Network Policy and Access Services Overview
Published: February 29, 2012
Updated: February 29, 2012
Applies To: Windows Server 2012
This topic provides an overview of Network Policy and Access Services in Windows Server® 2012, including the specific role services of Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). Use the Network Policy and Access Services server role to deploy and configure Network Access Protection (NAP), secure wired and wireless access points, and RADIUS servers and proxies.
Network Policy and Access Services provides the following network connectivity solutions:
| Solution | Description |
|---|---|
| Network Access Protection (NAP) | NAP is a client health policy creation, enforcement, and remediation technology. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, and other settings. Client computers that are not in compliance with health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy. |
| 802.1X authenticated wired and wireless access | When you deploy 802.1X-capable wireless access points and Ethernet switches, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods that are more secure than password-based authentication. Deploying 802.1X-capable hardware with NPS allows you to ensure that intranet users are authenticated before they can connect to the network or obtain an IP address from a DHCP server. |
| Central network policy management with RADIUS server and proxy | Rather than configuring network access policy at each network access server, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network. |
The following table lists the primary differences in the Network Policy and Access Services server role by operating system:
| Feature/functionality | Windows Server® 2008 R2 and Windows Server® 2008 | Windows Server 2012 |
|---|---|---|
| Support for Windows PowerShell® | None | X |
You can now use Windows PowerShell to automate the installation of the Network Policy and Access Services server role. You can also deploy and configure some aspects of Network Policy Server by using Windows PowerShell. For more information, see Windows PowerShell for Network Policy and Access Services.
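As an added example (not part of the original topic), the following script installs the NPS role service with `Install-WindowsFeature`, lists the configured RADIUS clients, and exports the NPS configuration to a backup folder restricted to administrators. It assumes an elevated session on a full (non-Server Core) installation of Windows Server 2012; the backup path `C:\NpsBackup` is a placeholder.

```powershell
# Added example, not from the original topic. Run in an elevated session.
# Assumption: C:\NpsBackup is a placeholder backup location.
$roleService = 'NPAS-Policy-Server'   # Network Policy Server role service
$backupDir   = 'C:\NpsBackup'

# Install NPS only if it is not already present.
$feature = Get-WindowsFeature -Name $roleService
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name $roleService -IncludeManagementTools
    if (-not $result.Success) {
        throw "Installation of $roleService failed."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before NPS can be configured.'
    }
}

Import-Module NPS

# Inventory the RADIUS clients (access points, switches, VPN servers) that
# are allowed to send requests to this server. SharedSecret is deliberately
# left out of the output.
Get-NpsRadiusClient |
    Select-Object Name, Address, VendorName, Enabled, AuthAttributeRequired |
    Format-Table -AutoSize

# The exported XML contains RADIUS shared secrets in clear text, so create
# the folder first and limit it to Administrators and SYSTEM.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
icacls $backupDir /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' |
    Out-Null

$backupFile = Join-Path $backupDir ('nps-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
Export-NpsConfiguration -Path $backupFile
Write-Output "NPS configuration exported to $backupFile"
```

The export can be restored on the same or another NPS server with `Import-NpsConfiguration`; treat the file with the same care as the shared secrets it contains.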
In Windows Server® 2008 R2 and Windows Server® 2008, Network Policy and Access Services included the Routing and Remote Access Service (RRAS) role service. In Windows Server 2012, RRAS is now a role service in the Remote Access server role.
The following role services can be installed with this role.
| Role service | Description |
|---|---|
| Network Policy Server (NPS) | You can use NPS to centrally manage network access through a variety of network access servers, including RADIUS-compliant 802.1X-capable wireless access points, VPN servers, dial-up servers, and 802.1X-capable Ethernet switches. In addition, you can use NPS to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections. NPS also contains key components for deploying NAP on your network. |
| Health Registration Authority (HRA) | HRA is a NAP component that issues health certificates to clients that pass the health policy verification that is performed by NPS using the client SoH. HRA is used only with the NAP IPsec enforcement method. |
| Host Credential Authorization Protocol (HCAP) | HCAP allows you to integrate your Microsoft NAP solution with Cisco Network Access Control Server. When you deploy HCAP with NPS and NAP, NPS can perform client health evaluation and the authorization of Cisco 802.1X access clients. |
You can use Windows PowerShell to deploy and configure some aspects of Network Policy and Access Services. For more information about Windows PowerShell® cmdlets and scripts that you can use to deploy and manage Network Policy and Access Services, see Windows PowerShell for Network Policy and Access Services.
You can deploy NPS servers for different functions. For example, you can deploy one NPS server as a RADIUS server for authentication, another as a RADIUS proxy, in order to distribute policy evaluation between servers with different roles, and another as a NAP policy server. For more information about multi-server management of Network Policy and Access Services, see Network Policy Server Overview.
Yes, you can run Network Policy and Access Services on Hyper-V virtual machines.
No, Network Policy and Access Services cannot be run in a server cluster.
You can manage Network Policy and Access Services remotely. For more information about running Network Policy and Access Services from a remote computer, see Administer NPS by Using Tools.
You cannot install or run Network Policy and Access Services on the Server Core installation option of Windows Server 2012.
The following table provides links to more content about Network Policy and Access Services.
| Content type | References |
|---|---|
| Product evaluation | |
| Planning | |
| Deployment | Deploying NPS; Checklist for deploying an HRA server; NAP Deployment Guide |
| Operations | |
| Troubleshooting | Best Practices Analyzer for Network Policy and Access Services; Network Policy Server Infrastructure (Errors and Events); NAP Infrastructure (Errors and Events); Network Access Protection Troubleshooting Guide; Tools for Troubleshooting NAP; Troubleshooting HRA Guide |
| Tools and settings | Windows PowerShell for Network Policy and Access Services; Netsh Commands for Network Policy Server; Netsh Commands for Health Registration Authority; Netsh Commands for Network Access Protection (NAP) Client |
| Community resources | |