
Last updated on 6/1/22

Install a Network Access Server

In this chapter, we’ll set up an often overlooked role: network access control. Microsoft offers this role to give you control over which devices can access your network resources.

Install Network Policy and Access Services

The network access server (NAS) role is installed via Network Policy and Access Services.

Network Policy and Access Services Wizard

Known by the name NPS (Network Policy Server), these services ensure controlled access to your network. This server acts as a RADIUS (Remote Authentication Dial-In User Service) server. With this protocol, it’s possible to check a client’s identity and permissions and provide them with a service (such as network access) if they have the correct permissions.

Network policy and access services installed

Install the role (you shouldn’t need to restart your server) and select your server. I’ve named my server SRVNACS01: it’s a server (SRV) for controlling network access (NAC – network access control), and it’s the first server (01) located in Seattle (S). Search for NPS server, and open the application:

NPS Server Manager console

Before diving into implementing network access control, you need to understand some terminology and how RADIUS operates (the same for all access protocols).

Review the Access Control Basics

First of all, you must identify the clients and have one in charge of the RADIUS protocol. You’ll find native clients for each server role, which is the advantage of using Microsoft technologies.

A Windows 10 Professional computer can query a RADIUS server, but the client computer will not be the RADIUS client: it will not directly ask the access server if it can access the network. Instead, it has to rely on a third party that consults the RADIUS server.

Here’s a diagram of how Microsoft’s network access role works:

Diagram (taken from Microsoft’s website) of how RADIUS works through the Windows Server NPS server

The client computer will be a supplicant (RADIUS terminology). The RADIUS client is the device that will provide network access. This could be a switch, a Wi-Fi access point, or a remote or VPN server.

You’re going to learn how it works by using Packet Tracer and not by implementing it in Windows (so you don’t have to invest in any hardware). Packet Tracer is a free Cisco tool you can use to understand how RADIUS works.

Model Network Access Control 

Launch Packet Tracer and set up four devices:

  • A generic server.

  • A 2960 switch.

  • A portable PC.

  • A Wi-Fi access point WRT300N.

Connect your server (FastEthernet0) to the switch (any port), then connect the Internet port of the access point to the same switch.

There are a few more steps:

  • Configure the IP layer on the AP (Wi-Fi access point) and on the server.

  • Configure the RADIUS server section on the server.

  • Configure the RADIUS client on the access point.

  • Put a Wi-Fi card on the laptop PC.

Let’s start with the server, which is the easiest bit:

Simulated RADIUS architecture

Next, the Wi-Fi access point, entering the following network configuration:

IP Server configuration

Now that the IP configurations are operational on both devices, let’s move on to configuring the server and RADIUS client.

Configuring the RADIUS client is simple: specify the IP address of the RADIUS server and define a secret (you’ll secure Wi-Fi access under the Wireless section):

RADIUS client configuration

Now let’s configure the RADIUS server (simplified in Packet Tracer). Go to the Services section, and then AAA.

First, enter the information on the RADIUS client: a name, its IP, and the secret that you entered on the client:

RADIUS server configuration

Next, set up your users in the User Setup section. Then we’ll move on to configuring the supplicant (in this case, the laptop PC).

Add a Wi-Fi card.

Now all that remains is to configure the credentials you previously set up and wait for the authentication. After just a few seconds, you should see the following:

Wi-Fi client authorized to connect to the network using RADIUS protocol

Thanks to this quick simulation, you know how the RADIUS protocol operates. You can now move into Simulation mode on Packet Tracer. Restart the server and the Wi-Fi client to observe the data "envelopes" and different exchanges linked to access control:

RADIUS exchanges preceding network access authorization for the Wi-Fi client
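
To show what the shared secret entered on both the RADIUS client and the server is actually used for in these exchanges, here is an added Python example (not from the course or from Microsoft) of the basic RFC 2865 request and reply: the secret hides the User-Password attribute and signs the server's answer. The user name, password and secret in any call are constructed sample values, the password is assumed to be non-empty, and a Wi-Fi deployment using 802.1X would carry EAP messages rather than a plain User-Password.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types

def _xor_blocks(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident, user, password, secret):
    """Access-Request sent by the RADIUS client (e.g. the access point)."""
    ra = os.urandom(16)                       # Request Authenticator
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)           # pad to a multiple of 16 bytes
    hidden = _xor_blocks(pw, secret, ra)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attrs(body):
    out = {}
    while body:
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("malformed attribute")
        out[body[0]], body = body[2:body[1]], body[body[1]:]
    return out

def server_reply(request, secret, users):
    """Server side: recover the password with the secret, decide, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], parse_attrs(request[20:length])
    pw = _xor_blocks(attrs[USER_PASSWORD], secret, ra, decrypt=True).rstrip(b"\x00")
    known = users.get(attrs[USER_NAME].decode(), "\x00").encode()  # "\x00" never matches
    ok = hmac.compare_digest(known, pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()   # Response Authenticator

def client_verify(reply, request, secret):
    """Client side: trust a reply only if its Response Authenticator checks out."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

If the secret configured on the server differs from the one on the access point, the recovered password is garbage and the reply fails `client_verify`, which is why the two entries have to match exactly.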

The next step is to replicate your model on your Windows Server.

If you have devices compatible with RADIUS, try creating a similar model. Options will be different depending on your equipment; you’ll have to look for the menus. As you can see, the configuration section for a RADIUS client is simple.

Replicate Your Model onto Windows Server

The configuration page for a RADIUS client on Windows is the same as in Packet Tracer. To find it, go to the NPS Manager (NPS in administration tools) and add a RADIUS client by right-clicking on RADIUS Clients and then New:

RADIUS client configuration

With NPS on Windows Server, you can take this mechanism further, especially when identifying verification options for the client seeking network access. You’ll find this on Windows under Policies:

Connection request policies

With these policies, you can specify which types of supplicants can make legitimate network access requests.

You can find all of these options under the Settings tab in policy properties:

Network access request policy properties

Next, network policies let you specify the access granted to the requester. Here, I’m authorizing access to the Users group members from the NPS server. In a real-world setting, users would be members of an AD group. 

And there you have it! You know everything (or almost everything) there is to know about the network access role. You are free to adapt this based on the resources below.

Additional Resources

Let’s Recap!

  • Windows Server lets you create a RADIUS server through the network access role called NPS server.

  • RADIUS is a protocol that is part of the AAA protocol family, enabling authentication, authorization, and access/auditing.

  • With the NPS server from Windows, you can use several identity verification options for devices requesting network access, letting you authenticate access requests.

  • Types of network access can be conditional on other options set in network policies, which you can use to restrict bandwidth, timetables, or accessible services.

In the next part, you’ll learn all you need to know to install advanced network services, such as deployment or Windows update.
