Network Policy Server (NPS) Operations Guide
Microsoft Corporation
Published: April 2008
Author: James McIllece
Editor: Scott Somohano
Abstract
The Network Policy Server Operations Guide provides information about how to administer NPS
after it is installed and deployed. It also includes troubleshooting information for specific problems
and scenarios.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Your right to copy this documentation is limited by copyright law and the terms of the software
license agreement. As the software licensee, you may make a reasonable number of copies or
printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative
works for commercial distribution is prohibited and constitutes a punishable violation of the law.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Network Policy Server (NPS) Operations Guide
Abstract
Administering NPS
Installing NPS
Note
In Windows Server 2008, Network Policy Server replaces the Internet Authentication
Service (IAS) component of Windows Server 2003.
NPS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS)
protocol, and can be configured to act as a RADIUS server or RADIUS proxy, providing
centralized network access management. When you configure NPS as a RADIUS server, network
access servers that are configured as RADIUS clients in NPS forward connection requests to
NPS for authentication and authorization.
When you configure NPS as a RADIUS proxy, NPS forwards authentication and accounting
requests to RADIUS servers in a remote RADIUS server group.
The network access servers that you can configure as RADIUS clients in NPS are wireless
access points, virtual private network (VPN) servers, 802.1X authenticating switches, Terminal
Services Gateway (TS Gateway) servers, and dial-up servers.
In addition, you can configure NPS as a Network Access Protection (NAP) policy server. When
NAP is deployed, NPS acts as a NAP policy server, performing client health checks against
configured health policies.
You can also configure the NPS proxy to perform authorization locally while forwarding
authentication requests to a remote RADIUS server group. In addition, you can customize the
processing of accounting requests, processing them locally on the NPS proxy or forwarding them
to other RADIUS servers.
clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client
resolves to multiple IP addresses, the NPS server uses the first IP address returned in the
Domain Name System (DNS) query.
NPS resources
For NPS resources in addition to this guide, see Network Policy Server in the Windows
Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=104545).
How to use this guide
The operations areas are divided into the following types of content:
• Objectives are general goals for managing, monitoring, optimizing and securing NPS.
Each objective consists of one or more general tasks that describe how the objective is
accomplished.
• Tasks are used to group related procedures and provide general guidance for achieving
the goals of an objective.
• Procedures provide step-by-step instructions for completing tasks.
If you are an IT manager who will be delegating tasks to operators within your organization:
1. Read through the objectives and tasks to determine how to delegate permissions and
whether you need to install tools before operators perform the procedures for each task.
2. Before assigning tasks to individual operators, ensure that you have all the tools installed
where operators can use them.
3. When necessary, create “tear sheets” for each task that operators perform in your
organization. Cut and paste the task and its related procedures into a separate document,
and then either print these documents or store them online, depending on the preference of
your organization.
Installation
Keep the following in mind before and after you install NPS:
• Install and test each of your network access servers by using local authentication
methods before you make them RADIUS clients.
• After you install and configure NPS, save the configuration by using the netsh nps
export command. Use this command to save the NPS configuration to an XML file every time
a configuration change is made.
• If you install additional Extensible Authentication Protocol (EAP) types on your NPS
server, ensure that you document the server configuration in case you need to rebuild the
server or duplicate the configuration on other NPS servers.
• If you install additional system health validators (SHVs) on your NPS server, ensure that
you document the server configuration in case you need to rebuild the server or duplicate the
configuration on other NPS servers.
• Do not install Windows Server 2008 on the same partition with another version of
Windows Server.
• Do not configure a server running NPS or the Routing and Remote Access service as a
member of a Windows NT Server 4.0 domain if your user accounts database is stored on a
domain controller running Windows Server 2008 in another domain. Doing this will cause
Lightweight Directory Access Protocol (LDAP) queries from the NPS server to the domain
controller to fail.
Instead, configure your server running NPS or Routing and Remote Access as a member of a
Windows Server 2008 domain. An alternative is to configure a server running NPS as a
RADIUS proxy server that forwards authentication and accounting requests from the
Windows NT Server 4.0 domain to an NPS server in the Windows Server 2008 domain.
Authentication
Following are the best practices for authentication:
• Use authentication methods, such as Protected Extensible Authentication Protocol
(PEAP) and Extensible Authentication Protocol (EAP), that provide authentication types, such
as Transport Layer Security (EAP-TLS and PEAP-TLS) and Microsoft Challenge Handshake
Authentication Protocol version two (PEAP-MS-CHAP v2), that use certificates for strong
authentication. With EAP-TLS and PEAP-TLS, both the client and the NPS server authenticate
with certificates. With PEAP-MS-CHAP v2, the client still authenticates with a password, but the
exchange runs inside a TLS tunnel that is authenticated by the NPS server certificate. Do not
use password-based authentication methods that run without such a tunnel (PAP, CHAP,
MS-CHAP, and MS-CHAP v2 outside PEAP), because they are vulnerable to a variety of attacks
and are not secure.
• Use PEAP, which the Network Access Protection (NAP) 802.1X and VPN enforcement
methods require. Determine the PEAP authentication types that you want to use, such as
PEAP-TLS and PEAP-MS-CHAP v2, and then plan and deploy your public key infrastructure
(PKI) to ensure that all computers and users can enroll the certificates required by the
authentication types. Also configure clients to validate the NPS server certificate and, where
the client supports it, to trust only your issuing CA and your NPS server names; a PEAP client
that does not validate the server certificate can be induced to complete its inner MS-CHAP v2
exchange with a rogue access point.
• Deploy a certification authority (CA) by using Active Directory® Certificate Services
(AD CS) if you use strong certificate-based authentication methods that require the use of a
server certificate on NPS servers. You can also use your CA to deploy computer certificates
to domain member computers and user certificates to members of the Users group in Active
Directory.
Security issues
Your NPS server provides authentication, authorization, and accounting for connection attempts
to your organization network. You can protect your NPS server and RADIUS messages from
unwanted internal and external intrusion.
When you are administering an NPS server remotely, do not send sensitive or confidential data
(for example, shared secrets or passwords) over the network in plaintext. There are two
recommended methods for remote administration of NPS servers:
• Use Remote Desktop Connection to access the NPS server.
When Remote Desktop Connection users log on, they can view only their individual client
sessions, which are managed by the server and are independent of each other. In addition,
Remote Desktop Connection provides 128-bit encryption between client and server.
• Use Internet Protocol security (IPsec) to encrypt confidential data.
If you manage one or more remote NPS servers from a local NPS server by using the NPS
Microsoft Management Console (MMC) snap-in, you can use IPsec to encrypt communication
between the local NPS server and the remote NPS server.
Accounting
There are two types of accounting, or logging, in NPS:
• Event logging for NPS. You can use event logging to record NPS events in the system
and security event logs. Recording NPS events to the security event log is a new feature in
Windows Server 2008, and much more information is logged for NPS than in previous
operating system versions for Internet Authentication Service (IAS). This information is used
primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests. You can log user
authentication and accounting requests to log files in text format or database format, or you
can log to a stored procedure in a SQL Server 2000, SQL Server 2005, or SQL Server 2008
database. Request logging is used primarily for connection analysis and billing purposes, and
is also useful as a security investigation tool, providing you with a method of tracking down
activity after an attack.
To make the most effective use of NPS logging:
• Turn on logging (initially) for both authentication and accounting records. Modify these
selections after you have determined what is appropriate for your environment.
• Ensure that event logging is configured with a capacity that is sufficient to maintain your
logs.
• Back up all log files on a regular basis because they cannot be recreated after they are
damaged or deleted.
• For billing purposes, use the RADIUS Class attribute to both track usage and simplify the
identification of which department or user to charge for usage. Although the automatically
generated Class attribute is unique for each request, duplicate records might exist in cases
when the reply to the access server is lost and the request is resent. You might need to delete
duplicate requests from your logs to accurately track usage.
• If you use SQL Server logging, ensure that you store credentials and other connection
properties in a secure location. This information is not exported to file when you use the
netsh nps export command.
• To provide failover and redundancy with SQL Server logging, place two computers
running SQL Server on different subnets. Use the SQL Server tools to set up database
replication between the two servers. For more information, see SQL Server documentation.
Important
If your NPS server is configured to log accounting data but cannot write to the configured
data store (a log file, a SQL Server database, or both), NPS discards all connection
requests and authentication fails. In this circumstance, users cannot access the network
by using connections through RADIUS clients. This ensures that accounting data is
accurate.
Optimizing NPS
Following are ways to tune NPS performance:
• To optimize NPS authentication and authorization response times and minimize network
traffic, install NPS on a domain controller.
• When user principal names (UPNs) or Windows Server 2008 and Windows
Server 2003 domains are used, NPS uses the global catalog to authenticate users. To
minimize the time it takes to do this, install NPS on either a global catalog server or a server
that is on the same subnet.
• Disable start and stop notification forwarding from network access servers (NASs) to
individual servers in each remote RADIUS server group if you are not forwarding accounting
requests to the group. For more information, see Disable NAS Notification Forwarding.
Note
To effectively balance the load of either a large number of authorizations or a large
volume of RADIUS authentication traffic (such as a large wireless implementation using
certificate-based authentication), install NPS as a RADIUS server on all of your domain
controllers. Next, configure two or more NPS proxies to forward the authentication
requests between the access servers and the RADIUS servers. Next, configure your
access servers to use the NPS proxies as RADIUS servers.
Administering NPS
By effectively administering your NPS deployment, you can provide secure network access for
your organization, ensuring that authorized organization employees, business partners, and
guests can access the network when and where they need to do so.
Note
The procedures in this guide do not include instructions for those cases in which the User
Account Control dialog box opens to request your permission to continue. If this dialog
box opens while you are performing the procedures in this guide, and if the dialog box
was opened in response to your actions, click Continue.
The following objectives are part of administering NPS:
• Managing NPS Servers
• Managing Certificates Used with NPS
• Managing RADIUS Clients
• Managing Network Policies
• Verify Configuration After Renaming an NPS Server
Enter the Netsh NPS Context on an NPS Server
You can use commands in the Netsh NPS context to show and set the configuration of the
authentication, authorization, accounting, and auditing database used both by NPS and the
Routing and Remote Access service. Use commands in the Netsh NPS context to:
• Configure or reconfigure an NPS server, including all aspects of NPS that are also
available for configuration by using the NPS console in the Windows interface.
• Export the configuration of one NPS server (the source server), including registry keys
and the NPS configuration store, as a Netsh script.
• Import the configuration to another NPS server by using a Netsh script and the exported
configuration file from the source NPS server.
You can run these commands from the Windows Server 2008 command prompt or from the
command prompt for the Netsh NPS context. For these commands to work at the Windows
Server 2008 command prompt, you must type netsh nps before typing additional commands and
their parameters.
There are functional differences between Netsh context commands in the Windows Server 2003
family and Netsh commands in Windows Server 2008.
Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the local
computer.
Installing NPS
There are multiple ways to install NPS, and to understand the differences between these
methods, an understanding of the Network Policy and Access Services (NPAS) server role is
required.
The NPAS server role is a logical grouping of the following network access technologies:
• Network Policy Server (NPS)
• Routing and Remote Access service (RRAS)
• Health Registration Authority (HRA)
• Host Credential Authorization Protocol (HCAP)
These technologies are the role services of the NPAS server role. When you install the NPAS
server role, you can install one or more of its role services while running the Add Roles Wizard.
Note
The Add Roles Wizard is opened by using either Server Manager or Initial Configuration
Tasks.
After you have run the Add Roles Wizard and installed one or more role services of the
NPAS server role, you cannot install additional role services by using the same wizard.
For this reason, if you run the Add Roles Wizard and you install NPAS role services other than
NPS, you cannot run the Add Roles Wizard again to install NPS later — you must instead open a
similar wizard named the Add Role Services Wizard.
If you want to install NPS, and you have not yet installed any other role services of the NPAS
server role, follow the instructions in the procedure Install Network Policy Server (NPS).
If you want to install NPS, but you have already installed other NPAS role services, follow the
instructions in the procedure Install NPS by Using the Add Role Services Wizard.
Note
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all
installed network adapters. If Windows Firewall with Advanced Security is enabled when
you install NPS, firewall exceptions for these ports are automatically created during the
installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your
network access servers are configured to send RADIUS traffic over ports other than
these defaults, remove the exceptions created in Windows Firewall with Advanced
Security during NPS installation, and create exceptions for the ports that you do use for
RADIUS traffic.
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
To install NPS
1. Do one of the following:
• In Initial Configuration Tasks, in Customize This Server, click Add roles. The
Add Roles Wizard opens.
• Click Start, and then click Server Manager. In the left pane of Server Manager,
click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add
Roles Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
Wizard was run.
3. In Select Server Roles, in Roles, select Network Policy and Access Services,
and then click Next.
4. In Network Policy and Access Services, click Next.
5. In Select Role Services, in Role Services, select Network Policy Server, and then
click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.
Install NPS by Using the Add Role Services Wizard
Important
To successfully use this procedure to install NPS, you must previously have installed the
NPAS server role with a different role service, such as the Routing and Remote Access
service (RRAS). If you have not previously installed NPAS, do not use this procedure; instead,
use the procedure Install Network Policy Server (NPS).
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
Manage an NPS Server by Using Remote Desktop Connection
Use this procedure to manage a remote NPS server by using Remote Desktop Connection.
By using Remote Desktop Connection, you can remotely manage your NPS servers running
Windows Server 2008. You can also remotely manage NPS servers from a computer running
Windows Vista.
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
Manage Multiple NPS Servers by Using the NPS MMC Snap-in
Use this procedure to manage multiple NPS servers by using the NPS Microsoft Management
Console (MMC) snap-in.
You can also use the instructions below to manage a local NPS server and one or more remote
NPS servers from the Microsoft Management Console (MMC) on the local NPS server.
Before performing the procedure below, you must install NPS on the local computer and on
remote computers.
Important
Before you can manage a remote NPS server, you must configure the remote server to
allow remote administration. For more information, see Enable Remote Administration of
an NPS Server.
Depending on network conditions and the number of NPS servers you manage by using the NPS
MMC snap-in, response of the MMC snap-in might be slow. In addition, NPS server configuration
traffic is sent over the network during a remote administration session by using the NPS snap-in.
Ensure that your network is physically secure and that malicious users do not have access to this
network traffic.
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
8. To save the NPS snap-in for later use, click File, click Save, type a name for your
Microsoft Management Console (.msc) file, and then click Save.
• On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet
Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.
• The UDP ports over which RADIUS traffic is sent and received on a per-protocol (IPv4 or
IPv6), per-network adapter basis.
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and
IPv4 for all installed network adapters. Because NPS automatically uses all network adapters for
RADIUS traffic, you only need to specify the network adapters that you want NPS to use for
RADIUS traffic when you want to prevent NPS from using an adapter for RADIUS traffic.
Note
If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS
traffic for the uninstalled protocol.
On an NPS server that has multiple network adapters installed, you might want to configure NPS
to send RADIUS traffic only on a specific adapter.
For example, one network adapter installed in the NPS server might lead to a network segment
that does not contain RADIUS clients, while a second network adapter provides NPS with a
network path to its configured RADIUS clients. In this scenario it is important to direct NPS to use
the second network adapter for all RADIUS traffic.
In another example, if your NPS server has three network adapters installed, but you only want
NPS to use two of the adapters for RADIUS traffic, you should configure port information for the
two adapters only. By excluding port configuration for the third adapter, you prevent NPS from
using the adapter for RADIUS traffic.
When you use the procedure in Configure NPS UDP Port Information, you can configure NPS to
listen for and send RADIUS traffic on a network adapter by using the following syntax:
• IPv4 traffic syntax: IPAddress:UDPport, where IPAddress is the IPv4 address that is
configured on the network adapter over which you want to send RADIUS traffic, and UDPport
is the RADIUS port number that you want to use for RADIUS authentication or accounting
traffic.
• IPv6 traffic syntax: [IPv6Address]:UDPport, where the brackets around IPv6Address
are required, IPv6Address is the IPv6 address that is configured on the network adapter over
which you want to send RADIUS traffic, and UDPport is the RADIUS port number that you
want to use for RADIUS authentication or accounting traffic.
The following characters can be used as delimiters for configuring IP address and UDP port
information:
• Address/port delimiter: colon (:)
• Port delimiter: comma (,)
• Interface delimiter: semicolon (;)
Make sure that your network access servers are configured with the same RADIUS UDP ports
that you configure on your NPS servers. The RADIUS standard UDP ports defined in RFCs 2865
and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers
are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for
accounting requests.
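As an added example (not code from the guide or from Microsoft), the following Python functions parse the per-adapter port syntax described above and check it against a NAS configuration. They implement the delimiters the guide lists (colon, comma, semicolon, brackets required around IPv6 addresses), report which configured ports fall outside the four defaults for which NPS setup creates firewall exceptions, and list the port mismatches between NPS and an access server that would make authentication fail silently. The function names are this example's own.

```python
"""Parser for the per-adapter RADIUS UDP port syntax that NPS accepts.

Added example, not code from the original guide. It implements the syntax the
guide describes (IPv4Address:port, [IPv6Address]:port, ports separated by commas,
interfaces separated by semicolons). Function names are this example's own.
"""
import ipaddress

# Ports for which NPS setup creates Windows Firewall exceptions automatically.
DEFAULT_RADIUS_PORTS = {1812, 1813, 1645, 1646}


def parse_port_setting(setting):
    """Return [(address, [ports]), ...] for one NPS port setting string.

    Raises ValueError for a malformed address, a missing IPv6 bracket, an extra
    colon in an IPv4 entry, or a port outside 1-65535.
    """
    entries = []
    for interface in (part.strip() for part in setting.split(";")):
        if not interface:
            continue  # tolerate a trailing semicolon
        if interface.startswith("["):
            # IPv6 form: [address]:port[,port]; the brackets are required because
            # the address itself contains colons.
            close = interface.find("]")
            if close == -1 or interface[close + 1:close + 2] != ":":
                raise ValueError("malformed IPv6 entry: %r" % interface)
            address = ipaddress.IPv6Address(interface[1:close])
            port_text = interface[close + 2:]
        else:
            # IPv4 form: address:port[,port]; exactly one colon separates them.
            if interface.count(":") != 1:
                raise ValueError("malformed IPv4 entry (IPv6 needs brackets): %r" % interface)
            address_text, port_text = interface.split(":")
            address = ipaddress.IPv4Address(address_text)
        ports = []
        for item in port_text.split(","):
            port = int(item.strip())
            if not 1 <= port <= 65535:
                raise ValueError("UDP port out of range: %d" % port)
            ports.append(port)
        entries.append((address, ports))
    return entries


def is_valid_setting(setting):
    """True when the setting parses cleanly."""
    try:
        parse_port_setting(setting)
        return True
    except ValueError:
        return False


def listening_ports(setting):
    """The set of UDP ports NPS would listen on under this setting."""
    return {port for _, ports in parse_port_setting(setting) for port in ports}


def nonstandard_ports(setting):
    """Ports that need firewall exceptions added by hand, because NPS setup
    only created exceptions for the defaults (sorted list)."""
    return sorted(listening_ports(setting) - DEFAULT_RADIUS_PORTS)


def nas_mismatch(setting, nas_ports):
    """Compare NPS listening ports with the ports a NAS is configured to use.

    Returns (nps_only, nas_only): ports NPS listens on that the NAS never uses,
    and ports the NAS sends to that NPS does not listen on. The second list is
    the one that breaks authentication without any error on the NPS side.
    """
    nps = listening_ports(setting)
    nas = set(nas_ports)
    return sorted(nps - nas), sorted(nas - nps)
```

Run nas_mismatch() once per access server with the ports from its own RADIUS configuration; an empty second list means every request the NAS sends will reach a port NPS is listening on.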
Important
If you do not use the default RADIUS ports, you must configure exceptions on the firewall
for the local computer to allow RADIUS traffic on the new ports.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
Disable NAS Notification Forwarding
You can use this procedure to disable the forwarding of start and stop messages from network
access servers (NASs) to members of a remote RADIUS server group configured in NPS.
When you have remote RADIUS server groups configured and, in NPS Connection Request
Policies, you clear the Forward accounting requests to this remote RADIUS server group
check box, these groups are still sent NAS start and stop notification messages.
This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification
forwarding for individual servers in each remote RADIUS server group.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
Important
Do not use this procedure if the source NPS database has a higher version number than
the version number of the destination NPS database. You can view the version number of
the NPS database from the display of the netsh nps show config command.
When the netsh import command is run, NPS is automatically refreshed with the updated
configuration settings. You do not need to stop NPS on the destination computer to run the netsh
import command. However, if the NPS console or NPS MMC snap-in is open during the
configuration import, changes to the server configuration are not visible until you refresh the view.
Note
When you use the netsh nps export command, you are required to provide the
command parameter exportPSK with the value YES. This parameter and value explicitly
state that you understand that you are exporting the NPS server configuration, and that
the exported XML file contains unencrypted shared secrets for RADIUS clients and
members of remote RADIUS server groups.
Because NPS server configurations are not encrypted in the exported XML file, sending it over a
network might pose a security risk, so take precautions when moving the XML file from the source
server to the destination servers. For example, add the file to an encrypted, password protected
archive file before moving the file. In addition, store the file in a secure location to prevent
malicious users from accessing it.
Note
If SQL Server logging is configured on the source NPS server, SQL Server logging
settings are not exported to the XML file. After you import the file on another NPS server,
you must manually configure SQL Server logging.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To copy an NPS server configuration to another NPS server using Netsh commands
1. On the source NPS server, open Command Prompt, type netsh, and then press
ENTER.
2. At the netsh prompt, type nps, and then press ENTER.
3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES,
where path is the folder location where you want to save the NPS server configuration
file, and file is the name of the XML file that you want to save. Press ENTER.
This stores configuration settings (including registry settings) in an XML file. The path can
be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you
press ENTER, a message appears indicating whether the export to file was successful.
4. Copy the file you created to the destination NPS server.
5. At a command prompt on the destination NPS server, type netsh nps import
filename="path\file.xml", and then press ENTER. A message appears indicating whether
the import from the XML file was successful.
Increase the Number of NPS Concurrent Authentications
You can use this procedure to increase the number of concurrent authentications between NPS
and domain controllers when NPS is not installed on a domain controller.
If the NPS server is on a computer other than a domain controller and it is receiving a very large
number of authentication requests per second, you can improve performance by increasing the
number of concurrent authentications between the NPS server and the domain controller.
Caution
Incorrectly editing the registry can severely damage your system. Before making changes
to the registry, you should back up any valued data on the computer.
Administrative Credentials
To complete this procedure, you must be a member of the Administrators group.
Note
Although NPS supports both IAS-formatted and database-compatible log files, use the
database-compatible log format in most instances because it supports tools compliant
with Open Database Connectivity (ODBC).
Entries recorded in database-compatible log files
The following are example entries (Access-Request and Access-Accept) from a database-
compatible log file.
Note
In the examples below, "IAS" refers to Internet Authentication Service. In Windows
Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the
Network Policy Server service.
This is the first example:
"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
The following table shows the attributes that can be contained in a record in the database-
compatible log file, the sequence in which they are recorded, and how the preceding examples
are interpreted.
Additional information
• A blank field in the first column of the table indicates that the network access server did
not include a value with the attribute in the packets for the preceding example entries.
• The Data type column identifies the data type (text, number, or time) for each attribute.
When you create a database into which log files are imported, you must define each field for
the data type of the attribute value that will be imported into it. In database-compatible log
files, text values (such as strings, octet strings, and IP addresses) are always surrounded by
double quotes. If the double quotes appear within the string, then they are replaced with a
double set of double quotes.
This table shows the values for the example entries of an IAS-internal attribute.
"CLIENTCOMP" ComputerName Text The name of the server where the packet
was received (this is an IAS-internal
attribute).
"IAS" ServiceName Text The name of the service that generated the
record—IAS or the Routing and Remote
Access service (this is an IAS-internal
attribute).
26
Value shown in Attribute Data type Description
example
internal attribute).
"npsclient" Client-Friendly- Text The friendly name for the RADIUS client
Name (this is an IAS-internal attribute).
Event-Timestamp Time The date and time that this event occurred
27
Value shown in Attribute Data type Description
example
28
Value shown in Attribute Data type Description
example
• 2 = IAS_ACCESS_DENIED
• 3 = IAS_MALFORMED_REQUEST
• 4 = IAS_GLOBAL_CATALOG_UNAVAILABLE
• 5 = IAS_DOMAIN_UNAVAILABLE
• 6 = IAS_SERVER_UNAVAILABLE
• 7 = IAS_NO_SUCH_DOMAIN
• 8 = IAS_NO_SUCH_USER
• 16 = IAS_AUTH_FAILURE
• 17 = IAS_CHANGE_PASSWORD_FAILURE
• 18 = IAS_UNSUPPORTED_AUTH_TYPE
• 32 = IAS_LOCAL_USERS_ONLY
• 33 = IAS_PASSWORD_MUST_CHANGE
• 34 = IAS_ACCOUNT_DISABLED
• 35 = IAS_ACCOUNT_EXPIRED
• 36 = IAS_ACCOUNT_LOCKED_OUT
• 37 = IAS_INVALID_LOGON_HOURS
• 38 = IAS_ACCOUNT_RESTRICTION
• 48 = IAS_NO_POLICY_MATCH
• 64 = IAS_DIALIN_LOCKED_OUT
• 65 = IAS_DIALIN_DISABLED
• 66 = IAS_INVALID_AUTH_TYPE
• 67 = IAS_INVALID_CALLING_STATION
• 68 = IAS_INVALID_DIALIN_HOURS
• 69 = IAS_INVALID_CALLED_STATION
• 70 = IAS_INVALID_PORT_TYPE
• 71 = IAS_INVALID_RESTRICTION
• 80 = IAS_NO_RECORD
• 96 = IAS_SESSION_TIMEOUT
• 97 = IAS_UNEXPECTED_REQUEST
This is an IAS-internal attribute.
"CLIENTCOMP" MS-RAS-Client-Name Text
The name of the remote access client. The Vendor-Length of the Value field, including the vendor
ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40.
Value, which specifies the computer name of the endpoint that is requesting network access, is
sent in ASCII format and is null terminated.
The valid character set for the computer name includes letters, numbers, and the following
symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~.
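The record format shown at the start of this section and the Reason-Code values listed in the table, as an added PowerShell example (not code from the guide): a quote-aware splitter that applies the doubled-quote rule for text values, names the leading fields, and maps Reason-Code to its IAS_* name. The column order for the first 26 fields is taken from the documented IAS-format sequence and is an assumption here, because the full attribute table is not reproduced on this page; the second record, with a quote inside User-Name, is constructed.

```powershell
# Added example (not code from the NPS guide): split a database-compatible (IAS format)
# NPS log record into named attributes and decode the Reason-Code.
# Assumption: the column order below is the documented IAS-format order for the first
# 26 fields; the guide's full attribute table is not reproduced on this page.
$IasFields = @(
    'ComputerName', 'ServiceName', 'Record-Date', 'Record-Time', 'Packet-Type',
    'User-Name', 'Fully-Qualified-Distinguished-Name', 'Called-Station-ID',
    'Calling-Station-ID', 'Callback-Number', 'Framed-IP-Address', 'NAS-Identifier',
    'NAS-IP-Address', 'NAS-Port', 'Client-Vendor', 'Client-IP-Address',
    'Client-Friendly-Name', 'Event-Timestamp', 'Port-Limit', 'NAS-Port-Type',
    'Connect-Info', 'Framed-Protocol', 'Service-Type', 'Authentication-Type',
    'Policy-Name', 'Reason-Code'
)

# Reason-Code values as listed in the guide's attribute table (codes 0 and 1 are not on this page).
$ReasonCodes = @{
    2 = 'IAS_ACCESS_DENIED'; 3 = 'IAS_MALFORMED_REQUEST'; 4 = 'IAS_GLOBAL_CATALOG_UNAVAILABLE'
    5 = 'IAS_DOMAIN_UNAVAILABLE'; 6 = 'IAS_SERVER_UNAVAILABLE'; 7 = 'IAS_NO_SUCH_DOMAIN'
    8 = 'IAS_NO_SUCH_USER'; 16 = 'IAS_AUTH_FAILURE'; 17 = 'IAS_CHANGE_PASSWORD_FAILURE'
    18 = 'IAS_UNSUPPORTED_AUTH_TYPE'; 32 = 'IAS_LOCAL_USERS_ONLY'; 33 = 'IAS_PASSWORD_MUST_CHANGE'
    34 = 'IAS_ACCOUNT_DISABLED'; 35 = 'IAS_ACCOUNT_EXPIRED'; 36 = 'IAS_ACCOUNT_LOCKED_OUT'
    37 = 'IAS_INVALID_LOGON_HOURS'; 38 = 'IAS_ACCOUNT_RESTRICTION'; 48 = 'IAS_NO_POLICY_MATCH'
    64 = 'IAS_DIALIN_LOCKED_OUT'; 65 = 'IAS_DIALIN_DISABLED'; 66 = 'IAS_INVALID_AUTH_TYPE'
    67 = 'IAS_INVALID_CALLING_STATION'; 68 = 'IAS_INVALID_DIALIN_HOURS'; 69 = 'IAS_INVALID_CALLED_STATION'
    70 = 'IAS_INVALID_PORT_TYPE'; 71 = 'IAS_INVALID_RESTRICTION'; 80 = 'IAS_NO_RECORD'
    96 = 'IAS_SESSION_TIMEOUT'; 97 = 'IAS_UNEXPECTED_REQUEST'
}

function Split-IasRecord {
    # Fields are comma-separated; text values are quoted and a quote inside a value is doubled.
    param([string]$Line)
    $fields = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $inQuotes = $false
    for ($i = 0; $i -lt $Line.Length; $i++) {
        $ch = $Line[$i]
        if ($inQuotes) {
            if ($ch -ne '"') { [void]$current.Append($ch) }
            elseif ($i + 1 -lt $Line.Length -and $Line[$i + 1] -eq '"') { [void]$current.Append('"'); $i++ }
            else { $inQuotes = $false }
        }
        elseif ($ch -eq '"') { $inQuotes = $true }
        elseif ($ch -eq ',') { $fields.Add($current.ToString()); $current.Length = 0 }
        else { [void]$current.Append($ch) }
    }
    $fields.Add($current.ToString())
    return ,$fields.ToArray()
}

function ConvertFrom-IasRecord {
    param([string]$Line)
    $values = Split-IasRecord $Line
    $record = [ordered]@{}
    for ($i = 0; $i -lt $values.Count; $i++) {
        $name = if ($i -lt $IasFields.Count) { $IasFields[$i] } else { 'Field{0}' -f ($i + 1) }
        $record[$name] = $values[$i]
    }
    $code = $record['Reason-Code']
    if ($code -match '^\d+$') {
        $record['Reason-Name'] = if ($ReasonCodes.ContainsKey([int]$code)) { $ReasonCodes[[int]$code] }
                                 else { "code $code is not in the guide's table" }
    }
    return $record
}

# The guide's first example record on one physical line, plus a constructed reject record
# whose User-Name contains a doubled quote, to exercise the quoting rule.
$samples = @(
    '"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,',
    '"CLIENTCOMP","IAS",03/07/2008,13:05:10,3,"CONTOSO\""tester""",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,4,,16,,,,,'
)
foreach ($line in $samples) {
    $r = ConvertFrom-IasRecord $line
    $summary = @($r['Record-Date'], $r['Record-Time'], $r['Packet-Type'], $r['User-Name'],
                 $r['Client-Friendly-Name'], $r['Reason-Code'], $r['Reason-Name'])
    '{0} {1} packet-type={2} user={3} client={4} reason={5} ({6})' -f $summary
}
```

Because the splitter tracks the quoting state itself, a record whose text value contains commas or doubled quotes still lands in the right column; importing the same lines with a naive comma split would shift every later attribute, including Reason-Code, by one or more positions.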
Diagnostic codes
The WSHV entries contain elements that correspond to components that might be installed or
enabled on client computers, such as firewalls, antivirus applications, and Windows Automatic
Updates.
The WSHV log file entries always present the WSHV list of elements as diagnostic codes, and
these codes are always presented in the following order:
1. Firewall (On/Off)
2. Antivirus - On/Off
3. Antivirus - Up-to-date status
4. Antispyware - On/Off
5. Antispyware - Up-to-date status
6. Automatic Updates (On/Off)
7. Security Updates - Compliance code
8. Security Updates - Severity
9. Security Updates - Legitimate Source (Windows Update, Windows Server Update
Services, or Microsoft Update)
For item 9 above, the following codes are possible values in the log file.
Important
If the configuration allows the receipt of updates from more than one source, the log file
entry combines the codes. For example, if both Windows Update and Microsoft Update
are legitimate sources, the log file code is 0x00024000.
When each of the other eight elements is evaluated as compliant by NPS, the diagnostic code is
0x0. When an element of the SHV is compliant, the corresponding component on the client
computer is either on, as in the case of a firewall application, or it is up-to-date, as in the case of
Windows Automatic Updates or signatures for an antispyware application. If the Windows SHV is
not configured to enforce any specific element, such as Firewall or Security Updates, log entries
for the element are not relevant and should be ignored.
The Security Updates element provides a severity rating. To interpret the severity rating when
reviewing the NPS log file, you can use the following severity levels.
Severity level and code in NPS log:
Unspecified 0x0040
Low 0x0080
Moderate 0x0100
Important 0x0200
Critical 0x0400
Error codes
On the client computer, the NAP agent can receive errors from the Windows System Health
Agent, which monitors the components on the client operating system, such as firewalls and
antivirus applications. When the NAP agent sends a statement of health (SoH) to NPS, the
statement contains information about errors on the client computer.
In turn, NPS records the error in the NPS log file.
The following table provides the possible error codes that can be logged by NPS.
0xC0FF0001 E_MSSHV_PRODUCT_NOT_ENABLED
A system health component is not enabled.
0xC0FF0002 E_MSSHAV_PRODUCT_NOT_INSTALLED
A system health component is not installed.
0xC0FF0003 E_MSSHAV_WSC_SERVICE_DOWN
The Windows Security Center service is not running.
0xC0FF0004 E_MSSHV_PRODUCT_NOT_UPTODATE
The signatures for a specific system health component are not
up to date.
0x00FF0008 E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT
The Windows Server Update Services has not started. An
administrator must try to start the service manually.
0xC0FF000C E_MSSHAV_NO_WUS_SERVER
The Windows Update Agent on this computer is not configured
to synchronize with a Windows Server Update Services server.
An administrator must configure the Windows Update Agent
service. Click the Try again button after configuration is done
for the changes to take effect.
0xC0FF000D E_MSSHAV_NO_CLIENT_ID
0xC0FF000E E_MSSHAV_WUA_SERVICE_DISABLED
The Windows Update Agent service has been disabled or not
configured to start automatically. An administrator must enable
the service.
0xC0FF000F E_MSSHAV_WUA_COMM_FAILURE
The periodic scan of this computer for security updates failed.
An administrator must ensure that a Windows Server Update
Services server is available and that the Windows Update
Agent on this computer is configured to synchronize with the
server.
0xC0FF0010 E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT
Security updates have been installed and require this computer
to be restarted. Please close all applications and restart this
computer.
0xC0FF0012 E_MSSHV_WUS_SHC_FAILURE
The NPS server failed to validate the security update status of
this computer. An administrator must ensure that a Windows
Server Update Services server is available and that the
Windows Update Agent on this computer is configured to
synchronize with the server.
0xC0FF0014 E_MSSHV_UNKNOWN_CLIENT
Unknown client
0xC0FF0017 E_MSSHV_INVALID_SOH
The Windows Security Health Validator did not process the
latest Statement of Health (SoH) because the SoH is not valid.
0xC0FF0018 E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT
The Windows Security Center service has not started. An
administrator must try to start the service manually.
0xC0FF0047 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED
A third-party system health component is not enabled.
0xC0FF0048 E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE
The signatures for a specific third-party system health
component are not up to date.
0xC0FF004EL E_MSSHAV_BAD_UPDATE_SOURCE_MU
0xC0FF004FL E_MSSHAV_BAD_UPDATE_SOURCE_WUMU
This computer is not configured to receive security updates
from a source approved for this network. An administrator must
configure the Windows Update Agent service to receive
updates from Windows Update or Microsoft Update.
0xC0FF0050L E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS
This computer is not configured to receive security updates
from a source approved for this network. An administrator must
configure the Windows Update Agent service to receive
updates from Windows Server Update Services or Microsoft
Update.
0xC0FF0051L E_MSSHAV_NO_UPDATE_SOURCE
The Windows Update Agent on this computer is not configured
to receive security updates. An administrator must configure the
Windows Update Agent service. The NAP agent might have to
be restarted for changes to take effect.
First example log file entry
Machine testclient was quarantined.
Fully-Qualified-Machine-Name = <undetermined>
Fully-Qualified-User-Name = <undetermined>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Account-Session-Identifier = F1290E5E59241D44A57539224835F0FDC46427E9FBCAC601
Quarantine-Session-Identifier =
Quarantine-Help-URL = <undetermined>
Quarantine-System-Health-Result =
NonCompliant
None
Second example log file entry
The second example log file entry depicts an entry for a client computer running Windows Vista
that is configured to use the Windows Security Center for the firewall, antivirus, antispyware and
Automatic Updates. Because Windows Security Center is disabled, as is detailed in the log file
entry, the diagnostic codes for the Windows SHV do not have meaning and should be ignored.
Machine testclient was quarantined.
Fully-Qualified-Machine-Name = <undetermined>
Fully-Qualified-User-Name = <undetermined>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Account-Session-Identifier = 32049473A12646448AB5DCFD9BF69271B0477E2E58CCC601
Quarantine-Help-URL = <undetermined>
Quarantine-System-Health-Result =
NonCompliant
None
(0x0-)
(0x0-)
(0x0-)
(0x40-)
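The two example entries above and the diagnostic, severity and error code tables of this section, as an added PowerShell example (not code from the guide): it parses an entry of this shape and decodes each "(0x..-)" line. The entry is constructed after the second example (the session identifier is a placeholder). Treating the code lines as the guide's nine elements in their listed order, and allowing a WSHA error code to appear as an element's diagnostic code, are assumptions made for the illustration.

```powershell
# Added example (not code from the NPS guide): parse a NAP quarantine log entry and decode
# each Windows SHV diagnostic code against the tables in the guide.
# Assumptions: the "(0x..-)" lines follow the guide's nine-element order, and a WSHA
# error code (0xC0FF....) can appear in place of an element's diagnostic code.
$WshvElements = @(
    'Firewall', 'Antivirus on/off', 'Antivirus up-to-date', 'Antispyware on/off',
    'Antispyware up-to-date', 'Automatic Updates', 'Security Updates compliance',
    'Security Updates severity', 'Security Updates source'
)
# Lookup keys are the code written as 0x plus uppercase hex digits without leading zeros.
$SeverityCodes = @{ '0x40' = 'Unspecified'; '0x80' = 'Low'; '0x100' = 'Moderate'; '0x200' = 'Important'; '0x400' = 'Critical' }
$SourceCodes   = @{ '0x24000' = 'Windows Update and Microsoft Update' }   # combined code from the guide
$ErrorCodes = @{
    '0xC0FF0001' = 'E_MSSHV_PRODUCT_NOT_ENABLED';  '0xC0FF0002' = 'E_MSSHAV_PRODUCT_NOT_INSTALLED'
    '0xC0FF0003' = 'E_MSSHAV_WSC_SERVICE_DOWN';    '0xC0FF0004' = 'E_MSSHV_PRODUCT_NOT_UPTODATE'
    '0xFF0008'   = 'E_MSSHAV_WUA_SERVICE_NOT_STARTED_SINCE_BOOT'   # printed as 0x00FF0008 in the guide
    '0xC0FF000C' = 'E_MSSHAV_NO_WUS_SERVER';        '0xC0FF000D' = 'E_MSSHAV_NO_CLIENT_ID'
    '0xC0FF000E' = 'E_MSSHAV_WUA_SERVICE_DISABLED'; '0xC0FF000F' = 'E_MSSHAV_WUA_COMM_FAILURE'
    '0xC0FF0010' = 'E_MSSHAV_UPDATES_INSTALLED_REQUIRE_REBOOT'; '0xC0FF0012' = 'E_MSSHV_WUS_SHC_FAILURE'
    '0xC0FF0014' = 'E_MSSHV_UNKNOWN_CLIENT';        '0xC0FF0017' = 'E_MSSHV_INVALID_SOH'
    '0xC0FF0018' = 'E_MSSHAV_WSC_SERVICE_NOT_STARTED_SINCE_BOOT'
    '0xC0FF0047' = 'E_MSSHV_THIRD_PARTY_PRODUCT_NOT_ENABLED'; '0xC0FF0048' = 'E_MSSHV_THIRD_PARTY_PRODUCT_NOT_UPTODATE'
    '0xC0FF004E' = 'E_MSSHAV_BAD_UPDATE_SOURCE_MU';  '0xC0FF004F' = 'E_MSSHAV_BAD_UPDATE_SOURCE_WUMU'
    '0xC0FF0050' = 'E_MSSHAV_BAD_UPDATE_SOURCE_MUWSUS'; '0xC0FF0051' = 'E_MSSHAV_NO_UPDATE_SOURCE'
}

function ConvertFrom-DiagnosticCode {
    param([string]$Hex, [int]$Position)
    $value = [Convert]::ToUInt32($Hex.Substring(2), 16)
    $key = '0x{0:X}' -f $value
    $element = if ($Position -lt $WshvElements.Count) { $WshvElements[$Position] } else { "element $($Position + 1)" }
    if ($value -eq 0)                         { $meaning = 'compliant' }                      # 0x0 = compliant per the guide
    elseif ($ErrorCodes.ContainsKey($key))    { $meaning = $ErrorCodes[$key] }
    elseif ($SeverityCodes.ContainsKey($key)) { $meaning = 'severity ' + $SeverityCodes[$key] }
    elseif ($SourceCodes.ContainsKey($key))   { $meaning = 'update source: ' + $SourceCodes[$key] }
    else                                      { $meaning = "unrecognized code $key" }
    [pscustomobject]@{ Element = $element; Code = $key; Meaning = $meaning }
}

function ConvertFrom-NapEntry {
    param([string]$Text)
    $attributes = [ordered]@{}
    $health = @()
    $diagnostics = @()
    $inHealth = $false
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($inHealth -and $line -match '^\((0x[0-9A-Fa-f]+)-(.*)\)$') {
            $diagnostics += ConvertFrom-DiagnosticCode $Matches[1] $diagnostics.Count
        } elseif ($inHealth) {
            $health += $line          # the NonCompliant / None lines that precede the codes
        } elseif ($line -match '^Quarantine-System-Health-Result\s*=') {
            $inHealth = $true
        } elseif ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $attributes[$Matches[1]] = $Matches[2]
        } else {
            $attributes['Message'] = $line
        }
    }
    [pscustomobject]@{ Attributes = $attributes; HealthResult = $health; Diagnostics = $diagnostics }
}

# Constructed entry modeled on the guide's second example; the session identifier is a
# placeholder and the nine diagnostic lines are chosen to show one code of each kind.
$entry = @'
Machine testclient was quarantined.
Fully-Qualified-Machine-Name = <undetermined>
Fully-Qualified-User-Name = <undetermined>
NAS-IPv6-Address = fe80::e1dc:49f:af27:d0c1
NAS-Identifier = testserver
Account-Session-Identifier = SESSION_ID_PLACEHOLDER
Quarantine-System-Health-Result =
NonCompliant
None
(0xC0FF0003-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x0-)
(0x40-)
(0x24000-)
'@
$parsed = ConvertFrom-NapEntry $entry
'{0} (NAS {1}; result {2})' -f $parsed.Attributes['Message'], $parsed.Attributes['NAS-Identifier'], ($parsed.HealthResult -join ', ')
$parsed.Diagnostics | Format-Table Element, Code, Meaning -AutoSize
```

When the Windows Security Center is reported as down (the 0xC0FF0003 case in the constructed entry), the guide's rule applies: the remaining element codes carry no meaning and should be ignored, so a decoder used for reporting should suppress them rather than count the 0x0 entries as compliant components.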
Register an NPS Server in Another Domain
To provide an NPS server with permission to read the dial-in properties of user accounts in Active
Directory, the NPS server must be registered in the domain where the accounts reside.
You can use this procedure to register an NPS server in a domain where the NPS server is not a
domain member.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
You can perform this procedure by using the following methods:
To register an NPS server in another domain by using Netsh commands for NPS
1. Open Command Prompt.
2. Type the following at the command prompt: netsh nps add registeredserver
domain server, and then press ENTER.
In the preceding command, domain is the DNS domain name of the domain where you
want to register the NPS server, and server is the name of the NPS server computer.
Verify Configuration After Renaming an NPS Server
There might be circumstances when you need to change the name of an NPS server or proxy,
such as when you redesign the naming conventions for your servers.
If you change an NPS server or proxy name, it is necessary to reconfigure portions of your NPS
deployment.
Use the following general guidelines to assist you in verifying that a server name change does not
interrupt network access authentication, authorization, or accounting.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
Managing Certificates Used with NPS
If you deploy a certificate-based authentication method, such as EAP-TLS, PEAP-TLS, or PEAP-
MS-CHAP v2, you must enroll a server certificate to all of your NPS servers. The server certificate
must:
• Meet the minimum server certificate requirements as described in Certificate
Requirements for PEAP and EAP at http://go.microsoft.com/fwlink/?LinkID=101491.
• Be issued by a certification authority (CA) that is trusted by client computers. A CA is
trusted when its certificate exists in the Trusted Root Certification Authorities certificate store
for the current user and local computer.
The following objectives assist in managing NPS server certificates in deployments where the
trusted root CA is a third-party CA, such as Verisign, or is a CA that you have deployed for your
public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS) in Windows
Server 2008.
The following objectives are part of managing NPS server certificates:
• Change the Cached TLS Handle Expiry
• Obtain the SHA-1 Hash of a Trusted Root CA Certificate
For example, you might want to decrease the TLS handle expiry time in a scenario where a
user's certificate has been revoked by an administrator and the certificate has expired. In this
scenario, the user can still connect to the network if an NPS server has a cached TLS handle that
has not expired. Reducing the TLS handle expiry might help prevent such users with revoked
certificates from reconnecting.
Note
The best solution to this scenario is to disable the user account in Active Directory, or to
remove the user account from the Active Directory group that is granted permission to
connect to the network in network policy. The propagation of these changes to all domain
controllers might also be delayed, however, due to replication latency.
Use the following tasks to configure the TLS handle expiry:
• Configure the TLS Handle Expiry Time on Client Computers
• Configure the TLS Handle Expiry Time on NPS Servers
Configure the TLS Handle Expiry Time on NPS Servers
Use this procedure to change the amount of time that NPS servers cache the Transport Layer
Security (TLS) handle of client computers. After successfully authenticating an access client, NPS
servers cache TLS connection properties of the client computer as a TLS handle. The TLS handle
has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the
TLS handle expiry time by using the following procedure.
Important
This procedure must be performed on an NPS server, not on a client computer.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To configure the TLS handle expiry time on NPS servers using the Windows interface
1. On an NPS server, open Registry Editor.
2. Browse to the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. On the Edit menu, click New, and then click Key.
4. Type ServerCacheTime, and then press ENTER.
5. Right-click ServerCacheTime, click New, and then click DWORD (32-bit) Value.
6. Type the amount of time, in milliseconds, that you want NPS servers to cache the
TLS handle of a client computer after the first successful authentication attempt by the
client.
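The procedure above makes the change through Registry Editor. As an added PowerShell example (not from the guide), the script below applies the same setting from an elevated prompt on the NPS server and reads it back for verification. It assumes the expiry is stored as a DWORD value named ServerCacheTime directly under the SCHANNEL key, in milliseconds; the 18,000,000 ms (5 hour) figure is a constructed value chosen to be shorter than the 10 hour default the guide states.

```powershell
# Added example (not code from the NPS guide): set the Schannel server-side TLS handle cache
# time on an NPS server from an elevated PowerShell prompt, then read it back.
# Assumption: the setting is a DWORD value named ServerCacheTime directly under the SCHANNEL
# key, in milliseconds. 18000000 ms (5 hours) is a constructed value; the guide gives the
# default as 36000000 ms (10 hours).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cacheMs  = 18000000

# Create the value with the DWORD type if it does not exist yet; otherwise update it in place.
$existing = Get-ItemProperty -Path $schannel -Name ServerCacheTime -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $schannel -Name ServerCacheTime -PropertyType DWord -Value $cacheMs | Out-Null
} else {
    Set-ItemProperty -Path $schannel -Name ServerCacheTime -Value $cacheMs
}

# Read the value back and report it in hours so it can be checked against the intended expiry.
$ms = (Get-ItemProperty -Path $schannel -Name ServerCacheTime).ServerCacheTime
'ServerCacheTime = {0} ms ({1:N1} hours)' -f $ms, ($ms / 3600000)
```

The read-back line is the check worth keeping: a value created with the wrong type (a string rather than a DWORD) or with seconds instead of milliseconds would silently leave the cache at a duration other than the one intended.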
EAP or PEAP. To designate a trusted root CA certificate that clients must use to validate the
server certificate, you can enter the SHA-1 hash of the certificate.
This procedure demonstrates how to obtain the SHA-1 hash of a trusted root CA certificate by
using the Certificates Microsoft Management Console (MMC) snap-in.
Administrative credentials
To complete this procedure, you must be a member of the Users group on the local computer.
• Terminal Services Gateway (TS Gateway) servers
To use NPS to manage network access, you must configure one or more RADIUS clients in NPS.
If you are configuring an NPS proxy as a RADIUS client on an NPS server, the NPS proxy must
also be configured with RADIUS clients that forward connection requests to the proxy. The proxy
forwards the connection request to a remote RADIUS server group based on the connection
request processing rules defined on the proxy.
The following objectives are part of managing RADIUS clients:
• Set up RADIUS Clients
• Set up RADIUS Clients by IP Address Range
Important
Client computers, such as wireless laptop computers and other computers running client
operating systems, are not RADIUS clients. RADIUS clients are network access servers
—such as wireless access points, 802.1X authenticating switches, virtual private network
(VPN) servers, and dial-up servers—because they use the RADIUS protocol to
communicate with RADIUS servers such as Network Policy Server (NPS) servers.
This step is also necessary when your NPS server is a member of a remote RADIUS server
group that is configured on an NPS proxy. In this circumstance, in addition to performing the
steps in this task on the NPS proxy, you must do the following:
• On the NPS proxy, configure a remote RADIUS server group that contains the NPS
server.
• On the remote NPS server, configure the NPS proxy as a RADIUS client.
Task requirements
The following are required to perform the procedures for this task:
• You must have at least one network access server (VPN server, wireless access point,
authenticating switch, or dial-up server) or NPS proxy physically installed on your network.
To complete this task, perform the following procedures:
• Configure the Network Access Server
• Add the Network Access Server as a RADIUS Client in NPS
Configure the Network Access Server
Use this procedure to configure network access servers for use with NPS. When you deploy
network access servers (NASs) as RADIUS clients, you must configure the clients to
communicate with the NPS servers where the NASs are configured as clients.
This procedure provides general guidelines about the settings you should use to configure your
NASs; for specific instructions on how to configure the device you are deploying on your network,
see your NAS product documentation.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
Important
Client computers, such as wireless laptop computers and other computers running client
operating systems, are not RADIUS clients. RADIUS clients are network access servers
—such as wireless access points, 802.1X authenticating switches, virtual private network
(VPN) servers, and dial-up servers—because they use the RADIUS protocol to
communicate with RADIUS servers such as Network Policy Server (NPS) servers.
Managing Network Policies
This section provides information about how to manage NPS network policies.
After NPS authenticates users or computers connecting to your network, it performs authorization
to determine whether to grant the user or computer permission to connect.
Authorization is performed when NPS checks the dial-in properties of user accounts in Active
Directory and when NPS evaluates the connection request against the network policies
configured in the NPS console.
In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account
properties, the Network Access Permission setting is used by NPS to make authorization
decisions, as follows:
• If the value of Network Access Permission is Deny access, the user is always denied
access to the network by NPS, regardless of any settings in network policy.
• If the value of Network Access Permission is Allow access, the user is allowed
network access unless there is a network policy that explicitly denies access to the user.
• If the value of Network Access Permission is Control access through NPS Network
Policy, NPS makes authorization decisions based solely on network policy settings.
Note
For ease of administration of network access, it is recommended that the Network
Access Permission setting is always set to Control access through NPS Network
Policy. By default, if your forest functional level is Windows Server 2008, when you
create a user account, the value of Network Access Permission is set to Control
access through NPS Network Policy.
You can also specify connection settings in an NPS network policy that are applied after the
connection is authenticated and authorized. For example, you can define IP filters for the
connection that specify the network resources to which the user has permission to connect.
access when connecting through wireless access points; however, members of the Wireless
Users group are granted access when connecting by wireless. If the network policy that denies
wireless access to Domain Users is evaluated before the Wireless Users policy is evaluated, NPS
denies access to members of the Wireless Users group when they attempt to connect by wireless
— even though your intention is to grant them access.
The solution to this problem is to move the Wireless Users network policy higher in the list of
policies in the NPS console so that it is evaluated before the Domain Users policy is evaluated. In
this circumstance, when a member of the Wireless Users group attempts to connect, NPS
evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives
a wireless connection attempt from a member of the Domain Users group that is not also a
member of the Wireless Users group, the connection attempt does not match the Wireless Users
policy, so that policy is not evaluated by NPS. Instead, NPS moves down to the Domain Users
wireless policy, and then denies the connection to the member of the Domain Users group.
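The ordering problem described above as an added PowerShell example (not code from the guide): a first-match evaluator over an ordered list of policy objects, run once with the deny policy first and once with the Wireless Users policy moved up. The policy names, the condition fields and the 'Wireless' and 'Virtual' NAS-Port-Type labels are constructed for the illustration; the no-match outcome uses Reason-Code 48, IAS_NO_POLICY_MATCH, from the log attribute table earlier in this guide.

```powershell
# Added example (not code from the NPS guide): first-match evaluation of an ordered policy list,
# reproducing the Domain Users / Wireless Users ordering problem.
# Policy objects, group names and the NAS-Port-Type labels are constructed for this illustration.
function Test-PolicyOrder {
    param([object[]]$Policies, [string[]]$UserGroups, [string]$NasPortType)
    foreach ($policy in $Policies) {
        # A policy matches when every condition it sets is satisfied; the first match decides
        # and no later policy is evaluated.
        $groupOk = ($null -eq $policy.Group) -or ($UserGroups -contains $policy.Group)
        $portOk  = ($null -eq $policy.NasPortType) -or ($policy.NasPortType -eq $NasPortType)
        if ($groupOk -and $portOk) {
            $verdict = if ($policy.Grant) { 'granted' } else { 'denied' }
            return '{0} by policy "{1}"' -f $verdict, $policy.Name
        }
    }
    return 'rejected: no policy matched (Reason-Code 48, IAS_NO_POLICY_MATCH)'
}

$denyDomainWireless = @{ Name = 'Deny Domain Users wireless'; Group = 'Domain Users';   NasPortType = 'Wireless'; Grant = $false }
$allowWireless      = @{ Name = 'Allow Wireless Users';       Group = 'Wireless Users'; NasPortType = 'Wireless'; Grant = $true }

$wirelessMember = @('Domain Users', 'Wireless Users')   # every Wireless Users member is also a Domain User
$plainMember    = @('Domain Users')

'Misordered list (deny policy evaluated first):'
'  Wireless Users member, wireless: ' + (Test-PolicyOrder @($denyDomainWireless, $allowWireless) $wirelessMember 'Wireless')
'Corrected list (Wireless Users policy moved higher):'
'  Wireless Users member, wireless: ' + (Test-PolicyOrder @($allowWireless, $denyDomainWireless) $wirelessMember 'Wireless')
'  Domain Users member, wireless:   ' + (Test-PolicyOrder @($allowWireless, $denyDomainWireless) $plainMember 'Wireless')
'  Domain Users member, VPN:        ' + (Test-PolicyOrder @($allowWireless, $denyDomainWireless) $plainMember 'Virtual')
```

The last case is the one to watch when reordering policies: a connection type that no policy covers is not granted by default, so moving the Wireless Users policy up must not be read as loosening access for members connecting by other means.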
The following objectives are part of managing NPS network policies:
• Configure NPS for VLANs
• Configure the EAP Payload Size
• Configure NPS to Ignore User Account Dial-in Properties
Configure a Network Policy for VLANs
Use this procedure to configure a network policy that assigns users to a VLAN. When you use
VLAN-aware network hardware, such as routers, switches, and access controllers, you can
configure network policy to instruct the access servers to place members of specific Active
Directory groups on specific VLANs. This ability to group network resources logically with VLANs
provides flexibility when designing and implementing network solutions.
When you configure the settings of an NPS network policy for use with VLANs, you must
configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-
Tag.
You can use the following procedure to create a network policy that assigns users to a VLAN.
This procedure is provided as a guideline; your network configuration might require different
settings than those provided below.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
following steps to add the Tunnel-Tag attribute to the network policy. If your NAS
documentation does not mention this attribute, do not add it to the policy. Add the
attributes as follows:
a. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.
b. In the details pane, click Add. The Add Vendor Specific Attribute dialog box
opens.
c. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The
Attribute Information dialog box opens.
d. In Attribute value, type the value that you obtained from your hardware
documentation.
Use this procedure to lower the maximum EAP payload size by using the Framed-MTU attribute
in an NPS network policy. You can lower the EAP payload size by configuring the Framed-MTU
attribute in network policy settings properties in the NPS console.
Perform this procedure if you have routers or firewalls that are not capable of performing
fragmentation. The recommended Framed-MTU value in this circumstance is 1344 bytes or less.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group.
To configure the Framed-MTU attribute
1. Click Start, click Administrative Tools, and then click Network Policy Server. The
NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-
click the policy that you want to configure.
3. In the policy Properties dialog box, click the Settings tab.
4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add.
The Add Standard RADIUS Attribute dialog box opens.
5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The
Attribute Information dialog box opens.
6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close,
and then click OK.
To configure NPS to ignore user account dial-in properties
1. Click Start, click Administrative Tools, and then click Network Policy Server. The
NPS console opens.
2. Double-click Policies, click Network Policies, and then in the details pane double-
click the policy that you want to configure.
3. In the policy Properties dialog box, on the Overview tab, in Access Permission,
select the Ignore user account dial-in properties check box, and then click OK.