Verify NPS Configuration
Applies To: Windows Server 2008, Windows Server 2012
Network Policy Server (NPS) is the central server used with all Network Access Protection (NAP) enforcement methods to evaluate NAP client access requests. Network health requirements are defined on NPS using policies that grant or restrict access of NAP client computers based on their health. A server running NPS that hosts these NAP policies is called a NAP health policy server. Depending on your deployment, you may have one or more NAP health policy servers on your network. Conditions and settings used by a NAP health policy server to define and enforce network health requirements include: RADIUS clients, connection request policies, network policies, health policies, and system health validators (SHVs).
When you install Health Registration Authority (HRA), NPS is installed on the same computer automatically. If you have deployed more than one HRA, and prefer to centralize policy evaluation by placing your NAP health policies on another computer, you must configure the local NPS server as a RADIUS proxy. When you use NPS as a RADIUS proxy, connection request policy is configured to tell the local NPS server to forward network access requests to remote RADIUS server groups for evaluation.
For more information about NPS, see https://go.microsoft.com/fwlink/?LinkId=94389.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.
Verify NAP health policy server configuration
Use the following procedures as a general guide for verifying the configuration of the local NPS as a NAP health policy server. If the local HRA server is configured as a RADIUS proxy, see Verify NPS proxy configuration.
RADIUS clients
If you have configured remote HRA servers as RADIUS proxies to forward connection requests to the local NPS for evaluation, then the local NPS must have a corresponding RADIUS client entry for each remote HRA server. NAP with IPsec enforcement does not require RADIUS clients if all HRA servers are also NAP health policy servers. If you are using HRA servers on your network that have NPS configured as a RADIUS proxy, use the following procedure to verify that RADIUS clients are configured correctly on the local NPS server so that it can process client connection requests received by remote HRA servers.
To verify RADIUS clients
Click Start, click Run, type nps.msc, and then press ENTER.
In the NPS console tree, double-click RADIUS Clients and Servers, and then click RADIUS Clients.
In the details pane, double-click the friendly name of a RADIUS client corresponding to an HRA server on your network with NPS installed and configured as a RADIUS proxy. If no RADIUS client entry is present, use the following procedure to create a new RADIUS client. This procedure applies only if you have remote HRA servers configured to forward connection requests to the local NPS.
Right-click RADIUS Clients, and then click New RADIUS Client.
Under Friendly name, type a name for the RADIUS client, for example HRA-1.
Under Address (IP or DNS) enter the IP address or DNS name of the remote HRA server, click Verify, and then click Resolve.
Confirm that the IP address displayed corresponds to the correct remote HRA server, and then click OK.
Under Shared secret and Confirm shared secret, type the secret that is configured in remote RADIUS server group settings on the remote HRA server.
If the remote HRA server has enabled the message authenticator attribute in its remote RADIUS server group configuration settings, then select the Access-Request messages must contain the Message-Authenticator attribute check box. If this option is not enabled on the remote HRA, then verify that this check box is cleared. Enabling the attribute on both sides is recommended: it is an HMAC over the whole Access-Request keyed with the shared secret, so NPS can discard requests that were not produced by a sender holding the secret, and the two settings must agree or every request from that HRA is dropped.
Select the RADIUS client is NAP-capable check box, and then click OK.
Resume the current procedure to validate configuration of the new RADIUS client.
In the Properties window, verify that the Enable this RADIUS client check box is selected.
Verify that the RADIUS client is NAP-capable check box is selected.
If the remote HRA server is configured to require that access requests contain the message authenticator attribute, then verify that the Access-Request messages must contain the Message-Authenticator attribute check box is selected. Otherwise, verify that this check box is cleared.
Next to Vendor name, verify that RADIUS Standard is selected.
Under Address (IP or DNS), confirm that the DNS name or IP address listed corresponds to the correct remote HRA server, and then click Verify.
In the Verify Client dialog box, click Resolve.
Under IP address, confirm that the IP address listed corresponds to an HRA server that has been configured to forward requests to the local NPS, and that the local NPS has network connectivity to this IP address.
Click OK. If a shared secret mismatch is suspected, type the secret next to Shared Secret and Confirm shared secret, and then click OK.
Repeat this procedure for each HRA on your network that is configured to forward connection requests to the local NPS for processing.
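The steps above can be repeated for every HRA by script. The following PowerShell is an added example, not code from the original page or from Microsoft: it resolves each remote HRA, creates a NAP-capable RADIUS client entry for any HRA that has none, and reports entries whose settings differ from what this procedure requires. It needs the NPS PowerShell module that ships with Windows Server 2012 (Get-NpsRadiusClient, New-NpsRadiusClient); the HRA names and addresses are assumptions, as are the property names on the objects Get-NpsRadiusClient returns, which are taken to match the cmdlet's parameter names.

```powershell
# Added example (not part of the original page). Requires the Windows Server 2012
# NPS module; run in an elevated session on the NAP health policy server.
# HRA names/addresses below are assumptions; replace them with your own.
Import-Module NPS

$hraProxies = @(
    @{ Name = 'HRA-1'; Address = 'hra1.corp.example.com' },
    @{ Name = 'HRA-2'; Address = 'hra2.corp.example.com' }
)

# Must mirror the Message-Authenticator setting of the remote RADIUS server
# group on each HRA; a mismatch makes NPS drop every request from that HRA.
$requireMessageAuthenticator = $true

# Read the shared secret once, without echoing it. It must equal the secret in
# the remote RADIUS server group on the HRAs.
$secure = Read-Host -AsSecureString -Prompt 'RADIUS shared secret configured on the HRAs'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$existing = @(Get-NpsRadiusClient)

foreach ($hra in $hraProxies) {
    # Same check as Verify -> Resolve in the console: the name must resolve.
    try {
        $ip = @(Resolve-DnsName -Name $hra.Address -Type A -ErrorAction Stop)[0].IPAddress
    } catch {
        Write-Warning "$($hra.Address) does not resolve; skipping $($hra.Name)"
        continue
    }

    $client = $existing | Where-Object { $_.Address -eq $hra.Address -or $_.Address -eq $ip }
    if (-not $client) {
        Write-Host "Creating RADIUS client $($hra.Name) for $($hra.Address) ($ip)"
        New-NpsRadiusClient -Name $hra.Name -Address $hra.Address -SharedSecret $secret `
            -NapCompatible $true -AuthAttributeRequired $requireMessageAuthenticator `
            -VendorName 'RADIUS Standard' | Out-Null
        continue
    }

    # Entry exists: report every property that deviates from the procedure.
    $problems = @()
    if (-not $client.Enabled)       { $problems += 'client is disabled' }
    if (-not $client.NapCompatible) { $problems += 'not marked NAP-capable' }
    if ($client.AuthAttributeRequired -ne $requireMessageAuthenticator) {
        $problems += "Message-Authenticator requirement is $($client.AuthAttributeRequired), expected $requireMessageAuthenticator"
    }
    if ($client.VendorName -ne 'RADIUS Standard') { $problems += "vendor is $($client.VendorName)" }

    if ($problems.Count -eq 0) {
        Write-Host "$($client.Name): OK ($ip)"
    } else {
        Write-Warning "$($client.Name): $($problems -join '; ')"
    }
}

$secret = $null
```

The script only creates missing entries and never changes an existing one, so a warning means a human has to decide whether the NPS entry or the HRA's remote RADIUS server group is the side that is wrong. On Windows Server 2008, which has no NPS module, netsh nps show client lists the same properties for manual comparison.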
Connection request policies
Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. Use the following procedure to confirm that connection request policy on the local NPS is configured for NAP IPsec enforcement.
To verify connection request policies
In the NPS console tree, double-click Policies, and then click Connection Request Policies.
In the details pane, double-click the connection request policy that is used to authenticate incoming network access requests from IPsec-protected NAP clients. If this policy is not present, perform the following steps to create a connection request policy.
Right-click Connection Request Policies, and then click New.
Under Policy Name, type a name for the connection request policy, for example: NAP IPsec with HRA.
Under Type of network access server, select Health Registration Authority, and then click Next.
A connection request policy must have at least one condition. The following steps add a Day and Time Restrictions condition that permits all days and times, so the policy matches every incoming access request without excluding any. On the Specify Conditions page, click Add.
In the Select condition window, click Day and Time Restrictions, and then click Add.
In the Time of day constraints window, select Permitted. Verify that all days and times are permitted, click OK, and then click Next.
If the local NPS is a NAP health policy server, verify that Authenticate requests on this server is chosen, click Next three times, and then click Finish. If the local NPS will forward requests to another server for evaluation, see Verify NPS proxy configuration.
Resume the current procedure to validate the new connection request policy.
On the Overview tab, verify that the Policy enabled check box is selected.
On the Overview tab, verify that the Type of network access server is either Health Registration Authority or Unspecified. For more information about specifying an access server type, see additional considerations.
Click the Conditions tab and verify that every configured condition is matched by both compliant and noncompliant NAP clients; a request that matches no connection request policy is never evaluated against your NAP network policies. For example, Day and time restrictions can be configured to permit network access only on specified days at specified times, and NAP clients connecting outside that window would not be health-evaluated.
Click the Settings tab. Under Required Authentication Methods, click Authentication Methods, and verify that the Override network policy authentication settings check box is cleared.
Under Forwarding Connection Request, click Authentication.
To enable the local NPS as a NAP health policy server, verify that Authenticate requests on this server is chosen.
Click OK to close the properties window.
Network policies
Network policies use conditions, settings, and constraints to determine who can connect to the network. To evaluate health status of NAP clients, there must be at least one network policy that will be applied to computers that are compliant with the health requirements, and at least one network policy that will be applied to computers that are noncompliant. Use the following procedure to verify that these policies have been created and configured for NAP IPsec enforcement.
To verify network policies
In the NPS console tree, double-click Policies, and then click Network Policies.
In the details pane, verify that you have at least one policy for compliant computers and one policy for noncompliant computers, and that these policies have a Status of Enabled. To enable a policy, right-click the policy name and then click Enable. If these policies are not present, perform the following steps to create a network policy.
Right-click Network Policies, and then click New.
Under Policy Name, type a name for the network policy, for example: NAP IPsec with HRA Compliant or NAP IPsec with HRA Noncompliant.
Under Type of network access server, select Health Registration Authority, and then click Next.
On the Specify Conditions page, click Add.
In Select condition, click Health Policies, and then click Add.
If this network policy will apply to compliant client computers, under Health Policies, choose a health policy that has been configured to match a compliant client health state, and then click OK.
If this network policy will apply to noncompliant client computers, under Health Policies, choose a health policy that has been configured to match a noncompliant client health state, and then click OK.
If no health policies are available, or health policies are not configured to match compliant and noncompliant client health states, see health policies and then resume this procedure.
Click Next, select Access granted, and then click Next.
On the Configure Authentication Methods page, select the Perform machine health check only check box, and then click Next twice.
On the Configure Settings page, click NAP Enforcement.
Choose an enforcement mode for this policy. See NAP enforcement modes for more information.
To enable auto-remediation of noncompliant clients, select the Enable auto-remediation of client computers check box. If you do not wish to enable auto-remediation, clear this check box.
Click Next, and then click Finish.
Resume the current procedure to validate configuration of the new network policy.
In the details pane, verify that the Processing Order of policies is configured correctly for your deployment. NPS evaluates enabled network policies in the listed order and applies the first policy whose conditions match, so more specific policies must be placed before more general ones. To change the order of policies, right-click the policy name and then click Move Up or Move Down.
In the details pane, verify that both your compliant and noncompliant NAP policies are configured with an Access Type of Grant Access. To configure access permissions, right-click the policy name, click Properties, click the Overview tab, and then select Grant Access.
In the details pane, verify that the Source of your policies used to process IPsec-protected NAP clients is either Health Registration Authority or Unspecified. For more information about specifying an access server type, see additional considerations.
In the details pane, double-click the name of a network policy used to match compliant clients, and then click the Conditions tab.
Verify that at least one of the conditions specified is Health Policy, and the Value corresponds to a health policy that you have configured to match a compliant client health state. If this condition is not present, perform the following steps.
Click Add, click Health Policies, and then click Add.
Under Health Policies, choose a policy that corresponds to a compliant client health state, and then click OK. If no health policies are available, then verify health policies and repeat this procedure.
Click the Constraints tab, and then click Authentication Methods.
Verify that the Perform machine health check only check box is selected.
Click the Settings tab, and then click NAP Enforcement.
Verify that Allow full network access is selected for this compliant network policy, and then click OK. This completes verification of a compliant network policy.
In the details pane, double-click the name of a network policy used to match noncompliant clients, and then click the Conditions tab.
Verify that at least one of the conditions specified is Health Policy, and the Value corresponds to a health policy that you have configured to match a noncompliant client health state. If this condition is not present, perform the following steps.
Click Add, click Health Policies, and then click Add.
Under Health Policies, choose a policy that corresponds to a noncompliant client health state, and then click OK. If no health policies are available, then verify health policies and repeat this procedure.
Click the Constraints tab, and then click Authentication Methods.
Verify that the Perform machine health check only check box is selected.
Click the Settings tab, and then click NAP Enforcement.
Verify that Allow limited access is selected for this noncompliant network policy if you have deployed NAP in a full enforcement mode.
Verify that Allow full network access for a limited time is selected for this noncompliant network policy if you have deployed NAP in deferred enforcement mode.
Verify that Allow full network access is selected for this noncompliant network policy if you have deployed NAP in reporting mode.
Verify that the Enable auto-remediation of client computers check box is selected if you wish to enable automatic remediation of noncompliant NAP clients.
Click OK.
Repeat these steps as necessary to verify configuration of each of the network policies used to evaluate access requests from IPsec-protected NAP clients.
NAP enforcement modes
When you enable NAP on your network, three enforcement modes are available. Use these enforcement modes for staging your NAP deployment.
To enable reporting mode, select Allow full network access for both compliant and noncompliant NAP client computers. In reporting mode, the health status of client computers is logged but network access is not restricted. Both compliant and noncompliant computers receive health certificates.
To enable deferred enforcement mode, select Allow full network access in your compliant network policy and Allow full network access for a limited time in your noncompliant network policy. You must also specify a date and time when noncompliant clients will have their access restricted. In deferred enforcement mode, client computers immediately receive NAP notifications if they are not in compliance with network health requirements, but do not have their access restricted until the specified time and date.
To enable full enforcement mode, select Allow full network access in your compliant network policy and Allow limited access in your noncompliant network policy. In full enforcement mode, client computers immediately have their network access restricted if they are not in compliance with network health requirements.
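Policy settings say what mode is intended; the NPS audit events in the Security log say what mode clients actually get. The following PowerShell is an added example, not code from the original page or from Microsoft: it reads the NPS audit events of the last few hours and tabulates outcome per network policy, so a noncompliant policy can be checked against the mode chosen above. It uses the NPS audit event IDs 6272 (access granted), 6273 (access denied), 6276 (client quarantined), 6277 (full access granted on probation) and 6278 (full access granted because the host met the health policy); the EventData field names are taken from the event XML and are an assumption to confirm against one event on your own server. It needs PowerShell 3.0 (Windows Server 2012, or Windows Server 2008 with WMF 3.0) and an elevated session on the NAP health policy server.

```powershell
# Added example (not part of the original page). Run elevated on the NAP health
# policy server; PowerShell 3.0 or later. Field names are an assumption drawn
# from the event XML; compare with (Get-WinEvent ...)[0].ToXml() if a column is empty.
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6276, 6277, 6278
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No NPS audit events in the last $Hours hour(s)."; return }

# 6276 = limited access (full enforcement), 6277 = probation (deferred
# enforcement), 6278 = full access because the host met the health policy.
$outcome = @{
    6272 = 'granted'
    6273 = 'denied'
    6276 = 'quarantined (limited access)'
    6277 = 'full access, probation'
    6278 = 'full access, compliant'
}

$rows = foreach ($e in $events) {
    # Read named EventData fields from the XML instead of parsing message text.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Outcome       = $outcome[$e.Id]
        Client        = $data['FullyQualifiedSubjectMachineName']
        RadiusClient  = $data['ClientName']        # HRA that forwarded the request
        CRPolicy      = $data['ProxyPolicyName']   # connection request policy matched
        NetworkPolicy = $data['NetworkPolicyName']
        Quarantine    = $data['QuarantineState']
        Reason        = $data['Reason']            # populated on 6273 only
    }
}

Write-Host "Outcome by network policy, last $Hours hour(s):"
$rows | Group-Object NetworkPolicy, Outcome | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Clients that were restricted or put on probation show which enforcement mode
# is live; a noncompliant policy that only ever appears with full access and no
# probation is running in reporting mode (or is shadowed by an earlier policy).
Write-Host 'Most recent restricted or probationary clients:'
$rows | Where-Object { $_.Outcome -like 'quarantined*' -or $_.Outcome -like '*probation' } |
    Sort-Object Time -Descending |
    Select-Object -First 20 Time, Client, RadiusClient, NetworkPolicy, Quarantine |
    Format-Table -AutoSize

# Denials are worth a look too: reason 49 style "no matching policy" denials
# usually mean a connection request policy condition or NAS type is excluding NAP clients.
$rows | Where-Object { $_.Outcome -eq 'denied' } | Group-Object Reason |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Events appear in the Security log only while the Network Policy Server audit subcategory is enabled, which is the default on a server with the NPS role; if the script finds nothing during active client traffic, check auditpol /get /subcategory:"Network Policy Server" before concluding that no clients are being evaluated.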
Additional considerations
If the type of network access server in connection request policy and network policy is set to Unspecified, NPS uses this policy to evaluate all connection requests that originate from any type of network access server. If the type of network access server is set to Health Registration Authority, then only connection requests that are forwarded from an HRA server are evaluated by this policy. If one or more enabled policies have a specified source of Health Registration Authority, then all policies with an Unspecified source will be ignored by NPS when processing IPsec-protected NAP client network access requests.
Health policies
Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. You need at least one health policy that corresponds to a compliant client health state, and at least one health policy that corresponds to a noncompliant client health state. Use the following procedure to verify that compliant and noncompliant health policies have been configured on the NAP health policy server.
To verify health policies
In the NPS console tree, double-click Policies, and then click Health Policies.
In the details pane, under Policy Name, double-click the name of a compliant health policy. If this policy is not present, use the following steps to create a compliant health policy.
Right-click Health Policies, and then click New.
Under Policy name, type a name for your compliant health policy, for example: NAP IPsec with HRA Compliant.
Under Client SHV checks, select Client passes all SHV checks to create a strict health policy, or select Client passes one or more SHV checks to create a more lenient health policy.
Under SHVs used in this health policy, select the check box next to each SHV that will be used to evaluate client health. The Windows Security Health Validator is available by default. Other SHVs are available if they have been installed.
Click OK, and resume this procedure to validate your new health policy.
Under Client SHV checks, verify that either Client passes all SHV checks or Client passes one or more SHV checks is selected. These conditions are used to create compliant policies that are more restrictive or less restrictive, respectively.
Under SHVs used in this health policy, verify that the check boxes are selected next to installed SHVs that will be used to evaluate health on your IPsec-protected NAP client computers, and then click OK.
In the details pane, under Policy Name, double-click the name of a noncompliant health policy. If this policy is not present, use the following steps to create a noncompliant health policy.
Right-click Health Policies, and then click New.
Under Policy name, type a name for your noncompliant health policy, for example: NAP IPsec with HRA Noncompliant.
Under Client SHV checks, select Client fails one or more SHV checks to create a strict health policy, or select Client fails all SHV checks to create a more lenient health policy.
Under SHVs used in this health policy, select the check box next to each SHV that will be used to evaluate client health. The Windows Security Health Validator is available by default. Other SHVs are available if they have been installed.
Click OK, and resume this procedure to validate your new health policy.
Under Client SHV checks, verify that either Client fails one or more SHV checks or Client fails all SHV checks is selected. These conditions are used to create noncompliant policies that are more restrictive or less restrictive, respectively.
Under SHVs used in this health policy, verify that the check boxes are selected next to installed SHVs that will be used to evaluate health on your IPsec-protected NAP client computers, and then click OK.
Repeat these steps for all health policies used to evaluate your IPsec-protected NAP client computers.
System health validators
SHVs define software and configuration requirements for computers that attempt to connect to your network. Use the following procedure to verify that SHVs are configured correctly for your deployment.
To verify system health validators
In the NPS console tree, double-click Network Access Protection, and then click System Health Validators.
In the details pane, under Name, double-click the name of an installed SHV.
Configuration of SHVs will vary based on implementation. If you are using the Windows Security Health Validator (WSHV), click Configure.
To configure health requirements for computers running Windows Vista, click the Windows Vista tab.
To configure health requirements for computers running Windows XP with Service Pack 3, click the Windows XP tab.
Enable health requirements by selecting the check boxes next to specific health components. Clear these check boxes to disable requirements. The health requirements available when using the WSHV include: Firewall, Virus Protection, Spyware Protection, Automatic Updating, and Security Update Protection.
Click OK, and configure error code resolutions for your deployment. Error code resolutions determine how clients are evaluated under the listed error conditions. You can select to return a status of Compliant or Noncompliant for each condition.
Click OK, and close the NPS console.
Verify NPS proxy configuration
Use the following procedure to verify configuration of the local NPS server as a RADIUS proxy. This procedure does not apply if the local NPS server is configured as a NAP health policy server.
To verify NPS proxy configuration
Click Start, click Run, type nps.msc, and then press ENTER.
In the console tree, double-click RADIUS Clients and Servers, and then click Remote RADIUS Server Groups.
In the details pane, under Group Name, double-click the name of a remote RADIUS server group. If no remote RADIUS server group entry is displayed, perform the following steps to add a remote RADIUS server group.
In the console tree, under RADIUS Clients and Servers, right-click Remote RADIUS Server Groups, and then click New.
Under Group name, type a name for the remote RADIUS server group, for example: NAP Health Policy Server1.
Click Add, and then under Server, type the DNS name or IP address of an NPS server that is configured to evaluate NAP IPsec client connection requests forwarded from the local HRA.
Click Verify, and then click Resolve. Confirm that the IP address displayed is correct for your deployment, and then click OK.
Click the Authentication/Accounting tab.
Under Shared secret and Confirm shared secret, type the secret that is configured in NPS settings on the NAP health policy server.
Click OK twice, and resume this procedure to validate the NPS proxy configuration.
In the server group properties window, under RADIUS Server, click the name of a remote RADIUS server, and then click Edit.
On the Address tab, click Verify.
In the Verify Client dialog box, click Resolve. Verify that the resolved IP address corresponds to a NAP health policy server on your network, and that this server has a RADIUS client entry for the local NPS proxy.
Click OK, and then click the Authentication/Accounting tab.
Verify that the authentication and accounting ports are correct for your deployment. The default authentication port is 1812 and the default accounting port is 1813.
Verify that the Request must contain the message authenticator attribute check box is selected only if a corresponding access-request message requirement for the message authenticator attribute is enabled on the NAP health policy server. Clear this check box if the NAP health policy server does not require this attribute.
If a shared secret mismatch is suspected, type the secret next to Shared secret and Confirm shared secret, and then click OK twice.
In the console tree, double-click Policies, and then click Connection Request Policies.
In the details pane, double-click the connection request policy that is used to authenticate incoming network access requests from IPsec-protected NAP clients.
Click the Settings tab, and under Forwarding Connection Request, click Authentication.
Verify that Forward requests to the following remote RADIUS server group for authentication is selected, and verify the name of the selected remote RADIUS server group corresponds to the correct NAP health policy servers on your network.
Repeat these steps for all remote NPS servers and groups.
Close the NPS console.
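The console can verify that a name resolves, but it cannot tell you whether the shared secret entered here matches the one on the NAP health policy server; the RADIUS Clients procedure above ("If a shared secret mismatch is suspected") has the same blind spot. The following PowerShell is an added example, not code from the original page or from Microsoft: run from the HRA/proxy host, it sends one RADIUS Access-Request carrying the Message-Authenticator attribute to the health policy server and checks the Response Authenticator of whatever comes back. A reply that verifies proves the secret matches (an Access-Reject is the expected reply, because the probe user does not exist); no reply within the timeout means the secret differs, the sender is not a configured RADIUS client on that server, or UDP 1812 is blocked, since NPS silently discards requests whose Message-Authenticator does not verify. The server name, probe user name and password are assumptions; the packet layout follows RFC 2865 and RFC 2869 rather than anything NPS-specific.

```powershell
# Added example (not part of the original page). Run from the HRA/NPS proxy so the
# source address matches the RADIUS client entry on the health policy server.
# Server name, user name and password are assumptions.
param(
    [string]$Server    = 'nps1.corp.example.com',
    [int]   $Port      = 1812,
    [string]$UserName  = 'radius-probe',
    [int]   $TimeoutMs = 3000
)

$secure = Read-Host -AsSecureString -Prompt "Shared secret for $Server"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Text.Encoding]::ASCII.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # Attribute = Type (1 byte) | Length (1 byte, includes the 2-byte header) | Value
    [byte[]](@($Type, ($Value.Length + 2)) + $Value)
}

$md5  = [Security.Cryptography.MD5]::Create()
$hmac = New-Object Security.Cryptography.HMACMD5 -ArgumentList (,$secret)
$rng  = [Security.Cryptography.RandomNumberGenerator]::Create()

$reqAuth = New-Object byte[] 16; $rng.GetBytes($reqAuth)   # Request Authenticator
$identifier = [byte](Get-Random -Maximum 256)

# User-Password: password padded to 16 bytes XOR MD5(secret + RequestAuthenticator)
# (RFC 2865 section 5.2); one block is enough for the short probe password.
$padded = New-Object byte[] 16
$pwd = [Text.Encoding]::ASCII.GetBytes('probe'); [Array]::Copy($pwd, $padded, $pwd.Length)
$b = $md5.ComputeHash([byte[]]($secret + $reqAuth))
$encPwd = New-Object byte[] 16
for ($i = 0; $i -lt 16; $i++) { $encPwd[$i] = $padded[$i] -bxor $b[$i] }

$attrs = [byte[]](
    (New-RadiusAttribute 1  ([Text.Encoding]::ASCII.GetBytes($UserName))) +     # User-Name
    (New-RadiusAttribute 2  $encPwd) +                                           # User-Password
    (New-RadiusAttribute 32 ([Text.Encoding]::ASCII.GetBytes($env:COMPUTERNAME))) + # NAS-Identifier
    (New-RadiusAttribute 80 (New-Object byte[] 16))                              # Message-Authenticator, zeroed
)

$length   = 20 + $attrs.Length
$lenBytes = [BitConverter]::GetBytes([uint16]$length); [Array]::Reverse($lenBytes)  # network byte order
$packet   = [byte[]](@(1, $identifier) + $lenBytes + $reqAuth + $attrs)              # Code 1 = Access-Request

# Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)
# (RFC 2869 section 5.14). It is the last attribute, so its value is the final 16 bytes.
$mac = $hmac.ComputeHash($packet)
[Array]::Copy($mac, 0, $packet, $packet.Length - 16, 16)

$udp = New-Object Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = $TimeoutMs
$udp.Connect($Server, $Port)
[void]$udp.Send($packet, $packet.Length)
$remote = New-Object Net.IPEndPoint ([Net.IPAddress]::Any, 0)
try {
    $reply = $udp.Receive([ref]$remote)
} catch [Net.Sockets.SocketException] {
    Write-Warning "No reply from ${Server}:$Port within $TimeoutMs ms: shared secret mismatch, this host is not a RADIUS client on $Server, or UDP $Port is blocked"
    return
} finally { $udp.Close() }

# Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | secret)
# (RFC 2865 section 3). Only a sender holding the secret can produce it.
$tail     = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
$expected = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $tail + $secret))
$authOk   = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19])
$codeName = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }[[int]$reply[0]]

if ($reply[1] -ne $identifier) {
    Write-Warning "Reply identifier $($reply[1]) does not match request $identifier; ignore this reply"
} elseif ($authOk) {
    Write-Host "$codeName from $($remote.Address): Response Authenticator verifies, shared secret matches"
} else {
    Write-Warning "$codeName from $($remote.Address) but the Response Authenticator does not verify: wrong secret or forged reply"
}
```

The probe produces a denial event on the health policy server (event 6273 for the nonexistent user), which is itself useful: its ClientName field names the RADIUS client entry the server matched, so you can confirm the proxy was recognised under the intended entry rather than a stale one.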