The Cable Guy - August 2010
Templates and Accounting Improvements for Network Policy Server (NPS) in Windows Server 2008 R2
This article describes the new templates feature and the enhancements to accounting in the Network Policy Server (NPS) service in Windows Server 2008 R2. NPS is Microsoft's Remote Authentication Dial-In User Service (RADIUS) server and proxy, providing authentication, authorization, and accounting (AAA) of network access requests and acting as a Network Access Protection (NAP) health policy server.
NPS templates can reduce the cost of ownership for the deployment of NPS environments by separating common RADIUS configuration elements such as RADIUS shared secrets and initial RADIUS client settings from the configuration running on the server. When selected, the RADIUS configuration element inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is selected.
For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, that change is inherited by all of the RADIUS clients and remote RADIUS servers in which that RADIUS shared secret template is selected.
You can also use NPS templates to assist in configuration by temporarily selecting them. For example, you can create a RADIUS client template that contains common settings, such as the vendor type or shared secret, for a specific group of RADIUS clients, such as all wireless access points (APs) from a specific vendor. When you create a new RADIUS client, you can select the RADIUS client template to obtain the common settings. When you de-select the template, the inherited settings remain and you can configure individual settings, such as the RADIUS client's IP address.
Note: Commands in the netsh nps context do not support template settings. Running a netsh nps command against a configuration element removes that element's reference to the template and changes the element's own value directly.
The following types of NPS configuration elements use templates:
RADIUS shared secrets
Remote RADIUS servers
Remediation server groups
You configure templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in. Figure 1 shows an example.
Figure 1 The Templates Management node in the Network Policy Server snap-in
Individual templates can be added, edited, duplicated, or deleted. After they are configured, they can be selected and de-selected in the appropriate dialog boxes in the Network Policy Server snap-in.
Table 1 lists the different types of templates and where they are used in the Network Policy Server snap-in.
| Template | Where it is used |
|---|---|
| RADIUS shared secret | When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates |
| RADIUS clients | When creating or configuring RADIUS clients |
| IP filters | When configuring IP Filters settings for a network policy |
| Health policies | When creating or configuring health policies |
| Remediation server groups | When creating or configuring remediation server groups |
Table 1 Templates and where they are used in the Network Policy Server snap-in
Example: Using the RADIUS Shared Secret Template
Templates for RADIUS shared secrets allow you to specify a shared secret that can be reused when configuring RADIUS clients and remote RADIUS servers in the Network Policy Server snap-in. To create and use a RADIUS shared secret template, do the following:
From the Network Policy Server snap-in, open the Templates Management node.
In the console tree, right-click Shared Secrets, and then click New.
In Template Name, type a name for the shared secret template, and then either manually specify the shared secret or have NPS automatically generate one.
Click OK to save changes.
To use the RADIUS shared secret template, configure a RADIUS client, a remote RADIUS server, or a remote RADIUS server template and specify the template name for the shared secret, rather than manually configuring a shared secret or having NPS generate one. Figure 2 shows an example.
Figure 2 Example of selecting a shared secrets template
To view which RADIUS clients, remote RADIUS servers, and remote RADIUS server templates use a specific RADIUS shared secret template, right-click the name of the RADIUS shared secret template in the contents pane of the Network Policy Server snap-in, and then click View Usage.
Migrating and Synchronizing Template Configuration between NPS Servers
Because templates are independent of the running configuration of the NPS server, they can be exported and imported independently of the NPS server configuration. You can export and import templates using the Network Policy Server snap-in. These operations are independent of the export and import of the NPS server configuration using the netsh nps export and netsh nps import commands.
To export the templates of an NPS server, right-click Templates Management in the Network Policy Server snap-in, and then click Export Templates to a File. To import the templates of an NPS server, click Import Templates from a File. You can use these steps to migrate the templates of one NPS server to another.
To quickly synchronize the templates of one NPS server with that of another, right-click Templates Management in the Network Policy Server snap-in, and then click Import Templates from a Computer. You are prompted to specify the name of a remote NPS server. When you click OK, NPS synchronizes the templates of the local NPS server with those of the remote NPS server.
Managing a Windows Server 2008 NPS Server from a Windows Server 2008 R2 NPS Server
The Network Policy Server snap-in for Windows Server 2008 R2 provides support for remotely managing NPS servers. When you add the Network Policy Server snap-in to a Microsoft Management Console (MMC), you can specify the local computer or a remote computer. You can also remotely manage a Windows Server 2008 NPS server from a Windows Server 2008 R2 NPS server; however, the console tree does not contain the Templates Management node, and the configuration dialog boxes do not display template configuration.
Windows Server 2008 R2 includes a number of features that improve the accounting capabilities of NPS and significantly reduce its cost of deployment. Among these are a number of new logging capabilities that enable correlation between Structured Query Language (SQL) and file logging as well as a new Accounting Configuration wizard. These enhancements are integrated into the Accounting node of the Network Policy Server snap-in.
New File Type for NPS File Logging
To better correlate SQL and file logging configurations, Windows Server 2008 R2 includes a new file type known as DTS Compliant. The new file type is designed for easy mapping to the NPS standard SQL database using SQL Server Data Transformation Services (DTS). You can select this new file type from the Log File tab of the Log File Properties dialog box. Figure 3 shows an example.
Figure 3 Example of selecting the DTS Compliant local log format
NPS SQL and File Logging Correlation
The following Windows Server 2008 R2 features enable accounting configurations that utilize both SQL and file logging:
Failover logging from SQL to a file
You can configure NPS to log to a SQL database (local or remote) and fail over to a preconfigured log file if connectivity to the SQL server is lost. You enable this feature by selecting the Enable text file logging for failover check box in the SQL Server Logging Properties dialog box.
Parallel logging to both a file and SQL
You can configure NPS to log every accounting entry to both a SQL server and a file. This new functionality does not have any explicit configuration. You enable parallel logging by configuring both logging modes without file logging failover.
Authentication without accounting
You can configure NPS to perform authentication and authorization without logging. This feature, which is disabled by default, lets NPS continue to authenticate and authorize network access requests even when it cannot log them. It can be enabled independently for file and SQL logging, allowing for a variety of scenarios when used in conjunction with parallel and failover logging.
This functionality is controlled independently in the SQL Server Logging Properties and Log File Logging dialog boxes by clearing the If logging fails, discard connection requests check box. When either check box is selected, access requests require successful logging.
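The DTS Compliant file format described above writes one XML Event element per log line, with each RADIUS attribute as a child element that carries a data_type attribute, which is what makes it straightforward to map onto the columns of the NPS SQL store. The following Python script is an added example written for this article; it is not code from the article or from NPS. It parses constructed sample lines of that shape, summarizes Access-Reject packets per RADIUS client and user, and compares the file log against constructed rows standing in for the SQL store, so that entries that exist only in the failover file (the scenario in "Failover logging from SQL to a file") can be located. The attribute element names follow the standard NPS log attributes; the SQL column names, the sample values, and the data_type handling (0 parsed as an integer, everything else kept as text) are assumptions.

```python
"""Parse NPS 'DTS Compliant' accounting log lines and check them against rows
from the NPS SQL store.  Added example written for this article; it is not NPS
code.  The log lines and the SQL rows below are constructed samples."""
from collections import Counter
import xml.etree.ElementTree as ET

# RADIUS packet codes as they appear in the Packet-Type attribute.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}


def sample_event(ts, user, client_ip, client_name, packet_type, reason=None):
    """Build one constructed DTS Compliant line: an <Event> element whose
    children are RADIUS attributes, each tagged with a data_type attribute
    (assumed here: 0 = integer, 1 = text, 3 = IP address, 4 = timestamp)."""
    parts = [
        '<Timestamp data_type="4">%s</Timestamp>' % ts,
        '<Computer-Name data_type="1">NPS1</Computer-Name>',
        '<User-Name data_type="1">%s</User-Name>' % user,
        '<Client-IP-Address data_type="3">%s</Client-IP-Address>' % client_ip,
        '<Client-Friendly-Name data_type="1">%s</Client-Friendly-Name>' % client_name,
        '<Packet-Type data_type="0">%d</Packet-Type>' % packet_type,
    ]
    if reason is not None:
        parts.append('<Reason-Code data_type="0">%d</Reason-Code>' % reason)
    return "<Event>" + "".join(parts) + "</Event>"


# Constructed sample log: alice authenticates, bob fails twice (reason 16 is
# the NPS reason code for a user credentials mismatch).
SAMPLE_LOG = "\n".join([
    sample_event("08/16/2010 10:15:32.101", "CONTOSO\\alice", "10.0.0.10", "AP-Floor1", 1),
    sample_event("08/16/2010 10:15:32.130", "CONTOSO\\alice", "10.0.0.10", "AP-Floor1", 2, 0),
    sample_event("08/16/2010 10:16:01.005", "CONTOSO\\bob", "10.0.0.10", "AP-Floor1", 1),
    sample_event("08/16/2010 10:16:01.040", "CONTOSO\\bob", "10.0.0.10", "AP-Floor1", 3, 16),
    sample_event("08/16/2010 10:16:05.200", "CONTOSO\\bob", "10.0.0.10", "AP-Floor1", 1),
    sample_event("08/16/2010 10:16:05.233", "CONTOSO\\bob", "10.0.0.10", "AP-Floor1", 3, 16),
])

# Constructed stand-in for rows read back from the SQL store.  The column
# names are assumed.  The last two file events are deliberately absent,
# simulating a SQL outage during which NPS failed over to the text file.
SAMPLE_SQL_ROWS = [
    {"timestamp": "08/16/2010 10:15:32.101", "user_name": "CONTOSO\\alice", "packet_type": 1},
    {"timestamp": "08/16/2010 10:15:32.130", "user_name": "CONTOSO\\alice", "packet_type": 2},
    {"timestamp": "08/16/2010 10:16:01.005", "user_name": "CONTOSO\\bob", "packet_type": 1},
    {"timestamp": "08/16/2010 10:16:01.040", "user_name": "CONTOSO\\bob", "packet_type": 3},
]


def parse_dts_line(line):
    """Return one event as {attribute name: value}; data_type 0 becomes int."""
    event = ET.fromstring(line)
    if event.tag != "Event":
        raise ValueError("not a DTS Compliant event: %r" % event.tag)
    parsed = {}
    for child in event:
        text = (child.text or "").strip()
        parsed[child.tag] = int(text) if child.get("data_type") == "0" else text
    return parsed


def parse_dts_log(text):
    """Parse a whole file: one event per non-empty line."""
    return [parse_dts_line(line) for line in text.splitlines() if line.strip()]


def reject_summary(events):
    """Count Access-Reject packets per (RADIUS client friendly name, user)."""
    counts = Counter()
    for ev in events:
        if ev.get("Packet-Type") == 3:
            counts[(ev.get("Client-Friendly-Name", "?"), ev.get("User-Name", "?"))] += 1
    return dict(counts)


def events_missing_from_sql(file_events, sql_rows):
    """Return file-logged events with no matching SQL row, keyed on
    timestamp, user name and packet type: the failover-only entries."""
    seen = {(r["timestamp"], r["user_name"], r["packet_type"]) for r in sql_rows}
    return [ev for ev in file_events
            if (ev.get("Timestamp"), ev.get("User-Name"), ev.get("Packet-Type")) not in seen]


if __name__ == "__main__":
    events = parse_dts_log(SAMPLE_LOG)
    for (client, user), n in reject_summary(events).items():
        print("%d Access-Reject packets for %s via %s" % (n, user, client))
    for ev in events_missing_from_sql(events, SAMPLE_SQL_ROWS):
        print("only in file log: %s %s %s" % (ev["Timestamp"], ev["User-Name"],
                                              PACKET_TYPES[ev["Packet-Type"]]))
```

Run against a real DTS Compliant log, the same parser feeds either a per-client failure count or a reconciliation against the SQL table after a failover period; which attributes appear in each event depends on what you chose to log in each data store, so the code reads attributes with .get rather than assuming they are present.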
NPS Accounting Configuration Wizard
To run the new Accounting Configuration wizard, select the Accounting node and then click the Configure Accounting link in the contents pane of the Network Policy Server snap-in. The Accounting Configuration wizard walks you through the full accounting configuration for common configurations, including the settings required on a SQL server to create the NPS standard database, table, and stored procedures. Figure 4 shows the Select Accounting Options page of the Accounting Configuration wizard.
Figure 4 The new Accounting Configuration wizard
From this page, you can configure the following:
Log to a SQL Server database
Use this option to log only to a SQL database using the default NPS SQL table format and stored procedures.
Log to a text file on the local computer
Use this option to log only to a text file using the new DTS Compliant file format.
Simultaneously log to a SQL Server database and to a local text file
Use this option to configure both SQL and file logging and enable parallel logging. SQL logging uses the default NPS SQL table format and stored procedures. File logging uses the DTS Compliant file format. You configure the information logged in each data store independently.
Log to a SQL Server database using text file logging for failover
Use this option to configure both SQL and file logging and enable file logging only in cases where SQL logging fails. SQL logging uses the default NPS SQL database, table format, and stored procedures. File logging uses the DTS Compliant file format. You configure the information logged in each data store independently.
Automated SQL Database Configuration
In addition to configuring NPS accounting, the new Accounting Configuration wizard automatically generates the required database, tables, and stored procedures on an existing SQL server. For any of the configurations available from the Select Accounting Options page of the Accounting Configuration wizard that include SQL logging, the wizard automatically configures the SQL server for the standard NPS data store. Figure 5 shows the Configure SQL Server Logging page of the Accounting Configuration wizard.
Figure 5 The Configure SQL Server Logging page
When you click Configure, NPS displays the Data Link Properties dialog box, as shown in Figure 6.
Figure 6 The Data Link Properties dialog box
After you specify a SQL server and credentials (sections 1 and 2), the Select the database on the server list shows the existing databases on the SQL server. If you select an existing database from this list, you are prompted when the wizard completes to either continue using the specified database as is or re-initialize it with the default NPS SQL data store configuration.
Alternatively, you can type a new database name into the Select the database on the server list box. In this case, the Accounting Configuration wizard automatically configures the default NPS data store using the specified database name on the SQL server.
For More Information
For more information about NPS in Windows Server 2008 R2, consult the following resources: