Applies To: Windows Server 2008
Network Policy Server (NPS) can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be either a network access server or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:
- A central authentication and authorization service for all access requests that are sent by RADIUS clients. NPS uses a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
- A central accounting recording service for all accounting requests that are sent by RADIUS clients. Accounting requests are stored in a local log file or Microsoft® SQL Server™ database for analysis.
The following illustration shows NPS as a RADIUS server for a variety of access clients, and also shows a RADIUS proxy. NPS uses an Active Directory® domain for user credential authentication of incoming RADIUS Access-Request messages.
When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:
- Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
- The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
- The NPS server evaluates the Access-Request message.
- If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
- The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
- The connection attempt is authorized with both the dial-in properties of the user account and network policies.
- If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server. If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
- The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.
- The NPS server sends an Accounting-Response to the access server.
Note: The access server also sends Accounting-Request messages during the time in which the connection is established, when the access client connection is closed, and when the access server is started and stopped.
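The exchange above is carried in RADIUS packets whose integrity rests on the shared secret configured between the access server and the NPS server. The following is an added example, not code from the original page or from NPS itself; it encodes the Access-Request, Access-Accept/Access-Reject and Accounting-Request messages as RFC 2865 and RFC 2866 define them, shows how the User-Password attribute is hidden with the shared secret and Request Authenticator, and shows the check a RADIUS client must perform on the Response Authenticator so that a reply forged without the secret (for example a Reject rewritten as an Accept) is discarded. The secret, user name and password values are constructed for the demonstration.

```python
"""RADIUS packet encoding and verification per RFC 2865 / RFC 2866 (added example)."""
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_ACCT_STATUS_TYPE = 1, 2, 40
ACCT_STATUS_START = 1


def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the 2 header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data):
    """Return [(type, value), ...]; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)  # must be unpredictable per request
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request_packet, attrs, secret):
    ident, request_auth = request_packet[1], request_packet[4:20]
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)


def verify_response(response, request_packet, secret):
    """Client-side check: ID must match the outstanding request and the authenticator must verify."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request_packet[1]:
        return False
    expected = response_authenticator(code, ident, request_packet[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def build_accounting_start(ident, username, secret):
    """RFC 2866 3: Request Authenticator = MD5(header + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_accounting_request(packet, secret):
    """Server-side check that an Accounting-Request came from a client holding the secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo(secret=b"constructed-shared-secret", stored_password=b"correct horse battery"):
    """Walk the exchange for a good and a bad password; return the verification outcomes."""
    results = {}
    for label, supplied in (("good", stored_password), ("bad", b"wrong")):
        req = build_access_request(7, b"alice", supplied, secret)
        # NPS side: recover the password, authenticate, answer with Accept or Reject
        attrs = dict(parse_attrs(req[20:]))
        ok = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req[4:20]) == stored_password
        reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, b"", secret)
        results[label] = (reply[0], verify_response(reply, req, secret))
        # A reply whose code is rewritten without the secret fails the authenticator check
        forged = bytes([ACCESS_ACCEPT]) + reply[1:]
        results[label + "_forged"] = verify_response(forged, req, secret)
    acct = build_accounting_start(8, b"alice", secret)
    results["acct"] = verify_accounting_request(acct, secret)
    results["acct_wrong_secret"] = verify_accounting_request(acct, b"other")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields an Accept (code 2) that verifies for the correct password, a Reject (code 3) that verifies for the wrong one, and `False` for the Reject rewritten as an Accept and for an Accounting-Request checked against a different secret. That last pair is the practical point of the shared secret: it is what lets the access server trust an Accept and lets NPS trust the accounting records it logs, so it must be unique per RADIUS client and long enough to resist offline guessing.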
You can use NPS as a RADIUS server when:
- You are using a Windows NT Server 4.0 domain, an Active Directory domain, or the local SAM user accounts database as your user account database for access clients.
- You are using Routing and Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging for accounting.
- You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
- You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.
Note: In Internet Authentication Service (IAS) in the Windows Server® 2003 operating systems, network policies are referred to as remote access policies.