Multiple NPS/NAP Servers?

  • Question

  • Hi,

    Firstly, I should start by saying I am a newbie to Server 2008 and NPS/NAP, so any help would be much appreciated.

    We are currently in the planning stages of rolling out NPS and NAP along with HP ProCurve switches using 802.1X. We are also planning on using the NPS servers to authenticate dial-in users via the Cisco VPN client.

    The question is, do I need to install NAP on both NPS (RADIUS) servers or can I pass all the NAP traffic onto one server? Or what is the Microsoft preferred way?

    As a secondary question, is it possible to check for certain applications or executables on a machine using NAP? If possible, where do you set these variables?

    Many Thanks
    Paul
    Thursday, December 4, 2008 2:48 PM

Answers

  • Hi Paul,

    You can pass all traffic to one NPS, or you can split it between two. The decision depends on your redundancy needs. I think you can configure the switch to send traffic to a primary and secondary RADIUS server for redundancy. Of course this will require that you sync the policies between the two servers.

    Another option is to have the switch send traffic to just one server which then forwards the request to the second server. To do this, you set up a remote RADIUS server group and configure connection request policy to forward authentication requests to the remote group (do this on server A). The other server (server B) will then have your authentication and authorization policies (called connection request and network policies on NPS) and it will also have a RADIUS client entry configured for server A. I don't think either way is preferred.

    I'm not aware of a SHA that is currently available for checking files on the client hard drive. Someone else might have heard of one.

    -Greg
    Tuesday, December 9, 2008 3:44 AM
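
For the primary/secondary option in the answer above, which requires keeping policies in sync, one way to copy the NPS configuration from one server to the other with `netsh nps export` and `netsh nps import`. This is an added example, not part of the original thread; the server name `NPS02`, the temp file name, and the availability of PowerShell remoting are assumptions.

```powershell
# Added example: one-way NPS configuration sync, primary -> secondary.
# Assumptions: 'NPS02' is a hypothetical secondary server, PowerShell
# remoting is enabled on it, and this runs elevated on the primary.
$Secondary = 'NPS02'
$Export    = Join-Path $env:TEMP 'nps-config.xml'

try {
    # exportPSK=YES writes the RADIUS shared secrets into the file
    # unencrypted, so it stays in the admin's temp folder and is
    # deleted in 'finally' whether or not the sync succeeds.
    netsh nps export filename="$Export" exportPSK=YES | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Export)) {
        throw "netsh nps export failed (exit code $LASTEXITCODE)"
    }

    # Read raw bytes so the XML encoding is preserved exactly.
    $bytes = [System.IO.File]::ReadAllBytes($Export)

    # Send the configuration through the remoting session instead of
    # leaving it on a file share, import it, then delete the remote copy.
    # The leading comma keeps the byte array as a single argument.
    $result = Invoke-Command -ComputerName $Secondary -ArgumentList (,$bytes) -ScriptBlock {
        param([byte[]]$Config)
        $path = Join-Path $env:TEMP 'nps-config.xml'
        try {
            [System.IO.File]::WriteAllBytes($path, $Config)
            netsh nps import filename="$path" | Out-Null
            $LASTEXITCODE   # returned to the caller as the import status
        }
        finally {
            Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
        }
    }
    # Assumption: a non-zero netsh exit code is treated as failure.
    if ($result -ne 0) { throw "netsh nps import on $Secondary failed (exit code $result)" }
    "NPS configuration copied to $Secondary"
}
finally {
    Remove-Item -Path $Export -Force -ErrorAction SilentlyContinue
}
```

The sync is one-way, so policy changes should be made on the primary only and then pushed.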