New Features and Name Changes for NPS
Applies To: Windows Server 2008, Windows Server 2008 R2
NPS functionality in Windows Server 2008 R2
Network Policy Server (NPS) provides the following new features in Windows Server 2008 R2:
NPS templates and Templates Management. NPS templates allow you to create NPS server configuration elements, such as RADIUS clients or shared secrets, that you can reuse on the local server running NPS and export for use on other NPS servers. Templates Management provides a node in the NPS console where you can create, modify, and save templates. In addition, you can export templates for use on other NPS servers, or import templates into Templates Management for use on the local computer. For more information, see Create and Use NPS Templates at http://go.microsoft.com/fwlink/?LinkID=167945.
RADIUS accounting improvements. These improvements include a new accounting configuration wizard that allows you to easily configure SQL Server logging, text file logging, or combinations of these two logging types. In addition, you can use the wizard to automatically configure an NPS database on a local or remote SQL Server.
Full support for international, non-English character sets using UTF-8 encoding. In compliance with the Internet Engineering Task Force (IETF) request for comments (RFC) 2865, NPS processes the value of the User-Name attribute in a connection request using 8-bit Unicode Transformation Format (UTF-8) encoding. The User-Name attribute includes the user or computer identity and the realm. Optionally, the following registry key can be used to cause NPS to process the value of the User-Name attribute in American Standard Code for Information Interchange (ASCII) format if the registry key DWORD value is set to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost\Configuration\IdentityEncodingFormat
NPS functionality in Windows Server 2008
NPS provides the following new functionality in Windows Server 2008:
Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in the Windows Vista operating system and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.
Network shell (Netsh) commands for NPS. A comprehensive command set that allows you to manage all aspects of NPS using commands at the netsh prompt and in scripts and batch files. The Netsh NPS command reference is available in HTML format in the Network Shell (Netsh) Technical Reference in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110825. In addition, the entire Network Shell (Netsh) Technical Reference is available for download in Windows Help format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=113659
New Windows interface. Windows interface improvements, including policy creation wizards for NAP, network policy, and connection request policy; and wizards designed specifically for deployments of 802.1X wired and wireless and VPN and dial-up connections.
Support for Internet Protocol version 6 (IPv6). NPS can be deployed in IPv6-only environments, IPv4-only environments, and in mixed environments where both IPv4 and IPv6 are used.
Integration with Cisco Network Admission Control (NAC). With Host Credential Authorization Protocol (HCAP) and NPS, you can integrate Network Access Protection (NAP) with Cisco NAC. NPS provides the Extended State and Policy Expiration attributes in network policy for Cisco integration.
Attributes to identify access clients. The operating system and access client conditions allow you to create network access policies that apply to clients you specify and to clients running operating system versions you specify.
Integration with Server Manager. NPS is integrated with Server Manager, which allows you to manage multiple technologies from one Windows interface location.
Network policies that match the network connection method. You can create network policies that are applied only if the network connection method, such as VPN, TS Gateway, or DHCP, matches the policy. This allows NPS to process only the policies that match the type of RADIUS client used for the connection.
Common Criteria support. NPS can be deployed in environments where support for Common Criteria is required. For more information, see the Common Criteria portal at http://go.microsoft.com/fwlink/?LinkId=95567.
NPS extension library. NPS provides extensibility that enables non-Microsoft organizations and companies to implement custom RADIUS solutions by authoring NPS extension dynamic-link libraries (DLLs). NPS recovers from failures in non-Microsoft extension DLLs.
XML NPS configuration import and export. You can export an NPS server configuration to an XML file and then, on another NPS server, import the NPS server configuration from the XML file. These procedures are performed using the netsh NPS commands.
EAPHost and EAP policy support. NPS supports EAPHost, which is also available in Windows Vista. EAPHost is a Windows service that implements RFC 3748 and supports all RFC-compliant EAP methods, including expanded EAP types. EAPHost also supports multiple implementations of the same EAP method. NPS administrators can configure network policy and connection request policy based on EAPHost EAP methods.
Additional features of NPS
Following are additional features provided by NPS.
NPS server administration
After you install NPS, you can administer NPS servers:
Locally, by using the NPS Microsoft Management Console (MMC) snap-in, the static NPS console in Administrative Tools, or the network shell (Netsh) commands for NPS.
From a remote NPS server, by using the NPS MMC snap-in, the Netsh commands for NPS, or Remote Desktop Connection.
From a remote workstation, by using Remote Desktop Connection.
The protection of user account credentials during the authentication of users attempting connections is an important security concern. NPS supports a variety of authentication protocols and allows you to use arbitrary authentication methods to meet your requirements for authentication:
Password-based Point-to-Point Protocol (PPP) authentication protocols. PPP is a set of industry-standard framing and authentication protocols that enables remote access solutions to be interoperable in a multivendor network. NPS supports the authentication protocols within PPP, such as Password Authentication Protocol, CHAP, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v1), MS-CHAP version 2 (MS-CHAP v2), and Extensible Authentication Protocol (EAP).
Extensible Authentication Protocol (EAP) and Protected EAP (PEAP). EAP is an Internet standards–based infrastructure that allows the addition of arbitrary authentication methods, such as smart cards, certificates, one-time passwords, and token cards. A specific authentication method that uses the EAP infrastructure is an EAP type. NPS includes support for EAP-Transport Layer Security (EAP-TLS), as well as PEAP-MS-CHAP v2 and PEAP-TLS.
NPS supports a number of authorization methods and allows you to add custom methods that meet your authorization requirements. The supported authorization methods are:
Dialed Number Identification Service (DNIS). The authorization of a connection attempt that is based on the number called. DNIS supplies the number that was called to the call receiver and is provided by most standard telephone companies.
Automatic Number Identification/Calling Line Identification (ANI/CLI). The authorization of a connection attempt that is based on the phone number of the caller. ANI/CLI service supplies the number of the caller to the call receiver and is provided by most standard telephone companies.
Guest authorization. The authorization of a connection when the caller does not send a user name or password during the authentication process. If unauthenticated access is enabled, the Guest account is used by default as the identity of the caller.
In addition, you can configure authorization by user with Active Directory Domain Services (AD DS) user and computer account dial-in properties or authorization by group using NPS network policy.
Centralized user authentication and authorization
To authenticate a connection request, NPS validates the connection credentials against user and computer accounts in the local computer security accounts manager (SAM) database (also called Local Users and Groups), a Windows NT Server 4.0 domain, or an Active Directory domain. For an Active Directory domain, NPS supports the use of Active Directory user principal names (UPNs) and universal groups.
To authorize a connection request, NPS uses the dial-in properties of the user account that correspond to both the connection credentials and network policies. One of the elements used during authorization is the network access permission setting, which can be set both on the user or computer account and in the network policy. Although it is relatively easy to manage network access permission for each user account, this approach does not scale well as an organization grows. NPS network policies provide a more powerful and flexible way to manage network access permission.
With network policies, you can authorize network access based on various conditions, including:
User account membership in a group.
The time of day, the day of the week, or both.
The type of media by which the user is connecting (for example, wireless, Ethernet switch, modem, or VPN).
The phone number that the user calls.
The access server from which the request arrives.
In network policies you can control many connection parameters, including:
The use of specific authentication methods.
The idle time-out.
The maximum time of a single session.
The number of links in a multilink session.
The use of encryption and its strength.
The use of packet filters to control what resources the connecting user can access. For example, you can use filters to control which IP addresses, hosts, and ports the user is allowed to use in sending or receiving packets.
The creation of a compulsory tunnel that forces all packets from that connection to be securely tunneled through the Internet and then terminated in a private network.
The virtual local area network identifier for wireless or Ethernet connections.
Centralized administration for all access servers
Support for the RADIUS standard allows NPS to control connection parameters for any network access server (NAS) that implements RADIUS. The RADIUS standard also allows individual access server vendors to create proprietary extensions called vendor-specific attributes (VSAs). NPS has incorporated the extensions from a number of vendors in its dictionary of attributes. In circumstances where an attribute is not included in the NPS dictionary of attributes, additional VSAs can be created and added to the profile of individual network policies.
Outsourced dial-up and wireless network access
Outsourced dialing (also known as wholesale dialing) provides a contract between an organization and an ISP. The ISP allows employees of the organization to connect to its network before the VPN tunnel to the private network of the organization is established. When an employee of the organization connects to the network access server of the ISP, the authentication and records of usage are forwarded to the NPS server at the organization. The NPS server enables the organization to control user authentication, track usage, and determine which employees are allowed to access the network of the ISP.
