Network Policy Server (NPS) can be used as a Remote Authentication Dial-In User Service (RADIUS) server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be an access server, such as a dial-up server or wireless access point, or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:
- A central authentication and authorization service for all access requests that are sent by RADIUS clients.
  NPS uses a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® Domain Services (AD DS) domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
- A central accounting recording service for all accounting requests that are sent by RADIUS clients.
  Accounting requests are stored in a local log file or a Microsoft® SQL Server™ database for analysis.
The following illustration shows NPS as a RADIUS server for a variety of access clients, and also shows a RADIUS proxy. NPS uses an AD DS domain for user credential authentication of incoming RADIUS Access-Request messages.
When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:
- Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
- The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
- The NPS server evaluates the Access-Request message.
- If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
- The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
- The connection attempt is authorized with both the dial-in properties of the user account and network policies.
- If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server.
  If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
- The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.
- The NPS server sends an Accounting-Response to the access server.
Note: The access server also sends Accounting-Request messages during the time in which the connection is established, when the access client connection is closed, and when the access server is started and stopped.
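The Access-Request, Access-Accept and Access-Reject exchange described above, as an added Python example that is not part of this article and is not NPS code: it builds an Access-Request in the RFC 2865 wire format (random Request Authenticator, User-Password hidden with the shared secret), lets the server side recover the password and answer Accept or Reject with a Response Authenticator, and shows the check an access server must perform before trusting that reply. The account table, the user "alice", the shared secret and the attribute constants are constructed for the example.

```python
import hashlib, hmac, os, struct
# RFC 2865 packet codes and attribute types (constants, not from the article)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")  # reject truncated/overlong TLVs
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def _password_xor(data, secret, req_auth, reveal=False):
    # RFC 2865 5.2: b1 = MD5(S + RA), c1 = p1 ^ b1, then b_i = MD5(S + c_(i-1)).
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(chunk, key))
        out += block
        prev = chunk if reveal else block  # chain on the ciphertext block either way
    return out

def build_access_request(ident, user, password, secret):
    # Access server side: fresh Request Authenticator, User-Password hidden with it.
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, _password_xor(padded, secret, req_auth))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt, req_auth

def server_respond(request, secret, accounts):
    # RADIUS server side: recover the password, check it, answer Accept or Reject.
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    password = _password_xor(attrs[USER_PASSWORD], secret, req_auth, True).rstrip(b"\x00")
    ok = accounts.get(attrs.get(USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(response, req_auth, secret):
    # The access server recomputes the Response Authenticator before honouring the reply.
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The `client_verify` check is what ties an Accept or Reject to the shared secret and the original request; deployments should additionally require the Message-Authenticator attribute from RFC 2869, which this minimal example omits.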
You can use NPS as a RADIUS server when:
- You are using a Windows NT Server 4.0 domain, an AD DS domain, or the local SAM user accounts database as your user account database for access clients.
- You are using Routing and Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging for accounting.
- You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
- You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.
Note: In Internet Authentication Service (IAS) in the Windows Server® 2003 operating systems, network policies are referred to as remote access policies.