS_ACCOUNT_DISABLED 35 = IAS_ACCOUNT_EXPIRED 36 = IAS_ACCOUNT_LOCKED_OUT 37 = IAS_INVALID_LOGON_HOURS 38 = IAS_ACCOUNT_RESTRICTION 48 = IAS_NO_POLICY_MATCH 64 = IAS_DIALIN_LOCKED_OUT 65 = IAS_DIALIN_DISABLED 66 = IAS_INVALID_AUTH_TYPE 67 = IAS_INVALID_CALLING_STATION 68 = IAS_INVALID_DIALIN_HOURS 69 = IAS_INVALID_CALLED_STATION 70 = IAS_INVALID_PORT_TYPE 71 = IAS_INVALID_RESTRICTION 80 = IAS_NO_RECORD 96 = IAS_SESSION_TIMEOUT 97 = IAS_UNEXPECTED_REQUEST This is an IAS-internal attribute. Class Text The attribute that is sent to the client in an Access-Accept packet. Session-Timeout Number The length of time (in seconds) before the session is terminated. Idle-Timeout Number The length of idle time (in seconds) before the session is terminated. TerminationAction Number The action that the network access server takes when service is completed. EAP-FriendlyName Text The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP189 Value shown in Attribute Data type Description example Friendly-Name is “Microsoft Secured Password (EAP-MSCHAPv2)." Acct-Status-Type Number The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session. Acct-Delay-Time Number The length of time (in seconds) for which the network access server has been sending the same accounting packet. Acct-Input-Octets Number The number of octets received during the session. Acct-OutputOctets Number The number of octets sent during the session. Acct-Session-Id Text The unique numeric string that identifies the server session. Acct-Authentic Number The number that specifies which server authenticated an incoming call. Acct-SessionTime Number The length of time (in seconds) for which the session has been active. Acct-InputPackets Number The number of packets received during the session. Acct-OutputPackets Number The number of packets sent during the session. Acct-TerminateCause Number The reason that a connection was terminated. Acct-Multi-Ssn-ID Text The unique numeric string that identifies the multilink session. Acct-Link-Count Number The number of links in a multilink session. Acct-InterimInterval Number The length of interval (in seconds) between each interim update that the network access server sends. Tunnel-Type Number The tunneling protocol to be used. Tunnel-Medium- Number The medium to use when creating a tunnel 190 Value shown in Attribute Data type Description example Type for protocols. For example, L2TP packets can be sent over multiple link layers. Tunnel-ClientEndpt Text The IP address of the tunnel client. Tunnel-ServerEndpt Text The IP address of the tunnel server. Acct-Tunnel-Conn Text An identifier assigned to the tunnel. Tunnel-PvtGroup-ID Text The group ID for a specific tunneled session. TunnelAssignment-ID Text The tunnel to which a session is assigned. TunnelPreference Number The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server. MS-Acct-AuthType Number A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-Acct-EAPType Number A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-RAS-Version Text A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-RAS-Vendor Number A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-CHAP-Error Text A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-CHAPDomain Text A Routing and Remote Access service attribute. For more information, see RFC 2548. MS-MPPE- Number A Routing and Remote Access service 191 Value shown in Attribute Data type Description example Encryption-Types "CLIENTCOMP" attribute. For more information, see RFC 2548. MS-MPPEEncryption-Policy Number A Routing and Remote Access service attribute. For more information, see RFC 2548. Proxy-PolicyName Text The name of the connection request policy that matched the connection request. Provider-Type Number Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication. Provider-Name Text A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2. Remote-ServerAddress IP address The IP address of the remote RADIUS server to which the connection request was forwarded for authentication. MS-RAS-ClientName Text The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40. Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated. The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ‘ ) ( . - _ { } ~. 192 Value shown in Attribute Data type Description MS-RAS-ClientVersion Number The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7. example Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order. Interpret Windows System Health Validator Entries in Log Files When NPS is configured as a Network Access Protection (NAP) policy server, and one or more health policies are configured with the Windows Security Health Validator (WSHV), NPS logs statement of health responses (SoHRs) in the NPS log file or to a Microsoft® SQL Server™ database, depending on your accounting configuration. You can use the information in this topic to interpret WSHV entries in NPS accounting logs. Diagnostic codes The WSHV entries contain elements that correspond to components that might be installed or enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic Updates. The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and these codes are always presented in the following order: 1. Firewall (On/Off) 2. Antivirus - On/Off 3. Antivirus - Up-to-date status 4. Antispyware - On/Off 5. Antispyware - Up-to-date status 6. Automatic Updates (On/Off) 7. Security Updates - Compliance code 8. Security Updates - Severity 193 9. Security Updates - Legitimate Source (Windows Update, Windows Server Update Services, or Microsoft Update) For item 9 above, the following codes are possible values in the log file. Update source Diagnostic code Windows Update 0x00004000 Windows Server Update Services (WSUS) 0x00010000 Microsoft Update 0x00020000 Important If the configuration allows the receipt of updates from more than one source, the log file entry combines the codes. For example, if both Windows Update and Microsoft Update are legitimate sources, the log file code is 0x00024000. When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is 0x0. When an element of the SHV is compliant, the corresponding component on the client computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is not configured to enforce any specific element, such as Firewall or Security Updates, log entries for the element are not relevant and should be ignored. The Security Updates element provides a severity rating. To interpret the severity rating when reviewing the NPS log file, you can use the following severity levels. Severity level Code in NPS log Unspecified 0x0040 Low 0x0080 Moderate 0x0100 Important 0x0200 Critical 0x0400 Error codes On the client computer, the NAP agent can receive errors from the Windows System Health Agent, which monitors the components on the client operating system, such as firewalls and antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the statement contains information about errors on the client computer. In turn, NPS records the error in the NPS log file. 194 The following table provides the possible error codes that can be logged by NPS. Error code Description 0xC0FF0001 E_MSSHV_PRODUCT_NOT_ENABLED A system health component is not enabled. 0xC0FF0002 E_MSSHAV_PRODUCT_NOT_INSTALLED A system health component is not installed. 0xC0FF0003 E_MSSHAV_WSC_SERVICE_DOWN The Windows Security Center service is not running. 0xC0FF0004 E_MSSHV_PRODUCT_NOT_UPTODATE The signatures for a specific system health component are not up to date. 0x00FF0008 E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT The Windows Server Update Services has not started. An administrator must try to start the service manually. 0xC0FF000C E_MSSHAV_NO_WUS_SERVER The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Click the Try again button after configuration is done for the changes to take effect. 0xC0FF000D E_MSSHAV_NO_CLIENT_ID Windows failed to determine the Windows Server Update Services client ID of this computer. 0xC0FF000E E_MSSHAV_WUA_SERVICE_DISABLED The Windows Update Agent service has been disabled or not configured to start automatically. An administrator must enable the service. 0xC0FF000F E_MSSHAV_WUA_COMM_FAILURE The periodic scan of this computer for security updates failed. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server. 0xC0FF0010 E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT Security updates have been installed and require this computer 195 Error code Description to be restarted. Please close all applications and restart this computer. 0xC0FF0012 E_MSSHV_WUS_SHC_FAILURE The NPS server failed to validate the security update status of this computer. An administrator must ensure that a Windows Server Update Services server is available and that the Windows Update Agent on this computer is configured to synchronize with the server. 0xC0FF0014 E_MSSHV_UNKNOWN_CLIENT Unknown client 0xC0FF0017 E_MSSHV_INVALID_SOH The Windows Security Health Validator did not process the latest Statement of Health (SoH) because the SoH is not valid. 0xC0FF0018 E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT The Windows Security Center service has not started. An administrator must try to start the service manually. 0xC0FF0047 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED A third-party system health component is not enabled. 0xC0FF0048 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE The signatures for a specific third-party system health component are not up to date. 0xC0FF004EL E_MSSHAV_BAD_UPDATE_SOURCE_MU This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Microsoft Update. 0xC0FF004FL E_MSSHAV_BAD_UPDATE_SOURCE_WUMU This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive updates from Windows Update or Microsoft Update. 0xC0FF0050L E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS This computer is not configured to receive security updates from a source approved for this network. An administrator must configure the Windows Update Agent service to receive 196 Error code Description updates from Windows Server Update Services or Microsoft Update. 0xC0FF0051L E_MSSHAV_NO_UPDATE_SOURCE The Windows Update Agent on this computer is not configured to receive security updates. An administrator must configure the Windows Update Agent service. The NAP agent might have to be restarted for changes to take effect. Determining the client operating system When you review Windows SHV entries in the NPS log file, you can determine whether the client computer is running Windows Vista or Windows XP in one of two ways: 1. Examine the field OS-Version in the NPS log. 2. Count the number of diagnostic codes recorded in the log file. If the client computer is running Windows Vista, NPS logs all eight diagnostic codes. If the client computer is running Windows XP, NPS logs only six diagnostic codes because the monitoring of antispyware status is not supported in WSHV for Windows XP. Example log file entries The first example log file entry depicts an entry for a client computer running Windows Vista that is not configured to synchronize with a Windows Server Update Services server. The text in italics is added to clarify the meaning of the diagnostic codes and does not normally appear in NPS log entries. First example log file entry Machine testclient was quarantined. OS-Version = 6.0.5495 0.0 x86 Workstation Fully-Qualified-Machine-Name = <undetermined> Fully-Qualified-User-Name = <undetermined> NAS-IP-Address = <not present> NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1 NAS-Identifier = testserver Called-Station-Identifier = <not present> Calling-Station-Identifier = <not present> Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601 Proxy-Policy-Name = Use Windows authentication for all users 197 Policy-Name = Access Denied Quarantine-Session-Identifier = {5E0E29F1-2459-441D-A575-39224835F0FD} - 2006-08-28 23:44:32.391Z Quarantine-Help-URL = <undetermined> Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None (0x0-) Firewall is compliant (0x0-) Anti Virus is compliant (0x0-) Anti Virus signatures are compliant (0x0-) Anti Spyware is compliant (0x0-) Anti Spyware signatures are compliant (0x0-) Automatic Update is compliant (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click the 'try again' button after configuration is done for the changes to take effect.) Diagnostic code for Security Updates from Diagnostic Code table (0x40-) Unspecified Severity Level from Severity level table (0x00004000-) Legitimate update source is Windows Update Second example log file entry The second example log file entry depicts an entry for a client computer running Windows Vista that is configured to use the Windows Security Center for the firewall, antivirus, antispyware and Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored. Machine testclient was quarantined. OS-Version = 6.0.5495 0.0 x86 Workstation Fully-Qualified-Machine-Name = <undetermined> Fully-Qualified-User-Name = <undetermined> NAS-IP-Address = <not present> NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1 NAS-Identifier = testserver 198 Called-Station-Identifier = <not present> Calling-Station-Identifier = <not present> Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601 Proxy-Policy-Name = Use Windows authentication for all users Policy-Name = Access Denied Quarantine-Session-Identifier = {73940432-26A1-4446-8AB5-DCFD9BF69271} - 2006-08-30 17:17:33.585Z Quarantine-Help-URL = <undetermined> Quarantine-System-Health-Result = Windows Security Health Validator NonCompliant None (0xc0ff0003-The Windows Security Center service is not running.) (0x0-) (0x0-) (0xc0ff0003-The Windows Security Center service is not running.) (0x0-) (0xc0ff0003-The Windows Security Center service is not running.) (0xc0ff000c-The Windows Update Agent on this computer is not configured to synchronize with a Windows Server Update Services server. An administrator must configure the Windows Update Agent service. Please click the 'try again' button after configuration is done for the changes to take effect.) (0x40-) NPS SQL Server Logging You can use SQL Server logging to record user Remote Authentication Dial-In User Service (RADIUS) authentication and accounting requests received from one or more network access servers (NASs) to a data source on a computer running Microsoft SQL Server. Accounting data is passed from Network Policy Server (NPS) in eXtensible Markup Language (XML) format to a stored procedure in a SQL Server database. SQL Server databases support both SQL and XML (SQLXML). 199 Advantages of SQL Server logging Logging to a SQL Server relational database instead of a standard text file — that is, either Internet Authentication Service (IAS) format or database-compatible format — has many advantages, including the following: Relationships between data tables enable the flexible creation of dynamic data views by using queries and reports. SQL Server has high-speed optimizations that can effectively support very large, multipleterabyte-sized databases. Multiple bulk copy operations can be performed concurrently against a single table in SQL Server to speed data entry. The Transact-SQL BACKUP and RESTORE statements are optimized to read through a database serially and write in parallel to multiple backup devices. In addition, SQL Server supports differential backups, which replicate only the data changed after the last backup. You can configure SQL Server logging to provide failover and redundancy, and multiple NPS servers can log to the same database, providing ease of administration. Data from multiple NPS servers can be stored in the same database, providing a centralized data source for many NPS servers and the ability to achieve a more comprehensive data view for applications that query the database, such as Help desk applications. Note When you configure NPS to log accounting information to a database on a remote SQL server, you must also create a firewall exception on the SQL Server to allow the incoming connection from the NPS server. By default, SQL Server listens for incoming connections on TCP port 1433. For more information, see INF: TCP Ports Needed for Communication to SQL Server Through a Firewall. In addition, you can improve logging performance and, in some circumstances, reduce the cost of deploying SQL Server logging by using SQL Server Express databases installed on each NPS server. The following sections describe key logging concepts such as requests logged by NPS, NPS log file contents, and how NPS creates an XML document from accounting and authentication data when you deploy SQL Server logging. Data logged by NPS By default, NPS does not log any data until you configure it to do so. When you configure SQL Server logging, all required attributes, accounting, and authentication data that is normally logged in either IAS format or database-compatible format is logged to the SQL Server database. Initially, it is recommended that you enable the logging of accounting and user authentication requests. You can refine your logging settings after you determine your required data. 200 Requests logged by NPS You can log the following information in a SQL Server database: Accounting-on requests, which are sent by the RADIUS client to indicate that it is online and ready to accept connections. Accounting-off requests, which are sent by the RADIUS client to indicate that it is going offline. Accounting-start requests, which are sent by the RADIUS client (after the user is authenticated and authorized by the NPS server) to indicate the start of a user session. Accounting-stop requests, which are sent by the RADIUS client to indicate the end of a user session. Accounting interim requests, which are sent periodically by some RADIUS clients during a user session, and which can be logged by NPS. This type of request can be used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in network policy settings on the NPS server. The RADIUS client must support the use of accounting interim requests if you want the interim requests to be logged on the NPS server. If the RADIUS client does not send accounting interim requests, they are not logged. Authentication requests, which are sent by the RADIUS client on behalf of the connecting user. These entries in the log contain only incoming attributes. Authentication accepts and rejects, which are sent by NPS to the RADIUS client, indicating whether the user is accepted or rejected. These entries contain only outgoing attributes. NPS log file contents Unlike database-compatible format log files, which use a fixed sequence of attributes, the sequence of the attributes in a SQL Server log file depends upon the sequence used by the RADIUS client. For more information about the sequence of these records, see the documentation for your RADIUS client. Required database fields for session correlation When you create the fields in the tables of your SQL Server databases, you must provide all fields that allow applications to query the database, correlate related fields, and return a cohesive view of each session in the query results. This is called session correlation. At a minimum, to provide session correlation, you must log the values of the following NPS attributes as accounting data in the SQL Server databases: NAS-IP-Address NAS-Identifier (You need both NAS-IP-Address and NAS-Identifier because the RADIUS client can send one or the other.) Class 201 Acct-Session-Id Acct-Multi-Session-Id Packet-Type Acct-Status-Type Acct-Interim-Interval NAS-Port Event-Timestamp Configuring accounting to provide the best session correlation When you use an application to query