IST 164 Chapter 11


Is ping user-name installed by default?

ping user-name is not installed by default. You must add ping user-name to the registry. You can add an entry to the registry using a registry editor.

PowerShell cmdlet Remove-NpsRadiusClient

remove the RADIUS client from the list of RADIUS clients on a Windows Server 2016 NPS RADIUS server.

When can you not use the PowerShell cmdlet Add-RemoteAccessRadius?

to add an external RADIUS server into the RADIUS Server Group on a Windows Server 2016 VPN server

When can you not use the Remove-RemoteAccessRadius PowerShell cmdlet?

to remove an external RADIUS server from the RADIUS Server Group on a Windows Server 2016 VPN server if the external RADIUS server you want to remove is the last RADIUS server in the list of RADIUS servers on the VPN server

How do you implement a Windows Server 2016 RADIUS client?

you simply have to add the RADIUS client to the list of RADIUS clients on the Windows Server 2016 RADIUS server. You can do this in the NPS console with New RADIUS Client. You must type in a friendly name, IP address, or DNS name of the RADIUS client and a shared secret.

steps to create a new connection request policy

1. In Server Manager, click Tools > Network Policy Server.
2. In the console tree, double-click Policies.
3. Right-click Connection Request Policies, and then click New Connection Request Policy.
4. Use the New Connection Request Policy Wizard to configure your connection request policy and, if not previously configured, a remote RADIUS server group.

Tunnel-Pvt-Group-ID Attributes

Enter the integer that represents the VLAN number to which group members will be assigned.

When you're using the Windows Server 2016 NPS (network policy server) for a VPN server, which authentication methods will you use so that the NPS server hosts the connection request policies and network policies for the VPN connections?

1. PEAP (Protected Extensible Authentication Protocol) 2. EAP (Extensible Authentication Protocol) 3. MS-CHAP (Microsoft Encrypted Authentication) 4. MS-CHAPv2 (Microsoft Encrypted Authentication version 2)

When using PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, with what exceptions?

1. Certificates that do not contain the Server Authentication purpose are not displayed.
2. Certificates that do not contain a subject name are not displayed.
3. Registry-based and smart card logon certificates are not displayed.

When you use the Windows Server 2016 NPS for a VPN server, you use the following authentication methods so that the NPS server hosts the connection request policies and Network Policies for the VPN connections

1. Protected Extensible Authentication Protocol (PEAP) 2. Extensible Authentication Protocol (EAP) 3. Microsoft Encrypted Authentication (MS-CHAP) 4. Microsoft Encrypted Authentication version 2 (MS-CHAPv2)

What settings can be configured in Windows Server 2016 NPS templates?

1. Shared Secrets 2. RADIUS Clients 3. Remote RADIUS Servers 4. IP Filters

With connection request policies, you can use NPS servers as a RADIUS server or RADIUS proxy, based on a variety of factors

1. Time of day and day of the week 2. Realm name in the connection request 3. Connection type you are requesting 4. RADIUS client's IP address

When can you use Windows Server 2016 NPS as a RADIUS server?

1. Using a domain or local SAM user accounts database as a user account database for clients.
2. Using Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers. You want to centralize both the configuration of Network Policies and connection logging and accounting.
3. Outsourcing dial-up, VPN, or wireless access to a service provider. The access servers can use RADIUS to authenticate and authorize connections that are made by members of your organization.
4. Centralizing authentication, authorization, and accounting for a heterogeneous set of access servers.

When using an NPS server as a RADIUS proxy, you configure the NPS server to forward to other RADIUS servers. You can create different NPS configurations for what solutions?

1. Wireless access 2. Organizational dial-up or VPN remote access 3. Outsourced dial-up or wireless access 4. Internet access 5. Authenticated access to extranet resources for business partners

RADIUS client

A RADIUS client is a client that forwards authentication requests for network connections to a RADIUS server. Examples of RADIUS clients are VPN servers, wireless access points, 802.1X-capable switches, and dial-up servers.

RADIUS proxy

A RADIUS proxy forwards and routes connection requests and accounting messages between RADIUS clients/proxies and RADIUS servers/proxies. A RADIUS proxy uses information within the RADIUS message, such as username or Called-Station-ID, to route the RADIUS message to the appropriate RADIUS server.

RADIUS server

A RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. Based on a set of rules and the information in the user account database, the RADIUS server either authenticates and authorizes the connection and sends back an Access-Accept message or sends back an Access-Reject message. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection. To configure a Windows Server 2016 RADIUS server, you must install a Network Policy Server (NPS).

Network Policy

A Windows Server 2016 NPS offers two types of Network Policies: connection request policies and Network Policies. Health policies for NAP servers are no longer available on a Windows Server 2016 NPS server. Network Policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and under which circumstances they can or cannot connect.

RADIUS

A client/server protocol that enables network access equipment, used as RADIUS clients, to submit authentication and accounting requests to a RADIUS server.

What does a ping user-name registry entry specify?

