Configure a Network Policy Server infrastructure - Exam Ref 70-411 Administering Windows Server 2012 R2 (2014)

Chapter 4. Configure a Network Policy Server infrastructure

The Network Policy Server (NPS) is used to create and enforce network access policies for client health and the authentication and authorization of connection requests. NPS can be configured as a Remote Authentication Dial-In User Service (RADIUS) server or RADIUS proxy to forward connection requests to other NPS or RADIUS servers. Windows Server 2012 includes a new NPS module for Windows PowerShell.


Objectives in this chapter:

• Objective 4.1: Configure Network Policy Server (NPS)

• Objective 4.2: Configure NPS policies

• Objective 4.3: Configure Network Access Protection (NAP)


Objective 4.1: Configure Network Policy Server (NPS)

NPS can be configured as a RADIUS server, as a RADIUS proxy, and as a Network Access Protection (NAP) server. NPS can be configured as any combination of these three servers. This objective covers how to configure RADIUS and RADIUS proxy, leaving the NAP configuration for Objective 4.3.


This objective covers how to:

• Configure a RADIUS server, including RADIUS proxy

• Configure multiple RADIUS server infrastructures

• Configure RADIUS clients

• Manage RADIUS templates

• Configure RADIUS accounting

• Configure certificates

• Configure NPS templates


Configuring a RADIUS server, including RADIUS proxy

You can install the Network Policy and Access Services (NPAS) role to enable Windows Server to act as a RADIUS server. To do that, follow these steps on Windows Server 2012 R2:

1. In Server Manager, select Add Roles And Features from the Manage menu.

2. If you see the Before You Begin page, click Next.

3. Select Role-based Or Feature-based Installation and click Next.

4. Select the server on which you want to install NPS and click Next.

5. On the Select Server Roles page, select Network Policy And Access Services.

6. On the Add Features That Are Required For Network Policy And Access Services page, click Add Features to return to the Select Server Roles page.

7. Click Next twice, read the Network Policy And Access Services page, and click Next again.

8. On the Select Role Services page, shown in Figure 4-1, select Network Policy Server. You don’t need either of the other two roles right now.

FIGURE 4-1 The Select Role Services page of the Add Roles And Features Wizard

9. Click Next and then click Install. When the installation is complete, click Close to close the Add Roles And Features Wizard.

To install the NPAS role, including only the NPS role service, by using Windows PowerShell, use the following command:

Install-WindowsFeature -Name NPAS,NPAS-Policy-Server -IncludeManagementTools


Exam Tip

NPS can’t be installed on a failover cluster, nor can it be installed on a Windows Server Core installation. These are the kinds of details that exam writers like.


Configuring RADIUS server for VPN

After NPS is installed, you have to do basic configuration: set a friendly name, the IP address, and a shared secret with the virtual private network (VPN) client.

To configure NPS as a RADIUS server for VPN, follow these steps:

1. Open the Network Policy Server console, shown in Figure 4-2, from Server Manager or by typing nps.msc at an elevated command prompt.

FIGURE 4-2 The Network Policy Server console

2. In the Standard Configuration pane, select RADIUS Server For Dial-up Or VPN Connections from the list.

3. Click Configure VPN Or Dial-up. Select Virtual Private Network (VPN) Connections and click Next to accept the default text for the connection.

4. On the Specify Dial-up Or VPN Server page, click Add to add a RADIUS client.


Note: RADIUS Clients

RADIUS clients are not Windows client computers; they are VPN servers such as Windows Server 2012 R2 running the Remote Access role. The VPN server is a client of the authorization and authentication service of the RADIUS server. The NPS or RADIUS server services authentication requests from RADIUS clients (VPN servers).


5. On the New RADIUS Client page, shown in Figure 4-3, enter a name in the Friendly Name box.

FIGURE 4-3 The New RADIUS Client dialog box

6. Enter the IP address or DNS name of the VPN server (RADIUS Client). Click Verify.

7. In the Verify Address dialog box, shown in Figure 4-4, click Resolve to verify that the name or IP address can be resolved.

FIGURE 4-4 The Verify Address dialog box

8. Click OK to return to the New RADIUS Client dialog box.

9. In the Shared Secret section of the New RADIUS Client dialog box, select Manual to type in a shared secret, or select Generate and then click Generate to generate a very long, random shared secret.


Note: Long shared secrets

The shared secret generated by the wizard is longer than some RADIUS clients can support. You can shorten it by deleting a portion and still retain the preferred randomness of the shared secret. However, if your RADIUS client is Windows Server 2012 R2 with the Remote Access role installed, the full length of the generated secret can be used.


10. Copy the shared secret and paste into the RADIUS client, as shown in Figure 4-5. (This is a Windows Server 2012 R2 server with the Remote Access role installed, configured for VPN, but there is an equivalent for any brand or type of RADIUS client.)

FIGURE 4-5 The Routing And Remote Access Server Setup Wizard

11. Click OK to add the RADIUS client. Click Add to add additional clients, Edit to change the settings for a client, or Remove to remove a client from the list of supported RADIUS clients.

12. Click Next to open the Configure Authentication Methods page shown in Figure 4-6. The authentication methods supported are as follows:

• Extensible Authentication Protocol: Use this protocol to support smart cards, Protected Extensible Authentication Protocol (PEAP), and EAP-MSCHAPv2.

• Microsoft Encrypted Authentication Version 2 (MS-CHAPv2): The default; it allows users to specify a password for authentication.

• Microsoft Encrypted Authentication (MS-CHAP): Use only if you need to support operating systems that don’t support MS-CHAPv2.

FIGURE 4-6 The Configure Authentication Methods page of the Configure VPN Or Dial-Up Wizard

13. Click Next; on the Specify User Groups page, add the security groups that should be allowed to connect via VPN. Click Next.

14. On the Specify IP Filters page, shown in Figure 4-7, you can specify input and output filters for IPv4, IPv6, or both. You can choose from a filter template or specify directly. IP filters allow you to specify source or destination network ranges, along with the protocols that are allowed or disallowed.

FIGURE 4-7 The Specify IP Filters page of the Configure VPN Or Dial-Up Wizard

15. Click Next to specify the level of encryption that will be supported:

• Basic Encryption (MPPE 40-bit)

• Strong Encryption (MPPE 56-bit)

• Strongest Encryption (MPPE 128-bit)

16. Deselect any encryption levels you don’t need to support and click Next.

17. In Specify A Realm Name, you can specify a realm name that an ISP can use to specify which connections should be routed to this server.

18. Click Next, confirm the settings, and then click Finish to complete the wizard.

Configuring RADIUS server for dial-up

The steps for configuring the RADIUS server for dial-up connections are identical to those for VPN connections. The only difference is in the first page. The Type Of Connections, as shown in Figure 4-8, sets the portion of the name related to the type.

FIGURE 4-8 The Select Dial-Up Or Virtual Private Network Connections Type page

Even though the wizard makes no other distinction while creating the policies for VPN and dial-up clients, the resulting policies are different. The policy for a VPN connection uses a NAS Port Type of Virtual (VPN). For dial-up, it is Async (Modem) OR ISDN Sync OR ISDN Async V.120 OR ISDN Async V.110.

You can also configure a different set of users, authentication methods, realm, and encryption strength for dial-up and VPN clients, even when using the same server to support both methods of remote access.

Configuring a RADIUS proxy

You can configure a RADIUS server to act as a proxy that forwards requests for RADIUS authentication to other RADIUS servers, depending on the client making the request and the connection request policies configured on the RADIUS server. A RADIUS proxy can also act as a proxy for RADIUS Accounting, described later in this objective.

A RADIUS proxy acts as a traffic coordinator between RADIUS clients and other RADIUS servers or other RADIUS proxies. An NPS server acting as a RADIUS proxy can connect to other Microsoft NPS servers or third-party RADIUS servers, or any combination thereof. Figure 4-9 shows a Microsoft NPS server acting as a RADIUS proxy.

FIGURE 4-9 A RADIUS architecture with an NPS RADIUS proxy

To enable an NPS server to act as a RADIUS proxy, follow these steps:

1. Open the Network Policy Server console.

2. Select NPS (Local) at the top of the console tree.

3. In the Getting Started details pane, expand the Advanced Configuration section.

4. Scroll down to the Configure RADIUS Proxy section near the bottom of the Getting Started section, as shown in Figure 4-10.

FIGURE 4-10 The Network Policy Server console

5. Click RADIUS Clients to specify which RADIUS clients will connect through this proxy.

6. Right-click in the RADIUS Clients details pane and select New from the menu to open the New RADIUS Client dialog box shown in Figure 4-11.

FIGURE 4-11 The New RADIUS Client dialog box

7. Specify the friendly name, IP address and shared secret to connect with the client.

8. Click Advanced to specify a specific RADIUS vendor and specify additional options, as shown in Figure 4-12.

FIGURE 4-12 The Advanced tab of the New RADIUS Client dialog box

9. Click OK to return to the Network Policy Server console.

10. Right-click Connection Request Policy in the Policies folder of the console tree and select New from the menu to open the New Connection Request Policy Wizard.

11. Enter a Policy Name and specify a Type Of Network Access Server, as shown in Figure 4-13.

FIGURE 4-13 The Specify Connection Request Policy Name And Connection Type page

12. Click Next and then Add to specify the conditions for this connection request policy.

13. Select a condition from the Select Condition list shown in Figure 4-14 and click Add.

FIGURE 4-14 The Select Condition page

14. In the condition dialog box for the specified condition, select the appropriate values. For the NAS Port Type condition shown, you would select Virtual (VPN) to build a policy for VPNs.

15. Click OK to return to the Select Condition page. If you want to add additional conditions, click Add again and repeat steps 13 and 14 as desired. Click Next to select the Specify Connection Request Forwarding page shown in Figure 4-15.

FIGURE 4-15 The Specify Connection Request Forwarding page

16. Select the server group to which this RADIUS server should forward authentication requests. You can create a new group of servers by clicking New and defining a new RADIUS server group.

17. Select Accounting in the Settings pane to specify forwarding of RADIUS Accounting to a RADIUS server group.

18. Click Next to open the Configure Settings page shown in Figure 4-16.

FIGURE 4-16 The Configure Settings page of the New Connection Request Policy Wizard

19. Specify any additional settings, such as the Realm Name Attribute, click Next, and then click Finish to complete the policy creation.

20. You can also configure Remote RADIUS Server Groups And Accounting from the Getting Started details pane if you need to add a new group of servers.

Configuring multiple RADIUS server infrastructures

You can use NPS as a RADIUS proxy to build a multiple RADIUS server infrastructure. Acting as a RADIUS proxy, NPS can forward requests to different RADIUS servers based on the RADIUS client criteria, type of authentication or port used, or the originating or targeted IP address of the request. Remote RADIUS servers do not need to be in a trusted domain, allowing you to use NPS to service authentication requests against a RADIUS server that is not part of the Windows domain.

Use RADIUS server groups to configure a named group that has one or more RADIUS servers. Each member of a RADIUS server group must have a unique IP address or DNS name that resolves to a unique IP address. You can forward authentication requests, accounting requests, or both to each member of a remote RADIUS server group.

Using priority and weight settings for the group members in a remote RADIUS server group enables you to do load balancing for the group. Within a group, the primary server has a priority of 1. All members of the group with the same priority are sent RADIUS messages in weighted order. Consider server group RADIUS1, with three members (server1, server2, and server3) in the group. All servers have a priority of 1, and the servers have the following weights:

• Server1, weight 10

• Server2, weight 15

• Server3, weight 25

If the RADIUS proxy has 100 RADIUS messages for the group to process, server1 will be sent 20 to process, server2 will get 30 messages, and server3 will process 50 messages.


Exam Tip

Exam writers like to use features like priority and weight to build questions that test not only your understanding of basic math, but also your understanding of precedence. Be alert for combinations that go against expectations, such as a low priority number and a low weight combined with a higher priority number and higher weight.
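As an added illustration (not part of the book) of the RADIUS1 example above and of the precedence rule the Exam Tip warns about, the following Python splits a batch of messages the way NPS would: only the lowest priority number among reachable members receives traffic, and within that tier weights divide it proportionally. The `available` flag and the MIXED group are assumptions standing in for NPS's own unreachable-server tracking.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RadiusServer:
    """One member of a remote RADIUS server group (the Load Balancing tab settings)."""
    name: str
    priority: int           # 1 is the primary tier; lower numbers are tried first
    weight: int             # share of traffic among members with the same priority
    available: bool = True  # constructed flag: stands in for NPS marking a server unreachable


def active_tier(servers: List[RadiusServer]) -> List[RadiusServer]:
    """Members that actually receive traffic: the lowest priority number among reachable ones.

    Weight never competes with priority; a weight of 50 at priority 2 gets nothing
    while any priority-1 member is reachable.
    """
    live = [s for s in servers if s.available]
    if not live:
        return []
    best = min(s.priority for s in live)
    return [s for s in live if s.priority == best]


def distribute(servers: List[RadiusServer], messages: int) -> Dict[str, int]:
    """Split `messages` across the active tier in proportion to weight.

    Integer largest-remainder rounding keeps the shares summing to `messages`
    even when the weights do not divide it evenly.
    """
    tier = active_tier(servers)
    if not tier or messages <= 0:
        return {}
    total = sum(s.weight for s in tier)
    if total <= 0:
        raise ValueError("weights in a priority tier must sum to a positive number")
    shares = {s.name: (messages * s.weight) // total for s in tier}
    remainders = {s.name: (messages * s.weight) % total for s in tier}
    leftover = messages - sum(shares.values())
    # hand the leftover messages to the members with the largest fractional parts
    for name in sorted(remainders, key=remainders.get, reverse=True)[:leftover]:
        shares[name] += 1
    return shares


# The book's server group RADIUS1: three priority-1 members weighted 10/15/25.
RADIUS1 = [
    RadiusServer("server1", priority=1, weight=10),
    RadiusServer("server2", priority=1, weight=15),
    RadiusServer("server3", priority=1, weight=25),
]

# Constructed group for the Exam Tip case: a low priority number with a low weight
# alongside a higher priority number with a much higher weight.
MIXED = [
    RadiusServer("primary-light", priority=1, weight=5),
    RadiusServer("backup-heavy", priority=2, weight=50),
]


def failover_demo(messages: int = 100) -> Dict[str, Dict[str, int]]:
    """Show MIXED before and after the priority-1 member becomes unreachable."""
    before = distribute(MIXED, messages)
    degraded = [RadiusServer(s.name, s.priority, s.weight, available=(s.name != "primary-light"))
                for s in MIXED]
    after = distribute(degraded, messages)
    return {"all reachable": before, "primary down": after}


if __name__ == "__main__":
    print("RADIUS1, 100 messages:", distribute(RADIUS1, 100))
    print("Exam Tip case:", failover_demo())
```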


You can create a remote RADIUS server group while configuring a connection policy with the New Connection Request Policy Wizard, or by following these steps:

1. Open the Network Policy Server console.

2. Expand NPS (Local) at the top of the console tree.

3. Right-click Remote RADIUS Server Groups in the RADIUS Clients And Servers folder. Select New from the menu.

4. In the New Remote RADIUS Server Group dialog box shown in Figure 4-17, enter a Group Name and then click Add to add a server to the group.

FIGURE 4-17 The New Remote RADIUS Server Group dialog box

5. On the Address tab of the Add RADIUS Server dialog box, specify the IP address or DNS name for the server. Click the Authentication/Accounting tab.

6. On the Authentication/Accounting tab shown in Figure 4-18, you can specify the details for the server, including Authentication Port, Shared Secret, Accounting Port, and a separate shared secret for the accounting function if needed.

FIGURE 4-18 The Authentication/Accounting tab of the Add RADIUS Server dialog box

7. Click the Load Balancing tab shown in Figure 4-19 to specify Priority and Weight for the new server, along with timeout settings.

FIGURE 4-19 The Load Balancing tab of the New RADIUS Server dialog box

8. Click OK to close the dialog box and add the RADIUS server to the server group.

9. Click Add to add additional servers to the Remote RADIUS Server Group, Edit to change an existing server’s settings, Remove to delete a server from the group, or OK to finish adding servers to the group and return to the Network Policy Server console.

Configuring RADIUS clients

You need to configure RADIUS clients to connect to the RADIUS server. To configure an existing RADIUS client, right-click the client in the RADIUS Clients node of the RADIUS Clients And Servers folder of the Network Policy Server console and select Properties from the menu. To configure a new RADIUS client, follow these steps:

1. Open the Network Policy Server console (nps.msc) and expand NPS (Local) in the console tree.

2. In the RADIUS Clients And Servers folder, right-click RADIUS Clients and select New from the menu.

3. On the Settings page of the New RADIUS Client dialog box shown in Figure 4-20, enter a Friendly Name to identify the RADIUS client, and then enter the DNS name or IP address of the RADIUS client.

FIGURE 4-20 The New RADIUS Client dialog box

4. Click Verify to open the Verify Address dialog box shown in Figure 4-21. Click Resolve to resolve the address. If more than one IP address is identified for the client, select the preferred IP address and click OK.

FIGURE 4-21 The Verify Address dialog box

5. Enter and Confirm a shared secret, or select Generate and click the Generate button to generate a very long, random shared secret. This shared secret is case-sensitive and must be entered into the shared secret box on the RADIUS client exactly.


Note: Long shared secrets

The shared secret generated by the wizard is longer than some RADIUS clients can support. You can shorten it by deleting a portion and still retain the preferred randomness of the shared secret. However, if your RADIUS client is Windows Server 2012 R2 with the Remote Access role installed, the full length of the generated secret can be used.


6. Click the Advanced tab to configure the RADIUS Vendor and additional options. Choose RADIUS Standard for the Vendor Name unless your RADIUS client specifically requires a vendor-specific setting.


Note: RADIUS Proxy

The value of the Vendor Name is hidden from any downstream RADIUS server when operating as a RADIUS proxy, creating problems for network policy conditions if they’re based on vendor-specific recognition. There probably won’t be a vendor-specific question on the exam, but it’s good to be aware that running as a proxy will hide the vendor.


7. If your RADIUS client supports the Message-Authenticator attribute, select Access-Request Messages Must Contain The Message-Authentication Attribute to improve security when using MS-CHAPv2.

8. Click OK to create the new RADIUS client.

You can create a new RADIUS client with the New-NpsRadiusClient cmdlet, as shown here:

New-NpsRadiusClient `
-Name trey-edge-01 `
-Address 192.168.10.1 `
-SharedSecret "qboTFf^&JK#kHq17ffHXwIK2WcVLzNcABv"
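As an added example (not from the book), the following Python builds a minimal RADIUS Access-Request and validates the Message-Authenticator attribute that step 7 refers to, as RFC 2869 defines it: HMAC-MD5 keyed with the shared secret over the packet with the attribute's own value zeroed. It reuses the book's sample shared secret; the user name and the Request Authenticator are constructed. The checks show why the secret is case-sensitive and why requiring the attribute makes a request without it fail closed.

```python
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_VIRTUAL = 5  # RFC 2865 "Virtual": the value behind the console's Virtual (VPN)

# The book's sample shared secret (from the New-NpsRadiusClient example above).
SHARED_SECRET = b"qboTFf^&JK#kHq17ffHXwIK2WcVLzNcABv"
# Constructed 16-octet Request Authenticator; a real client sends a fresh random one per request.
REQUEST_AUTHENTICATOR = bytes(range(16))


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: str, nas_port_type: int,
                         secret: bytes, include_message_authenticator: bool = True) -> bytes:
    """Build an Access-Request. When the attribute is included, its value is
    HMAC-MD5(secret, packet with the 16 value octets zeroed), RFC 2869 section 5.14."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) \
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", nas_port_type))
    if not include_message_authenticator:
        return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) \
            + REQUEST_AUTHENTICATOR + attrs
    ma_offset = 20 + len(attrs) + 2          # where the 16 value octets will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) \
        + REQUEST_AUTHENTICATOR + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def find_message_authenticator(packet: bytes) -> Optional[int]:
    """Walk the attribute list; return the offset of the attribute's value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None                      # malformed TLV: refuse rather than loop
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and validates under `secret`.

    A packet without the attribute fails closed, which is what the console setting
    'Access-Request messages must contain the Message-Authenticator attribute' enforces;
    a secret that differs even in letter case produces a different HMAC."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = find_message_authenticator(packet)
    if offset is None:
        return False
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)   # constant-time comparison


if __name__ == "__main__":
    pkt = build_access_request(7, "TREY\\alice", NAS_PORT_TYPE_VIRTUAL, SHARED_SECRET)
    print("valid secret:     ", verify_message_authenticator(pkt, SHARED_SECRET))
    print("wrong letter case:", verify_message_authenticator(pkt, SHARED_SECRET.lower()))
    bare = build_access_request(7, "TREY\\alice", NAS_PORT_TYPE_VIRTUAL, SHARED_SECRET, False)
    print("attribute absent: ", verify_message_authenticator(bare, SHARED_SECRET))
```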

Managing RADIUS templates

You can create templates that simplify setting and configuring NPS across multiple servers and clients, as follows:

• Shared secrets

• RADIUS clients

• Remote RADIUS servers

• IP filters

• Health policies

• Remediation server groups

Each template contains the settings for that type of configuration, and can be saved and used to simplify configuring additional items. In addition, the templates can be exported and used on other NPS RADIUS servers.

To create a new shared secrets template, follow these steps:

1. In the Network Policy Server console, expand the Templates Management node.

2. Right-click Shared Secrets and select New.

3. In the New RADIUS Shared Secret Template dialog box, enter a name for the template.

4. Select Manual to manually enter a shared secret or Generate to generate a very long random secret, as shown in Figure 4-22.

FIGURE 4-22 The New RADIUS Shared Secret Template dialog box

5. Click Generate to generate the shared secret and then click OK to save the template.

To create a template for RADIUS clients, right-click RADIUS Clients in Templates Management and select New from the menu. Follow the steps described earlier in the “Configuring RADIUS clients” section to configure the template; the settings will be saved as a template when you finish and click OK. You can use a similar process to create templates for Remote RADIUS Servers, IP filters, health policies, and Remediation Server Groups.

Configuring RADIUS accounting

In addition to authenticating and authorizing access, NPS supports RADIUS Accounting to log user authentication and accounting requests to either a local file or a SQL Server XML-compliant database. You can configure accounting in four different modes:

• SQL logging only: Configures NPS to log accounting data to a SQL Server database.

• Text logging only: Configures NPS to log accounting data to a local text file.

• Parallel logging: Configures NPS to log to both a local text file and a SQL Server database.

• SQL logging with backup: Configures NPS to log to a SQL Server database, and configures text logging to be used if the SQL Server logging fails.

To configure RADIUS accounting to a local file, follow these steps:

1. In the Network Policy Server console, select the Accounting node in the console tree and click Configure Accounting in the details pane.

2. On the Introduction page, click Next. On the Select Accounting Options page, select Log To A Text File On The Local Computer and click Next.

3. On the Configure Local File Logging page shown in Figure 4-23, select which events to log and specify a new location to store the logs.

FIGURE 4-23 The Configure Local File Logging page of the Accounting Configuration Wizard

4. The default log file location is C:\Windows\system32\LogFiles. This location should be changed, ideally to a separate partition, because an active RADIUS server can generate large amounts of log data. Click Browse to select a new location to use for accounting logs.

5. If you want users to be able to connect even if there is a problem with accounting, clear the If Logging Fails, Discard Connection Requests check box.


Note: Logging versus Access

Clearing the If Logging Fails, Discard Connection Requests check box setting allows NPS to continue to process connection requests, allowing users to continue to connect remotely, but it also means the loss of data accuracy if there is a later need to evaluate access attempts and successes. The default value is for logging to be enforced.


6. Click Next and then Next again on the Summary page. The accounting configuration is complete. Click Close to exit the wizard.

The NPS server can be configured to use SQL Server for logging. When you configure SQL Server Logging, the Accounting Configuration Wizard configures the data connection to the SQL Server and either configures an existing database or creates a new one. The choices of what to log and whether to fail connection requests if the logging is unavailable are the same as for file logging. The Data Link Properties dialog box is shown in Figure 4-24.

FIGURE 4-24 The Data Link Properties dialog box

Configuring certificates

The NPS server can be configured to perform certificate-based PEAP and Extensible Authentication Protocol (EAP) authentication, which requires a Workstation Authentication certificate for the client computer and a Server Authentication certificate for the NPS server. Full coverage of how to configure Active Directory Certificate Services (AD CS) is in Exam 70-412, but what you need to know for this exam is the type of certificate template to use and how to configure autoenrollment.

Configuring autoenrollment

If you’re using AD CS, configure Group Policy to autoenroll certificates to both servers and clients by configuring the Default Domain Policy. To enable autoenrollment, follow these steps:

1. Open the Group Policy Management Console (gpmc.msc); in the console tree, expand the domain you want to configure.

2. Expand Group Policy Objects and right-click Default Domain Policy. Select Edit from the menu.

3. In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies.

4. In the Object Type pane, double-click Certificate Services Client - Auto-Enrollment.

5. On the Enrollment Policy Configuration tab shown in Figure 4-25, select Enabled from the Configuration Model list.

FIGURE 4-25 The Certificate Services Client - Auto-Enrollment Properties dialog box

6. Select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box, and then select Update Certificates That Use Certificate Templates.

7. Click OK, and then exit out of the Group Policy Management Editor and the Group Policy Management Console.

Configuring computer certificates for client and server authentication

You need to configure the purpose of the certificate you will use to support client and server authentication. To do this, start with the Workstation Authentication certificate template.


Exam Tip

Some certificates are created with a purpose named All. This kind of certificate is intended to work for all purposes, but does not work for NPS client authentication or server authentication. Sounds like an exam question to me!


To configure a certificate for use by NPS, follow these steps on the AD CS computer:

1. Open the Certification Authority console and expand the domain for which you’re creating the certificate.

2. Right-click Certificate Templates and select Manage from the menu.

3. In the Certificate Templates Console shown in Figure 4-26, right-click Workstation Authentication and select Duplicate Template from the menu.

FIGURE 4-26 The Certificate Templates Console

4. On the General tab, type a new Template Display Name that describes the use of the certificate, such as NPS Client-Server Authentication, and select Publish Certificate In Active Directory.

5. Click the Extensions tab shown in Figure 4-27 and then click Edit.

FIGURE 4-27 The Extensions tab of the Properties of New Template dialog box

6. In the Edit Application Policies Extension, click Add and then select Server Authentication from the list of Application Policies, as shown in Figure 4-28.

FIGURE 4-28 The Add Application Policy dialog box

7. Click OK and then OK again to return to the Properties dialog box.

8. Click the Security tab and select Domain Computers.

9. Select the Allow box for Autoenroll. Click OK to close the Properties dialog box.

10. Close the Certificate Templates Console.

11. In the Certification Authority console, right-click Certificate Templates and select New and then Certificate Template To Issue.

12. In the Enable Certificate Templates dialog box shown in Figure 4-29, select the certificate template you just configured and click OK.

FIGURE 4-29 The Enable Certificate Templates dialog box

13. Close the Certification Authority console.

Configuring NPS templates

The configuration of several RADIUS-related NPS templates was shown earlier in the “Managing RADIUS templates” section, but there are two additional template types you should know about: the health policies and remediation server groups templates.

The health policies templates cover the system health validator (SHV) checks. To create a new health policy template, follow these steps:

1. Expand the Templates Management node of the Network Policy Server console and right-click Health Policies.

2. In the Create New Health Policy dialog box shown in Figure 4-30, enter a Policy Name and specify the client reporting of the SHVs.

FIGURE 4-30 The Create New Health Policy dialog box

3. The options for Client SHV Checks are these:

• Client Passes All SHV Checks

• Client Fails All SHV Checks

• Client Passes One Or More SHV Checks

• Client Fails One Or More SHV Checks

• Client Reported As Transitional By One Or More SHVs

• Client Reported As Infected By One Or More SHVs

• Client Reported As Unknown By One Or More SHVs

4. Under SHVs Used In This Health Policy, select Windows Security Health Validator with the Default Configuration, as shown in Figure 4-30.

5. Click OK to create the template.


Note: NAP

The details for creating, configuring, and using SHVs are covered in Objective 4.3. This objective deals only with how to create a template that uses an SHV.


You can create a remediation server group template by following these steps:

1. Expand the Templates Management node of the Network Policy Server console and right-click Remediation Server Groups.

2. Select New from the menu to open the New Remediation Server Group template shown in Figure 4-31.

FIGURE 4-31 The New Remediation Server Group dialog box

3. Type a Group Name for the template group.

4. Click Add to add servers to the group.

5. Enter a Friendly Name for the server and then enter the IP Address Or DNS Name of the server. Click Resolve to resolve an IP address for a DNS name.

6. Click OK to add the server to the group.

7. You can add additional servers to the group by repeating steps 4–6.

8. Click OK after you finish adding servers to the group, and the template is created.


Thought experiment: Configuring different servers for different users

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You are the network administrator for TreyResearch.net and are designing a Remote Access policy to support connection for different groups of users. Network administrators will have access to dial-up modems, and the HR department has special requirements to ensure additional security.

1. How do you need to configure the dial-up access? Will you need to have a separate NPS server?

2. How can you configure extra security for HR without requiring it for everyone?

3. Can you use a single server to implement these requirements? What are the considerations?


Objective summary

• NPS can be configured as a RADIUS server or a RADIUS proxy.

• RADIUS can be used for both VPN and dial-up authentication and authorization.

• As a RADIUS proxy, NPS can connect to other Microsoft NPS servers or to third-party RADIUS servers.

• Use priority and weighting to load balance groups of RADIUS servers in RADIUS server groups.

• RADIUS clients can be network access servers or other RADIUS servers.

• NPS and RADIUS settings can be configured in templates to simplify deployment.

• RADIUS Accounting logs user authentication and accounting requests, and can use a local file or a SQL Server database.

• Use certificates for client authentication and server authentication.

Objective review

1. When installing NPS as a RADIUS proxy, which NPS role services are required in Windows Server 2012 R2? (Choose all that apply.)

A. NPS

B. Health Registration Authority

C. Host Credential Authorization Protocol

D. Routing And Remote Access Service (RRAS)

2. Certificates with which purposes can be used for mutual authentication of NPS and client computers? (Choose all that apply.)

A. All Purpose certificates

B. Server authentication certificates

C. Root certificates

D. Client authentication certificates

3. When you configure NPS as a RADIUS proxy, it means the following:

A. It acts as a RADIUS client, authenticating all connection requests locally and notifying the RADIUS server group that the request should have access.

B. It acts as a member of a RADIUS server group that accepts requests from RADIUS clients and authenticates them.

C. It acts as a member of a RADIUS server group that accepts authenticated requests from RADIUS clients and assigns remote computers to a network.

D. It acts as a RADIUS client, forwarding connection requests to a RADIUS server group for authentication and authorization.

Objective 4.2: Configure NPS policies

NPS supports three different kinds of policies: connection request policies, network policies, and health policies. I’ll leave health policies for Objective 4.3, but focus here on the first two policies.

Together, the connection request policy and the network policy control which clients are allowed to connect to the network. The connection request policy handles the initial request by a client to connect to the network, and (depending on what port it came in on and other factors) it passes the connection to the appropriate network policy. The network policy determines how a client is authenticated, and whether a client is authorized to connect to the network.


This objective covers how to:

Image Configure connection request policies

Image Configure network policies for VPN clients

Image Manage NPS templates

Image Import and export NPS configuration



Note: Import and export NPS policies

The Microsoft description for this exam includes “Import and export NPS policies” as a covered item, but this is likely a remnant from an older version. The relevant technologies for NPS are the import and export of templates, and the import and export of the entire NPS configuration.


Configuring connection request policies

NPS creates a dial-up or VPN connection policy when you initially configure the RADIUS server. You can modify that policy or create a new one from scratch. Each policy is evaluated as part of the network policies to determine whether access is granted or denied.

Creating a new connection request policy

To create a new connection request policy, follow these steps:

1. In the Network Policy Server console, expand Policies and right-click Connection Request Policies.

2. Select New from the menu to open the New Connection Request Policy Wizard.

3. Enter a name in the Policy Name box and select the type of policy from the Type Of Network Access Server list, as shown in Figure 4-32.

Image

FIGURE 4-32 The Specify Connection Request Policy Name And Connection Type page

4. Click Next to open the Specify Conditions page. Click Add to open the Select Condition dialog box shown in Figure 4-33. For a full list of conditions, see Table 4-1.

Image

FIGURE 4-33 The Select Condition dialog box

5. Select the condition type and click Add. Fill in additional details appropriate to the condition type and click OK.

6. Add additional conditions as appropriate. Separate conditions are additive (ANDed), meaning that every condition in the policy must be met before the policy matches a connection request. Within a single condition that lists several values, the values are ORed, so a match on any one of them satisfies that condition.

7. Click Next to open the Specify Connection Request Forwarding page shown in Figure 4-34. On this page, specify whether requests are authenticated locally, or forwarded to a RADIUS server group (RADIUS proxy). You can also choose to accept users who meet the policy’s conditions without validating their credentials; only requests matching this policy are affected by that choice.

Image

FIGURE 4-34 The Specify Connection Request Forwarding page

8. Click Next to open the Specify Authentication Methods page. On this page, you can choose to override the network policy authentication settings to require specific authentication for this connection policy.

9. Click Next to open the Configure Settings page. On this page, you can specify a realm name, RADIUS standard attribute, or a vendor-specific attribute.

10. Click Next and then Finish to create the policy.

Configuring an existing connection request policy

After the New Connection Request Policy Wizard completes, you can fine-tune the settings for a connection. You can configure both a connection request policy and a network policy for each connection.

To configure additional settings for the connection request policy, follow these steps:

1. Open the Network Policy Server console and expand Policies in the console tree.

2. Select Connection Request Policies in the console tree. In the Connection Request Policies details pane, right-click the policy for which you want to configure additional settings and select Properties from the menu.

3. On the Overview tab, you can specify the Policy Name, Type Of Network Access Server, and whether the policy is enabled or disabled. The supported types of network access server are the following:

Image Remote Access Server (VPN-Dial up) server A Microsoft or other VPN or dial-up remote access server acting as a RADIUS client.

Image Remote Desktop Gateway server A Remote Desktop Gateway (RD Gateway) server providing access to RD Session Hosts or RD Virtualization Hosts.

Image DHCP server A Dynamic Host Configuration Protocol server.

Image Health Registration Authority server A Health Registration Authority (HRA) server obtains health certificates on behalf of NAP clients.

Image HCAP server A Host Credential Authorization Protocol (HCAP) server is used to integrate Microsoft NAP with Cisco Network Access Control Server.

4. On the Conditions tab, you can specify the details for the type of connection you are configuring. These conditions can include User Names, IP addresses, Framing Protocol type, Service Type, Tunnel Type, date and time restrictions, and NAS type. For a full list of conditions, see Table 4-1.

Image

Image

TABLE 4-1 Connection request policy conditions

5. On the Settings tab, shown in Figure 4-35, you can configure authentication methods, allowing you to override the network policy for the authentication method, and configure whether authentication occurs locally or on another RADIUS server (proxy).

Image

FIGURE 4-35 The Settings tab of the Virtual Private Network (VPN) Connections Properties Wizard

6. Select Accounting in the left pane to configure where accounting requests are forwarded.

7. Configure a Realm Name, and any RADIUS Standard or Vendor-specific attributes, and then click OK to close the dialog box and implement the changes.

Configuring network policies for VPN clients

NPS has two sets of policies for all VPNs: connection request policies and network policies. Additionally, if configured to use them, NPS can apply health policies as well (these policies are covered in Objective 4.3).

Connection request policies define which connections are processed on the NPS server and which are processed on remote RADIUS servers. Network policies define who is allowed to connect to the network, how they are authenticated, and what network access is permitted. When you configure the NPS RADIUS server for a VPN connection, the wizard creates both a connection request policy and a network policy. But that default network policy can be further configured, and you can create additional new VPN network policies. Network policies are processed in the processing order defined in the network policies details pane of the NPS server.

Policy processing

When a connection request is processed, the policy conditions must all be met for the policy to succeed. If a condition is not met, NPS processes the next policy in the ordered list of policies. If all the conditions of that policy are met, the policy succeeds. If all the conditions of the second policy are not met, the third policy is processed, and so on until all policies have been processed or a policy succeeds. When a policy succeeds, it either grants access or denies access, based on the setting in the policy. If no policy succeeds, access is denied.
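The first-match evaluation described above, together with the AND/OR rule for conditions from the connection request policy steps earlier in this objective, can be modelled in a few lines. The following PowerShell is an added example written for this page, not code from the book or from the NPS module: the policy names, the attribute names (UserGroup, TimeOfDay, NasPortType), and the request are constructed, and each request attribute is modelled with a single value.

```powershell
# Added example, not from the book: a small model of how NPS walks its ordered
# policy list. Policy names, attribute names and the request are constructed.

function Test-PolicyConditions {
    param(
        [hashtable]$Policy,   # constructed policy: Name, Enabled, Access, Conditions
        [hashtable]$Request   # constructed connection request attributes
    )
    # Every condition must match (conditions are ANDed). Inside one condition,
    # any of the listed values satisfies it (values are ORed).
    foreach ($attribute in $Policy.Conditions.Keys) {
        $allowedValues = @($Policy.Conditions[$attribute])
        if (-not $Request.ContainsKey($attribute)) { return $false }
        if ($allowedValues -notcontains $Request[$attribute]) { return $false }
    }
    return $true
}

function Resolve-NetworkAccess {
    param(
        [hashtable[]]$Policies,  # in processing order, as listed in the details pane
        [hashtable]$Request
    )
    foreach ($policy in $Policies) {
        if (-not $policy.Enabled) { continue }   # disabled policies are never evaluated
        if (Test-PolicyConditions -Policy $policy -Request $Request) {
            # The first matching policy decides; later policies are not consulted.
            return [pscustomobject]@{ Policy = $policy.Name; Access = $policy.Access }
        }
    }
    # No policy matched: NPS denies the request.
    return [pscustomobject]@{ Policy = '(none)'; Access = 'Deny' }
}

# Constructed policy list: a specific Deny policy followed by a broad Grant policy.
$policies = @(
    @{ Name = 'Block contractors after hours'; Enabled = $true; Access = 'Deny'
       Conditions = @{ UserGroup = 'Contractors'; TimeOfDay = 'AfterHours' } },
    @{ Name = 'VPN users'; Enabled = $true; Access = 'Grant'
       Conditions = @{ UserGroup = @('Employees', 'Contractors'); NasPortType = 'Virtual (VPN)' } }
)

# Constructed request: a contractor connecting over VPN outside business hours.
$request = @{ UserGroup = 'Contractors'; TimeOfDay = 'AfterHours'; NasPortType = 'Virtual (VPN)' }

# Evaluate in the configured order.
Resolve-NetworkAccess -Policies $policies -Request $request

# Evaluate again with the two policies swapped to show why processing order matters.
Resolve-NetworkAccess -Policies ($policies[1], $policies[0]) -Request $request
```

Run as written, the first call is decided by the specific Deny policy; with the two policies swapped, the broad Grant policy matches first and the same request is granted. A permissive policy placed above a more specific one silently shadows it, so whenever you add a Deny policy, check its position in the processing order shown in the details pane.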

Configuring an existing policy

To configure an existing network policy, follow these steps:

1. In the Network Policy Server console, expand Policies and then click Network Policies.

2. In the details pane, double-click the policy you want to configure.

3. On the Overview tab, you can configure the following settings:

Image Policy Name Sets the name of the policy.

Image Policy Enabled When selected, the policy is processed and evaluated while authorizing. When disabled, the policy is not evaluated.

Image Grant Access/Deny Access When set to Grant Access, access is granted if the policy matches the connection request. When set to Deny Access, the connection request is denied if it matches the policy.

Image Ignore User Account Dial-in Properties When selected, the RADIUS network and connection properties control access regardless of what the dial-in setting is for the user account.

Image Type of Network Access Server Typically set to Remote Access Server (VPN-Dial up) for VPN connections.

4. Click the Conditions tab, shown in Figure 4-36. All network policies must have at least one condition but can also have multiple conditions. When you set conditions on a policy, all the conditions must be met for the policy to succeed. If any condition fails, the policy isn’t processed, and the next policy in the processing order is evaluated. Click Add to add additional conditions, Edit to change one of the conditions, or Remove to remove a condition. The conditions for network policies are shown in Table 4-2.

Image

FIGURE 4-36 The Conditions tab of the network policy properties dialog box

Image

Image

Image

TABLE 4-2 Network policy conditions

5. Click the Constraints tab to set constraints for the network policy. If any constraint is not met by the connection request, access is denied. The constraints are detailed in Table 4-3.

Image

TABLE 4-3 Network policy constraints

6. Click the Settings tab. If all the conditions and constraints are met and the connection request is authorized, the settings are applied. The settings for network policies are shown in Table 4-4.

Image

Image

TABLE 4-4 Network policy settings

7. Click OK; the network policy is updated.

IP filters

You can use IP filters as part of a network policy or a connection request policy to control which input and output packets are allowed for both IPv4 and IPv6. You can configure IP filters individually in the policy, or create a template and apply the template. It makes sense in most cases to create an IP filter template because you can reuse the settings.

To create an IP filter template, follow these steps:

1. In the Network Policy Server, expand the Templates Management pane.

2. Right-click IP Filters and select New from the menu to open the New IP Filters Template dialog box.

3. Enter a name for the template and then click Input Filters in the IPv4 section to start creating the filter.

4. In the Inbound Filters dialog box, shown in Figure 4-37, click New to add a filter.

Image

FIGURE 4-37 The Inbound Filters dialog box

5. In the Add IP Filter dialog box, select Destination Mask.

6. Enter an IP address and a subnet mask, and select the protocol, as shown in Figure 4-38. You can choose from the following protocols:

Image TCP Enter a Source Port and Destination Port.

Image TCP (established) Enter a Source Port and Destination Port.

Image UDP Enter a Source Port and Destination Port.

Image ICMP Enter an ICMP Type and an ICMP Code.

Image Any Includes any protocol and any port.

Image Other Specify a Protocol Number.

Image

FIGURE 4-38 The Add IP Filter dialog box

7. Click OK to return to the Inbound Filters dialog box.

8. Select Do Not Permit Packets Listed Below or Permit Only the Packets Listed Below.

9. Click New to add additional Inbound IPv4 Filters. After you finish adding filters, click OK.

10. Repeat the process for IPv4 Output Filters, except select a Source IP Address and Subnet Mask.

11. Repeat for IPv6 Input Filters and IPv6 Output Filters, specifying an IPv6 Address and Prefix Length.

12. Click OK to create the template.

After you have created an IP filter, you can use it to build network policies.

Managing NPS templates

Templates that you create in NPS can be exported to a file. You export the templates to a file by right-clicking Templates Management and selecting Export Templates To A File. Files are exported as XML files that can be backed up as part of normal backup procedures.

After a set of templates has been exported to an XML file, it can then be imported to replace the templates on an NPS server. Importing templates is a destructive process that replaces any existing templates with the templates in the exported XML file.

You can import the templates from a running NPS server by importing them directly. Right-click Templates Management in the console tree and select Import Templates From A Computer. Enter the name or IP address of the remote NPS server and then click OK to import the templates. If the server isn’t available online, you can import the settings from a file by selecting Import Templates From A File.

Importing and exporting NPS configuration

You can export the configuration of an NPS server, including policies, templates, NAP configuration, and client information. The exported file includes the shared secrets used between RADIUS clients and the RADIUS server, or between the RADIUS server and remote RADIUS servers. This is sensitive information and should be stored in a secure location except when actually being used to recover a server configuration.


Image Exam Tip

Let me emphasize this, since it’s very likely to show up on the exam. The exported configuration of an NPS server contains sensitive information. How you use the export, and how you store it, are significant security concerns.



Note: RADIUS accounting

If RADIUS accounting is being logged to a SQL Server database, the exported NPS configuration does not include the SQL Server logging information. After importing this to another server, you must manually reconfigure SQL Server logging.


To export the NPS configuration, follow these steps:

1. Open the Network Policy Server console.

2. Right-click NPS (Local) at the very top of the console tree.

3. Select Export Configuration from the menu.

4. Select I Am Aware That I Am Exporting All Shared Secrets and then click OK.

5. Select the location and file name for saving the XML file and click OK.

You can export the NPS server configuration by using the Export-NpsConfiguration cmdlet; for example:

Export-NpsConfiguration -Path "C:\Temp\NPSConfig.xml"


Image Exam Tip

While netsh has been deprecated, it’s still possible it will show up on the exam. The command to export the NPS server configuration using netsh is:

netsh nps export filename=c:\temp\npsconfig.xml exportpsk=yes


You can import the configuration from an NPS configuration export. This import includes all policies, shared secrets, templates, RADIUS clients, and remote RADIUS server information. Follow these steps to import the NPS configuration:

1. Open the Network Policy Server console.

2. Right-click NPS (Local) at the very top of the console tree.

3. Select Import Configuration from the menu.

4. Navigate to the location where the exported XML file is stored and select the file.

5. When the import completes, click OK.

You can import the NPS server configuration by using the Import-NpsConfiguration cmdlet; for example:

Import-NpsConfiguration -Path "C:\Temp\NPSConfig.xml"
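The warnings above about the clear-text shared secrets in the export translate into a small handling procedure. The following PowerShell is an added example for this page, not code from the book or from the NPS module: it wraps the Export-NpsConfiguration and Import-NpsConfiguration cmdlets shown above with a restricted folder ACL set before the file is written, a loose check that the file really does carry secrets, a SHA-256 hash for verifying the copy on the destination, and clean-up after import. The folder path C:\NpsTransfer, the function names, and the allowed principals are assumptions.

```powershell
# Added example, not from the book: move an NPS configuration between servers
# while limiting exposure of the shared secrets the export contains.
# The folder path, function names and principals are assumptions; adjust them.

function Export-NpsConfigurationRestricted {
    param(
        [string]$Path = 'C:\NpsTransfer\NPSConfig.xml',   # assumed location
        [string[]]$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $folder = Split-Path -Path $Path -Parent
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Lock the folder down before any file is written into it: drop inherited
    # permissions and grant full control only to the listed principals.
    $grants = $AllowedPrincipals | ForEach-Object { "${_}:(OI)(CI)F" }
    & icacls.exe $folder /inheritance:r /grant:r $grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to restrict $folder" }

    # Same cmdlet the text shows; the file includes every RADIUS shared secret in clear text.
    Export-NpsConfiguration -Path $Path

    # Loose check that the export really does carry secrets, so nobody treats it as an
    # ordinary settings file. Element names are not assumed here; 'secret' is matched
    # case-insensitively.
    $secretHits = @(Select-String -Path $Path -Pattern 'secret').Count
    Write-Warning "$Path contains $secretHits secret-related lines; keep it restricted."

    # Record a hash so the destination can verify the file was not altered in transit.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Set-Content -Path "${Path}.sha256" -Value $hash
    return $hash
}

function Import-NpsConfigurationAndCleanUp {
    param(
        [string]$Path = 'C:\NpsTransfer\NPSConfig.xml',   # assumed location
        [Parameter(Mandatory)][string]$ExpectedSha256     # hash produced on the source server
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for $Path; refusing to import a possibly altered configuration."
    }

    Import-NpsConfiguration -Path $Path

    # The secrets now live in the NPS configuration store, so the transfer file is no
    # longer needed. Remove it and the hash so clear-text secrets do not linger on disk.
    # Remove-Item does not overwrite sectors; rely on volume encryption or a
    # secure-erase tool if that matters in your environment.
    Remove-Item -Path $Path, "${Path}.sha256" -Force

    # SQL Server accounting settings are not part of the export (see the note above)
    # and must be reconfigured by hand after importing.
}
```

Run Export-NpsConfigurationRestricted in an elevated session on the source server, copy the XML and its .sha256 companion to the new server over an authenticated channel, and call Import-NpsConfigurationAndCleanUp there with the recorded hash. Setting the ACL before the export runs matters: a file written first and restricted afterwards has already existed with whatever permissions the parent folder inherited.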


Image Thought experiment: Copying NPS server configurations

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You are the network administrator for TreyResearch.net. Company policy requires that all sensitive company data be encrypted, and that all remote access to the corporate network use two-factor authentication (2FA). The current NPS server, remote1, is configured to enforce company policy and is working correctly, but to improve redundancy and increase throughput, you’ve been tasked with creating a second NPS server, remote2, that will use the same configuration as remote1. You need to accomplish this with the minimum administrative overhead while ensuring that the configuration is replicated accurately.

1. How should you go about copying the configuration of the existing server?

2. What security considerations does this raise?

3. How should you mitigate these security considerations? Describe the alternatives.


Objective summary

Image The connection request policy controls the initial connection from a requesting client.

Image The connection request policy controls whether NPS acts as a RADIUS server or a RADIUS proxy.

Image The network policy is responsible for authorizing and authenticating the client.

Image VPN and dial-up use different connection request policies, based on the different types of ports on which they request access.

Image Network policies have one or more conditions, and may have constraints.

Image Network policies can impose IP filters to control which input and output packets are allowed for both IPv4 and IPv6.

Image Use NPS templates to simplify configuring policies, and deploying additional servers.

Image Export NPS configuration to store for recovery purposes or to configure a new NPS server.

Image Exported NPS configuration files contain unencrypted shared secrets.

Objective review

1. The connection request policy supports which of the following conditions? (Choose all that apply.)

A. User Groups

B. User Name

C. NAS Port Type

D. MS Service Class

2. You have a Windows Server 2012 R2 server (RAD1) acting as a RADIUS proxy and a RADIUS server group with a single Windows Server 2012 server (RAD2) as a RADIUS server in it. You need to configure a second RADIUS server to distribute the load. What should you do?

A. Deploy a second Windows Server 2012 R2 server (RAD3) and install the Routing and Remote Access service (RRAS) on it. Export the configuration from RAD1 and import it to RAD3.

B. Deploy a second Windows Server 2012 server (RAD3) and install RRAS on it. Export the configuration from RAD2 and import it to RAD3.

C. Deploy a second Windows Server 2012 R2 server (RAD3) and install NPS Server on it. Export the configuration from RAD2 and import it to RAD3.

D. Deploy a second Windows Server 2012 server (RAD3) and install NPS on it. Export the configuration from RAD1 and import it to RAD3.

3. You need to improve the security of your remote access and want to limit the protocols that are used to connect to the RADIUS server. What condition could you use to limit the protocols?

A. Use a Tunnel Type condition in the connection request policy.

B. Use a Framed Protocol condition in the connection request policy.

C. Use an Authentication Type condition in the network policy.

D. Use an Allowed EAP Types condition in the network policy.

Objective 4.3: Configure Network Access Protection (NAP)

Network Access Protection (NAP) works with the NPS server to ensure that clients connecting to the network meet specific health requirements. These requirements are validated by system health validators (SHVs). NPS health policies work with connection request policies and network policies to enforce NAP health requirements and remediation. NAP is deprecated in Windows Server 2012 R2. This means that NAP is still supported in Windows Server 2012 R2 and Windows 8.1, but will not be supported in future versions of Windows.


This objective covers how to:

Image Configure system health validators (SHVs)

Image Configure health policies

Image Configure NAP enforcement using DHCP and VPN

Image Configure isolation and remediation of noncompliant computers using DHCP and VPN

Image Configure NAP client settings


Configuring system health validators (SHVs)

The only system health validator (SHV) that ships with Windows Server 2012 R2 is the Windows Security Health Validator (WSHV). You can modify the Default Configuration (ID 0) of the WSHV or you can create new configurations.

To create a new WSHV configuration, follow these steps:

1. Open the Network Policy Server console and expand NPS (Local) in the console tree.

2. In the Network Access Protection pane, expand System Health Validators and then Windows Security Health Validator.

3. Right-click Settings and select New from the menu to open the Windows Security Health Validator dialog box shown in Figure 4-39.

Image

FIGURE 4-39 The Windows Security Health Validator dialog box

4. Select Windows 8/Windows 7/Windows Vista in the console tree to change the following settings for these Windows versions:

Image Firewall Settings

Image A Firewall Is Enabled For All Network Connections

Image Antivirus Settings

Image An Antivirus Application Is On

Image Antivirus Is Up To Date

Image Spyware Protection Settings

Image An Antispyware Application Is On

Image Antispyware Is Up To Date

Image Automatic Update Settings

Image Automatic Updating Is Enabled

Image Security Update Settings

Image Restrict access for clients that do not have all available security updates installed

Image Choose from four levels:

Image Critical Only

Image Important And Above

Image Moderate And Above

Image Low And Above

Image Specify the minimum number of hours allowed since the client has checked for new security updates (maximum allowed is 72 hours; default is 22 hours).

Image By default, clients can receive security updates from Microsoft Update. If additional sources are required for your deployment, select one or both of the following sources:

Image Windows Update

Image Windows Server Update Services

5. Select Windows XP in the console tree to change the following settings for that Windows version (the Spyware Protection Settings are not available for Windows XP):

Image Firewall Settings

Image A Firewall Is Enabled For All Network Connections

Image Antivirus Settings

Image An Antivirus Application Is On

Image Antivirus Is Up To Date

Image Automatic Update Settings

Image Automatic Updating Is Enabled

Image Security Update Settings

Image Restrict access for clients that do not have all available security updates installed

Image Choose from four levels:

Image Critical Only

Image Important And Above

Image Moderate And Above

Image Low And Above

Image Specify the minimum number of hours allowed since the client has checked for new security updates (maximum allowed is 72 hours; default is 22 hours).

Image By default, clients can receive security updates from Microsoft Update. If additional sources are required for your deployment, select one or both of the following sources:

Image Windows Update

Image Windows Server Update Services

6. Click OK to close the Windows Security Health Validator settings dialog box.

7. Right-click Error Codes and select Properties to change the default error codes shown in Figure 4-40.

Image

FIGURE 4-40 The Windows Security Health Validator Settings tab for error codes

The error codes can be set to Noncompliant or Compliant. If you want the WSHV to ignore a particular error, set the error code to Compliant.

8. Click OK to close the settings dialog box.

Configuring health policies

You can configure an existing health policy or create a new one. The settings available are the same. To create a new health policy, follow these steps:

1. Open the Network Policy Server console and expand NPS (Local) in the console tree.

2. In the console tree, expand Policies.

3. Right-click Health Policies and select New.

4. In the Create New Health Policy dialog box, enter a Policy Name.

5. From the Client SHV Checks list, select one of the following:

Image Client Passes All SHV Checks

Image Client Fails All SHV Checks

Image Client Passes One Or More SHV Checks

Image Client Fails One Or More SHV Checks

Image Client Reported As Transitional By One Or More SHVs

Image Client Reported As Infected By One Or More SHVs

Image Client Reported As Unknown By One Or More SHVs

6. Select an SHV in the SHVs Used In This Health Policy list. If the SHV supports more than one configuration, choose the configuration you want.

7. Click OK to save the policy.

You can save an existing health policy as a template to use to build new health policies. To save a policy as a template, right-click the policy in the Health Policies folder and select Save And Apply As Template, as shown in Figure 4-41.

Image

FIGURE 4-41 The Network Policy Server Health Policies details pane

Configuring NAP enforcement using DHCP and VPN

You can configure Network Access Protection enforcement to prevent noncompliant computers from connecting to the main network. They can be configured either to fail the connection or to be placed on a restricted network for remediation. There are multiple scenarios for NAP enforcement, including IEEE 802.1x for either wired or wireless connections, RD Gateway, DHCP, and VPN. The exam covers only the two most common NAP scenarios: DHCP and VPN.

NAP enforcement for DHCP

The DHCP scenario is straightforward and prevents noncompliant computers from getting a DHCP address on the main network. The scenario depends on DHCP being installed either on the NAP enforcement server itself or on a remote computer in the network on which NPS is then installed in RADIUS proxy mode.


Image Exam Tip

NAP enforcement by using DHCP is not a secure enforcement method. The knowledgeable user can bypass it by assigning a fixed IP address from the IP address range of the network. This makes the use of the DHCP for NAP enforcement an obvious exam question scenario.


To configure NAP enforcement, use the following process:

Image If DHCP is already running on the network, install the Network Policy Server role on the remote computer running DHCP. Configure it as a RADIUS proxy, as described in Objective 4.1. Configure the Remote RADIUS Server Group to include the NAP enforcement server as the server to which RADIUS messages are forwarded. If installing DHCP on the NAP enforcement server, this step isn’t necessary.

Image Create a connection request policy using NAS Port Type as the condition and set it to the specific types of DHCP clients on which you want NAP enforcement. Configure the connection request policy to forward both authentication and accounting messages to the NAP enforcement computer.

Image On the DHCP server, select the properties for the DHCP scope on which you want to enforce NAP and enable Network Access Protection settings for the scope, as shown in Figure 4-42.

Image

FIGURE 4-42 The Network Access Protection tab of the Properties dialog box for a DHCP scope

Image Enable the DHCP server as a RADIUS client, as covered in Objective 4.1.

Image To enable authorization by group, create a security group in AD DS and add the users who are authorized to obtain IP addresses via DHCP to that group.

Image Configure NAP-capable client computers as described later in this chapter in the “Configuring NAP clients” section.

Image If using remediation servers, configure them as described in the “Configuring isolation and remediation of noncompliant computers using DHCP and VPN” section.

Image Configure a health policy, connection request policy, and network policy to enforce NAP for DHCP.

Image Configure the constraints in the network policy to allow health checks on DHCP IP address renewal.

Image Select the network policy you want to configure in the Network Policy Server console and double-click.

Image On the Constraints tab, ensure that Authentication Methods has Perform Machine Health Check Only selected, as shown in Figure 4-43.

Image

FIGURE 4-43 The Constraints tab of the network policy properties

NAP enforcement for VPN

The VPN scenario for NAP enforcement follows a similar process to that for DHCP, but with some differences. The process flow for NAP enforcement for VPNs is as follows:

Image Create a global security group in AD DS that has as members the users that will be permitted to use VPN.

Image Configure the NPS server as a RADIUS server for VPN connections, using PEAP or EAP for authentication (see Objective 4.1 for details).

Image Deploy a certification authority (CA) or buy a server certificate (for PEAP-MS-CHAPv2). (See Objective 4.1 for details on setting up certificate autoenrollment.)

Image Deploy client computer and user certificates. (See Objective 4.1 for details on setting up certificate autoenrollment.)

Image If using multiple VPN servers, configure the NPS server as the primary RADIUS server, with the other servers being RADIUS clients of the NPS server. (See Objective 4.1 for how to configure RADIUS clients.)

Image On the NPS server, configure health policies, connection request policies, and network policies for VPN that enforce NAP for those VPN connections.

Image Configure NAP-capable client computers as described later in this chapter in the “Configuring NAP clients” section.

Image If using remediation servers, configure them as described in the following section, “Configuring isolation and remediation of noncompliant computers using DHCP and VPN.”

Image Configure the client computers with a VPN connection, setting the configuration to PEAP or EAP.

Configuring isolation and remediation of noncompliant computers using DHCP and VPN

When creating a NAP enforcement policy, you can choose the following:

Image Non-enforcement, allowing you to simply monitor the computers that are noncompliant with the NAP health policy

Image Limited enforcement, allowing computers that are noncompliant access to the network for a limited time

Image Full enforcement, blocking access to the network for all noncompliant computers

Image Full enforcement with remediation, allowing noncompliant computers access to a limited set of servers to correct the noncompliance, including the automatic corrections of some conditions that cause noncompliance.

This last bullet is the one of interest in this section. To configure isolation and remediation, you have to configure a remediation server group and set NAP Enforcement to Allow Limited Network Access Only. You can also enable Auto-remediation to automatically remediate computers that fail the health check.

The first step is to configure a remediation server group and optionally a troubleshooting URL. The remediation server group is a group of one or more servers that have the resources to remediate noncompliant computers and bring them back into compliance. The troubleshooting URL should point to a web page with descriptions of what is required for compliance and links to resources to correct noncompliance.

To configure a remediation server group, follow these steps:

1. Open the Network Policy Server console and navigate to Network Access Protection.

2. Click Configure Remediation Server Groups in the details pane shown in Figure 4-44.

Image

FIGURE 4-44 The Network Policy Server console

3. Right-click Remediation Server Groups and select New from the menu.

4. Select a Remediation Server Group template or create a new group.

5. Enter a Group Name and click Add to open the Add New Server dialog box shown in Figure 4-45.

Image

FIGURE 4-45 The Add New Server dialog box

6. Enter a Friendly Name for the server and type in an IP Address Or DNS Name.

7. Click Resolve. If you used a DNS name, and it resolves to more than one IP address, select the IP address to use and click OK. If you used an IP address and it resolves, click OK.

8. To add additional servers to the Remediation Server Group, click Add and repeat steps 6 and 7 to add servers as required.

9. After you add all the servers that need to be in the group, click OK.

10. You can now use this Remediation Server Group in network policies to allow noncompliant clients to correct the problem and return to compliance.

To create an NPS Remediation Server Group and add an NPS Remediation Server to it, use the New-NpsRemediationServerGroup and New-NpsRemediationServer cmdlets; for example:

New-NpsRemediationServerGroup -Name "RemGroup1"
New-NpsRemediationServer -RemediationServerGroup "RemGroup1" -Address "192.168.10.1"

To isolate the noncompliant clients, you need to configure a noncompliant NAP policy, as described in the earlier section, “Configuring network policies for VPN clients.” The process is similar for both VPN and DHCP policies. To create a new noncompliant network policy, follow these steps:

1. Right-click Network Policies in the Policies folder of the console tree.

2. Select New to open the New Network Policy Wizard.

3. Enter a Policy Name, such as NAP Noncompliant.

4. Select the type of Network Access Server, such as DHCP Server or Remote Access Server (VPN-Dial up).

5. Click Next to open the Specify Conditions page and click Add to add policy conditions.

6. Scroll down and select Health Policies and click Add to open the Health Policies dialog box shown in Figure 4-46.

Image

FIGURE 4-46 The Health Policies dialog box

7. Select a health policy from the Health Policies list or click New to create a new health policy, as described in the “Configuring health policies” section earlier in this objective. The policy should be one of noncompliance with one or more SHV checks.

8. Click OK after you either create a new health policy or select an existing one.

9. Click Add again to select additional conditions (such as user group or machine group), as shown in Figure 4-47.

FIGURE 4-47 The Specify Conditions page of the New Network Policy Wizard

10. Click Next and select Access Granted on the Specify Access Permission page.


Image Exam Tip

A network policy for remediation of noncompliance must be set to Grant Access, even though you might think it should be set to Deny Access. But Deny Access would prevent the computer from reaching the remediation servers. This is an easy mistake to make, and it is one that exam writers are likely to use to make compelling distractors.


11. Select Access Is Determined By User Dial-In Properties (Which Overrides NPS Policy) to deny access to users who are not normally allowed remote access rather than continuing to the remediation steps.

12. Click Next to open the Configure Authentication Methods page. Select Perform Machine Health Check Only for DHCP, or the authentication types you support for VPN.

13. Click Next to open the Configure Constraints page. Add constraints here only if your particular network environment requires them.

14. Click Next to open the Configure Settings page.

15. Select NAP Enforcement in the left pane, as shown in Figure 4-48.

FIGURE 4-48 The Configure Settings page of the New Network Policy Wizard

16. Select Allow Limited Access and click Configure to open the Remediation Servers And Troubleshooting URL dialog box shown in Figure 4-49.

FIGURE 4-49 The Remediation Servers And Troubleshooting URL dialog box

17. Select a Remediation Server Group from the list or click New Group to create a new one.

18. Specify a troubleshooting URL if you have (or will have) a web page to provide troubleshooting information and resources for remediation. This page should be reachable by computers in the restricted network. Click OK to return to the Configure Settings page.

19. Select Enable Auto-Remediation Of Client Computers to have health requirements automatically corrected. (For example, if there is a requirement for a firewall, and the health check fails this requirement, Windows Firewall is enabled.)

20. Click Next and then Finish to create the new policy.


Note: Steps for DHCP

The steps for this procedure are those for creating a network policy for a noncompliant VPN connection. The steps for a noncompliant DHCP connection are slightly different, and you’ll be asked to specify the name of the DHCP scope to use. The scope name becomes part of the policy to match the MS-Service Class condition. Exams aren’t about exact steps, but what you’re configuring, and the basic process is the same.


Configuring NAP client settings

You need to configure NAP-capable clients to work correctly with NAP enforcement. The settings you need to configure are shown in the following steps:

1. Start the Network Access Protection Agent Windows Service.

2. Set the Network Access Protection Agent Windows Service startup type to Automatic.

3. Use the NAP Client Configuration console (Napclcfg.msc) on the client computer to enable the following enforcement clients:

Image DHCP Quarantine Enforcement Agent

Image EAP Quarantine Enforcement Agent

4. Configure Group Policy to enable the Security Center.

5. Edit the Default Domain Policy.

6. Navigate to Computer Configuration/Administrative Templates/Windows Components/Security Center.

7. Double-click Turn On Security Center (Domain PCs Only).

8. Select Enabled. Click OK and exit the Group Policy Management Editor and the GPMC.
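The steps above are manual; the script below is an added example, not from the book, that applies the same client settings from a script (for instance a startup or logon script) and verifies them. It assumes it runs elevated on a domain-joined client, that the Network Access Protection Agent's service short name is napagent, that the enforcement client IDs 79617 (DHCP Quarantine) and 79623 (EAP Quarantine) are the standard NAP values, and that the registry location for Turn On Security Center (Domain PCs Only) is the one in SecurityCenter.admx; check that last assumption against your own ADMX files before deploying it.

```powershell
# Added example (not from the book): configure a NAP-capable client and verify it.
# Assumptions: elevated session; service short name napagent; standard NAP
# enforcement client IDs; Security Center registry mapping taken from
# SecurityCenter.admx (verify before use).

$EnforcementClients = [ordered]@{
    'DHCP Quarantine Enforcement Client' = 79617
    'EAP Quarantine Enforcement Client'  = 79623
}

function Set-NapAgentAutomatic {
    # Steps 1 and 2: make the Network Access Protection Agent automatic and start it.
    Set-Service -Name napagent -StartupType Automatic
    if ((Get-Service -Name napagent).Status -ne 'Running') {
        Start-Service -Name napagent
    }
}

function Enable-NapEnforcementClients {
    # Step 3: the same change Napclcfg.msc makes, driven through netsh by enforcement ID.
    foreach ($entry in $EnforcementClients.GetEnumerator()) {
        $null = & netsh nap client set enforcement "id=$($entry.Value)" "admin=ENABLE"
        if ($LASTEXITCODE -ne 0) { throw "Could not enable $($entry.Key)" }
    }
}

function Enable-SecurityCenterPolicy {
    # Steps 4-8 without the GPMC: needs the GroupPolicy module (domain controller or RSAT host).
    # The registry mapping for "Turn on Security Center (Domain PCs only)" is an assumption.
    param([string]$GpoName = 'Default Domain Policy')
    $null = Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center' `
        -ValueName 'SecurityCenterInDomain' -Type DWord -Value 1
}

function Test-NapClientState {
    # Returns $true when the agent is running with Automatic startup, and prints the
    # enforcement client table from netsh so the Admin column can be checked by eye.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='napagent'"
    $ok  = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
    & netsh nap client show state
    return $ok
}

Set-NapAgentAutomatic
Enable-NapEnforcementClients
if (-not (Test-NapClientState)) { throw 'NAP agent is not running with Automatic startup' }
```

Run Enable-SecurityCenterPolicy once from a management host rather than on each client; the other three functions are the per-client work and are safe to re-run, which is what makes the script usable as a transitional logon script while Group Policy catches up.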


Image Thought experiment: Performing health checks

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You are the network administrator for TreyResearch.net. As a result of a recent virus attack on the network that originated with an unprotected remote user, you have been asked to immediately implement network access policies to ensure that computers that connect remotely are fully updated and protected.

1. What changes do you need to make to your existing NPS RADIUS infrastructure to support the change?

2. What changes do you need to make on remote client computers? How can you implement them?

3. What transitional steps should you take before locking out noncompliant users?


Objective summary

Image NAP uses SHVs to verify that network clients meet specific health requirements.

Image NAP health policies work with connection request policies and network policies to determine which clients are allowed to connect to the network.

Image NAP enforcement can be set to monitor, limited enforcement, or full enforcement.

Image NAP enforcement can use remediation server groups to remediate noncompliant clients.

Image NAP clients need configuration to work with NAP enforcement.

Objective review

1. User1 has been on vacation for a week, with his laptop turned off. When he attempted to connect via modem to the Remote Access dial-in bank on day four of the vacation, his dial-in attempt was rejected. However, when he returns home three days later, he initially has a problem when he logs on to his laptop and attempts to connect to the network remotely. When he returns to the office, all is well, although his initial logon seems rather slow. When he goes home that night, he is again able to connect to the network. User1 is authorized for dial-up, and NAP policies are in place for both internal network connections and remote connections. What was a possible cause of the problem?

A. The connection request policy for dial-up connections has a condition on the Called Station ID that limits callers to the local area code.

B. The health policy for dial-up and VPN access requires that all client SHV checks must pass.

C. The health policy for internal network access requires that all client SHV checks must pass.

D. The network connection policy for dial-up connections is set to enable access.

2. What configuration changes do you need to make on client computers to support NAP?

A. Set the Network Access Protection Agent to Automatic.

B. Enable the DHCP Quarantine Enforcement Agent.

C. Enable the EAP Quarantine Enforcement Agent.

D. Use Group Policy to set the Turn On Security Center (Domain PCs Only) policy to Enabled.

E. A, B, D.

F. B, C, D.

G. All of the above.

3. When you configure NPS for DHCP, you configure the network policy to enforce the health policy. What settings do you need to make in the network policy?

A. If the client SHV fails one or more SHV checks, deny access.

B. If the client SHV fails one or more SHV checks, grant access only for EAP clients.

C. If the client SHV passes one or more SHV checks, deny access.

D. If the client SHV passes one or more SHV checks, enable access.

Answers

This section contains the solutions to the thought experiments and answers to the lesson review questions in this chapter.

Objective 4.1: Thought experiment

1. You can use the Configure VPN Or Dial-up Wizard to create both VPN and dial-up connection request policies. The dial-up connection request policy works with a separate dial-up network policy to limit users to only members of the Domain Admins security group. It doesn’t require a separate NPS server.

2. Configure a network policy for HR that uses their membership in the HR Users security group to then limit access to only those authenticating with EAP Smart Card or other certificate. Because HR staff have access to sensitive data, they should be required to have TPM chips and BitLocker on their laptops, so by installing Windows 8 on their laptops, they can use a virtual smart card.

3. Although it is certainly possible to implement this policy on a single server, distributing it across multiple NPS servers enables you to have different policies for different Remote RADIUS Server Groups. The initial client access is handled by the RADIUS proxy, which distributes the load based on the priorities and weighting.

Objective 4.1: Review

1. Correct answer: A

A. Correct. The Network Policy Server role service is required for all RADIUS functionality.

B. Incorrect. The Health Registration Authority (HRA) is used only with the NAP IPsec enforcement method.

C. Incorrect. The Host Credential Authorization Protocol is used only for integration into a Cisco Network Access Control Server.

D. Incorrect. The RRAS role service is now part of the Remote Access role, not NPS.

2. Correct answers: B, D

A. Incorrect. Despite its name, the All Purpose certificate type doesn’t work for client authentication or server authentication.

B. Correct. The server authentication purpose is needed to authenticate the server to the client.

C. Incorrect. Although a root certificate for the CA used needs to be part of both the client’s and server’s root certificate store, this certificate is not used for mutual authentication.

D. Correct. The client authentication purpose is needed to authenticate the client to the server.

3. Correct answer: D

A. Incorrect. This is not how a RADIUS client works. The authentication happens at the RADIUS server.

B. Incorrect. RADIUS proxy means it acts as a RADIUS client.

C. Incorrect. RADIUS proxy means it acts as a RADIUS client.

D. Correct. As a RADIUS proxy, NPS forwards connections to a RADIUS server group for authentication and authorization.

Objective 4.2: Thought experiment

1. Export the current NPS configuration on remote1, and import it to the new NPS server, remote2. A more limited approach would be to only export and import the templates, but this would not meet the requirement.

2. An export of the NPS configuration of remote1 includes all of the shared secrets in plain text.

3. To mitigate the plain text shared secrets of an NPS export, you need to ensure that the configuration file itself is encrypted. Failure to do so would violate company policy. Two possible solutions include:

Image Export the NPS configuration file to a shared folder on the network that is encrypted with the EFS file system.

Image Export the NPS configuration file to a USB stick, encrypted with BitLocker To Go.
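One way to make the encrypted-destination requirement enforceable rather than a matter of discipline, as an added example that is not from the book: export only after checking that the target folder carries the EFS Encrypted attribute or sits on a volume whose BitLocker protection is on (which covers the BitLocker To Go case), then tighten the file's ACL. It assumes the NPS module, the BitLocker module for Get-BitLockerVolume, and that cipher.exe is available to mark the sample folder for EFS; the folder path is a constructed sample value.

```powershell
# Added example (not from the book): export the NPS configuration only to a
# protected location, because Export-NpsConfiguration writes RADIUS shared
# secrets in plain text. Path below is a constructed sample value.

Import-Module NPS -ErrorAction Stop

function Test-ProtectedDestination {
    # $true if the folder has the EFS Encrypted attribute, or the local volume it is
    # on reports BitLocker protection as On. UNC paths have no local volume to test.
    param([Parameter(Mandatory)][string]$Folder)

    $item = Get-Item -LiteralPath $Folder -ErrorAction Stop
    if ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) { return $true }

    $root = $item.PSDrive.Root   # e.g. "E:\" for a local or removable volume
    if ($root -match '^[A-Za-z]:\\$' -and
        (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $vol = Get-BitLockerVolume -MountPoint $root.TrimEnd('\') -ErrorAction SilentlyContinue
        if ($vol -and $vol.ProtectionStatus -eq 'On') { return $true }
    }
    return $false
}

function Export-NpsConfigurationProtected {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$FileName = "nps-config-$(Get-Date -Format yyyyMMdd-HHmmss).xml"
    )
    if (-not (Test-ProtectedDestination -Folder $Folder)) {
        throw "Refusing to export: '$Folder' is neither EFS-encrypted nor on a BitLocker-protected volume."
    }
    $path = Join-Path $Folder $FileName
    Export-NpsConfiguration -Path $path

    # Belt and braces: limit the file to Administrators on top of the disk-level encryption.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting and drop inherited ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

# Constructed sample: a local folder marked for EFS with cipher.exe, then the export.
$target = 'C:\SecureExports'
$null = New-Item -ItemType Directory -Path $target -Force
$null = & cipher.exe /e $target
$exported = Export-NpsConfigurationProtected -Folder $target
Write-Host "Exported to $exported"
```

The check runs before anything is written, so a mistyped path to an unencrypted share fails closed instead of leaving a plain text copy of every shared secret behind; the same function can guard the import side if you copy the file to the new server first.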

Objective 4.2: Review

1. Correct answers: B, C

A. Incorrect. User groups are available only as a condition of the network policy.

B. Correct. The user name is a possible condition for the connection request policy because it is part of a character string that typically includes a realm name.

C. Correct. The NAS Port Type identifies what port type was used by the client to connect to the RADIUS server.

D. Incorrect. The MS Service Class is not available in the connection request policy.

2. Correct answer: C

A. Incorrect. The RRAS service is not a RADIUS server.

B. Incorrect. The RRAS service is not a RADIUS server.

C. Correct. NPS is a RADIUS server. Copying the configuration from Windows Server 2012 is not a problem, and you should copy the configuration from another member of the same RADIUS server group.

D. Incorrect. NPS is a RADIUS server, and this is the same version of the operating system. But copying the configuration from RAD1 would copy the RADIUS proxy configuration, not the RADIUS server configuration.

3. Correct answer: A

A. Correct. The Tunnel Type condition includes the protocols that are used to connect to the RADIUS server.

B. Incorrect. The Framed Protocol primarily includes dial-up protocols such as SLIP and PPP.

C. Incorrect. Authentication Type specifies the authentication methods used, such as CHAP, EAP, and MS-CHAPv2.

D. Incorrect. Allowed EAP Types specifies which EAP authentication methods are allowed to be used.

Objective 4.3: Thought experiment

1. You need to enable NAP on your RADIUS servers and implement a health policy that requires users to have their firewall turned on, have all current updates, and be free of infection. You have to implement a remediation server group that you can redirect noncompliant users to, including clients that don’t have the NAP agent enabled.

2. You need to configure the remote computers to support NAP. Part of it can be done via Group Policy, but you’ll probably have to use a logon script during the transition phase to set the startup for the Network Access Protection Agent.

3. You need to configure remediation server groups to support remediating your current users who are not infected but just noncompliant. You need to have a separate policy that will lock out a user who is infected.

4. You probably want to start by creating the policies and setting them to monitor mode only, allowing access for noncompliant clients but logging their status. Doing this enables you to work directly with problem users who haven’t gotten compliant yet. But the infected users should be locked out anyway to prevent another incident.

Objective 4.3: Review

1. Correct answer: B

A. Incorrect. The Called Station ID is the phone number of the dial-up modem on the server, not the client.

B. Correct. The remote laptop fails because it hasn’t checked for updates in more than 72 hours.

C. Incorrect. The laptop would fail the internal health check, but it would be automatically routed to a remediation server on the local network that auto-remediated it. That accounts for the slow initial logon, not for the rejected connection.

D. Incorrect. This would not prevent the remote access on day four of the vacation.

2. Correct answer: G

A. Incorrect. This answer forms part of the total answer, but is not sufficient in and of itself. The Network Access Protection Agent needs to start automatically.

B. Incorrect. This answer forms part of the total answer, but is not sufficient in and of itself. The DHCP Quarantine Enforcement Agent needs to be enabled.

C. Incorrect. This answer forms part of the total answer, but is not sufficient in and of itself. The EAP Quarantine Enforcement Agent needs to be enabled.

D. Incorrect. This answer forms part of the total answer, but is not sufficient in and of itself. The Group Policy needs to be changed.

E. Incorrect. You need all four of the items A–D.

F. Incorrect. You need all four of the items A–D.

G. Correct. This answer choice includes all four required elements of the correct answer.

3. Correct answer: D

A. Incorrect. By denying access, you prevent remediation.

B. Incorrect. EAP is a remote access protocol.

C. Incorrect. By denying access, you prevent remediation.

D. Correct. This allows the client to be forwarded to the remediation server group.