your SQL Server database, it is important that sufficient data is logged to provide the application with the ability to correlate related fields and information into a cohesive view of any particular user session. To provide the best session correlation, take the following actions: Use RADIUS clients that send the Class attribute in all Accounting-Request messages. The Class attribute is sent to the RADIUS client in an Access-Accept message, and is useful for correlating Accounting-Request messages with authentication sessions. If the Class attribute is sent by the RADIUS client in the Accounting-Request messages, it can be used to match the accounting and authentication records. The combination of the attributes Unique-Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the server accepts. Use RADIUS clients that support interim accounting. Use NASs that send Accounting-on and Accounting-off messages. Use RADIUS clients that support the storing and forwarding of accounting data. RADIUS clients that support this feature can store accounting data in circumstances when it cannot communicate with the NPS server. When the NPS server is available, the RADIUS client forwards the stored records to the NPS server, providing increased reliability in accounting over RADIUS clients that do not provide this feature. Always configure the Acct-Interim-Interval attribute in network policies. The Acct-InterimInterval attribute sets the interval (in seconds) between each interim update that the NAS sends. You can add the Acct-Interim-Interval attribute on the Settings tab of the network policy. According to RFC 2869, the value of the Acct-Interim-Interval attribute must not be smaller than 60 seconds, or one minute, and cannot be larger than 600 seconds, or 10 minutes. For more information, see RFC 2869 "RADIUS Extensions." Ensure that logging of periodic status is enabled on your NPS servers. 202 How NPS creates an XML document from accounting and authentication data If you select SQL Server logging in the NPS Microsoft Management Console (MMC) snap-in, attribute-value pairs are converted to XML format. When NPS creates an XML document from attributes, accounting, and authentication data, the XML document includes the attribute ID or name, the attribute value, and the data type of the attribute value. In SQL Server logging, there are five data types for attribute values: Non-negative integers (data_type=0) Strings (data_type=1) Hexadecimal numbers (data_type=2) IPv4 addresses (data_type=3) Date and time (data_type=4) The following example XML document created by NPS includes the attribute name (User-Name), the attribute value (DOMAIN\username), and the data type (1), indicating a value data type of string: <Event> <User-Name data_type="1">DOMAIN\username</User-Name> </Event> The next example XML document created by NPS includes the attribute name (NAS-IP-Address), the attribute value (192.168.0.1), and the data type (3), indicating a value data type of IP address: <Event> <NAS-IP-Address data_type="3">192.168.0.1</NAS-IP-Address> </Event> The next example XML document created by NPS includes the attribute name (Provider-Type), the attribute value (1), and the data type (0), indicating a value data type of non-negative integers: <Event> <Provider-Type data_type="0">1</Provider-Type> </Event> The last example XML document created by NPS includes the three previous examples combined into one XML document: <Event> <User-Name data_type="1">DOMAIN\username</User-Name> <NAS-IP-Address data_type="3">192.168.0.1</NAS-IP-Address> <Provider-Type data_type="0">1</Provider-Type> </Event> 203 Following is an example of a typical XML document sent by NPS configured for SQL Server logging: <Event> <Computer-Name data_type="1">MYNAS</Computer-Name> <Event-Source data_type="1">NPS</Event-Source> <Acct-Session-Id data_type="1">10</Acct-Session-Id> <NAS-IP-Address data_type="3">10.10.1.1</NAS-IP-Address> <Service-Type data_type="0">2</Service-Type> <Framed-Protocol data_type="0">1</Framed-Protocol> <NAS-Port data_type="0">7</NAS-Port> <NAS-Port-Type data_type="0">5</NAS-Port-Type> <Tunnel-Type data_type="0">1</Tunnel-Type> <Tunnel-Medium-Type data_type="0">1</Tunnel-Medium-Type> <Calling-Station-Id data_type="1">10.10.1.2</Calling-Station-Id> <Tunnel-Client-Endpt data_type="1">10.10.1.2</Tunnel-Client-Endpt> <User-Name data_type="1">MYDOMAIN\Administrator</User-Name> <Client-IP-Address data_type="3">10.10.1.1</Client-IP-Address> <Client-Vendor data_type="0">0</Client-Vendor> <Client-Friendly-Name data_type="1">MYNAS</Client-Friendly-Name> <MS-RAS-Vendor data_type="0">311</MS-RAS-Vendor> <MS-RAS-Version data_type="1">MSRASV5.20</MS-RAS-Version> <MS-RAS-Client-Version data_type="1">MSRASV5.20</MS-RAS-Client-Version> <MS-RAS-Client-Name data_type="1">MSRAS-0-MYCLIENT</MS-RAS-Client-Name> <Provider-Type data_type="0">1</Provider-Type> <Class data_type="1">311 1 192.168.0.123 02/20/2003 19:03:02 9</Class> <SAM-Account-Name data_type="1">MYDOMAIN\Administrator</SAM-Account-Name> <Fully-Qualified-User-Name data_type="1">MYDOMAIN\Administrator</Fully-Qualified-UserName> <Authentication-Type data_type="0">4</Authentication-Type> <Packet-Type data_type="0">1</Packet-Type> <Reason-Code data_type="0">0</Reason-Code> </Event> 204 Network Policy Server Tools and Settings You can use Network Policy Server (NPS) tools, such as the NPS console and the Network Shell (Netsh) commands for NPS, to configure your servers running NPS. NPS settings include port settings, the use of the Message-Authenticator attribute, and shared secrets. In this section NPS Tools NPS Settings NPS Tools You can use the following tools to configure, manage, monitor, and develop applications for your servers running Network Policy Server (NPS). NPS console After you have installed NPS, you can manage the local NPS server by using the NPS console. The NPS console is opened in the Administrative Tools folder of the Start menu. NPS MMC snap-in You can manage a local NPS server and one or more remote NPS servers from the NPS Microsoft Management Console (MMC) snap-in on the local NPS server. The MMC is opened by typing MMC in the Run dialog box that is opened on the Start menu. After the MMC is open you can add the NPS snap-in to the console. Netsh commands for NPS You can use commands in the Netsh Network Policy Server (NPS) context to configure all aspects of NPS. The Netsh commands for NPS provide the same functionality as the NPS console, and the commands can be run manually at the Netsh command prompt or automatically in scripts and batch files. The Netsh commands for Network Policy Server are available in HTML format in the Network Shell (Netsh) Technical Reference in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110825. In addition, you can download the Network Shell (Netsh) Technical Reference in Windows Help format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=113659. 205 Network Monitor Network Monitor is a protocol analyzer that allows you to capture, view, and analyze network traffic. The Network Monitor tool can be used to capture the Remote Authentication Dial-In User Service (RADIUS) messages being sent and received for detailed analysis. To view RADIUS messages, configure Network Monitor with a display filter to display only RADIUS messages by disabling all protocols except the RADIUS protocol. Download Microsoft Network Monitor 3.1 from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkID=94770. NPS API sets NPS includes two application programming interface (API) sets: NPS Extensions API and Server Data Objects (SDO) API. Both NPS Extensions API and SDO API are also supported by the precursor of NPS, Internet Authentication Service (IAS). NPS Extensions API can be used to extend the authentication, authorization, and accounting methods offered by NPS and previously by IAS. Server Data Objects API can be used to manipulate the network policy configuration on a computer that runs NPS or IAS. For more developer information related to NPS, see the following topics on the Microsoft Developer Network (MSDN): Network Policy Server at http://go.microsoft.com/fwlink/?LinkId=119325 Extensible Authentication Protocol at http://go.microsoft.com/fwlink/?LinkId=119326 Extensible Authentication Protocol Host at http://go.microsoft.com/fwlink/?LinkId=119329 MS-CHAP Password Management API at http://go.microsoft.com/fwlink/?LinkId=119330 Network Access Protection at http://go.microsoft.com/fwlink/?LinkId=119332 NPS Settings The following sections provide information about Network Policy Server (NPS) features and settings. In this section NPS Server Registration in Active Directory NPS Ports NPS Firewall Settings NPS Message-Authenticator Attribute NPS Shared Secrets NPS Reason Codes 206 NPS Registry Entries NPS Server Registration in Active Directory To enable Network Policy Server (NPS) to read user account information in Active Directory Domain Services (AD DS) during the authentication and authorization processes, you must register the server running NPS in AD DS. The NPS server is registered in AD DS when it is added as a member of the RAS and IAS Servers security group. You can add the NPS server to this AD DS group in the local domain using the Register server in Active Directory command on the Action menu of the NPS console or NPS Microsoft Management Console (MMC) snap-in. Note You can also add the NPS server to the RAS and IAS Servers security group by using the netsh nps add registeredserver command. To add the NPS server to the RAS and IAS Servers security group in a remote domain or forest, open the Active Directory Users and Computers MMC snap-in, browse to the security group, and then add the NPS server as a member. NPS Ports By default, Network Policy Server (NPS) listens for Remote Authentication Dial-In User Service (RADIUS) traffic on the following User Datagram Protocol (UDP) ports. RADIUS Traffic Type UDP Port Authentication traffic 1812 Accounting traffic 1813 Authentication traffic 1645 Accounting traffic 1646 Note By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters. If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall of the local computer to allow RADIUS traffic on the new ports. 