RADIUS Clients

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.

Note

Client computers, such as laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers - such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers - because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

To deploy NPS as a RADIUS server or a RADIUS proxy, you must configure RADIUS clients in NPS.

RADIUS client examples

Examples of network access servers are:

  • Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running the Windows Server 2016 operating system and the Remote Access service that provides either traditional dial-up or virtual private network (VPN) remote access services to an organization intranet.
  • Wireless access points that provide physical layer access to an organization network using wireless-based transmission and reception technologies.
  • Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet.
  • RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that is configured on the RADIUS proxy.

RADIUS Access-Request messages

RADIUS clients either create RADIUS Access-Request messages and forward them to a RADIUS proxy or RADIUS server, or they forward Access-Request messages to a RADIUS server that they have received from another RADIUS client but have not created themselves.

RADIUS clients do not process Access-Request messages by performing authentication, authorization, and accounting. Only RADIUS servers perform these functions.

NPS, however, can be configured as both a RADIUS proxy and a RADIUS server simultaneously, so that it processes some Access-Request messages and forwards other messages.

NPS as a RADIUS client

NPS acts as a RADIUS client when you configure it as a RADIUS proxy to forward Access-Request messages to other RADIUS servers for processing. When you use NPS as a RADIUS proxy, the following general configuration steps are required:

  1. Network access servers, such as wireless access points and VPN servers, are configured with the IP address of the NPS proxy as the designated RADIUS server or authenticating server. This allows the network access servers, which create Access-Request messages based on information they receive from access clients, to forward messages to the NPS proxy.

  2. The NPS proxy is configured by adding each network access server as a RADIUS client. This configuration step allows the NPS proxy to receive messages from the network access servers and to communicate with them throughout authentication. In addition, connection request policies on the NPS proxy are configured to specify which Access-Request messages to forward to one or more RADIUS servers. These policies are also configured with a remote RADIUS server group, which tells NPS where to send the messages it receives from the network access servers.

  3. The NPS or other RADIUS servers that are members of the remote RADIUS server group on the NPS proxy are configured to receive messages from the NPS proxy. This is accomplished by configuring the NPS proxy as a RADIUS client.

RADIUS client properties

When you add a RADIUS client to the NPS configuration through the NPS console or through the use of the netsh commands for NPS or Windows PowerShell commands, you are configuring NPS to receive RADIUS Access-Request messages from either a network access server or a RADIUS proxy.

When you configure a RADIUS client in NPS, you can designate the following properties:

Client name

A friendly name for the RADIUS client, which makes it easier to identify when using the NPS snap-in or netsh commands for NPS.

IP address

The Internet Protocol version 4 (IPv4) address or the Domain Name System (DNS) name of the RADIUS client.

Client-Vendor

The vendor of the RADIUS client. Otherwise, you can use the RADIUS standard value for Client-Vendor.

Shared secret

A text string that is used as a password between RADIUS clients, RADIUS servers, and RADIUS proxies. When the Message Authenticator attribute is used, the shared secret is also used as the key to encrypt RADIUS messages. This string must be configured on the RADIUS client and in the NPS snap-in.

Message Authenticator attribute

Described in RFC 2869, "RADIUS Extensions," a Message Digest 5 (MD5) hash of the entire RADIUS message. If the RADIUS Message Authenticator attribute is present, it is verified. If it fails verification, the RADIUS message is discarded. If the client settings require the Message Authenticator attribute and it is not present, the RADIUS message is discarded. Use of the Message Authenticator attribute is recommended.

Note

The Message Authenticator attribute is required and enabled by default when you use Extensible Authentication Protocol (EAP) authentication.
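
The verification rules described for the Message Authenticator attribute, as an added Python example that is not NPS or Microsoft code: RFC 2869 computes the attribute as an HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's 16 value bytes zeroed during the calculation. The function names, the "process"/"discard" return strings, and any packets built with build_access_request are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, request_auth, attrs, secret=None):
    """Build a constructed Access-Request; sign it when a secret is given."""
    body = b"".join(attrs)
    if secret is not None:
        body += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet += request_auth + body
    if secret is not None:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def check_message_authenticator(packet, secret, required):
    """Return 'process' or 'discard' per the rules in the text above."""
    if len(packet) < 20:
        return "discard"
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return "discard"
    pos, found = 20, None
    while pos < length:
        if pos + 2 > length:
            return "discard"  # truncated attribute header
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "discard"  # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "discard"
            found = pos + 2
        pos += alen
    if found is None:
        return "discard" if required else "process"
    # Recompute over the packet with the attribute value zeroed, as the sender did.
    zeroed = packet[:found] + bytes(16) + packet[found + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(expected, packet[found:found + 16])
    return "process" if ok else "discard"
```

A packet built without a secret carries no Message Authenticator attribute, so it is processed only when `required` is false; a signed packet altered in transit or checked against a different shared secret is discarded.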

For more information about NPS, see Network Policy Server (NPS).