Nps windows что это

Для работы проектов iXBT.com нужны файлы cookie и сервисы аналитики.
Продолжая посещать сайты проектов вы соглашаетесь с нашей
Политикой в отношении файлов cookie

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A Network Policy Server (NPS) allows network administrators to create and enforce policies for network access, ensuring that only authorized users and devices can access network resources. This versatile tool plays a key role in centralized authentication, authorization, and accounting for users and devices that connect to a network.

Essentially, NPS is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in the Windows Server operating systems. It is a crucial component in network management and security.

To better understand NPS, we’ll first take a look at what RADIUS servers are, then explore the purpose of NPS, its benefits, its role in networking, and best practices for managing an NPS.

What is the importance of network security and policy management?

With the increasing reliance on technology and the internet for business operations, data exchange, and communication, networks and servers have become primary targets for cyberthreats. This elevated risk landscape underscores the necessity of robust network security and meticulous policy management.

Here are the key reasons why network security and policy management are important:

• Protection against cyberthreats: The foremost importance of network security is the protection it offers against a variety of cyberthreats, such as malware, ransomware, phishing attacks, and unauthorized access. Effective security measures prevent attackers from breaching network systems, safeguarding sensitive data and the overall integrity of the network.
• Data privacy and compliance: Adhering to regulatory standards and protecting personal and sensitive information is crucial. Network security and policy management ensure compliance with laws and regulations, such as GDPR, HIPAA, and others, thereby avoiding legal ramifications and maintaining customer trust.
• Business continuity: Cyberattacks can cause significant downtime, leading to loss of productivity and revenue. A secure and well-managed network minimizes the risk of disruptions, ensuring that business operations can continue unhindered.
• Policy management as a framework: Effective policy management sets a clear framework for how network security is handled within an organization. It defines the protocols for access control, user authentication, data handling, and response to security incidents. This structured approach ensures consistency, efficiency, and adaptability in responding to evolving security threats.
• Adaptability to changing threats: The cyberthreat landscape is constantly evolving, with new vulnerabilities emerging regularly. A robust network security strategy, underpinned by dynamic policy management, allows organizations to adapt quickly to these changes, implementing necessary updates and defenses to stay ahead of potential threats.

What is the RADIUS protocol?

The RADIUS protocol is a networking protocol that provides comprehensive and centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

Since its inception in 1991, RADIUS has become a standard for network access servers responsible for connecting users to networks, playing a pivotal role in managing network access control.

Authentication

The first A in AAA refers to Authentication, or the process of verifying a user’s identity. When a user attempts to access a network, they must provide credentials, such as a username and password.

The RADIUS server checks these credentials against its database to confirm the user’s identity. This process ensures that only legitimate users can access the network.

Authorization

Once a user is authenticated, the next step is Authorization. This process determines what an authenticated user is permitted to do on the network.

For example, an administrator may have different access rights compared to a standard user. RADIUS servers manage these permissions, ensuring users can only access resources appropriate to their authorization level.

Accounting

The final A stands for Accounting, which involves tracking the usage of network resources by users. This includes monitoring the amount of time users are connected, the services they access, and the data they transfer. This information is crucial for billing, auditing, and understanding network usage patterns.

What do RADIUS servers do?

RADIUS operates in a client-server model. The RADIUS client, usually a network access server like a VPN or wireless access point, sends user credentials and connection requests to the RADIUS server.

The server then processes these requests against its user database and policies to authenticate and authorize the user. Post-authentication, it sends a response back to the client, either granting or denying access.

Some of the main features of RADIUS servers are:

• Scalability: RADIUS can handle a large number of authentication requests, making it suitable for both small and large networks.
• Flexibility: It supports various authentication methods, including password-based, token-based, and certificate-based authentication.
• Interoperability: RADIUS is widely supported and can be integrated with a variety of network devices and servers.
• Security: The protocol includes methods for encrypting data, such as passwords, during transmission, reducing the risk of interception by unauthorized parties.

What is the purpose of NPS?

An NPS serves as a critical element within the network infrastructure of many organizations, primarily functioning as Microsoft’s implementation of a RADIUS server and proxy. The overarching purpose of NPS is to centralize and streamline the authentication, authorization, and accounting (AAA) of users and devices accessing a network, thereby enhancing security and management efficiency.

Centralized authentication and authorization

Centralized authentication ensures that all users and devices are verified before gaining access to network resources, enhancing security. Authorization, on the other hand, defines what resources authenticated entities are permitted to use.