207 Connecting to a remote SQL server When you configure NPS to log accounting information to a database on a remote SQL Server, you must also create a firewall exception on the SQL Server to allow the incoming connection from the NPS server. By default, SQL Server listens for incoming connections on TCP port 1433. For more information, see INF: TCP Ports Needed for Communication to SQL Server Through a Firewall. NPS Firewall Settings Firewalls can be configured to allow or block types of IP traffic to and from the computer or device on which the firewall is running. If firewalls are not properly configured to allow Remote Authentication Dial-In User Service (RADIUS) traffic between RADIUS clients, RADIUS proxies, and RADIUS servers, network access authentication can fail, preventing users from accessing network resources. Two types of firewalls might need to be configured to allow RADIUS traffic: Windows Firewall with Advanced Security (WFAS) on the local server running Network Policy Server (NPS). Firewalls running on other computers or hardware devices. WFAS on the local NPS server By default, NPS sends and receives RADIUS traffic over User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646, and WFAS on the NPS server is automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received. Therefore, if you are using the default UDP ports, you do not need to change the WFAS configuration to allow RADIUS traffic to and from NPS servers. In some cases, you might want to change the ports that NPS uses for RADIUS traffic. If you configure NPS and your network access servers (NASs) to send and receive RADIUS traffic on ports other than the defaults, you must do the following: Remove the exceptions that allow RADIUS traffic through the default ports. Create new exceptions that allow RADIUS traffic through the new ports. Other firewalls In the most common configuration, the firewall is connected to the Internet and the NPS server is an intranet resource that is connected to the perimeter network. To reach the domain controller within the intranet, the NPS server might have: An interface on the perimeter network and an interface on the intranet (IP routing is not enabled). 208 A single interface on the perimeter network. In this configuration, NPS communicates with intranet domain controllers through another firewall that connects the perimeter network to the intranet. Configuring the Internet firewall The firewall that is connected to the Internet must be configured with input and output filters on its Internet interface (and, optionally, on its network perimeter interface), to allow the forwarding of RADIUS messages between the NPS server and RADIUS clients or proxies on the Internet. Additional filters can be used to allow the passing of traffic to Web servers, virtual private network (VPN) servers, and other types of servers on the perimeter network. Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface. Filters on the Internet interface Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic: Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server. This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812. Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server. This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813. (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server. This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients. (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server. This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients. Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic: Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server. 209 This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812. Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server. This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813. (Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server. This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients. (Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server. This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients. Filters on the perimeter network interface Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic: Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server. This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812. Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server. This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813. (Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server. This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients. (Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server. This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients. 210 Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic: Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server. This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812. Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server. This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813. (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server. This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients. (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server. This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients. For added security, you can use the IP addresses of each RADIUS client that sends the packets through the firewall to define filters for traffic between the client and the IP address of the NPS server on the perimeter network. Configuring the intranet firewall The firewall that is connected to the intranet must be configured with input and output filters on its perimeter network interface (and, optionally, on its intranet interface), to allow the forwarding of RADIUS messages between the NPS server on the perimeter network and domain controllers on the intranet. Additional filters can allow the passing of traffic to Web, VPN, and other types of servers on the perimeter network. Separate input and output packet filters can be configured on the perimeter network interface and the intranet interface. Filters on the perimeter network interface Configure the following input packet filters on the perimeter network interface of the intranet firewall to allow the following types of traffic: Source IP address of the perimeter network interface of the NPS server. This filter allows traffic from the NPS server on the perimeter network. 211 Configure the following output filters on the perimeter network interface of the intranet firewall to allow the following types of traffic: Destination IP address of the perimeter network interface of the NPS server. This filter allows traffic to the NPS server on the perimeter network. Filters on the intranet interface Configure the following input filters on the intranet interface of the firewall to allow the following types of traffic: Destination IP address of the perimeter network interface of the NPS server. This filter allows traffic to the NPS server on the perimeter network. Configure the following output packet filters on the intranet interface of the firewall to allow the following types of traffic: Source IP address of the perimeter network interface of the NPS server. This filter allows traffic from the NPS server on the perimeter network. NPS Message-Authenticator Attribute When you add one or more Remote Authentication Dial-In User Service (RADIUS) clients in the NPS Microsoft Management Console (MMC) snap-in, you configure the IP address of one RADIUS client or, if you are using Windows Server 2008 Enterprise or Windows Server 2008 Datacenter, you configure multiple RADIUS clients using an IP address range. If an incoming RADIUS Access-Request message does not originate from an IP address of a configured RADIUS client, Network Policy Servre (NPS) automatically discards the message, providing protection for a server running NPS. However, source IP addresses can be spoofed (substituted with other IP addresses) by malicious users. To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the RADIUS MessageAuthenticator attribute, which is described in RFC 2869, “RADIUS Extensions.” Key facts about the Message-Authenticator attribute: The RADIUS Message-Authenticator attribute is a Message Digest 5 (MD5) hash of the entire RADIUS message. The shared secret configured on the NPS server and the RADIUS client is used as the key. If the RADIUS Message-Authenticator attribute is present, it is verified by NPS. If the AccessRequest message fails verification, the message is discarded by the NPS server. If the RADIUS client settings require the Message-Authenticator attribute and it is not present, the RADIUS message is discarded. 212 Note With NPS in Windows Server 2008, all Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) authentication methods use the Message-Authenticator attribute by default. For more information, see Incoming RADIUS Message Validation and NPS Shared Secrets. NPS Shared Secrets A shared secret is a text string that serves as a password between: A Remote Authentication Dial-In User Service (RADIUS) client and RADIUS server. A RADIUS client and a RADIUS proxy. A RADIUS proxy and a RADIUS server. Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server. Shared secrets are used to verify that RADIUS messages, with the exception of the AccessRequest message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. To provide verification for Access-Request messages, you can enable use of the RADIUS Message-Authenticator attribute for both the RADIUS client configured on the server running NPS and the network access server (NAS). When creating and using a shared secret: Use the same case-sensitive shared secret on both RADIUS devices. If you specify RADIUS clients by using an IP address range, all RADIUS clients within the address range must use the same shared secret. Use a different shared secret for each RADIUS server-RADIUS client pair. Generate a random sequence at least 22 characters long. Use any standard alphanumeric and special characters. Make the shared secret up to 128 characters in length. To protect your NPS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters). 213 Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your NPS server and your RADIUS clients from dictionary attacks. Make sure your shared secrets contain characters from each of the following three groups: Group Examples Letters (uppercase and lowercase) A, B, C and a, b, c Numerals 0, 1, 2, 3 Symbols (all characters not defined as letters or Exclamation point (!), asterisk (*), colon (:) numerals) The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9jq4rV)H7%a3-zM13sW. Note When Password Authentication Protocol (PAP) is used between an access client and an access server (a RADIUS client), the access server encrypts the PAP password by using the shared secret and sends it in an Access-Request packet. If the access server sends the Access-Request message to a RADIUS proxy, the RADIUS proxy must first decrypt the PAP password with the shared secret that was used between the RADIUS proxy and the access server. Next, it encrypts the PAP password by using the shared secret that was used between the RADIUS proxy and the RADIUS server before forwarding the Access-Request message. Because a malicious user or process at a RADIUS proxy can record user names and passwords for PAP connections after they are decrypted but before they are encrypted, the use of PAP is highly discouraged. NPS Reason Codes When Network Policy Server (NPS) writes an event to either the security or system event log, the event can contain a reason code. Reason codes provide specific information about the cause for the event being written to the log. The following sections provide information about NPS reason codes. In this section NPS Reason Codes 0 Through 37 NPS Reason Codes 38 Through 257 NPS Reason Codes 258 Through 282 NPS Reason Codes 283 Through 303 214 NPS Reason Codes 0 Through 37 Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning. Note There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47. Following are some of the reason codes provided by NPS. Reason Code Description 0 The connection request was successfully authenticated and authorized by Network Policy Server. 1 The connection request failed due to a Network Policy Server error. 2 There are insufficient access rights to process the request. 3 The Remote Authentication Dial-In User Service (RADIUS) Access-Request message that NPS received from the network access server was malformed. 4 The NPS server was unable to access the Active Directory Domain Services (AD DS) global catalog. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied. 5 The Network Policy Server was unable to connect to a domain controller in the domain where the user account is located. Because of this, authentication and authorization for the connection request cannot be performed, and access is denied. 6 The NPS server is unavailable. This issue can occur if the NPS server is running low on or is out of random access memory (RAM). It can also occur if the NPS server fails to receive the 215 Reason Code Description name of a domain controller, if there is a problem with the Security Accounts Manager (SAM) database on the local computer, or in circumstances where there is a Windows NT directory service (NTDS) failure. 7 The domain that is specified in the User-Name attribute of the RADIUS message does not exist. 8 The user account that is specified in the UserName attribute of the RADIUS message does not exist. 9 An Internet Authentication Service (IAS) extension dynamic link library (DLL) that is installed on the NPS server discarded the connection request. 10 An IAS extension dynamic link library (DLL) that is installed on the NPS server has failed and cannot perform its function. 16 Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect. 17 The user's attempt to change their password has failed. 18 The authentication method used by the client computer is not supported by Network Policy Server for this connection. 19 Challenge Handshake Authentication Protocol (CHAP) is being used as the authentication method for the connection request, however CHAP is not configured to store a reversibly encrypted form of user passwords. With CHAP, reversibly encrypted password storage is required. You can enable reversibly encrypted password storage per user account or for all accounts in a domain using Group Policy. To enable reversibly encrypted password storage for a user account, obtain the 216 Reason Code Description properties of a user account in AD DS, click the Account tab, and then select the Store password using reversible encryption check box. To allow reversibly encrypted password storage for all user accounts in the domain, add the Group Policy Management Editor snap-in to the Microsoft Management Console (MMC) and enable the default domain policy setting Store password using reversible encryption at the following path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policies. 20 The client attempted to use LAN Manager authentication, which is not supported by Network Policy Server. To enable the use of LAN Manager authentication, see NPS: LAN Manager Authentication. 21 An IAS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request. 22 Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer. 23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors. By default, these log files are located at %windir%\System32\Logfiles. 32 NPS is joined to a workgroup and performs the authentication and authorization of connection requests using the local Security Accounts Manager database, however the AccessRequest message contains a domain user name. NPS does not have access to a domain user accounts database. The connection request was denied. 33 The user that is attempting to connect to the 217 Reason Code Description network must change their password. 34 The user account that is specified in the RADIUS Access-Request message is disabled. 35 The user account that is specified in the RADIUS Access-Request message is expired. 36 The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the Account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, obtain the user account properties in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, click the Account tab, and then click Unlock account. 37 According to AD DS user account logon hours, the user is not permitted to access the network on this day and time. To change the account logon hours, obtain the user account properties in the Active Directory Users and Computers snap-in, click the Account tab, and then click Logon Hours. In the Logon Hours dialog box, configure the days and times when the user is permitted to access the network. NPS Reason Codes 38 Through 257 Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning. Note There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47. Following are some of the reason codes provided by NPS. 218 Reas Description on code 38 Authentication failed due to a user account restriction or requirement that was not followed. For example, the user account settings might require the use of a password but the user attempted to log on with a blank password. To resolve this issue, check the user account properties for restrictions, and then either remove or modify the restrictions or inform the user of the requirements for network access. 48 The connection request did not match a configured network policy, so the connection request was denied by Network Policy Server. 49 The connection request did not match a configured connection request policy, so the connection request was denied by Network Policy Server. 64 Remote Access Account Lockout is enabled, and the user's authentication attempts have exceeded the designated lockout count because the credentials they supplied (user name and password) are not valid. When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted. To manually reset a user account that has been locked out before the failed attempts counter is automatically reset, delete the following registry subkey that corresponds to the user's account name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Para meters\AccountLockout\domain name:user name 65 The Network Access Permission setting in the dial-in properties of the user account is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, click the Dial-in tab, and then change Network Access Permission. 66 Authentication failed. Either the client computer attempted to use an authentication method that is not enabled on the matching network policy or the client computer attempted to authenticate as Guest, but guest authentication is not enabled. To resolve this issue, ensure that all client computers are configured to use one or more authentication methods that are allowed by matching network policies. 67 NPS denied the connection request because the value of the Calling-Station-ID attribute in the Access-Request message did not match the value of Verify Caller ID in user account dial-in properties in the Active Directory Users and Computers snap-in. 68 The user or computer does not have permission to access the network on this day at this time. To change the day and time when the user is permitted to connect to the network, change the Day and Time Restrictions in the constraints of the matching network policy. For more information, see Constraints Properties. 