Applies To: Windows Server 2008, Windows Server 2008 R2
Every network policy must have at least one configured condition. NPS provides many condition groups that allow you to clearly define the properties that the connection request received by NPS must have in order to match the policy.
The available condition groups are:
Day and time restrictions
Network Access Protection
RADIUS client properties
Groups conditions specify user or computer groups that you configure in Active Directory Domain Services (AD DS) and to which you want the other rules of the network policy to apply when group members attempt to connect to the network.
Following are the Groups conditions you can configure in a network policy:
Specifies that the connecting user or computer must belong to one of the specified groups.
Specifies that the connecting computer must belong to one of the specified groups.
Specifies that the connecting user must belong to one of the specified groups.
Host Credentials Authorization Protocol (HCAP) conditions are used only when you want to integrate your NPS Network Access Protection (NAP) solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You must also deploy an HCAP server running both Internet Information Services (IIS) and NPS.
Following are the HCAP conditions you can configure in a network policy:
Specifies the user's or computer's HCAP location group membership required to match this policy.
HCAP User Groups
Specifies the user's HCAP user group membership required to match this policy.
Day and time restrictions
Following is the day and time restriction condition that you can configure in a network policy:
Day and Time Restrictions
Allows you to specify, at a weekly interval, whether connections are allowed or denied on a specific set of days and times.
For example, you can configure this condition to allow access to your network only between the hours of 8 A.M. and 5 P.M. Monday through Thursday. With this condition value, users whose connection requests match all conditions of the network policy cannot connect to the network on Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but they can connect between Monday and Thursday between 8 A.M. and 5 P.M.
Conversely, you can specify the days and times when connections to the network are denied. If you specify days and times when connections are denied, users are allowed access to your network on the unspecified days and times. For example, if you configure this condition to deny connections all day on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through Saturday at any time.
To configure the Day and Time Restrictions condition, obtain the properties of a network policy, click the Conditions tab, and then click Add. Scroll to and click Day and Time Restrictions, and then click Add. In Time of day constraints, click Permitted, click the grid pattern of days and times, and then use your mouse to select the days and times that you want to specify.
You can designate specific days and times when network access is allowed only if you select Permitted. If you select Denied, network access is always denied.
Network Access Protection
Following are the NAP conditions that you can configure in a network policy:
Used for NAP DHCP and IPsec deployments to allow client health checks in circumstances where NPS does not receive an Access-Request message that contains a value for the User-Name attribute; in these circumstances, client health checks are performed but authentication and authorization are not performed.
RADIUS Access-Request messages typically include the User-Name attribute, which allows NPS to authenticate and authorize a connection request. When a value for the User-Name attribute is absent, NPS provides a default user name.
However, for scenarios such as NAP enforcement with DHCP or IPsec, where a client health check occurs without authentication or authorization (such as when a DHCP client renews an IP address lease) the User-Name attribute is not present and NPS does not provide a default user name.
When NPS receives a request for a client health check that does not include the User Name attribute and the Identity Type condition is configured with a value of Computer health check, the request matches the policy and, if all other conditions and constraints configured in the policy are also matched, the policy settings are applied.
In addition, in network policy constraints, you can enable the Perform machine health check only authentication method setting.
Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.
Restricts the policy to clients that meet the health criteria specified in the health policy. For example, you might have two health policies that you have configured by using the Windows Security Health Validator (WSHV) — one health policy created for circumstances where client computers pass all health checks and one policy created for circumstances where client computers fail all health checks specified in the WSHV. If you select the health policy that designates that all client computers must pass all health checks, the statement of health (SoH) sent to NPS from the NAP agent on the client computer must state that the client passed all health checks required by the Windows SHV in order for the conditions of the network policy to be met.
Restricts the policy to either clients that are capable of participating in NAP or clients that are not capable of participating in NAP. This capability is determined by whether the client sends a SoH to NPS.
