Friday, September 26, 2014

4. Configure a Network Policy Server (NPS) Infrastructure

4.2 Configure NPS policies

4.2.1 Configure connection request policies

When NPS receives a RADIUS Access-Request message, the connection request policies are evaluated first to decide how the request is handled.

Overview - Enable the policy; choose the access server type (or a vendor-specific type).

Conditions - must match for this policy to be processed
HCAP Location Groups
User Name
Access Server IPv4 address (the server sending the request on behalf of the client)
Access Server IPv6 address
Framing Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 802.1X VLAN, other
Day and Time Restrictions
Identity Type - NAP machine health-check identity
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor Name
Called Station ID (of the NAS server)
NAS ID
NAS IPv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Settings -
Authentication Methods - Can be used to override the network policy authentication settings.
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2, as well as MS-CHAP v2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Authentication - Determines whether requests are authenticated locally, forwarded to a RADIUS server group, or accepted without validating credentials.
Accounting - Determines whether accounting requests are forwarded to a RADIUS server group.
Attribute - Manipulate attributes: Called-Station-ID, Calling-Station-ID, User-Name.
Standard - Add additional standard attributes that are sent to clients.
Vendor Specific - Add additional vendor-specific attributes.

4.2.2 Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)

Overview
Policy name
Enabled
Grant or Deny access.
"Ignore user account dial-in properties"
Access server type or vendor specific

Conditions - must match for this policy to be processed
Windows Groups
Machine Groups
User Groups
HCAP Location Groups
HCAP User Groups
Day and Time Restrictions
Identity Type - NAP machine health-check identity
MS-Service Class - Must use a defined DHCP scope
Health Policies - meets a health policy criteria
NAP-Capable Computers
Operating System - OS version, SP, OS role, Architecture, OS Build
Policy Expiration
Access Client IPv4
Access Client IPv6
Authentication Type - Includes CHAP, EAP, Ext, MS-CHAP v1 (and v1 CPW), MS-CHAP v2 (and v2 CPW), PAP, PEAP, unauthenticated.
Allowed EAP types - Smart Card, PEAP-Smart Card, PEAP-MSCHAP v2, EAP-MSCHAP v2
Framed Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, 802.1X VLAN, other
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor name
MS-RAS Vendor
Called Station ID
NAS ID
NAS IPv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other

Constraints - If these are not met, the connection is denied.
Authentication Methods - unless overridden by the connection request policy.
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2, as well as MS-CHAP v2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Idle Timeout
Session Timeout
Called Station ID
Day and time restrictions
NAS Port Type

Settings - Settings applied if Condition and Constraints match
Standard - Add additional standard attributes that are sent to clients
Vendor Specific - Add additional vendor-specific attributes
NAP Enforcement - Full network access, full network access for a limited time, or limited access (remediation server group). Enable auto-remediation for computers that do not meet health requirements
Extended State - Transitional, Infected, Unknown
Multilink BAP - How to handle multilink connections. BAP usage settings - drop a line from the multilink bundle if usage stays below a percentage for a period of time (50% over 2 minutes by default). Require BAP for dynamic multilink requests
IP filters
Encryption - Basic (MPPE 40-bit or 56-bit DES), MPPE 56-bit (56-bit DES), MPPE 128-bit (168-bit Triple DES), No encryption
IP Settings - Server must supply an IP address, client may request an IP address, server settings determine IP address assignment, or assign a static IP address
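The processing order the Conditions, Constraints and Settings sections above imply, as an added Python model of network policy evaluation (not code from the original post or from NPS itself; the policies, group name and attribute values are constructed):

```python
# Added example (not from the original post): a minimal model of how NPS walks an
# ordered network policy list for one Access-Request, as the notes above describe.
# The first policy whose Conditions match is used; if its Constraints are not met
# the request is rejected and no later policy is tried, otherwise its Grant/Deny
# decision and Settings apply.
# Constructed sample policies (assumed, not exported from a real NPS server);
# keys mirror the condition, constraint and setting names in the notes.
NETWORK_POLICIES = [
    {"name": "VPN - Domain Users", "enabled": True, "grant": True,
     "conditions": {"NAS Port Type": "VPN", "Windows Groups": "EXAMPLE\\Domain Users"},
     "constraints": {"Day and time": range(7, 19),  # allowed hours, 07:00-18:59
                     "Authentication Methods": {"PEAP", "EAP-MSCHAP v2"}},
     "settings": {"Encryption": "MPPE 128-bit", "Session Timeout": 480}},
    {"name": "Wireless - 802.1X", "enabled": True, "grant": True,
     "conditions": {"NAS Port Type": "802.11 wireless"},
     "constraints": {"Authentication Methods": {"PEAP"}},
     "settings": {"Encryption": "MPPE 128-bit"}},
    {"name": "Deny everything else", "enabled": True, "grant": False,
     "conditions": {}, "constraints": {}, "settings": {}},
]

def conditions_match(policy, request):
    """All conditions must match; a group condition matches if the user is a member."""
    for attr, wanted in policy["conditions"].items():
        value = request.get(attr)
        if isinstance(value, (list, set, tuple)):
            if wanted not in value:
                return False
        elif value != wanted:
            return False
    return True

def constraints_met(policy, request):
    """Constraints are only checked once the conditions have matched."""
    c = policy["constraints"]
    if "Day and time" in c and request["hour"] not in c["Day and time"]:
        return False
    if "Authentication Methods" in c and request["auth"] not in c["Authentication Methods"]:
        return False
    return True

def evaluate(request, policies=NETWORK_POLICIES):
    """Return (decision, policy name, settings) for one Access-Request."""
    for policy in policies:
        if not policy["enabled"] or not conditions_match(policy, request):
            continue  # conditions did not match: try the next policy in order
        if not constraints_met(policy, request):
            return ("Access-Reject", policy["name"], {})  # constraint failed: denied outright
        decision = "Access-Accept" if policy["grant"] else "Access-Reject"
        return (decision, policy["name"], policy["settings"] if policy["grant"] else {})
    return ("Access-Reject", None, {})  # nothing matched: NPS rejects the request
```

Note the asymmetry the model makes visible: a failed condition just moves on to the next policy, while a failed constraint ends evaluation with a reject.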

4.2.3 Import and export NPS policies
netsh nps export filename="c:\nps.xml" exportPSK=yes
Export-NpsConfiguration -Path c:\nps.xml
netsh nps import filename="c:\nps.xml"
Import-NpsConfiguration -Path c:\nps.xml
With exportPSK=yes the exported XML contains the RADIUS client and remote server group shared secrets in clear text, so keep the file in a protected location and remove it once it has been imported.
