Network Policy Server (NPS) Technical Reference for Windows Server 2016

Microsoft Corporation

Authors: James McIllece, Joseph Davies

Technical Contributors: IAS and NPS PM, Developer, and Test teams, with special thanks to Ashwin Palekar

Applies To: Windows Server 2016

Abstract

Network Policy Server (NPS) is a networking component of Windows Server® 2016 that allows you to create and enforce organization-wide network access policies for connection request authentication and connection request authorization. In addition, you can use a server running NPS as a RADIUS proxy to forward connection requests to NPS or other Remote Authentication Dial-In User Service (RADIUS) servers that you configure in remote RADIUS server groups.

The Network Policy Server (NPS) Technical Reference provides a detailed description of NPS, including how NPS works, and the tools and settings you can use to deploy, administer, and troubleshoot NPS.

Notes:

  • If you are running Network Policy Server in Windows Server 2008 through Windows Server 2012 R2, you can download the Network Policy Server (NPS) Technical Reference for WS08-WS12 R2 from TechNet Gallery.
  • Network Access Protection (NAP), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP) were deprecated in Windows Server 2012 R2, and are not available in Windows Server 2016. If you have a NAP deployment using operating systems earlier than Windows Server 2016, you cannot migrate your NAP deployment to Windows Server 2016.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Network Policy Server (NPS) Technical Reference for Windows Server 2016

Abstract

Network Policy Server Technical Reference

Windows Server Editions and NPS

Windows Server 2016 Datacenter Edition

Windows Server 2016 Standard Edition

What Is Network Policy Server?

Components of a RADIUS Infrastructure

Access clients

Access servers used as RADIUS clients

NPS servers used as RADIUS servers

NPS proxies and RADIUS proxies

User accounts databases

NPS as a RADIUS Server and Proxy

RADIUS server

RADIUS proxy

RADIUS clients

New Features and Name Changes for NPS

NPS functionality in Windows Server 2008 and later

Additional features of NPS

Name changes from Windows Server 2003

NPS Terminology

Planning NPS as a RADIUS proxy

Plan NPS server configuration

Plan RADIUS clients

Plan remote RADIUS server groups

Plan attribute manipulation rules for message forwarding

Plan connection request policies

Plan NPS accounting

Planning NPS as a RADIUS server

Plan NPS server configuration

Plan RADIUS clients

Plan the use of authentication methods

Plan network policies

Plan NPS accounting

Components of NPS

Configuration

NPS logging

RADIUS Clients and Servers

Policies

Network Policies

Accounting

How Network Policy Server Works

NPS Architecture

Network Policy Server components

NPS Protocols

Authentication Protocols

RADIUS Protocol

RADIUS Attributes

NPS Processes and Interactions

Incoming RADIUS Message Validation

Network Access Quarantine Control in NPS

NPS and Tunneling

NPS Certificate Revocation List (CRL) Checks

Processing a User Name Without a Domain Name

Connection Request Processing

NPS Authorization Process

RADIUS Authentication Process Overview

NPS Accounting

Network Policy Server Tools and Settings

NPS Tools

NPS console

NPS MMC snap-in

Netsh commands for NPS

Network Monitor

NPS API sets

NPS Settings

NPS Server Registration in Active Directory

NPS Ports

Connecting to a remote SQL server

NPS Firewall Settings

NPS Message-Authenticator Attribute

NPS Shared Secrets

NPS Reason Codes

NPS Registry Entries

Network Policy Server Technical Reference

Network Policy Server (NPS) is a networking component of Windows Server® that allows you to create and enforce organization-wide network access policies for connection request authentication and connection request authorization. In addition, you can use a server running NPS as a RADIUS proxy to forward connection requests to NPS or other Remote Authentication Dial-In User Service (RADIUS) servers that you configure in remote RADIUS server groups.

The Network Policy Server (NPS) Technical Reference provides a detailed description of NPS, including how NPS works, and the tools and settings you can use to deploy, administer, and troubleshoot NPS.

Important. Network Access Protection (NAP), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP) were deprecated in Windows Server 2012 R2, and are not available in Windows Server 2016. If you have a NAP deployment using operating systems earlier than Windows Server 2016, you cannot migrate your NAP deployment to Windows Server 2016.

In Windows Server, Network Policy Server (NPS) is included in the Network Policy and Access Services (NPAS) server role.

The NPAS server role, in the Add Roles and Features installation wizard, includes the following role service:

  • Network Policy Server (NPS)

In previous versions of Windows Server, the NPAS server role also included Routing and Remote Access Service. This technology is relocated in Windows Server 2016 to the Remote Access server role.

Windows Server Editions and NPS

NPS provides different functionality depending on the edition of Windows Server that you install.

Windows Server 2016 Datacenter Edition

With NPS in Windows Server 2016 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

Windows Server 2016 Standard Edition

With NPS in Windows Server 2016 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.

What Is Network Policy Server?

In this section

  • Components of a RADIUS Infrastructure
  • NPS as a RADIUS Server and Proxy
  • New Features and Name Changes for NPS
  • NPS Terminology
  • Planning NPS as a RADIUS proxy
  • Planning NPS as a RADIUS server
  • Components of NPS

When you provide your organization’s employees and their computers with network connectivity through network access servers, such as virtual private network (VPN) servers, 802.1X-capable wireless access points and authenticating switches, and dial-up servers, you can use NPS to create, centrally manage, and enforce the network access policies that determine whether users and computers can or cannot access the network.

During a connection attempt, users and computers typically provide account credentials in the form of a user name and password or a certificate. NPS can examine these credentials and use them to verify the identity of – or authenticate – the user or computer before allowing network access. NPS can also determine whether the user or computer has permission to access the network by authorizing the connection request against user account properties, network policies that you have created, or both.

NPS provides you with the advantage of configuring network policies at one server (the server running NPS) that are applied at many servers (the network access servers). For example, if you have 10 wireless access points and are not using NPS, you must configure access policies 10 times, once at each network access server; but if you use NPS, you must configure each policy only one time.

By using NPS, you can centrally manage network access for organizations of all sizes, including small businesses, medium organizations, enterprise-level organizations, and Internet service providers (ISPs). NPS provides you with the ability to secure and manage network access across a variety of network access scenarios such as the following:

  • Employees connecting to your organization network through dial-up, VPN, wireless, Terminal Services Gateway (TS Gateway), and wired connections, using a variety of devices, including organization computers, personal digital assistants, and non-domain member computers, such as employee-owned devices.
  • Employees connecting to other networks, including the Internet and business partner networks.
  • Business partners connecting to your organization network.

The underlying protocol that provides NPS with the ability to communicate with such a broad range of network access servers is the Remote Authentication Dial-In User Service (RADIUS) protocol.

Components of a RADIUS Infrastructure

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS and network access servers use the RADIUS protocol to securely transmit RADIUS messages.

The RADIUS protocol is used solely between RADIUS servers and proxies, such as servers and proxies running NPS, and RADIUS-compliant network access servers. A fully functioning RADIUS infrastructure also contains components that do not use the RADIUS protocol, however, such as access clients and user accounts databases.

Note
RADIUS is an industry standard. For more information about RADIUS, see RFC 2865, “Remote Authentication Dial-In User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” For information about standards that apply to NPS in Windows Server 2016, see RFC 2868, “RADIUS Attributes for Tunnel Protocol Support,” and RFC 2869, “RADIUS Extensions.”

There are five components to an NPS or RADIUS infrastructure: access clients, access servers (RADIUS clients), NPS servers (RADIUS servers), NPS proxies (RADIUS proxies), and user account databases.

A RADIUS infrastructure is used to perform authentication, authorization and accounting of user network access attempts.

Authentication is the process of verifying the credentials of the users attempting to connect to a network.

The authorization process determines whether users have permission to connect to the network, and the conditions under which permission has been granted. Accounting is an option that provides record keeping of successful or failed connection attempts.

The following figure, “Components of an NPS Infrastructure,” illustrates the relationships between the five components of an NPS infrastructure.

Components of an NPS Infrastructure

Access clients

An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or local area network (LAN) clients connected to an authenticating switch.

Note
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Access servers used as RADIUS clients

An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server.

NPS servers used as RADIUS servers

An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request.
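The following Python code is an added example, not part of this reference and not NPS code. It builds an Access-Request in the RFC 2865 wire format and parses the attribute list back out, rejecting the malformed Length fields that a RADIUS server must discard before it evaluates any attribute. The shared secret, user name, NAS address, Called-Station-Id and Request Authenticator values are constructed for the example.

```python
# Added example: RFC 2865 Access-Request construction and parsing.
# Not NPS code; all names and sample values below are constructed for illustration.
import hashlib
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1            # RADIUS Code for Access-Request (RFC 2865 section 3)
ATTR_USER_NAME = 1            # standard attribute types used in the sample
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30
HEADER_LEN = 20               # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096         # upper bound on the Length field per RFC 2865


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16, then XOR each
    16-octet block with MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not modern encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server that holds the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # strips the RFC padding (and any trailing NULs in the password)


def build_access_request(identifier: int, secret: bytes,
                         attributes: List[Tuple[int, bytes]],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Serialize an Access-Request; a random Request Authenticator is generated if none is given."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b""
    for attr_type, value in attributes:
        if attr_type == ATTR_USER_PASSWORD:
            value = hide_password(value, secret, authenticator)
        if len(value) > 253:           # attribute Length is one octet and includes the 2-octet header
            raise ValueError("attribute value longer than 253 octets")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data: bytes) -> dict:
    """Parse the header and the attribute list, rejecting the malformed length fields that
    RFC 2865 section 3 says a receiver must silently discard."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN or length > len(data):
        raise ValueError("invalid Length field %d" % length)
    attrs = []
    pos = HEADER_LEN
    while pos < length:                # octets beyond Length are padding and are ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("invalid attribute length %d at offset %d" % (attr_len, pos))
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs}


def is_well_formed(data: bytes) -> bool:
    """Convenience check for triaging captured or logged packets."""
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a NAS at 192.0.2.10 forwarding a logon for alice@contoso.example.
    secret = b"example-shared-secret"
    pkt = build_access_request(7, secret, [
        (ATTR_USER_NAME, b"alice@contoso.example"),
        (ATTR_USER_PASSWORD, b"correct horse"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (ATTR_CALLED_STATION_ID, b"00-11-22-33-44-55:CORP-WLAN"),
    ])
    parsed = parse_packet(pkt)
    for attr_type, value in parsed["attributes"]:
        if attr_type == ATTR_USER_PASSWORD:
            value = reveal_password(value, secret, parsed["authenticator"])
        print(attr_type, value)
```

Two points the code makes concrete: the attribute list is only trustworthy after every Type/Length pair has been bounds-checked against the packet Length, and the User-Password attribute is recoverable by anyone who holds the shared secret, which is why the secret must be long, random and unique per RADIUS client.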

NPS proxies and RADIUS proxies

An NPS or RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients and RADIUS servers. The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server.

A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.

User accounts databases

The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information.

The user account databases that NPS can use are the local Security Accounts Manager (SAM); a Microsoft Windows NT Server 4.0 domain; the Active Directory directory service and user accounts database included with Windows Server 2003 and Windows 2000; and the user accounts database provided with Active Directory Domain Services (AD DS) in Windows Server 2008 through Windows Server 2016.

When NPS is a domain member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations:

  • In the domain in which the NPS server is a member.
  • In domains for which there is a two-way trust with the NPS server domain.
  • In trusted forests with domain controllers running Windows Server 2008 through Windows Server 2016 and AD DS.

If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for Active Directory include untrusted forests, untrusted domains, or one-way trusted domains.

NPS as a RADIUS Server and Proxy

RADIUS servers process connection requests, whereas RADIUS proxies forward connection requests to other RADIUS servers for processing. You can configure a server running NPS to act as a RADIUS server, a RADIUS proxy, or both.

RADIUS server

When you deploy NPS as a RADIUS server, NPS receives connection requests from network access servers, and then processes the requests. NPS performs centralized connection authentication, authorization, and accounting for many types of network access.

When NPS is used as a RADIUS server, it provides the following:

  • A central authentication and authorization service for all access requests that are sent by RADIUS clients.
    NPS uses a Microsoft Windows NT Server 4.0 domain, an Active Directory domain, or the local SAM to authenticate user credentials for a connection attempt. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
  • A central accounting recording service for all accounting requests that RADIUS clients send. Accounting requests are stored in a local log file or a SQL server database for analysis.

RADIUS proxy

As a RADIUS proxy, NPS provides the routing of RADIUS messages between RADIUS clients (access servers), other RADIUS proxies, and the RADIUS servers that perform authentication, authorization, and accounting (AAA) for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow.

Note
When you configure NPS as a RADIUS proxy, network access servers are configured as RADIUS clients on the RADIUS proxy. In other words, connection requests originate at and are sent by RADIUS clients to the RADIUS proxy. Because the RADIUS proxy forwards these connection requests to remote RADIUS servers for processing, the proxy is acting as a RADIUS client to the remote RADIUS server.

The following illustration shows NPS as a RADIUS proxy between RADIUS clients (access servers) and either RADIUS servers or another RADIUS proxy.

You can use NPS as a RADIUS proxy when:

  • You are a service provider who offers outsourced dial-up, VPN, or wireless network access services to multiple customers. Your network access servers send connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that is maintained by the customer and can authenticate and authorize the connection attempt. For more information, see the section Realm Names later in this guide.
  • You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS server is a member or another domain that has a two-way trust with the domain in which the NPS server is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for network access servers in another domain or forest.
    NPS supports authentication across forests without a RADIUS proxy when the two forests contain only domains that consist of domain controllers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. The forest functional level must be Windows Server 2003 or higher, and there must be a two-way trust relationship between forests. If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2016 through Windows Server 2003 domains.
  • You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, connection requests that match a specified realm name are forwarded to a RADIUS server, which has access to a different database of user accounts and authorization data. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases.
  • You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second.
  • You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall is between your perimeter network (the network between your intranet and the Internet) and intranet. By placing an NPS server on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS server and multiple domain controllers. When replacing the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPS servers within your intranet.
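The following Python code is an added example, not part of this reference and not NPS's implementation. It covers the two proxy behaviors described above: routing on the realm portion of the User-Name attribute (the prefix form REALM\user or the suffix form user@realm) to a remote RADIUS server group, and balancing forwarded requests across the members of that group. Routing on Called-Station-Id is not shown. The group names, addresses and realms are constructed; the priority and weight fields mirror the settings NPS exposes for group members, but the selection logic here is a simplification and is an assumption of the example, as is the choice to discard a request whose realm matches no forwarding rule.

```python
# Added example: realm-based forwarding and load balancing for a RADIUS proxy.
# Simplified illustration, not NPS's implementation; all names and addresses are constructed.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RemoteServer:
    address: str
    priority: int = 1       # lower value is tried first (NPS exposes priority and weight per member)
    weight: int = 50        # relative share of requests among servers with the same priority
    available: bool = True  # set False once the server has stopped answering


@dataclass
class RemoteGroup:
    name: str
    servers: List[RemoteServer]


def split_realm(user_name: str) -> Tuple[Optional[str], str]:
    """Return (realm, user) for the prefix form REALM\\user or the suffix form user@realm.
    A bare user name has no realm. Realms are compared case-insensitively."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm.lower(), user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm.lower(), user
    return None, user_name


def choose_target(user_name: str, realm_routes: Dict[str, RemoteGroup],
                  local_realms: Set[str]) -> Tuple[str, Optional[RemoteGroup]]:
    """Decide whether the proxy processes the request itself or forwards it.
    realm_routes plays the role of connection request policies that match on realm.
    A realm this server's own domain owns, or no realm at all, is handled locally;
    a realm that matches no rule is discarded (a design choice of this example)."""
    realm, _ = split_realm(user_name)
    if realm is None or realm in local_realms:
        return "local", None
    group = realm_routes.get(realm)
    if group is None:
        return "discard", None
    return "forward", group


def pick_server(group: RemoteGroup, seed: Optional[int] = None) -> Optional[RemoteServer]:
    """Weighted random choice among available servers at the lowest (best) priority value.
    Servers with a higher priority number are used only when every lower one is unavailable."""
    candidates = [s for s in group.servers if s.available]
    if not candidates:
        return None
    best = min(s.priority for s in candidates)
    tier = [s for s in candidates if s.priority == best]
    rng = random.Random(seed)
    return rng.choices(tier, weights=[s.weight for s in tier], k=1)[0]


def route(user_name: str, realm_routes: Dict[str, RemoteGroup],
          local_realms: Set[str], seed: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Full decision: ('local', None), ('discard', None) or ('forward', server_address)."""
    action, group = choose_target(user_name, realm_routes, local_realms)
    if action != "forward":
        return action, None
    server = pick_server(group, seed)
    return ("forward", server.address) if server else ("discard", None)


if __name__ == "__main__":
    # Constructed sample: the proxy's own domain is corp.example; contoso.example is a
    # customer realm served by a two-member primary tier plus one backup server.
    contoso = RemoteGroup("Contoso-RADIUS", [
        RemoteServer("192.0.2.10", priority=1, weight=70),
        RemoteServer("192.0.2.11", priority=1, weight=30),
        RemoteServer("192.0.2.12", priority=2, weight=50),
    ])
    routes = {"contoso.example": contoso}
    for name in ("bob", "CORP\\carol", "alice@contoso.example", "eve@unknown.example"):
        print(name, "->", route(name, routes, {"corp.example"}))
```

When the whole primary tier is marked unavailable the backup at priority 2 takes every request, and when no member is available the request is discarded rather than processed locally, so an outage of the remote group never silently turns into local authentication against the wrong accounts database.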

The following illustration shows the path of an Access-Request message from a network access server to a RADIUS proxy, and then on to a RADIUS server in a remote RADIUS server group. On the RADIUS proxy, the network access server is configured as a RADIUS client; and on each RADIUS server, the RADIUS proxy is configured as a RADIUS client.