
Week 6 – NPS and RADIUS


Presentation Transcript


  1. Week 6 – NPS and RADIUS
  • Install and Configure a Network Policy Server
  • Configure RADIUS Clients and Servers
  • NPS Authentication Methods
  • Monitor and Troubleshoot a Network Policy Server

  2. What Is a VPN Connection? (diagram: VPN Servers at the Corporate Headquarters, Large Branch Office, Medium Branch Office and Small Branch Office, plus a Home Office with VPN Client and a Remote User with VPN Client, all connected over VPN)

  3. Components of a VPN Connection (diagram: a VPN Client with its Client Operating System; a VPN Tunnel across the Virtual Network to the VPN Server running Routing and Remote Access; Authentication against a Domain Controller; IP Configuration from a DHCP Server)

  4. Tunneling Protocols for a VPN Connection (frame diagrams)
  • PPTP: IP header, GRE header, then the PPP frame: PPP payload (IPv4 packet, encrypted) and PPP trailer
  • L2TP: IP header, UDP header, L2TP header, then the PPP frame: PPP header and PPP payload (IP datagram, IPX datagram, NetBEUI frame); the L2TP frame travels inside the UDP message
  • SSTP: PPP frame
  • Encapsulates PPP frames in IP datagrams, and uses port 443 (TCP) for tunnel management and PPP data frames
  • Encryption is performed by the SSL channel of the HTTPS protocol

  5. Components of a Dial-Up Connection (diagram: a Dial-Up Client reaching the Remote Access Server over WAN Options: Telephone, ISDN, X.25, or ATM; the server runs the LAN and Remote Access Protocols; Authentication against a Domain Controller; Address and Name Server Allocation from a DHCP Server)

  6. What Is the Connection Manager Administration Kit?
  The Connection Manager Administration Kit:
  • Allows you to customize users’ remote connection experience by creating predefined connections on remote servers and networks
  • Creates an executable file that can be run on a client computer to establish a network connection that you have designed
  • Reduces the likelihood of user errors when they configure their own connection objects
  The connection profile can be distributed to users in the following ways:
  • As part of an image for new computers
  • On removable media for the user to install manually
  • With software distribution tools, such as Systems Management Server or System Center Configuration Manager 2007

  7. Process for Configuring a Connection Profile
  The CMAK Connection Profile Wizard assists in the process of creating custom connection profiles for users. Use the CMAK Connection Profile Wizard to configure:
  • The target operating system
  • Support for VPN
  • Support for dial-up, including the custom phone book
  • Proxy
  • Custom Help file
  • Custom support information

  8. What Is a Network Policy?
  A network policy consists of the following elements:
  • Conditions
  • Constraints
  • Settings

  9. Process for Creating and Configuring a Network Policy
  • Determine authorization by user or group
  • Determine appropriate settings for the user account’s network access permissions
  • Configure the New Network Policy Wizard:
    • Configure Network Policy conditions
    • Configure Network Policy constraints
    • Configure Network Policy settings

  10. How Are Network Policies Processed? (flowchart)
  • START: Are there policies to process? No: reject connection attempt. Yes: continue
  • Does the connection attempt match the policy conditions? No: go to next policy. Yes: continue
  • Is the remote access permission for the user account set to Deny Access? Yes: reject connection attempt. No: continue
  • Is the remote access permission for the user account set to Allow Access? Yes: go straight to the profile settings check. No: continue
  • Is the remote access permission on the policy set to Deny remote access permission? Yes: reject connection attempt. No: continue
  • Does the connection attempt match the user object and profile settings? Yes: accept connection attempt. No: reject connection attempt
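
The decision flow on this slide, carried out in code as an added example (not the course's or Microsoft's code; the policy names, RADIUS attribute names and group names below are constructed):

```python
"""Walk through the NPS network-policy decision flow: added example, not from the
slides. Policy, attribute and group names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Network Access Permission on the user account (Dial-in tab)
DENY, ALLOW, CONTROL_BY_POLICY = "Deny", "Allow", "ControlByPolicy"

@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]                    # all must match the request
    grant_access: bool                            # the policy's own access permission
    constraints: Dict[str, Callable[[str], bool]] = field(default_factory=dict)

@dataclass
class Request:
    attributes: Dict[str, str]                    # RADIUS attributes of the attempt
    user_permission: str = CONTROL_BY_POLICY

def process(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Evaluate policies in order; only the first whose conditions match decides."""
    for p in policies:
        if any(req.attributes.get(k) != v for k, v in p.conditions.items()):
            continue                                   # no match: go to next policy
        if req.user_permission == DENY:                # account Deny wins outright
            return "Reject", f"{p.name}: account permission is Deny"
        # Account Allow bypasses the policy's permission, but not its constraints
        if req.user_permission != ALLOW and not p.grant_access:
            return "Reject", f"{p.name}: policy denies access"
        if not all(ok(req.attributes.get(k, "")) for k, ok in p.constraints.items()):
            return "Reject", f"{p.name}: constraints (profile settings) not met"
        return "Accept", p.name
    return "Reject", "no policy matched"               # no policies left to process

POLICIES = [
    Policy("Wireless - Domain Users",
           {"NAS-Port-Type": "Wireless-802.11", "Windows-Group": "Domain Users"}, True,
           {"Authentication-Type": lambda a: a in {"EAP", "MS-CHAPv2"}}),
    Policy("VPN - Contractors", {"Tunnel-Type": "L2TP", "Windows-Group": "Contractors"}, False),
]

if __name__ == "__main__":
    wifi = {"NAS-Port-Type": "Wireless-802.11", "Windows-Group": "Domain Users"}
    print(process(POLICIES, Request({**wifi, "Authentication-Type": "PAP"})))  # constraints fail
    vpn = {"Tunnel-Type": "L2TP", "Windows-Group": "Contractors"}
    print(process(POLICIES, Request(vpn)), process(POLICIES, Request(vpn, ALLOW)))
```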

  11. Network Policy Server Usage Scenarios
  NPS is used for the following scenarios:
  • Secure Wired and Wireless Access
  • RADIUS
  • Terminal Server Gateway
  • Network Access Protection
    • Enforcement for IPsec traffic
    • Enforcement for 802.1x wired and wireless
    • Enforcement for DHCP
    • Enforcement for VPN

  12. Tools Used for Managing a Network Policy Server
  Tools used to manage NPS include:
  • NPS MMC Console
  • Netsh command line to configure all aspects of NPS, such as:
    • NPS Server Commands
    • RADIUS Client Commands
    • Connection Request Policy Commands
    • Remote RADIUS Server Group Commands
    • Network Policy Commands
    • Network Access Protection Commands
    • Accounting Commands

  13. What Is a RADIUS Client?
  • NPS is a RADIUS server
  • RADIUS clients are network access servers, such as:
    • Wireless access points
    • 802.1x authenticating switches
    • VPN servers
    • Dial-up servers
  • RADIUS clients send connection requests and accounting messages to RADIUS servers for authentication, authorization, and accounting

  14. What Is a RADIUS Proxy?
  A RADIUS proxy receives connection attempts from RADIUS clients and forwards them to the appropriate RADIUS server or another RADIUS proxy for further routing. A RADIUS proxy is required for:
  • Service providers offering outsourced dial-up, VPN, or wireless network access services
  • Providing authentication and authorization for user accounts that are not Active Directory members
  • Performing authentication and authorization using a database that is not a Windows account database
  • Load-balancing connection requests among multiple RADIUS servers
  • Providing RADIUS for outsourced service providers and limiting traffic types through the firewall

  15. Configuring Connection Request Processing

  16. What Is a Connection Request Policy?
  Connection Request policies are sets of conditions and settings that designate which RADIUS servers perform the authentication and authorization of connection requests that NPS receives from RADIUS clients. Connection Request policies include:
  • Conditions, such as:
    • Framed Protocol
    • Service Type
    • Tunnel Type
    • Day and Time restrictions
  • Settings, such as:
    • Authentication
    • Accounting
    • Attribute Manipulation
    • Advanced settings
  Custom Connection Request policies are required to forward the request to another proxy, RADIUS server or server group for authorization and authentication, or to specify a different server for accounting information

  17. Password-Based Authentication Methods
  Authentication methods for an NPS server include:
  • MS-CHAPv2
  • MS-CHAP
  • CHAP
  • PAP
  • Unauthenticated access

  18. Using Certificates for Authentication
  Certificate-based authentication in NPS:
  • Certificate types:
    • CA certificate: Verifies the trust path of other certificates
    • Client computer certificate: Issued to the computer to prove its identity to NPS during authentication
    • Server certificate: Issued to an NPS server to prove its identity to client computers during authentication
    • User certificate: Issued to individuals to prove their identity to NPS servers for authentication
  • Certificates can be obtained from public CA providers, or you can host your own Active Directory Certificate Services
  • To specify certificate-based authentication in a network policy, configure the authentication methods on the Constraints tab

  19. Required Certificates for NPS Authentication Methods All certificates must meet the requirements for X.509 and must work for connections that use SSL/TLS

  20. Deploying Certificates for PEAP and EAP
  • For Domain Computer and User accounts, use the auto-enrollment feature in Group Policy
  • Nondomain member enrollment requires an administrator to request a user or computer certificate using the CA Web Enrollment tool
  • The administrator must save the computer or user certificate to a floppy disk or other removable media, and manually install the certificate on the nondomain member computer
  • The administrator can distribute user certificates on a smart card

  21. Methods Used to Monitor NPS
  NPS monitoring methods include:
  • Event logging
    • The process of logging NPS events in the System Event log
    • Useful for auditing and troubleshooting connection attempts
  • Logging user authentication and accounting requests
    • Useful for connection analysis and billing purposes
    • Can be in a text format
    • Can be in a database format within a SQL instance

  22. Configuring Log File Properties
  Use the NPS console to configure logging:
  1. Open NPS from the Administrative Tools menu
  2. In the console tree, click Accounting
  3. In the details pane, click Configure Local File Logging
  4. On the Settings tab, select the information to be logged
  5. On the Log File tab, select the log type and the frequency or size attributes of the log files to be generated
  Log files should be stored on a separate partition from the system partition: if RADIUS accounting fails due to a full hard disk, NPS stops processing connection requests

  23. Configuring SQL Server Logging
  You can use SQL to log RADIUS accounting data:
  • Requires SQL to have a stored procedure named report_event
  • NPS formats accounting data as an XML document
  • Can be a local or remote SQL Server database
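
An added example (not from the slides) of the connection analysis that slides 21 and 23 describe: reading NPS accounting events written as one XML <Event> per line and tallying Access-Reject packets per user, per RADIUS client and per reason code. The sample lines are constructed, following the element names of the DTS-compliant text log format; the reason-code descriptions are abbreviated from Microsoft's NPS documentation.

```python
"""Tally Access-Reject events in an NPS accounting log (added example).
Input: DTS-compliant text log, one XML <Event> per line. Sample below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

ACCESS_REJECT = 3   # RADIUS Packet-Type codes: 1 request, 2 accept, 3 reject, 4 accounting

# Common NPS Reason-Code values, abbreviated from Microsoft's documentation
REASON = {16: "credential mismatch", 48: "no matching network policy",
          65: "account dial-in permission is Deny", 66: "auth method not enabled on policy"}

# Constructed sample log, not captured from a real server; element names follow the DTS format
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">03/04/2024 09:12:01.120</Timestamp><User-Name data_type="1">CORP\alice</User-Name><Client-Friendly-Name data_type="1">WLC-HQ</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">03/04/2024 09:12:05.004</Timestamp><User-Name data_type="1">CORP\bob</User-Name><Client-Friendly-Name data_type="1">WLC-HQ</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/04/2024 09:12:09.311</Timestamp><User-Name data_type="1">CORP\bob</User-Name><Client-Friendly-Name data_type="1">WLC-HQ</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/04/2024 09:12:14.870</Timestamp><User-Name data_type="1">CORP\bob</User-Name><Client-Friendly-Name data_type="1">WLC-HQ</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/04/2024 09:13:02.550</Timestamp><User-Name data_type="1">CORP\carol</User-Name><Client-Friendly-Name data_type="1">VPN-BR1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">65</Reason-Code></Event>
<Event><Timestamp data_type="4">03/04/2024 09:13:40.019</Timestamp><User-Name data_type="1">CORP\dave</User-Name><Client-Friendly-Name data_type="1">VPN-BR1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
"""

def parse_events(text):
    """One dict per line: {element name: text}. Blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({el.tag: (el.text or "") for el in ET.fromstring(line)})
    return events

def reject_summary(events):
    """Count Access-Reject packets by user, by RADIUS client and by reason."""
    by_user, by_client, by_reason = Counter(), Counter(), Counter()
    for ev in events:
        if int(ev.get("Packet-Type", 0)) != ACCESS_REJECT:
            continue                                  # accepts and accounting are not counted
        by_user[ev.get("User-Name", "?")] += 1
        by_client[ev.get("Client-Friendly-Name", "?")] += 1
        code = int(ev.get("Reason-Code", 0))          # missing element: treat as code 0
        by_reason[REASON.get(code, f"reason code {code}")] += 1
    return by_user, by_client, by_reason

def repeated_failures(events, threshold=3):
    """Users with at least `threshold` rejects, worth a look before they turn into lockouts."""
    return sorted(u for u, n in reject_summary(events)[0].items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    users, clients, reasons = reject_summary(evs)
    print("by client:", dict(clients), "by reason:", dict(reasons))
    print("repeated failures:", repeated_failures(evs))
```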

  24. Configuring NPS Events to Record in the Event Viewer
  How do I configure NPS events to be recorded in Event Viewer?
  • NPS is configured by default to record failed connections and successful connections in the event log
  • You can change this behavior on the General tab of the Properties sheet for the network policy
  • Common request failure events
    • What information does the failure event record?
    • What information does the success event record?
  What is Schannel logging, and how do I configure it?
  • Schannel is a security support provider that supports a set of Internet security protocols
  • You can configure Schannel logging in the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
