NPS proxy pointing another NPS proxy

    Question

  • Hello,

    We have a very complicated network structure and I am trying to make NPS proxy function to jump from one NPS proxy to another then to regular NPS server.

    The communication flow is going to be:

    Radius client --> NPS proxy01 --> NPS proxy02 --> NPS server

    Radius client: any regular Radius protocol aware end device

    NPS proxy01 (domain x): Radius client has access to this server only and does not have access to NPS proxy02

    NPS proxy02 (domain x): Only NPS proxy01 has access to this server and Radius client machine cannot directly access this server

    NPS server: Main AD joined NPS server which will process LDAP authentication

    Note: between NPS proxy01, NPS proxy02 and NPS server there are firewalls restricting ports.

    So my question: Is it possible for NPS proxy to point to another NPS proxy then to NPS main authentication server?

    Thank you,

    David

    Monday, June 17, 2013 4:30 PM

Answers

  • Hi,

    Based on my research, the RADIUS hierarchy is defined like this:

    Proxy
    With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy.  A common use for proxy RADIUS is roaming.  Roaming permits two or more administrative entities to allow each other's users to dial in to either entity's network for service

    Quote from RFC 2865
    http://www.hjp.at/doc/rfc/rfc2865.txt

    Therefore, I suggest you keep the RFC hierarchy (Access device --> RADIUS proxy --> RADIUS server).

    Thanks.


    Alex Lv



    Thursday, June 20, 2013 3:48 AM
    Moderator
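    The RFC 2865 forwarding described in the quote has one security-relevant consequence for a chain of proxies: every hop uses its own shared secret, so each proxy must recover User-Password with the inbound secret and re-hide it with the outbound secret under a fresh Request Authenticator. The following is an added illustration, not code from the thread or from NPS; the secrets and password are constructed sample values, and Proxy-State bookkeeping is left out.

```python
# Added example: RFC 2865 section 5.2 User-Password hiding, applied hop by hop
# along client -> proxy01 -> proxy02 -> server. Secrets are constructed values.
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks and XOR each block with MD5(secret + previous
    ciphertext block); the first block is chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block just produced
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding added by the sender."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def forward_hop(hidden: bytes, auth_in: bytes, secret_in: bytes, secret_out: bytes):
    """What a proxy must do before sending the Access-Request onward: recover
    the password with the inbound secret, choose a new Request Authenticator,
    and re-hide the password with the outbound secret. Returns (hidden, auth_out)."""
    clear = reveal_password(hidden, secret_in, auth_in)
    auth_out = os.urandom(16)
    return hide_password(clear, secret_out, auth_out), auth_out


def chain(password: bytes, secrets: list) -> bytes:
    """Simulate the whole chain with one secret per hop and return the
    password the final RADIUS server recovers. Chain length is arbitrary."""
    auth = os.urandom(16)
    hidden = hide_password(password, secrets[0], auth)
    for secret_in, secret_out in zip(secrets, secrets[1:]):
        hidden, auth = forward_hop(hidden, auth, secret_in, secret_out)
    return reveal_password(hidden, secrets[-1], auth)
```

    A wrong secret on any single hop yields garbage at the next hop rather than a readable error, and each proxy necessarily sees the cleartext password, which is why every proxy in the chain must be treated as a trusted AAA component.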

All replies

  • Hi dckim:

    As a RADIUS proxy, NPS provides the routing of RADIUS messages between RADIUS clients (access servers), other RADIUS proxies, and the RADIUS servers that perform AAA for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow.

    When you deploy NPS as a RADIUS server, NPS receives connection requests from network access servers, and then processes the requests. NPS performs centralized connection authentication, authorization, and accounting for many types of network access.

    Quote from:
    NPS as a RADIUS Server and Proxy
    http://technet.microsoft.com/en-us/library/dd197447(v=ws.10).aspx


    You must pay attention to the large number of connection requests.

    You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the processing of large numbers of RADIUS clients and authentications per second.

    Quote from:
    RADIUS Proxy
    http://technet.microsoft.com/en-us/library/cc731320.aspx

    NPS acts as a RADIUS client when you configure it as a RADIUS proxy to forward Access-Request messages to other RADIUS servers for processing.

    Quote from:
    RADIUS Clients
    http://technet.microsoft.com/en-us/library/cc754033(v=ws.10).aspx


    Hope this helps.


    Wednesday, June 19, 2013 2:16 AM
    Moderator
  • Alex,

    Thank you for your reply.

    Actually I have already looked through those online docs from Microsoft.

    But it does not cover the possibility of NPS proxy passing Radius authentication to another NPS proxy.

    I am able to make one NPS proxy work, but as soon as I introduce another NPS proxy server (in another domain) trying to pass RADIUS authentication to the existing NPS proxy, I get a time-out error. So I was just wondering whether NPS proxy to another NPS proxy is supported or not.

    Wednesday, June 19, 2013 3:59 PM
  • Hi dckim,

    Is there any update? I would like to check if you need further assistance.

    Thanks


    Alex Lv

    Monday, June 24, 2013 3:02 AM
    Moderator