A ping user-name registry entry specifies the fictional username (or a username pattern, with variables, that matches the fictional username) sent by RADIUS proxy servers and network access servers.

PowerShell cmdlet Add-RemoteAccessRadius

Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess (DA) and VPN, or one-time password (OTP) authentication for DA. The RADIUS server properties for authentication and accounting are the same except for the AccountingOnOffMsg parameter, which is applicable only to accounting RADIUS, and the MsgAuthenticator parameter, which is applicable only to authentication RADIUS. These properties are not relevant for DA OTP authentication.

What is the RADIUS client?

Clients such as wireless portable computers and other computers running client operating systems are not the RADIUS clients. RADIUS clients are network access servers such as wireless access points, 802.1X-capable switches, and VPN and dial-up servers because they use the RADIUS protocol to communicate with RADIUS servers such as Windows Server 2016 NPS servers.

What do connection request policies allow users to do?

Connection request policies allow you to designate whether the local NPS server processes connection requests locally or whether they are forwarded for processing to another RADIUS server.

Constraints

Constraints are additional parameters of the network policy required to match the connection request.

PowerShell cmdlet Get-RemoteAccessRadius

Displays the list of RADIUS servers, including RADIUS for VPN authentication, RADIUS for DirectAccess and VPN accounting, and RADIUS for OTP authentication for DirectAccess.

PowerShell cmdlet Set-RemoteAccessRadius

Edits the properties associated with an external RADIUS server being used for VPN authentication, accounting for DirectAccess and VPN, and OTP authentication for DirectAccess.
- You cannot use this cmdlet to change the purpose for which a RADIUS server is currently being used. You can modify only other properties of the server.
- The RADIUS server properties for authentication and accounting are the same except for the AccountingOnOffMsg parameter, which is applicable only to accounting RADIUS, and the MsgAuthenticator parameter, which is applicable only to RADIUS authentication. These parameters are not relevant for DirectAccess OTP authentication.
- If a user tries to edit the properties of a RADIUS server for a particular purpose but specifies a parameter that is not applicable to that purpose, this cmdlet still runs, but the parameter is ignored and a warning message displays; the other parameters specified are still modified.

HCAP

Host Credential Authorization Protocol (HCAP) is removed in Windows Server 2016.

What happens if RADIUS Accounting fails due to a full hard disk drive or other causes?

If RADIUS Accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources.

If the NPS server has to work as both a RADIUS server, processing connection requests locally, and a RADIUS proxy, add a new connection request policy using the following steps; then verify that the default connection request policy is the last policy processed by placing it last in the list of policies

NPS as both RADIUS server and RADIUS proxy

In addition to the default connection request policy, which specifies that connection requests must be processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the Proxy policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server.

Do the VPN connections need certificates?

MS-CHAPv2 and MS-CHAP can work without using certificates, but PEAP must use certificates.

NPS with Remote RADIUS to Windows User Mapping

NPS acts as both a RADIUS server and a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy.

NPS as a RADIUS server

NPS is configured as a RADIUS server, the default connection request policy is the only configured policy, and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains.

When NPS receives ping requests that match the ping user-name registry entry value, what happens?

NPS rejects the authentication requests without processing the requests.

NPS as RADIUS proxy

The NPS server is configured as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two untrusted domains. The default connection request policy is deleted, and two new connection request policies are created to forward requests to each of the two untrusted domains. In this example, NPS does not process any connection requests on the local server.

________ server can be administered only remotely and is OS (operating system) optimized for private clouds and datacenters.

Nano

Network Access Protection

Network Access Protection (NAP) is removed in Windows Server 2016.

If the current configuration is Windows accounting, a user can switch to external RADIUS Accounting by doing one of the following

Option 1. Running the same cmdlet to enable RADIUS Accounting and specifying an external RADIUS server.
Option 2. Adding an external RADIUS server using the Add-RemoteAccessRadius cmdlet. This enables RADIUS Accounting without running this cmdlet.
Option 3. Switching back to Windows accounting by deleting all the configured external RADIUS servers.

Overview properties

Overview properties allow you to specify whether the policy is enabled, whether the policy grants or denies access, and whether a specific network connection method or type of network access server is required for connection requests.

Windows Server 2016 NPS network policy categories

Overview, Constraints, Settings

The ________ ____________________ setting can be used to configure the SQL Server data link and database.

Parallel logging

With the use of a ___________________ server, you can collect and maintain network access user authentication, authorization, and accounting data in a central location.

RADIUS

What does RADIUS stand for?

RADIUS (remote authentication dial-in user service)

RADIUS protocol

RADIUS messages are sent as UDP messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, NPS supports receiving RADIUS messages destined to both sets of UDP ports.

PowerShell cmdlet Remove-RemoteAccessRadius

Removes an external RADIUS server from being used for VPN authentication, accounting for both DirectAccess and VPN, and OTP authentication for DirectAccess.
- If a RADIUS server is currently being used for multiple purposes, it can be removed for one or more of those purposes. However, the cmdlet then must be run separately for each purpose.
- If the last RADIUS server being used for accounting is removed, the accounting type automatically switches to Windows accounting.
- The user is not allowed to delete the last RADIUS server being used for VPN authentication if RADIUS authentication is configured.

