
Network Policy Server Page 1 of 3

Network Policy Server


Updated: January 21, 2008

Network Policy Server (NPS) allows you to create and enforce organization-wide network access
policies for client health, connection request authentication, and connection request authorization.

What does Network Policy Server do?


Network Policy Server is the Microsoft implementation of a Remote Authentication Dial-In
User Service (RADIUS) server and proxy. You can use NPS to centrally manage network
access through a variety of network access servers, including wireless access points, VPN
servers, dial-up servers, and 802.1X authenticating switches. In addition, you can use NPS to
deploy secure password authentication with Protected Extensible Authentication Protocol
(PEAP)-MS-CHAP v2 for wireless connections. NPS also has key components for deploying
Network Access Protection (NAP) on your network.
The following technologies can be deployed after the NPS role service has been installed:

NAP policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to communicate on the network. You can create NAP policies in NPS that allow client computers to update their configuration to comply with your organization's network policy.

IEEE 802.11 Wireless. Using the NPS Microsoft Management Console (MMC) snap-in, you can configure 802.1X-based connection request policies for IEEE 802.11 wireless client network access. You can also configure wireless access points as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.11 wireless connections. You can fully integrate IEEE 802.11 wireless access with NAP when you deploy a wireless 802.1X authentication infrastructure so that the health status of wireless clients is verified against health policy before clients are allowed to connect to the network.

IEEE 802.3 Wired. Using the NPS MMC snap-in, you can configure 802.1X-based connection request policies for IEEE 802.3 wired client Ethernet network access. You can also configure 802.1X-compliant switches as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.3 Ethernet connections. You can fully integrate IEEE 802.3 wired client access with NAP when you deploy a wired 802.1X authentication infrastructure.

RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and remote access dial-up and VPN connections, as well as for connections to computers running Terminal Services Gateway (TS Gateway). When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests. You can configure RADIUS accounting so that NPS records accounting information to log files on the local hard disk or in a Microsoft® SQL Server™ database.

RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the server running NPS which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

http://technet.microsoft.com/en-us/library/cc733085(d=printer,v=WS.10).aspx 4/17/2011

Who will be interested in this feature?


Network and systems administrators who want to centrally manage network access, including authentication (verification of identity), authorization (verification of the right to access the network), and accounting (the logging of NPS status and network connection process data), will be interested in deploying Network Policy Server.

Are there any special considerations?


When a server running NPS is a member of an Active Directory® domain, NPS uses the directory
service as its user account database and is part of a single sign-on solution. The same set of
credentials is used for network access control (authenticating and authorizing access to a network)
and to log on to an Active Directory domain. Because of this, it is recommended that you use NPS
with Active Directory Domain Services (AD DS).

The following additional considerations apply when using NPS.

To deploy NPS with secure IEEE 802.1X wired or wireless access, you must enroll a server certificate to the server running NPS using Active Directory Certificate Services (AD CS) or a non-Microsoft public certification authority (CA). To deploy EAP-TLS or PEAP-TLS, you must also enroll computer or user certificates, which requires that you design and deploy a public key infrastructure (PKI) using AD CS. In addition, you must purchase and deploy network access servers (wireless access points or 802.1X authenticating switches) that are compatible with the RADIUS protocol and EAP.

To deploy NPS with TS Gateway, you must deploy TS Gateway on the local or a remote computer that is running the Windows Server® 2008 operating system.

To deploy NPS with Routing and Remote Access configured as a VPN server, a member of a VPN site-to-site configuration, or a dial-up server, you must deploy Routing and Remote Access on the local or a remote computer that is running Windows Server 2008.

To deploy NPS with NAP, you must deploy additional NAP components as described in NPS product Help and other NAP documentation.

To deploy NPS with SQL Server logging, you must deploy Microsoft SQL Server 2000 or Microsoft SQL Server 2005 on the local or a remote computer.

What new functionality does this feature provide?


NPS provides the following new functionality in Windows Server 2008.

Network Access Protection (NAP). A client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® operating system and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.

Network shell (Netsh) commands for NPS. A comprehensive command set that allows you to manage all aspects of NPS using commands at the netsh prompt and in scripts and batch files.

New Windows interface. Windows interface improvements, including policy creation wizards for NAP, network policy, and connection request policy; and wizards designed specifically for deployments of 802.1X wired and wireless and VPN and dial-up connections.

Support for Internet Protocol version 6 (IPv6). NPS can be deployed in IPv6-only environments, IPv4-only environments, and in mixed environments where both IPv4 and IPv6 are used.


Integration with Cisco Network Admission Control (NAC). With Host Credential Authorization Protocol (HCAP) and NPS, you can integrate Network Access Protection (NAP) with Cisco NAC. NPS provides the Extended State and Policy Expiration attributes in network policy for Cisco integration.

Attributes to identify access clients. The operating system and access client conditions allow you to create network access policies that apply to clients you specify and to clients running operating system versions you specify.

Integration with Server Manager. NPS is integrated with Server Manager, which allows you to manage multiple technologies from one Windows interface location.

Network policies that match the network connection method. You can create network policies that are applied only if the network connection method, such as VPN, TS Gateway, or DHCP, matches the policy. This allows NPS to process only the policies that match the type of RADIUS client used for the connection.

Common Criteria support. NPS can be deployed in environments where support for Common Criteria is required. For more information, see the Common Criteria portal at http://go.microsoft.com/fwlink/?LinkId=95567 [1].

NPS extension library. NPS provides extensibility that enables non-Microsoft organizations and companies to implement custom RADIUS solutions by authoring NPS extension dynamic-link libraries (DLLs). NPS is now resilient to failures in non-Microsoft extension DLLs.

XML NPS configuration import and export. You can export an NPS server configuration to an XML file and import NPS server configurations from XML files with the netsh NPS commands.

EAPHost and EAP policy support. NPS supports EAPHost, which is also available in Windows Vista. EAPHost is a Windows service that implements RFC 3748 and supports all RFC-compliant EAP methods, including expanded EAP types. EAPHost also supports multiple implementations of the same EAP method. NPS administrators can configure network policy and connection request policy based on EAPHost EAP methods.
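As an added example that is not part of the original page, the following PowerShell script combines the Netsh commands for NPS and the XML configuration export and import described in the items above: it registers a RADIUS client on a primary NPS server, exports the configuration with shared secrets included, protects the file, and imports it on a second server. The host name NPS02, the file paths, the client name and address, the placeholder shared secret, and the use of WinRM for Invoke-Command are assumptions.

```powershell
# Added example (not from the TechNet page): replicate an NPS configuration
# from a primary NPS server to a secondary one with netsh nps export/import.
# Assumptions: both hosts run NPS, this runs elevated on the primary, WinRM is
# enabled on the secondary, and all names and paths below are placeholders.
$Secondary  = 'NPS02'                       # hypothetical secondary NPS host
$ExportFile = 'C:\NPSConfig\nps-config.xml' # placeholder local path
$RemoteFile = "\\$Secondary\C$\NPSConfig\nps-config.xml"

New-Item -ItemType Directory -Path (Split-Path $ExportFile) -Force | Out-Null

# Register a RADIUS client (here a wireless access point) on the primary.
# The address is a constructed RFC 1918 value; use the real NAS address.
netsh nps add client name="AP-Floor1" address="10.0.0.10" state="ENABLE" `
    sharedsecret="<strong-shared-secret>" requireauthattrib="NO" napcompatible="NO"

# exportPSK=YES writes the RADIUS shared secrets into the XML in clear text,
# so the file must be handled as a secret: restrict it to administrators.
netsh nps export filename="$ExportFile" exportPSK=YES
$acl = Get-Acl -Path $ExportFile
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ExportFile -AclObject $acl

# Copy to the secondary and import there. Import replaces the whole NPS
# configuration on the target, including any RADIUS clients defined locally.
Copy-Item -Path $ExportFile -Destination $RemoteFile -Force
Invoke-Command -ComputerName $Secondary -ScriptBlock {
    netsh nps import filename="C:\NPSConfig\nps-config.xml"
    netsh nps show client      # confirm the client list arrived
}

# Remove the clear-text copies once the import has been verified.
Remove-Item -Path $ExportFile, $RemoteFile -Force
```

Because the import overwrites the target's existing configuration, run it only on a server that is meant to be a copy of the primary.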

Additional references

For information about other Network Policy and Access Services features, see the Network Policy and Access Services Role topic [2].

Links Table

1. http://go.microsoft.com/fwlink/?LinkId=95567
2. http://technet.microsoft.com/en-us/library/cc732217(v=WS.10).aspx


© 2011 Microsoft. All rights reserved.
