Network Access Authorization

Applies To: Windows Server 2008

Network access authorization

Network access authorization is granted or denied on the basis of both Active Directory® user account dial-in properties and network policies that are configured in Network Policy Server (NPS).

Network policies allow you to grant or deny network access for users and computers that are members of Windows groups, while the network access permission setting on the dial-in properties of each user account in Active Directory Domain Services (AD DS) allows you to grant or deny network access for individual users. AD DS also allows you to designate that network access permission is granted based on network policy settings.

When designing your authorization scheme, you must determine whether you want to manage authorization by user or by group.

Authorization by user

If you are managing authorization by user, set the network access permission on the user or computer account to either Grant access or Deny access and, optionally, create different network policies based on different types of connections.

For example, you might want to create one network policy that is used for virtual private network (VPN) connections and a different network policy that is used for wireless connections.

Managing authorization by user is recommended only when you have a small number of user or computer accounts to manage.

If you are managing authorization by user, the basic process used by NPS to authorize a connection request occurs as follows:

  • If NPS finds that the connection request matches all of the conditions of the network policy, it checks the network access permission setting of the user account.

  • If the network access permission setting of the user account is set to grant access, NPS applies the network policy and user account connection settings to the connection, which is granted.

  • If the network access permission setting of the user account is set to deny access, NPS rejects the connection request.

  • If the connection request does not match all conditions of the first network policy, NPS processes the next network policy.

  • If the connection request does not match all conditions of any network policy, NPS rejects the connection request.

Authorization by group

If you are managing authorization by group, set the network access permission on the user account to Control access through NPS Network Policy and create network policies that are based on different types of connections and on Windows group membership.

For example, you might want to create one network policy for dial-up connections for employees (members of the Employees group that you have created in AD DS) and a different network policy for dial-up connections for contractors (members of the Contractors group that you have created in AD DS).

If you are managing authorization by group, the basic process used by NPS to authorize a connection request occurs as follows:

  • If NPS finds that the connection request matches all of the conditions of the network policy, it checks the Access Permission setting of the network policy.

  • If the Access Permission setting is configured to grant access, NPS applies the network policy and user account connection settings to the connection, which is granted.

  • If the Access Permission setting is configured to deny access, NPS rejects the connection request.

  • If the connection request does not match all conditions of the first network policy, NPS processes the next network policy.

  • If the connection request does not match all conditions of any network policy, NPS rejects the connection request.
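The two evaluation procedures above (authorization by user and authorization by group) share one decision loop, which the following added example models in Python; it is illustrative code, not part of NPS or this page, and the policy names, group names and NAS-Port-Type values are constructed sample data.

```python
from dataclasses import dataclass

# Account "Network Access Permission" (Dial-in tab). Same tri-state as the AD
# attribute msNPAllowDialin: True = Grant access, False = Deny access,
# None = Control access through NPS Network Policy.
GRANT, DENY, CONTROL_BY_POLICY = True, False, None

@dataclass
class Account:
    name: str
    groups: frozenset
    permission: "bool | None"

@dataclass
class NetworkPolicy:
    name: str
    conditions: dict  # "group" checks membership; other keys check request attributes
    grant: bool       # the policy's own Access Permission: True = Grant, False = Deny

def matches(policy, account, request):
    """All conditions must match; one miss sends NPS on to the next policy."""
    for key, wanted in policy.conditions.items():
        if key == "group":
            if wanted not in account.groups:
                return False
        elif request.get(key) != wanted:
            return False
    return True

def authorize(policies, account, request):
    """Return (granted, name of the deciding policy), or (False, None) if none matched."""
    for policy in policies:          # processing order matters: first full match decides
        if not matches(policy, account, request):
            continue
        # Account Grant/Deny wins (authorization by user); Control-through-policy
        # defers to the policy's Access Permission (authorization by group).
        if account.permission is CONTROL_BY_POLICY:
            return policy.grant, policy.name
        return account.permission, policy.name
    return False, None               # no policy matched all its conditions: reject

# Constructed sample data modelled on the page's employees/contractors example.
DIALUP, VPN = {"nas_port_type": "Async (Modem)"}, {"nas_port_type": "Virtual (VPN)"}
POLICIES = [
    NetworkPolicy("Dial-up - Employees", {"nas_port_type": "Async (Modem)", "group": "Employees"}, True),
    NetworkPolicy("Dial-up - Contractors", {"nas_port_type": "Async (Modem)", "group": "Contractors"}, True),
    NetworkPolicy("VPN - Employees", {"nas_port_type": "Virtual (VPN)", "group": "Employees"}, True),
]
ALICE = Account("alice", frozenset({"Employees"}), CONTROL_BY_POLICY)   # decided by group policy
CAROL = Account("carol", frozenset({"Contractors"}), DENY)              # decided by user setting
DAVE = Account("dave", frozenset(), GRANT)                              # granted on account, no policy
```

Note that DAVE is rejected even though his account says Grant access: a request that matches no network policy is always rejected, so a per-user grant still needs at least one policy whose conditions it satisfies.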