NPS Authorization Process

Applies To: Windows Server 2008, Windows Server 2008 R2

Network Policy Server (NPS) grants or denies network access authorization on the basis of the following configurable items:

  • The dial-in properties of Security Accounts Manager (SAM) database or Active Directory Domain Services (AD DS) user and computer accounts

  • NPS network policies

Note

For convenience in this document, in discussions of authorization, the dial-in properties of user and computer accounts are frequently referred to only as user accounts.

Network policies allow you to grant or deny network access for users and computers that are members of Windows groups; this authorization management method is called Authorization by Group.

Alternately, the Network Access Permission setting on the dial-in properties of each user and computer account in AD DS allows you to grant or deny network access for individual users and computers. This authorization management method is called Authorization by User.

Important

By using the Network Access Permission setting Control access through NPS Network Policy, AD DS also allows you to designate that network access permission is granted based solely on network policy settings.

When NPS receives a connection request from a Remote Authentication Dial-In User Service (RADIUS) client, NPS accepts or rejects the connection request based on the following:

  • The first policy in the ordered list of network policies is checked. If there are no network policies configured in NPS, the connection request is rejected.

  • If all the conditions of the policy do not match the connection request, NPS moves on to and evaluates the next policy. If there are no more policies, NPS rejects the connection request.

  • If all the conditions of the policy match the connection request, NPS checks the value of the Ignore-User-Dialin-Properties attribute (which is configurable as a property on the Overview tab) of the network policy.

  • If the Ignore-User-Dialin-Properties attribute is set to False, NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection:

    • If Deny access is selected, NPS rejects the connection request.

    • If Allow access is selected, NPS applies the user account properties and network policy constraints:

      • If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.

      • If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.

  • If Network Access Permission is not set to Allow access or Deny access, the network access permission is set to Control access through NPS Network Policy. In that case, NPS evaluates the Access Permission setting (which is configurable as a property on the Overview tab) of the network policy:

    • If Deny access is selected, NPS rejects the connection request.

    • If Grant access is selected, NPS applies the user account properties and network policy constraints:

      • If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.

      • If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.

  • If the Ignore-User-Dialin-Properties attribute is set to True, NPS checks the Access Permission setting of the network policy:

    • If Deny access is selected, NPS rejects the connection request.

    • If Grant access is selected, NPS applies the network policy constraints:

      • If the connection request does not match the settings of the network policy constraints, NPS rejects the connection request.

      • If the connection request matches the network policy constraints, NPS accepts the connection request.
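To make the evaluation order above concrete, the following added example (written for this page, not Microsoft's code) models the decision flow in Python. The Account and NetworkPolicy classes, the predicate-style conditions and constraints, and the sample "VPN Users" policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed model of the evaluation order described on this page; not Microsoft code.
ALLOW, DENY = "Allow access", "Deny access"           # per-account Network Access Permission
CONTROL_BY_POLICY = "Control access through NPS Network Policy"
Check = Callable[[dict], bool]                        # predicate over a connection request
@dataclass
class Account:                                        # dial-in properties of a user/computer account
    name: str
    network_access_permission: str = CONTROL_BY_POLICY
    constraints: List[Check] = field(default_factory=list)
@dataclass
class NetworkPolicy:
    name: str
    conditions: List[Check]                 # all must match for the policy to be selected
    constraints: List[Check]                # all must hold for the request to be accepted
    access_permission: str = "Grant access" # "Grant access" or "Deny access" (Overview tab)
    ignore_user_dialin_properties: bool = False
def authorize(policies, account, request) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the policy that decided) for one connection request."""
    for policy in policies:                         # ordered list, first matching policy decides
        if not all(c(request) for c in policy.conditions):
            continue                                # conditions do not match: try the next policy
        if policy.ignore_user_dialin_properties:
            if policy.access_permission == "Deny access":
                return ("reject", policy.name)
            checks = policy.constraints             # account dial-in properties are ignored
        elif account.network_access_permission == DENY:
            return ("reject", policy.name)          # per-account Deny access wins outright
        elif account.network_access_permission == ALLOW:
            checks = account.constraints + policy.constraints
        else:                                       # Control access through NPS Network Policy
            if policy.access_permission == "Deny access":
                return ("reject", policy.name)
            checks = account.constraints + policy.constraints
        # A matched policy is final: failed constraints reject rather than fall through.
        return ("accept" if all(c(request) for c in checks) else "reject", policy.name)
    return ("reject", None)                         # no policies configured, or none matched
def example() -> list:
    """Constructed scenario: a group-based VPN policy ordered before a catch-all deny."""
    policies = [NetworkPolicy("VPN Users", [lambda r: "VPN Users" in r["groups"]],
                              [lambda r: r["auth"] == "EAP-TLS"]),
                NetworkPolicy("Deny all", [], [], "Deny access", ignore_user_dialin_properties=True)]
    req = {"groups": ["VPN Users"], "auth": "EAP-TLS"}
    return [authorize(policies, Account("alice"), req),
            authorize(policies, Account("bob", DENY), req),
            authorize(policies, Account("carol"), {**req, "auth": "PAP"}),
            authorize(policies, Account("dave"), {"groups": [], "auth": "EAP-TLS"}),
            authorize([], Account("eve"), req)]
```

The scenario shows why policy order and the catch-all matter: a request that matches no policy is rejected, and a matched policy whose constraints fail rejects without consulting later policies.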