Network Policy Server (NPS)

Applies to: Windows Server 2022, Windows Server 2016, Windows Server 2019

You can use this topic for an overview of Network Policy Server in Windows Server 2016 and Windows Server 2019. NPS is installed when you install the Network Policy and Access Services (NPAS) feature in Windows Server 2016 and Windows Server 2019.

Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.

You can also configure NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a remote NPS or other RADIUS server so that you can load balance connection requests and forward them to the correct domain for authentication and authorization.

NPS allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features:

  • RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database. For more information, see RADIUS server.
  • RADIUS proxy. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group. To configure NPS as a RADIUS proxy server, see the following topics. For more information, see RADIUS proxy.
    • Configure Connection Request Policies
  • RADIUS accounting. You can configure NPS to log events to a local log file or to a local or remote instance of Microsoft SQL Server. For more information, see NPS logging.

Important

Network Access Protection (NAP), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP) were deprecated in Windows Server 2012 R2, and are not available in Windows Server 2016. If you have a NAP deployment using operating systems earlier than Windows Server 2016, you cannot migrate your NAP deployment to Windows Server 2016.

You can configure NPS with any combination of these features. For example, you can configure one NPS as a RADIUS server for VPN connections and also as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

Windows Server Editions and NPS

NPS provides different functionality depending on the edition of Windows Server that you install.

Windows Server 2016 or Windows Server 2019 Standard/Datacenter Edition

With NPS in Windows Server 2016 Standard or Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.

Note

The Windows Network Policy and Access Services feature is not available on systems installed with a Server Core installation option.

The following sections provide more detailed information about NPS as a RADIUS server and proxy.

RADIUS server and proxy

You can use NPS as a RADIUS server, a RADIUS proxy, or both.

RADIUS server

NPS is the Microsoft implementation of the RADIUS standard specified by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and virtual private network (VPN) remote access, and router-to-router connections.

NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS with the Remote Access service, which is available in Windows Server 2016.

NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. When a server running NPS is a member of an AD DS domain, NPS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an AD DS domain.

Note

NPS uses the dial-in properties of the user account and network policies to authorize a connection.

Internet service providers (ISPs) and organizations that maintain network access have the increased challenge of managing all types of network access from a single point of administration, regardless of the type of network access equipment used. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. RADIUS is a client-server protocol that enables network access equipment (used as RADIUS clients) to submit authentication and accounting requests to a RADIUS server.

A RADIUS server has access to user account information and can check network access authentication credentials. If user credentials are authenticated and the connection attempt is authorized, the RADIUS server authorizes user access on the basis of specified conditions, and then logs the network access connection in an accounting log. The use of RADIUS allows the network access user authentication, authorization, and accounting data to be collected and maintained in a central location, rather than on each access server.

Using NPS as a RADIUS server

You can use NPS as a RADIUS server when:

  • You are using an AD DS domain or the local SAM user accounts database as your user account database for access clients.
  • You are using Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging and accounting.
  • You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
  • You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.

The following illustration shows NPS as a RADIUS server for a variety of access clients.

NPS as a RADIUS Server

RADIUS proxy

As a RADIUS proxy, NPS forwards authentication and accounting messages to NPS and other RADIUS servers. You can use NPS as a RADIUS proxy to provide the routing of RADIUS messages between RADIUS clients (also called network access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt.

When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about the messages that are forwarded.

Using NPS as a RADIUS proxy

You can use NPS as a RADIUS proxy when:

  • You are a service provider who offers outsourced dial-up, VPN, or wireless network access services to multiple customers. Your NASs send connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that is maintained by the customer and can authenticate and authorize the connection attempt.
  • You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS is a member or another domain that has a two-way trust with the domain in which the NPS is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for NASs in another domain or forest.
  • You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, connection requests that match a specified realm name are forwarded to a RADIUS server, which has access to a different database of user accounts and authorization information. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases.
  • You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second.
  • You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall is between your perimeter network (the network between your intranet and the Internet) and intranet. By placing an NPS on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS and multiple domain controllers. By replacing the NPS with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPSs within your intranet.

The following illustration shows NPS as a RADIUS proxy between RADIUS clients and RADIUS servers.

NPS as a RADIUS Proxy

With NPS, organizations can also outsource remote access infrastructure to a service provider while retaining control over user authentication, authorization, and accounting.

NPS configurations can be created for the following scenarios:

  • Wireless access
  • Organization dial-up or virtual private network (VPN) remote access
  • Outsourced dial-up or wireless access
  • Internet access
  • Authenticated access to extranet resources for business partners

RADIUS server and RADIUS proxy configuration examples

The following configuration examples demonstrate how you can configure NPS as a RADIUS server and a RADIUS proxy.

NPS as a RADIUS server. In this example, NPS is configured as a RADIUS server, the default connection request policy is the only configured policy, and all connection requests are processed by the local NPS. The NPS can authenticate and authorize users whose accounts are in the domain of the NPS and in trusted domains.

NPS as a RADIUS proxy. In this example, the NPS is configured as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two untrusted domains. The default connection request policy is deleted, and two new connection request policies are created to forward requests to each of the two untrusted domains. In this example, NPS does not process any connection requests on the local server.

NPS as both RADIUS server and RADIUS proxy. In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the Proxy policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded.
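The ordered evaluation just described, as an added PowerShell model that is not NPS code and not part of the original topic: each policy carries a User Name condition (a regular expression, which is how NPS matches realms) and an action, the first matching policy wins, and a request that matches nothing is discarded. The policy names, the realm fabrikam.com and the remote RADIUS server group name are hypothetical.

```powershell
# Added example, not NPS code: a model of ordered connection request policy
# evaluation. Each policy has a User-Name regex condition and an action that is
# either 'Forward' to a named remote RADIUS server group or 'Local' processing.
# The first policy whose condition matches wins; no match means the request is discarded.
$Policies = @(
    [pscustomobject]@{ Name = 'Proxy policy'; Order = 1; UserNamePattern = '@fabrikam\.com$'; Action = 'Forward'; Group = 'Fabrikam-RADIUS' }  # hypothetical realm and group
    [pscustomobject]@{ Name = 'Use Windows authentication for all users'; Order = 2; UserNamePattern = '.*'; Action = 'Local'; Group = $null }
)

function Resolve-ConnectionRequest {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    foreach ($policy in ($Policies | Sort-Object Order)) {
        if ($UserName -match $policy.UserNamePattern) {
            $target = 'local NPS'
            if ($policy.Action -eq 'Forward') { $target = $policy.Group }
            return [pscustomobject]@{
                UserName = $UserName
                Policy   = $policy.Name
                Action   = $policy.Action
                Target   = $target
            }
        }
    }
    # No policy matched: the request is discarded rather than answered.
    [pscustomobject]@{ UserName = $UserName; Policy = $null; Action = 'Discard'; Target = $null }
}

# Both policies present (server-and-proxy scenario): the realm decides the route.
'alice@fabrikam.com', 'CONTOSO\bob', 'carol@tailspin.com' |
    ForEach-Object { Resolve-ConnectionRequest -UserName $_ -Policies $Policies } |
    Format-Table -AutoSize

# Proxy-only scenario (default policy deleted): a local-domain user is discarded.
# This is the failure mode to look for when the default policy disappears unnoticed.
$ProxyOnly = $Policies | Where-Object { $_.Action -eq 'Forward' }
Resolve-ConnectionRequest -UserName 'CONTOSO\bob' -Policies $ProxyOnly
```

Policy order matters: if the catch-all local policy were moved ahead of the Proxy policy, every request, including the partner realm, would be authenticated locally and fail.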

NPS as a RADIUS server with remote accounting servers. In this example, the local NPS is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS performs these functions for the local domain and all trusted domains.

NPS with remote RADIUS to Windows user mapping. In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. (In addition, a user account must be created locally on the RADIUS server that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)

Configuration

To configure NPS as a RADIUS server, you can use either standard configuration or advanced configuration in the NPS console or in Server Manager. To configure NPS as a RADIUS proxy, you must use advanced configuration.

Standard configuration

With standard configuration, wizards are provided to help you configure NPS for the following scenarios:

  • RADIUS server for dial-up or VPN connections
  • RADIUS server for 802.1X wireless or wired connections

To configure NPS using a wizard, open the NPS console, select one of the preceding scenarios, and then click the link that opens the wizard.

Advanced configuration

When you use advanced configuration, you manually configure NPS as a RADIUS server or RADIUS proxy.

To configure NPS by using advanced configuration, open the NPS console, and then click the arrow next to Advanced Configuration to expand this section.

The following advanced configuration items are provided.

Configure RADIUS server

To configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.

For instructions on making these configurations, see the following topics.

  • Configure RADIUS Clients
  • Configure Network Policies
  • Configure Network Policy Server Accounting
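The RADIUS client step of the RADIUS server configuration above, as an added PowerShell example that is not part of the original topic: it registers one NAS as a RADIUS client with a freshly generated shared secret, requires the Message-Authenticator attribute on its requests, and enables the audit subcategory that makes NPS write access-granted and access-denied events. It uses the NPS module that is installed with the role and runs in an elevated session on the NPS server; the NAS name, its address and the backup of the secret to the NAS administrator are hypothetical.

```powershell
# Added example, not from the page: register a NAS as a RADIUS client on NPS.
# The NAS name and address are hypothetical. Requires the NPS module (installed
# with the Network Policy and Access Services role) and an elevated session.
Import-Module NPS

function New-RadiusSharedSecret {
    # The shared secret authenticates the NAS to NPS and keys the User-Password
    # obfuscation, so it must be long and random. A 64-symbol alphabet keeps
    # "byte mod 64" free of modulo bias.
    param([int] $Length = 40)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$NasName    = 'WLC-HQ-01'      # hypothetical friendly name of the wireless controller
$NasAddress = '10.20.30.40'    # hypothetical NAS address; one client per secret, no address range
$Secret     = New-RadiusSharedSecret

if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $NasName }) {
    throw "RADIUS client $NasName already exists; use Set-NpsRadiusClient to rotate its secret."
}

# AuthAttributeRequired makes NPS drop Access-Requests from this NAS that lack a
# valid Message-Authenticator, which blocks request forgery from a spoofed address.
New-NpsRadiusClient -Name $NasName -Address $NasAddress -SharedSecret $Secret `
    -AuthAttributeRequired $true -Enabled $true

# Confirm the client is registered and enabled.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $NasName } | Format-List

# Without this subcategory NPS writes no 6272 (granted) / 6273 (denied) events
# to the Security log, so the server is effectively blind for detection.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# Hand the secret to the NAS administrator out of band, then drop it from the session.
Write-Output "Enter this shared secret on ${NasName}: $Secret"
Remove-Variable Secret
```

Use a separate secret per RADIUS client: a client defined by an IP address range shares one secret across every device in the range, so a compromise of any one of them lets an attacker impersonate all of them to NPS.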

Configure RADIUS proxy

To configure NPS as a RADIUS proxy, you must configure RADIUS clients, remote RADIUS server groups, and connection request policies.

For instructions on making these configurations, see the following topics.

  • Configure RADIUS Clients
  • Configure Remote RADIUS Server Groups
  • Configure Connection Request Policies
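The remote RADIUS server group step of the proxy configuration, as an added PowerShell example that is not part of the original topic: it creates the group a forwarding connection request policy points at, adds two partner-domain servers that are load-balanced by weight with failover settings, and exports the resulting configuration. It uses the NPS module cmdlets; the group name, host names, ports, timing values, backup path and the prompted secrets are hypothetical, and parameter names can be checked on your build with Get-Command -Module NPS -Syntax.

```powershell
# Added example, not from the page: build a remote RADIUS server group for proxying.
# Group name, host names, timing values and the backup path are hypothetical.
Import-Module NPS

$GroupName  = 'Fabrikam-RADIUS'   # hypothetical remote RADIUS server group
# Prompt for the secrets so they never sit in the script or in shell history.
$AuthSecret = Read-Host -Prompt 'Authentication shared secret agreed with the partner'
$AcctSecret = Read-Host -Prompt 'Accounting shared secret agreed with the partner'

New-NpsRemoteRadiusServerGroup -Name $GroupName

# Equal priority keeps both servers in rotation and weight 2:1 sends twice as many
# requests to nps1. After MaxDropouts unanswered requests a server is skipped for
# BlackoutInterval seconds, so a dead partner does not stall every authentication.
$Common = @{
    RemoteServerGroup          = $GroupName
    AuthenticationPort         = 1812
    AccountingPort             = 1813
    AuthenticationSharedSecret = $AuthSecret
    AccountingSharedSecret     = $AcctSecret
    Priority                   = 1
    Timeout                    = 3
    MaxDropouts                = 3
    BlackoutInterval           = 60
}
New-NpsRemoteRadiusServer -Address 'nps1.fabrikam.com' -Weight 2 @Common   # hypothetical host
New-NpsRemoteRadiusServer -Address 'nps2.fabrikam.com' -Weight 1 @Common   # hypothetical host

# Verify the group and its members.
Get-NpsRemoteRadiusServerGroup -Name $GroupName
Get-NpsRemoteRadiusServer -RemoteServerGroup $GroupName

# The export contains every shared secret in clear text: write it to a protected
# path and keep it off shared drives. Import-NpsConfiguration restores it on a standby NPS.
$Backup = 'C:\NPS-Backup\nps-config.xml'   # hypothetical path
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
Export-NpsConfiguration -Path $Backup
```

The NPS module has no cmdlet for connection request policies, so the forwarding policy itself is created in the NPS console (or with netsh nps): a User Name condition holding the partner realm pattern, and an authentication setting that forwards requests to this group. Between the proxy and the partner servers only UDP 1812/1813 needs to cross the firewall, which is the point made in the proxy scenarios above.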

NPS logging

NPS logging is also called RADIUS accounting. Configure NPS logging to your requirements whether NPS is used as a RADIUS server, proxy, or any combination of these configurations.

To configure NPS logging, you must configure which events you want logged and viewed with Event Viewer, and then determine which other information you want to log. In addition, you must determine whether you want to log user authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer.

For more information, see Configure Network Policy Server Accounting.
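Reading what NPS logs, as an added PowerShell example that is not part of the original topic: it parses records in the DTS-compliant (XML) text log format, summarizes Access-Reject results per user and RADIUS client so that a password-guessing burst stands out, and queries the same signal from Security event 6273. The sample records are constructed for the example and carry only the attributes the code reads; the threshold, host and client names are hypothetical. Packet-Type 3 is Access-Reject and Reason-Code 16 is a user credential mismatch.

```powershell
# Added example, not from the page: summarize NPS DTS-compliant accounting records
# and Security log 6273 events. The records below are constructed for the example.
$SampleRecords = @(
    '<Event><Timestamp data_type="4">03/04/2024 09:12:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\jdoe</User-Name><Client-IP-Address data_type="3">10.20.30.40</Client-IP-Address><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>'
    '<Event><Timestamp data_type="4">03/04/2024 09:12:01.050</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\jdoe</User-Name><Client-IP-Address data_type="3">10.20.30.40</Client-IP-Address><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>'
    '<Event><Timestamp data_type="4">03/04/2024 09:12:03.010</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\jdoe</User-Name><Client-IP-Address data_type="3">10.20.30.40</Client-IP-Address><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>'
    '<Event><Timestamp data_type="4">03/04/2024 09:12:05.200</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\jdoe</User-Name><Client-IP-Address data_type="3">10.20.30.40</Client-IP-Address><Client-Friendly-Name data_type="1">WLC-HQ-01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>'
    '<Event><Timestamp data_type="4">03/04/2024 09:12:07.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\asmith</User-Name><Client-IP-Address data_type="3">10.20.30.41</Client-IP-Address><Client-Friendly-Name data_type="1">VPN-01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type></Event>'
    '<Event><Timestamp data_type="4">03/04/2024 09:12:07.300</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CONTOSO\asmith</User-Name><Client-IP-Address data_type="3">10.20.30.41</Client-IP-Address><Client-Friendly-Name data_type="1">VPN-01</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type></Event>'
)

function Get-NpsRejectSummary {
    # One DTS-format record per line; Packet-Type 3 = Access-Reject.
    param(
        [Parameter(Mandatory)] [string[]] $Records,
        [int] $Threshold = 3     # hypothetical: rejects per user+client that warrant a look
    )
    $rejects = foreach ($record in $Records) {
        $xml = [xml]$record
        if ($xml.SelectSingleNode('/Event/Packet-Type').InnerText -ne '3') { continue }
        [pscustomobject]@{
            User       = $xml.SelectSingleNode('/Event/User-Name').InnerText
            ClientIP   = $xml.SelectSingleNode('/Event/Client-IP-Address').InnerText
            ReasonCode = [int]$xml.SelectSingleNode('/Event/Reason-Code').InnerText
        }
    }
    $rejects | Group-Object User, ClientIP | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            ClientIP = $_.Group[0].ClientIP
            Rejects  = $_.Count
            Reasons  = ($_.Group.ReasonCode | Sort-Object -Unique) -join ','
            Flagged  = ($_.Count -ge $Threshold)
        }
    }
}

function Get-NpsDeniedEvents {
    # Security event 6273 (NPS denied access) carries the same fields once the
    # 'Network Policy Server' audit subcategory is enabled.
    param([int] $Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
                ClientIP   = ($data | Where-Object { $_.Name -eq 'ClientIPAddress' }).'#text'
                ReasonCode = ($data | Where-Object { $_.Name -eq 'ReasonCode' }).'#text'
            }
        }
}

# jdoe from 10.20.30.40 shows three rejects with reason 16 and is flagged; asmith is not.
Get-NpsRejectSummary -Records $SampleRecords | Format-Table -AutoSize
```

The text log is the only accounting trail when the Security audit subcategory is off, and it is the one that survives on the proxy: a proxy that forwards requests still logs the forwarded messages locally, so the same summary works there.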