The advantages of outsourced dialing are the potential financial and administrative savings. By using an ISP’s hardware and wide area network (WAN) links instead of purchasing and installing your own, you might save a great deal on infrastructure costs. If traveling or remotely located employees dial in to an ISP that has worldwide connections, making a local rather than a long distance connection, you might significantly decrease your long-distance phone bill. And by moving support requirements to the provider, you might eliminate administrative costs.
You can also outsource wireless access. A vendor can provide wireless access in a remote location and use NPS as a RADIUS proxy to forward your employee connection requests to a RADIUS server on your network for authentication and authorization.
Logging to a SQL Server database
You can use Microsoft SQL Server to log NPS accounting information, such as user authentication requests, accounting requests, and periodic data, to a database that warehouses data from multiple NPS servers.
You can configure NPS RADIUS accounting to record accounting information to a stored procedure in a Microsoft SQL Server 2000, SQL Server 2005, or SQL Server 2008 database.
NPS integration with RRAS
You can configure RRAS to use Windows authentication and accounting or to use RADIUS authentication and accounting. When RADIUS authentication or accounting is selected, any RFC-compliant RADIUS server can be used to provide authentication and authorization for connection requests; using an NPS server is recommended, however, to achieve the optimum level of integration with RRAS in Windows Server 2008 and Windows Server 2003 environments.
NPS and the Routing and Remote Access service share the same network policies and authentication capabilities. When the Routing and Remote Access service is configured for Windows authentication, local RRAS network policies are used, and logging is recorded in a local file by default. You can also configure the Routing and Remote Access service to log accounting data to a database on a computer running Microsoft SQL Server.
When the Routing and Remote Access service is configured as a RADIUS client to an NPS server, the network policies of the NPS server are used and logging is recorded in a local file on the NPS server or, when NPS SQL Server logging is configured on the NPS server, to a SQL Server database.
Because the policies within NPS at a central large site can be exported to the independent remote access server in a small site, a consistent implementation across NPS and the Routing and Remote Access service is provided. It allows you to deploy the Routing and Remote Access service at small sites without the need for a separate, centralized NPS server; it also provides the capability to scale up to a centralized remote access management model when the need arises to do so. In this case, NPS in conjunction with remote access servers implements a single point of administration for remote access to your network for outsourced-dial, demand-dial, and VPN access.
You can scale NPS to network configurations of varying size, from stand-alone servers for small networks to large corporate and ISP networks. As your network grows, you can add access servers, NPS proxy servers, and NPS servers to scale up and out, exporting and importing server configurations to minimize administrative overhead. NPS logging to SQL Server databases also provides the ability to scale the logging of network session information.
Mapping network authentication and authorization for NPS proxy
When you map a user account in a remote user accounts database to a user account in a local user accounts database, the proxy component of NPS can separate the authentication and authorization of connection requests. NPS sends the authentication request to the remote NPS server while also processing the authorization request locally. The NPS proxy can forward password-based user credentials to an external RADIUS server for authentication, and perform authorization against a user account in an Active Directory domain and a locally configured network policy.
Members of a remote RADIUS server group can be NPS servers that authenticate connection requests by using Active Directory or they can be third-party RADIUS servers that can perform authentication by using other user account databases. Regardless of the user accounts database or RADIUS server used with account mapping, authorization is performed on the local NPS proxy.
To configure NPS to split authentication and authorization between two different NPS servers and user accounts databases, you can map the realm portion of a user name to a remote RADIUS server for authentication, even if that RADIUS server is located on another private network.
For example, NPS can authenticate a visitor from a partner organization by using the partner organization RADIUS server and user accounts database. NPS then authorizes access to your network by using connection request policy settings on your NPS server and a Windows user accounts database in an Active Directory domain that is established for visitor accounts.
You can configure the proxy component with the Remote-RADIUS-to-Windows-User-Mapping attribute in the advanced properties of a connection request policy.
Name changes from Windows Server 2003
Internet Authentication Service (IAS) in Windows Server 2003 is named Network Policy Server (NPS) in Windows Server 2008.
IAS remote access policies in Windows Server 2003 are named network policies in NPS in Windows Server 2008.
The Remote Access Permission setting in user account dial-in properties in the Active Directory Users and Computers MMC snap-in is named Network Access Permission in Windows Server 2008 AD DS.
The Control access through Remote Access Policy setting in user account dial-in properties in Active Directory Users and Computers is named Control access through NPS Network Policy in Windows Server 2008 AD DS.