Plan NPS as a RADIUS proxy

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

When you deploy Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, NPS receives connection requests from RADIUS clients, such as network access servers or other RADIUS proxies, and then forwards these connection requests to servers running NPS or other RADIUS servers. You can use these planning guidelines to simplify your RADIUS deployment.

These planning guidelines do not include circumstances in which you want to deploy NPS as a RADIUS server. When you deploy NPS as a RADIUS server, NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain.

Before you deploy NPS as a RADIUS proxy on your network, use the following guidelines to plan your deployment.

  • Plan NPS server configuration.

  • Plan RADIUS clients.

  • Plan remote RADIUS server groups.

  • Plan attribute manipulation rules for message forwarding.

  • Plan connection request policies.

  • Plan NPS accounting.

Plan NPS server configuration

When you use NPS as a RADIUS proxy, NPS forwards connection requests to an NPS server or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory Domain Services (AD DS) because it does not need access to the dial-in properties of user accounts. In addition, you do not need to configure network policies on an NPS proxy because the proxy does not perform authorization for connection requests. The NPS proxy can be a domain member or it can be a stand-alone server with no domain membership.

NPS must be configured to communicate with RADIUS clients, also called network access servers, by using the RADIUS protocol. In addition, you can configure the types of events that NPS records in the event log, and you can enter a description for the server.

Key steps

During the planning for NPS proxy configuration, you can use the following steps.

  • Determine the RADIUS ports that the NPS proxy uses to receive RADIUS messages from RADIUS clients and to send RADIUS messages to members of remote RADIUS server groups. The default User Datagram Protocol (UDP) ports are 1812 and 1645 for RADIUS authentication messages and UDP ports 1813 and 1646 for RADIUS accounting messages.

  • If the NPS proxy is configured with multiple network adapters, determine the adapters over which you want RADIUS traffic to be allowed.

  • Determine the types of events that you want NPS to record in the Event Log. You can log rejected connection requests, successful connection requests, or both.

  • Determine whether you are deploying more than one NPS proxy. To provide fault tolerance, use at least two NPS proxies. One NPS proxy is used as the primary RADIUS proxy and the other is used as a backup. Each RADIUS client is then configured on both NPS proxies. If the primary NPS proxy becomes unavailable, RADIUS clients then send Access-Request messages to the alternate NPS proxy.

  • Plan the script used to copy one NPS proxy configuration to other NPS proxies, both to save on administrative overhead and to prevent the incorrect configuration of a server. NPS provides Netsh commands that let you copy all or part of an NPS proxy configuration for import onto another NPS proxy. You can run the commands manually at the Netsh prompt. However, if you save your command sequence as a script, you can run the script again later if you decide to change your proxy configurations.
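The two-proxy setup and the export/import script described in the last two steps, as an added example that is not part of the original article: register the RADIUS clients on the primary NPS proxy, export the proxy configuration with Netsh, and import it on the backup proxy. The host name, client names, addresses and file path are constructed placeholders.

```powershell
# Added example (not from the original article). Run on the primary NPS proxy.
# NPS-PROXY-02, WLC-01/VPN-01, their addresses and the file path are placeholders.
$ErrorActionPreference = 'Stop'
$backupProxy = 'NPS-PROXY-02'
$exportFile  = 'C:\Windows\Temp\nps-proxy.xml'

# Every RADIUS client (NAS) must exist on BOTH proxies: a request reaching the
# backup from an address it does not know is discarded as an unknown client.
$radiusClients = @(
    @{ Name = 'WLC-01'; Address = '10.10.1.10' },
    @{ Name = 'VPN-01'; Address = '10.10.2.10' }
)
foreach ($c in $radiusClients) {
    # Prompt for each shared secret instead of hard-coding it in the script
    $secure = Read-Host -Prompt "Shared secret for $($c.Name)" -AsSecureString
    $secret = [System.Net.NetworkCredential]::new('', $secure).Password
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret
}

# exportPSK=yes writes every shared secret into the XML in clear text, so the
# file is as sensitive as the secrets themselves: keep it off shared storage and
# delete it on both hosts once the import has succeeded.
netsh nps export filename="$exportFile" exportPSK=yes
if ($LASTEXITCODE -ne 0) { throw 'netsh nps export failed' }

$session = New-PSSession -ComputerName $backupProxy
try {
    Copy-Item -Path $exportFile -Destination $exportFile -ToSession $session
    # netsh nps import replaces the whole NPS configuration on the target server
    Invoke-Command -Session $session -ArgumentList $exportFile -ScriptBlock {
        param($file)
        netsh nps import filename="$file"
        if ($LASTEXITCODE -ne 0) { throw 'netsh nps import failed' }
        Remove-Item $file -Force
    }
}
finally {
    Remove-PSSession $session
    Remove-Item $exportFile -Force
}
```

Re-run the script whenever a RADIUS client is added or a secret is rotated, so the backup proxy never drifts from the primary.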

Plan RADIUS clients

RADIUS clients are network access servers, such as wireless access points, virtual private network (VPN) servers, 802.1X-capable switches, and dial-up servers. RADIUS proxies, which forward connection request messages to RADIUS servers, are also RADIUS clients. NPS supports all network access servers and RADIUS proxies that comply with the RADIUS protocol, as described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting."

In addition, both wireless access points and switches must be capable of 802.1X authentication. If you want to deploy Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP), access points and switches must support the use of EAP.

To test basic interoperability for PPP connections for wireless access points, configure the access point and the access client to use Password Authentication Protocol (PAP). Use additional PPP-based authentication protocols, such as PEAP, until you have tested the ones that you intend to use for network access.

Key steps

During the planning for RADIUS clients, you can use the following steps.

  • Document the vendor-specific attributes (VSAs) you must configure in NPS. If your NASs require VSAs, record the VSA information for later use when you configure your network policies in NPS.

  • Document the IP addresses of the RADIUS clients and of your NPS proxy to simplify the configuration of all devices. When you deploy your RADIUS clients, you must configure them to use the RADIUS protocol, with the NPS proxy IP address entered as the authenticating server. When you configure NPS to communicate with your RADIUS clients, you must enter the RADIUS client IP addresses into the NPS snap-in.

  • Create shared secrets for configuration on the RADIUS clients and in the NPS snap-in. You must configure each RADIUS client with a shared secret, or password, that you will also enter into the NPS snap-in while configuring RADIUS clients in NPS.

Plan remote RADIUS server groups

When you configure a remote RADIUS server group on an NPS proxy, you are telling the NPS proxy where to send some or all of the connection request messages that it receives from network access servers, NPS proxies, or other RADIUS proxies.

You can use NPS as a RADIUS proxy to forward connection requests to one or more remote RADIUS server groups, and each group can contain one or more RADIUS servers. When you want the NPS proxy to forward messages to multiple groups, configure one connection request policy per group. The connection request policy contains additional information, such as attribute manipulation rules, that tells the NPS proxy which messages to send to the remote RADIUS server group specified in the policy.

You can configure remote RADIUS server groups by using the Netsh commands for NPS, by configuring groups directly in the NPS snap-in under Remote RADIUS Server Groups, or by running the New Connection Request Policy wizard.

Key steps

During the planning for remote RADIUS server groups, you can use the following steps.

  • Determine the domains that contain the RADIUS servers to which you want the NPS proxy to forward connection requests. These domains contain the user accounts for users that connect to the network through the RADIUS clients you deploy.

  • Determine whether you need to add new RADIUS servers in domains where RADIUS is not already deployed.

  • Document the IP addresses of the RADIUS servers that you want to add to remote RADIUS server groups.

  • Determine how many remote RADIUS server groups you need to create. In some cases, it is best to create one remote RADIUS server group per domain, and then add the RADIUS servers for the domain to the group. However, there might be cases in which you have a large amount of resources in one domain, including a large number of users with user accounts in the domain, a large number of domain controllers, and a large number of RADIUS servers. Or your domain might cover a large geographical area, causing you to have network access servers and RADIUS servers in locations that are distant from each other. In these and possibly other cases, you can create multiple remote RADIUS server groups per domain.

  • Create shared secrets for configuration on the NPS proxy and on the remote RADIUS servers.

Plan attribute manipulation rules for message forwarding

Attribute manipulation rules, which are configured in connection request policies, allow you to identify the Access-Request messages that you want to forward to a specific remote RADIUS server group.

You can configure NPS to forward all connection requests to one remote RADIUS server group without using attribute manipulation rules.

If you have more than one location to which you want to forward connection requests, however, you must create a connection request policy for each location, then configure the policy with the remote RADIUS server group to which you want to forward messages, as well as with the attribute manipulation rules that tell NPS which messages to forward.

You can create rules for the following attributes.

  • Called-Station-ID. The phone number of the network access server (NAS). The value of this attribute is a character string. You can use pattern-matching syntax to specify area codes.

  • Calling-Station-ID. The phone number used by the caller. The value of this attribute is a character string. You can use pattern-matching syntax to specify area codes.

  • User-Name. The user name that is provided by the access client and that is included by the NAS in the RADIUS Access-Request message. The value of this attribute is a character string that typically contains a realm name and a user account name.

To correctly replace or convert realm names in the user name of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy.

Key steps

During the planning for attribute manipulation rules, you can use the following steps.

  • Plan message routing from the NAS through the proxy to the remote RADIUS servers to verify that you have a logical path with which to forward messages to the RADIUS servers.

  • Determine one or more attributes that you want to use for each connection request policy.

  • Document the attribute manipulation rules that you plan to use for each connection request policy, and match the rules to the remote RADIUS server group to which messages are forwarded.

Plan connection request policies

The default connection request policy is configured for NPS when it is used as a RADIUS server. Additional connection request policies can be used to define more specific conditions, to create attribute manipulation rules that tell NPS which messages to forward to remote RADIUS server groups, and to specify advanced attributes. Use the New Connection Request Policy Wizard to create either common or custom connection request policies.

Key steps

During the planning for connection request policies, you can use the following steps.

  • Delete the default connection request policy on each server running NPS that functions solely as a RADIUS proxy.

  • Plan the additional conditions and settings that are required for each policy, combining this information with the remote RADIUS server group and the attribute manipulation rules planned for the policy.

  • Design the plan to distribute common connection request policies to all NPS proxies. Create the policies common to multiple NPS proxies on one NPS server, and then use the Netsh commands for NPS to import the connection request policies and server configuration on all other proxies.
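The policy evaluation that the attribute manipulation and connection request policy sections describe, as an added example that is not part of the original article: a local PowerShell model of ordered connection request policies, each with match conditions, a target remote RADIUS server group, and User-Name manipulation rules. The policy names, group names, realms and sample Access-Requests are constructed; PowerShell's -replace uses the same $n back-reference style as the Find/Replace strings in NPS rules.

```powershell
# Added example (not from the original article). Policies, groups, realms and the
# sample requests are constructed. NPS evaluates connection request policies in
# order and uses the first one whose conditions all match; a request that matches
# no policy is rejected.
$policies = @(
    @{  Name      = 'Forward corp realm'
        Condition = @{ 'User-Name' = '@corp\.example\.com$' }
        Group     = 'RADIUS-CORP'
        # Find/Replace pairs applied top to bottom: user@corp.example.com -> CORP\user
        UserNameRules = @(
            @{ Find = '^(.*)@corp\.example\.com$'; Replace = 'CORP\$1' }
        ) },
    @{  Name      = 'Forward partner realm dialed from area code 425'
        Condition = @{ 'User-Name' = '@partner\.example\.net$'; 'Called-Station-Id' = '^425' }
        Group     = 'RADIUS-PARTNER'
        UserNameRules = @() },
    @{  Name      = 'Forward everything else'
        Condition = @{}
        Group     = 'RADIUS-DEFAULT'
        UserNameRules = @() }
)

function Resolve-ConnectionRequest {
    param([hashtable]$Request)
    foreach ($p in $policies) {
        $matched = $true
        foreach ($attr in $p.Condition.Keys) {
            # A missing attribute never matches a condition
            if (-not ($Request[$attr] -match $p.Condition[$attr])) { $matched = $false; break }
        }
        if (-not $matched) { continue }
        # Rewrite User-Name before forwarding so the remote group sees the local form
        $user = $Request['User-Name']
        foreach ($r in $p.UserNameRules) { $user = $user -replace $r.Find, $r.Replace }
        return [pscustomobject]@{ Policy = $p.Name; Group = $p.Group; ForwardedUserName = $user }
    }
    return $null   # no policy matched: NPS discards the request
}

# Constructed Access-Requests; the third one shows why policy order matters
$requests = @(
    @{ 'User-Name' = 'alice@corp.example.com';  'Called-Station-Id' = '2065550100' },
    @{ 'User-Name' = 'bob@partner.example.net'; 'Called-Station-Id' = '4255550100' },
    @{ 'User-Name' = 'bob@partner.example.net'; 'Called-Station-Id' = '2065550100' }
)
$requests | ForEach-Object { Resolve-ConnectionRequest $_ } | Format-Table -AutoSize
```

Run it locally to check a planned rule set before committing it to the proxies: the first request forwards to RADIUS-CORP as CORP\alice, the second to RADIUS-PARTNER, and the third falls through to RADIUS-DEFAULT because the dialed number does not match.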

Plan NPS accounting

When you configure NPS as a RADIUS proxy, you can configure it to perform RADIUS accounting by using NPS format log files, database-compatible format log files, or NPS SQL Server logging.

You can also forward accounting messages to a remote RADIUS server group that performs accounting by using one of these logging formats.

Key steps

During the planning for NPS accounting, you can use the following steps.

  • Determine whether you want the NPS proxy to perform accounting services or to forward accounting messages to a remote RADIUS server group for accounting.

  • Plan to disable local NPS proxy accounting if you plan to forward accounting messages to other servers.

  • Plan the connection request policy configuration steps if you plan to forward accounting messages to other servers. If you disable local accounting for the NPS proxy, each connection request policy that you configure on that proxy must have accounting message forwarding enabled and configured properly.

  • Determine the logging format that you want to use: IAS format log files, database-compatible format log files, or NPS SQL Server logging.

To configure load balancing for NPS as a RADIUS proxy, see NPS Proxy Server Load Balancing.