Network Policy Server options

  • Question

  • Hello,

    I have 2 2008R2 VMs that are candidates for the roles of NPS. I would like to use NPS to authenticate my Sonicwall SSL VPN users who are using NetExtender. I also have a Meraki AP that needs to be set up to query the RADIUS server (NPS). This AP will be handling all of my front office connections, guest and employees. I would like an opinion if it is better to install the NPS role on a Domain Controller or just a member server.

    • I would like to do this in order to also make my wireless authentication certificate based.
    • Pairing this with a group policy that points to the certificate so that a PSK is no longer needed.
    • Certificate services for AD have not been installed yet.

    The biggest priorities are making this work with the Sonicwall VPN and the wireless clients. I have not installed the role on a server yet. I have not used NPS before with 2008R2 or 2008 for that matter. I was just wondering if there were any minefields I could be stepping into by enabling this role and setting it up. Wired 802.1x port security could be set up at a later time. I would like all the printers to keep working :)

    Any help or experience shared is appreciated.

    Thanks.


    Thanks, Jeff Newbill

    Friday, February 1, 2013 1:37 PM

Answers

  • Hi,

    Since it doesn't matter if you install NPS on a standalone server, it should not matter if the DC doesn't hold the FSMO role. I haven't experimented with this, but I'm almost certain it won't make any difference.

    As far as choosing which kind of authentication uses NPS, this is relatively simple. Policies are designed so that if a connection request matches certain conditions, then the policy settings are applied. If the request doesn't match those conditions, it moves on to the next policy in the processing order. In this way, you can create custom authentication settings for multiple types of connections. You can have a policy for wireless clients, one for VPN clients, and one for wired clients.

    Also keep in mind that the access point must have a RADIUS entry and if the wired 802.1X access point doesn't have a RADIUS configuration it won't even attempt to contact NPS. If you don't want to authenticate 802.1X wired connections, you can control this by either leaving out the RADIUS settings on your network access device, or by configuring the policy on NPS to allow any connection for 802.1X requests.

    Let me know if this isn't clear.

    Thanks,

    -Greg


    Thursday, February 7, 2013 5:41 AM
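    As an added illustration of the first-match policy processing Greg describes (example code written for this page, not from the thread or from NPS itself), the following Python model walks constructed RADIUS requests through policies in processing order. The NAS-Port-Type values are the standard RFC 2865 ones; the "group" and "eap_type" attributes are simplified stand-ins for the Windows-group and EAP-method conditions NPS evaluates.

```python
from dataclasses import dataclass

# Standard NAS-Port-Type (RADIUS attribute 61) values from RFC 2865.
NAS_PORT_VIRTUAL = 5      # VPN tunnel, e.g. the SonicWall SSL VPN
NAS_PORT_ETHERNET = 15    # wired 802.1X switch port
NAS_PORT_WIRELESS = 19    # IEEE 802.11, e.g. the Meraki AP


@dataclass
class Policy:
    name: str
    conditions: dict        # attribute -> required value; every one must match
    grant: bool             # True = access granted when matched, False = denied
    eap_types: tuple = ()   # EAP methods a granting policy accepts (empty = any)


def evaluate(policies, request):
    """Return (policy name, accepted?). As in NPS, the first policy whose conditions
    all match decides the request; a request matching no policy is rejected."""
    for p in policies:
        if all(request.get(k) == v for k, v in p.conditions.items()):
            if p.grant and (not p.eap_types or request.get("eap_type") in p.eap_types):
                return p.name, True
            return p.name, False  # matched, but denied or wrong authentication method
    return "<no matching policy>", False


# Specific policies first; the interim "allow any wired request" rule keeps
# printers working until 802.1X port security is actually rolled out.
POLICIES = [
    Policy("Wireless (EAP-TLS)", {"nas_port_type": NAS_PORT_WIRELESS, "group": "Employees"},
           True, ("EAP-TLS",)),
    Policy("SSL VPN users", {"nas_port_type": NAS_PORT_VIRTUAL, "group": "VPN-Users"},
           True, ("PEAP",)),
    Policy("Wired 802.1X (interim allow)", {"nas_port_type": NAS_PORT_ETHERNET}, True),
]

# Constructed sample requests (not captured traffic).
REQUESTS = {
    "laptop-on-wifi": {"nas_port_type": NAS_PORT_WIRELESS, "group": "Employees", "eap_type": "EAP-TLS"},
    "wifi-wrong-method": {"nas_port_type": NAS_PORT_WIRELESS, "group": "Employees", "eap_type": "PEAP"},
    "vpn-user": {"nas_port_type": NAS_PORT_VIRTUAL, "group": "VPN-Users", "eap_type": "PEAP"},
    "printer-on-switch": {"nas_port_type": NAS_PORT_ETHERNET},
    "unknown-port-type": {"nas_port_type": 99},
}


def misordered_catch_all():
    """Place a condition-less 'allow any' policy first: it matches every request,
    so the wireless certificate requirement is silently never enforced."""
    catch_all = Policy("Allow any (catch-all)", {}, True)
    return evaluate([catch_all] + POLICIES, REQUESTS["wifi-wrong-method"])
```

    The last function is the ordering mistake to check for when adding a broad "allow any" policy for not-yet-deployed wired ports: it must sit after the specific wireless and VPN policies, or it swallows their requests too.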

All replies

  • Hi Jeff,

    There is not a huge preference but typically installing NPS on a domain controller is a good idea. This way, NPS can contact AD quickly to authenticate domain users.

    -Greg

    • Proposed as answer by Aiden_Cao Wednesday, February 6, 2013 8:17 AM
    Tuesday, February 5, 2013 7:37 AM
  • Hi,

    I agree with Greg. You can install NPS on a domain controller.

    Quote from the following article:

    To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.

    Best Practices for NPS

    http://technet.microsoft.com/en-us/library/cc771746(v=ws.10)

    Best Regards,

    Aiden



    Aiden Cao
    TechNet Community Support

    Wednesday, February 6, 2013 8:16 AM
  • There are a few additional questions I have. 

    • What are the caveats if any for installing the role on a 2008 R2 DC that doesn't hold the FSMO roles? Does this matter?
    • Will I be able to activate this service for authenticating 802.11 clients from an AP (Meraki) on the network that supports it as well as VPN connections through a TZ210 that supports it while at the same time not utilizing it for 802.1x port authentication as I am not ready to deploy this yet? Is NPS able to be configured down to this level by selectively enforcing certain aspects such as these?

    Thanks for the responses. I will be installing it on a DC as it should be an authentication role so this makes sense for uniformity. 

    Jeff


    Thanks, Jeff Newbill

    Thursday, February 7, 2013 2:20 AM