Network Policy and Access Services Overview

Applies To: Windows Server 2008 R2

Network Policy and Access Services provides the following network connectivity solutions:

  • Network Access Protection (NAP). NAP is a client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® client operating system and in the Windows Server® 2008 operating system. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings. Client computers that are not in compliance with health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

  • Secure wireless and wired access. When you deploy 802.1X wireless access points, secure wireless access provides wireless users with a secure password-based authentication method that is easy to deploy. When you deploy 802.1X authenticating switches, wired access allows you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using DHCP.

  • Remote access solutions. With remote access solutions, you can provide users with virtual private network (VPN) and traditional dial-up access to your organization's network. You can also connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.

  • Central network policy management with RADIUS server and proxy. Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.

Role services for Network Policy and Access Services

When you install Network Policy and Access Services, the following role services are available:

  • Network Policy Server (NPS). NPS is the Microsoft implementation of a RADIUS server and proxy. You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches. In addition, you can use NPS to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections. NPS also contains key components for deploying NAP on your network.

    The following technologies can be deployed after the installation of the NPS role service:

    • NAP health policy server. When you configure NPS as a NAP health policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to communicate on the network. You can configure NAP policies on NPS that allow client computers to update their configuration to become compliant with your organization's network policy.

    • IEEE 802.11 Wireless. Using the NPS MMC snap-in, you can configure 802.1X-based connection request policies for IEEE 802.11 wireless client network access. You can also configure wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.11 wireless connections. You can fully integrate IEEE 802.11 wireless access with NAP when you deploy a wireless 802.1X authentication infrastructure so that the health status of wireless clients is verified against health policy before clients are allowed to connect to the network.

    • IEEE 802.3 Wired. Using the NPS MMC snap-in, you can configure 802.1X-based connection request policies for IEEE 802.3 wired client Ethernet network access. You can also configure 802.1X-compliant switches as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, as well as perform authentication, authorization, and accounting for 802.3 Ethernet connections. You can fully integrate IEEE 802.3 wired client access with NAP when you deploy a wired 802.1X authentication infrastructure.

    • RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and remote access dial-up and VPN connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft® SQL Server™ database.

    • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

  • Routing and Remote Access. With Routing and Remote Access, you can deploy VPN and dial-up remote access services and multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

    The following technologies can be deployed during the installation of the Routing and Remote Access role service:

    • Remote Access Service. Using Routing and Remote Access, you can deploy Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (IPsec) VPN connections to provide end users with remote access to your organization's network. You can also create a site-to-site VPN connection between two servers at different locations. Each server is configured with Routing and Remote Access to send private data securely. The connection between the two servers can be persistent (always on) or on-demand (demand-dial).

      Remote Access also provides traditional dial-up remote access to support mobile users or home users who are dialing in to an organization's intranets. Dial-up equipment that is installed on the server running Routing and Remote Access answers incoming connection requests from dial-up networking clients. The remote access server answers the call, authenticates and authorizes the caller, and transfers data between the dial-up networking client and the organization intranet.

    • Routing. Routing provides a full-featured software router and an open platform for routing and internetworking. It offers routing services to businesses in local area network (LAN) and wide area network (WAN) environments.

      When you deploy NAT, the server running Routing and Remote Access is configured to share an Internet connection with computers on the private network and to translate traffic between its public address and the private network. By using NAT, the computers on the private network gain some measure of protection because the router with NAT configured does not forward traffic from the Internet to the private network unless a private network client has requested it or the traffic is explicitly allowed.

      When you deploy VPN and NAT, the server running Routing and Remote Access is configured to provide NAT for the private network and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same network.

  • Health Registration Authority (HRA). HRA is a NAP component that issues health certificates to clients that pass the health policy verification that is performed by NPS using the client SoH. HRA is used only with the NAP IPsec enforcement method.

  • Host Credential Authorization Protocol (HCAP). HCAP allows you to integrate your Microsoft NAP solution with Cisco Network Access Control Server. When you deploy HCAP with NPS and NAP, NPS can perform client health evaluation and the authorization of Cisco 802.1X access clients.
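The RADIUS server role service above configures access points as RADIUS clients through the NPS MMC snap-in; the Netsh commands for NPS offer the same settings from a script. The following is an added example, not code from the Microsoft documentation, and the client names, addresses, secret and backup path are constructed placeholders:

```powershell
# Added example (not from the Microsoft documentation): register two wireless
# access points as RADIUS clients on an NPS server and back up the configuration.
# Assumptions: the names, IP addresses, secret and path below are constructed
# placeholders; run from an elevated PowerShell prompt on the NPS server.

$radiusClients = @(
    @{ Name = 'AP-Floor1'; Address = '10.0.10.11' },   # constructed placeholder values
    @{ Name = 'AP-Floor2'; Address = '10.0.10.12' }
)

# Shared secret: use a long, random, per-client value in practice. This string is
# a placeholder so the script runs as written.
$sharedSecret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'

foreach ($client in $radiusClients) {
    # Equivalent to "RADIUS Clients > New" in the NPS MMC snap-in.
    # requireauthattrib=YES makes NPS discard Access-Request messages that do not
    # carry a valid Message-Authenticator attribute, which limits spoofed requests
    # from hosts that know only the client's IP address.
    netsh nps add client name="$($client.Name)" address="$($client.Address)" `
        state="ENABLE" sharedsecret="$sharedSecret" requireauthattrib="YES"
}

# Confirm the registration: lists every RADIUS client configured on this NPS server.
netsh nps show client

# Export the complete NPS configuration, including shared secrets (exportPSK=YES),
# for backup or for loading on a second NPS server. The file contains the secrets
# in readable form, so restrict access to it.
$backupDir = 'C:\NpsBackup'   # constructed placeholder path
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
netsh nps export filename="$backupDir\nps-config.xml" exportPSK=YES
```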

Managing the Network Policy and Access Services server role

The following tools are provided to manage the Network Policy and Access Services server role:

  • NPS MMC snap-in. Use the NPS MMC to configure a RADIUS server, RADIUS proxy, or NAP technology.

  • Netsh commands for NPS. The Netsh commands for NPS provide a command set that is fully equivalent to all configuration settings that are available through the NPS MMC snap-in. Netsh commands can be run manually at the Netsh prompt or in administrator scripts.

  • HRA MMC snap-in. Use the HRA MMC to designate the certification authority (CA) that HRA uses to obtain health certificates for client computers and to define the NPS server to which HRA sends client SoHs for verification against health policy.

  • Netsh commands for HRA. The Netsh commands for HRA provide a command set that is fully equivalent to all configuration settings that are available through the HRA MMC snap-in. Netsh commands can be run manually at the Netsh prompt or in administrator-authored scripts.

  • NAP Client Management MMC snap-in. You can use the NAP Client Management snap-in to configure security settings and user interface settings on client computers that support the NAP architecture.

  • Netsh commands for configuring NAP client settings. The Netsh commands for NAP client settings provide a command set that is fully equivalent to all configuration settings that are available through the NAP Client Management snap-in. Netsh commands can be run manually at the Netsh prompt or in administrator-authored scripts.

  • Routing and Remote Access MMC snap-in. Use this MMC snap-in to configure a VPN server, a dial-up networking server, a router, NAT, VPN and NAT, or a VPN site-to-site connection.

  • Netsh commands for remote access. The Netsh commands for remote access provide a command set that is fully equivalent to all remote access configuration settings that are available through the Routing and Remote Access MMC snap-in. Netsh commands can be run manually at the Netsh prompt or in administrator scripts.

  • Netsh commands for routing. The Netsh commands for routing provide a command set that is fully equivalent to all routing configuration settings that are available through the Routing and Remote Access MMC snap-in. Netsh commands can be run manually at the Netsh prompt or in administrator scripts.

  • Wireless Network (IEEE 802.11) Policies - Group Policy Management Console (GPMC). The Wireless Network (IEEE 802.11) Policies extension automates the configuration of wireless network settings on computers with wireless network adapter drivers that support the Wireless LAN Autoconfiguration Service (WLAN Autoconfig Service). You can use the Wireless Network (IEEE 802.11) Policies extension in the Group Policy Management Console to specify configuration settings for either or both Windows XP and Windows Vista wireless clients. Wireless Network (IEEE 802.11) Policies Group Policy extensions include global wireless settings, the list of preferred networks, Wi-Fi Protected Access (WPA) settings, and IEEE 802.1X settings.

    When configured, the settings are downloaded to Windows wireless clients that are members of the domain. The wireless settings configured by this policy are part of the Computer Configuration Group Policy. By default, Wireless Network (IEEE 802.11) Policies are not configured or enabled.

  • Netsh commands for wireless local area network (WLAN). Netsh WLAN is an alternative to using Group Policy to configure Windows Vista wireless connectivity and security settings. You can use the Netsh wlan commands to configure the local computer, or to configure multiple computers using a logon script. You can also use the Netsh wlan commands to view wireless Group Policy settings and administer Wireless Internet Service Provider (WISP) and user wireless settings.

    The wireless Netsh interface has the following benefits:

    • Mixed mode support: Allows administrators to configure clients to support multiple security options. For example, a client can be configured to support both the WPA2 and the WPA authentication standards. This allows the client to use WPA2 to connect to networks that support WPA2 and use WPA to connect to networks that only support WPA.

    • Block undesirable networks: Administrators can block and hide access to non-corporate wireless networks by adding networks or network types to the list of denied networks. Similarly, administrators can allow access to corporate wireless networks.

  • Wired Network (IEEE 802.3) Policies - Group Policy Management Console (GPMC). You can use the Wired Network (IEEE 802.3) Policies to specify and modify configuration settings for Windows Vista clients that are equipped with network adapters and drivers that support the Wired AutoConfig Service. Wired Network (IEEE 802.3) Policies Group Policy extensions include global wired and IEEE 802.1X settings. These settings include the entire set of wired configuration items associated with the General tab and the Security tab.

    When configured, the settings are downloaded to Windows wired clients that are members of the domain. The wired settings configured by this policy are part of the Computer Configuration Group Policy. By default, Wired Network (IEEE 802.3) Policies are not configured or enabled.

  • Netsh commands for wired local area network (LAN). The Netsh LAN interface is an alternative to using Group Policy in Windows Server 2008 to configure Windows Vista wired connectivity and security settings. You can use the Netsh LAN commands to configure the local computer, or use the commands in logon scripts to configure multiple computers. You can also use the Netsh LAN commands to view Wired Network (IEEE 802.3) Policies and to administer client wired IEEE 802.1X settings.
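The "block undesirable networks" benefit of the wireless Netsh interface, described under the Netsh commands for WLAN above, is implemented with netsh wlan filters. The following is an added example, not code from the Microsoft documentation; the SSIDs are constructed placeholders:

```powershell
# Added example (not from the Microsoft documentation): restrict a domain-joined
# Windows client to corporate SSIDs using the netsh wlan filter list, the
# scriptable equivalent of the allowed/denied network lists in Group Policy.
# Assumptions: "CorpWiFi" and "CorpWiFi-Guest" are constructed placeholder SSIDs
# (kept free of spaces so they pass through PowerShell to netsh unchanged);
# run from an elevated PowerShell prompt, as filter changes need admin rights.

$corporateSsids = @('CorpWiFi', 'CorpWiFi-Guest')   # constructed placeholders

# 1. Deny all infrastructure and ad hoc networks by default. Denied networks are
#    hidden from the "Connect to a network" list and connection attempts are blocked.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# 2. Explicitly allow the corporate SSIDs. An allow entry overrides denyall for
#    that network, so the combination behaves as an allow-list.
foreach ($ssid in $corporateSsids) {
    netsh wlan add filter permission=allow ssid=$ssid networktype=infrastructure
}

# 3. Verify the resulting filter list (the allowed and denied networks the
#    page refers to).
netsh wlan show filters

# To remove a single entry later, for example when an SSID is retired:
#   netsh wlan delete filter permission=allow ssid=CorpWiFi-Guest networktype=infrastructure
```

Running the same commands from a logon script applies the allow-list to every computer that executes it, which is how the page describes configuring multiple computers with Netsh WLAN.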

Additional Resources

To learn more about Network Policy and Access Services, open one of the following MMC snap-ins and then press F1 to display the Help:

  • NPS MMC snap-in

  • Routing and Remote Access MMC snap-in

  • HRA MMC snap-in