Below are how an NPS server manages these crucial functions to maintain a secure and efficient network environment.

• User authentication: NPS authenticates users and devices attempting to connect to the network, ensuring that only those with valid credentials can gain access. This authentication process is crucial for securing network access points, such as VPNs, wireless networks, and dial-up connections.
• Authorization management: Once authenticated, NPS determines what resources the user or device is allowed to access based on predefined policies. This role is vital for enforcing security protocols and ensuring users can only reach areas of the network appropriate for their role and clearance.

Accounting and compliance

Accounting involves tracking and logging user activities and resource usage within the network, which is pivotal for auditing and monitoring purposes. The following list discusses how NPS aids in ensuring compliance with various regulatory standards, a critical factor for businesses in today’s data-sensitive world.

• Monitoring network usage: NPS tracks the activities of authenticated users on the network, logging details such as the duration of their connections, the services they use, and the data they transfer. This accounting feature is essential for auditing purposes, ensuring compliance with regulatory standards, and understanding network usage patterns.
• Compliance enforcement: By providing detailed records of network access and usage, NPS assists organizations in meeting various regulatory requirements, essential for businesses handling sensitive data.

Policy-based network management

Policy-based network management allows administrators to create and enforce specific network access policies, tailoring network security and usage according to organizational needs. Here is how NPS facilitates the creation of these policies and how they impact network security, user access, and overall network management:

• Network policies: NPS allows administrators to define and implement network policies that control access to network resources. These policies can be tailored to meet specific security needs and organizational protocols, providing a flexible yet secure network environment.
• Condition-based access control: NPS enables the creation of conditions for network access, such as time-of-day restrictions, group membership requirements, or the health of a device (in the context of Network Access Protection, or NAP).

Benefits of using NPS

The implementation of NPS in a network infrastructure offers a range of benefits that enhance both security and operational efficiency. These advantages make NPS a valuable asset for organizations looking to optimize their network management practices.

• Robust authentication and authorization: NPS strengthens network security by ensuring robust authentication and authorization of users and devices. This reduces the risk of unauthorized access and potential security breaches.
• Consistent policy enforcement: With NPS, network policies are applied uniformly across all access points. This consistent enforcement of security policies helps maintain a high-security standard throughout the network.
• Fine-grained access management: NPS enables administrators to define detailed access policies, granting appropriate access levels to different user groups. This granularity ensures that users have access only to the resources necessary for their roles.
• Dynamic response to security threats: NPS can be configured to respond to security incidents dynamically, such as temporarily increasing security measures during a detected threat.
• Adapts to organizational growth: NPS is scalable and can handle an increasing number of authentication requests as an organization grows. This scalability ensures that the network can expand without compromising on security or performance.
• Support for a variety of network types: NPS is versatile and supports various network types and access methods, including VPNs, wireless, and dial-up networks, making it a flexible solution for diverse network environments.
• Centralized management: By centralizing the management of network policies and access controls, NPS simplifies administrative tasks, saving time and reducing the likelihood of errors.
• Integration with existing systems: NPS integrates well with other Microsoft products and services, such as Active Directory, providing a seamless management experience.
• Detailed logging and reporting: NPS maintains comprehensive logs of network access and activities, which are invaluable for auditing purposes and to ensure regulatory compliance.
• Supports compliance requirements: The detailed accounting and reporting capabilities of NPS assist organizations in meeting various data privacy and security standards such as GDPR, HIPAA, and PCI DSS.

The 3 roles of NPS

NPS fulfills three key roles in managing network access and policies. Each role represents a distinct functionality that contributes to the comprehensive network management capabilities of NPS.

1. NPS as a RADIUS server

NPS processes authentication and authorization requests for network access. When a user or device attempts to connect to the network, NPS verifies their credentials and determines their access level based on predefined policies.

Additionally, NPS can work with a variety of network access servers, such as VPN servers, wireless access points, and dial-up servers, making it a versatile solution for different network types. It is also pivotal in enhancing network security by centralizing and streamlining the authentication process, thus efficiently managing user access across the network.

2. NPS as a RADIUS proxy

When functioning as a RADIUS proxy, NPS forwards authentication and configuration requests to other RADIUS servers in the network. This is particularly useful in complex or distributed network environments. Also, it can provide load balancing by distributing requests among multiple RADIUS servers and ensure continuity through failover mechanisms in case of server unavailability.

This role enables NPS to handle requests across different networks or sub-networks, facilitating seamless cross-network authentication and management.

