Network Policy Server and Network Access Protection
In the RRAS there are a number of snap-in roles that can be used in configuring and setting up your network access needs for Windows Server 2008. In the previous incarnation, Windows Server 2003, the Internet Authentication Service (IAS) snap-in was Microsoft's implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. It was capable of performing connection authentication, authorization and accounting (AAA) for many types of network access, including wireless and VPN connections.
For Windows Server 2008, Microsoft has replaced IAS with a new snap-in called Network Policy Server (NPS). NPS is the Microsoft implementation of a RADIUS server and proxy in Windows Server 2008, and promises to be even simpler to use than IAS. For your exam, you will be required to be familiar with NPS.
NPS is not just a replacement for IAS; it does what IAS did but also offers another role called Network Access Protection (NAP). When you install NPS you will find that you have a lot of new functionality.
NPS does many of the same things that IAS did. For example, NPS can provide these functions:
Routing of LAN and WAN traffic.
Allowing access to local resources through VPN or dial-up connections.
Creating and enforcing network access policies for VPN or dial-up connections.
What NPS does that is new are all the functions related to NAP. NAP, when used in unison with NPS, creates a "total system health policy enforcement platform," which helps in the creation of health policies for your network, as shown in Figure 2.
NAP is designed to enhance a corporate VPN. This is accomplished when clients establish a VPN session with a Windows Server 2008 system that is running the RRAS. Once a connection is made, an NPS will validate the remote system and determine the status of its health. The NPS collects information and compares the remote computer's configuration against a pre-determined network access policy that can be customized by the administrator. Policies can be configured to either monitor or isolate based on the administrator's preference, as shown in Figure 3.
Although monitoring will not prevent any PCs from gaining access to your network, each PC logging on to the network will be recorded for compliance. Isolation will put non-compliant users onto an isolated segment of the network, where they cannot interfere with production or resources. Of course, the administrator is ultimately responsible for configuring what access non-compliant computers will be allowed.
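As an added example (not from the book), the following PowerShell script pulls the NPS audit events that record these monitoring and isolation outcomes from the Security log, so you can see which clients were quarantined and which were merely recorded as non-compliant. It assumes Windows Server 2008 R2 or later with Get-WinEvent available; the field names matched by the regular expressions are an assumption about the event message layout.

```powershell
# Added example: summarize NAP outcomes that NPS wrote to the Security log.
# Assumes PowerShell 2.0+ (Get-WinEvent). Event IDs are the NPS audit events:
#   6272 access granted, 6273 access denied,
#   6276 client quarantined (isolation mode),
#   6277 granted but placed on probation (monitoring mode, non-compliant),
#   6278 full access granted because the health policy was met.
param([int]$Hours = 24)

$outcome = @{
    6272 = 'Granted'
    6273 = 'Denied'
    6276 = 'Quarantined (isolation)'
    6277 = 'Non-compliant, on probation (monitoring)'
    6278 = 'Granted, health policy met'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273, 6276, 6277, 6278
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Best-effort parse of the message body (assumption): the first
    # "Account Name:" is the user, "Calling Station Identifier:" is the
    # client's MAC or IP address as reported by the access server.
    $user    = if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    $station = if ($_.Message -match 'Calling Station Identifier:\s+(\S+)') { $Matches[1] } else { '?' }
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Outcome = $outcome[$_.Id]
        User    = $user
        Station = $station
    }
} | Sort-Object Time | Format-Table Time, Outcome, User, Station -AutoSize

# Per-outcome totals: a growing 6276 or 6277 count shows which mode is
# catching non-compliant clients and how many there are.
$events | Group-Object Id | ForEach-Object {
    '{0,-45} {1}' -f $outcome[[int]$_.Name], $_.Count
}
```

Run it in an elevated PowerShell session on the NPS server, since reading the Security log requires administrative rights.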
If you are already familiar with Windows Server 2003 and the IAS snap-in, you will notice many changes to the NPS snap-in:
Network policies have replaced remote access policies and have been moved to the Policies node.
The RADIUS Clients and Servers node has replaced the RADIUS Client node.
There is no Connection Request Processing node.
Policies and the Remote RADIUS Server Groups node have been moved under RADIUS Clients and Servers.
Remote access policy conditions and profile settings have been reorganized on the Overview, Conditions, Constraints, and Settings tabs for the properties of a network policy.
The Remote Access Logging folder has been renamed the Accounting node, and no longer has the Local File or SQL Server nodes.
In addition, the System Health Validators node allows you to set up and adjust all NAP health requirements. The Remediation Server Groups node allows you to set up the group of servers that restricted NAP clients can access for the VPN and Dynamic Host Configuration Protocol (DHCP) NAP enforcement methods. Last, the Accounting node allows you to set up how NPS stores accounting information for the network.
The NAP wizard automatically configures all of the connection request policies, network policies, and health policies. Knowing how to set up and configure this feature will put you steps ahead of the competition.
To configure policies and settings for NAP enforcement methods in NPS:
1. Select Network Access Protection in the Standard Configuration drop-down box.
2. Click Configure NAP.
To configure policies and settings for VPN or dial-up network access:
3. Select RADIUS server for Dial-Up or VPN Connections from the drop-down box.
4. Click Configure VPN or Dial-Up.
To configure policies and settings for 802.1X-authenticated wired or wireless access:
5. Select RADIUS server for 802.1X Wireless or Wired Connections from the drop-down box.
6. Click Configure 802.1X.
The wizard will guide you through the configuration process for your chosen scenario. The NAP wizard for VPN enforcement has a number of policy creation options, including ones for compliant NAP clients, noncompliant NAP clients, and non-NAP-capable clients. It also includes two health policies, one for compliant and one for noncompliant NAP clients. The new NAP wizards and the other wizards contained within NPS will help you with creating RADIUS clients, remote RADIUS server groups, connection request policies, and network policies. Overall, this makes it that much easier to configure NPS for a variety of network access scenarios, which will make both your job and your exam all the more simple.