Network Policies and Authorization

Applies To: Windows Server 2008, Windows Server 2008 R2

A network policy is an ordered set of rules that defines how connections are either authorized or rejected. For each rule, there are one or more conditions that must match the connection request for the policy to apply. In addition, each network policy contains constraints, settings, and an Access Permission property.

Network policies validate several connection settings before authorizing the connection, including the following:

• Access permission

• Group membership

• Type of connection

• Time of day

• Authentication methods

• Access server identity

• Access client phone number or media access control (MAC) address

• Whether account dial-in properties are ignored

• Whether unauthenticated access is allowed

After the connection is authorized, network policies can also be used to specify connection settings, including the following:

• Idle time-out time

• Maximum session time

• Encryption strength

• IP packet filters

• IP address for PPP connections

• Static routes

The following settings can also affect connection restrictions:

• Group membership

• Type of connection

• Time of day

• Authentication methods

• Identity of the access server

• Access client phone number or MAC address

It is important to remember that connection requests are accepted only if the properties of the connection request matches all of the conditions and constraints of at least one of the configured network policies (subject to the conditions of the dial-in properties of the account). If the connection request does not match at least one of the network policies, the connection attempt is rejected regardless of the dial-in properties of the user account.

For more information, see Network Policies.

Network policy configuration issues

Following are several issues that might impact your configuration of NPS, depending on your network and needs:

• Some elements of a network policy correspond to RADIUS attributes that are used during RADIUS-based authentication. For network policies on an NPS server, verify that the network access servers (NASs) used are sending RADIUS attributes that correspond to the configured network policy conditions and settings. If a NAS does not send a RADIUS attribute that corresponds to a network policy condition or setting, then all RADIUS authentication requests from that NAS are denied.

• You can only use the Generate-Session-Time-out attribute if your user account database is a Security Accounts Manager (SAM) database or is the user account database for an Active Directory Domain Services (AD DS) domain. If the value of Generate-Session-Time-out is set to True, make sure the ForceLogoff value for a SAM database is set to 0. In the Local Security Settings console, ForceLogoff is changed to zero when Network security: Force logoff when logon hours expire is enabled.

• If you are using Wired Equivalent Privacy (WEP) encryption, you can configure wireless connection policy so that wireless clients using WEP periodically reauthenticate. This ensures that the client WEP encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session time-out in your network policy or connection request policy for wireless connections (by using the Session-Time-out attribute) to the required interval (for example, 10 minutes). Additionally, configure the value of the Termination-Action attribute to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless APs might end the connection during reauthentication. For more information, see your hardware documentation.