Specifies the operating system (operating system version, service pack number, or both), role (client or server), and architecture (x86, x64, or ia64) required for the computer configuration to match the policy. In the Windows interface, in the Operating System Properties dialog box, both Operating System Version and Service Pack (SP) Number have default values of five zeroes, a decimal point, and then five zeroes (00000.00000). This value equals zero (0). To edit these fields, you must place the cursor to the left of the character (0) that you want to replace, and then type the new number. For example, to enter an Operating System Version of 6.1, place the cursor after the fourth zero, and then type 61.
Specifies when the network policy expires; after the expiration date and time that you specify, the network policy is no longer evaluated by NPS. This condition is useful for circumstances where the network policy is designed with the NAP Enforcement setting that allows client computers full network access for a limited time. At the same time that the NAP Enforcement time setting expires, the network policy can also expire. In this circumstance, create a second network policy that enforces NAP after the expiration time of the first policy.
Following are the connection properties that you can configure in a network policy:
Access Client IPv4 Address
Specifies the IPv4 address of the access client that is required to match the conditions of the policy.
Access Client IPv6 Address
Specifies the IPv6 address of the access client that is required to match the conditions of the policy.
Specifies the authentication methods that are required for the connection request to match the network policy.
Allowed EAP Types
Specifies the EAP types that are required in order for the authentication method used by the client computer to match the policy. This condition is useful when connection request policy is configured with authentication. When authentication is configured in a connection request policy, the authentication settings in the network policy are overridden; however the use of the Allowed EAP Types condition causes NPS to verify the authentication method being used; if the specified EAP type is not being used, NPS does not use the network policy for authorization and continues to seek a policy whose conditions match the connection request.
Restricts the policy to clients that specify a certain framing protocol for incoming packets, such as PPP or SLIP.
Restricts the policy to only clients specifying a certain type of service, such as Telnet or Point-to-Point Protocol connections.
Restricts the policy to only clients that create a specific type of tunnel, such as PPTP or L2TP. The Tunnel Type attribute is typically used when you deploy virtual local area networks (VLANs).
RADIUS client properties
Following are the RADIUS client conditions that you can configure in a network policy:
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
Calling Station ID
Specifies the network access server telephone number that was dialed by the dial-up access client.
Client Friendly Name
Specifies the name of the RADIUS client that forwarded the connection request to the NPS server.
Client IPv4 Address
Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server.
Client IPv6 Address
Specifies the Internet Protocol (IP) version 6 address of the RADIUS client that forwarded the connection request to the NPS server.
Specifies the name of the vendor or manufacturer of the RADIUS client that sends connection requests to the NPS server.
MS RAS Vendor
Specifies the vendor identification number of the network access server that is requesting authentication.
Following are the gateway properties that you can configure in a network policy:
Called Station ID
Allows you to specify the phone number of the network access server that sent the connection request to NPS. If you specify a NAS phone number and NPS receives a connection request from a NAS with a different phone number, the conditions of the policy are not met.
Allows you to specify the name of network access server that sent the connection request to NPS. If you specify a NAS name and NPS receives a connection request from a NAS with a different name, the conditions of the policy are not met.
NAS IPv4 Address
Allows you to specify the IPv4 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv4 address and NPS receives a connection request from a NAS with a different IPv4 address, the conditions of the policy are not met.
NAS IPv6 Address
Allows you to specify the IPv6 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv6 address and NPS receives a connection request from a NAS with a different IPv6 address, the conditions of the policy are not met.
NAS Port Type
Allows you to specify the type of media used by the client computer to connect to the network. For example, if you specify Ethernet, the client computer must be accessing the network over the media type of Ethernet. If you specify a media type and the client computer is connecting to the network over a different media type, the conditions of the policy are not met. For example, if the designated media type is Wireless - IEEE 802.11, and the client computer is attempting to connect to the network by using a media type of Virtual (VPN), the conditions of the policy are not met.