Configure Network Policies

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to configure network policies in NPS.

Add a Network Policy

Network Policy Server (NPS) uses network policies and the dial-in properties of user accounts to determine whether a connection request is authorized to connect to the network.

You can use this procedure to configure a new network policy in either the NPS console or the Remote Access console.

Performing authorization

When NPS performs the authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy and then moving down the list of configured policies. If NPS finds a policy whose conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If the dial-in properties of the user account are configured to grant access or to control access through network policy, and the connection request is authorized, NPS applies the settings that are configured in the network policy to the connection.

If NPS does not find a network policy that matches the connection request, the connection request is rejected unless the dial-in properties of the user account are set to grant access.

If the dial-in properties of the user account are set to deny access, the connection request is rejected by NPS.

Key settings

When you use the New Network Policy wizard to create a network policy, the value that you specify in Network connection method is used to automatically configure the Policy Type condition:

  • If you keep the default value of Unspecified, the network policy that you create is evaluated by NPS for all network connection types that use any kind of network access server (NAS).
  • If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify.

On the Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied.

If you want access permission to be determined by user account dial-in properties in Active Directory® Domain Services (AD DS), you can select the Access is determined by User Dial-in properties check box.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network policy

  1. Open the NPS console, and then double-click Policies.

  2. In the console tree, right-click Network Policies, and click New. The New Network Policy wizard opens.

  3. Use the New Network Policy wizard to create a policy.

Create Network Policies for Dial-Up or VPN with a Wizard

You can use this procedure to create the connection request policies and network policies required to deploy either dial-up servers or virtual private network (VPN) servers as Remote Authentication Dial-In User Service (RADIUS) clients to the NPS RADIUS server.

Note

Client computers, such as laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers, because these devices use the RADIUS protocol to communicate with RADIUS servers such as NPS servers.

This procedure explains how to open the New Dial-up or Virtual Private Network Connections wizard in NPS.

After you run the wizard, the following policies are created:

  • One connection request policy
  • One network policy

You can run the New Dial-up or Virtual Private Network Connections wizard every time you need to create new policies for dial-up servers and VPN servers.

Running the New Dial-up or Virtual Private Network Connections wizard is not the only step required to deploy dial-up or VPN servers as RADIUS clients to the NPS server. Both network access methods require that you deploy additional hardware and software components.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To create policies for dial-up or VPN with a wizard

  1. Open the NPS console. If it is not already selected, click NPS (Local). If you want to create policies on a remote NPS server, select the server.

  2. In Getting Started and Standard Configuration, select RADIUS server for Dial-Up or VPN Connections. The text and links under the text change to reflect your selection.

  3. Click Configure VPN or Dial-Up with a wizard. The New Dial-up or Virtual Private Network Connections wizard opens.

  4. Follow the instructions in the wizard to complete creation of your new policies.

Create Network Policies for 802.1X Wired or Wireless with a Wizard

You can use this procedure to create the connection request policy and network policy that are required to deploy either 802.1X authenticating switches or 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients to the NPS RADIUS server.

This procedure explains how to start the New IEEE 802.1X Secure Wired and Wireless Connections wizard in NPS.

After you run the wizard, the following policies are created:

  • One connection request policy
  • One network policy

You can run the New IEEE 802.1X Secure Wired and Wireless Connections wizard every time you need to create new policies for 802.1X access.

Running the New IEEE 802.1X Secure Wired and Wireless Connections wizard is not the only step required to deploy 802.1X authenticating switches and wireless access points as RADIUS clients to the NPS server. Both network access methods require that you deploy additional hardware and software components.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To create policies for 802.1X wired or wireless with a wizard

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.

  2. If it is not already selected, click NPS (Local). If you want to create policies on a remote NPS server, select the server.

  3. In Getting Started and Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections. The text and links under the text change to reflect your selection.

  4. Click Configure 802.1X using a wizard. The New IEEE 802.1X Secure Wired and Wireless Connections wizard opens.

  5. Follow the instructions in the wizard to complete creation of your new policies.

Configure NPS to Ignore User Account Dial-in Properties

Use this procedure to configure an NPS network policy to ignore the dial-in properties of user accounts in Active Directory during the authorization process. User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.

There are two circumstances where you might want to configure NPS to ignore the dial-in properties of user accounts in Active Directory:

  • When you want to simplify NPS authorization by using network policy, but not all of your user accounts have the Network Access Permission property set to Control access through NPS Network Policy. For example, some user accounts might have the Network Access Permission property set to Deny access or Allow access.

  • When other dial-in properties of user accounts are not applicable to the connection type that is configured in the network policy. For example, properties other than the Network Access Permission setting are applicable only to dial-in or VPN connections, but the network policy you are creating is for wireless or authenticating switch connections.

You can use this procedure to configure NPS to ignore user account dial-in properties. If a connection request matches the network policy where this check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization.
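The following Python is an added illustration written for this article, not NPS code. It models the authorization rules from "Performing authorization" (first matching policy in the ordered list, then the account's dial-in property), the Policy Type condition that the wizard derives from Network connection method in "Key settings", and the Ignore user account dial-in properties check box described in this section. The policy names, group names, NAS types and the VLAN setting are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Values of a user account's Network Access Permission (dial-in property) in AD DS
ALLOW_ACCESS = "Allow access"
DENY_ACCESS = "Deny access"
CONTROL_THROUGH_POLICY = "Control access through NPS Network Policy"


@dataclass
class ConnectionRequest:
    user: str
    groups: frozenset                 # AD security groups the user belongs to (constructed)
    nas_type: str                     # kind of network access server the request came from
    dial_in_permission: str = CONTROL_THROUGH_POLICY


@dataclass
class NetworkPolicy:
    name: str
    access_granted: bool              # Access granted / Access denied on the Access Permission page
    connection_method: Optional[str] = None   # None = Unspecified: evaluated for any kind of NAS
    required_group: Optional[str] = None      # Windows Groups condition (hypothetical single group)
    ignore_dial_in_properties: bool = False   # "Ignore user account dial-in properties" check box
    settings: dict = field(default_factory=dict)  # settings applied to an authorized connection

    def matches(self, req):
        """Policy conditions: Policy Type (from the connection method) and group membership."""
        if self.connection_method is not None and self.connection_method != req.nas_type:
            return False
        if self.required_group is not None and self.required_group not in req.groups:
            return False
        return True


@dataclass
class Decision:
    authorized: bool
    policy: Optional[str]
    reason: str
    settings: dict = field(default_factory=dict)


def authorize(req, policies):
    """Walk the ordered policy list and apply the rules in the order this page gives them."""
    policy = next((p for p in policies if p.matches(req)), None)
    perm = req.dial_in_permission

    if policy is None:
        # No policy matched: rejected unless the account's dial-in property grants access
        if perm == ALLOW_ACCESS:
            return Decision(True, None, "no matching policy; account dial-in property grants access")
        return Decision(False, None, "no matching policy")

    if policy.ignore_dial_in_properties or perm == CONTROL_THROUGH_POLICY:
        # Only the policy decides: either the check box is set or the account defers to policy
        if policy.access_granted:
            return Decision(True, policy.name, "policy grants access", dict(policy.settings))
        return Decision(False, policy.name, "policy denies access")

    if perm == DENY_ACCESS:
        return Decision(False, policy.name, "account dial-in property denies access")

    # Allow access on the account: authorized, and the matching policy's settings are applied
    return Decision(True, policy.name, "account dial-in property grants access", dict(policy.settings))


# Constructed sample configuration, in the order the policies would appear in the NPS console
POLICIES = [
    NetworkPolicy("Guest wireless", True, connection_method="Wireless", required_group="Guests",
                  ignore_dial_in_properties=True, settings={"Tunnel-Pvt-Group-ID": "20"}),
    NetworkPolicy("Staff VPN", True, connection_method="VPN", required_group="Staff"),
    NetworkPolicy("Catch-all deny", False),   # Unspecified connection method, no group condition
]


def demo():
    """Return (request label, decision) pairs for the constructed scenarios."""
    requests = [
        ConnectionRequest("guest1", frozenset({"Guests"}), "Wireless"),
        ConnectionRequest("alice", frozenset({"Staff"}), "Wireless"),
        ConnectionRequest("alice", frozenset({"Staff"}), "VPN", DENY_ACCESS),
        ConnectionRequest("bob", frozenset({"Staff"}), "VPN"),
    ]
    return [(r.user + "@" + r.nas_type, authorize(r, POLICIES)) for r in requests]


if __name__ == "__main__":
    for label, d in demo():
        print(label, "->", "authorized" if d.authorized else "rejected", "|", d.policy, "|", d.reason)
```

The staff user on wireless falls through to the catch-all policy because the Staff VPN policy's Policy Type condition does not match, which is why an ordered list with a final deny policy is the usual shape of an NPS configuration; the guest policy shows that with the check box selected an account's Deny access setting is not consulted at all.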

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To configure NPS to ignore user account dial-in properties

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.

  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

  3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.

Configure NPS for VLANs

By using VLAN-aware network access servers and NPS in Windows Server 2016, you can provide groups of users with access only to the network resources that are appropriate for their security permissions. For example, you can provide visitors with wireless access to the Internet without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical locations or on different physical subnets. For example, members of your sales department and their network resources, such as client computers, servers, and printers, might be located in several different buildings at your organization, but you can place all of these resources on one VLAN that uses the same IP address range. The VLAN then functions, from the end-user perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of users. After you have determined how you want to define your groups, you can create security groups in the Active Directory Users and Computers snap-in, and then add members to the groups.

Configure a Network Policy for VLANs

You can use this procedure to configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

This procedure is provided as a guideline; your network configuration might require different settings than those described below.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To configure a network policy for VLANs

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.

  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

  3. In the policy Properties dialog box, click the Settings tab.

  4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.

  5. In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.

  6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:

    • Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).

    • Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.

    • Tunnel-Type. Select Virtual LANs (VLAN).

  7. In Add Standard RADIUS Attribute, click Close.

  8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy. If required, add the attribute as follows:

    • In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.

    • In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

    • In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.

    • In Attribute value, type the value that you obtained from your hardware documentation.

Configure the EAP Payload Size

In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.

When you deploy NPS with network policies that use the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes.

This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS server and a RADIUS client. If this is the case, a router or firewall positioned between the RADIUS client and the NPS server might silently discard some fragments, resulting in authentication failure and the inability of the access client to connect to the network.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To configure the Framed-MTU attribute

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.

  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

  3. In the policy Properties dialog box, click the Settings tab.

  4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.

  5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.

  6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.
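The following Python is an added example, not NPS or Microsoft code. It serves both the VLAN procedure above and this Framed-MTU procedure: it encodes the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID attributes and the Framed-MTU attribute as they travel inside a RADIUS Access-Accept (attribute framing per RFC 2865 and tagged tunnel attributes per RFC 2868), applies the 1344-byte ceiling from this section before emitting Framed-MTU, and then parses the bytes back the way a VLAN-aware NAS would read them. It assumes that the Tunnel-Tag value NPS adds corresponds to the tag byte of the RFC 2868 tunnel attributes; the VLAN number 20 and the tag value 1 are constructed sample values.

```python
import struct

# RADIUS attribute type codes (RFC 2865 for Framed-MTU, RFC 2868 for the tunnel attributes)
FRAMED_MTU = 12
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)" in the NPS attribute dialog
TUNNEL_MEDIUM_802 = 6          # "802 (Includes all 802 media plus Ethernet canonical format)"
MAX_FRAMED_MTU_FOR_EAP = 1344  # upper bound this page gives for EAP payloads


def _tlv(attr_type, payload):
    """Type-Length-Value framing; Length counts the two header bytes as well."""
    if not 1 <= len(payload) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(payload) + 2]) + payload


def tagged_integer(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag byte (0 = untagged, 1..31 = tag) plus three value bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in three bytes")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: tag byte followed by the string (the VLAN number is sent as text)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def framed_mtu_ok_for_eap(mtu):
    """True when a Framed-MTU value is within the RFC 2865 range and the 1344-byte ceiling."""
    return 64 <= mtu <= MAX_FRAMED_MTU_FOR_EAP


def build_policy_attributes(vlan_id, tag=0, framed_mtu=None):
    """Attributes a policy configured as on this page would return in Access-Accept."""
    attrs = (
        tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
        + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    )
    if framed_mtu is not None:
        if not framed_mtu_ok_for_eap(framed_mtu):
            raise ValueError("Framed-MTU above %d invites fragmentation of EAP-TLS" % MAX_FRAMED_MTU_FOR_EAP)
        attrs += _tlv(FRAMED_MTU, struct.pack(">I", framed_mtu))
    return attrs


def parse_attributes(data):
    """Split an attribute blob into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def interpret_as_nas(data):
    """What a VLAN-aware NAS concludes from the attributes it received."""
    info = {}
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE:
            info["tag"] = value[0]
            info["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            info["medium"] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
            text = value if value[0] > 0x1F else value[1:]
            info["vlan"] = text.decode("ascii")
        elif attr_type == FRAMED_MTU:
            info["framed_mtu"] = struct.unpack(">I", value)[0]
    info["is_vlan"] = (info.get("tunnel_type") == TUNNEL_TYPE_VLAN
                       and info.get("medium") == TUNNEL_MEDIUM_802)
    return info


if __name__ == "__main__":
    blob = build_policy_attributes(20, tag=1, framed_mtu=1344)   # constructed sample values
    print(blob.hex())
    print(interpret_as_nas(blob))
```

Two details the console hides are visible here: Tunnel-Pvt-Group-ID is carried as a string, so the integer typed in the dialog reaches the NAS as the characters "20", and the tag byte has to agree across all three tunnel attributes or a NAS that honours tags will not associate them.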

For more information about network policies, see Network Policies.

For examples of pattern-matching syntax to specify network policy attributes, see Use Regular Expressions in NPS.

For more information about NPS, see Network Policy Server (NPS).