Windows Server 2008 Network Policy Server (NPS) Operations Guide
Set up RADIUS Clients by IP Address Range


Use this procedure to configure two or more network access servers as RADIUS clients in NPS by using an IP address range. If you are running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter, you can configure RADIUS clients in NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS console at one time, rather than adding each RADIUS client individually.

You cannot configure RADIUS clients by IP address range if you are running NPS on Windows Server 2008 Standard.

Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are all configured with IP addresses from the same IP address range.

All of the RADIUS clients in the range must use the same configuration and shared secret.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To set up RADIUS clients by IP address range

    1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.

    3. In New RADIUS Client, in Friendly name type a display name for the collection of NASs.

    4. In New RADIUS Client, in Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if the NASs are all on the 10.10.0.0 network with a 16-bit subnet mask, type 10.10.0.0/16.

    5. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, or if you have NASs from multiple vendors, select RADIUS Standard.

    6. In New RADIUS Client, in Shared secret, do one of the following:

     Ensure that Manual is selected, and then in Shared secret, type the strong password that is also configured on all of the NASs. Retype the shared secret in Confirm shared secret.

     Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NASs so that they can communicate with the NPS server.

    7. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if all of your NASs support use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.

    8. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and all of your NASs support NAP, select RADIUS client is NAP-capable.

    9. Click OK. Your NASs appear in the list of RADIUS clients configured on the NPS server.
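An added Python model (example code, not part of this guide and not NPS code) of what the settings in steps 4, 6 and 7 mean on the wire: the NAS source address is matched against the configured CIDR range, and when Message-Authenticator is required, the HMAC-MD5 over the packet keyed with that range's shared secret (RFC 2869) is verified before the request is processed. The client table, secret and packet are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type

# Constructed stand-in for the RADIUS client entries in the NPS console: one CIDR
# range, one shared secret and one "Message-Authenticator required" flag per entry.
RADIUS_CLIENTS = [
    {"name": "Campus-WAPs", "range": ipaddress.ip_network("10.10.0.0/16"),
     "secret": b"example-shared-secret", "require_msg_auth": True},
]

def find_client(src_ip):
    """Return the entry whose range contains the NAS source address, else None."""
    ip = ipaddress.ip_address(src_ip)
    for client in RADIUS_CLIENTS:
        if ip in client["range"]:
            return client
    return None

def message_authenticator_ok(packet, secret):
    """Check Message-Authenticator: HMAC-MD5 keyed with the shared secret over
    the whole packet with the attribute's 16 value bytes zeroed (RFC 2869)."""
    pos = 20  # attributes follow the 20-byte header (code, id, length, authenticator)
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute: treat as a failed check
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # attribute absent although this client requires it

def accept_request(src_ip, packet):
    """Apply the per-client checks NPS makes before looking at any policy."""
    client = find_client(src_ip)
    if client is None:
        return False  # not a configured RADIUS client: the datagram is ignored
    if client["require_msg_auth"]:
        return message_authenticator_ok(packet, client["secret"])
    return True

def build_access_request(secret, ident, authenticator, attrs):
    """Constructed Access-Request carrying a valid Message-Authenticator."""
    body = b"".join(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```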



Managing Network Policies


This section provides information about how to manage NPS network policies.

After NPS authenticates users or computers connecting to your network, it performs authorization to determine whether to grant the user or computer permission to connect.

Authorization is performed when NPS checks the dial-in properties of user accounts in Active Directory and when NPS evaluates the connection request against the network policies configured in the NPS console.

In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account properties, the Network Access Permission setting is used by NPS to make authorization decisions, as follows:

     If the value of Network Access Permission is Deny access, the user is always denied access to the network by NPS, regardless of any settings in network policy.

     If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.

     If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.

Note

For ease of administration of network access, it is recommended that the Network Access Permission setting is always set to Control access through NPS Network Policy. By default, if your forest functional level is Windows Server 2008, when you create a user account, the value of Network Access Permission is set to Control access through NPS Network Policy.

You can also specify connection settings in an NPS network policy that are applied after the connection is authenticated and authorized. For example, you can define IP filters for the connection that specify the network resources to which the user has permission to connect.

An ordered list of rules


When you configure multiple network policies in NPS, the policies are an ordered list of rules. NPS evaluates the policies in listed order from first to last. If there is a network policy that matches the connection request, NPS uses the policy to determine whether to grant or deny access to the user or computer connection.

When you order the network policies in the NPS console, ensure that rules created in one policy do not unintentionally counteract the rules in a different policy.

For example, a member of the Domain Users group might also be a member of the Wireless Users group that is created (by you or by another administrator) in Active Directory. Perhaps your organization has limited wireless resources, so members of the Domain Users group are denied access when connecting through wireless access points; however, members of the Wireless Users group are granted access when connecting by wireless. If the network policy that denies wireless access to Domain Users is evaluated before the Wireless Users policy is evaluated, NPS denies access to members of the Wireless Users group when they attempt to connect by wireless — even though your intention is to grant them access.

The solution to this problem is to move the Wireless Users network policy higher in the list of policies in the NPS console so that it is evaluated before the Domain Users policy is evaluated. In this circumstance, when a member of the Wireless Users group attempts to connect, NPS evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives a wireless connection attempt from a member of the Domain Users group that is not also a member of the Wireless Users group, the connection attempt does not match the Wireless Users policy, so that policy is not evaluated by NPS. Instead, NPS moves down to the Domain Users wireless policy, and then denies the connection to the member of the Domain Users group.
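An added Python model (example code, not from the guide or from NPS itself) of the two authorization inputs described in this section: the account's Network Access Permission and the ordered policy list, with the Domain Users / Wireless Users scenario above in both the wrong and the corrected order. It also models the Ignore user account dial-in properties check box whose procedure appears later in this guide; policy conditions are simplified to group membership and NAS port type, and all policies and group names are constructed.

```python
from dataclasses import dataclass

# The three Network Access Permission values from the Dial-in tab.
DENY_ACCESS = "Deny access"
ALLOW_ACCESS = "Allow access"
CONTROL_THROUGH_POLICY = "Control access through NPS Network Policy"

@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    groups: frozenset          # matches when the user is in any listed group
    nas_port_types: frozenset  # e.g. {"Wireless"}; an empty set matches any type
    grant: bool                # the policy's access permission (True grant, False deny)
    ignore_dialin: bool = False  # "Ignore user account dial-in properties" check box

def first_matching_policy(policies, user_groups, nas_port_type):
    """NPS evaluates the ordered list top to bottom and stops at the first match."""
    for policy in policies:
        if policy.groups & user_groups and (
                not policy.nas_port_types or nas_port_type in policy.nas_port_types):
            return policy
    return None

def authorize(policies, user_groups, nas_port_type, network_access_permission):
    """Combine the account's Network Access Permission with the matching policy."""
    policy = first_matching_policy(policies, user_groups, nas_port_type)
    if policy is None:
        return False  # no policy matched the connection request
    if policy.ignore_dialin:
        return policy.grant  # account dial-in properties are not consulted at all
    if network_access_permission == DENY_ACCESS:
        return False  # always denied, regardless of network policy
    # "Allow access" and "Control access through NPS Network Policy" both leave the
    # decision to the matching policy; "Allow access" still loses to an explicit deny.
    return policy.grant

# Constructed policies for the Domain Users / Wireless Users example above.
DENY_DOMAIN_USERS_WIRELESS = NetworkPolicy(
    "Deny wireless to Domain Users", frozenset({"Domain Users"}), frozenset({"Wireless"}), False)
ALLOW_WIRELESS_USERS = NetworkPolicy(
    "Allow Wireless Users", frozenset({"Wireless Users"}), frozenset({"Wireless"}), True)
ALLOW_WIRELESS_USERS_IGNORE_DIALIN = NetworkPolicy(
    "Allow Wireless Users (ignore dial-in)", frozenset({"Wireless Users"}),
    frozenset({"Wireless"}), True, ignore_dialin=True)

# Wrong: the deny policy is listed first, so Wireless Users members are denied.
WRONG_ORDER = [DENY_DOMAIN_USERS_WIRELESS, ALLOW_WIRELESS_USERS]
# Fixed: the more specific allow policy is moved above the deny policy.
RIGHT_ORDER = [ALLOW_WIRELESS_USERS, DENY_DOMAIN_USERS_WIRELESS]
```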

The following objectives are part of managing NPS network policies:

    Configure NPS for VLANs

    Configure the EAP Payload Size

    Configure NPS to Ignore User Account Dial-in Properties

Configure NPS for VLANs


By using VLAN-aware network access servers and NPS in Windows Server 2008, you can provide groups of users with access only to the network resources that are appropriate for their security permissions. For example, you can provide visitors with wireless access to the Internet without allowing them access to your organization network.

In addition, VLANs allow you to logically group network resources that exist in different physical locations or on different physical subnets. For example, members of your sales department and their network resources, such as client computers, servers, and printers, might be located in several different buildings at your organization, but you can place all of these resources on one VLAN using the same IP address range. The VLAN then functions, from the end-user perspective, as a single subnet.

You can also use VLANs when you want to segregate a network between different groups of users. After you have determined how you want to define your groups, you can create security groups in the Active Directory Users and Computers snap-in, and then add members to the groups.

Use the following procedure to configure a network policy using VLANs:

    Configure a Network Policy for VLANs

Configure a Network Policy for VLANs


Use this procedure to configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

You can use the following procedure to create a network policy that assigns users to a VLAN. This procedure is provided as a guideline; your network configuration might require different settings than those provided below.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure a network policy for VLANs

    1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

    3. In the policy Properties dialog box, click the Settings tab.

    4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.

    5. In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.

    6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:

    a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).

    b. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.

    c. Tunnel-Type. Select Virtual LANs (VLAN).

    7. In Add Standard RADIUS Attribute, click Close.

    8. If your network access server (NAS) requires use of the Tunnel-Tag attribute, use the following steps to add the Tunnel-Tag attribute to the network policy. If your NAS documentation does not mention this attribute, do not add it to the policy. Add the attributes as follows:

    a. In policy Properties, in Settings, in RADIUS Attributes, click Vendor Specific.

    b. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

    c. In Attributes, scroll down to and select Tunnel-Tag, and then click Add. The Attribute Information dialog box opens.

    d. In Attribute value, type the value that you obtained from your hardware documentation.
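An added Python encoder and decoder (example code, not from the guide or from NPS) for the three attributes in step 6 as they travel in a RADIUS Access-Accept, using the RFC 2868 attribute numbers and enumerated values behind the console names: Tunnel-Type (64) with VLAN = 13, Tunnel-Medium-Type (65) with 802 = 6, and Tunnel-Private-Group-ID (81). Each carries a leading tag byte as defined in RFC 2868; that the console's Tunnel-Tag setting in step 8 supplies this byte is an assumption of this example, and the VLAN number is constructed.

```python
import struct

# RFC 2868 attribute types and enumerated values behind the NPS console names.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13    # console: "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_802 = 6    # console: "802 (Includes all 802 media plus Ethernet canonical format)"

def _check_tag(tag):
    # RFC 2868: tag is 0x01..0x1F, or 0 when the attribute is untagged.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")

def tagged_integer(attr_type, tag, value):
    """Type, length 6, tag byte, then a 3-byte big-endian integer."""
    _check_tag(tag)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    """Type, length, tag byte, then the string (at most 252 bytes)."""
    _check_tag(tag)
    data = text.encode("ascii")
    if len(data) > 252:
        raise ValueError("string too long for one attribute")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan_id, tag=0):
    """The three attributes from step 6; tag is the Tunnel-Tag value from step 8 (assumed)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_attributes(data):
    """Decode a run of attributes into (type, value); tunnel attributes give (tag, value)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:
                value = (value[0], value[1:].decode("ascii"))
            else:  # no tag byte: the first byte is part of the string (RFC 2868 3.6)
                value = (0, value.decode("ascii"))
        out.append((atype, value))
        pos += alen
    return out
```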



Configure the EAP Payload Size


In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.

When you deploy NPS with network policies that use the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS, as an authentication method, the default maximum transmission unit (MTU) that NPS uses for EAP payloads is 1500 bytes.

This maximum size for the EAP payload can create RADIUS messages that require fragmentation by a router or firewall between the NPS server and a RADIUS client. If this is the case, a router or firewall positioned between the RADIUS client and the NPS server might silently discard some fragments, resulting in authentication failure and the inability of the access client to connect to the network.

Use the following procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:

    Configure the Framed-MTU Attribute

Configure the Framed-MTU Attribute




Use this procedure to lower the maximum EAP payload size by using the Framed-MTU attribute in an NPS network policy. You can lower the EAP payload size by configuring the Framed-MTU attribute in network policy settings properties in the NPS console.

Perform this procedure if you have routers or firewalls that are not capable of performing fragmentation. The recommended Framed-MTU value in this circumstance is 1344 bytes or less.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the Framed-MTU attribute

    1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

    3. In the policy Properties dialog box, click the Settings tab.

    4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.

    5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.

    6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.



Configure NPS to Ignore User Account Dial-in Properties


Use this procedure to configure an NPS network policy to ignore the dial-in properties of user accounts in Active Directory during the authorization process. User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.

There are two circumstances where you might want to configure NPS to ignore the dial-in properties of user accounts in Active Directory:

     When you want to simplify NPS authorization by using network policy but not all of your user accounts have the Network Access Permission property set to Control access through NPS Network Policy. For example, some user accounts might have the Network Access Permission property of the user account set to Deny access or Allow access.

     When other dial-in properties of user accounts are not applicable to the connection type configured in the network policy. For example, properties other than the Network Access Permission setting are applicable only to dial-in or VPN connections, but the network policy you are creating is for wireless or authenticating switch connections.

You can use this procedure to configure NPS to ignore user account dial-in properties. If a connection request matches a network policy in which the Ignore user account dial-in properties check box is selected, NPS does not use the dial-in properties of the user account to determine whether the user or computer is authorized to access the network; only the settings in the network policy are used to determine authorization.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure NPS to ignore user account dial-in properties

    1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.

    2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.

    3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.

