Connection Request Policies

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to use NPS connection request policies to configure the NPS server as a RADIUS server, a RADIUS proxy, or both.

Note

In addition to this topic, the following connection request policy documentation is available.

Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can also be configured to designate which RADIUS servers are used for RADIUS accounting.

You can create connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is used as a RADIUS proxy).

With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors such as the following:

  • The time of day and day of the week
  • The realm name in the connection request
  • The type of connection being requested
  • The IP address of the RADIUS client

RADIUS Access-Request messages are processed or forwarded by NPS only if the attributes of the incoming message match at least one of the connection request policies configured on the NPS server. Policies are evaluated in their processing order, and the first policy whose conditions all match is the one applied.

If the policy conditions match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request. If the policy conditions match and the policy requires that the NPS server forward the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing.

If the attributes of an incoming RADIUS Access-Request message do not match any of the connection request policies, an Access-Reject message is sent to the RADIUS client and the user or computer attempting to connect to the network is denied access.

Configuration examples

The following configuration examples demonstrate how you can use connection request policies.

NPS as a RADIUS server

The default connection request policy is the only configured policy. In this example, NPS is configured as a RADIUS server and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains.

NPS as a RADIUS proxy

The default connection request policy is deleted, and two new connection request policies are created to forward requests to two different domains. In this example, NPS is configured as a RADIUS proxy. NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that are configured as members of remote RADIUS server groups.

NPS as both RADIUS server and RADIUS proxy

In addition to the default connection request policy, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. In this example, the proxy policy appears first in the ordered list of policies. If the connection request matches the proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, NPS rejects it.
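The evaluation rules above (ordered list, first match wins, all conditions of a policy must match, no match means Access-Reject) are easy to get wrong when policies are reordered or the default policy is deleted. The following PowerShell is an added example that models that evaluation so the outcome of a given ordering can be checked before it is applied; it is not NPS code, and the policy and request shapes (Name, ProcessingOrder, Enabled, Conditions, Action, RemoteGroup; attribute names as hashtable keys) are this example's own assumptions. The sample policies and requests are constructed.

```powershell
# Added example: a model of how NPS walks the ordered connection request policy list.
# Shapes and sample data are assumptions of this script, not NPS internals.

function Test-CrpConditions {
    param([hashtable]$Request, [hashtable]$Conditions)
    # Every condition must match (logical AND). Values are .NET regular expressions,
    # which is also the pattern-matching syntax NPS accepts for string attributes.
    foreach ($attr in $Conditions.Keys) {
        if (-not $Request.ContainsKey($attr)) { return $false }
        if ($Request[$attr] -notmatch $Conditions[$attr]) { return $false }
    }
    return $true
}

function Resolve-ConnectionRequest {
    param(
        [hashtable]$Request,   # attributes of the incoming Access-Request
        [object[]]$Policies    # connection request policies, any order
    )
    foreach ($p in ($Policies | Sort-Object ProcessingOrder)) {
        if (-not $p.Enabled) { continue }
        if (Test-CrpConditions -Request $Request -Conditions $p.Conditions) {
            # First match wins; later policies are never consulted.
            return [pscustomobject]@{ Policy = $p.Name; Action = $p.Action; Group = $p.RemoteGroup }
        }
    }
    # No policy matched: NPS answers the RADIUS client with Access-Reject.
    return [pscustomobject]@{ Policy = $null; Action = 'Reject'; Group = $null }
}

# Constructed policies: proxy policy first, default policy (all days and times) last.
# An empty Conditions table models the default policy's all-times Day and Time condition.
$policies = @(
    [pscustomobject]@{
        Name = 'Forward partner realm'; ProcessingOrder = 1; Enabled = $true
        Conditions = @{ 'User-Name' = '@partner\.example$'; 'NAS-IP-Address' = '^10\.0\.0\.' }
        Action = 'Forward'; RemoteGroup = 'PartnerRADIUS'
    },
    [pscustomobject]@{
        Name = 'Use Windows authentication for all users'; ProcessingOrder = 999999; Enabled = $true
        Conditions = @{}
        Action = 'Local'; RemoteGroup = $null
    }
)

# Constructed Access-Requests.
$partnerUser = @{ 'User-Name' = 'alice@partner.example'; 'NAS-IP-Address' = '10.0.0.5' }
$localUser   = @{ 'User-Name' = 'CONTOSO\bob';            'NAS-IP-Address' = '10.0.0.5' }
$wrongNas    = @{ 'User-Name' = 'alice@partner.example'; 'NAS-IP-Address' = '192.0.2.9' }

Resolve-ConnectionRequest -Request $partnerUser -Policies $policies   # Forward to PartnerRADIUS
Resolve-ConnectionRequest -Request $localUser   -Policies $policies   # Local (default policy)
Resolve-ConnectionRequest -Request $wrongNas    -Policies $policies   # Local: one condition failed, so the proxy policy does not match

# Same proxy policy with the default policy deleted: anything that does not match it is rejected.
$proxyOnly = $policies | Where-Object Action -eq 'Forward'
Resolve-ConnectionRequest -Request $localUser -Policies $proxyOnly    # Reject
```

The third request shows the AND rule: a partner realm arriving from a NAS outside 10.0.0.0/24 falls through to the default policy and is authenticated locally, which may or may not be what the administrator intended when the proxy policy was written.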

NPS as RADIUS server with remote accounting servers

In this example, the local NPS server is not configured to perform accounting, and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not; the local NPS server performs these functions for the local domain and all trusted domains.

NPS with Remote RADIUS to Windows User Mapping

In this example, NPS acts as both a RADIUS server and a RADIUS proxy for each individual connection request: it forwards the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by adding the Remote RADIUS to Windows User Mapping attribute to the connection request policy. (In addition, a user account must be created locally that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)

Connection request policy conditions

Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message. If a policy has multiple conditions, all of them must match the attributes of the connection request message for NPS to apply the policy.

Following are the available condition attributes that you can configure in connection request policies.

Connection Properties attribute group

The Connection Properties attribute group contains the following attributes.

  • Framed Protocol. Used to designate the type of framing for incoming packets. Examples are Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Frame Relay, and X.25.
  • Service Type. Used to designate the type of service being requested. Examples include framed (for example, PPP connections) and login (for example, Telnet connections). For more information about RADIUS service types, see RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)."
  • Tunnel Type. Used to designate the type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP).

Day and Time Restrictions attribute group

The Day and Time Restrictions attribute group contains the Day and Time Restrictions attribute. With this attribute, you can designate the day of the week and the time of day of the connection attempt. The day and time are relative to the day and time of the NPS server.

Gateway attribute group

The Gateway attribute group contains the following attributes.

  • Called Station ID. Used to designate the phone number of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify area codes.
  • NAS Identifier. Used to designate the name of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify NAS identifiers.
  • NAS IPv4 Address. Used to designate the Internet Protocol version 4 (IPv4) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks. Note that this condition matches the NAS-IP-Address attribute that the NAS itself places in the request, whereas the Client IPv4 Address condition below matches the address of the configured RADIUS client the request arrived from; when the decision is security-relevant, the latter is the value NPS has verified with the shared secret.
  • NAS IPv6 Address. Used to designate the Internet Protocol version 6 (IPv6) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.
  • NAS Port Type. Used to designate the type of media used by the access client. Examples are analog phone lines (known as async), Integrated Services Digital Network (ISDN), tunnels or virtual private networks (VPNs), IEEE 802.11 wireless, and Ethernet switches.

Machine Identity attribute group

The Machine Identity attribute group contains the Machine Identity attribute. By using this attribute, you can specify the method with which clients are identified in the policy.

RADIUS Client Properties attribute group

The RADIUS Client Properties attribute group contains the following attributes.

  • Calling Station ID. Used to designate the phone number used by the caller (the access client). This attribute is a character string. You can use pattern-matching syntax to specify area codes.
  • Client Friendly Name. Used to designate the name of the RADIUS client computer that is requesting authentication. This attribute is a character string. You can use pattern-matching syntax to specify client names.
  • Client IPv4 Address. Used to designate the IPv4 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.
  • Client IPv6 Address. Used to designate the IPv6 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.
  • Client Vendor. Used to designate the vendor of the network access server that is requesting authentication. A computer running the Routing and Remote Access service reports Microsoft as the NAS manufacturer. You can use this attribute to configure separate policies for different NAS manufacturers. This attribute is a character string. You can use pattern-matching syntax.

User Name attribute group

The User Name attribute group contains the User Name attribute. By using this attribute, you can designate the user name, or a portion of the user name, that must match the user name supplied by the access client in the RADIUS message. This attribute is a character string that typically contains a realm name and a user account name. You can use pattern-matching syntax to specify user names.

Connection request policy settings

Connection request policy settings are a set of properties that are applied to an incoming RADIUS message. Settings consist of the following groups of properties.

  • Authentication
  • Accounting
  • Attribute manipulation
  • Forwarding request
  • Advanced

The following sections provide additional detail about these settings.

Authentication

By using this setting, you can override the authentication settings that are configured in all network policies, and you can designate the authentication methods and types that are required to connect to your network.

Important

If you configure an authentication method in a connection request policy that is less secure than the authentication method configured in network policy, the more secure method configured in network policy is overridden. For example, if you have one network policy that requires Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), a password-based authentication method for secure wireless, and you also configure a connection request policy to allow unauthenticated access, the result is that no client is required to authenticate by using PEAP-MS-CHAP v2. In this example, all clients connecting to your network are granted unauthenticated access.

Accounting

By using this setting, you can configure a connection request policy to forward accounting information to an NPS or other RADIUS server in a remote RADIUS server group so that the remote RADIUS server group performs accounting.

Note

If you have multiple RADIUS servers and you want accounting information for all servers stored in one central RADIUS accounting database, you can use the connection request policy accounting setting in a policy on each RADIUS server to forward accounting data from all of the servers to one NPS or other RADIUS server that is designated as an accounting server.

Connection request policy accounting settings function independently of the accounting configuration of the local NPS server. In other words, if you configure the local NPS server to log RADIUS accounting information to a local file or to a Microsoft SQL Server database, it will do so regardless of whether you configure a connection request policy to forward accounting messages to a remote RADIUS server group.

If you want accounting information logged remotely but not locally, you must configure the local NPS server to not perform accounting, while also configuring accounting in a connection request policy to forward accounting data to a remote RADIUS server group.

Attribute manipulation

You can configure a set of find-and-replace rules that manipulate the text strings of one of the following attributes.

  • User Name
  • Called Station ID
  • Calling Station ID

Find-and-replace rule processing occurs for one of the preceding attributes before the RADIUS message is subject to the authentication and accounting settings. Attribute manipulation rules apply only to a single attribute; you cannot configure attribute manipulation rules for each attribute. In addition, the list of attributes that you can manipulate is a static list; you cannot add to the list of attributes available for manipulation.

Note

If you are using the MS-CHAP v2 authentication protocol, you cannot manipulate the User Name attribute if the connection request policy forwards the RADIUS message. The only exception is when the user name contains a backslash (\) and the manipulation affects only the information to the left of it. A backslash typically separates a domain name (the information to the left of the backslash) from a user account name within that domain (the information to the right of the backslash). In this case, only attribute manipulation rules that modify or replace the domain name are allowed, because the MS-CHAP v2 challenge response is computed over the account name, so a rewritten account name could no longer be verified by the remote server.

For examples of how to manipulate the realm name in the User Name attribute, see the section "Examples for manipulation of the realm name in the User Name attribute" in the topic Use Regular Expressions in NPS.
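To make the attribute-manipulation rules and the MS-CHAP v2 restriction above concrete, here is an added PowerShell example, not code from NPS or from this documentation, that applies an ordered list of find-and-replace rules to a User Name value and refuses any rule that would change the part to the right of the backslash when the request uses MS-CHAP v2 and is being forwarded. The rule and request shapes, the protocol names, and the sample user names and rules are this example's own constructed assumptions; the regular-expression syntax is the .NET syntax NPS also uses.

```powershell
# Added example: User Name find-and-replace with the MS-CHAP v2 forwarding guard.
# Rule shape @{ Find = '<regex>'; Replace = '<replacement>' } is an assumption of this script.

function Invoke-UserNameManipulation {
    param(
        [string]$UserName,
        [object[]]$Rules,          # applied in order; each @{ Find; Replace }
        [string]$AuthProtocol,     # constructed labels, e.g. 'MS-CHAP-v2', 'PEAP', 'EAP-TLS'
        [switch]$Forwarded         # the policy forwards to a remote RADIUS server group
    )
    $result = $UserName
    foreach ($rule in $Rules) {
        $candidate = $result -replace $rule.Find, $rule.Replace
        if ($candidate -eq $result) { continue }   # rule did not apply

        if ($AuthProtocol -eq 'MS-CHAP-v2' -and $Forwarded) {
            # Only the domain part (left of the backslash) may change on a forwarded
            # MS-CHAP v2 request; the account name is bound into the challenge response.
            $accountBefore = ($result    -split '\\', 2)[-1]
            $accountAfter  = ($candidate -split '\\', 2)[-1]
            if ($result -notmatch '\\' -or $accountBefore -ne $accountAfter) {
                throw "Rule '$($rule.Find)' would alter the account name of a forwarded MS-CHAP v2 request"
            }
        }
        $result = $candidate
    }
    return $result
}

# Constructed rules.
$realmToDomain = @( @{ Find = '^(.+)@(.+)$'; Replace = '$2\$1' } )          # user@realm -> realm\user
$domainOnly    = @( @{ Find = '^CONTOSO\\'; Replace = 'contoso.example\' } ) # rewrite only the domain

Invoke-UserNameManipulation 'alice@partner.example' $realmToDomain -AuthProtocol 'PEAP' -Forwarded
# partner.example\alice

Invoke-UserNameManipulation 'CONTOSO\bob' $domainOnly -AuthProtocol 'MS-CHAP-v2' -Forwarded
# contoso.example\bob  (allowed: the account name 'bob' is unchanged)

try {
    Invoke-UserNameManipulation 'alice@partner.example' $realmToDomain -AuthProtocol 'MS-CHAP-v2' -Forwarded
} catch {
    Write-Warning $_.Exception.Message   # rejected: no backslash, and the account portion would change
}
```

Keep the replacement string in single quotes so that PowerShell does not expand `$1` and `$2` before the regex engine sees them.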

Forwarding request

You can set the following forwarding request options that are used for RADIUS Access-Request messages:

  • Authenticate requests on this server. By using this setting, NPS uses a Windows NT 4.0 domain, Active Directory, or the local Security Accounts Manager (SAM) user accounts database to authenticate the connection request. This setting also specifies that the matching network policy configured in NPS, along with the dial-in properties of the user account, are used by NPS to authorize the connection request. In this case, the NPS server is configured to act as a RADIUS server.

  • Forward requests to the following remote RADIUS server group. By using this setting, NPS forwards connection requests to the remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the NPS server acts as a RADIUS proxy.

  • Accept users without validating credentials. By using this setting, NPS does not verify the identity of the user attempting to connect to the network, and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an Access-Accept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before user credentials are authenticated.

Note

This authentication option cannot be used when the authentication protocol of the access client is MS-CHAP v2 or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the NPS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, an Access-Accept message is returned, but the authenticating server does not provide validation to the access client, and mutual authentication fails.

For examples of how to use regular expressions to create routing rules that forward RADIUS messages with a specified realm name to a remote RADIUS server group, see the section "Example for RADIUS message forwarding by a proxy server" in the topic Use Regular Expressions in NPS.

Advanced

You can set advanced properties to specify the series of RADIUS attributes that are:

  • Added to the RADIUS response message when the NPS server is being used as a RADIUS authentication or accounting server. When attributes are specified on both a network policy and the connection request policy, the attributes sent in the RADIUS response message are the combination of the two sets of attributes.
  • Added to the RADIUS message when the NPS server is being used as a RADIUS authentication or accounting proxy. If the attribute already exists in the message that is forwarded, it is replaced with the value of the attribute specified in the connection request policy.

In addition, some attributes that are available for configuration on the connection request policy Settings tab in the Advanced category provide specialized functionality. For example, you can configure the Remote RADIUS to Windows User Mapping attribute when you want to split the authentication and authorization of a connection request between two user accounts databases.

The Remote RADIUS to Windows User Mapping attribute specifies that Windows authorization occurs for users who are authenticated by a remote RADIUS server. In other words, a remote RADIUS server performs authentication against a user account in a remote user accounts database, but the local NPS server authorizes the connection request against a user account in a local user accounts database. This is useful when you want to allow visitors access to your network.

For example, visitors from partner organizations can be authenticated by their own partner organization RADIUS server, and then use a Windows user account at your organization to access a guest local area network (LAN) on your network.

Other attributes that provide specialized functionality are:

  • MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout. These attributes are used when you deploy Network Access Quarantine Control (NAQC) with your Routing and Remote Access VPN deployment.
  • Passport-User-Mapping-UPN-Suffix. This attribute allows you to authenticate connection requests with Windows Live™ ID user account credentials.
  • Tunnel-Tag. This attribute designates the VLAN ID number to which the connection should be assigned by the NAS when you deploy virtual local area networks (VLANs).

Default connection request policy

A default connection request policy is created when you install NPS. This policy has the following configuration.

  • Authentication is not configured.
  • Accounting is not configured to forward accounting information to a remote RADIUS server group.
  • No attribute manipulation rules are configured.
  • Forwarding Request is configured so that connection requests are authenticated and authorized on the local NPS server.
  • Advanced attributes are not configured.

The default connection request policy uses NPS as a RADIUS server. To configure a server running NPS to act as a RADIUS proxy, you must also configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy by using the New Connection Request Policy Wizard. You can either delete the default connection request policy or verify that the default connection request policy is the last policy processed by NPS by placing it last in the ordered list of policies.
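Two of the pitfalls described on this page, an "Accept users without validating credentials" policy that grants unauthenticated access and a catch-all default policy that is not last (which makes every policy after it unreachable), can be checked mechanically. The following PowerShell is an added example, not part of the NPS documentation or product, that audits a list of connection request policies for those conditions. The policy shape (Name, ProcessingOrder, Enabled, Conditions, Action) is this example's own assumption; in practice you would populate it from the output of `netsh nps show crp` or from the XML written by `Export-NpsConfiguration`, and that parsing is not shown here. The sample policies are constructed.

```powershell
# Added example: audit the ordered connection request policy list.
# Policy shape and sample data are assumptions of this script, not NPS internals.
# Action values used here: 'Local', 'Forward', 'Unauthenticated'.

function Test-CrpList {
    param([object[]]$Policies)
    $findings = @()
    $ordered = $Policies | Where-Object Enabled | Sort-Object ProcessingOrder
    $catchAllName = $null

    foreach ($p in $ordered) {
        if ($p.Action -eq 'Unauthenticated') {
            $findings += "HIGH: '$($p.Name)' accepts users without validating credentials; every request it matches is granted access and any network policy authentication requirement is bypassed"
        }
        if ($catchAllName) {
            $findings += "WARN: '$($p.Name)' is unreachable because '$catchAllName' earlier in the order matches every request"
        }
        # A policy with no condition other than all-days/all-times Day and Time
        # Restrictions (modelled as an empty Conditions table) matches everything.
        if (-not $catchAllName -and $p.Conditions.Count -eq 0) { $catchAllName = $p.Name }
    }
    if (-not $catchAllName) {
        $findings += "INFO: no catch-all policy; requests matching no policy receive Access-Reject (expected on a proxy-only server)"
    }
    return $findings
}

# Constructed misconfiguration: default policy left first, proxy policy after it,
# plus a leftover policy that skips credential validation.
$policies = @(
    [pscustomobject]@{ Name = 'Use Windows authentication for all users'; ProcessingOrder = 1
                       Enabled = $true; Conditions = @{}; Action = 'Local' },
    [pscustomobject]@{ Name = 'Forward partner realm'; ProcessingOrder = 2
                       Enabled = $true; Conditions = @{ 'User-Name' = '@partner\.example$' }; Action = 'Forward' },
    [pscustomobject]@{ Name = 'Lab compulsory tunnel'; ProcessingOrder = 3
                       Enabled = $true; Conditions = @{ 'NAS-IP-Address' = '^10\.9\.' }; Action = 'Unauthenticated' }
)

Test-CrpList -Policies $policies
# WARN: 'Forward partner realm' is unreachable ...
# HIGH: 'Lab compulsory tunnel' accepts users without validating credentials ...
# WARN: 'Lab compulsory tunnel' is unreachable ...

# Corrected order: move the default policy to the end (NPS installs it at 999999).
$policies[0].ProcessingOrder = 999999
Test-CrpList -Policies $policies
# HIGH: 'Lab compulsory tunnel' ... (still reported until that policy is removed)
```

The unreachable-policy warning is the practical symptom of the ordering rule in the paragraph above: a proxy policy placed after the default policy never forwards anything, and those requests are silently authenticated locally instead.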

Note

If NPS and the Remote Access service are installed on the same computer, and the Remote Access service is configured for Windows authentication and accounting, it is possible for Remote Access authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Remote Access authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group.