Microsoft Network Policy Server
The Remote Authentication Dial-In User Service (RADIUS) protocol plays a central role in user authentication in many companies. The client-server protocol is used for user and computer authentication, authorization, and accounting. RADIUS is often used in combination with access points, VPNs, and other technologies in which the protocol controls the dial-in or login to a computer network.
Network Policy Server [1] is an implementation of the RADIUS protocol for Microsoft environments. The protocol is the de facto standard for centralized authentication of dial-up connections over VPN and WiFi (IEEE 802.1X). During authentication, the service determines which user or computer wants to authenticate itself. To make sure the user or computer is who or what they claim to be, classic username and password procedures are used along with security tokens. Once the resource is uniquely identified, authorization takes over the assignment of rights and permissions. Accounting (account management) here refers to logging by the network policy server.
The RADIUS server handles authentication for the service (i.e., checking the username and password or certificates) and provides parameters for the connection to the client. The RADIUS server takes the authentication information used for this from its own configuration or determines it by querying other databases or directory services such as Active Directory (AD), in which the access credentials (e.g., username and password) are stored. In this way, all user settings can be managed centrally, regardless of the network infrastructure.
In Windows Server 2000, Microsoft implemented its own RADIUS server under the name Internet Authentication Service (IAS). Starting with Windows Server 2008, Microsoft renamed IAS to Network Policy Server (NPS). Compared with IAS, NPS has a number of additional features, the most important being:
- Network Access Protection (NAP)
- Extensible Authentication Protocol (EAP) policy support
- Improved command-line scripting with Netsh
- Extended user interface
- Configuration storage in an XML file
Microsoft describes other features in the Dev Center [2].
Original NAP Removed
One of the most promising innovations in the NPS area was Network Access Protection (NAP), which allowed administrators to create network policies, such as allowing VPN clients to access the network only after a successful check for an activated Windows firewall or the latest security updates. If the terminal device did not meet one or more requirements, access was denied or the VPN client was moved to a quarantine network where it could be updated before gaining access to the production network.
Microsoft NAP was even compatible with Network Access Control (NAC) from Cisco. Because of low market penetration and acceptance of Microsoft virtual private network (VPN) servers, Microsoft NAP never really caught on and was discontinued with Windows Server 2012 R2. Since Windows Server 2016, the feature is no longer available.
RADIUS Components
A classic RADIUS implementation consists of at least one RADIUS server that provides access and authorization rules for remote desktop gateways, VPNs, wireless networks and 802.1X, and NAPs. In Windows Server 2019, Standard and Datacenter editions now support the same maximum number of RADIUS clients and server groups.
Network Policy Server can also be configured as a RADIUS proxy. The task of such a proxy is to forward the RADIUS authentication requests, which are then processed by NPS. Even large IT environments with distributed locations can benefit from centralized implementation with RADIUS servers and proxies. Finally, RADIUS accounting is the logging function of a Microsoft NPS implementation. More on that later.
Installing NPS
Network Policy and Access Services are installed by Server Manager or at the command line. If so desired, you can also install the Role Administration Tools (Figure 1). Please note that the NPS role cannot be installed on a core server. After completing the NPS role install, NPS first needs to be registered in AD so that NPS can read the required user properties there. To register NPS in AD, right-click on NPS (Local) in the NPS Administration console and select Register Server in Active Directory.
The registration process adds the NPS computer object to the AD group RAS and IAS Servers (Remote Access Service and Internet Authentication Service servers). In an AD forest with additional domains, you need to add the NPS computer object to the RAS and IAS Servers group of the respective domain.
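The same install-and-register procedure from the command line, as an added PowerShell example that is not part of the article (the server and domain names are placeholders; the script assumes the RSAT ActiveDirectory module is available and that the account running it may modify the RAS and IAS Servers group):

```powershell
# Placeholders, not from the article: adjust to your environment.
$ExtraDomains = @('child.corp.example.com')   # additional domains in the forest
$NpsAccount   = Get-ADComputer -Identity $env:COMPUTERNAME

# NPS cannot be installed on Server Core; stop early instead of failing later.
$install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($install -eq 'Server Core') {
    throw "NPS is not supported on Server Core ($env:COMPUTERNAME is $install)."
}

# Install Network Policy and Access Services plus the management console.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}

# Register the server in the local domain (same effect as the console action
# "Register Server in Active Directory"): the computer object joins the
# RAS and IAS Servers group and NPS can read the needed user properties.
netsh ras add registeredserver | Out-Null

# Forest with several domains: register the NPS computer object in each one.
foreach ($domain in $ExtraDomains) {
    Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members $NpsAccount `
                      -Server $domain -ErrorAction Stop
}

# Verify: the NPS computer object must be a member in every domain.
foreach ($domain in @($env:USERDNSDOMAIN) + $ExtraDomains) {
    $members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Server $domain |
               Select-Object -ExpandProperty distinguishedName
    $ok = $members -contains $NpsAccount.DistinguishedName
    "{0,-30} registered: {1}" -f $domain, $ok
}
```

Group membership is read at logon, so restart the NPS service (or the server) after registration before testing a RADIUS client against it.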