Network Policy Server Overview
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.
RADIUS server and proxy
NPS can be used as a RADIUS server, a RADIUS proxy, or both.
NPS is the Microsoft implementation of the RADIUS standard specified by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and virtual private network (VPN) remote access, and router-to-router connections.
NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote Access service, which is available in Microsoft Windows 2000, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
When a server running NPS is a member of an Active Directory® Domain Services (AD DS) domain, NPS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an AD DS domain.
Internet service providers (ISPs) and organizations that maintain network access have the increased challenge of managing all types of network access from a single point of administration, regardless of the type of network access equipment used. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. RADIUS is a client-server protocol that enables network access equipment (used as RADIUS clients) to submit authentication and accounting requests to a RADIUS server.
A RADIUS server has access to user account information and can check network access authentication credentials. If user credentials are authenticated and the connection attempt is authorized, the RADIUS server authorizes user access on the basis of specified conditions, and then logs the network access connection in an accounting log. The use of RADIUS allows the network access user authentication, authorization, and accounting data to be collected and maintained in a central location, rather than on each access server.
For more information, see RADIUS Server.
As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers.
With NPS, organizations can also outsource remote access infrastructure to a service provider while retaining control over user authentication, authorization, and accounting.
NPS configurations can be created for the following scenarios:
Organization dial-up or virtual private network (VPN) remote access
Outsourced dial-up or wireless access
Authenticated access to extranet resources for business partners
For more information, see RADIUS Proxy.
RADIUS server and RADIUS proxy configuration examples
The following configuration examples demonstrate how you can configure NPS as a RADIUS server and a RADIUS proxy.
NPS as a RADIUS server . In this example, NPS is configured as a RADIUS server, the default connection request policy is the only configured policy, and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains.
NPS as a RADIUS proxy . In this example, the NPS server is configured as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two untrusted domains. The default connection request policy is deleted, and two new connection request policies are created to forward requests to each of the two untrusted domains. In this example, NPS does not process any connection requests on the local server.
NPS as both RADIUS server and RADIUS proxy . In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the Proxy policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded.
NPS as a RADIUS server with remote accounting servers . In this example, the local NPS server is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS server or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS server performs these functions for the local domain and all trusted domains.
NPS with remote RADIUS to Windows user mapping . In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. (In addition, a user account must be created locally on the RADIUS server that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)
NAP policy server
NAP is included in Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server® 2008 R2, and helps protect access to private networks by ensuring that client computers are configured in accordance with organization network health policies before they are allowed to connect to network resources. In addition, client computer compliance with health policy is monitored by NAP while the computer is connected to the network. By using NAP autoremediation, noncompliant computers can be automatically updated to bring them into compliance with health policy so that they can connect to the network.
System administrators define network health policies and create these policies by using NAP components that are provided in NPS and, depending on your NAP deployment, by other companies.
Health policies can include such things as software requirements, security update requirements, and required configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access.
For more information, see Network Access Protection in NPS.