What are two policies found within the framework of the NPS that governs whether or not a client gets access to the network?
Connection Request Policies and Network Policies
What does RADIUS stand for?
Remote Access Dial-In User Service.
What is the difference between Connection Request Policies and Network Policies?
Connection Request Policies determine where a client’s authentication takes place, e.g., RADIUS server or locally.
Network Policies provides authorization to allow the VPN traffic.
Even if the Network Policy Server role is not installed, a “lite” version of the NPS is installed with Remote Access. True or False?
True.
Within the Connection Request Policies, the processing order is determined numerically starting with the lowest numbers. True or False?
True.
Using the Routing and Remote Access tool, which policy can be configured?
Network policies.
Which tab within the properties of a Connection Request policy, configures where authentication will take place for VPN clients?
Settings tab.
When viewing the Connection Request Policy properties, which tab provides the option to enable or disable the policy?
Overview tab.
Once a network policy is matched, no other network policies are considered. True or False?
True.
How do you alter the order of Network Policies within the Network Policies list?
Right click on the policy and select “Move Up or Move Down”.
Within a user’s account, what are their Dial-In properties set to by default?
Control access through NPS Network Policy
A Network Policy can override a user’s Dial-In permissions if the proper box is checked within the Network Policies Overview tab. True or False?
True.
Which role installs the Network Policy Server tool and turns a server into a NPS server?
Network Policy Server.
How do you configure a RADIUS server?
- Install the Network Policy and Access Services role
- Within the NPS tool, utilize the Getting Started screen and choose, from the drop down list, what your going to be using the RADIUS server for (VPN, wireless, or wired connections).
- For VPN connections, you’ll use the Configure VPN or Dial-Up Wizard.
As a result of the wizard, you’ll have created both Connection Request Policies and Network Policies for that connection (VPN/Dial-Up).
How do you configure a RAS server to forward authentication requests to a centralized RADIUS server?
- Navigate to: RAS server > NPS tool > Connection Request Polices > R-Click on policy > Settings tab > Authentication
- Click on “New” (to create a new Security group for our RADIUS servers) and add each RADIUS server to the group.
- Select the “Forward requests to the following remote RADIUS server group for authentication” radio button.
What filter in Wireshark will only show RADIUS packets?
RADIUS (for the RADIUS protocol)
The Network Access Server (NAS) or Remote Access Server (RAS) can forward authentication requests over to a centralized RADIUS server through a properly configured Connection Request Policy. True or False?
True.
When using a connection request policy to forward authentication requests to a remote RADIUS server group, the RADIUS server will be used for the network policy for that connection. True or False?
True.
What is a RADIUS proxy?
The middleman between the RADIUS server and the client.
From the perspective of a device using a RADIUS proxy, the proxy appears as a RADIUS server. True or False?
True.
By inserting a RADIUS proxy between the clients and the servers, it could help with a more even distribution of authentication requests to the actual servers. True or False?
True.
RADIUS servers see the RADIUS proxies as _____.
Clients.
How do we configure RADIUS proxies?
- On the backend RADIUS server, navigate to NPS tool > RADIUS clients. Configure the RADIUS server to listen only for the IPs of the servers acting as RADIUS proxies.
- On the RADIUS proxy, navigate to NPS tool > RADIUS Clients. Add the RADIUS client to the list by inputting their IP Address and the shared password.
- Still within the NPS tool, add the RADIUS server group containing the RADIUS servers to the list in “Remote RADIUS Server Groups”. Each server will need to have the shared secret, IP Address, and optional load balancing settings configured to be added to the group.
- On the proxy, configure it to forward authentication requests to the RADIUS server group by creating/editing a Connection Request Policy and, within the Authentication setting of the Settings tab, select the “Forward requests to the following remote RADIUS server group for authentication” radio button.
- On the RADIUS client, navigate to the NPS tool > Remote RADIUS Server Groups > Add/Edit a RADIUS server group to point to the IP Address of the RADIUS proxy.
What is the difference between Authentication, Authorization, and Accounting?
Authentication is defining who someone is.
Authorization is about what their authorized to do.
Accounting defines what they did.