3. NPS as a network policy server

NPS primarily manages and enforces network policies. It defines the conditions under which users and devices are granted or denied network access. It also allows the creation of policies based on various conditions like time of day, group membership, or the health status of a device, providing a high degree of control over network access.

In this role, NPS can also integrate with NAP to enforce device health policies, ensuring that only compliant and healthy devices can access or communicate on the network.

NPS best practices

Using NPS effectively requires adherence to certain network and server management best practices. These practices ensure that NPS operates efficiently, securely, and in alignment with the organization’s network management goals. Here are some recommendations from Microsoft:

Картинка с сайта: www.serverwatch.com

Below are some additional best practices to consider when deploying and managing an NPS.

1. Regular policy review and update: Regularly review and update NPS policies to ensure they align with the latest organizational requirements and security standards. Modify policies in response to changes in network infrastructure or security landscape.
2. Secure configuration and maintenance: Use strong authentication methods, like multi-factor authentication (MFA), to enhance security. Keep NPS and related network software up-to-date to protect against vulnerabilities and exploits.
3. Scalable and redundant setup: Design the NPS deployment with scalability in mind to handle increasing loads and future network expansion. Implement redundancy and failover mechanisms to ensure NPS availability even during server or network outages.
4. Efficient network policy design: Create clear, concise, and understandable policies to avoid confusion and ensure they are enforced as intended. Apply the principle of least privilege in policy design, granting users only the access necessary for their roles.
5. Monitoring and auditing: Actively monitor NPS performance and access logs to quickly identify and respond to unusual activities or potential security breaches. Maintain comprehensive audit trails for compliance purposes and to analyze historical access and usage patterns.
6. Integration with other systems: Integrate NPS with Active Directory for streamlined user authentication and management. Ensure compatibility and integration with other systems and services used within the network.
7. User education and support: Educate users about network policies and the importance of adhering to security protocols. Provide clear support channels for users to report issues or seek assistance related to network access.
8. Documenting procedures and policies: Maintain detailed documentation of NPS configurations, policies, and procedures for reference and training purposes. Document any changes made to the NPS setup or policies, including the rationale and impact of these changes.

Bottom line: The integral role of NPS in modern network management

NPS has emerged as an indispensable network and server tool offering a robust and flexible solution for ensuring secure and efficient network operations. The integration of NPS within an organization’s network infrastructure not only enhances security by enforcing rigorous access policies but also simplifies administrative tasks, leading to a more efficient management of network resources.

By adhering to best practices in deploying and managing NPS, organizations can significantly mitigate risks associated with network security and ensure a seamless operational flow.

Improve your NPS functionality and performance with one of the best free RADIUS server testing and monitoring tools, selected and reviewed by our experts.

Sam Ingalls contributed to this article.

Featured Partners: Network Monitoring Software

ManageEngine Log360

Картинка с сайта: www.serverwatch.com

Visit website

Log360 is a SIEM solution that helps combat threats on premises, in the cloud, or in a hybrid environment. It also helps organizations adhere to several compliance mandates. You can customize the solution to cater to your unique use cases. It offers real-time log collection, analysis, correlation, alerting and archiving abilities. You can monitor activities that occur in your Active Directory, network devices, employee workstations, file servers, Microsoft 365 and more. Try free for 30 days!

Learn more about ManageEngine Log360

In an era dominated by cloud-centric solutions, Microsoft NPS sets out as an on-premise network security tool for Windows Server. Its primary goal is centralizing network regulations, user identities, and authorization protocols. As organizations increasingly use cloud computing, integrating Microsoft NPS with Azure services like Azure AD Connect and Azure AD Sync becomes critical. The NPS extension is essential for extending on-premises NPS infrastructure into the Azure cloud, resulting in a unified ecosystem for safe access control.

Microsoft NPS, as defined, is a policy server that enforces access control based on user accounts identification, device characteristics, and connection settings. It is important for network security because it helps keep privacy policies uniform.

A strong network security posture is bolstered by the seamless authentication and authorization procedures ensured by the interconnection of Azure AD Connect, NPS extension, Microsoft NPS, and Azure AD Sync. However, recognizing several challenges with integrating NPS and Azure AD is important. This article will explore these issues, offering advice and solutions for a smooth deployment.

What Is NPS?

