Plan NPS as a RADIUS server

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

When you deploy Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain. You can use these planning guidelines to simplify your RADIUS deployment.

These planning guidelines do not include circumstances in which you want to deploy NPS as a RADIUS proxy. When you deploy NPS as a RADIUS proxy, NPS forwards connection requests to a server running NPS or other RADIUS servers in remote domains, untrusted domains, or both.

Before you deploy NPS as a RADIUS server on your network, use the following guidelines to plan your deployment.

  • Plan NPS configuration.

  • Plan RADIUS clients.

  • Plan the use of authentication methods.

  • Plan network policies.

  • Plan NPS accounting.

Plan NPS configuration

You must decide in which domain the NPS is a member. For multiple-domain environments, an NPS can authenticate credentials for user accounts in the domain of which it is a member and for all domains that trust the local domain of the NPS. To allow the NPS to read the dial-in properties of user accounts during the authorization process, you must add the computer account of the NPS to the RAS and NPSs group for each domain.

After you have determined the domain membership of the NPS, the server must be configured to communicate with RADIUS clients, also called network access servers, by using the RADIUS protocol. In addition, you can configure the types of events that NPS records in the event log and you can enter a description for the server.

Key steps

During the planning for NPS configuration, you can use the following steps.

  • Determine the RADIUS ports that the NPS uses to receive RADIUS messages from RADIUS clients. The default ports are UDP ports 1812 and 1645 for RADIUS authentication messages and ports 1813 and 1646 for RADIUS accounting messages.

  • If the NPS is configured with multiple network adapters, determine the adapters over which you want RADIUS traffic to be allowed.

  • Determine the types of events that you want NPS to record in the Event Log. You can log rejected authentication requests, successful authentication requests, or both types of requests.

  • Determine whether you are deploying more than one NPS. To provide fault tolerance for RADIUS-based authentication and accounting, use at least two NPSs. One NPS is used as the primary RADIUS server and the other is used as a backup. Each RADIUS client is then configured on both NPSs. If the primary NPS becomes unavailable, RADIUS clients then send Access-Request messages to the alternate NPS.

  • Plan the script used to copy one NPS configuration to other NPSs to save on administrative overhead and to prevent the incorrect configuration of a server. NPS provides Netsh commands that allow you to copy all or part of an NPS configuration for import onto another NPS. You can run the commands manually at the Netsh prompt. However, if you save your command sequence as a script, you can run the script at a later date if you decide to change your server configurations.

Plan RADIUS clients

RADIUS clients are network access servers, such as wireless access points, virtual private network (VPN) servers, 802.1X-capable switches, and dial-up servers. RADIUS proxies, which forward connection request messages to RADIUS servers, are also RADIUS clients. NPS supports all network access servers and RADIUS proxies that comply with the RADIUS protocol as described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting."

Important

Access clients, such as client computers, are not RADIUS clients. Only network access servers and proxy servers that support the RADIUS protocol are RADIUS clients.

In addition, both wireless access points and switches must be capable of 802.1X authentication. If you want to deploy Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP), access points and switches must support the use of EAP.

To test basic interoperability for PPP connections for wireless access points, configure the access point and the access client to use Password Authentication Protocol (PAP). Then move on to additional PPP-based authentication protocols, such as PEAP, until you have tested the ones that you intend to use for network access.

Key steps

During the planning for RADIUS clients, you can use the following steps.

  • Document the vendor-specific attributes (VSAs) you must configure in NPS. If your network access servers require VSAs, log the VSA information for later use when you configure your network policies in NPS.

  • Document the IP addresses of RADIUS clients and your NPS to simplify the configuration of all devices. When you deploy your RADIUS clients, you must configure them to use the RADIUS protocol, with the NPS IP address entered as the authenticating server. And when you configure NPS to communicate with your RADIUS clients, you must enter the RADIUS client IP addresses into the NPS snap-in.

  • Create shared secrets for configuration on the RADIUS clients and in the NPS snap-in. You must configure RADIUS clients with a shared secret, or password, that you will also enter into the NPS snap-in while configuring RADIUS clients in NPS.

Plan the use of authentication methods

NPS supports both password-based and certificate-based authentication methods. However, not all network access servers support the same authentication methods. In some cases, you might want to deploy a different authentication method based on the type of network access.

For example, you might want to deploy both wireless and VPN access for your organization, but use a different authentication method for each type of access: EAP-TLS for VPN connections, due to the strong security that EAP with Transport Layer Security (EAP-TLS) provides, and PEAP-MS-CHAP v2 for 802.1X wireless connections.

PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) provides a feature named fast reconnect that is specifically designed for use with portable computers and other wireless devices. Fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point. This provides a better experience for wireless users and allows them to move between access points without having to retype their credentials. Because of fast reconnect and the security that PEAP-MS-CHAP v2 provides, PEAP-MS-CHAP v2 is a logical choice as an authentication method for wireless connections.

For VPN connections, EAP-TLS is a certificate-based authentication method that provides strong security that protects network traffic even as it is transmitted across the Internet from home or mobile computers to your organization VPN servers.

Certificate-based authentication methods

Certificate-based authentication methods have the advantage of providing strong security; they have the disadvantage of being more difficult to deploy than password-based authentication methods.

Both PEAP-MS-CHAP v2 and EAP-TLS are certificate-based authentication methods, but there are many differences between them and the way in which they are deployed.

EAP-TLS

EAP-TLS uses certificates for both client and server authentication, and requires that you deploy a public key infrastructure (PKI) in your organization. Deploying a PKI can be complex, and requires a planning phase that is independent of planning for the use of NPS as a RADIUS server.

With EAP-TLS, the NPS enrolls a server certificate from a certification authority (CA), and the certificate is saved on the local computer in the certificate store. During the authentication process, server authentication occurs when the NPS sends its server certificate to the access client to prove its identity to the access client. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS is successfully authenticated by the client.

Similarly, client authentication occurs during the authentication process when the client sends its client certificate to the NPS to prove its identity to the NPS. The NPS examines the certificate, and if the client certificate meets the minimum client certificate requirements and is issued by a CA that the NPS trusts, the access client is successfully authenticated by the NPS.

Although it is required that the server certificate is stored in the certificate store on the NPS, the client or user certificate can be stored either in the certificate store on the client or on a smart card.

For this authentication process to succeed, all computers must have your organization's CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and the Current User.

PEAP-MS-CHAP v2

PEAP-MS-CHAP v2 uses a certificate for server authentication and password-based credentials for user authentication. Because certificates are used only for server authentication, you are not required to deploy a PKI in order to use PEAP-MS-CHAP v2. When you deploy PEAP-MS-CHAP v2, you can obtain a server certificate for the NPS in one of the following two ways:

  • You can install Active Directory Certificate Services (AD CS), and then autoenroll certificates to NPSs. If you use this method, you must also enroll the CA certificate to client computers connecting to your network so that they trust the certificate issued to the NPS.

  • You can purchase a server certificate from a public CA such as VeriSign. If you use this method, make sure that you select a CA that is already trusted by client computers. To determine whether client computers trust a CA, open the Certificates Microsoft Management Console (MMC) snap-in on a client computer, and then view the Trusted Root Certification Authorities store for the Local Computer and for the Current User. If there is a certificate from the CA in these certificate stores, the client computer trusts the CA and will therefore trust any certificate issued by the CA.

During the authentication process with PEAP-MS-CHAP v2, server authentication occurs when the NPS sends its server certificate to the client computer. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS is successfully authenticated by the client.

User authentication occurs when a user who is attempting to connect to the network types password-based credentials and tries to log on. NPS receives the credentials and performs authentication and authorization. If the user is authenticated and authorized successfully, and if the client computer successfully authenticated the NPS, the connection request is granted.

Key steps

During the planning for the use of authentication methods, you can use the following steps.

  • Identify the types of network access you plan to offer, such as wireless, VPN, 802.1X-capable switch, and dial-up access.

  • Determine the authentication method or methods that you want to use for each type of access. It is recommended that you use the certificate-based authentication methods that provide strong security; however, it might not be practical for you to deploy a PKI, so other authentication methods might provide a better balance of what you need for your network.

  • If you are deploying EAP-TLS, plan your PKI deployment. This includes planning the certificate templates you are going to use for server certificates and client computer certificates. It also includes determining how to enroll certificates to domain member and non-domain member computers, and determining whether you want to use smart cards.

  • If you are deploying PEAP-MS-CHAP v2, determine whether you want to install AD CS to issue server certificates to your NPSs or whether you want to purchase server certificates from a public CA, such as VeriSign.

Plan network policies

Network policies are used by NPS to determine whether connection requests received from RADIUS clients are authorized. NPS also uses the dial-in properties of the user account to make an authorization determination.

Because network policies are processed in the order in which they appear in the NPS snap-in, plan to place your most restrictive policies first in the list of policies. For each connection request, NPS attempts to match the conditions of the policy with the connection request properties. NPS examines each network policy in order until it finds a match. If it does not find a match, the connection request is rejected.

Key steps

During the planning for network policies, you can use the following steps.

  • Determine the preferred NPS processing order of network policies, from most restrictive to least restrictive.

  • Determine the policy state. The policy state can have the value of enabled or disabled. If the policy is enabled, NPS evaluates the policy while performing authorization. If the policy is not enabled, it is not evaluated.

  • Determine the policy type. You must determine whether the policy is designed to grant access when the conditions of the policy are matched by the connection request or whether the policy is designed to deny access when the conditions of the policy are matched by the connection request. For example, if you want to explicitly deny wireless access to the members of a Windows group, you can create a network policy that specifies the group, the wireless connection method, and that has a policy type setting of Deny access.

  • Determine whether you want NPS to ignore the dial-in properties of user accounts that are members of the group on which the policy is based. When this setting is not enabled, the dial-in properties of user accounts override settings that are configured in network policies. For example, if a network policy is configured that grants access to a user but the dial-in properties of the user account for that user are set to deny access, the user is denied access. But if you enable the policy type setting Ignore user account dial-in properties, the same user is granted access to the network.

  • Determine whether the policy uses the policy source setting. This setting allows you to easily specify a source for all access requests. Possible sources are a Terminal Services Gateway (TS Gateway), a remote access server (VPN or dial-up), a DHCP server, a wireless access point, and a Health Registration Authority server. Alternatively, you can specify a vendor-specific source.

  • Determine the conditions that must be matched in order for the network policy to be applied.

  • Determine the settings that are applied if the conditions of the network policy are matched by the connection request.

  • Determine whether you want to use, modify, or delete the default network policies.
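The processing rules described in this section, as an added illustration that is not NPS code: a small Python model of ordered policy evaluation showing why a restrictive Deny policy must precede a broad Grant, how a disabled policy is skipped, and how the account's dial-in property interacts with the Ignore user account dial-in properties setting. Policy names, group names, and request attributes are constructed for the example.

```python
"""Added model of NPS network-policy processing (illustration, not NPS code).

Rules modelled, as the planning text describes them:
  - policies are evaluated in list order; disabled policies are skipped
  - the first policy whose conditions all match decides the request
  - the policy type is Grant access or Deny access
  - a request that matches no policy is rejected
  - a Deny in the account's dial-in properties overrides a Grant unless the
    policy has "Ignore user account dial-in properties" enabled
Policy names, groups and attribute values below are constructed.
"""
from dataclasses import dataclass


@dataclass
class NetworkPolicy:
    name: str
    conditions: dict          # e.g. {"nas_port_type": "Wireless", "group": "Contractors"}
    grant: bool               # True = Grant access, False = Deny access
    enabled: bool = True
    ignore_dial_in: bool = False


@dataclass
class ConnectionRequest:
    user: str
    groups: frozenset
    nas_port_type: str        # "Wireless", "VPN", "Ethernet", ...
    dial_in: str = "ControlByPolicy"   # account dial-in property: Allow / Deny / ControlByPolicy


def matches(policy: NetworkPolicy, req: ConnectionRequest) -> bool:
    """Every condition on the policy must be satisfied by the request."""
    for attr, wanted in policy.conditions.items():
        if attr == "group":
            if wanted not in req.groups:
                return False
        elif getattr(req, attr, None) != wanted:
            return False
    return True


def authorize(policies, req):
    """Return (decision, policy_name); policy_name is None when nothing matched."""
    for policy in policies:
        if not policy.enabled or not matches(policy, req):
            continue
        if not policy.grant:
            return "Deny", policy.name
        if req.dial_in == "Deny" and not policy.ignore_dial_in:
            return "Deny", policy.name      # account property overrides the Grant
        return "Grant", policy.name
    return "Deny", None                     # no match: NPS rejects the request


# Constructed policies: the restrictive Deny has to precede the broad Grant.
DENY_CONTRACTOR_WIFI = NetworkPolicy(
    "Deny contractors on wireless",
    {"nas_port_type": "Wireless", "group": "Contractors"}, grant=False)
ALLOW_USER_WIFI = NetworkPolicy(
    "Allow domain users on wireless",
    {"nas_port_type": "Wireless", "group": "Domain Users"}, grant=True)
ALLOW_USER_WIFI_IGNORE = NetworkPolicy(
    "Allow domain users on wireless (ignore dial-in)",
    {"nas_port_type": "Wireless", "group": "Domain Users"}, grant=True,
    ignore_dial_in=True)

if __name__ == "__main__":
    contractor = ConnectionRequest("bob", frozenset({"Domain Users", "Contractors"}), "Wireless")
    print(authorize([DENY_CONTRACTOR_WIFI, ALLOW_USER_WIFI], contractor))  # ('Deny', ...)
    print(authorize([ALLOW_USER_WIFI, DENY_CONTRACTOR_WIFI], contractor))  # ('Grant', ...): wrong order
```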

Plan NPS accounting

NPS provides the ability to log RADIUS accounting data, such as user authentication and accounting requests, in three formats: IAS format, database-compatible format, and Microsoft SQL Server logging.

IAS format and database-compatible format create log files on the local NPS in text file format.

SQL Server logging provides the ability to log to a SQL Server 2000 or SQL Server 2005 XML-compliant database, extending RADIUS accounting to leverage the advantages of logging to a relational database.

Key steps

During the planning for NPS accounting, you can use the following steps.

  • Determine whether you want to store NPS accounting data in log files or in a SQL Server database.

NPS accounting using local log files

Recording user authentication and accounting requests in log files is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method for tracking the activity of a malicious user after an attack.

Key steps

During the planning for NPS accounting using local log files, you can use the following steps.

  • Determine the text file format that you want to use for your NPS log files.

  • Choose the type of information that you want to log. You can log accounting requests, authentication requests, and periodic status.

  • Determine the hard disk location where you want to store your log files.

  • Design your log file backup solution. The hard disk location where you store your log files should be a location that allows you to easily back up your data. In addition, the hard disk location should be protected by configuring the access control list (ACL) for the folder where the log files are stored.

  • Determine the frequency at which you want new log files to be created. If you want log files to be created based on the file size, determine the maximum file size allowed before a new log file is created by NPS.

  • Determine whether you want NPS to delete older log files if the hard disk runs out of storage space.

  • Determine the application or applications that you want to use to view accounting data and produce reports.

NPS SQL Server logging

NPS SQL Server logging is used when you need session state information, for report creation and data analysis purposes, and to centralize and simplify management of your accounting data.

NPS provides the ability to use SQL Server logging to record user authentication and accounting requests received from one or more network access servers to a data source on a computer running the Microsoft SQL Server Desktop Engine (MSDE 2000), or any version of SQL Server later than SQL Server 2000.

Accounting data is passed from NPS in XML format to a stored procedure in the database, which supports both structured query language (SQL) and XML (SQLXML). Recording user authentication and accounting requests in an XML-compliant SQL Server database enables multiple NPSs to have one data source.

Key steps

During the planning for NPS accounting by using NPS SQL Server logging, you can use the following steps.

  • Determine whether you or another member of your organization has SQL Server 2000 or SQL Server 2005 relational database development experience and understands how to use these products to create, modify, administer, and manage SQL Server databases.

  • Determine whether SQL Server is installed on the NPS or on a remote computer.

  • Design the stored procedure that you will use in your SQL Server database to process incoming XML files that contain NPS accounting data.

  • Design the SQL Server database replication structure and flow.

  • Determine the application or applications that you want to use to view accounting data and produce reports.

  • Plan to use network access servers that send the Class attribute in all Accounting-Requests. The Class attribute is sent to the RADIUS client in an Access-Accept message, and is useful for correlating Accounting-Request messages with authentication sessions. If the Class attribute is sent by the network access server in the Accounting-Request messages, it can be used to match the accounting and authentication records. The combination of the attributes Unique-Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the server accepts.

  • Plan to use network access servers that support interim accounting.

  • Plan to use network access servers that send Accounting-On and Accounting-Off messages.

  • Plan to use network access servers that support the storing and forwarding of accounting data. Network access servers that support this feature can store accounting data when the network access server cannot communicate with the NPS. When the NPS is available, the network access server forwards the stored records to the NPS, providing increased reliability in accounting over network access servers that do not provide this feature.

  • Plan to always configure the Acct-Interim-Interval attribute in network policies. The Acct-Interim-Interval attribute sets the interval (in seconds) between each interim update that the network access server sends. According to RFC 2869, the value of the Acct-Interim-Interval attribute must not be smaller than 60 seconds, or one minute, and should not be smaller than 600 seconds, or 10 minutes. For more information, see RFC 2869, "RADIUS Extensions."

  • Ensure that logging of periodic status is enabled on your NPSs.
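The Class-attribute correlation and the Acct-Interim-Interval bounds from the steps above, as an added illustration that is not NPS code: the records are constructed Python dicts standing in for logged Access-Accept and Accounting-Request messages, the attribute names follow RFC 2865/2866/2869, and the Class values are opaque placeholders (a real NPS generates them). The example shows why an accounting record from a NAS that does not echo Class cannot be tied back to an authentication.

```python
"""Added illustration (not NPS code): tie Accounting-Requests to the
Access-Accept that opened the session via the Class attribute, and classify
an Acct-Interim-Interval value against the RFC 2869 bounds.

All records below are constructed sample data.
"""

# Constructed: two Access-Accepts issued by the NPS, each carrying a Class.
AUTH_RECORDS = [
    {"Packet-Type": "Access-Accept", "User-Name": "CORP\\alice",
     "NAS-IP-Address": "10.0.0.5", "Class": "class-placeholder-0001"},
    {"Packet-Type": "Access-Accept", "User-Name": "CORP\\bob",
     "NAS-IP-Address": "10.0.0.5", "Class": "class-placeholder-0002"},
]

# Constructed: Accounting-Requests from two NASes. The NAS at 10.0.0.9 does
# not echo Class, so its record cannot be matched to an authentication.
ACCT_RECORDS = [
    {"Packet-Type": "Accounting-Request", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "A1", "Class": "class-placeholder-0001"},
    {"Packet-Type": "Accounting-Request", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "A1", "Class": "class-placeholder-0001",
     "Acct-Session-Time": 600},
    {"Packet-Type": "Accounting-Request", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "A1", "Class": "class-placeholder-0001",
     "Acct-Session-Time": 1500},
    {"Packet-Type": "Accounting-Request", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "B7", "NAS-IP-Address": "10.0.0.9"},
]


def correlate(auth_records, acct_records):
    """Group Accounting-Requests under the Access-Accept with the same Class.

    Returns (sessions, unmatched). sessions maps Class -> {"user", "statuses",
    "session_time"}; unmatched lists accounting records that carry no Class,
    or a Class that no logged Access-Accept issued.
    """
    sessions = {}
    for rec in auth_records:
        if rec.get("Packet-Type") == "Access-Accept" and "Class" in rec:
            sessions[rec["Class"]] = {"user": rec["User-Name"],
                                      "statuses": [], "session_time": 0}
    unmatched = []
    for rec in acct_records:
        cls = rec.get("Class")
        if cls not in sessions:
            unmatched.append(rec)
            continue
        sess = sessions[cls]
        sess["statuses"].append(rec["Acct-Status-Type"])
        # Acct-Session-Time is cumulative, so the latest value is the total.
        sess["session_time"] = max(sess["session_time"],
                                   rec.get("Acct-Session-Time", 0))
    return sessions, unmatched


def check_interim_interval(seconds):
    """Classify an Acct-Interim-Interval value against RFC 2869."""
    if seconds < 60:
        return "violates MUST NOT (< 60 s)"
    if seconds < 600:
        return "violates SHOULD NOT (< 600 s)"
    return "ok"


if __name__ == "__main__":
    found, orphans = correlate(AUTH_RECORDS, ACCT_RECORDS)
    for cls, sess in found.items():
        print(cls, sess["user"], sess["statuses"], sess["session_time"])
    print("unmatched accounting records:", len(orphans))
    print(check_interim_interval(300))
```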