219 Reas Description on code 69 The telephone number of the network access server does not match the value of the Calling-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request message. 70 The network access method used by the access client to connect to the network does not match the value of the NAS-Port-Type attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request message. 72 The user password has expired or is about to expire and the user must change their password, however Authentication Methods in network policy constraints are not configured to allow the user to change their password. To allow the user to change their password, open the properties of the matching network policy, click the Constraints tab, click Authentication Methods, and then in the details pane select the appropriate authentication method and User can change password after it has expired check box. 73 The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. To correct this problem, you must reconfigure the certificate template with the Client Authentication purpose in Application Policies extensions, revoke the old certificate, and enroll a new certificate that is configured correctly. For more information, see Foundation Network Companion Guide: Deploying Computer and User Certificates at http://go.microsoft.com/fwlink/?LinkId=113884. 80 NPS attempted to write accounting data to the data store (a log file on the local computer or a SQL Server database), but failed to do so for unknown reasons. 96 Authentication failed due to an Extensible Authentication Protocol (EAP) session timeout; the EAP session with the access client was incomplete. 97 The authentication request was not processed because it contained a Remote Authentication Dial-In User Service (RADIUS) message that was not appropriate for the secure authentication transaction. 112 The local NPS proxy server forwarded a connection request to a remote RADIUS server, and the remote server rejected the connection request. Check the event log on the remote RADIUS server to determine the reason that the connection request was rejected. 113 The local NPS proxy attempted to forward a connection request to a member of a remote RADIUS server group that does not exist. To resolve this issue, configure a valid remote 220 Reas Description on code RADIUS server group. 115 The local NPS proxy did not forward a RADIUS message because it is not an accounting request or a connection request. 116 The local NPS proxy server cannot forward the connection request to the remote RADIUS server because either the proxy cannot open a Windows socket over which to send the connection request, or the proxy server attempted to send the connection request but received Windows sockets errors that prevented successful completion of the send operation. 117 The remote RADIUS server did not respond to the local NPS proxy within an acceptable time period. Verify that the remote RADIUS server is available and functioning properly. 118 The local NPS proxy server received a RADIUS message that is malformed from a remote RADIUS server, and the message is unreadable. This issue can also be caused if a connection request contains more than the expected number of User-Name attributes, or if the User-Name attribute value is not valid, such as if the value has zero length or if it contains characters that are not valid. 256 The certificate provided by the user or computer as proof of their identity is a revoked certificate. Because of this, the user or computer was not authenticated, and NPS rejected the connection request. 257 Due to a missing dynamic link library (DLL) or exported function, NPS cannot access the certificate revocation list to verify whether the user or client computer certificate is valid or is revoked. NPS Reason Codes 258 Through 282 Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning. Note There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47. Following are some of the reason codes provided by NPS. 221 Reason code Description 258 NPS cannot access the certificate revocation list to verify whether the user or client computer certificate is valid or is revoked. Because of this, authentication failed. 259 The certification authority that manages the certificate revocation list is not available. NPS cannot verify whether the certificate is valid or is revoked. Because of this, authentication failed. 260 The Extensible Authentication Protocol (EAP) message has been altered so that the Message Digest 5 (MD5) hash of the entire Remote Authentication Dial-In User Service (RADIUS) message does not match, or the message has been altered at the Schannel level. 261 NPS cannot contact Active Directory Domain Services (AD DS) or the local user accounts database to perform authentication and authorization. The connection request is denied for this reason. 262 NPS discarded the RADIUS message because it is incomplete and the signature was not verified. 263 NPS did not receive complete credentials from the user or computer. The connection request is denied for this reason. 264 The Security Support Provider Interface (SSPI) called by EAP reports that the system clocks on the NPS server and the access client are not synchronized. 265 The certificate that the user or client computer provided to NPS as proof of identity chains to an enterprise root certification authority that is not trusted by the NPS server. 266 NPS received a message that was either unexpected or incorrectly formatted. NPS discarded the message for this reason. 222 Reason code Description 267 The certificate provided by the connecting user or computer is not valid because it is not configured with the Client Authentication purpose in Application Policies or Enhanced Key Usage (EKU) extensions. NPS rejected the connection request for this reason. 268 The certificate provided by the connecting user or computer is expired. NPS rejected the connection request for this reason. 269 The Security Support Provider Interface (SSPI) called by EAP reports that the NPS server and the access client cannot communicate because they do not possess a common algorithm. 270 Based on the matching NPS network policy, the user is required to log on with a smart card, but they have attempted to log on by using other credentials. NPS rejected the connection request for this reason. 271 The connection request was not processed because the NPS server was in the process of shutting down or restarting when it received the request. 272 The certificate that the user or client computer provided to NPS as proof of identity maps to multiple user or computer accounts rather than one account. NPS rejected the connection request for this reason. 273 Authentication failed. NPS called Windows Trust Verification Services, and the trust provider is not recognized on this computer. A trust provider is a software module that implements the algorithm for applicationspecific policies regarding trust. 274 Authentication failed. NPS called Windows Trust Verification Services, and the trust provider does not support the specified action. Each trust provider provides its own unique set of action identifiers. For information about the 223 Reason code Description action identifiers supported by a trust provider, see the documentation for that trust provider. 275 Authentication failed. NPS called Windows Trust Verification Services, and the trust provider does not support the specified form. A trust provider is a software module that implements the algorithm for applicationspecific policies regarding trust. Trust providers support subject forms that describe where the trust information is located and what trust actions to take regarding the subject. 276 Authentication failed. NPS called Windows Trust Verification Services, but the binary file that calls EAP cannot be verified and is not trusted. 277 Authentication failed. NPS called Windows Trust Verification Services, but the binary file that calls EAP is not signed, or the signer certificate cannot be found. 278 Authentication failed. The certificate that was provided by the connecting user or computer is expired. 279 Authentication failed. The certificate is not valid because the validity periods of certificates in the chain do not match. For example, the following End Certificate and Issuer Certificate validity periods do not match: End Certificate validity period: 2007-2010; Issuer Certificate validity period: 2006-2008. 280 Authentication failed. The certificate is not valid and was not issued by a valid certification authority (CA). 281 Authentication failed. The path length constraint in the certification chain has been exceeded. This constraint restricts the maximum number of CA certificates that can follow this certificate in the certificate chain. 282 Authentication failed. The certificate contains a 224 Reason code Description critical extension that is unrecognized by NPS. NPS Reason Codes 283 Through 303 Network Policy Server (NPS) provides reason codes to identify changes, problems, and status via events in Event Viewer while NPS is running. You can use the following reason code definitions to look up reason codes and clarify their meaning. Note There are intentional gaps in the numeric sequence of reason codes. For example, the reason codes 38 and 48 exist, but there are currently no reason codes that correspond to the numbers 39 through 47. Following are some of the reason codes provided by NPS. Reason code Description 283 Authentication failed. The certificate does not contain the Client Authentication purpose in Application Policies extensions, and cannot be used for authentication. 