The origins of Network Policy Server (NPS) may be traced back to Microsoft’s dedication to delivering strong and secure networking solutions inside the Windows Server environment. The origins of NPS may be traced back to older versions of the Windows Server operating system when the necessity for a centralized system to control network policy became obvious. Microsoft recognized the need to reduce authentication and authorization operations to improve network security and efficiency.
Organizations that used Active Directory for 802.1X authentication often used NPS concurrently. It is commonly accomplished using EAP methods, such as PEAP-MSCHAPv2 or EAP-TLS, because they can be configured using server certificates. NPS was originally intended to integrate AD with network add-ons, such as VPN, much easier.

How NPS Safeguard Networks?

Centralized authentication guarantees that all users and devices are validated before access to network resources, increasing security. Conversely, authorization establishes the resources that authenticated entities are allowed to utilize.

These are the key tasks that an NPS server oversees to keep a safe and effective network environment.
Users Authentication: NPS ensures that only those with legitimate credentials may access the network by authenticating users and devices making connection attempts. Secure network access points, including dial-up connections, wireless networks, and VPNs, depend on this authentication procedure.

Authorization Management: Following authentication, NPS applies preset policies to decide which resources the users or devices may access. Enforcing safety protocols and guaranteeing that users may only access network locations that correspond to their function and clearance are made possible by this role.

Transitioning to Cloud-Centric Azure AD (Azure Active Directory)

When adopting a cloud-centric identity and access management system, organizations frequently struggle to integrate cloud-based solutions like Azure AD with on-premises components like Microsoft Network Policy Server (NPS). The fundamental incompatibility results from the difficulty of NPS, built on an on-premises 802.1X security approach, integrating with Azure AD’s cloud-based architecture. Many companies use NPS extensions for Azure Multi-Factor Authentication (MFA) after realizing the necessity for a connecting link.

This road is not without complications, though. There are peculiarities in the integration process that need to be carefully considered. Managing the interplay between cloud-centric setup and on-premises components is the problem. A successful transition requires finding the ideal mix between adopting a cloud-first infrastructure and setting up an on-premise, self-managed RADIUS server like Microsoft NPS.

This is how on-premises NPS with cloud-facing architecture looks like –

Картинка с сайта: www.securew2.com

The Challenges With NPS

NPS’s main issue is that it is generally an on-premises RADIUS solution. Organizations that want to manage cloud-based resources undoubtedly need additional network add-ons and a reliable IT department with some spare time. Organizations face This significant issue when they want to move their AD to the cloud and use Azure while still supporting 802.1x. This doesn’t even mention the extreme cost of building physical servers. The Service that organizations need to pay with on-premise servers include, but are not limited to:

⦁ Software acquisition
⦁ Licensing fees
⦁ Scalability for users’ growth
⦁ Hardware infrastructure
⦁ Creation and management of group policies
⦁ Certificate Revocation Lists administration
⦁ Certificate lifecycle management
⦁ Personnel training

Spending hundreds and thousands of dollars for an on-prem NPS server is not out of the question.
To operate NPS in a cloud environment, you must use it as a RADIUS proxy and combine it with a cloud-based RADIUS solution. A user would first send their authentication to the Cloud RADIUS, and then the request would be forwarded to NPS for final authentication. This is an inefficient solution because it requires unnecessary steps for the same level of authentication.
Another issue with NPS is that Microsoft’s products tend to integrate smoothly with other Microsoft products. NPS isn’t your solution if your environment has devices with several operating systems.

Картинка с сайта: www.securew2.com

Challenges and Drawbacks of On-premise Setups

The main issue with Microsoft Network Policy Server (NPS) is that it is an on-premises solution, which might cause problems for businesses moving to the cloud. This change necessitates more network expansions and a skilled IT staff and presents challenges for moving Active Directory to the cloud while maintaining 802.1x compliance. The difficulty is compounded by the financial expense of setting up a physical server, including hardware infrastructure charges, software licensing, software procurement, and scalability issues. Ongoing tasks, including staff training, certificate lifecycle management, group policy formulation, and administration of Certificate Revocation Lists, also increase the complexity of on-premises NPS.

A RADIUS proxy must be set up to operate NPS in a cloud environment. This causes inefficiencies since user authentication must go via Cloud RADIUS before it can be finalized and reach NPS. This complicated procedure adds pointless steps and reduces authentication efficiency. Furthermore, the substantial expenses linked to setting up and managing NPS servers on-site cast doubt on the viability of such expenditures. The inability of NPS to integrate seamlessly with various environments—particularly those with devices that run various operating systems—highlights the necessity for organizations to look into other options.

Vulnerabilities Associated With NPS and Azure AD Integration

Integrating cloud services like Azure Active Directory (Azure AD) with an on-premises environment poses security problems due to the fundamental differences in authentication methods and architecture. Azure AD’s cloud-based architecture and Microsoft Network Policy Server (NPS), initially intended for on-premise implementation, are incompatible.

Attempting authorization and authentication across two different systems might lead to a potentially fragmented security environment, like having several sets of keys to open a vault. The necessity for safe data transmission between on-premises AD and cloud-based systems, protocol incompatibilities, and attribute mapping problems are common problems.

Businesses frequently use complex infrastructure solutions to overcome these obstacles and bridge the gap between cloud-based and on-premises systems. Specific technologies and protocols must be implemented to provide dependable data flow between NPS and Azure AD.

Furthermore, to adjust to the changing nature of cloud environments, organizations must always be alert in implementing updated security measures. Organizations that rely only on traditional on-premises AD technology run the risk of experiencing new security vulnerabilities. A strong security posture in today’s hybrid IT environments requires a proactive security strategy and a thorough grasp of the challenges of combining on-premise and cloud-based systems.

Azure NPS Extension and Azure AD Integrations

Role of NPS Extension in the Transition

NPS extensions are critical for organizations transitioning from the on-premise world of Microsoft Network Policy Server (NPS) to the cloud-based world of Azure Active Directory (Azure AD). These extensions are essential add-ons that improve compatibility, bridge the gap between NPS and Azure AD, and enable NPS to interact with Azure AD easily according to various regulations.

Картинка с сайта: www.securew2.com

Technical Challenges in Integration

The technological complexities of combining Azure Active Directory (Azure AD) with NPS extensions provide complicated hurdles beyond surface-level understanding. Given that NPS is dependent on Active Directory and cannot communicate directly with Azure AD, it is important to comprehend thoroughly how compatible NPS and Azure AD are. Common concerns include handling complex rule sets inside NPS, guaranteeing connectivity across various devices, and resolving device identification issues. You’ll need technical know-how, proactive monitoring, and preventative measures to navigate these obstacles properly.

Limitations of NPS Extensions

NPS extensions have disadvantages even though they aim to make the transition easier. Authentication failures can cause user accounts access issues, resulting in delays and possibly compatibility concerns. Specific difficulties include problems with RADIUS attribute flow, which necessitate extra scripts and administrative work. Text-based MFA-based authentication techniques could have problems, and allowing multiple MFA techniques might put networks at risk for security flaws like MITM attacks. It becomes essential for administrators navigating the integration process to weigh the advantages of NPS enhancements against these restrictions.

Картинка с сайта: www.securew2.com

SecureW2’s Cloud RADIUS Solution for Seamless Transition

Картинка с сайта: www.securew2.com

There are several obstacles to overcome when moving from on-premises infrastructure to the cloud, especially when integrating Microsoft Network Policy Server (NPS) with Azure Active Directory (Azure AD). A grasp of compatibility issues and the fine balance between security and ease are essential to navigating the complexity between legacy infrastructure and cloud-centric solutions.

In the face of these difficulties, SecureW2’s Cloud RADIUS is a reliable solution for businesses negotiating this complex environment. SecureW2’s Cloud RADIUS solves the security and compatibility issues related to integrating NPS and Azure AD by providing a complete and safe solution. Its increased security features and ability to seamlessly bridge on-premise and cloud-based systems are invaluable for facilitating a safe and seamless transfer.

SecureW2’s Azure RADIUS Solution replaces NPS for Azure AD by easily transferring AD infrastructure to the cloud. CloudRADIUS offers easy-to-use certificate onboarding and integrates with AD CS to supply server and client certificates. JoinNow onboarding software and a turnkey PKI solution are included in SecureW2’s toolset, which streamlines certificate deployment. JoinNow enables users to easily configure certificates on any device, eliminating IT support issues.

Contact us to explore how SecureW2 can empower your organization’s journey to cloud-based identity management.

При обслуживании больших сетей системные администраторы часто сталкиваются с проблемами аутентификации на сетевом оборудовании. В частности, довольно сложно организовать нормальную работу нескольких сетевых администраторов под индивидуальными учетными записями на большом количестве оборудования (приходится вести и поддерживать в актуальном состоянии базу локальных учетных записей на каждом устройстве). Логичным решение было бы использовать для авторизации уже существующей базы учетных записей — Active Directory. В этой статье мы разберемся, как настроить доменную (Active Directory) аутентификацию на активном сетевом оборудовании (коммутаторы, маршрутизаторы).

Не все сетевое оборудование популярных вендоров (CISCO, HP, Huawei) поддерживает функционал для непосредственного обращения к каталогу LDAP, и такое решение не будет универсальным. Для решения нашей задачи подойдет протокол AAA (Authentication Authorization and Accounting), фактически ставший стандартом де-факто для сетевого оборудования. Клиент AAA (сетевое устройство) отправляет данные авторизующегося пользователя на сервер RADIUS и на основе его ответа принимает решение о предоставлении / отказе доступа.

Протокол Remote Authentication Dial In User Service (RADIUS) в Windows Server 2012 R2 включен в роль NPS (Network Policy Server). В первой части статьи мы установим и настроим роль Network Policy Server, а во второй покажем типовые конфигурации сетевого устройств с поддержкой RADUIS на примере коммутаторов HP Procurve и оборудования Cisco.

Установка и настройка сервера с ролью Network Policy Server

Как правило, сервер с ролью NPS рекомендуется устанавливать на выделенном сервере (не рекомендуется размещать эту роль на контроллере домена). В данном примере роль NPS мы будем устанавливать на сервере с Windows Server 2012 R2.

Откройте консоль Server Manager и установите роль Network Policy Server (находится в разделе Network Policy and Access Services).

Картинка с сайта: winitpro.ru

После окончания установки запустите mmc-консоль управления Network Policy Server. Нас интересуют три следующих раздела консоли:

1. RADIUS Clients — содержит список устройств, которые могут аутентифицироваться на сервере
2. Connection Request Policies – определяет типы устройств, которые могут аутентифицироваться
3. Network Polices – правила аутентификации

Картинка с сайта: winitpro.ru

Добавим нового клиента RADIUS (это будет коммутатор HP ProCurve Switch 5400zl), щелкнув ПКМ по разделу RADIUS Clients и выбрав New. Укажем:

• Friendly Name:sw-HP-5400-1
• Address (IP or DNS): 10.10.10.2
• Shared secret (пароль/секретный ключ): пароль можно указать вручную (он должен быть достаточно сложным), либо сгенерировать с помощью специальной кнопки (сгенерированный пароль необходимо скопировать, т.к. в дальнейшем его придется указать на сетевом устройстве).

Отключим стандартную политику (Use Windows authentication for all users) в разделе Connection Request Policies, щелкнув по ней ПКМ и выбрав Disable.

Создадим новую политику с именем Network-Switches-AAA и нажимаем далее. В разделе Сondition создадим новое условие. Ищем раздел RADIUS Client Properites и выбираем Client Friendly Name.

Картинка с сайта: winitpro.ru

В качестве значения укажем sw-?. Т.е. условие будет применяться для всех клиентов RADIUS, начинающийся с символов :”sw-“. Жмем Next->Next-> Next, соглашаясь со всеми стандартными настройками.

Далее в разделе Network Policies создадим новую политику аутентификации. Укажите ее имя, например Network Switch Auth Policy for Network Admins. Создадим два условия: в первом условии Windows Groups, укажем доменную группу, члены которой могут аутентифицироваться (учетные записи сетевых администраторов в нашем примере включены в группу AD Network Admins) Второе условие Authentication Type, выбрав в качестве протокола аутентификации PAP.

Картинка с сайта: winitpro.ru

Далее в окне Configure Authentication Methods снимаем галки со всех типов аутентификации, кроме Unencrypted authentication (PAP. SPAP).

В окне Configure Settings изменим значение атрибута Service-Type на Administrative.

Картинка с сайта: winitpro.ru

В остальных случаях соглашаемся со стандартными настройками и завершаем работу с мастером.

И, напоследок, переместим новую политику на первое место в списке политик.

Картинка с сайта: winitpro.ru

Настройка сетевого оборудования для работы с сервером RADUIS

Осталось настроить наше сетевое оборудование для работы с сервером Radius. Подключимся к нашему коммутатору HP ProCurve Switch 5400 и внесем следующе изменение в его конфигурацию (измените ip адрес сервера Raduis и пароль на свои).

aaa authentication console enable radius local

aaa authentication telnet login radius local

 aaa authentication telnet enable radius local

aaa authentication ssh login radius local

aaa authentication ssh enable radius local

aaa authentication login privilege-mode

radius-server key YOUR-SECRET-KEY

radius-server host 10.10.10.44 YOUR-SECRET-KEY auth-port 1645 acct-port 1646

radius-server host 10.10.10.44 auth-port 1645

radius-server host 10.10.10.44 acct-port 1646

aaa authentication telnet login radius local

aaa authentication telnet enable radius local

Не закрывая консольное окно коммутатора (это важно!, иначе, если что-то пойдет не так, вы более не сможете подключиться к своему коммутатору), откройте вторую telnet-сессию. Должно появиться новое окно авторизации, в котором будет предложено указать имя и пароль учетной записи. Попробуйте указать данные своей учетной записи в AD (она должна входить в группу Network Admins ). Если подключение установлено – вы все сделали правильно!

Картинка с сайта: winitpro.ru

Для коммутатора Cisco конфигурация, предполагающая использование доменных учетных записей для аутентификации и авторизации, может выглядеть так:

Примечание. В зависимости от модели сетевого оборудования Cisco и версии IOS конфигурация может несколько отличаться.

aaa new-model
radius-server host 10.10.10.44 auth-port 1645 acct-port 1646 key YOUR-SECRET-KEY
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface Vlan421
line con 0
line vty 0 4
line vty 5 15

Примечание. В такой конфигурации для аутентификации сначала используется сервер RADIUS, а если он не доступен – локальная учетная запись.

Для Cisco ASA конфигурация будет выглядеть так:

aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.10.10.44 key YOUR-SECRET-KEY
radius-common-pw YOUR-SECRET-KEY
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

Хотя я был знаком со всеми понятиями и терминами касаемо технологий защиты доступа к сети (Microsoft Network Access Protection (NAP)) и Cisco NAC, я решил рассмотреть новый Windows Server 2008 Network Policy Server, потому что он не связан с этими двумя технологиями. Меня заинтересовала в Windows 2008 Network Policy Server (NPS) возможность использования RADIUS на системах Windows 2008 System. Если говорить точнее, я хотел использовать Windows 2008 Server с тем, чтобы аутентифицировать ПК, использующие 802.1x, и пользователей, входящих в такие устройства сети, как маршрутизаторы Cisco.

Обычно, если я хотел выполнить одну из этих задач в Windows 2000 или 2003 Server, я использовал службу Интернет аутентификации (Internet Authentication Service) (IAS). В прошлом, WindowsNetworking.com предложил несколько статей по использованию IAS. Например, Беспроводные сети в Windows 2003 и Настройка Windows 2000 RADIUS для аутентификации беспроводных 802.1x клиентов. Однако в Windows Server 2008, вы быстро обнаружите, что IAS была заменена на Network Policy Server (NPS).

Так что же такое NPS и как он может помочь мне?

Что такое Windows Server 2008 Network Policy Server?

NPS – это не просто замена для IAS, он делает то же что и IAS, и гораздо больше. Хотя многие из нас будут делать то же, что делали с IAS в Windows 2003, когда установят NPS, но все же с NPS перед нами открываются абсолютно новые функциональные возможности.

Вот те же функции NPS, которыми обладала IAS:

• Маршрутизация LAN и WAN трафика.
• Открытие доступа через ВЧС и dial-up соединения.
• Создание и внедрение доступа к сети через ВЧС или dial-up соединения.

Например, NPS может обеспечить следующие функции:

• Службы ВЧС (VPN Services)
• Службы Dial-up
• 802.11 защищенный доступ
• Маршрутизация & Удаленный доступ (Remote Access (RRAS))
• Предлагает аутентификацию через активную директорию (Windows Active Directory)
• Управление доступом к сети с помощью политик

NPS обладает новыми функциями, связанными с Защитой Доступа к Сети (Network Access Protection (NAP)). Например, System Health Validators, Remediation Server Groups, Health Polices, и т.д.

Как установить NPS?

NPS является компонентом Windows 2008 Server. Это означает, что вы устанавливаете его путем добавления компонента, как показано на рисунке 1:

Картинка с сайта: www.cyberguru.ru

Рисунок 1: Добавление NPS компонента

Затем выбираете политику сети и сервисы доступа (Network Policy and Access Services):

Картинка с сайта: www.cyberguru.ru

Рисунок 2: Выбор роли NPS

У вас появится окно с полным обзором информации о NPS, как на рисунке 3:

Картинка с сайта: www.cyberguru.ru

Рисунок 3: Информационное окно NPS

Теперь выбираем сервисы для этой роли, которые мы хотим установить. Обратите внимание, что если вы захотите установить протоколы Health Registration Authority или Host Credential Authorization, вам будет предложено установить больше ролей для вашего сервера (например, IIS веб-сервер). Оба этих сервиса связаны либо с Microsoft NAP, либо с Cisco NAC.

