Plan NPS as a RADIUS server

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

When you deploy Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain. You can use these planning guidelines to simplify your RADIUS deployment.

These planning guidelines do not cover circumstances in which you want to deploy NPS as a RADIUS proxy. When you deploy NPS as a RADIUS proxy, NPS forwards connection requests to a server running NPS or to other RADIUS servers in remote domains, untrusted domains, or both.

Before you deploy NPS as a RADIUS server on your network, use the following guidelines to plan your deployment.

  • Plan NPS server configuration.

  • Plan RADIUS clients.

  • Plan the use of authentication methods.

  • Plan network policies.

  • Plan NPS accounting.

Plan NPS server configuration

You must decide in which domain the NPS server is a member. For multiple-domain environments, an NPS server can authenticate credentials for user accounts in the domain of which it is a member and for all domains that trust the local domain of the NPS server. To allow the NPS server to read the dial-in properties of user accounts during the authorization process, you must add the computer account of the NPS server to the RAS and NPS Servers group in each domain.

After you have determined the domain membership of the NPS server, the server must be configured to communicate with RADIUS clients, also called network access servers, by using the RADIUS protocol. In addition, you can configure the types of events that NPS records in the event log, and you can enter a description for the server.

Key steps

During the planning for NPS server configuration, you can use the following steps.

  • Determine the RADIUS ports that the NPS server uses to receive RADIUS messages from RADIUS clients. The default ports are UDP ports 1812 and 1645 for RADIUS authentication messages and UDP ports 1813 and 1646 for RADIUS accounting messages.

  • If the NPS server is configured with multiple network adapters, determine the adapters over which you want RADIUS traffic to be allowed.

  • Determine the types of events that you want NPS to record in the Event Log. You can log rejected authentication requests, successful authentication requests, or both types of requests.

  • Determine whether you are deploying more than one NPS server. To provide fault tolerance for RADIUS-based authentication and accounting, use at least two NPS servers. One NPS server is used as the primary RADIUS server and the other is used as a backup. Each RADIUS client is then configured on both NPS servers. If the primary NPS server becomes unavailable, RADIUS clients send Access-Request messages to the alternate NPS server.

  • Plan the script used to copy one NPS server configuration to other NPS servers, to save on administrative overhead and to prevent the incorrect configuration of a server. NPS provides Netsh commands that allow you to copy all or part of an NPS server configuration for import onto another NPS server. You can run the commands manually at the Netsh prompt. However, if you save your command sequence as a script, you can run the script at a later date if you decide to change your server configurations.
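The configuration copy described in the last step, as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It uses the NPS module's Export-NpsConfiguration and Import-NpsConfiguration cmdlets (the PowerShell counterparts of the Netsh export and import commands mentioned above) and assumes PowerShell remoting is enabled to both servers; the hostnames and file paths are placeholders.

```powershell
# Added example (not from the page): copy the configuration of a primary NPS server to
# a backup NPS server so both hold the same RADIUS clients and policies.
# Assumptions: the NPS PowerShell module is present on both servers, PowerShell remoting
# is enabled, and the hostnames and paths below are placeholders for your environment.
# Netsh equivalents: "netsh nps export filename=<path> exportPSK=YES" and
# "netsh nps import filename=<path>".

$primary    = 'nps-primary.corp.example'   # placeholder
$backup     = 'nps-backup.corp.example'    # placeholder
$remotePath = 'C:\Windows\Temp\nps-export.xml'
$localCopy  = Join-Path $env:TEMP ('nps-{0}.xml' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

$src = New-PSSession -ComputerName $primary
$dst = New-PSSession -ComputerName $backup
try {
    # 1. Export on the primary. The XML contains every RADIUS client shared secret in
    #    clear text, so it must be handled and deleted like a credential file.
    Invoke-Command -Session $src -ScriptBlock {
        param($p) Export-NpsConfiguration -Path $p
    } -ArgumentList $remotePath

    # 2. Pull the file to this admin host, then push it to the backup server.
    Copy-Item -FromSession $src -Path $remotePath -Destination $localCopy
    Copy-Item -ToSession   $dst -Path $localCopy  -Destination $remotePath

    # 3. Import on the backup. The import overwrites the configuration already on the
    #    target, so run it only against the server that is meant to be the copy.
    Invoke-Command -Session $dst -ScriptBlock {
        param($p) Import-NpsConfiguration -Path $p
    } -ArgumentList $remotePath

    # 4. Verify that both servers now list the same RADIUS clients.
    $a = Invoke-Command -Session $src -ScriptBlock { Get-NpsRadiusClient | Select-Object Name, Address | Sort-Object Name }
    $b = Invoke-Command -Session $dst -ScriptBlock { Get-NpsRadiusClient | Select-Object Name, Address | Sort-Object Name }
    $diff = Compare-Object $a $b -Property Name, Address
    if ($diff) { Write-Warning 'RADIUS client lists differ after import:'; $diff | Format-Table }
    else       { Write-Host ('{0} RADIUS clients replicated to {1}' -f @($a).Count, $backup) }
}
finally {
    # 5. Remove every copy of the export: on both servers and on this host.
    foreach ($s in $src, $dst) {
        Invoke-Command -Session $s -ScriptBlock {
            param($p) Remove-Item -Path $p -Force -ErrorAction SilentlyContinue
        } -ArgumentList $remotePath
    }
    Remove-Item -Path $localCopy -Force -ErrorAction SilentlyContinue
    Remove-PSSession $src, $dst
}
```

Because the export file carries the shared secrets of every RADIUS client, the script deletes all copies in a finally block so that a failed import does not leave the file behind on a temp directory.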

Plan RADIUS clients

RADIUS clients are network access servers, such as wireless access points, virtual private network (VPN) servers, 802.1X-capable switches, and dial-up servers. RADIUS proxies, which forward connection request messages to RADIUS servers, are also RADIUS clients. NPS supports all network access servers and RADIUS proxies that comply with the RADIUS protocol as described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting."

Important

Access clients, such as client computers, are not RADIUS clients. Only network access servers and proxy servers that support the RADIUS protocol are RADIUS clients.

In addition, both wireless access points and switches must be capable of 802.1X authentication. If you want to deploy Extensible Authentication Protocol (EAP) or Protected Extensible Authentication Protocol (PEAP), access points and switches must support the use of EAP.

To test basic interoperability for PPP connections for wireless access points, configure the access point and the access client to use Password Authentication Protocol (PAP). Use additional PPP-based authentication protocols, such as PEAP, until you have tested the ones that you intend to use for network access.

Key steps

During the planning for RADIUS clients, you can use the following steps.

  • Document the vendor-specific attributes (VSAs) you must configure in NPS. If your network access servers require VSAs, record the VSA information for later use when you configure your network policies in NPS.

  • Document the IP addresses of RADIUS clients and of your NPS server to simplify the configuration of all devices. When you deploy your RADIUS clients, you must configure them to use the RADIUS protocol, with the NPS server IP address entered as the authenticating server. And when you configure NPS to communicate with your RADIUS clients, you must enter the RADIUS client IP addresses into the NPS snap-in.

  • Create shared secrets for configuration on the RADIUS clients and in the NPS snap-in. You must configure RADIUS clients with a shared secret, or password, that you will also enter into the NPS snap-in while configuring RADIUS clients in NPS.
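The last two steps (documenting client addresses and creating shared secrets), as an added PowerShell example that is not part of the original page. It registers each planned network access server in NPS with the NPS module's New-NpsRadiusClient cmdlet, generating a separate random shared secret per client, and writes an inventory without the secrets; the client names and addresses are constructed placeholders.

```powershell
# Added example (not from the page): register RADIUS clients in NPS with a distinct,
# randomly generated shared secret per network access server, and produce an inventory
# of names and addresses for the NAS-side configuration. Assumptions: run on the NPS
# server with the NPS module available; client names and addresses are placeholders.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-character alphabet: a byte modulo 64 is uniform, so there is no sampling bias.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Planned RADIUS clients (constructed placeholders).
$planned = @(
    @{ Name = 'wlan-ap-01'; Address = '10.0.10.11' }
    @{ Name = 'vpn-gw-01';  Address = '10.0.20.5'  }
    @{ Name = 'sw-core-01'; Address = '10.0.30.2'  }
)

$inventory = foreach ($c in $planned) {
    $secret = New-RadiusSharedSecret
    # One secret per client limits the damage if a single NAS is compromised.
    # -AuthAttributeRequired makes NPS insist on the Message-Authenticator attribute,
    # so requests without a valid one are dropped; enable it where the NAS supports it.
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -AuthAttributeRequired $true | Out-Null
    [pscustomobject]@{
        Name      = $c.Name
        Address   = $c.Address
        NpsServer = $env:COMPUTERNAME
        Secret    = $secret
    }
}

# Inventory file for documentation: names and addresses only, never the secrets.
$inventory | Select-Object Name, Address, NpsServer |
    Export-Csv -Path (Join-Path $env:USERPROFILE 'radius-clients.csv') -NoTypeInformation

# Show each secret once so it can be entered on the NAS out of band, then discard it.
$inventory | Format-Table Name, Address, Secret -AutoSize
Remove-Variable inventory -ErrorAction SilentlyContinue

# Confirm what NPS now has.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
```

The secrets are deliberately kept out of the CSV: the inventory is what you hand around during deployment, while each secret is entered once on its own network access server.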

Plan the use of authentication methods

NPS supports both password-based and certificate-based authentication methods. However, not all network access servers support the same authentication methods. In some cases, you might want to deploy a different authentication method based on the type of network access.

For example, you might want to deploy both wireless and VPN access for your organization but use a different authentication method for each type of access: EAP-TLS for VPN connections, because of the strong security that EAP with Transport Layer Security (EAP-TLS) provides, and PEAP-MS-CHAP v2 for 802.1X wireless connections.

PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) provides a feature named fast reconnect that is specifically designed for use with portable computers and other wireless devices. Fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point. This provides a better experience for wireless users and allows them to move between access points without having to retype their credentials. Because of fast reconnect and the security that PEAP-MS-CHAP v2 provides, PEAP-MS-CHAP v2 is a logical choice as an authentication method for wireless connections.

For VPN connections, EAP-TLS is a certificate-based authentication method that provides strong security, protecting network traffic even as it is transmitted across the Internet from home or mobile computers to your organization's VPN servers.

Certificate-based authentication methods

Certificate-based authentication methods have the advantage of providing strong security, and the disadvantage of being more difficult to deploy than password-based authentication methods.

Both PEAP-MS-CHAP v2 and EAP-TLS are certificate-based authentication methods, but there are many differences between them and between the ways in which they are deployed.

EAP-TLS

EAP-TLS uses certificates for both client and server authentication, and requires that you deploy a public key infrastructure (PKI) in your organization. Deploying a PKI can be complex, and requires a planning phase that is independent of planning for the use of NPS as a RADIUS server.

With EAP-TLS, the NPS server enrolls a server certificate from a certification authority (CA), and the certificate is saved on the local computer in the certificate store. During the authentication process, server authentication occurs when the NPS server sends its server certificate to the access client to prove its identity to the access client. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS server is successfully authenticated by the client.

Similarly, client authentication occurs during the authentication process when the client sends its client certificate to the NPS server to prove its identity to the NPS server. The NPS server examines the certificate, and if the client certificate meets the minimum client certificate requirements and is issued by a CA that the NPS server trusts, the access client is successfully authenticated by the NPS server.

Although the server certificate must be stored in the certificate store on the NPS server, the client or user certificate can be stored either in the certificate store on the client or on a smart card.

For this authentication process to succeed, all computers must have your organization's CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User.

PEAP-MS-CHAP v2

PEAP-MS-CHAP v2 uses a certificate for server authentication and password-based credentials for user authentication. Because certificates are used only for server authentication, you are not required to deploy a PKI in order to use PEAP-MS-CHAP v2. When you deploy PEAP-MS-CHAP v2, you can obtain a server certificate for the NPS server in one of the following two ways:

  • You can install Active Directory Certificate Services (AD CS), and then autoenroll certificates to NPS servers. If you use this method, you must also enroll the CA certificate to client computers connecting to your network so that they trust the certificate issued to the NPS server.

  • You can purchase a server certificate from a public CA such as VeriSign. If you use this method, make sure that you select a CA that is already trusted by client computers. To determine whether client computers trust a CA, open the Certificates Microsoft Management Console (MMC) snap-in on a client computer, and then view the Trusted Root Certification Authorities store for the Local Computer and for the Current User. If there is a certificate from the CA in these certificate stores, the client computer trusts the CA and will therefore trust any certificate issued by the CA.

During the authentication process with PEAP-MS-CHAP v2, server authentication occurs when the NPS server sends its server certificate to the client computer. The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS server is successfully authenticated by the client.

User authentication occurs when a user attempting to connect to the network types password-based credentials and tries to log on. NPS receives the credentials and performs authentication and authorization. If the user is authenticated and authorized successfully, and if the client computer successfully authenticated the NPS server, the connection request is granted.

Key steps

During the planning for the use of authentication methods, you can use the following steps.

  • Identify the types of network access you plan to offer, such as wireless, VPN, 802.1X-capable switch, and dial-up access.

  • Determine the authentication method or methods that you want to use for each type of access. It is recommended that you use the certificate-based authentication methods that provide strong security; however, it might not be practical for you to deploy a PKI, so other authentication methods might provide a better balance of what you need for your network.

  • If you are deploying EAP-TLS, plan your PKI deployment. This includes planning the certificate templates you are going to use for server certificates and client computer certificates. It also includes determining how to enroll certificates to domain member and non-domain member computers, and determining whether you want to use smart cards.

  • If you are deploying PEAP-MS-CHAP v2, determine whether you want to install AD CS to issue server certificates to your NPS servers, or whether you want to purchase server certificates from a public CA, such as VeriSign.

Plan network policies

Network policies are used by NPS to determine whether connection requests received from RADIUS clients are authorized. NPS also uses the dial-in properties of the user account to make an authorization determination.

Because network policies are processed in the order in which they appear in the NPS snap-in, plan to place your most restrictive policies first in the list of policies. For each connection request, NPS attempts to match the conditions of the policy with the connection request properties. NPS examines each network policy in order until it finds a match. If it does not find a match, the connection request is rejected.

Key steps

During the planning for network policies, you can use the following steps.

  • Determine the preferred NPS processing order of network policies, from most restrictive to least restrictive.

  • Determine the policy state. The policy state can have the value of enabled or disabled. If the policy is enabled, NPS evaluates the policy while performing authorization. If the policy is not enabled, it is not evaluated.

  • Determine the policy type. You must determine whether the policy is designed to grant access when the conditions of the policy are matched by the connection request, or whether the policy is designed to deny access when the conditions of the policy are matched by the connection request. For example, if you want to explicitly deny wireless access to the members of a Windows group, you can create a network policy that specifies the group and the wireless connection method, and that has a policy type setting of Deny access.

  • Determine whether you want NPS to ignore the dial-in properties of user accounts that are members of the group on which the policy is based. When this setting is not enabled, the dial-in properties of user accounts override settings that are configured in network policies. For example, if a network policy is configured that grants access to a user but the dial-in properties of the user account for that user are set to deny access, the user is denied access. But if you enable the policy type setting Ignore user account dial-in properties, the same user is granted access to the network.

  • Determine whether the policy uses the policy source setting. This setting allows you to easily specify a source for all access requests. Possible sources are a Terminal Services Gateway (TS Gateway), a remote access server (VPN or dial-up), a DHCP server, a wireless access point, and a Health Registration Authority server. Alternatively, you can specify a vendor-specific source.

  • Determine the conditions that must be matched in order for the network policy to be applied.

  • Determine the settings that are applied if the conditions of the network policy are matched by the connection request.

  • Determine whether you want to use, modify, or delete the default network policies.
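A small model of the first-match processing described above, as an added PowerShell example that is not NPS code and not part of the original page. It evaluates an ordered list of policies against a connection request the way the text describes (disabled policies skipped, first full match decides, no match means reject) and runs the same deny and grant policies in both orders to show why the most restrictive policy must come first. The group names, NAS port type strings and policy names are constructed placeholders.

```powershell
# Added example (not from the page): model of NPS first-match policy processing.
# Each policy has a set of conditions; the first enabled policy whose conditions all
# match the request decides it, and a request that matches no policy is rejected.
# Policies, groups and NAS port type strings below are constructed placeholders.

function Test-PolicyOrder {
    param(
        [Parameter(Mandatory)] [hashtable]$Request,
        [Parameter(Mandatory)] [object[]]$Policies
    )
    foreach ($p in $Policies) {
        if (-not $p.Enabled) { continue }          # a disabled policy is never evaluated
        $matched = $true
        foreach ($k in $p.Conditions.Keys) {
            $want = $p.Conditions[$k]              # values the policy accepts for this condition
            $have = $Request[$k]                   # value(s) present in the request
            # A group condition matches if the user is in any listed group; other
            # conditions match if the request value is one of the accepted values.
            $ok = if ($have -is [array]) {
                @($have | Where-Object { $want -contains $_ }).Count -gt 0
            } else {
                $want -contains $have
            }
            if (-not $ok) { $matched = $false; break }
        }
        if ($matched) {
            return [pscustomobject]@{ Policy = $p.Name; Decision = $p.Access }
        }
    }
    # No policy matched: NPS rejects the connection request.
    return [pscustomobject]@{ Policy = '(none)'; Decision = 'Deny' }
}

$policies = @(
    [pscustomobject]@{
        Name = 'Deny contractors on wireless'; Enabled = $true; Access = 'Deny'
        Conditions = @{ Groups = @('CORP\Contractors'); NasPortType = @('Wireless - IEEE 802.11') }
    }
    [pscustomobject]@{
        Name = 'Allow domain users on wireless'; Enabled = $true; Access = 'Grant'
        Conditions = @{ Groups = @('CORP\Domain Users'); NasPortType = @('Wireless - IEEE 802.11') }
    }
)

# A contractor who, like every user, is also a member of Domain Users.
$request = @{ User = 'jdoe'; Groups = @('CORP\Domain Users', 'CORP\Contractors'); NasPortType = 'Wireless - IEEE 802.11' }

# Most restrictive first: the deny policy matches and the request is rejected.
Test-PolicyOrder -Request $request -Policies $policies

# Same two policies, least restrictive first: the grant matches and the deny never runs.
Test-PolicyOrder -Request $request -Policies ($policies[1], $policies[0])

# A request that matches no policy at all is rejected.
Test-PolicyOrder -Request @{ User = 'svc'; Groups = @('CORP\Service Accounts'); NasPortType = 'Virtual (VPN)' } -Policies $policies
```

The second call is the failure mode the planning step guards against: a deny policy that sits below a broader grant policy is unreachable for every request the grant already matches, so the explicit deny gives no protection at all.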

Plan NPS accounting

NPS provides the ability to log RADIUS accounting data, such as user authentication and accounting requests, in three formats: IAS format, database-compatible format, and Microsoft SQL Server logging.

IAS format and database-compatible format create log files on the local NPS server in text file format.

SQL Server logging provides the ability to log to a SQL Server 2000 or SQL Server 2005 XML-compliant database, extending RADIUS accounting to take advantage of logging to a relational database.

Key steps

During the planning for NPS accounting, you can use the following steps.

  • Determine whether you want to store NPS accounting data in log files or in a SQL Server database.

NPS accounting using local log files

Recording user authentication and accounting requests in log files is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method for tracking the activity of a malicious user after an attack.

Key steps

During the planning for NPS accounting using local log files, you can use the following steps.

  • Determine the text file format that you want to use for your NPS log files.

  • Choose the type of information that you want to log. You can log accounting requests, authentication requests, and periodic status.

  • Determine the hard disk location where you want to store your log files.

  • Design your log file backup solution. The hard disk location where you store your log files should be a location that allows you to easily back up your data. In addition, the hard disk location should be protected by configuring the access control list (ACL) for the folder where the log files are stored.

  • Determine the frequency at which you want new log files to be created. If you want log files to be created based on file size, determine the maximum file size allowed before a new log file is created by NPS.

  • Determine whether you want NPS to delete older log files if the hard disk runs out of storage space.

  • Determine the application or applications that you want to use to view accounting data and produce reports.
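The ACL step above, as an added PowerShell example that is not part of the original page: it creates the log folder, breaks ACL inheritance so permissions granted higher up the volume do not leak in, and grants write access only to the account the NPS service runs as, read access to administrators and to a log-collection account. The folder path and the collector account name are placeholders; the assumption that the NPS service runs as LocalSystem reflects the default service configuration and should be checked against your own.

```powershell
# Added example (not from the page): lock down the folder that NPS writes its
# accounting log files to. Assumptions: the path and the collector account are
# placeholders, and the NPS service runs as LocalSystem (the default).

$logDir    = 'D:\NpsLogs'                 # placeholder; select this folder in the NPS accounting settings
$collector = 'CORP\svc-logcollector'      # placeholder: account that ships logs to the SIEM

New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$acl = Get-Acl -Path $logDir
# Stop inheriting from the parent and discard the inherited entries, so that
# e.g. "Users: Read" on the volume root does not expose the logs.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    # The service account needs to create, append to and roll over log files.
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',     'FullControl',    $inherit, $prop, 'Allow')
    # Administrators and the collector only read; nobody but the service writes.
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'ReadAndExecute', $inherit, $prop, 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule($collector,               'ReadAndExecute', $inherit, $prop, 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $logDir -AclObject $acl

# Verify the effective entries; expect exactly the three above and nothing inherited.
(Get-Acl -Path $logDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Read-only access for administrators does not stop a member of that group from taking ownership and changing the ACL, but it does mean that such a change shows up in the folder's audit trail instead of being an ordinary write, and it keeps day-to-day tooling from modifying the evidence the page says these logs are kept for.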

NPS SQL Server logging

NPS SQL Server logging is used when you need session state information, for report creation and data analysis purposes, and to centralize and simplify management of your accounting data.

NPS provides the ability to use SQL Server logging to record user authentication and accounting requests received from one or more network access servers to a data source on a computer running the Microsoft SQL Server Desktop Engine (MSDE 2000), or any version of SQL Server later than SQL Server 2000.

Accounting data is passed from NPS in XML format to a stored procedure in the database, which supports both structured query language (SQL) and XML (SQLXML). Recording user authentication and accounting requests in an XML-compliant SQL Server database enables multiple NPS servers to share one data source.

Key steps

During the planning for NPS accounting by using NPS SQL Server logging, you can use the following steps.

  • Determine whether you or another member of your organization has SQL Server 2000 or SQL Server 2005 relational database development experience and understands how to use these products to create, modify, administer, and manage SQL Server databases.

  • Determine whether SQL Server is installed on the NPS server or on a remote computer.

  • Design the stored procedure that you will use in your SQL Server database to process incoming XML files that contain NPS accounting data.

  • Design the SQL Server database replication structure and flow.

  • Determine the application or applications that you want to use to view accounting data and produce reports.

  • Plan to use network access servers that send the Class attribute in all Accounting-Request messages. The Class attribute is sent to the RADIUS client in an Access-Accept message, and is useful for correlating Accounting-Request messages with authentication sessions. If the Class attribute is sent by the network access server in the Accounting-Request messages, it can be used to match the accounting and authentication records. The combination of the attributes Unique-Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the server accepts.

  • Plan to use network access servers that support interim accounting.

  • Plan to use network access servers that send Accounting-On and Accounting-Off messages.

  • Plan to use network access servers that support the storing and forwarding of accounting data. Network access servers that support this feature can store accounting data when the network access server cannot communicate with the NPS server. When the NPS server is available, the network access server forwards the stored records to the NPS server, providing greater reliability in accounting than network access servers that do not provide this feature.

  • Plan to always configure the Acct-Interim-Interval attribute in network policies. The Acct-Interim-Interval attribute sets the interval (in seconds) between each interim update that the network access server sends. According to RFC 2869, the value of the Acct-Interim-Interval attribute must not be smaller than 60 seconds, or one minute, and should not be smaller than 600 seconds, or 10 minutes. For more information, see RFC 2869, "RADIUS Extensions."

  • Ensure that logging of periodic status is enabled on your NPS servers.
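The Class-attribute correlation and the interim-update interval from the steps above, as an added PowerShell example that is not part of the original page. It runs over a handful of constructed, simplified records (not real NPS log output; the field names are assumptions), ties each accounting session to the Access-Accept that issued its Class value, flags accounting records whose Class NPS never issued, and flags open sessions whose interim updates have stopped arriving for longer than two Acct-Interim-Interval periods.

```powershell
# Added example (not from the page): correlate accounting records with their
# authentication via the Class attribute and spot sessions that went quiet.
# The records below are constructed, simplified objects; the field names
# (Time, Packet, User, Nas, Class, StatusType) are assumptions, not the NPS log schema.

$records = @(
    [pscustomobject]@{ Time = '2024-05-01T08:00:00'; Packet = 'Access-Accept';      User = 'alice'; Nas = '10.0.10.11'; Class = 'C1'; StatusType = $null }
    [pscustomobject]@{ Time = '2024-05-01T08:00:01'; Packet = 'Accounting-Request'; User = 'alice'; Nas = '10.0.10.11'; Class = 'C1'; StatusType = 'Start' }
    [pscustomobject]@{ Time = '2024-05-01T08:10:01'; Packet = 'Accounting-Request'; User = 'alice'; Nas = '10.0.10.11'; Class = 'C1'; StatusType = 'Interim-Update' }
    [pscustomobject]@{ Time = '2024-05-01T08:20:01'; Packet = 'Accounting-Request'; User = 'alice'; Nas = '10.0.10.11'; Class = 'C1'; StatusType = 'Stop' }
    [pscustomobject]@{ Time = '2024-05-01T09:00:00'; Packet = 'Access-Accept';      User = 'bob';   Nas = '10.0.20.5';  Class = 'C2'; StatusType = $null }
    [pscustomobject]@{ Time = '2024-05-01T09:00:02'; Packet = 'Accounting-Request'; User = 'bob';   Nas = '10.0.20.5';  Class = 'C2'; StatusType = 'Start' }
    [pscustomobject]@{ Time = '2024-05-01T09:10:02'; Packet = 'Accounting-Request'; User = 'bob';   Nas = '10.0.20.5';  Class = 'C2'; StatusType = 'Interim-Update' }
    # Accounting for a Class value that no Access-Accept in this data ever carried.
    [pscustomobject]@{ Time = '2024-05-01T09:30:00'; Packet = 'Accounting-Request'; User = 'carol'; Nas = '10.0.30.2';  Class = 'C9'; StatusType = 'Start' }
)

function Get-SessionSummary {
    param(
        [object[]]$Records,
        [int]$InterimSeconds = 600,     # the Acct-Interim-Interval configured in the network policy
        [datetime]$Now
    )
    # Index every Access-Accept by the Class value NPS handed to the NAS.
    $accepts = @{}
    foreach ($r in ($Records | Where-Object Packet -eq 'Access-Accept')) { $accepts[$r.Class] = $r }

    $Records | Where-Object Packet -eq 'Accounting-Request' | Group-Object Class | ForEach-Object {
        $acct  = $_.Group | Sort-Object Time
        $last  = $acct[-1]
        $open  = $last.StatusType -ne 'Stop'
        # Heuristic (constructed for this example): an open session that has sent nothing
        # for more than two interim intervals is stale, which points at lost updates,
        # a NAS that stopped reporting, or a missing Accounting-Off.
        $stale = $open -and (($Now - [datetime]$last.Time).TotalSeconds -gt (2 * $InterimSeconds))
        [pscustomobject]@{
            Class         = $_.Name
            User          = $last.User
            Nas           = $last.Nas
            Authenticated = $accepts.ContainsKey($_.Name)   # false: accounting without a matching accept
            Open          = $open
            Stale         = $stale
            LastRecord    = $last.Time
            Records       = $acct.Count
        }
    }
}

Get-SessionSummary -Records $records -Now '2024-05-01T10:00:00' | Format-Table -AutoSize
```

With the constructed data, alice's session closes normally, bob's session is open and stale (last update 09:10, fifty minutes before the reference time, against a 600-second interval), and carol's accounting has no authentication to match, which is exactly the kind of gap the Class attribute and periodic status logging are meant to expose.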