Friday, January 29, 2010

Windows 2008 RADIUS Server - NPS/NPAS Checklist & Usage Recommendations

Here is a quick fact checklist and set of usage guidelines from our experience of implementing the new Windows 2008 RADIUS server, called NPS, which is part of the NPAS role.

- Windows 2008 Standard (50 RADIUS clients only), Windows 2008 EE/DC (unlimited).
- You can back up the config using the 'netsh nps export' commands.
- It supports multiple EAP types and SHVs, but there are certain limitations.
- You can configure clients using GPs (same as in W2k3).
- Support for EAP-TLS and PEAP-TLS, and MS-CHAPv2, but using certificates only.
- NPS is managed through the NPS Microsoft Management Console (MMC) snap-in.
- Event logging for NPS, and logging of user authentication and accounting requests. Logging can be sent to log files, DB files, or stored procedures on SQL2k, SQL2k5, or SQL2k8.
- Should turn on logging (initially) for both authentication and accounting records.
- Install NPS on either a global catalog server or a server that is on the same subnet.
- Disable NAS Notification Forwarding.
- Create several universal groups for all users if there are too many.
- Use a user principal name in network policies to refer to users whenever possible.
- Increase the number of concurrent authentications between NPS and the domain controller.
- To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the NPS proxies as RADIUS servers.
- Use NPS and NPS Accounting for complete AAA services.
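The backup and logging items above, as an added PowerShell example that is not part of the original post or of any Microsoft documentation. It assumes Windows Server 2008 with the NPAS role installed and PowerShell 2.0 (for Get-WinEvent); the backup directory is a placeholder chosen for this example. It exports the NPS configuration with 'netsh nps export', locks the file down (the export includes RADIUS client shared secrets), enables auditing for the Network Policy Server subcategory, and then summarises denied authentications (Security log event 6273) by reason code.

```powershell
# Added example (not from the original post): back up the NPS configuration,
# turn on NPS auditing, and summarise recent denied authentications.
# Assumptions: Windows Server 2008 with NPAS, PowerShell 2.0 (Get-WinEvent),
# and a placeholder backup directory C:\NPSBackup.
$BackupDir  = 'C:\NPSBackup'
$BackupFile = Join-Path $BackupDir ("nps-config-{0}.xml" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# 1. Export the full NPS configuration. exportPSK=YES includes the RADIUS client
#    shared secrets, so the resulting file is as sensitive as the secrets themselves.
netsh nps export filename="$BackupFile" exportPSK=YES
if ($LASTEXITCODE -ne 0) {
    throw "netsh nps export failed with exit code $LASTEXITCODE"
}

# Remove inherited permissions and grant access only to Administrators and SYSTEM.
icacls $BackupFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# 2. Enable success and failure auditing for the Network Policy Server subcategory.
#    NPS then writes events to the Security log: 6272 granted, 6273 denied, 6274 discarded.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# 3. Summarise denied authentications (event 6273) from the last 24 hours by reason code.
#    -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when no events exist yet.
$Since  = (Get-Date).AddHours(-24)
$Denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$Denied |
    ForEach-Object {
        # The first "Account Name:" in a 6273 message is the user; "Reason Code:" is numeric.
        $reason = if ($_.Message -match 'Reason Code:\s+(\d+)')  { $matches[1] } else { 'unknown' }
        $user   = if ($_.Message -match 'Account Name:\s+(\S+)') { $matches[1] } else { 'unknown' }
        New-Object PSObject -Property @{ ReasonCode = $reason; User = $user }
    } |
    Group-Object ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the NPS server. Keeping the export readable only by Administrators and SYSTEM matters because with exportPSK=YES the XML carries every RADIUS client's shared secret in a restorable form; the same file is what 'netsh nps import' consumes when you rebuild the server.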

This information is based on the following Technet articles:
