NAP Health Policy Server Message Processing

Updated: October 21, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

This section provides information about how Network Policy Server (NPS) processes an incoming Access-Request message when NPS is configured as a Network Access Protection (NAP) policy server.

When you configure NPS as a NAP policy server, Access-Request messages are processed locally. In this process, NPS does the following:

  1. Validates the RADIUS message. The incoming Access-Request message is validated for source IP address, the digital signature, valid attributes, and so on. If the RADIUS message is not valid, an event is logged in the system event log and the RADIUS Access-Request message is discarded. An Access-Reject message is not sent.

  2. Checks for Auto Reject. Auto Reject, also called Ping User-Name for the corresponding registry entry, is used to send an immediate Access-Reject message when the User-Name attribute in the Access-Request message matches the registry entry value.

    Some RADIUS clients (RADIUS proxy servers and network access servers) periodically send artificial authentication and accounting requests, called ping requests, to verify that the NPS server is present on the network. These ping requests include fictional user names and do not represent an actual connection request by a real user or computer. When NPS processes these requests, the event and accounting logs become filled with access reject records, making it difficult to keep track of records for valid connection attempts by real users. When you configure a registry entry for Ping User-Name, NPS matches the registry entry value against the value of the User-Name attribute in ping requests that other servers make. If the registry entry and the user name value match, NPS automatically rejects the request and does not create an event or accounting log entry.

  3. Performs connection request policy evaluation. If no connection request policies are matched, an event is logged in the system event log and the RADIUS Access-Request message is discarded.

  4. Applies realm stripping rules. NPS determines or defines the domain name and the user identity for the Access-Request message. If the User-Name attribute in the Access-Request message is not the Auto Reject name, then the user identity is determined. User identity is how NPS identifies the user for the purposes of authentication and authorization. Typically, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, the user identity is set to the Guest account or the account specified by the Default User Identity registry entry.

    NPS can use any RADIUS attribute to identify the user. The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry entry.

  5. Determines authentication server. NPS determines whether to authenticate locally or forward to a remote RADIUS server group (When NPS is configured as a NAP policy server, the message is authenticated locally and is not forwarded.)

  6. Performs user name cracking. Name cracking is the resolution of the user identity to a user account by using user principal names (UPNs), Lightweight Directory Access Protocol (LDAP), distinguished names (DNAs), canonical names, and so on. If a user principal name is encountered by NPS, NPS performs a query to the Active Directory Domain Services (AD DS) global Ccatalog in an attempt to resolve the name. To speed up this process, a copy of the global catalog must be located on a domain controller within the same site as the NPS server.

    When the user identity does not contain a domain name, NPS supplies a domain name. By default, the NPS-supplied domain name is the domain for which the NPS server is a member. You can specify the NPS-supplied domain by means of the DefaultDomain registry entry.

  7. Evaluates EAP authentication configured in connection request policy. If connection request policy is configured with an Extensible Authentication Protocol (EAP) authentication method, this setting overrides all authentication settings in all network policies.

  8. Requests the client Statement of Health (SoH). NPS requests the SoH from the NAP-capable client.

  9. Performs computer name cracking. NPS resolves the computer identity to a computer account in Active Directory Domain Services.

  10. Checks for authentication plug-ins. Authentication plug-ins are optional components created by using the NPS software development kit (SDK); each plug-in can return Accept, Reject, or Continue. If an authentication plug-in returns an Accept, the user is authenticated and the account is validated. If the authentication plug-in returns a Reject, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authentication plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user still needs to be authenticated.

    The authentication plug-in can also return RADIUS attributes to be included in the Access-Accept message.

  11. Checks for remote access account lockout. The registry on the NPS server is read for remote access account lockout entry for the user account. If the account is locked out, NPS sends an Access-Reject message and logs an authentication event. For more information, see Network Policy Server Tools and Settings.

  12. Checks for PAP, CHAP, MS-CHAP. If Password Authentication Protocol (PAP), CHAP, Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), or MS-CHAP v2 are used to authenticate the remote access client, NPS consults an authentication sub-module based on the authentication protocol to perform the authentication. The user credentials (user name and password) are authenticated against the user name and password of the accounts database (either a domain or the local accounts database), and the group membership of the user account is determined. The exact method of authentication varies depending on the authentication protocol.

