What Is a Network Policy Server?

Windows Server 2008 Network Policy Server (NPS):
• RADIUS server
• RADIUS proxy
• Network Access Protection

Network Policy Server Usage Scenarios

NPS is used for the following scenarios:
• Network Access Protection
• Enforcement for IPsec traffic
• Enforcement for 802.1x wired and wireless
• Enforcement for DHCP
• Enforcement for VPN
• Secure Wired and Wireless Access
• RADIUS
• Terminal Server Gateway

Tools Used for Managing a Network Policy Server

Tools used to manage NPS include:
• Netsh command line to configure all aspects of NPS, such as:
• NPS Server Commands
• RADIUS Client Commands
• Connection Request Policy Commands
• Remote RADIUS Server Group Commands
• Network Policy Commands
• Network Access Protection Commands
• Accounting Commands
• NPS MMC Console

What Is a RADIUS Client?

• RADIUS clients are network access servers, such as:
• Wireless access points
• 802.1x authenticating switches
• VPN servers
• Dial-up servers
• NPS is a RADIUS server
• RADIUS clients send connection requests and accounting
messages to RADIUS servers for authentication, authorization, and accounting

What Is a RADIUS Proxy?

A RADIUS proxy is required for:
• Service providers offering outsourced dial-up, VPN, or wireless network access services
• Providing authentication and authorization for user accounts that are not Active Directory members
• Performing authentication and authorization using a database that is not a Windows account database
• Load-balancing connection requests among multiple RADIUS servers
A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing
• Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

What Is a Connection Request Policy?

Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients Custom Connection Request policies are required to orward the request to another proxy or RADIUS server or server group for authorization and authentication, or to specify a different server for accounting information.

Password-Based Authentication Methods

Authentication methods for an NPS server include:
• MS-CHAPv2
• MS-CHAP
• CHAP
• PAP
• Unauthenticated access

Using Certificates for Authentication

Certificate-based authentication in NPS:
• Certificate types:
• CA certificate: Verifies the trust path of other certificates
• Client computer certificate: Issued to the computer to prove its identity to NPS during authentication
• Server certificate: Issued to an NPS server to prove its identity to client computers during authentication
• User certificate: Issued to individuals to prove their identity to NPS servers for authentication
• Certificates can be obtained from public CA providers or you can host your own Active Directory certificate services
• To specify certificate-based authentication in a network policy, configure the authentication methods on the Constraints tab

…