NPS authentication and management

matteu31 826 Reputation points
2021-05-04T12:30:53.38+00:00

Hello,

I have a customer with the NPS role installed on DC01 and a RADIUS client + RADIUS server configured.
The RADIUS clients are wifi controllers and the RADIUS server is a Fortigate.

In his connection request policy settings I don't understand exactly how it works.
Under connection request forwarding:
-Authentication: on this server
-Management: on the Fortigate.

I understand authentication is done on the domain controller (with Active Directory, I suppose?) and logs are copied to the Fortigate.

Am I right or wrong? I don't really understand whether DC01 is a RADIUS proxy or a RADIUS server in this environment.

Thank you for your help.

Windows Server Security
7 answers

  1. matteu31 826 Reputation points
    2021-05-05T06:28:54.507+00:00

    Hello,

    Thanks for your answer.
    I suppose some people here know how this feature works and can maybe help me? I don't know where I can find an answer about a Microsoft role if it's not on the Microsoft forum :/


  2. Candy Luo 12,451 Reputation points
    2021-05-06T02:24:22.767+00:00

    Hi,

    "I understand authentication is done on the domain controller (with Active Directory, I suppose?) and logs are copied to the Fortigate. Am I right or wrong? I don't really understand whether DC01 is a RADIUS proxy or a RADIUS server in this environment."

    Yes, you are right. The Microsoft NPS server role can be installed on a domain controller or on a dedicated Windows server that is joined to the AD domain. NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.

    So, in a domain environment, when the NPS server is installed on a DC, Authentication should be "On this server" and Management should be "On the Fortigate". This is right.

    Best Regards,
    Candy



  3. matteu31 826 Reputation points
    2021-05-06T07:11:41.68+00:00

    Thank you for your answer.
    I would just like to understand: what is management for? Only for logging?

    I suppose best practice is to redirect all "security" traffic from the connection to the same device?


  4. Candy Luo 12,451 Reputation points
    2021-05-06T07:29:51.857+00:00

    In fact, to optimize NPS authentication and authorization response times and minimize network traffic, we can install NPS on a domain controller. I am not familiar with the Fortigate RADIUS server. In Windows, if you install the DC and NPS roles on the same machine, the DC is a RADIUS server as well.

    A RADIUS server can centrally configure and manage network access authentication, provide authorization for connection requests, and perform accounting of connection information (logs). It is not only for logging.

    Since your RADIUS server is the Fortigate instead of the DC, you should configure Management on your RADIUS server (Fortigate).


  5. matteu31 826 Reputation points
    2021-05-06T08:11:06.47+00:00

    I'm sorry, but I still don't understand what I would like to understand.

    What's the difference between "authentication" and "management"? I mean between both parts here:

    (screenshot: 94381-2021-05-06-10h09-43.png)

    On my client: Authentication is configured locally (DC01).
    Accounting: redirected to the Fortigate.

    I don't really understand what accounting does.

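The split the thread keeps circling back to is the one between the two RADIUS packet types a wifi controller sends: Access-Request (authentication, answered by NPS from AD DS when Authentication is "on this server") and Accounting-Request (the Start/Stop/Interim-Update session records that the "Management"/Accounting setting forwards to the Fortigate). The following is an added example written for this page, not code from NPS, Microsoft or Fortinet. It builds both packet types per RFC 2865 and RFC 2866, then applies a toy connection request policy the way NPS does: authenticate locally, forward accounting to the remote RADIUS server group. The `DIRECTORY` set is a stand-in for the AD DS lookup, the shared secret and user names are constructed, and the `policy` dictionary keys are this example's own names, not NPS identifiers.

```python
"""Toy RADIUS front end: authenticate locally, forward accounting to a remote
RADIUS server (the Fortigate in the thread). Added example, not NPS code.
Packet layouts follow RFC 2865 (authentication) and RFC 2866 (accounting)."""
import hashlib
import hmac
import struct

# Packet codes (RFC 2865 section 3, RFC 2866 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types used here (RFC 2865 section 5, RFC 2866 section 5)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

SHARED_SECRET = b"constructed-secret"   # constructed value for the example
DIRECTORY = {b"alice"}                  # constructed stand-in for the AD DS lookup


def encode_attrs(attrs):
    """Type-Length-Value encoding; integer values are 4-byte big-endian."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)
        out += struct.pack("BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(ident, attrs):
    """Access-Request normally carries a random Request Authenticator; fixed here for determinism."""
    body = encode_attrs(attrs)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(range(16)) + body


def build_accounting_request(ident, attrs, secret=SHARED_SECRET):
    """Accounting Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def parse_packet(data):
    """Return (code, id, {attr_type: value}); reject truncated or out-of-bounds TLVs."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack(">BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, attrs


def accounting_authenticator_ok(data, secret=SHARED_SECRET):
    """Verify the client really holds the shared secret before an accounting record is relayed."""
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def handle(data, policy):
    """Apply a connection request policy such as {'authentication': 'local', 'accounting': 'fortigate'}."""
    code, ident, attrs = parse_packet(data)
    if code == ACCESS_REQUEST:
        if policy["authentication"] != "local":
            return ("forward", policy["authentication"], None)
        user = attrs.get(USER_NAME)
        return ("local", ACCESS_ACCEPT if user in DIRECTORY else ACCESS_REJECT, user)
    if code == ACCOUNTING_REQUEST:
        if not accounting_authenticator_ok(data):
            return ("drop", "bad authenticator", None)
        status = ACCT_STATUS.get(struct.unpack(">I", attrs[ACCT_STATUS_TYPE])[0], "unknown")
        record = {"user": attrs.get(USER_NAME), "session": attrs.get(ACCT_SESSION_ID), "status": status}
        if ACCT_SESSION_TIME in attrs:
            record["seconds"] = struct.unpack(">I", attrs[ACCT_SESSION_TIME])[0]
        return ("forward", policy["accounting"], record)
    return ("drop", f"unexpected code {code}", None)


def demo():
    """Constructed traffic as a wifi controller (RADIUS client) would send it."""
    policy = {"authentication": "local", "accounting": "fortigate"}
    access = build_access_request(1, [(USER_NAME, b"alice")])
    start = build_accounting_request(2, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, 1), (ACCT_SESSION_ID, b"0001")])
    stop = build_accounting_request(3, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, 2),
                                        (ACCT_SESSION_ID, b"0001"), (ACCT_SESSION_TIME, 3600)])
    tampered = stop[:-1] + bytes([stop[-1] ^ 0x01])   # body altered without the secret
    return [handle(p, policy) for p in (access, start, stop, tampered)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the two paths side by side: the Access-Request is answered locally (Accept for a known user), while the accounting Start and Stop records are handed to the "fortigate" target carrying the user, session id and, on Stop, the session duration. The last case shows why an accounting forwarder should check the Request Authenticator before relaying: a packet whose body no longer matches the authenticator is dropped rather than becoming a forged entry in the Fortigate's session logs.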