284 Authentication failed. The certificate is not valid because the certificate issuer and the parent of the certificate in the certificate chain are required to match but do not match. 285 Authentication failed. NPS cannot locate the certificate, or the certificate is incorrectly formed and is missing important information. 286 Authentication failed. The certificate provided by the connecting user or computer is issued by a certification authority (CA) that is not trusted by the NPS server. 287 Authentication failed. The certificate provided by the connecting user or computer does not chain to an enterprise root CA that NPS trusts. 288 Authentication failed due to an unspecified trust failure. 289 Authentication failed. The certificate provided 225 Reason code Description by the connecting user or computer is revoked and is not valid. 290 Authentication failed. A test or trial certificate is in use, however the test root CA is not trusted, according to local or domain policy settings. 291 Authentication failed because NPS cannot locate and access the certificate revocation list to verify whether the certificate has or has not been revoked. This issue can occur if the revocation server is not available or if the certificate revocation list cannot be located in the revocation server database. 292 Authentication failed. The value of the UserName attribute in the connection request does not match the value of the common name (CN) property in the certificate. 293 Authentication failed. The certificate provided by the connecting user or computer is not valid because it is not configured with the Client Authentication purpose in Application Policies or Enhanced Key Usage (EKU) extensions. NPS rejected the connection request for this reason. 294 Authentication failed because the certificate was explicitly marked as untrusted by the Administrator. Certificates are designated as untrusted when they are imported into the Untrusted Certificates folder in the certificate store for the Current User or Local Computer in the Certificates Microsoft Management Console (MMC) snap-in. 295 Authentication failed. The certificate provided by the connecting user or computer is issued by a CA that is not trusted by the NPS server. 296 Authentication failed. The certificate provided by the connecting user or computer is not valid because it is not configured with the Client Authentication purpose in Application Policies 226 Reason code Description or Enhanced Key Usage (EKU) extensions. NPS rejected the connection request for this reason. 297 Authentication failed. The certificate provided by the connecting user or computer is not valid because it does not have a valid name. 298 Authentication failed. Either the certificate does not contain a valid user principal name (UPN) or the value of the User-Name attribute in the connection request does not match the certificate. 299 Authentication failed. The sequence of information provided by internal components or protocols during message verification is incorrect. 300 Authentication failed. The certificate is malformed and Extensible Authentication Protocl (EAP) cannot locate credential information in the certificate. 301 NPS terminated the authentication process. NPS received a cryptobinding type length value (TLV) from the access client that is not valid. This issue occurs when an attempt to breach your network security has occurred and a manin-the-middle (MITM) attack is in progress. During MITM attacks on your network, attackers use unauthorized computers to intercept traffic between your legitimate hosts while posing as one of the legitimate hosts. The attacker's computer attempts to gain data from your other network resources. This enables the attacker to use the unauthorized computer to intercept, decrypt, and access all network traffic that would otherwise go to one of your legitimate network resources. 302 NPS terminated the authentication process. NPS did not receive a required cryptobinding type length value (TLV) from the access client 227 Reason code Description during the authentication process. NPS Registry Entries The following registry settings can be configured to customize NPS behavior under specific circumstances. Caution Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. In this section NPS: Account Lockout NPS CRL Check Registry Settings NPS: Default Domain NPS: Default User Identity NPS: LAN Manager Authentication NPS: MaxConcurrentApi NPS: Override User-Name NPS: Ping User-Name NPS: SCHANNEL NPS: User Identity Attribute NPS: Account Lockout You can use remote access account lockout to specify how many times a network access authentication attempt fails against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases. Important Remote access account lockout settings are universally applied to connection requests. When you configure remote access account lockout with a MaxDenials value other than 0, Network Policy Server (NPS) uses that lockout setting when evaluating connection 228 requests from all Remote Authentication Dial-In User Service (RADIUS) clients regardless of type. This includes connection requests from 802.1X authenticating switches and wireless access points, Terminal Services Gateway (TS Gateway) servers, and Routing and Remote Access service (RRAS) servers configured as VPN and dial-up servers. When remote access account lockout is enabled, a dictionary attack is thwarted after a specified number of failed attempts. As the network administrator, you must decide on two remote access account lockout variables: The number of failed attempts before future attempts are denied. After each failed attempt, a failed attempts counter for the user account is incremented. If the user account’s failed attempts counter reaches the configured maximum, future attempts to connect are denied. A successful authentication resets the failed attempts counter when its value is less than the configured maximum. In other words, the failed attempts counter does not accumulate beyond a successful authentication. The frequency with which the failed attempts counter is reset. The failed attempts counter is periodically reset to 0. If an account is locked out after the maximum number of failed attempts, the failed attempts counter is automatically reset to 0 after the reset time. Note If you’re using RRAS and the RRAS server is configured for Windows Authentication, modify the registry on the RRAS server. If the RRAS server is configured for RADIUS authentication, modify the registry on the NPS server. Enable the remote access account lockout feature by changing the following settings in the registry on the computer that provides authentication services for connection requests. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters To enable remote access account lockout Set the MaxDenials entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out. By default, MaxDenials is set to 0, which means that remote access account lockout is disabled. To modify the amount of time before the failed attempts counter is reset Set the ResetTime (mins) entry in the registry to the required number of minutes. 229 By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours). To manually reset a user account that has been locked out before the failed attempts counter is automatically reset Delete the following registry entry that corresponds to the user’s account name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters \AccountLockout\domain name:user name When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted. NPS CRL Check Registry Settings NPS CRL check registry settings You can use the following registry settings to change the way Network Policy Server (NPS) performs certificate revocation list (CRL) checks when EAP-TLS is used. Caution Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. All of the listed registry settings can be configured on NPS servers with the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 Important All of the following registry settings must be added as a DWORD type and have the valid values of 0 or 1. IgnoreNoRevocationCheck When set to 1, NPS allows EAP-TLS clients to connect even when NPS does not perform or cannot complete a revocation check of the certificate chain (excluding the root certificate) of the client. Typically, revocation checks fail because the certificate does not include CRL information. IgnoreNoRevocationCheck is set to 0 (disabled) by default. An EAP-TLS client cannot connect unless the server completes a revocation check of the certificate chain (including the root certificate) of the client and verifies that none of the certificates has been revoked. You can use this entry to authenticate clients when the certificate does not include CRL distribution points, such as might be the case with certificates issued by non-Microsoft certification authorities (CAs). 230 IgnoreRevocationOffline When set to 1, NPS allows EAP-TLS clients to connect even when a server that stores a CRL is not available on the network. IgnoreRevocationOffline is set to 0 by default. With this default setting, NPS does not allow clients to connect unless it can complete a revocation check of their certificate chain and verify that none of the certificates is revoked. When NPS cannot connect to a server that stores a revocation list, the certificate fails the revocation check and authentication fails. Setting IgnoreRevocationOffline to 1 prevents certificate validation failure because poor network conditions prevented NPS from successfully completing a revocation check. NoRevocationCheck When set to 1, NPS prevents EAP-TLS from performing a revocation check of the certificate of the client. The revocation check verifies that the certificate of the client and the certificates in its certificate chain have not been revoked. NoRevocationCheck is set to 0 by default. NoRootRevocationCheck When set to 1, NPS prevents EAP-TLS from performing a revocation check of the root CA certificate of the client. NoRootRevocationCheck is set to 0 by default. This entry only eliminates the revocation check of the root CA certificate of the client. A revocation check is still performed on the remainder of the certificate chain of the client. You can use this entry to authenticate clients when the certificate does not include CRL distribution points. Also, this entry can prevent certification-related delays that occur when a certificate revocation list is offline or expired. NPS: Default Domain You can use this registry setting to provide Network Policy Server (NPS) with a domain name for use during the authentication and authorization of connection requests. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Configuring the Default Domain Name While processing connection requests, NPS examines the User-Name portion of the AccessRequest message to determine whether a domain name has been specified. If a domain name is specified and NPS is configured to access the user accounts database in the designated domain, NPS proceeds with processing the connection request. 231 Note Some network access servers delete or modify the domain name as specified by the user. As a result, the network access request is authenticated against the default domain, which might not be the domain for the user account. To resolve this problem, configure your Remote Authentication Dial-In User Service (RADIUS) servers to change the user name into the correct format with the accurate domain name. When NPS cannot properly parse the domain identity from the user name attribute in the connection request or the user name does not contain a domain, NPS takes the following actions: 1. If the NPS server is not a member of a domain, NPS authenticates the user against the local Security Accounts Manager (SAM) database. 2. If the NPS server is a member of a domain, NPS checks the DefaultDomain registry entry. If a value is specified for DefaultDomain, NPS authenticates the user against the domain specified in the registry entry. 3. If the NPS server is a member of a domain and a value for the DefaultDomain registry entry is not specified, NPS authenticates the user against the domain to which the NPS server is joined. Creating the DefaultDomain Registry Key You must create the new registry key at the following path. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\B uiltIn To specify the NPS-supplied domain By default, the NPS-supplied domain name is the domain of which the NPS server is a member. You can specify a different NPS-supplied domain by browsing to the registry path in Registry Editor and then adding a new key named DefaultDomain. Next, add a new string value to DefaultDomain that is the domain name you require. NPS: Default User Identity You can use the Default User Identity registry setting to provide Network Policy Server (NPS) with a standard user account with which to perform authentication and authorization when the user name is not present in the connection request. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy 232 User identity is the means by which NPS identifies the user for the purposes of authentication and authorization. Normally, the user identity is the string value of the User-Name Remote Authentication Dial-In User Service (RADIUS) attribute. If the User-Name attribute is not present, or is present but equals null, the user identity is set to the Guest account or the account specified by the Default User Identity registry value. NPS: LAN Manager Authentication Although the use of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) or LAN Manager authentication is not recommended for security reasons, you can enable LAN Manager authentication by using this registry setting to support older Microsoft Windows operating systems on your network. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy By default, MS-CHAP for Windows Server 2008 does not support LAN Manager authentication. Although the use of MS-CHAP or LAN Manager authentication is not recommended for security reasons, you might need to deploy one or both of these authentication methods to support legacy clients. If you deploy MS-CHAP with change password capability enabled in Internet Authentication Service (IAS), you must also deploy LAN Manager authentication. To enable LAN Manager authentication If you want to enable the use of LAN Manager authentication with MS-CHAP for older Windows operating systems such as Windows NT 3.5 and Windows 95, you must set Allow LM Authentication to 1 on the authenticating server. To disable LAN Manager authentication LAN Manager authentication is disabled by default. However, if you have previously enabled it and want to disable it again, set Allow LM Authentication to 0. NPS: MaxConcurrentApi You can use this registry setting to alter the number of concurrent authentications performed between the NPS server and a domain controller when NPS is not installed on a domain controller. 233 Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters If NPS is installed on a computer other than a domain controller and NPS is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the NPS server and the domain controller. To increase concurrent authentication Add a new entry named MaxConcurrentApi to this registry key and assign to it a value from 2 through 5. NPS: Override User-Name You can use this registry setting when you deploy Routing and Remote Access service (RRAS) as a dial-up server and you want to use the calling number as the user identity. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy To always use the calling number as the user identity, set the value of the Override User-Name registry entry to 1 on the authenticating server. Note If you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can perform only Automatic Number Identification/Calling Line Identification (ANI/CLI)-based authentication. Normal authentication by using authentication protocols, such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol (EAP), is disabled. NPS: Ping User-Name Some Remote Authentication Dial-In User Service (RADIUS) clients — RADIUS proxy servers and network access servers (NASs) — periodically send artificial connection requests, known as ping requests, to servers running Network Policy Server (NPS) and other RADIUS servers in order to verify that the NPS and RADIUS servers are available. These ping requests contain a 234 fictional user name. When NPS processes these requests they are all rejected, and the event and accounting logs become filled with access reject records, making it more difficult to keep track of valid records. You can configure a Ping User-Name registry entry that specifies the fictional user name (or a user name pattern, with variables, that matches the fictional user name) that is sent by RADIUS clients. When a registry entry for Ping User-Name is configured, NPS matches the registry entry value against the user name value when it receives ping requests. In this circumstance, NPS rejects the authentication requests without processing them. NPS does not record accounting data for connection requests that contain the fictional user name in any log files, which makes the event log easier to interpret. Note The Ping User-Name registry entry is not created by default when NPS is installed. You must add Ping User-Name to the registry. You can add an entry to the registry by using Registry Editor. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters\ To add Ping User-Name to the registry When you add the Ping User-Name entry to the registry, you must supply values for Name, Type, and Data, as shown in the following table. Name Type Data Ping User-Name REG_SZ User name To indicate more than one user name for a Ping User-Name value, enter a name pattern, such as a Domain Name System (DNS) name including wildcard characters, in Data. NPS: SCHANNEL You can use this registry setting to enable the logging of client certificate validation failures, which are secure channel (Schannel) events. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. 235 Registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL Schannel is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication through encryption. Logging of client certificate validation failures is a secure channel event, and is not enabled on the NPS server by default. To enable secure channel events You can enable additional secure channel event logging by changing the registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003). Note The logging of rejected or discarded authentication events is enabled by default. NPS: User Identity Attribute When you deploy the Routing and Remote Access service (RRAS) as a dial-up server, you can use this registry setting to instruct Network Policy Server (NPS) to use the value of the CallingStation-ID attribute. which is a Remote Authentication Dial-In User Service (RADIUS) attribute, as the identity of the calling user. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry setting. You can change the value of this entry to the number of the RADIUS attribute that is used for the user identity. To assign the Calling-Station-ID attribute value, change the entry value to 31. By default, User Identity Attribute is set to 1, the RADIUS type value for the User-Name RADIUS attribute. This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when there is no user name being supplied in the connection attempt. 236 Additional NPS Resources For NPS resources in addition to this guide, see Network Policy Server in the Windows Server 2008 Technical library (http://go.microsoft.com/fwlink/?LinkId=104545). 237