Tunnel-Type Attributes

Select Virtual LANs (VLAN).

Tunnel-Medium-Type Attributes

Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes All 802 Media Plus Ethernet Canonical Format).

PowerShell cmdlet Set-RemoteAccessAccounting

Sets the enabled state for the inbox and RADIUS Accounting for both external RADIUS and Windows accounting, and configures the settings when enabled.
- Both inbox accounting and RADIUS Accounting can be active at the same time. RADIUS Accounting includes Windows accounting, external RADIUS Accounting, and accounting on the local Network Policy Server (NPS), but only one type of accounting can be active at any time. The RadiusServer, SharedSecret, RadiusPort, RadiusScore, RadiusTimeout, and AccountingOnOffMsg parameters are applicable only when RADIUS Accounting is enabled and cannot be specified when inbox accounting is enabled.
- If Windows Accounting is enabled for VPN, it will not work for DirectAccess because this is not a supported configuration for DirectAccess. For accounting to work for DirectAccess in this scenario, either NPS needs to be installed locally or an external RADIUS server needs to be configured for accounting.

Settings

Settings allow you to specify the settings that the NPS server applies to the connection request, if all of the policy's network policy conditions are matched and the request is accepted.

create a network policy for 802.1X wired or wireless

Step 1. On the NPS server, in Server Manager, click Tools and then click Network Policy Server.
Step 2. Click NPS (Local). Select the server.
Step 3. In Getting Started and Standard Configuration, select RADIUS Server for 802.1X Wireless or Wired Connections.
Step 4. Click Configure 802.1X Using a Wizard. The New IEEE 802.1X Secure Wired and Wireless Connections Wizard opens.
Step 5. Follow the instructions in the wizard to finish creating your new policies.

steps to configure a network policy for VLANs

Step 1. On the NPS server, in Server Manager, click Tools and then click Network Policy Server.
Step 2. Double-click Policies, click Network Policies, and then, in the details pane, double-click the policy that you want to configure.
Step 3. In the policy Properties dialog box, click the Settings tab.
Step 4. In RADIUS Attributes, ensure that Standard is selected.
Step 5. In the details pane, the Service-Type attribute is configured with a default value of Framed. By default, for policies with access methods of VPN and dial-up, the Framed-Protocol attribute is configured with a value of PPP. To specify additional connection attributes required for VLANs, click Add. The Add Standard RADIUS Attribute dialog box opens.
Step 6. In Add Standard RADIUS Attribute, in Attributes, scroll down and add the following attributes:
Tunnel-Medium-Type: Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes All 802 Media Plus Ethernet Canonical Format).
Tunnel-Pvt-Group-ID: Enter the integer that represents the VLAN number to which group members will be assigned.
Tunnel-Type: Select Virtual LANs (VLAN).

To configure NPS UDP port information, you can do the following steps

Step 1. Open the NPS console.
Step 2. Right-click Network Policy Server, and then click Properties.
Step 3. Click the Ports tab and examine the settings for the ports. If your RADIUS authentication and RADIUS Accounting UDP ports vary from the default values provided (1812 and 1645 for authentication, and 1813 and 1646 for accounting), type your port settings in Authentication and Accounting.
Step 4. To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.

Health Registration Authority

The Health Registration Authority (HRA) is removed in Windows Server 2016.

A Windows Server 2016 NPS as a RADIUS server can verify network access authentication credentials. If the user's credentials are approved and RADIUS authorizes the connection attempt, what happens?

The RADIUS server authorizes the user's access based on configured conditions. It also logs the network access connections in an accounting log.

NPS as a RADIUS server with remote accounting servers

The local NPS server is not configured to perform accounting and the default connection request policy is revised so that RADIUS Accounting messages are forwarded to an NPS server or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded; the local NPS server performs these functions for the local domain and all trusted domains.

What is recommended to prevent NPS log files from filling the hard drive?

To prevent NPS log files from filling the hard drive, it is recommended that you keep them on a partition that is separate from the system partition.

SQL logging only

With this choice, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL Server. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL Server logging.

Text logging only

With this setting, you can configure NPS to log accounting data to a text file.

SQL logging with backup

With this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.

Parallel logging

With this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database.

PowerShell cmdlet New-NpsRadiusClient

add the RADIUS client to the Windows Server 2016 RADIUS server

PowerShell cmdlet Set-NpsRadiusClient

change settings for the RADIUS client

import or export the NPS settings through PowerShell

cmdlets Import-NpsConfiguration and Export-NpsConfiguration

You can register the NPS server using the NPS console, but you also can do so through the command prompt with what command?

command netsh ras add registeredserver

Connection request policies

condition sets and settings that allow administrators to designate which RADIUS servers do the authentication and authorization of connection requests that the NPS server receives from RADIUS clients.

PowerShell cmdlet Get-NpsRadiusClient

display all settings of the RADIUS client you have applied