Продвигаясь дальше по этому списку, сервис Network Policy Service представляет собой RADIUS сервер, который встречался в IAS. Сервисы RRAS – это вторая часть, которая традиционно была включена в IAS. Когда эти элементы отсутствуют, вы можете избирательно устанавливать выбранные компоненты.

Картинка с сайта: www.cyberguru.ru

Рисунок 4: Выбор установочных опций NPS

После того как вы определились с выбором и нажали Далее, у вас появится последнее окно подтверждения, где нужно нажать Установить.

Картинка с сайта: www.cyberguru.ru

Рисунок 5: Окно подтверждения установки NPS

По окончании установки должно появиться окно, как показано на рисунке 6:

Картинка с сайта: www.cyberguru.ru

Рисунок 6: Установка NPS завершена

Теперь давайте рассмотрим то, как управлять новым Network Policy Server’

Как управлять NPS?

Если вы хотите использовать традиционные функции IAS, самый простой способ управления службами вашего нового сервера NPS заключается в использовании Windows 2008 Server Manager. В Server Manager вы найдете пункт роли (Roles), а в этом пункте вы найдете Network Policy and Access Services, как показано на рисунке 7:

Картинка с сайта: www.cyberguru.ru

Рисунок 7: Сервисы NPS в Server Manager

Как вы видите, есть три сервиса, ассоциируемых с NPS, сервер политики сети (network policy server (с названием IAS)), менеджер соединений удаленного доступа (remote access connection manager (RasMan)) и служба маршрутизации и удаленного доступа (routing and remote access service (RemoteAccess)). Тем, кто использует IAS, эти названия покажутся знакомыми.

Для конфигурирования и управления отдельными службами Network Policy Server (NPS) в Windows 2008 Server есть новый административный инструмент под названием Network Policy Server.

Рисунок 8: Запуск инструмента управления NPS

Когда он загружен, он выглядит примерно так:

Картинка с сайта: www.cyberguru.ru

Рисунок 9: Инструмент управления NPS

Как вы видите, секция клиентов и серверов RADIUS довольно знакома, как и секция политик. По-новому выглядит IAS ‘Remote Access Logging’, переименованная в ‘Accounting’, а также есть новая папка Network Access Protection.

И все же это не просто измененный интерфейс и переименованные элементы IAS, принципиальная разница заключается в функциональных возможностях в области защиты доступа к сети, которыми обладает NPS.

Архитектура сервера Network Policy Server

Есть несколько частей в архитектуре сервера Network Policy Server. Ниже представлена схема, изначально опубликованная на Microsoft TechNet в статье с названием’Инфраструктура Network Policy Server’.

Рисунок 10: Архитектура NPS (источник: Microsoft)

Как видно на схеме, сервер NPS, который мы установили в этой статье, является лишь частью большой инфраструктуры NPS. Не все эти части являются обязательными. Выбор частей этой инфраструктуры, зависит от той функции, которую вы собираетесь выполнять.

Например во введении я говорил о том, что хочу использовать NPS для аутентификации сетевых устройств Cisco, использующих RADIUS. Для этого мне потребуется лишь сервер NPS RADIUS и Network Policy Server (NPS). Маршрутизатор Cisco (или другое сетевое устройство) будет клиентом NPS RADIUS. Сервер NPS RADIUS – это то, что принимает запросы на аутентификацию сертификатов пользователя из сетевого устройства. Сервер NPS RADIUS обычно связывается с Network Policy Server с тем, чтобы убедится, что последний принимает запросы аутентификации от клиента RADIUS, что политика соответствует, что мандаты отправлены (обычно в активную директорию Windows) на подтверждение. Если они подтверждены, принятый запрос аутентификации отправляется обратно клиенту NPS RADIUS (сетевому устройству, в моем примере, маршрутизатору Cisco).

Заключение

В сочетании с клиентом Microsoft NAP, Microsoft называет Network Policy Server ‘платформой внедрения безопасной политики системы’. Но я все же воспринимаю NPS, как AAA сервер (аутентификация, авторизация и учетные данные — authentication, authorization, and accounting). Если вам нужен традиционный сервер RADIUS, вы не заметите большой разницы при использовании NPS. Однако я советую вам тщательнее присмотреться к тому, как NPS может помочь вам в решении проблем вашей компании в области защиты доступа к сети (NAP). Открывая доступ только тем компьютерам, на которых имеются обновленные патчи, антивирусное ПО и настройки брандмауэра для доступа к вашей сети, вы тем самым делаете сети вашей компании более надежными и безопасными.

Дэвид Дэвис (David Davis)