Network Policy Server

Updated: January 21, 2008

Applies To: Windows Server 2008

Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization.

What does Network Policy Server do?

  • Network Policy Server is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches. In addition, you can use NPS to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections. NPS also has key components for deploying Network Access Protection (NAP) on your network.

    The following technologies can be deployed after the NPS role service has been installed:

    • NAP policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to communicate on the network. You can create NAP policies in NPS that allow client computers to update their configuration to comply with your organization's network policy.

    • IEEE 802.11 Wireless. Using the NPS Microsoft Management Console (MMC) snap-in, you can configure 802.1X-based connection request policies for IEEE 802.11 wireless client network access. You can also configure wireless access points as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.11 wireless connections. You can fully integrate IEEE 802.11 wireless access with NAP when you deploy a wireless 802.1X authentication infrastructure so that the health status of wireless clients is verified against health policy before clients are allowed to connect to the network.

    • IEEE 802.3 Wired. Using the NPS MMC snap-in, you can configure 802.1X-based connection request policies for IEEE 802.3 wired client Ethernet network access. You can also configure 802.1X-compliant switches as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.3 Ethernet connections. You can fully integrate IEEE 802.3 wired client access with NAP when you deploy a wired 802.1X authentication infrastructure.

    • RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and remote access dial-up and VPN connections, as well as for connections to computers running Terminal Services Gateway (TS Gateway). When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests. You can configure RADIUS accounting so that NPS records accounting information to log files on the local hard disk or in a Microsoft® SQL Server™ database.

    • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the server running NPS which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

Who will be interested in this feature?

Network and systems administrators that want to centrally manage network access, including authentication (verification of identity), authorization (verification of the right to access the network), and accounting (the logging of NPS status and network connection process data), will be interested in deploying Network Policy Server.

Are there any special considerations?

When a server running NPS is a member of an Active Directory® domain, NPS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an Active Directory domain. Because of this, it is recommended that you use NPS with Active Directory Domain Services (AD DS).

The following additional considerations apply when using NPS.

  • To deploy NPS with secure IEEE 802.1X wired or wireless access, you must enroll a server certificate to the server running NPS using Active Directory Certificate Services (AD CS) or a non-Microsoft public certification authority (CA). To deploy EAP-TLS or PEAP-TLS, you must also enroll computer or user certificates, which requires that you design and deploy a public key infrastructure (PKI) using AD CS. In addition, you must purchase and deploy network access servers (wireless access points or 802.1X authenticating switches) that are compatible with the RADIUS protocol and EAP.

  • To deploy NPS with TS Gateway, you must deploy TS Gateway on the local or a remote computer that is running the Windows Server® 2008 operating system.

  • To deploy NPS with Routing and Remote Access configured as a VPN server, a member of a VPN site-to-site configuration, or a dial-up server, you must deploy Routing and Remote Access on the local or a remote computer that is running Windows Server 2008.

  • To deploy NPS with NAP, you must deploy additional NAP components as described in NPS product Help and other NAP documentation.

  • To deploy NPS with SQL Server logging, you must deploy Microsoft SQL Server 2000 or Microsoft SQL Server 2005 on the local or a remote computer.

What new functionality does this feature provide?

NPS provides the following new functionality in Windows Server 2008.

  • Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® operating system and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.

  • Network shell (Netsh) commands for NPS. A comprehensive command set that allows you to manage all aspects of NPS using commands at the netsh prompt and in scripts and batch files.

  • New Windows interface. Windows interface improvements, including policy creation wizards for NAP, network policy, and connection request policy; and wizards designed specifically for deployments of 802.1X wired and wireless and VPN and dial-up connections.

  • Support for Internet Protocol version 6 (IPv6). NPS can be deployed in IPv6-only environments, IPv4-only environments, and in mixed environments where both IPv4 and IPv6 are used.

  • Integration with Cisco Network Admission Control (NAC). With Host Credential Authorization Protocol (HCAP) and NPS, you can integrate Network Access Protection (NAP) with Cisco NAC. NPS provides the Extended State and Policy Expiration attributes in network policy for Cisco integration.

  • Attributes to identify access clients. The operating system and access client conditions allow you to create network access policies that apply to clients you specify and to clients running operating system versions you specify.

  • Integration with Server Manager. NPS is integrated with Server Manager, which allows you to manage multiple technologies from one Windows interface location.

  • Network policies that match the network connection method. You can create network policies that are applied only if the network connection method, such as VPN, TS Gateway, or DHCP, matches the policy. This allows NPS to process only the policies that match the type of RADIUS client used for the connection.

  • Common Criteria support. NPS can be deployed in environments where support for Common Criteria is required. For more information, see Common Criteria portal at

  • NPS extension library. NPS provides extensibility that enables non-Microsoft organizations and companies to implement custom RADIUS solutions by authoring NPS extension dynamic-link libraries (DLLs). NPS is now resilient to failures in non-Microsoft extension DLLs.

  • XML NPS configuration import and export. You can import NPS server configuration to a XML file and import NPS server configurations using XML files with the netsh NPS commands.

  • EAPHost and EAP policy support. NPS supports EAPHost, which is also available in Windows Vista. EAPHost is a Windows service that implements RFC 3748 and supports all RFC-compliant EAP methods, including expanded EAP types. EAPHost also supports multiple implementations of the same EAP method. NPS administrators can configure network policy and connection request policy based on EAPHost EAP methods.

Additional references

For information about other Network Policy and Access Services features, see the Network Policy and Access Services Role topic.