Network Policy and Access Services provides the following network connectivity solutions:
- Network Access Protection (NAP). NAP is a
client health policy creation, enforcement, and remediation
technology that is included in the Windows Vista® client
operating system and in the Windows Server® 2008
operating system. With NAP, system administrators can establish and
automatically enforce health policies, which can include software
requirements, security update requirements, required computer
configurations, and other settings. Client computers that are not
in compliance with health policy can be provided restricted network
access until their configuration is updated and brought into
compliance with policy. Depending on how you choose to deploy NAP,
noncompliant clients can be automatically updated so that users can
quickly regain full network access without manually updating or
reconfiguring their computers.
- Secure wireless and wired access. When you
deploy 802.1X wireless access points, secure wireless access
provides wireless users with a secure password-based authentication
method that is easy to deploy. When you deploy 802.1X
authenticating switches, wired access allows you to secure your
network by ensuring that intranet users are authenticated before
they can connect to the network or obtain an IP address using
DHCP.
- Remote access solutions. With remote access
solutions, you can provide users with virtual private network (VPN)
and traditional dial-up access to your organization's network. You
can also connect branch offices to your network with VPN solutions,
deploy full-featured software routers on your network, and share
Internet connections across the intranet.
- Central network policy management with RADIUS
server and proxy. Rather than configuring network access policy at
each network access server, such as wireless access points, 802.1X
authenticating switches, VPN servers, and dial-up servers, you can
create policies in a single location that specify all aspects of
network connection requests, including who is allowed to connect,
when they can connect, and the level of security they must use to
connect to your network.
Role services for Network Policy and Access Services
When you install Network Policy and Access Services, the following role services are available:
- Network Policy Server (NPS). NPS is
the Microsoft implementation of a RADIUS server and proxy. You can
use NPS to centrally manage network access through a variety of
network access servers, including wireless access points, VPN
servers, dial-up servers, and 802.1X authenticating switches. In
addition, you can use NPS to deploy secure password authentication
with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2
for wireless connections. NPS also contains key components for
deploying NAP on your network.
The following technologies can be deployed after the installation of the NPS role service:
- NAP health policy server. When you
configure NPS as a NAP health policy server, NPS evaluates
statements of health (SoH) sent by NAP-capable client computers
that want to communicate on the network. You can configure NAP
policies on NPS that allow client computers to update their
configuration to become compliant with your organization's network
policy.
- IEEE 802.11 Wireless. Using the NPS
MMC snap-in, you can configure 802.1X-based connection request
policies for IEEE 802.11 wireless client network access. You can
also configure wireless access points as Remote Authentication
Dial-In User Service (RADIUS) clients in NPS, and use NPS as a
RADIUS server to process connection requests, as well as perform
authentication, authorization, and accounting for 802.11 wireless
connections. You can fully integrate IEEE 802.11 wireless access
with NAP when you deploy a wireless 802.1X authentication
infrastructure so that the health status of wireless clients is
verified against health policy before clients are allowed to
connect to the network.
- IEEE 802.3 Wired. Using the NPS MMC
snap-in, you can configure 802.1X-based connection request policies
for IEEE 802.3 wired client Ethernet network access. You can also
configure 802.1X-compliant switches as RADIUS clients in NPS, and
use NPS as a RADIUS server to process connection requests, as well
as perform authentication, authorization, and accounting for 802.3
Ethernet connections. You can fully integrate IEEE 802.3 wired
client access with NAP when you deploy a wired 802.1X
authentication infrastructure.
- RADIUS server. NPS performs
centralized connection authentication, authorization, and
accounting for wireless, authenticating switch, and remote access
dial-up and VPN connections. When you use NPS as a RADIUS server,
you configure network access servers, such as wireless access
points and VPN servers, as RADIUS clients in NPS. You also
configure network policies that NPS uses to authorize connection
requests, and you can configure RADIUS accounting so that NPS logs
accounting information to log files on the local hard disk or in a
Microsoft® SQL Server™ database.
- RADIUS proxy. When you use NPS as a
RADIUS proxy, you configure connection request policies that tell
the NPS server which connection requests to forward to other RADIUS
servers and to which RADIUS servers you want to forward connection
requests. You can also configure NPS to forward accounting data to
be logged by one or more computers in a remote RADIUS server
group.
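The following script is an added example and is not part of the original Microsoft documentation. It shows the RADIUS server step described above done with the Netsh commands for NPS: each network access server is registered as a RADIUS client with its own random shared secret, the Message-Authenticator attribute is made mandatory, and the configuration is backed up. It assumes it is run elevated on the NPS server; the client names and addresses are placeholders.

```powershell
# Added example (not from the original documentation): register network access
# servers as RADIUS clients on an NPS server with netsh nps, giving each its own
# random shared secret, then take a configuration backup. Assumptions: run
# elevated on the NPS server; the names and addresses below are placeholders for
# your own access points and VPN servers.
$radiusClients = @(
    @{ Name = 'AP-Floor1'; Address = '192.0.2.10' },   # placeholder
    @{ Name = 'VPN-Edge1'; Address = '192.0.2.20' }    # placeholder
)

function New-SharedSecret {
    # 32 bytes from the OS CSPRNG as 64 hex characters: the shared secret is what
    # authenticates RADIUS traffic between the access server and NPS, so it must
    # be unique per client and not guessable. Hex avoids characters such as '='
    # that netsh treats specially.
    param([int]$ByteCount = 32)
    $buffer = New-Object byte[] $ByteCount
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($buffer)
    return ([BitConverter]::ToString($buffer) -replace '-', '')
}

$generated = foreach ($client in $radiusClients) {
    $secret = New-SharedSecret
    # requireauthattrib=yes makes NPS insist on the Message-Authenticator
    # attribute, so a request is only accepted if it was built with the secret.
    $out = netsh nps add client name="$($client.Name)" address="$($client.Address)" `
        state="enable" sharedsecret="$secret" requireauthattrib="yes"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh nps add client failed for $($client.Name): $out"
        continue
    }
    [pscustomobject]@{ Name = $client.Name; Address = $client.Address; Secret = $secret }
}

# $generated holds the secrets that must be entered on each access server and
# stored in your password vault; NPS never displays a shared secret again.
netsh nps show client

# Configuration backup without shared secrets. exportPSK=YES would include them,
# and the resulting file would then need the protection of a password store.
netsh nps export filename="$env:TEMP\nps-config-backup.xml" exportPSK=NO
```

Pipe `$generated` into whatever vault tooling you use rather than leaving it in a transcript; the secrets are the only thing that stops an arbitrary host on the management network from posing as one of your access points.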
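The RADIUS accounting data that NPS writes to local log files (see the RADIUS server item above) is also the first place to look for attacks on the authentication path. The script below is an added example, not part of the original documentation: it reads a log written in the DTS-compliant (XML) format and summarizes Access-Reject events per user and per RADIUS client, so repeated failures against one account or from one access server stand out. It assumes one `<Event>` element per line and the element names shown, which follow the DTS-compliant format as I know it; check them against your own log files. The sample lines are constructed.

```powershell
# Added example (not from the original documentation): summarize Access-Reject
# events from an NPS accounting log in the DTS-compliant (XML) format, grouped by
# user and RADIUS client. Assumptions: one <Event> per line; the element names
# used below (Timestamp, User-Name, Client-IP-Address, Packet-Type, Reason-Code)
# match your log; Packet-Type 3 is Access-Reject and Reason-Code 16 is a user
# credential mismatch. The sample lines are constructed, not from a real server.
$sampleLog = @'
<Event><Timestamp data_type="4">01/15/2009 08:00:01.000</Timestamp><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/15/2009 08:00:01.200</Timestamp><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Timestamp data_type="4">01/15/2009 08:05:10.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">192.0.2.20</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2009 08:05:12.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">192.0.2.20</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2009 08:05:14.000</Timestamp><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">192.0.2.20</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Get-NodeText {
    # NPS writes every element with a data_type attribute, so PowerShell exposes it
    # as an XmlElement; fall back to the raw value if an element has no attributes.
    param($Node)
    if ($null -eq $Node) { return '' }
    if ($Node -is [System.Xml.XmlElement]) { return $Node.InnerText }
    return [string]$Node
}

function Get-NpsRejectSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [int]$Threshold = 3
    )
    $rejects = @()
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*<Event>') { continue }
        try { $e = ([xml]$line).Event } catch { continue }   # skip truncated lines
        if ((Get-NodeText $e.'Packet-Type') -ne '3') { continue }
        $rejects += [pscustomobject]@{
            Time   = Get-NodeText $e.Timestamp
            User   = Get-NodeText $e.'User-Name'
            Client = Get-NodeText $e.'Client-IP-Address'
            Reason = Get-NodeText $e.'Reason-Code'
        }
    }
    $rejects | Group-Object -Property User, Client |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.Group[0].User
                Client  = $_.Group[0].Client
                Rejects = $_.Count
                First   = $_.Group[0].Time
                Last    = $_.Group[-1].Time
                Reasons = (($_.Group | ForEach-Object { $_.Reason }) | Sort-Object -Unique) -join ','
            }
        }
}

# Run against the constructed sample (reports CONTOSO\bob from 192.0.2.20 with 3
# rejects). For a real server, point -Lines at the default log folder instead:
#   Get-Content "$env:SystemRoot\System32\LogFiles\IN*.log"
Get-NpsRejectSummary -Lines ($sampleLog -split "`r?`n") -Threshold 3 | Format-Table -AutoSize
```

Grouping by client as well as by user separates a forgotten password (one user, many clients over time) from a guessing attempt against one access server, and the reason codes distinguish bad credentials from policy or EAP-method mismatches that need a configuration fix rather than an incident ticket.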
- Routing and Remote Access. With
Routing and Remote Access, you can deploy VPN and dial-up remote
access services and multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and
network address translation (NAT) routing services.
The following technologies can be deployed during the installation of the Routing and Remote Access role service:
- Remote Access Service. Using Routing
and Remote Access, you can deploy Point-to-Point Tunneling Protocol
(PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two
Tunneling Protocol (L2TP) with Internet Protocol security (IPsec)
VPN connections to provide end users with remote access to your
organization's network. You can also create a site-to-site VPN
connection between two servers at different locations. Each server
is configured with Routing and Remote Access to send private data
securely. The connection between the two servers can be persistent
(always on) or on-demand (demand-dial).
Remote Access also provides traditional dial-up remote access to support mobile users or home users who are dialing in to an organization's intranets. Dial-up equipment that is installed on the server running Routing and Remote Access answers incoming connection requests from dial-up networking clients. The remote access server answers the call, authenticates and authorizes the caller, and transfers data between the dial-up networking client and the organization intranet.
- Routing. Routing provides a
full-featured software router and an open platform for routing and
internetworking. It offers routing services to businesses in local
area network (LAN) and wide area network (WAN) environments.
When you deploy NAT, the server running Routing and Remote Access is configured to share an Internet connection with computers on the private network and to translate traffic between its public address and the private network. By using NAT, the computers on the private network gain some measure of protection because the router with NAT configured does not forward traffic from the Internet to the private network unless a private network client had requested it or unless the traffic is explicitly allowed.
When you deploy VPN and NAT, the server running Routing and Remote Access is configured to provide NAT for the private network and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same network.
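The following script is an added example and is not part of the original documentation. It uses the Netsh commands for remote access to audit the authentication methods a Routing and Remote Access server accepts for the VPN and dial-up connections described above, removes PAP, and confirms whether authentication and accounting are handed to NPS. It assumes it is run elevated on the RRAS server after the role has been configured, with the netsh ras syntax of Windows Server 2008.

```powershell
# Added example (not from the original documentation): audit the authentication
# methods a Routing and Remote Access server accepts and remove PAP, which carries
# the user password in clear text across the link. Assumptions: run elevated on
# the RRAS server; netsh ras syntax as in Windows Server 2008.
$enabled = netsh ras show authtype
$enabled

if (($enabled -join ' ') -match '\bPAP\b') {
    # Leave MS-CHAP v2 (mutual authentication, no clear-text password) and EAP
    # (certificates or PEAP) as the only accepted methods.
    netsh ras delete authtype type=PAP
}

# If authentication is meant to be centralized on NPS, the provider shown here
# should be RADIUS and the server lists should name the NPS server(s); a provider
# of Windows means this server is authorizing callers on its own.
netsh ras aaaa show authentication
netsh ras aaaa show authserver
netsh ras aaaa show accounting
```

Removing an authentication type on the server is only half of the picture: clients whose connection is still configured to offer PAP will fail after this change, so check the client-side VPN profiles in the same maintenance window.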
- Health Registration Authority (HRA).
HRA is a NAP component that issues health certificates to clients
that pass the health policy verification that is performed by NPS
using the client SoH. HRA is used only with the NAP IPsec
enforcement method.
- Host Credential Authorization Protocol
(HCAP). HCAP allows you to integrate your Microsoft NAP
solution with Cisco Network Access Control Server. When you deploy
HCAP with NPS and NAP, NPS can perform client health evaluation and
the authorization of Cisco 802.1X access clients.
Managing the Network Policy and Access Services server role
The following tools are provided to manage the Network Policy and Access Services server role:
- NPS MMC snap-in. Use the NPS MMC to
configure a RADIUS server, RADIUS proxy, or NAP technology.
- Netsh commands for NPS. The Netsh
commands for NPS provide a command set that is fully equivalent to
all configuration settings that are available through the NPS MMC
snap-in. Netsh commands can be run manually at the Netsh prompt or
in administrator scripts.
- HRA MMC snap-in. Use the HRA MMC to
designate the certification authority (CA) that HRA uses to obtain
health certificates for client computers and to define the NPS
server to which HRA sends client SoHs for verification against
health policy.
- Netsh commands for HRA. The Netsh
commands for HRA provide a command set that is fully equivalent to
all configuration settings that are available through the HRA MMC
snap-in. Netsh commands can be run manually at the Netsh prompt or
in administrator-authored scripts.
- NAP Client Management MMC snap-in. You
can use the NAP Client Management snap-in to configure security
settings and user interface settings on client computers that
support the NAP architecture.
- Netsh commands for configuring NAP client
settings. The Netsh commands for NAP client settings provide a
command set that is fully equivalent to all configuration settings
that are available through the NAP Client Management snap-in. Netsh
commands can be run manually at the Netsh prompt or in
administrator-authored scripts.
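The following script is an added example and is not part of the original documentation. It shows the NAP client settings described in the two items above being checked and set with the Netsh commands for NAP client settings. It assumes it is run elevated on the client and that enforcement client id 79623 is the EAP (802.1X) quarantine enforcement client, 79617 the DHCP one and 79619 the IPsec one; the NAP Agent service name is assumed to be `napagent`.

```powershell
# Added example (not from the original documentation): check and enable the NAP
# client on a workstation with netsh nap client. Assumptions: run elevated;
# enforcement client ids 79623 (EAP/802.1X), 79617 (DHCP) and 79619 (IPsec);
# the Network Access Protection Agent service is named napagent.

# Without the NAP Agent running, the client never sends a statement of health,
# so the health policy server cannot evaluate it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Current agent state and the administrative state of every enforcement client.
netsh nap client show state
# User interface text and trusted server groups (used by the IPsec/HRA method).
netsh nap client show configuration

# Group Policy NAP client settings override local ones; if this shows settings,
# the local command below is ignored and the change belongs in the GPO instead.
netsh nap client show grouppolicy

# Enable the enforcement client that matches the deployment (here 802.1X/EAP).
# Enable only the method in use: an enabled but unused enforcement client adds
# nothing to security and shows up as noise in health evaluation.
netsh nap client set enforcement id=79623 admin=enable
```

Run `netsh nap client show state` again after a network reconnect; the agent state should report the enforcement client as enabled and, once the health policy server has answered, whether the client is compliant or restricted.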
- Routing and Remote Access MMC snap-in.
Use this MMC snap-in to configure a VPN server, a dial-up
networking server, a router, NAT, VPN and NAT, or a VPN
site-to-site connection.
- Netsh commands for remote access. The
Netsh commands for remote access provide a command set that is
fully equivalent to all remote access configuration settings that
are available through the Routing and Remote Access MMC snap-in.
Netsh commands can be run manually at the Netsh prompt or in
administrator scripts.
- Netsh commands for routing. The Netsh
commands for routing provide a command set that is fully equivalent
to all routing configuration settings that are available through
the Routing and Remote Access MMC snap-in. Netsh commands can be
run manually at the Netsh prompt or in administrator scripts.
- Wireless Network (IEEE 802.11) Policies -
Group Policy Management Console (GPMC). The Wireless Network
(IEEE 802.11) Policies extension automates the configuration of
wireless network settings on computers with wireless network
adapter drivers that support the Wireless LAN Autoconfiguration
Service (WLAN Autoconfig Service). You can use the Wireless Network
(IEEE 802.11) Policies extension in the Group Policy Management
Console to specify configuration settings for either or both
Windows XP and Windows Vista wireless clients. Wireless
Network (IEEE 802.11) Policies Group Policy extensions include
global wireless settings, the list of preferred networks, Wi-Fi
Protected Access (WPA) settings, and IEEE 802.1X settings.
When configured, the settings are downloaded to Windows wireless clients that are members of the domain. The wireless settings configured by this policy are part of the Computer Configuration Group Policy. By default, Wireless Network (IEEE 802.11) Policies are not configured or enabled.
- Netsh commands for wireless local area
network (WLAN). Netsh WLAN is an alternative to using Group
Policy to configure Windows Vista wireless connectivity and
security settings. You can use the Netsh wlan commands to configure
the local computer, or to configure multiple computers using a
logon script. You can also use the Netsh wlan commands to view
wireless Group Policy settings and administer Wireless Internet
Service Provider (WISP) and user wireless settings.
The wireless Netsh interface has the following benefits:
- Mixed mode support: Allows administrators to
configure clients to support multiple security options. For
example, a client can be configured to support both the WPA2 and
the WPA authentication standards. This allows the client to use
WPA2 to connect to networks that support WPA2 and use WPA to
connect to networks that only support WPA.
- Block undesirable networks: Administrators
can block and hide access to non-corporate wireless networks by
adding networks or network types to the list of denied networks.
Similarly, administrators can allow access to corporate wireless
networks.
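The following script is an added example and is not part of the original documentation. It applies the "block undesirable networks" benefit above with the Netsh commands for WLAN: ad hoc networks are denied outright, named non-corporate networks are blocked and hidden, the corporate network is explicitly allowed, and the corporate profile is exported and checked for WPA2 with AES and 802.1X. It assumes it is run elevated on a Windows Vista client; the SSIDs are placeholders.

```powershell
# Added example (not from the original documentation): apply wireless network
# filters with netsh wlan and verify the corporate profile's security settings.
# Assumptions: run elevated on a Windows Vista client; SSIDs are placeholders.
$corporateSsid = 'CorpWLAN'                      # placeholder
$blockedSsids  = @('FreeWiFi', 'Guest-Open')     # placeholders

# Ad hoc networks are never corporate; deny them all.
netsh wlan add filter permission=denyall networktype=adhoc

# Deny the named non-corporate infrastructure networks ...
foreach ($ssid in $blockedSsids) {
    netsh wlan add filter permission=block ssid="$ssid" networktype=infrastructure
}
# ... explicitly allow the corporate network, and hide blocked ones from the UI.
netsh wlan add filter permission=allow ssid="$corporateSsid" networktype=infrastructure
netsh wlan set blockednetworks display=hide
# Stricter variant: deny every infrastructure network except the allow list.
# netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan show filters

# Verify that the corporate profile uses WPA2 with AES and 802.1X, i.e. that a
# "mixed mode" client is not silently falling back to something weaker here.
$dir = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh wlan export profile name="$corporateSsid" folder="$dir"
$file = Get-ChildItem -Path $dir -Filter "*$corporateSsid*.xml" | Select-Object -First 1
if ($file) {
    [xml]$profile = Get-Content -Path $file.FullName
    $ae = $profile.WLANProfile.MSM.security.authEncryption
    "{0}: authentication={1} encryption={2} useOneX={3}" -f $corporateSsid, $ae.authentication, $ae.encryption, $ae.useOneX
}
```

The export deliberately omits `key=clear`, so no pre-shared key can end up in the temp folder; a WPA2-Enterprise profile has no key material in the file at all, only the 802.1X and EAP settings.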
- Wired Network (IEEE 802.3) Policies -
Group Policy Management Console (GPMC). You can use the Wired
Network (IEEE 802.3) Policies to specify and modify configuration
settings for Windows Vista clients that are equipped with
network adapters and drivers that support Wired AutoConfig Service.
Wired Network (IEEE 802.3) Policies Group Policy extensions
include global wired and IEEE 802.1X settings. These settings
include the entire set of wired configuration items associated with
the General tab and the Security tab.
When configured, the settings are downloaded to Windows wired clients that are members of the domain. The wired settings configured by this policy are part of the Computer Configuration Group Policy. By default, Wired Network (IEEE 802.3) Policies are not configured or enabled.
- Netsh commands for wired local area
network (LAN). The Netsh LAN interface is an alternative to
using Group Policy in Windows Server 2008 to configure
Windows Vista wired connectivity and security settings. You
can use the Netsh LAN command line to configure the local computer,
or use the commands in logon scripts to configure multiple
computers. You can also use the Netsh lan commands to view Wired
Network (IEEE 802.3) Policies and to administer client wired 802.1X
settings.
Additional Resources
To learn more about Network Policy and Access Services, open one of the following MMC snap-ins and then press F1 to display the Help:
- NPS MMC snap-in
- Routing and Remote Access MMC snap-in
- HRA MMC snap-in