NPS as a RADIUS Server and Proxy
Applies To: Windows Server 2008, Windows Server 2008 R2
RADIUS servers process connection requests, whereas RADIUS proxies forward connection requests to other RADIUS servers for processing. You can configure a server running NPS to act as a RADIUS server, a RADIUS proxy, or both.
When you deploy NPS as a RADIUS server, NPS receives connection requests from network access servers, and then processes the requests. NPS performs centralized connection authentication, authorization, and accounting for many types of network access.
When NPS is used as a RADIUS server, it provides the following:
A central authentication and authorization service for all access requests that are sent by RADIUS clients.
NPS uses a Microsoft Windows NT Server 4.0 domain, an Active Directory domain, or the local SAM to authenticate user credentials for a connection attempt. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
A central accounting recording service for all accounting requests that RADIUS clients send.
Accounting requests are stored in a local log file or a SQL server database for analysis.
As a RADIUS proxy, NPS provides the routing of RADIUS messages between RADIUS clients (access servers), other RADIUS proxies, and the RADIUS servers that perform AAAA for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow.
When you configure NPS as a RADIUS proxy, network access servers are configured as RADIUS clients on the RADIUS proxy. In other words, connection requests originate at and are sent by RADIUS clients to the RADIUS proxy. Because the RADIUS proxy forwards these connection requests to remote RADIUS servers for processing, the proxy is acting as a RADIUS client to the remote RADIUS server.
The following illustration shows NPS as a RADIUS proxy between RADIUS clients (access servers) and either RADIUS servers or another RADIUS proxy.
You can use NPS as a RADIUS proxy when:
You are a service provider who offers outsourced dial-up, VPN, or wireless network access services to multiple customers. Your network access servers send connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that is maintained by the customer and can authenticate and authorize the connection attempt. For more information, see Realm Names.
You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS server is a member or another domain that has a two-way trust with the domain in which the NPS server is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for network access servers in another domain or forest.
NPS supports authentication across forests without a RADIUS proxy when the two forests contain only domains that consist of domain controllers running Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. The forest functional level must be Windows Server 2008 or Windows Server 2003, and there must be a two-way trust relationship between forests. If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2008 and Windows Server 2003 domains.
You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, connection requests that match a specified realm name are forwarded to a RADIUS server, which has access to a different database of user accounts and authorization data. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases.
You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second.
You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall is between your perimeter network (the network between your intranet and the Internet) and intranet. By placing an NPS server on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS server and multiple domain controllers. When replacing the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPS servers within your intranet.
The following illustration shows the path of an Access-Request message from a network access server to a RADIUS proxy, and then on to a RADIUS server in a remote RADIUS server group. On the RADIUS proxy, the network access server is configured as a RADIUS client; and on each RADIUS server, the RADIUS proxy is configured as a RADIUS client.
NPS can be used as a RADIUS server or proxy with any network access servers that are compliant with RADIUS RFCs 2865 and 2866. Network access servers are also called RADIUS clients.
NPS enables the use of a heterogeneous or homogenous set of wireless, switch, remote access, or VPN equipment. You can use NPS to authenticate and authorize network connection requests when you deploy the following types of network access servers and technologies:
Wired access with 802.1X-secured and RADIUS-compliant authenticating switches
Wireless access with 802.1X-secured and RADIUS-compliant wireless access points
Dial-up access with a computer running Windows Server 2008 and RRAS configured as a dial-up server, or other dial-up servers that are RADIUS-compliant
Terminal services access with a computer running Windows Server 2008 and Terminal Services Gateway (TS Gateway)
VPN access with a computer running Windows Server 2008 and RRAS configured as a VPN server, or other VPN servers that are RADIUS-compliant
For more information, see RADIUS Clients.