VPN/NPS theory questions

    Question

  • Hello!

    I've been using Windows RRAS for a number of companies for many years, and before deploying it with a new Windows Server version I used to re-learn what I already knew about RRAS using the new MS official curriculum. All MS guides I've read so far left me with a feeling that there was something I didn't understand in RRAS/NPS - now that I have a new MCSA 2016 guide at hand I'd like to ask a couple of questions regarding RRAS/NPS which I've never seen explained so far.

    Suppose you are a system administrator that configures RRAS for the first time. First of all an administrator should determine whether he/she would use a RADIUS server or VPN server for the authentication/accounting purposes:

    Having read this an administrator should know that he/she can use either RADIUS (which is called NPS in Windows) or VPN server for user authentication. Suppose then that an administrator decided NOT to use RADIUS and use instead VPN authentication - it means that he/she should NOT install MS RADIUS server (NPS Role Service) and configure Connection request policies and network policies because RADIUS infrastructure is NOT required (Note: To enable a RADIUS infrastructure, install the Network Policy and Access Services server role.).

    So an administrator is going to have to install only one role service - Remote Access:

    As you can see NPS is not required - and is NOT added! - during Remote Access installation.

    But as soon as Remote Access installation is completed, NPS is here:

    Q1) Neither an administrator nor the Remote Access installation wizard was to add NPS - why did NPS get installed along with Remote Access?

    As an administrator decided to use VPN authentication he/she should choose Windows Authentication in RRAS properties:

    When I see the Authentication providers on the RRAS properties' Security tab I always think (and I suppose any administrator may think the same way after reading MS guides like one above) that RADIUS Authentication would use MS RADIUS server (NPS) and Windows Authentication would use either VPN server local user database or AD - in any case there's no ground to suggest that NPS service (that is MS RADIUS SERVER) will be used even when Windows Authentication is chosen:

    No remote clients will be able to connect to this VPN server until any permissive network policy is created (or the default one is changed from Deny to Allow). But the aforementioned MCSA 2016 curriculum mentioned network policies (as well as connection policies) only in terms of the MS RADIUS server - NPS service.

    I've never seen any documentation (for example Network Policy Server) indicating this configuration is possible so

    Q2) Is it by design that NPS is used by default with Windows Authentication?

    Q3) If the answer to Q2 is yes why doesn't it get explained in MS official guides (at least in MCSA 2012 and MCSA 2016) and in many msdn articles describing NPS (Network Policy Server Overview, Network Policy Server and etc.)?

    Thank you in advance,

    Michael




    • Edited by MF47 Thursday, March 16, 2017 6:55 AM typo
    Tuesday, March 14, 2017 2:38 PM
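    The question above hinges on three things an administrator can verify directly on the RRAS box rather than infer from the curriculum: whether the NPS role and its service (service name IAS) were installed alongside Remote Access, which authentication provider RRAS is actually using, and which NPS network policies and RADIUS clients exist. The audit script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes it runs elevated on the RRAS server itself, and the registry path and provider GUIDs used to read the RRAS authentication provider are assumptions to be confirmed against your own server (the rest uses standard ServerManager cmdlets, netsh nps, and the Security log, where NPS records access grants and denials as events 6272 and 6273).

```powershell
# Added example (not from the original thread): audit how RRAS and NPS are wired together
# on a server where "Windows Authentication" was selected in RRAS properties.
# Run elevated on the RRAS server. Read-only: nothing below changes configuration.

Import-Module ServerManager -ErrorAction Stop

# 1. Roles: was NPS (NPAS) installed although only Remote Access was requested?
$roles = Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, NPAS |
    Select-Object Name, DisplayName, InstallState
$roles | Format-Table -AutoSize

# 2. Services: RRAS is "RemoteAccess", the NPS service is "IAS".
Get-Service -Name RemoteAccess, IAS -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# 3. Authentication provider chosen on the RRAS Security tab.
#    ASSUMPTION: the active provider GUID is stored under this key; the two GUIDs
#    below are the ones commonly documented for Windows vs. RADIUS authentication.
#    Verify on your own server before relying on the mapping.
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Authentication\Providers'
$providerNames = @{
    '{1AA7F83F-C7F5-11D0-A376-00C04FC9DA04}' = 'Windows Authentication'
    '{1AA7F840-C7F5-11D0-A376-00C04FC9DA04}' = 'RADIUS Authentication'
}
if (Test-Path $provKey) {
    $active = (Get-ItemProperty -Path $provKey -ErrorAction SilentlyContinue).'Active Provider'
    $label  = if ($active -and $providerNames.ContainsKey($active)) { $providerNames[$active] } else { 'unknown' }
    Write-Host "RRAS authentication provider: $active ($label)"
} else {
    Write-Host "RRAS provider key not found at $provKey (assumed path; check RRAS properties GUI)"
}

# 4. NPS side: network policies (the default policy RRAS creates lives here) and
#    registered RADIUS clients. With Windows Authentication the VPN server itself
#    is normally NOT listed as a RADIUS client, which is the point raised in the thread.
if (Get-Service -Name IAS -ErrorAction SilentlyContinue) {
    Write-Host "`n--- NPS network policies (netsh nps show np) ---"
    netsh nps show np
    Write-Host "`n--- NPS RADIUS clients (netsh nps show client) ---"
    netsh nps show client
}

# 5. Evidence that NPS, not RRAS alone, is evaluating VPN logons: NPS writes
#    6272 (access granted) / 6273 (access denied) to the Security log.
#    A 6273 for a known-good account right after a policy was disabled is the
#    symptom Anne reproduced in her lab.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { if ($_.Id -eq 6272) { 'granted' } else { 'denied' } } },
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

    If step 1 shows NPAS installed and step 5 shows 6272/6273 events for VPN logons while step 4 lists no RADIUS client, that is exactly the configuration the thread describes: NPS policy evaluation is in the path even though RRAS is set to Windows Authentication and no RADIUS client was ever registered.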

Answers

  • Hi MF47,

    From my point of view, when we use "Windows authentication", RRAS will create a standard (default) policy in the NPS server; in this way, when we install RRAS, we'll also install the NPS role automatically, since the authentication of RRAS still uses NPS's components, or let's say source code, at the bottom. Wild guess: most authentication functions of Windows Server roles will use NPS components (just a guess! thinking of RDG).

    With Windows authentication, we do not need to do additional configuration for the policies, and it only provides simple authentication. With MS RADIUS authentication, we may also use another NPS server and create more complex policies.

    Welcome to feedback your thoughts :)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by MF47 Monday, March 20, 2017 3:35 PM
    Friday, March 17, 2017 9:16 AM

All replies

  • Hi MF47,

    I'm testing "Windows Authentication" without NPS and trying to provide an explanation of your questions, I'll feedback as soon as I get any update.

    Best Regards,

    Anne



    Wednesday, March 15, 2017 6:57 AM
  • Hi Anne,

    Thank you!

    Wednesday, March 15, 2017 9:36 AM
  • Hi MF47,

    Tested in my lab and the result is below:

    >Q1) Neither an administrator nor the Remote Access installation wizard was to add NPS - why did NPS get installed along with Remote Access?

    Yes, on Server 2016, when installing the Remote Access role, the NPS role is also installed automatically.

    This behavior also exists on the Remote Desktop Gateway role.

    As far as I'm concerned, this may be due to the authentication of RRAS itself still using the components of NPS; in other words, basically, the authentication integrated with RRAS and RDG still uses NPS's method.

    >Q2) Is it by design that NPS is used by default with Windows Authentication?

    I think so. The test result is that when I disable the default policy in NPS for VPN connections, I have no way to connect to the VPN.

    Client unable to connect:

    Event log in Remote Access:

    As soon as I enable the policies, I can use the same account to connect to VPN:

    >Q3) If the answer to Q2 is yes why doesn't it get explained in MS official guides (at least in MCSA 2012 and MCSA 2016) and in many msdn articles describing NPS (Network Policy Server Overview, Network Policy Server and etc.)?

    This is hard to explain at our level.

    Best Regards,

    Anne




    Friday, March 17, 2017 9:07 AM
  • Hi Anne,

    First of all thank you very much for your tests - your results are exactly the same as mine.

    "From my point of view, when we use "Windows authentication", RRAS will create a standard (default) policy in the NPS server; in this way, when we install RRAS, we'll also install the NPS role automatically, since the authentication of RRAS still uses NPS's components, or let's say source code, at the bottom." - I also think it's true, and this contradicts all MS official documentation stating, for example, that

    Note: To enable a RADIUS infrastructure, install the Network Policy and Access Services server role. The NPS can act as either a RADIUS proxy or a RADIUS server.

    ...because the configuration we've just tested does NOT use NPS as a RADIUS SERVER (the VPN server is NOT registered as a RADIUS client in the NPS console!!!) or a RADIUS PROXY - it uses NPS as some other underlying authentication layer, and this usage scenario HAS NEVER BEEN EXPLAINED in MS official documentation (at least in MCSA 2012-2016) - this is the weirdest thing to me...

    Thank you once again for your help, Anne!

    Regards,

    Michael



    • Edited by MF47 Monday, March 20, 2017 3:36 PM
    Monday, March 20, 2017 3:35 PM
  • Hi MF47,

    You are welcome :)

    Best Regards,

    Anne



    Tuesday, March 21, 2017 1:41 AM