Components of NPS

Applies To: Windows Server 2008, Windows Server 2008 R2

The following sections describe Network Policy Server (NPS) components that you can use to deploy NPS as a RADIUS server, RADIUS proxy, or as a NAP health policy server. You can configure these components by using the NPS console, the NPS Microsoft Management Console (MMC) snap-in, or the Netsh commands for NPS.


NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:

  • RADIUS server. NPS performs centralized connection authentication, authorization, and accounting for wireless, 802.1X-capable switch, remote access dial-up, and virtual private network (VPN) connections. When you use a server running NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

  • Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and Remediation Server Groups that allow client computers to update their configuration to become compliant with your organization's network policy.

  • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and which RADIUS servers to forward them to. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

You can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring NPS as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

Configuration

To configure NPS as a RADIUS server or a NAP policy server, you can use either standard configuration or advanced configuration in the NPS console.

Note

To configure NPS as a RADIUS proxy, you must use advanced configuration.

Standard configuration

With standard configuration, wizards are provided to help you configure NPS for the following scenarios:

  • NAP policy server

  • RADIUS server for dial-up or VPN connections

  • RADIUS server for 802.1X wireless or wired connections

To configure NPS using a wizard, open the NPS console, select one of the preceding scenarios, and then click the link that opens the wizard.

Advanced configuration

When you use advanced configuration, you configure individual NPS features to set up NPS as a RADIUS server, NAP policy server, or RADIUS proxy. Wizards are provided to assist you with policy and NAP configuration; however, these wizards are opened from the NPS folder tree in the NPS console rather than from the Getting Started section in the details pane of the console.

To configure NPS by using advanced configuration, open the NPS console and then click the arrow next to Advanced Configuration to expand this section.

The following advanced configuration items are provided:

  • Configure RADIUS server

    To configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.

  • Configure RADIUS proxy

    To configure NPS as a RADIUS proxy, you must configure RADIUS clients, connection request policies, remote RADIUS server groups, and RADIUS accounting.

  • Configure NAP policy server

    To deploy NAP, you must configure NAP components in addition to configuring RADIUS clients and network policy.

NPS logging

NPS logging is also called RADIUS accounting. Configure it to your requirements whether NPS is used as a RADIUS server, proxy, NAP policy server, or any combination of the three configurations.

To configure NPS logging, you must configure which events are logged and viewed with Event Viewer and determine which other information you want to log. In addition, you must decide whether you want to log user authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer.