Connection Request Processing

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about connection request processing in Network Policy Server in Windows Server 2016.

Note

In addition to this topic, the following connection request processing documentation is available.

You can use connection request processing to specify where the authentication of connection requests is performed - on the local computer or at a remote RADIUS server that is a member of a remote RADIUS server group.

If you want the local server running Network Policy Server (NPS) to perform authentication for connection requests, you can use the default connection request policy without additional configuration. Based on the default policy, NPS authenticates users and computers that have an account in the local domain and in trusted domains.

If you want to forward connection requests to a remote NPS or other RADIUS server, create a remote RADIUS server group and then configure a connection request policy that forwards requests to that remote RADIUS server group. With this configuration, NPS can forward authentication requests to any RADIUS server, and users with accounts in untrusted domains can be authenticated.

The following illustration shows the path of an Access-Request message from a network access server to a RADIUS proxy, and then on to a RADIUS server in a remote RADIUS server group. On the RADIUS proxy, the network access server is configured as a RADIUS client; and on each RADIUS server, the RADIUS proxy is configured as a RADIUS client.

NPS Connection Request Processing

Note

The network access servers that you use with NPS can be gateway devices that are compliant with the RADIUS protocol, such as 802.1X wireless access points and authenticating switches, servers running Remote Access that are configured as VPN or dial-up servers, or other RADIUS compatible devices.

If you want NPS to process some authentication requests locally while forwarding other requests to a remote RADIUS server group, configure more than one connection request policy.

To configure a connection request policy that specifies which NPS or RADIUS server group processes authentication requests, see Connection Request Policies.

To specify NPS or other RADIUS servers to which authentication requests are forwarded, see Remote RADIUS Server Groups.

NPS as a RADIUS server connection request processing

When you use NPS as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:

  1. Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.

  2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.

  3. The NPS server evaluates the Access-Request message.

  4. If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.

  5. The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.

  6. The connection attempt is authorized with both the dial-in properties of the user account and network policies.

  7. If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server. If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.

  8. The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.

  9. The NPS server sends an Accounting-Response to the access server.

Note

The access server also sends Accounting-Request messages during the time in which the connection is established, when the access client connection is closed, and when the access server is started and stopped.

NPS as a RADIUS proxy connection request processing

When NPS is used as a RADIUS proxy between a RADIUS client and a RADIUS server, RADIUS messages for network access connection attempts are forwarded in the following way:

  1. Access servers, such as dial-up network access servers, virtual private network (VPN) servers, and wireless access points, receive connection requests from access clients.

  2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server that is being used as the NPS RADIUS proxy.

  3. The NPS RADIUS proxy receives the Access-Request message and, based on the locally configured connection request policies, determines where to forward the Access-Request message.

  4. The NPS RADIUS proxy forwards the Access-Request message to the appropriate RADIUS server.

  5. The RADIUS server evaluates the Access-Request message.

  6. If required, the RADIUS server sends an Access-Challenge message to the NPS RADIUS proxy, where it is forwarded to the access server. The access server processes the challenge with the access client and sends an updated Access-Request to the NPS RADIUS proxy, where it is forwarded to the RADIUS server.

  7. The RADIUS server authenticates and authorizes the connection attempt.

  8. If the connection attempt is both authenticated and authorized, the RADIUS server sends an Access-Accept message to the NPS RADIUS proxy, where it is forwarded to the access server. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends an Access-Reject message to the NPS RADIUS proxy, where it is forwarded to the access server.

  9. The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS RADIUS proxy. The NPS RADIUS proxy logs the accounting data and forwards the message to the RADIUS server.

  10. The RADIUS server sends an Accounting-Response to the NPS RADIUS proxy, where it is forwarded to the access server.
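
As an added illustration of the forwarding decision in step 3 (example code written for this page, not Microsoft's code and not how NPS is implemented), the following Python sketch parses a RADIUS packet in the RFC 2865 wire format and applies ordered connection request policies to choose local authentication or a remote RADIUS server group. The policy names, the realm pattern, the group name and the first-match ordering are assumptions made for the example.

```python
import re
import struct

# RADIUS packet codes (RFC 2865/2866) for the messages named in the steps above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME = 1  # attribute type for User-Name

# Hypothetical ordered policies: (name, User-Name regex, target).
# target None = authenticate locally; otherwise a remote RADIUS server group name.
POLICIES = [
    ("Partner realm", r"@partner\.example$", "PartnerRadiusGroup"),
    ("Everything else", r".*", None),
]

def parse_packet(data):
    """Return (code name, identifier, {attr type: value}) or raise ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = data[pos + 2:pos + a_len]
        pos += a_len
    return CODES.get(code, "Unknown"), ident, attrs

def route(data, policies=POLICIES):
    """Model the proxy's decision for one message: first matching policy wins."""
    name, _, attrs = parse_packet(data)
    if name != "Access-Request":
        return ("not-routed", name)  # this sketch only routes Access-Request
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    for policy, pattern, group in policies:
        if re.search(pattern, user, re.IGNORECASE):
            return ("forward", group) if group else ("local", policy)
    return ("unmatched", None)  # no policy matched in this model

def build_request(ident, user):
    """Constructed sample Access-Request with a zeroed authenticator (test data only)."""
    attr = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    return struct.pack("!BBH", 1, ident, 20 + len(attr)) + bytes(16) + attr
```

Because the first matching policy wins in this model, a catch-all pattern placed above a realm-specific one would send every request to local authentication, so the order of the list is part of the configuration to review.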

For more information about NPS, see Network Policy Server (NPS).