    If the authentication of the credentials is not successful, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.

    If either EAP or unauthenticated access is being used, then the user authentication process is bypassed. EAP authentication takes place later in this process. For unauthenticated access, no user authentication is performed.

  13. Validates the user or computer account. Based on the user or computer account determined by name cracking, the account is validated to discover whether it is locked out (which is not the same as remote access account lockout), whether the account is disabled, and whether the user account password has expired. If the account is not valid, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.

  14. Performs network policy-to-connection request matching. NPS evaluates the ordered list of network policies until it finds one whose conditions exactly match the connection request. When starting this process, NPS first evaluates the policies that match the network connection type, if there are any. For example, if the connection request is received from a Terminal Services Gateway (TS Gateway) server, NPS first evaluates network policies whose network connection type is TS Gateway.

    If no match is found, and if there are policies with a network connection type of Unspecified, NPS evaluates these policies next. If a matching policy is found, NPS adds the network policy settings to the connection request. If a matching policy is not found, an Access-Reject message is sent and an event is logged.

  15. Performs health policy evaluation. If NPS matches the connection request to a network policy that is configured with a health policy, the health policy is evaluated against the SoH and the health of the NAP-capable client is determined. NPS enforces NAP based on the settings in the health policy.

  16. Performs network policy constraints processing. Network policy constraints are processed by NPS. If all constraints do not match the connection request, NPS sends an Access-Reject message, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. In this circumstance, NPS does not evaluate additional policies.

  17. Checks user account properties and network policy authorization properties. If the Ignore-User-Dialin-Properties attribute is set to 0, the dial-in properties of the user account and the properties of the matching network policy are evaluated against the parameters of the connection attempt to ensure that the connection attempt is allowed. If the Ignore-User-Dialin-Properties attribute is set to 1 (True), NPS does not evaluate the dial-in properties of the user account in AD DS and the properties from the matching network policy are the only properties used to authorize the connection.

    If the connection attempt is not allowed, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.

  18. Checks for EAP authentication. If EAP is the authentication protocol used for the connection attempt, EAP authentication takes place. The initial negotiation for EAP consists of selecting EAP as the authentication protocol and negotiating an EAP type with the access client. Based on the EAP type, the settings for the matching connection request policy or network policy are checked to ensure that the EAP type is allowed. If the EAP type is not allowed, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS accounting log, depending on the configured logging settings.

    If the EAP type is allowed by connection request policy or network policy settings, EAP authentication for the EAP type occurs. NPS sends an EAP challenge to the NAS requesting it to start EAP negotiation. Communications between EAP modules on a RADIUS client and server are tunneled using the RADIUS protocol. After negotiation is complete, an EAP provider can return attributes that are sent back to the NAS in the Access-Accept message. If EAP authentication fails, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.

  19. Checks for authorization plug-ins. Authorization plug-ins are optional components created by using the NPS software development kit (SDK). Each plug-in can return either Reject or Continue. If the authorization plug-in returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authorization plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user is authorized.

    The authorization plug-in can also return RADIUS attributes to be included in the Access-Accept message.

  20. Sends an Access-Accept message. If the dial-in properties of the user account, the properties of the matching network policy, and the conditions imposed by authorization plug-ins allow the connection attempt, an Access-Accept message is sent back to the NAS. Included with the Access-Accept message are NPS settings and the set of RADIUS attributes for the restrictions on the connection. In addition, an authentication success event is logged in either the system event log or the NPS authentication log, depending on the configured logging settings.

After NPS sends the Access-Accept message, the NAS completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged in Internet Authentication Service (IAS) format, database-compatible format, or to a SQL Server database. The NPS server then sends an Accounting-Response to the NAS to verify that it has received and recorded accounting data for the connection.

noteNote
The NAS also sends Accounting-Request messages when the connection is being established, when the access client connection is closed, and when the NAS is started and stopped.

Community Additions

ADD
Show: