
Lecture: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure - Module 7




DOCUMENT INFORMATION

Pages: 38
Size: 2.47 MB

Content

Module 7: Installing, configuring, and troubleshooting the network policy server role service. This module explains how to install, configure, and troubleshoot the network policy server role service. Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.

Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Contents:
Lesson 1: Installing and Configuring a Network Policy Server
Lesson 2: Configuring RADIUS Clients and Servers
Lesson 3: NPS Authentication Methods
Lesson 4: Monitoring and Troubleshooting a Network Policy Server
Lab: Configuring and Managing Network Policy Server

Lesson 1: Installing and Configuring a Network Policy Server

NPS lets you configure and manage network policies centrally through three features: RADIUS server, RADIUS proxy, and NAP policy server.

What is a Network Policy Server?
NPS allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. You can also use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups.
Additional Reading: Network Policy Server Help: Network Policy Server

Network Policy Usage Scenarios
You can use NPS in Windows Server 2008 as either a RADIUS server or a RADIUS proxy:
• As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and VPN remote access, and router-to-router connections.
• As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers.
Additional Reading: Network Policy Server Help: Network Policy Server Overview

Demonstration: How to Install the Network Policy Server

Tools Used for Managing a Network Policy Server
The following tools enable you to manage the Network Policy and Access Services server role:
• NPS MMC snap-in. Use the NPS MMC to configure a RADIUS server, RADIUS proxy, or NAP technology.
• Netsh commands for NPS. The netsh nps context provides a command set that is fully equivalent to the configuration settings available through the NPS MMC snap-in, so a configuration can be scripted, saved, and compared from the command line.
Additional Reading: Network Policy Server Help: Network Policy Server Overview

Demonstration: Configuring General NPS Settings
Lesson 2: Configuring RADIUS Clients and Servers

RADIUS is an industry-standard protocol described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS provides network authentication, authorization, and accounting services. The following components make up the RADIUS authentication, authorization, and accounting infrastructure:
• Access clients
• Access servers (RADIUS clients)
• RADIUS proxies
• RADIUS servers
• User account databases

What is a RADIUS Client?
A network access server (NAS) is a device that provides some level of access to a larger network. A NAS that uses a RADIUS infrastructure is also a RADIUS client: it sends connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. On the NPS side, each RADIUS client is defined by its IP address and a shared secret. The secret is what both sides use to hide the User-Password attribute and to authenticate RADIUS responses, so it should be long, random, and unique to each client; the lab value Pa$$w0rd is for the lab only.
Additional Reading: Network Policy Server Help: RADIUS Clients

(The extract jumps from page 7-10 to page 7-24 here; the rest of Lesson 2 and all of Lesson 3 are not reproduced.)

Lesson 4: Monitoring and Troubleshooting a Network Policy Server

Configuring Log File Properties
You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates.
Additional Reading: Help Topic: Configure Log File Properties; Help Topic: NPS Best Practices

Configure SQL Server Logging
The same accounting data can be written to a SQL Server database as well as, or instead of, a local log file. Use this procedure to configure logging properties and the connection to the server running SQL Server that stores your accounting data. The SQL Server database can be on the local computer or on a remote server.
Additional Reading: Help Topic: Configure SQL Logging in NPS
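The Access-Request / Access-Accept exchange that Lesson 2 describes between a RADIUS client (the NAS) and the RADIUS server, worked through in Python. This is an added example, not code from the course or from Microsoft: it implements the RFC 2865 packet framing, the User-Password hiding of section 5.2, and the Response Authenticator with the standard library only. The shared secret Pa$$w0rd and the NAS address 10.10.0.24 are taken from the lab; the account name, password, and Identifier are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) between a NAS
(RADIUS client) and a RADIUS server, showing what the shared secret does on
each side.  Added example using only the standard library."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 sec. 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 sec. 5

def _attrs(pairs):
    """Serialise (type, value) pairs as Type-Length-Value; Length counts the header."""
    out = b""
    for t, v in pairs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def _parse_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 sec. 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret it yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, nas_port=0):
    """NAS side: fresh random Request Authenticator and a hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = _attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def server_handle(request, secret, user_db):
    """Server side: unhide the password, check it against the user database,
    and answer with Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(_parse_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    ok = user in user_db and password == user_db[user].encode()
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, b"", secret)

def client_verify(request, response, secret):
    """NAS side: recompute the Response Authenticator.  A reply from a server
    that does not hold the same secret, or for another Identifier, is rejected."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def run_exchange(nas_secret, server_secret, password):
    """Drive one exchange; returns (response code, NAS accepted the reply?)."""
    users = {"WOODGROVEBANK\\alice": "CorrectHorseBattery"}   # constructed account
    req = build_access_request(7, "WOODGROVEBANK\\alice", password, nas_secret, "10.10.0.24")
    resp = server_handle(req, server_secret, users)
    return resp[0], client_verify(req, resp, nas_secret)

if __name__ == "__main__":
    print(run_exchange(b"Pa$$w0rd", b"Pa$$w0rd", "CorrectHorseBattery"))  # (2, True)
    print(run_exchange(b"Pa$$w0rd", b"Pa$$w0rd", "guess"))                 # (3, True)
    print(run_exchange(b"Pa$$w0rd", b"Other", "CorrectHorseBattery"))      # (3, False)
```

The three runs show the two jobs the shared secret does: with matching secrets a correct password yields Access-Accept and a wrong one Access-Reject, and in both cases the NAS can verify that the reply came from a server holding the secret; with mismatched secrets the server unhides garbage and rejects, and the NAS also refuses the reply because its Response Authenticator does not verify. On the wire this exchange runs over UDP, port 1812 for authentication (RFC 2865) and 1813 for accounting (RFC 2866); NPS also listens on the legacy 1645 and 1646 by default. Note that only the User-Password attribute is hidden, and only with an MD5 keystream derived from the secret, which is why the secret must be long and random and why the module's Security Issues recommend IPsec between NPS and its RADIUS clients.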
Configuring NPS Events to Record in the Event Viewer
You can configure NPS event logging to record connection-request failure and success events in the Event Viewer (NPS service events go to the System log; on Windows Server 2008 the per-request granted and denied events go to the Security log). Keep both failure and success logging enabled: rejected requests are the first troubleshooting signal, and successful ones are what a later investigation needs.
Additional Reading: Help Topic: NPS Events and Event Viewer; Help Topic: Configure NPS Event Logging

Lab: Configuring and Managing Network Policy Server

Objectives: After completing this lab, you will be able to:
• Install the Network Policy Server role service and configure Network Policy Server settings
• Configure a RADIUS client
• Configure certificate auto-enrollment

Scenario
Woodgrove Bank is expanding its remote-access solution to all its branch office employees. This will require multiple Routing and Remote Access servers located at different points to provide connectivity for its employees. You will use RADIUS to centralize authentication and accounting for the remote-access solution. The Windows Infrastructure Services Technology Specialist has been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, wireless and wired access, RADIUS, and RADIUS proxy.

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Log on to NYC-SVR1 and NYC-DC1 with the user name administrator and the password Pa$$w0rd.
3. Close the Initial Configuration Tasks window that appears after you log on.
4. Close the Server Manager window.

Exercise 1: Installing and Configuring the Network Policy Server Role Service

Exercise Overview
In this exercise, you will install and configure the Network Policy Server role. The main tasks are:
1. Ensure that you have completed the steps in the Lab Setup.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Network Policy and Access Services role.
4. Register NPS in Active Directory.
5. Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN connections.

Task 1: Ensure that you have completed the steps in the Lab Setup
• Review the Lab Setup section and ensure you have completed the steps before you continue with this lab.

Task 2: Open the Server Manager tool on 6421A-NYC-DC1
• On 6421A-NYC-DC1, open Server Manager from the Administrative Tools menu.

Task 3: Install the Network Policy and Access Services role
1. In the Server Manager list pane, right-click Roles and then click Add Roles.
2. Install the Network Policy Server role service from the Network Policy and Access Services role.
3. On the Installation Results page, verify that Installation succeeded appears in the details pane, and then click Close.
The Network Policy Server role is installed on 6421A-NYC-DC1. Do not log off or shut down the virtual machines at this point.

Task 4: Register NPS in Active Directory
1. Open Network Policy Server from the Administrative Tools menu.
2. Using the NPS tool, register NPS in Active Directory.
The Network Policy Server is registered in Active Directory. Registration adds the server's computer account to the RAS and IAS Servers group, which gives NPS permission to read the dial-in properties of user accounts in the domain; without it NPS cannot evaluate domain users and requests are rejected.

Task 5: Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN connections
1. In the Network Policy Server console tree, click NPS (Local).
2. In the details pane under Standard Configuration, select RADIUS server for Dial-Up or VPN Connections.
3. Click Configure VPN or Dial-Up, select Virtual Private Network (VPN) Connections, and accept the default name.
4. In the RADIUS clients dialog box, add NYC-SVR1 as a RADIUS client with the address 10.10.0.24.
5. In the New RADIUS Client dialog box, enter and confirm the shared secret Pa$$w0rd, and then click OK. This is a lab value only; outside the lab use a long random secret unique to each RADIUS client, because it is the only thing protecting the User-Password attribute and authenticating NPS responses on the wire.
6. In the Specify Dial-Up or VPN Server dialog box, accept the default setting.
7. In the Configure Authentication Methods dialog box, select Extensible Authentication Protocol and MS-CHAPv2.
8. On the Specify User Groups page, accept the default settings.
9. On the Specify IP Filters page, accept the default settings.
10. On the Specify Encryption Settings page, clear Basic encryption and Strong encryption so that only Strongest encryption (128-bit MPPE) remains allowed.
11. On the Specify a Realm Name page, accept the default settings and finish the wizard.
12. Close the Network Policy Server administrative tool.

Exercise 2: Configuring a RADIUS Client

Exercise Overview
In this exercise, you will configure 6421A-NYC-SVR1 to host Routing and Remote Access Services and configure it as a RADIUS client. The main tasks are:
1. Open the Server Manager tool on 6421A-NYC-SVR1.
2. Install the Routing and Remote Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for remote access clients and specify RADIUS authentication and accounting.

Task 1: Open the Server Manager tool on 6421A-NYC-SVR1
• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools menu.

Task 2: Install the Routing and Remote Access Services role on 6421A-NYC-SVR1
1. Using Server Manager, install the Network Policy and Access Services role with the Routing and Remote Access Services role service.
2. On the Installation Results page, verify that Installation succeeded appears in the details pane, and then click Close.
The Routing and Remote Access Services role is installed on 6421A-NYC-SVR1. Do not log off or shut down the virtual machines at this point.

Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for remote access clients and specify RADIUS authentication and accounting
1. Open the Routing and Remote Access administrative tool and click Configure and Enable Routing and Remote Access.
2. Choose the default Remote access (dial-up or VPN) configuration, and on the Remote Access page select the VPN option.
3. On the VPN Connection page, select the Local Area Connection interface.
4. On the IP Address Assignment page, select From a specified range of addresses, and use a range starting at 192.168.1.100 with 75 available addresses for the static pool.
5. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server, and then click Next.
6. Configure the following settings:
   • Primary RADIUS server: NYC-DC1
   • Shared secret for the RADIUS server: Pa$$w0rd (it must match the secret entered for this client on NYC-DC1 in Exercise 1; a mismatch shows up as rejected or discarded requests on NYC-DC1, not as a configuration error on this server)
   • Accept the default settings for the remainder of the configuration process.
7. Close the Routing and Remote Access administrative tool.

Exercise 3: Configuring Certificate Auto-Enrollment

Exercise Overview
In this exercise, you will configure certificate auto-enrollment for computers so that they can use certificate-based authentication. The main tasks are:
1. Install and configure Certificate Services on NYC-DC1.
2. Open the Group Policy Management tool on 6421A-NYC-DC1 and configure automatic certificate enrollment.
3. Close all virtual machines and discard changes.

Task 1: Install and configure Certificate Services on NYC-DC1
1. On NYC-DC1, start Server Manager from the Administrative Tools menu.
2. Install the Active Directory Certificate Services role using the defaults, except for the following:
   • CA Name = WoodGroveBank-CA
3. On the Installation Results page, click Close.
4. From the Administrative Tools menu, open the Certification Authority management tool.
5. Right-click Certificate Templates, and then select Manage from the context menu.
6. Change the security on the Computer template to allow Authenticated Users the Enroll permission. This is a lab shortcut; in production, grant Enroll only to the computer groups that need the certificate.
7. Close the Certificate Templates and certsrv management consoles.

Task 2: Open the Group Policy Management tool on 6421A-NYC-DC1 and configure automatic certificate enrollment
1. On 6421A-NYC-DC1, open Group Policy Management from the Administrative Tools menu.
2. In the Group Policy Management tool, expand Forest: WoodgroveBank.com, expand Domains, and then expand WoodgroveBank.com.
3. Right-click Default Domain Policy, and then click Edit.
4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
5. Right-click Automatic Certificate Request Settings, click New, and then click Automatic Certificate Request.
6. Accept the default settings throughout the wizard.
7. Close the Group Policy Management Editor.
8. Close the Group Policy Management tool. Automatic certificate enrollment is now configured for the WoodgroveBank domain's computers.
9. Start 6421A-NYC-CL1 and log on as Administrator with the password Pa$$w0rd.
10. Create a new MMC console with the Certificates snap-in, focused on the Computer account.
11. In the MMC console, verify that the computer account has enrolled a certificate from WoodGroveBank-CA.

Task 3: Close all virtual machines and discard undo disks
1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status.
3. For each virtual machine that is running, click the virtual machine name, and in the context menu click Turn off Virtual Machine and Discard Undo Disks.
4. Click OK.

Module Review and Takeaways

Review Questions
1. Why must you register the NPS server in Active Directory?
2. How can you make the most effective use of the NPS logging features?
3. What are the default authentication and accounting ports for RADIUS?
4. What is the procedure for configuring NPS UDP port information using the Windows interface?
5. What other considerations are there if you choose to use a nonstandard port assignment for RADIUS traffic?
Best Practices
Perform the following tasks before installing NPS:
• Install and test each of your network access servers using local authentication methods before you make them RADIUS clients.
• After you install and configure NPS, save the configuration with the command netsh nps show config > path\file.txt, and save it again the same way each time you make a change.
• Do not install Windows Server 2008, Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition on the same partition as Windows 2000 Server.
• Do not configure a server running NPS or Routing and Remote Access as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a Windows Server 2008 or Windows Server 2003 domain controller in another domain.

Security Issues
Two methods are recommended for remote administration of NPS servers:
• Use Terminal Services (Remote Desktop) to access the NPS server.
• Use Internet Protocol security (IPsec) to encrypt confidential data. RADIUS itself hides only the User-Password attribute; user names, accounting data, and every other attribute travel in the clear unless IPsec protects the path between NPS and its RADIUS clients.

Tools
The following tools can be used to configure, manage, monitor, and troubleshoot NPS:

Tool: Network Policy Server
  Use for: managing and creating network policy
  Where to find it: Network Policy Server on the Administrative Tools menu
Tool: Netsh command-line tool
  Use for: creating administrative scripts for configuring and managing the Network Policy Server role
  Where to find it: from a command window, type netsh nps to administer from a command environment
Tool: Event Viewer
  Use for: viewing logged information from application, system, and security events
  Where to find it: Event Viewer on the Administrative Tools menu
...
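Lesson 4 and the Tools table point at the Event Viewer for connection-request success and failure events, and the review questions ask how to make effective use of NPS logging. The following added example (not part of the course or of any Microsoft tool) parses NPS records in the Event Viewer XML layout, Event ID 6272 (access granted) and 6273 (access denied) as Windows Server 2008 writes them to the Security log, and turns them into the three things an operator wants first: denials by reason code, configuration problems (no matching policy, disabled authentication method, dial-in permission) separated from credential failures, and any calling station that fails against several accounts in a short window. The records are constructed sample data modelled on the real event fields; the five-failures-in-five-minutes threshold is an assumption to tune per environment.

```python
"""Triage of NPS connection-request events (Security log Event ID 6272 =
access granted, 6273 = access denied).  Added example; the records below
are constructed sample data in Event Viewer XML form, not a real log."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GRANTED, DENIED = 6272, 6273
# Reason codes that dominate NPS troubleshooting; 16 is a bad credential,
# the other three are policy/configuration problems rather than attacks.
REASONS = {
    16: "credentials mismatch",
    48: "no network policy matched",
    65: "dial-in permission denied on the user account",
    66: "authentication method not enabled on the matching policy",
}
CONFIG_REASONS = (48, 65, 66)

def _event_xml(event_id, when, fields):
    """Build one constructed 6272/6273 record in the Event Viewer XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/>'
            f'<Computer>NYC-DC1.WoodgroveBank.com</Computer></System>'
            f'<EventData>{data}</EventData></Event>')

_COMMON = {"SubjectDomainName": "WOODGROVEBANK", "ClientName": "NYC-SVR1",
           "NASIPv4Address": "10.10.0.24"}

SAMPLE_EVENTS = (
    [_event_xml(GRANTED, "2020-01-30T19:00:00.000Z", dict(_COMMON,
        SubjectUserName="alice", CallingStationID="198.51.100.9",
        AuthenticationType="MS-CHAPv2",
        NetworkPolicyName="Virtual Private Network (VPN) Connections"))]
    # five different accounts failing from one calling station in four minutes
    + [_event_xml(DENIED, f"2020-01-30T19:0{i}:30.000Z", dict(_COMMON,
        SubjectUserName=user, CallingStationID="203.0.113.7",
        AuthenticationType="MS-CHAPv2", ReasonCode="16",
        Reason="Authentication failed due to a user credentials mismatch."))
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # one request that matched no network policy at all
    + [_event_xml(DENIED, "2020-01-30T19:08:00.000Z", dict(_COMMON,
        SubjectUserName="frank", CallingStationID="198.51.100.42",
        AuthenticationType="PAP", ReasonCode="48",
        Reason="The connection request did not match any configured network policy."))]
)

def parse_event(xml_text):
    """Flatten one event into a dict: id, time, and every EventData field."""
    root = ET.fromstring(xml_text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    rec = {"id": int(root.find("e:System/e:EventID", NS).text),
           "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec

def triage(xml_events, window=timedelta(minutes=5), threshold=5):
    """Summarise denials by reason, separate configuration problems from
    credential failures, and flag calling stations that fail `threshold`
    or more times inside `window` (password guessing / spraying)."""
    events = sorted((parse_event(x) for x in xml_events), key=lambda r: r["time"])
    denied = [r for r in events if r["id"] == DENIED]
    by_reason = Counter(int(r["ReasonCode"]) for r in denied)

    per_source = defaultdict(list)
    for r in denied:
        if int(r["ReasonCode"]) == 16:
            per_source[r["CallingStationID"]].append(r)
    suspects = {}
    for src, recs in per_source.items():          # recs are already time-ordered
        for i, first in enumerate(recs):
            run = [x for x in recs[i:] if x["time"] - first["time"] <= window]
            if len(run) >= threshold:
                suspects[src] = {"failures": len(run), "nas": first["ClientName"],
                                 "users": sorted({x["SubjectUserName"] for x in run})}
                break

    config_issues = [(r["SubjectUserName"], r["AuthenticationType"],
                      REASONS[int(r["ReasonCode"])])
                     for r in denied if int(r["ReasonCode"]) in CONFIG_REASONS]
    return {"denied_by_reason": dict(by_reason),
            "suspect_sources": suspects,
            "config_issues": config_issues}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

On the sample data the report separates the two stories cleanly: 203.0.113.7 is flagged because it burned through five accounts on NYC-SVR1 within the window, while frank's PAP request is not an attack but a policy gap (reason 48), the kind of thing the Exercise 1 wizard produces when a client uses an authentication method no network policy allows. With real logs, feed the function the XML of each event (Event Viewer's XML view or an export) and keep the 6272 successes in the input; they are needed to see whether a flagged source eventually got in.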
Lesson 3 fragments (only these pieces of pages 7-17 and 7-22 survive in the preview):
... credentials

Password-Based Authentication Methods
Each authentication method has advantages and disadvantages ...
... and server certificates have additional requirements.
Additional Reading: Help Topic: Certificates and NPS; Help Topic: EAP and NPS; Help Topic: PEAP and NPS

Posted: 30/01/2020, 19:09
