NPS Terminology

Updated: October 21, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

The following section provides common RADIUS, NPS, and other terms and their definitions.

Access client. A computer or other device, such as a personal digital assistant (PDA), that initiates a connection attempt to a network by contacting a RADIUS client.

Authentication. The process of verifying the identity of a user or computer. NPS authenticates users and computers by verifying their supplied credentials (a user name and password or a certificate) against the credentials in the user account database.

Authorization. The process of determining whether a user or computer has permission to access the network. NPS authorizes users and computers by using user account dial-in properties in AD DS, with network policies, or by using both user account dial-in properties and network policies.

Certificate. A digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Most certificates in common use are based on the X.509v3 certificate standard. Because certificates are generally used to establish identity and create trusts for the secure exchange of information, certification authorities (CAs) can issue certificates to people, to devices (such as computers), and to services running on computers (such as IPsec).

Certificate store. A location on a computer hard drive that contains, or stores, certificates that are issued to the computer, user, or to services running on the computer. In Windows Vista and Windows Server 2008, the certificate store can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in.

Connection request. A RADIUS Access-Request message that contains RADIUS attributes and other information and is sent by a RADIUS client to either a RADIUS proxy or a RADIUS server. RADIUS clients, or network access servers, create connection requests when users, computers, and other devices contact the RADIUS client in an effort to gain access to their network.

Connection request policy. A set of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running NPS receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. If you configure authentication in a connection request policy, the settings override authentication settings in all network policies.


When you deploy Network Access Protection (NAP) by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the connection request policy even when connection requests are processed locally.

Extensible Authentication Protocol (EAP). An extension of Point-to-Point Protocol (PPP) that allows arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to demand for authentication methods that use security devices, such as smart cards, token cards, and crypto-calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.

Message-Authenticator attribute. An attribute that contains the encrypted shared secret that is configured on both a RADIUS client and on the NPS server to provide protection from spoofed Access-Request messages and RADIUS message tampering. Enabling the use of the Message-Authenticator attribute provides additional security when PAP, CHAP, MS-CHAP, and MS-CHAP v2 are used for authentication. EAP uses the Message-Authenticator attribute by default.

Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.

Network access server (NAS). A computer or other device, such as a wireless access point, dedicated VPN device, or authenticating switch, that serves as a gateway between access clients and a network. When a NAS is compliant with the RADIUS protocol, it is also called a RADIUS client.

Network policy. A set of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy NAP, health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process. Network policy settings are applied to the connection when they are returned in an Access-Accept message to the RADIUS client from the NPS server.

NPS dictionary. A read-only list of vendor-specific attributes that is stored by NPS in dnary.xml.

Protected EAP (PEAP). PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or RADIUS server. PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP.

Remote Authentication Dial-In User Service (RADIUS). An industry standard protocol described in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is used to provide network authentication, authorization, accounting, and auditing services for network administrators that deploy local or remote access to their networks.

RADIUS Access-Accept message. A message created by a RADIUS server that is sent to a RADIUS client. The Access-Accept message tells the RADIUS client that the user or computer can access the network, and can include NPS network policy settings that allow the RADIUS client to start delivery of service to the access client.

RADIUS Access-Challenge message. A message created by a RADIUS server that is sent to a RADIUS client when the RADIUS server requires more information than was provided in the original Access-Request message.

RADIUS Access-Reject message. A message created by a RADIUS server that is sent to a RADIUS client when the RADIUS server is rejecting a connection attempt. Connection requests can result in an Access-Reject if no network policy matches the connection request, if the user’s or computer’s identity cannot be verified, if the user or computer is not authorized to access the network, or for many other reasons.

RADIUS Access-Request message. A message created by a RADIUS client that contains such attributes as the port ID the user is accessing and the results of the authentication process, such as the user name, the challenge string, and the response of the access client. Also called a connection request.

RADIUS accounting. Part of the RADIUS protocol that allows you to log user authentication and accounting requests to a local file or to a SQL Server database. Accounting logs are used for billing, security, and troubleshooting purposes.

RADIUS Accounting-Request message. A message created by a RADIUS client that is sent to a RADIUS server that contains accounting information for service that is provided to an access client or user. If the RADIUS server is configured to do so, the accounting information can be recorded in an accounting log. NPS provides the ability to log accounting information in a local text file or in a SQL Server database.

RADIUS Accounting-Response message. A message that is created by a RADIUS server that is sent to a RADIUS client upon receipt of an Accounting-Request message and successful recording of the accounting data.

RADIUS attributes. Containers that include a Type, a Length, and a Value that hold information that is sent in RADIUS messages between RADIUS clients and RADIUS servers. One RADIUS message can include multiple RADIUS attributes, each of which holds a specific type of information for which the attribute was designed. For example, the Calling-Station-ID attribute can include a value that is the telephone number from which a dial-up networking session was initiated. A dial-in server that is configured as a RADIUS client can send the Calling-Station-ID attribute, along with other attributes and information, in an Access-Request RADIUS message to a RADIUS server. The RADIUS standard attributes are described in Request for Comments (RFC) 2865 and RFC 2866.

RADIUS client. A network access server — such as a dial-up server, VPN server, TS Gateway server, RADIUS proxy, 802.1X-capable switch, or wireless access point — that is compliant with the RADIUS protocol and uses the RADIUS protocol to communicate with RADIUS servers.

RADIUS proxy. A RADIUS client that is compliant with the RADIUS protocol and that can receive and forward RADIUS messages between other RADIUS clients and RADIUS servers. RADIUS proxies can be configured to forward connection requests to multiple sets of remote RADIUS servers, and are used for load balancing and to provide network access for users whose accounts are located in remote or untrusted domains and forests.

RADIUS server. An authenticating server that is compliant with the RADIUS protocol, and that processes connection requests that it receives from RADIUS clients and RADIUS proxies.

Remote RADIUS server group. A collection of one or more RADIUS servers that is configured on a RADIUS proxy. The RADIUS proxy forwards connection requests to members of remote RADIUS server groups for processing.

Shared secret. A password that is configured on both a RADIUS server and its configured RADIUS clients that assists these entities in verifying the identity of the device with which they are communicating. When the Message-Authenticator attribute is used during the authentication process, the shared secret is encrypted and used as proof of identity during communication between the RADIUS client and server.
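The following added example (not part of the original documentation and not NPS code) ties together the Message-Authenticator attribute, RADIUS attributes, and Shared secret entries: it walks the Type-Length-Value attributes of an Access-Request and checks the Message-Authenticator value as RFC 2869 defines it, an HMAC-MD5 over the packet keyed with the shared secret. The function names, the sample packet, and the secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # attribute type defined in RFC 2869
HEADER_LEN = 20              # Code, Identifier, Length, 16-byte Authenticator

def parse_attributes(packet: bytes):
    """Yield (type, value, value_offset) for each Type-Length-Value attribute."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        # Length counts the Type and Length octets, so it is never below 2.
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        yield packet[pos], packet[pos + 2:pos + a_len], pos + 2
        pos += a_len

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and matches."""
    for a_type, value, off in parse_attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            length = struct.unpack("!H", packet[2:4])[0]
            zeroed = bytearray(packet[:length])
            zeroed[off:off + 16] = bytes(16)   # value is zeroed before hashing
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # attribute missing: treat the request as unauthenticated

def build_sample_request(secret: bytes) -> bytes:
    """Constructed Access-Request: User-Name, Calling-Station-Id, Message-Authenticator."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     [(1, b"alice"), (31, b"5550100"), (MESSAGE_AUTHENTICATOR, bytes(16))])
    # Fixed Request Authenticator so the sample is reproducible; real ones are random.
    header = struct.pack("!BBH", 1, 7, HEADER_LEN + len(attrs)) + bytes(range(16))
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

if __name__ == "__main__":
    pkt = build_sample_request(b"constructed-secret")
    print([(t, v) for t, v, _ in parse_attributes(pkt)][:2])
    print(verify_access_request(pkt, b"constructed-secret"))
```

A request that fails this check, or that omits the attribute, cannot be distinguished from one sent by a device that does not know the shared secret.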

User accounts database. The list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information. User accounts databases can also include accounts for computers and other devices.

Vendor specific attribute (VSA). A RADIUS attribute that is created and supported only by specific RADIUS client manufacturers. VSAs allow RADIUS client vendors, such as the manufacturers of wireless access points, 802.1X authenticating switches, and devices that act as virtual private network (VPN) servers, to support their own proprietary RADIUS attributes that are not included in the RFCs. NPS includes VSAs from a number of vendors in its dictionary; however, the NPS dictionary does not include VSAs for all vendors. Some network access server (NAS) manufacturers use VSAs to provide functionality that is not supported in RADIUS standard attributes. NPS enables you to create or edit VSAs to take advantage of proprietary functionality supported by some NAS vendors.