NPS Fast Facts for Windows Server 2008 R2

Applies To: Windows Server 2008 R2

In Windows Server® 2008 and Windows Server® 2008 R2, Network Policy Server (NPS) replaces Internet Authentication Service (IAS).

NPS is:

• The Microsoft implementation of the Remote Authentication Dial-In User Service (RADIUS) protocol.

• Configurable as a RADIUS server.

• Configurable as a RADIUS proxy that forwards connection requests to other RADIUS servers for processing.

• A required component of Network Access Protection (NAP). When you deploy NAP, NPS functions as a NAP health policy server.

• Configurable to perform all three functions (RADIUS server, RADIUS proxy, NAP health policy server) at the same time.

• Compatible with user account databases in Active Directory Domain Services (AD DS).

What's new in NPS in Windows Server 2008 R2?

Network Policy Server (NPS) provides the following new features in Windows Server 2008 R2:

• NPS templates and Templates Management. NPS templates allow you to create NPS server configuration elements, such as RADIUS clients or shared secrets, that you can reuse on the local server running NPS and export for use on other NPS servers. Templates Management provides a node in the NPS console where you can create, modify, and save templates. In addition, you can export templates for use on other NPS servers, or import templates into Templates Management for use on the local computer.

• RADIUS accounting improvements. These improvements include a new accounting configuration wizard that allows you to easily configure SQL Server logging, text file logging, or combinations of these two logging types. In addition, you can use the wizard to automatically configure an NPS database on a local or remote SQL Server.

• Full support for international, non-English character sets using UTF-8 encoding. In compliance with the Internet Engineering Task Force (IETF) request for comments (RFC) 2865, NPS processes the value of the User-Name attribute in a connection request using 8-bit Unicode Transformation Format (UTF-8) encoding. The User-Name attribute includes the user or computer identity and the realm. Optionally, the following registry key can be used to cause NPS to process the value of the User-Name attribute in American Standard Code for Information Interchange (ASCII) format if the registry key DWORD value is set to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost\Configuration\IdentityEncodingFormat

Windows Server 2008 R2 editions and NPS

NPS provides different functionality depending on the edition of Windows Server 2008 R2 that you install:

• Windows Server® 2008 R2 Enterprise and Windows Server® 2008 R2 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 R2 Enterprise and Windows Server 2008 R2 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.

• Windows Server® 2008 R2 Standard. This server edition includes NPS. With NPS in Windows Server 2008 R2 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.

• Windows® Web Server 2008 R2. This server edition does not include NPS.

For more information, see Windows Server 2008 Overview of Editions at https://go.microsoft.com/fwlink/?LinkId=111845.

Upgrade from Windows Server 2003

You can upgrade a server running Windows Server 2003 and IAS to Windows Server 2008 R2 and NPS. During the upgrade process, the server configuration is preserved, including the RADIUS client, connection request policy, accounting, and remote access policy configurations. In NPS, however, remote access policies are renamed to network policies.

If you have installed new servers running Windows Server 2008 R2 and you want to migrate the configuration of a computer running IAS in Windows Server 2003 or running NPS in Windows Server 2008, use the netsh ias or netsh nps commands, respectively, to export the server configuration to a file. Next, copy the file to the new servers and use the netsh nps commands to import the configuration. For more information, see NPS servers in Windows Server 2008 systems cannot import configuration settings that were exported from IAS servers in Windows Server 2003 systems at https://go.microsoft.com/fwlink/?LinkID=139767.

NPS as a role service

NPS is a role service of the Network Policy and Access Services (NPAS) server role. Other role services of NPAS are the Routing and Remote Access service (RRAS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). For information about how to install NPS, see the NPS Operations Guide in the Windows Server 2008 Technical Library at https://go.microsoft.com/fwlink/?LinkId=114315.

NPS server administration

After you install NPS, you can administer NPS servers:

• Locally, by using the NPS Microsoft Management Console (MMC) snap-in, the static NPS console in Administrative Tools, or the network shell (Netsh) commands for NPS.

• From a remote NPS server, by using the NPS MMC snap-in, the Netsh commands for NPS, or Remote Desktop Connection.

• From a remote workstation, by using Remote Desktop Connection.

SQL Server compatibility

You can configure NPS RADIUS accounting to record accounting information to a stored procedure in a Microsoft SQL Server 2000, SQL Server 2005, or SQL Server 2008 database.