Components of a RADIUS Infrastructure
Applies To: Windows Server 2008, Windows Server 2008 R2
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS and network access servers use the RADIUS protocol to securely transmit RADIUS messages. The RADIUS protocol is used solely between RADIUS servers and proxies, such as servers and proxies running NPS, and RADIUS-compliant network access servers. A fully functioning RADIUS infrastructure also contains components that do not use the RADIUS protocol, however, such as access clients and user accounts databases.
RADIUS is an industry standard. For more information about RADIUS, see RFC 2865, “Remote Authentication Dial-In User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” For information about standards that apply to NPS in Windows Server 2008, see RFC 2868, “RADIUS Attributes for Tunnel Protocol Support,” and RFC 2869, “RADIUS Extensions.”
There are five components to an NPS or RADIUS infrastructure: access clients, access servers (RADIUS clients), NPS servers (RADIUS servers), NPS proxies (RADIUS proxies), and user account databases. A RADIUS infrastructure is used to perform authentication, authorization, and accounting of user network access attempts. Authentication is the process of verifying the credentials of the users attempting to connect to a network. The authorization process determines whether users have permission to connect to the network, and the conditions under which permission has been granted. Accounting is optional and provides record keeping of successful or failed connection attempts.
The following figure, “Components of an NPS Infrastructure,” illustrates the relationships between the five components of an NPS infrastructure.
Components of an NPS Infrastructure
An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or local area network (LAN) clients connected to an authenticating switch.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
Access servers used as RADIUS clients
An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server.
NPS servers used as RADIUS servers
An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request.
NPS proxies and RADIUS proxies
An NPS or RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients and RADIUS servers. The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server.
A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.
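The routing decision described above, as an added example that is not code from the page or from NPS: a minimal RFC 2865 Access-Request encoder and bounds-checked parser, plus a realm lookup on the User-Name attribute that picks the RADIUS server the way a proxy would. The server names and the realm table are constructed for illustration; only a suffix realm (user@realm) is handled.

```python
import os
import struct

# RADIUS code and attribute types from RFC 2865 (only the ones used here).
ACCESS_REQUEST = 1
USER_NAME = 1
CALLED_STATION_ID = 30

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:  # Length is one octet and includes the 2-byte header
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_access_request(ident, attrs, authenticator=None):
    """Build an Access-Request; the Request Authenticator is 16 random octets."""
    if authenticator is None:
        authenticator = os.urandom(16)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Parse a RADIUS datagram into (code, identifier, authenticator, {type: [values]})."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):  # octets beyond Length are padding; fewer is invalid
        raise ValueError("Length field inconsistent with datagram")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:  # never trust the attribute Length blindly
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(t, []).append(data[pos + 2:pos + l])
        pos += l
    return code, ident, data[4:20], attrs

def route_by_realm(attrs, realm_table, default=None):
    """Choose the RADIUS server from the User-Name realm, as a RADIUS proxy would."""
    names = attrs.get(USER_NAME)
    if not names:
        return default
    user = names[0].decode("utf-8", "replace")
    realm = user.rsplit("@", 1)[1].lower() if "@" in user else ""
    return realm_table.get(realm, default)
```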
User accounts databases
The user account database is the list of user accounts and their properties. A RADIUS server checks it to verify authentication credentials and to read the account properties that contain authorization and connection parameter information.
The user account databases that NPS can use are the local Security Accounts Manager (SAM); a Microsoft Windows NT Server 4.0 domain; the Active Directory directory service and user accounts database included with Windows Server 2003 and Windows 2000; and the user accounts database provided with Active Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a domain member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations:
In the domain in which the NPS server is a member.
In domains for which there is a two-way trust with the NPS server domain.
In trusted forests with domain controllers running Windows Server 2008 and AD DS.
If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. For Active Directory, such databases include those in untrusted forests, untrusted domains, or one-way trusted domains.