NPS: Network Policy Server (NPS) should have at least one connection request policy enabled

Updated: March 29, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Network Policy Server (NPS)

Severity

Error

Category

Configuration

Issue

No connection request policies are enabled on Network Policy Server (NPS).

Impact

Client computers requesting access to the network cannot authenticate and are denied network access.

Resolution

Create and enable a connection request policy on Network Policy Server (NPS) to process client computer authentication requests.

NPS is the Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol. You can configure NPS to act as a RADIUS server or RADIUS proxy to provide centralized network access management. Connection request policies in NPS are sets of conditions and settings that network administrators can use to designate which RADIUS servers perform the authentication and authorization of connection requests that the NPS server receives from RADIUS clients. You can also configure connection request policies to designate which RADIUS servers are used for RADIUS accounting. You can create connection request policies so that some RADIUS request messages that are sent from RADIUS clients are processed locally (NPS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is being used as a RADIUS proxy).

A default connection request policy is created when you install NPS. The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy. However, at least one connection request policy must be enabled on your NPS server for it to authenticate and authorize connection requests from RADIUS clients.

To complete these procedures, you must be a member of Domain Admins, or equivalent.

To verify the status of connection request policies on your NPS server

  1. To open the NPS console, click Start, click Administrative Tools, and then click Network Policy Server.

  2. In the NPS console tree, double-click Policies.

  3. In the console tree, click Connection Request Policies.

  4. In the details pane, locate the connection request policies that are configured on your NPS server. Make sure that at least one connection request policy’s state is set to Enabled.

    To enable a connection request policy, double-click the connection request policy that you want to modify. In the policy's Properties dialog box (for the default policy, the Use Windows authentication for all users Properties dialog box), under Policy State, make sure that the Policy enabled check box is selected.
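
The verification procedure above can also be scripted. The following PowerShell sketch is an added example, not part of the original topic: it parses the text printed by `netsh nps show crp` and warns when no connection request policy is enabled. `Get-CrpState` is a hypothetical helper name, and the Name / State / Processing order layout shown in the constructed sample is an assumption about that command's output.

```powershell
# Added example: report connection request policy (CRP) states from `netsh nps show crp` text.
# Get-CrpState is a hypothetical helper; the output layout it parses is an assumption.
function Get-CrpState {
    param([string[]]$Lines)
    $policies = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            # A "Name = ..." line starts a new policy block.
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; State = $null; Order = $null }
            $policies += $current
        } elseif ($current -and $line -match '^\s*State\s*=\s*(\S+)') {
            $current.State = $Matches[1]
        } elseif ($current -and $line -match '^\s*Processing order\s*=\s*(\d+)') {
            $current.Order = [int]$Matches[1]
        }
    }
    $policies
}

# Constructed sample in the assumed layout; not captured from a real server.
$sample = @'
Connection request policy configuration:
---------------------------------------------------------
Name             = Use Windows authentication for all users
State            = Disabled
Processing order = 1
Policy source    = 0

Connection request policy configuration:
---------------------------------------------------------
Name             = Forward to remote RADIUS group (constructed)
State            = Disabled
Processing order = 2
Policy source    = 0
'@ -split '\r?\n'

# On an NPS server, parse live output instead: $policies = @(Get-CrpState -Lines (netsh nps show crp))
$policies = @(Get-CrpState -Lines $sample)
$enabled  = @($policies | Where-Object { $_.State -eq 'Enabled' })
$policies | Sort-Object Order | Format-Table Name, State, Order -AutoSize

if ($enabled.Count -eq 0) {
    # Matches the Issue and Impact described in this topic.
    Write-Warning 'No connection request policy is enabled; RADIUS clients will be denied network access.'
} else {
    '{0} enabled policy(ies); first in processing order: {1}' -f $enabled.Count, @($enabled | Sort-Object Order)[0].Name
}
```

With the constructed sample, both policies are listed as Disabled and the warning is written, which is the condition this Best Practices Analyzer rule reports.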

To add a new connection request policy

  1. To open the NPS console, click Start, click Administrative Tools, and then click Network Policy Server.

  2. In the NPS console tree, double-click Policies.

  3. In the console tree, right-click Connection Request Policies, and then click New.

  4. Use the New Connection Request Policy wizard to configure your connection request policy and, if it is not previously configured, a remote RADIUS server group.

Additional references

For more information about connection request policies, see Connection Request Policies at https://go.microsoft.com/fwlink/?LinkID=169520.