Network Policy Server

Source: Internet
Author: User


Applies to: Windows Server R2

Network Policy Server

With Network Policy Server (NPS), you can create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, NPS can be used as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or to other RADIUS servers that you configure in remote RADIUS server groups.

NPS can centrally configure and manage network access authentication, authorization, and client health policies with the following three features:

    • RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up, and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to a log file on the local hard disk or to a Microsoft SQL Server database. For more information, see RADIUS Server.

    • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers, and which RADIUS servers to forward them to. You can also configure NPS to forward accounting data so that it is recorded by one or more computers in a remote RADIUS server group. For more information, see RADIUS Proxy.

    • Network Access Protection (NAP) policy server. When NPS is configured as a NAP policy server, NPS evaluates the statements of health (SoH) sent by NAP-capable client computers that are connecting to the network. When configured for NAP, NPS also acts as a RADIUS server and performs authentication and authorization on connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policies, and remediation server groups that allow client computers to update their configuration to become compliant with your organization's network policies. For more information, see Network Access Protection in NPS.

NPS can be configured with any combination of these features. For example, you can configure one NPS server as a NAP policy server that uses one or more enforcement methods, configure the same server as a RADIUS server for dial-up connections, and also configure it as a RADIUS proxy that forwards certain connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

Configuration

To configure NPS as a RADIUS server or NAP policy server, you can use either standard configuration or advanced configuration, in the NPS console or in Server Manager. To configure NPS as a RADIUS proxy, you must use advanced configuration.

Standard configuration

Standard configuration provides wizards that help you configure NPS for the following scenarios:

    • NAP Policy Server

    • RADIUS Server for dial-up or VPN connections

    • RADIUS Server for 802.1X wireless or wired connections

To configure NPS by using the wizard, open the NPS console, select one of the above scenarios, and then click the link to open the wizard.

Advanced Configuration

With advanced configuration, you can manually configure NPS as a RADIUS server, NAP policy server, or RADIUS proxy. Some wizards are provided to help you with policy and NAP configuration, but these wizards are opened from the NPS folder tree in the NPS console, not from the Getting Started section of the console details pane.

To configure NPS by using Advanced Configuration, open the NPS console, and then click the arrow next to Advanced Configuration to expand the section.

The following advanced configuration items are available.

Configuring the RADIUS Server

To configure NPS as a RADIUS server, you must configure RADIUS clients, network policies, and RADIUS accounting.

The following Help sections provide the information you need to deploy NPS as a RADIUS server:

    • RADIUS Server

    • Network Policy

    • RADIUS Client

    • RADIUS Accounting

Configuring the NAP Policy Server

To deploy NAP, you must configure NAP components in addition to RADIUS clients and network policies.

The following Help sections provide the information that is required to deploy NPS as a NAP policy server:

    • Network Access Protection in NPS

    • Network Policy

    • Health Policy

    • Connection Request Policy

    • RADIUS Client

Configuring the RADIUS Proxy

To configure NPS as a RADIUS proxy, you must configure RADIUS clients, remote RADIUS server groups, and connection request policies.

The following Help sections provide the information that is required to deploy NPS as a RADIUS proxy:

    • RADIUS Proxy

    • RADIUS Client

    • Connection Request Processing

    • Remote RADIUS Server Group
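
The three items this section names (RADIUS clients, a remote RADIUS server group, and connection request policies) fit together as in the following simplified Python model. It is an added example, not NPS code or part of the original page. It assumes ordered, first-match policies keyed on a User-Name pattern, and every name, realm and address in it is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    user_name_pattern: str      # regex tested against the User-Name attribute
    forward_to: Optional[str]   # remote RADIUS server group; None = authenticate locally

# Constructed sample configuration (hypothetical names and addresses).
RADIUS_CLIENTS = {"10.0.0.10": "vpn-gw-01", "10.0.0.20": "wlan-ap-01"}
REMOTE_GROUPS = {"PartnerRadius": ["radius1.partner.example", "radius2.partner.example"]}
POLICIES = [  # evaluated top to bottom; the first match decides
    ConnectionRequestPolicy("Partner realm", r"@partner\.example$", "PartnerRadius"),
    ConnectionRequestPolicy("Local users", r".*", None),
]

def route_request(source_ip, user_name, policies=POLICIES):
    """Return (action, target_group, policy_name) for one connection request."""
    if source_ip not in RADIUS_CLIENTS:
        # Sender is not a configured RADIUS client: the model drops the request.
        return ("discard", None, None)
    for policy in policies:
        if re.search(policy.user_name_pattern, user_name, re.IGNORECASE):
            if policy.forward_to is None:
                return ("authenticate-locally", None, policy.name)
            if policy.forward_to not in REMOTE_GROUPS:
                # Policy points at a group that does not exist: fail closed.
                return ("reject", None, policy.name)
            return ("forward", policy.forward_to, policy.name)
    return ("reject", None, None)

def shadowed_policies(policies=POLICIES):
    """List policies that can never match because a catch-all precedes them."""
    shadowed, catch_all_seen = [], False
    for policy in policies:
        if catch_all_seen:
            shadowed.append(policy.name)
        if policy.user_name_pattern in (".*", "^.*$"):
            catch_all_seen = True
    return shadowed
```

Running `shadowed_policies` on a reordered list shows the ordering mistake to watch for: a catch-all policy placed first makes the server authenticate partner-realm requests locally instead of forwarding them.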

NPS Log Records

NPS logging is also known as RADIUS accounting. NPS logging can be configured to your requirements regardless of whether NPS is used as a RADIUS server, proxy, NAP policy server, or any combination of these three configurations.

To configure NPS logging, you must configure the events that you want to log and view by using Event Viewer, and then determine the additional information that you want to log. In addition, you must decide whether to log user authentication and accounting information to a text log file stored on the local computer or to a SQL Server database on the local computer or a remote computer.

The following Help sections provide the information that is required to deploy RADIUS accounting:

    • Configure log file properties

    • Configuring SQL Server Logging in NPS
