Table of contents
TOC
Collapse the table of content
Expand the table of content

Verify Configuration After NPS Server Changes

James McIllece|Last Updated: 1/25/2017

Applies To: windows Server 2016

You can use this topic to verify NPS server configuration after an IP address or name change to the server.

Verify Configuration After an NPS Server IP Address Change

There might be circumstances where you need to change the IP address of an NPS server or proxy, such as when you move the server to a different IP subnet.

If you change an NPS server or proxy IP address, it is necessary to reconfigure portions of your NPS deployment.

Use the following general guidelines to assist you in verifying that an IP address change does not interrupt network access authentication, authorization, or accounting on your network for NPS RADIUS servers and RADIUS proxy servers.

You must be a member of Administrators, or equivalent, to perform these procedures.

To verify configuration after an NPS server IP address change

  1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS server.

  2. If the NPS server is a member of a remote RADIUS server group, reconfigure the NPS proxy with the new IP address of the NPS server.

  3. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.

  4. If you have deployed IPsec to secure RADIUS traffic between your NPS server and an NPS proxy or other servers or devices, reconfigure the IPsec policy or the connection security rule in Windows Firewall with Advanced Security to use the new IP address of the NPS server.

  5. If the NPS server is multihomed and you have configured the server to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.

To verify configuration after an NPS proxy IP address change

  1. Reconfigure all RADIUS clients, such as wireless access points and VPN servers, with the new IP address of the NPS proxy.

  2. If the NPS proxy is multihomed and you have configured the proxy to bind to a specific network adapter, reconfigure NPS port settings with the new IP address.

  3. Reconfigure all members of all remote RADIUS server groups with the proxy server IP address. To accomplish this task, at each NPS server that has the NPS proxy configured as a RADIUS client:

    a. Double-click NPS (Local), double-click RADIUS Clients and Servers, click RADIUS Clients, and then in the details pane, double-click the RADIUS client that you want to change.

    b. In RADIUS client Properties, in Address (IP or DNS), type the new IP address of the NPS proxy.

  4. If you have configured the NPS proxy to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS proxy is still functioning properly.

Verify Configuration After Renaming an NPS Server

There might be circumstances when you need to change the name of an NPS server or proxy, such as when you redesign the naming conventions for your servers.

If you change an NPS server or proxy name, it is necessary to reconfigure portions of your NPS deployment.

Use the following general guidelines to assist you in verifying that a server name change does not interrupt network access authentication, authorization, or accounting.

You must be a member of Administrators, or equivalent, to perform this procedure.

To verify configuration after an NPS server or proxy name change

  1. If the NPS server is a member of a remote RADIUS server group and the group is configured with computer names rather than IP addresses, reconfigure the remote RADIUS server group with the new NPS server name.

  2. If certificate-based authentication methods are deployed at the NPS server, the name change invalidates the server certificate. You can request a new certificate from the certification authority (CA) administrator or, if the computer is a domain member computer and you autoenroll certificates to domain members, you can refresh Group Policy to obtain a new certificate through autoenrollment. To refresh Group Policy:

    a. Open Command Prompt or Windows PowerShell.

    b. Type gpupdate, and then press ENTER.

  3. After you have a new server certificate, request that the CA administrator revoke the old certificate.

    After the old certificate is revoked, NPS continues to use it until the old certificate expires. By default, the old certificate remains valid for a maximum time of one week and 10 hours. This time period might be different depending on whether the Certificate Revocation List (CRL) expiry and the Transport Layer Security (TLS) cache time expiry have been modified from their defaults. The default CRL expiry is one week; the default TLS cache time expiry is 10 hours.

    If you want to configure NPS to use the new certificate immediately, however, you can manually reconfigure network policies with the new certificate.

  4. After the old certificate expires, NPS automatically begins using the new certificate.

  5. If you have configured the NPS server to use SQL Server logging, verify that connectivity between the computer running SQL Server and the NPS server is still functioning properly.

© 2017 Microsoft