Connection Request Processing

Applies To: Windows Server 2008, Windows Server 2008 R2

In this section

• Load Balancing with NPS Proxy

• Realm Names

• Using Pattern-Matching Syntax in NPS

To determine whether a specific connection attempt request or an accounting message received from a Remote Authentication Dial-In User Service (RADIUS) client must be processed locally or forwarded to another RADIUS server, the NPS server uses connection request processing. Connection request processing is a combination of the following:

• Connection request policies that determine, for any incoming RADIUS request message, whether the message is processed locally or forwarded to another RADIUS server. For more information, see Connection Request Policies.

• Remote RADIUS server groups that contain one or more RADIUS servers to which RADIUS request messages are forwarded. For more information, see Remote RADIUS Server Groups.

If connection request policy is configured to forward connection requests to members of a remote RADIUS server group, NPS is configured as a RADIUS proxy.

NPS Proxy Process Overview

When NPS is a RADIUS proxy between a RADIUS client and a RADIUS server, the messages that RADIUS sends for network access are forwarded as follows:

1. Access servers, such as dial-up network access servers, virtual private network (VPN) servers, and wireless access points, receive connection requests from access clients.

2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server that is being used as the NPS RADIUS proxy.

3. The NPS RADIUS proxy receives the Access-Request message and, based on the locally configured connection request policies, determines where to forward the Access-Request message.

4. The NPS RADIUS proxy forwards the Access-Request message to the appropriate RADIUS server.

5. The RADIUS server evaluates the Access-Request message.

6. If required, the RADIUS server sends an Access-Challenge message to the NPS RADIUS proxy, where it is forwarded to the access server. The access server processes the challenge with the access client, and then sends an updated Access-Request to the NPS RADIUS proxy, where it is forwarded to the RADIUS server.

7. The RADIUS server authenticates and authorizes the connection attempt.

8. If the connection attempt is both authenticated and authorized, the RADIUS server sends an Access-Accept message to the NPS RADIUS proxy, where it is forwarded to the access server.

9. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends an Access-Reject message to the NPS RADIUS proxy, where it is forwarded to the access server.

10. The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS RADIUS proxy. The NPS RADIUS proxy logs the accounting data and forwards the message to the RADIUS server.

11. The RADIUS server sends an Accounting-Response to the NPS RADIUS proxy, where it is forwarded to the access server.

The following sections provide information about how an NPS RADIUS proxy changes each type of RADIUS message when it forwards the message.

Access-Request messages

Forwarding a RADIUS Access-Request message from a RADIUS client to a RADIUS server results in the following changes to the RADIUS Access-Request message:

• Attribute manipulation rules are applied and the RADIUS attribute is modified according to the configured find and replace rules.

• All RADIUS message fields for which the RADIUS shared secret is used are recalculated. The recalculation is performed by using the shared secret of the NPS RADIUS proxy and the remote RADIUS server to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute), User-Name, Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated.

• If the Access-Request message contains a Proxy-State attribute indicating that the message has been forwarded by another RADIUS proxy, the contents of the Proxy-State attribute are saved in a proxy session table and the Proxy-State attribute is rewritten with a value determined by the NPS RADIUS proxy. The new value of the Proxy-State attribute is stored in a proxy session table.

When forwarding the Access-Request message, any additional RADIUS attributes that are configured in connection request policy Settings are stored in the proxy session table. These attributes are not actually added to the Access-Request message but are saved for the response to the Access-Request message.

Access-Accept messages

The Proxy-State attribute in the Access-Accept message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is forwarded, the Proxy-State attribute of the original Access-Request message, and any additional RADIUS attributes to add. If an entry is not found, the Access-Accept message is discarded.

Forwarding a RADIUS Access-Accept message from a RADIUS server to a RADIUS client results in the following changes to the RADIUS Access-Accept message:

• All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute), Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated.

• If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Access-Accept message is replaced with the original Proxy-State attribute of the Access-Request message.

• If the proxy session table entry contains any additional RADIUS attributes, these RADIUS attributes are added to the Access-Accept message. If any of these RADIUS attributes are already present, their values are overwritten with new values.

Access-Reject messages

The Proxy-State attribute in the Access-Reject message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is to be forwarded, the Proxy-State attribute of the original Access-Request message, and any additional RADIUS attributes to add. If an entry is not found, the Access-Reject message is discarded.

Forwarding a RADIUS Access-Reject message from a RADIUS server to a RADIUS client results in the following changes to the RADIUS Access-Reject message:

• All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute), Tunnel-Password, and MS-CHAP-MPPE-Keys. Additionally, the Authenticator field in the RADIUS header is recalculated.

• If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Access-Reject message is replaced with the Proxy-State attribute of the original Access-Request message.

• If the proxy session table entry contains any additional RADIUS attributes, these RADIUS attributes are added to the Access-Reject message. If any of these RADIUS attributes are already present, their values are overwritten with new values.

Accounting-Request messages

When an NPS RADIUS proxy forwards a RADIUS Accounting-Request message from a RADIUS client to a RADIUS server, it results in the following changes:

• Attribute manipulation rules are applied and the RADIUS attribute is modified according to the configured find and replace rules.

• All RADIUS message fields for which the RADIUS shared secret are used are recalculated by using the shared secret of the NPS RADIUS proxy and the remote RADIUS server to which the message is being forwarded. These RADIUS attributes include the Message Authenticator (also known as the Signature attribute) and User-Name. Additionally, the Authenticator field in the RADIUS header is recalculated.

• If the Accounting-Request message contains a Proxy-State attribute indicating that the message has been forwarded by another RADIUS proxy, the contents of the Proxy-State attribute are saved in a proxy session table and the Proxy-State attribute is rewritten with a value determined by the NPS RADIUS proxy. The new value of the Proxy-State attribute is stored in a proxy session table.

When forwarding the Accounting-Request message, the set of additional RADIUS attributes as configured on the Advanced tab from the profile settings of the matching connection request policy is stored in the proxy session table. These attributes are not actually added to the Accounting-Request message but are saved for the response to the Accounting-Request message.

Accounting-Response messages

The Proxy-State attribute in the Accounting-Response message is used to find the corresponding entry in the proxy session table. The entry in the proxy session table indicates the IP address of the client to which the message is to be forwarded, the Proxy-State attribute of the original Accounting-Request message, and any additional RADIUS attributes to add. If an entry is not found, the Accounting-Response message is discarded.

When an NPS RADIUS proxy forwards a RADIUS Accounting-Response message from a RADIUS server to a RADIUS client, it results in the following changes to the RADIUS Accounting-Response message:

• All RADIUS message fields for which the RADIUS shared secret is used are recalculated by using the shared secret of the NPS RADIUS proxy and the RADIUS client to which the message is being forwarded, such as the Message Authenticator (also known as the Signature attribute). Additionally, the Authenticator field in the RADIUS header is recalculated.

• If the proxy session table entry contains an original Proxy-State attribute, the Proxy-State attribute in the Accounting-Response message is replaced with the original Proxy-State attribute of the Accounting-Request message.

• If the proxy session table entry contains additional RADIUS attributes, these RADIUS attributes are added to the Accounting-Response message. If any of these RADIUS attributes are already present, their values are overwritten with new values.

When you configure connection request policies so that connection requests are forwarded to members of a remote RADIUS server group, you can use regular expressions and realm names for the configuration process. The following sections provide additional information.