Windows NPS server requirements

This monitor returns the time elapsed in hundredths of a second since the configuration of this NPS server was reset because of a configuration change or because the service control manager sent a reset to the NPS service.

This monitor returns the time elapsed in hundredths of a second since the server process was started on this NPS server.

This monitor returns the average number of packets received per second on the authentication port.

This monitor returns the average number of incoming packets per second that are silently discarded for a reason other than "malformed," "invalid Message Authenticator," or "unknown type."

This monitor returns the average number of Full-Access decisions sent per second to this client.

This monitor returns the average number of packets containing malformed data received per second.

This monitor returns the average number of probation decisions sent per second to this client.

This monitor returns the average number of quarantine decisions sent per second to this client.

This monitor returns the interval in hundredths of a second between the most recent request to the policy engine and its response.

This monitor returns the average number of remote access policies that were matched per second.

This monitor returns the number of requests that have entered the policy engine but have not yet completed the process.

For VPN connections, EAP-TLS is a certificate-based authentication method that provides strong security, protecting network traffic even as it is transmitted across the Internet from home or mobile computers to your organization's VPN servers.

Certificate-based authentication methods have the advantage of providing strong security, and the disadvantage of being more difficult to deploy than password-based authentication methods. EAP-TLS uses certificates for both client and server authentication, and requires that you deploy a public key infrastructure (PKI) in your organization.

During the authentication process, server authentication occurs when the NPS sends its server certificate to the access client to prove its identity to the access client.

The access client examines various certificate properties to determine whether the certificate is valid and is appropriate for use during server authentication. If the server certificate meets the minimum server certificate requirements and is issued by a CA that the access client trusts, the NPS is successfully authenticated by the client.

Similarly, client authentication occurs during the authentication process when the client sends its client certificate to the NPS to prove its identity to the NPS. The NPS examines the certificate, and if the client certificate meets the minimum client certificate requirements and is issued by a CA that the NPS trusts, the access client is successfully authenticated by the NPS.

Although it is required that the server certificate is stored in the certificate store on the NPS, the client or user certificate can be stored in either the certificate store on the client or on a smart card. For this authentication process to succeed, it is required that all computers have your organization's CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and the Current User. If you use this method, you must also enroll the CA certificate to client computers connecting to your network so that they trust the certificate issued to the NPS.

You can purchase a server certificate from a public CA such as VeriSign. If you use this method, make sure that you select a CA that is already trusted by client computers. If there is a certificate from the CA in these certificate stores, the client computer trusts the CA and will therefore trust any certificate issued by the CA.
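The following PowerShell script is an added example, not part of the original page, that checks a certificate in the NPS Local Computer personal store for the properties an access client evaluates during EAP-TLS server authentication: the Server Authentication EKU, the validity period, the presence of a private key, and a chain that builds to a root in the Trusted Root Certification Authorities store. The subject name `nps.example.com` is a placeholder assumption.

```powershell
# Added example (not from the original page). Assumes the NPS server
# certificate is found by subject; 'nps.example.com' is a placeholder.
$subjectName   = 'nps.example.com'        # placeholder: your NPS FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU OID

# Pick the newest certificate matching the subject in LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$subjectName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate for CN=$subjectName in LocalMachine\My" }

$findings = @()

# 1. The access client requires the Server Authentication EKU.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
if ($ekuOids -notcontains $serverAuthOid) { $findings += 'Missing Server Authentication EKU' }

# 2. The certificate must be within its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $findings += 'Outside validity period' }

# 3. NPS can only prove its identity if it holds the private key.
if (-not $cert.HasPrivateKey) { $findings += 'No private key associated with the certificate' }

# 4. The chain must terminate in a trusted root; revocation is checked online.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $findings += ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
}

if ($findings.Count -eq 0) {
    "OK: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
} else {
    "Problems with certificate $($cert.Thumbprint):"
    $findings
}
```

Run it in an elevated PowerShell session on the NPS server; a chain failure here is the same failure the access client will see when it validates the server certificate.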

User authentication occurs when a user attempting to connect to the network types password-based credentials and tries to log on. NPS receives the credentials and performs authentication and authorization. If the user is authenticated and authorized successfully, and if the client computer successfully authenticated the NPS, the connection request is granted.

Identify the types of network access you plan to offer, such as wireless or VPN, and determine the authentication method or methods that you want to use for each type of access. It is recommended that you use the certificate-based authentication methods that provide strong security; however, it might not be practical for you to deploy a PKI, so other authentication methods might provide a better balance of what you need for your network.

This includes planning the certificate templates you are going to use for server certificates and client computer certificates. It also includes determining how to enroll certificates to domain member and non-domain member computers, and determining whether you want to use smart cards.

NPS also uses the dial-in properties of the user account to make an authorization determination. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down the activity of an attacker.

Turn on logging initially for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment. Ensure that event logging is configured with a capacity that is sufficient to maintain your logs. Back up all log files on a regular basis because they cannot be recreated when they are damaged or deleted.

Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage. This setting configures NPS to automatically reject these false connection requests without processing them. In addition, NPS does not record transactions involving the fictional user name in any log files, which makes the event log easier to interpret.

To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet as the global catalog server.

The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an AD DS domain. NPS uses the dial-in properties of the user account and network policies to authorize a connection.

Internet service providers (ISPs) and organizations that maintain network access have the increased challenge of managing all types of network access from a single point of administration, regardless of the type of network access equipment used.

If user credentials are authenticated and the connection attempt is authorized, the RADIUS server authorizes user access on the basis of specified conditions, and then logs the network access connection in an accounting log. The use of RADIUS allows the network access user authentication, authorization, and accounting data to be collected and maintained in a central location, rather than on each access server.

NPS records information in an accounting log about the messages that are forwarded. With NPS, organizations can also outsource remote access infrastructure to a service provider while retaining control over user authentication, authorization, and accounting. The default connection request policy is deleted, and two new connection request policies are created to forward requests to each of the two untrusted domains.

In this example, NPS does not process any connection requests on the local server. In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain.