Understanding the new Windows Server 2008 Network Policy Server
Although I was familiar with all the concepts and terms regarding the Microsoft Network Access Protection (NAP) and the Cisco NAC technologies, what actually prompted me to take a look at the new Windows Server 2008 Network Policy Server was unrelated to either of those. My interest in the Windows 2008 Network Policy Server (NPS) was to be able to use RADIUS on a Windows 2008 System. Specifically, I wanted to use a Windows 2008 Server to allow me to authenticate PCs using 802.1x and users logging into network devices like Cisco routers.
Traditionally, if I wanted to perform one of these tasks with Windows 2000 or 2003 Server, I would use the Microsoft Internet Authentication Service (IAS). In the past, WindowsNetworking.com has offered a number of articles on using IAS. For example, Wireless Networking in Windows 2003 and Setting up Windows 2000 RADIUS to authenticate wireless 802.1x clients. However, in Windows Server 2008, you will quickly find out that IAS has been replaced with the Network Policy Server (NPS).
So what is NPS and how can it help me?
What is Windows Server 2008 Network Policy Server?
NPS is not just a replacement for IAS: it does what IAS did and much more. While many of us may just be looking to do the same things that IAS did in Windows 2003, when you install NPS you will find that you have opened yourself up to a lot of new functionality.
Here is what NPS does that is the SAME as what IAS offered:
- Routing LAN and WAN traffic.
- Allowing access to local resources through VPN or dial-up connections.
- Creating and enforcing policies for network access through VPN or dial-up connections.
For example, NPS can provide these functions:
- VPN Services
- Dial-up Services
- 802.11 protected access
- Routing & Remote Access (RRAS)
- Offer Authentication through Windows Active Directory
- Control network access with policies
What NPS does that is new are all the functions related to Network Access Protection (NAP): for example, System Health Validators, Remediation Server Groups, Health Policies, and more.
For a detailed step-by-step example of how to use NPS to perform Network Access Protection (NAP), please see Brien Posey's series An Introduction to Network Access Protection, Part 1 to Part 7.
How do I install NPS?
NPS is a Windows 2008 Server Component. That means that you install it by “Adding a Component”, like this:
Figure 1: Adding the NPS Component
Next, choose the Network Policy and Access Services, like this:
Figure 2: Choosing the NPS Role
You will be given a screen full of overview information on NPS, like this:
Figure 3: Overview screen on NPS
Now, choose the services for this role that you want to install. Note that if you choose either the Health Registration Authority or the Host Credential Authorization Protocol, you will be prompted to install additional roles on your server (such as the IIS web server). These two services are related to Microsoft's NAP and Cisco's NAC respectively.
To go into this list a little further, the Network Policy Service is actually the RADIUS server that you are used to seeing with IAS. The RRAS services are the second piece that has traditionally been included with IAS. With these broken out separately, you can selectively install only what you need.
Figure 4: Selecting the NPS installation options
After you make your choices and click Next, you will see this final confirmation screen where you can click Install.
Figure 5: NPS Installation Confirmation Screen
At the conclusion of the install, look for a screen like this:
Figure 6: NPS Installation Completed
Now, let’s move on to how you manage your new Network Policy Server…
How do I manage NPS?
If you are looking to perform the traditional IAS functions, the easiest way to manage your new network policy server (NPS) services is to use the Windows 2008 Server Manager. Inside Server Manager, you will see Roles and inside roles, you will find Network Policy and Access Services, like this:
Figure 7: NPS Services in Server Manager
As you can see, there are 3 services associated with NPS, the network policy server (named IAS), the remote access connection manager (RasMan), and the routing and remote access service (named RemoteAccess). For those who use IAS, the names of these services will seem familiar.
To configure and manage the separate Network Policy Server (NPS) service, there is a new Windows 2008 Server administrative tool, called Network Policy Server.
Figure 8: Starting the NPS Management Tool
Once loaded, here is what it looks like:
Figure 9: The NPS Management Tool
As you can see, the RADIUS Clients and Servers section is familiar, as is the Policies section. What looks new is that the old IAS "Remote Access Logging" has been renamed "Accounting", and the Network Access Protection folder is new.
Still, it isn't just that pieces of the interface and the name of IAS are new; what is truly different is the Network Access Protection functionality that NPS provides.
Network Policy Server Architecture
There are a number of parts to the Network Policy Server architecture. Below is a graphic originally published at Microsoft TechNet in an article titled “Network Policy Server Infrastructure”.
Figure 10: NPS Architecture (Source: Microsoft)
As you can see from the graphic, the NPS server that we installed in this article is just one of the many pieces of the total NPS Infrastructure. Not all of these pieces are required. The pieces of this infrastructure that are required are based on the function that you are trying to perform.
For example, in my introduction I talked about how I would like to use NPS to authenticate users logging into Cisco networking devices using RADIUS. To do that, all I would need is this NPS RADIUS Server and the Network Policy Server (NPS). The Cisco router (or other network device) would be the NPS RADIUS Client. The NPS RADIUS Server is what accepts the request for user credential authentication from the network device. The NPS RADIUS Server usually checks with the Network Policy Server to see whether it is accepting authentication requests from that RADIUS Client and, if the policy is met, the credentials are sent, usually to Windows Active Directory (AD), to be validated. If they are validated, an authentication-accepted response is sent back to the NPS RADIUS Client (the network device, such as a Cisco router, in my example).
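The Access-Request / Access-Accept exchange just described, as an added example that is not code from the original article or from Microsoft: a minimal RFC 2865 RADIUS client (standing in for the router) and server (standing in for NPS) in Python, showing the User-Password hiding and the Response Authenticator through which each side proves it holds the shared secret. The shared secret, user name, password and the in-memory dictionary that stands in for Active Directory are constructed placeholders.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # attribute types used in this exchange

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # type, length, value

def _pw_xor(data, secret, req_auth, hiding):
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # chain on the ciphertext in both directions
    return out

def hide_password(password, secret, req_auth):
    return _pw_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def unhide_password(hidden, secret, req_auth):
    return _pw_xor(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, req_auth=None):
    """RADIUS client side (the router): Access-Request carrying a fresh random Request Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def nps_respond(packet, secret, directory):
    """RADIUS server side (NPS): recover the password, check the stand-in directory, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and directory.get(attrs.get(USER_NAME)) == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def client_verify(response, req_auth, secret):
    """Client side: trust the reply only if its Response Authenticator proves the same shared secret."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return response[0] if response[4:20] == expected else None
```

A reply built with a different shared secret fails `client_verify`, which is why the RADIUS client entry on the NPS side and the secret configured on the router must match exactly.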
When combined with the Microsoft NAP client, Microsoft calls Network Policy Server a "system health policy enforcement platform". Still, I just think of NPS as an AAA server (authentication, authorization, and accounting). If you just need the traditional RADIUS server, you won't see much difference when using NPS. However, I encourage you to take a look at how NPS can help you with a total Network Access Protection (NAP) solution for your company. By allowing only computers that have up-to-date patches, anti-virus definitions, and firewall settings to access your network, the entire company will be more secure.
For more information on the Windows 2008 Server Network Policy Server and Network Access Protection (NAP), see the following links:
- An Introduction to Network Access Protection - Part 1 to Part 7
- Network Access Protection (NAP) for Windows Server 2008
- Configuring the Network Policy Server for Configuration Manager
- Microsoft TechNet – Network Policy Server
- Network Policy Server Infrastructure
- Network Access Protection Web site
- Step-by-Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab