Network Policy Server (NPS) can be used as a Remote Authentication Dial-In User Service (RADIUS) server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be an access server, such as a dial-up server or wireless access point, or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:
- A central authentication and authorization service for all access requests that are sent by RADIUS clients.
NPS uses a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® Domain Services (AD DS) domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. NPS uses the dial-in properties of the user account and network policies to authorize a connection.
- A central accounting recording service for all accounting requests that are sent by RADIUS clients.
Accounting requests are stored in a local log file or a Microsoft® SQL Server™ database for analysis.
The following illustration shows NPS as a RADIUS server for a variety of access clients, and also shows a RADIUS proxy. NPS uses an AD DS domain for user credential authentication of incoming RADIUS Access-Request messages.
When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:
- Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
- The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
- The NPS server evaluates the Access-Request message.
- If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
- The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a
- The connection attempt is authorized with both the dial-in properties of the user account and network policies.
- If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server.
If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
- The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged.
- The NPS server sends an Accounting-Response to the access server.
The access server also sends Accounting-Request messages during the time in which the connection is established, when the access client connection is closed, and when the access server is started and stopped.
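The exchange described in the steps above, as an added example that is not part of the original page and not Microsoft's NPS code: a small Python model in which an access server (the RADIUS client) builds an Access-Request with the User-Password attribute hidden under the shared secret, an NPS-style server checks the credentials and answers with Access-Accept or Access-Reject, and the same client then sends Accounting-Request Start and Stop records that the server acknowledges with Accounting-Response. Packet layout and authenticator computations follow RFC 2865 and RFC 2866. The user store (a dict standing in for AD DS or SAM), the NAS address 192.0.2.10, the user names and the shared secrets are all constructed for this example, and the optional Access-Challenge step is not modelled.

```python
"""RADIUS Access-Request/Access-Accept and Accounting round trip between an access
server (RADIUS client) and an NPS-style server; layouts per RFC 2865 and RFC 2866."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5            # RFC 2866 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
ACCT_START, ACCT_STOP = 1, 2

USERS = {b"alice": b"correct horse battery"}  # constructed stand-in for the AD DS / SAM store

def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block); the first block is chained to the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(pw, secret, request_auth):
    return password_xor(pw + b"\x00" * (-len(pw) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def keyed_authenticator(code, ident, body, seed, secret):
    """MD5(Code + ID + Length + seed + Attributes + Secret): seed is the Request
    Authenticator for a response and 16 zero bytes for an Accounting-Request."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + seed + body + secret).digest()

def build_response(code, ident, request_auth, secret):
    return build_packet(code, ident, keyed_authenticator(code, ident, b"", request_auth, secret), [])

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("malformed RADIUS packet")
    return code, ident, pkt[4:20], dict(decode_attrs(pkt[20:]))

# --- access server (RADIUS client) side ---
def nas_access_request(user, password, secret, ident, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def nas_accounting_request(user, status, secret, ident):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    auth = keyed_authenticator(ACCOUNTING_REQUEST, ident, encode_attrs(attrs), bytes(16), secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def nas_verify_response(resp, request_auth, secret):
    """Return the response code only if the Response Authenticator proves the reply
    came from a server holding the shared secret; None means the reply is discarded."""
    code, ident, auth, _ = parse_packet(resp)
    expected = keyed_authenticator(code, ident, resp[20:], request_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None

# --- NPS (RADIUS server) side ---
def nps_handle(pkt, secret):
    code, ident, auth, a = parse_packet(pkt)
    if code == ACCESS_REQUEST:
        pw = reveal_password(a.get(USER_PASSWORD, b""), secret, auth)
        ok = a.get(USER_NAME) in USERS and hmac.compare_digest(pw, USERS[a[USER_NAME]])
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, secret)
    if code == ACCOUNTING_REQUEST:
        if not hmac.compare_digest(auth, keyed_authenticator(code, ident, pkt[20:], bytes(16), secret)):
            return None  # RFC 2866: a request with a bad authenticator is silently discarded
        return build_response(ACCOUNTING_RESPONSE, ident, auth, secret)  # real NPS logs the record here
    raise ValueError("unsupported code %d" % code)

def run_exchange(user, password, nas_secret, nps_secret=None):
    """One authentication followed by Start/Stop accounting; returns what the NAS accepted."""
    nps_secret = nps_secret or nas_secret
    req = nas_access_request(user, password, nas_secret, ident=1)
    result = {"auth": nas_verify_response(nps_handle(req, nps_secret), req[4:20], nas_secret), "accounting": []}
    if result["auth"] == ACCESS_ACCEPT:
        for ident, status in ((2, ACCT_START), (3, ACCT_STOP)):
            areq = nas_accounting_request(user, status, nas_secret, ident)
            resp = nps_handle(areq, nps_secret)
            result["accounting"].append(resp and nas_verify_response(resp, areq[4:20], nas_secret))
    return result
```

With the same secret on both sides, `run_exchange(b"alice", b"correct horse battery", b"shared-secret")` returns an Access-Accept (code 2) followed by two Accounting-Responses (code 5). Two failure cases are worth separating when troubleshooting: a wrong password produces an Access-Reject whose authenticator still verifies at the access server, whereas a shared-secret mismatch makes NPS recover garbage from User-Password and reject, and then makes the access server discard that reply because the Response Authenticator does not verify, so the client sees only a timeout. Because both the password hiding and the authenticators rest on MD5 with the shared secret, RADIUS traffic that leaves a trusted segment should be protected by IPsec or RadSec (RADIUS over TLS, RFC 6614) rather than by the protocol itself.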
You can use NPS as a RADIUS server when:
- You are using a Windows NT Server 4.0 domain, an AD DS domain, or the local SAM user accounts database as your user account database for access clients.
- You are using Routing and Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging for accounting.
- You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
- You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.
In Internet Authentication Service (IAS) in the Windows Server® 2003 operating systems, network policies are referred to as remote access policies.