The Cable Guy: The New and Improved Network Policy Server
Some major improvements to NPS in Windows Server 2008 R2 provide for much better templates and network access accounting.
There’s always room for improvement, and the Network Policy Server (NPS) has just had several. The NPS in Windows Server 2008 R2 is the Microsoft Remote Authentication Dial-In User Service (RADIUS) server and proxy. This service provides authentication, authorization, and accounting (AAA) of network access requests and acts as a Network Access Protection (NAP) health policy server. Here’s a run-down of the new NPS templates and the major accounting enhancements to the NPS.
NPS Templates
NPS templates can help reduce the cost of ownership of NPS environments by separating common RADIUS configuration elements like shared secrets and initial client settings from the configuration running on the server. The RADIUS configuration element inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is selected.
For example, you can reference a single RADIUS shared secret template for multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, all the RADIUS clients and remote RADIUS servers in which that template is selected inherit the change. Keep in mind what the shared secret does: it authenticates RADIUS messages between a client and the server and keys the obfuscation of the User-Password attribute, so every device that shares a secret is trusted equally. One compromised access point exposes the secret for every client that uses the same template, so scope shared secret templates to groups of devices with similar exposure (one vendor's access points in one site, a VPN gateway on its own) rather than using a single secret for the whole network.
You can also use NPS templates to help with configuration by temporarily selecting them. For example, create a RADIUS client template for a specific group of RADIUS clients, such as all wireless access points from a specific vendor. This template would contain common settings like vendor type or shared secret. When you create a new RADIUS client, select the RADIUS client template to obtain the common settings. When you de-select the template, the inherited settings remain and you can configure individual settings, like the RADIUS client’s IP address.
Note: Commands in the netsh nps context do not support template settings. Running a netsh nps command against a configuration element removes that element's reference to the template and sets the value specified in the command; the element no longer inherits later changes to the template.
The following types of NPS configuration elements use templates:
- RADIUS shared secret
- RADIUS clients
- Remote RADIUS servers
- IP filters
- Health policies
- Remediation server groups
You can set up templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in, as shown in Figure 1.
Figure 1 The Templates Management node in the Network Policy Server snap-in.
You can add, edit, duplicate or delete individual templates. After you’ve configured the templates, you can select and de-select them in the appropriate dialog boxes in the NPS snap-in. Figure 2 lists the different types of templates and where they’re used in the NPS snap-in.
| Template | Where it is used |
| --- | --- |
| RADIUS shared secret | When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates |
| RADIUS clients | When creating or configuring RADIUS clients |
| Remote RADIUS servers | When creating or configuring remote RADIUS server group members |
| IP filters | When configuring IP Filters settings for a network policy |
| Health policies | When creating or configuring health policies |
| Remediation server groups | When creating or configuring remediation server groups |
Figure 2 The type of templates and where you use them in the Network Policy Server snap-in.
Using the RADIUS Shared Secret Template
Templates for RADIUS shared secrets let you specify a shared secret you can reuse when configuring RADIUS clients and remote RADIUS servers in the NPS snap-in. To create and use a RADIUS shared secret template, do the following:
1. From the NPS snap-in, open the Templates Management node.
2. In the console tree, right-click Shared Secrets, then click New.
3. In Template Name, type a name for the shared secret template, and then either type the shared secret yourself or have NPS generate one. A generated secret is long and random; if you type one yourself, make it equally long and random, because the secret, together with the client's source IP address, is what NPS uses to authenticate RADIUS messages from that client.
4. Click OK to save changes.
To use the RADIUS shared secret template, configure a RADIUS client, a remote RADIUS server, or a remote RADIUS server template and specify the template name for the shared secret, rather than manually configuring a shared secret or having NPS generate one. Figure 3 shows an example.
Figure 3 Selecting a shared secrets template
To view which RADIUS clients, remote RADIUS servers and remote RADIUS server templates use a specific RADIUS shared secret template, right-click the name of the RADIUS shared secret template in the contents pane of the NPS snap-in, and then click View Usage.
Migrating and Synchronizing Templates
Because templates are independent of the running configuration of the NPS server, you can export and import them independently of that configuration, using the NPS snap-in. These operations are separate from the export and import of the NPS server configuration with the netsh nps export and netsh nps import commands. In both cases, handle the resulting file as you would the secrets it contains: a template export includes your shared secret templates, and netsh nps export includes the RADIUS shared secrets when you run it with exportPSK=YES. Keep the file on an access-controlled volume and delete it once the import is done.
To export the templates of an NPS server, right-click Templates Management in the NPS snap-in, and then click Export Templates to a File. To import templates into an NPS server, right-click Templates Management, and then click Import Templates from a File. You can use these steps to migrate the templates of one NPS server to another.
To quickly synchronize templates between NPS servers, right-click Templates Management in the NPS snap-in, and then click Import Templates from a Computer. You're prompted for the name of a remote NPS server. When you click OK, NPS imports that server's templates into the local NPS server, so that the two have the same set of templates.
The NPS snap-in for Windows Server 2008 R2 supports remote management of NPS servers. When you add the NPS snap-in to a Microsoft Management Console (MMC), you can specify the local computer or a remote computer. You can also remotely manage a Windows Server 2008 NPS server from a Windows Server 2008 R2 NPS server. When you do, however, the console tree doesn't contain the Templates Management node and the dialog boxes don't display template settings, because Windows Server 2008 doesn't support templates.
Accounting Upgrades
Windows Server 2008 R2 also includes a number of features that improve the accounting capabilities of NPS and significantly reduce its deployment cost. Among these are a number of new logging capabilities enabling correlation between SQL and file logging. There is also a new Accounting Configuration wizard. These enhancements are integrated into the Accounting node of the NPS snap-in.
To better correlate SQL and file logging configurations, Windows Server 2008 R2 includes a new file type known as DTS Compliant. The new file type is designed for easy mapping to the NPS standard SQL database using the SQL Server Data Transformation Services. You can select this new file type from the Log File tab of the Log File Properties dialog box, as shown in Figure 4.
Figure 4 Selecting the DTS Compliant local log format
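The DTS Compliant format writes each accounting event as a single XML Event element on its own line, which is what makes it straightforward to map into the SQL store and also easy to process with a script. The parser below is an added example, not code from the original column or from Microsoft: it reads such lines, converts each element according to its data_type attribute, summarizes packets by type and by RADIUS client, and flags users with repeated Access-Rejects. The element names, the data_type codes (0 integer, 1 string, 2 hex, 3 IPv4 address, 4 timestamp) and the sample log lines are the example author's assumptions about the format, not taken from this page; compare them against a line from your own log before relying on the parser.

```python
"""Parse and summarise NPS 'DTS Compliant' (XML) accounting log lines.

Added example, not from the original column or from Microsoft. The element
names and data_type codes are an assumption about the NPS XML log format;
the log lines in SAMPLE_LOG are constructed for this example.
"""
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

# RADIUS packet codes as NPS writes them in the Packet-Type element.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Constructed sample log: one <Event> element per line. Alice authenticates
# successfully from WAP01; bob is rejected twice from WAP02.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">05/01/2010 09:15:02.231</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">WAP01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">05/01/2010 09:15:02.240</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">WAP01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">05/01/2010 09:16:10.004</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.6</Client-IP-Address><Client-Friendly-Name data_type="1">WAP02</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">05/01/2010 09:16:10.020</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.6</Client-IP-Address><Client-Friendly-Name data_type="1">WAP02</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/01/2010 09:16:31.512</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.6</Client-IP-Address><Client-Friendly-Name data_type="1">WAP02</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">05/01/2010 09:16:31.530</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.6</Client-IP-Address><Client-Friendly-Name data_type="1">WAP02</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">05/01/2010 09:17:00.101</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">WAP01</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
"""


def _convert(value, data_type):
    """Convert an element's text according to its data_type attribute."""
    if data_type == "0":
        return int(value)
    if data_type == "4":
        try:
            return datetime.strptime(value, "%m/%d/%Y %H:%M:%S.%f")
        except ValueError:
            return value  # timestamps in another locale format stay as text
    return value  # strings, hex blobs and IPv4 addresses stay as text


def parse_event(line):
    """Parse one <Event> line into a dict keyed by element name."""
    root = ET.fromstring(line)
    if root.tag != "Event":
        raise ValueError("not an NPS Event element: %r" % root.tag)
    return {child.tag: _convert(child.text or "", child.get("data_type", "1"))
            for child in root}


def parse_log(text):
    """Parse a whole log; skips blank lines and fails loudly on malformed XML."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Count packets by type and by RADIUS client, and list rejects by user."""
    by_type = Counter(PACKET_TYPES.get(e.get("Packet-Type"), "Unknown") for e in events)
    by_client = Counter(e.get("Client-Friendly-Name", "?") for e in events)
    rejects = [(e.get("User-Name"), e.get("Client-Friendly-Name"), e.get("Reason-Code"))
               for e in events if e.get("Packet-Type") == 3]
    return {"by_type": dict(by_type), "by_client": dict(by_client), "rejects": rejects}


def rejects_per_user(events, threshold):
    """Users with at least `threshold` Access-Rejects: a crude guessing-attack flag."""
    counts = Counter(e.get("User-Name") for e in events if e.get("Packet-Type") == 3)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print("repeated rejects:", rejects_per_user(evs, 2))
```

Because each line is a complete XML document, a log file can be processed line by line without loading it all into memory, and a line that fails to parse (for example one cut short by a failover) raises rather than being silently skipped, which is the behaviour you want in a script that feeds an audit trail.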
NPS SQL and File Logging Correlation
These Windows Server 2008 R2 features enable accounting configurations that use both SQL and file logging:
Failover logging from SQL to a file: You can configure NPS to log to a SQL database (local or remote) and failover to a preconfigured log file if connectivity to the SQL Server is lost. Enable this feature by selecting the Enable text file logging for failover checkbox in the NPS SQL Server Logging Properties dialog box.
Parallel logging to both a file and SQL: You can configure NPS to log every accounting entry to both a SQL Server and a file. This new functionality doesn’t have any explicit configuration. You enable parallel logging by configuring both logging modes without the file logging failover.
Authentication without accounting: You can configure NPS to authenticate and authorize even when it can't log. By default, NPS discards connection requests when logging fails, so that no access is granted without an accounting record; this option reverses that so NPS keeps processing requests when its data store is unavailable.
You can enable this independently for file and SQL logging, which, combined with parallel and failover logging, gives you a range of behaviours. The setting is the If logging fails, discard connection requests checkbox in both the SQL Server Logging Properties and the Log File Properties dialog boxes. When the checkbox is selected (the default), an access request is processed only if it's logged successfully. Think before clearing it: a full disk or a lost SQL connection then becomes a way to obtain access that leaves no record. The default has its own cost, because anyone who can break logging can cause a denial of service. Configuring SQL logging with file failover, and leaving the checkbox selected, is usually the way to get both availability and a complete audit trail.
NPS Accounting Configuration Wizard
To run the new Accounting Configuration wizard, select the Accounting node and click the Configure Accounting link in the contents pane of the NPS snap-in. The wizard walks you through the full accounting configuration for common scenarios, including the settings required on a SQL Server to create the NPS standard database, table and stored procedures. Figure 5 shows the Select Accounting Options page of the Accounting Configuration wizard.
Figure 5 The new Accounting Configuration wizard
From this page, you can configure the following:
- Log to a SQL Server database: Use this option to configure NPS to log only to a SQL database, using the default NPS SQL table format and stored procedures.
- Log to a text file on the local computer: Use this option to configure NPS to log only to a text file, using the new DTS Compliant file format.
- Simultaneously log to a SQL Server database and to a local text file: Use this option to configure both SQL and file logging and enable parallel logging. SQL logging uses the default NPS SQL table format and stored procedures; file logging uses the DTS Compliant file format. You configure the information logged in each data store independently.
- Log to a SQL Server database using text file logging for failover: Use this option to configure both SQL and file logging and enable file logging only when SQL logging fails. SQL logging uses the default NPS SQL table format and stored procedures; file logging uses the DTS Compliant file format. You configure the information logged in each data store independently.
Automated SQL Database Configuration
Besides configuring NPS accounting, the new Accounting Configuration wizard also generates the required database, tables and stored procedures on an existing SQL Server. The wizard configures the SQL Server for the standard NPS data store for any option on the Select Accounting Options page that includes SQL logging. Figure 6 shows the Configure SQL Server Logging page of the Accounting Configuration wizard.
Figure 6 The Configure SQL Server Logging page
When you click Configure, NPS displays the Data Link Properties dialog box, as shown in Figure 7.
Figure 7 The Data Link Properties dialog box
After you specify a SQL Server and credentials (sections 1 and 2), select the database on that server. If you select an existing database from this list, then when the wizard completes you're prompted either to keep using the database as it is or to re-initialize it with the default NPS SQL data store configuration. Re-initializing discards the existing contents, so choose it only for a database that holds no records you still need.
You can also type a new database name into the Select the database on the server list box. In this case, the Accounting Configuration wizard creates the default NPS data store under that name on the SQL Server. The credentials you give the wizard need rights to create the database and its objects, but the credentials NPS uses afterwards to write accounting records do not: once the wizard has finished, open the SQL Server Logging Properties and point the data link at a login that can only execute the NPS logging stored procedure, rather than leaving an administrative SQL credential in the NPS configuration.
For more information about NPS in Windows Server 2008 R2, consult the following resources:
Joseph Davies is a principal technical writer on the Windows networking writing team at Microsoft. He is the author and coauthor of a number of books published by Microsoft Press, including "Windows Server 2008 Networking and Network Access Protection (NAP)," "Understanding IPv6, Second Edition" and "Windows Server 2008 TCP/IP Protocols and Services."