In this chapter, we’ll set up an often overlooked role: network access control. Microsoft offers this role to give you control over which devices can access your network resources.
Install Network Policy and Access Services
The network access server (NAS) role is installed via Network Policy and Access Services.
Known by the name NPS (Network Policy Server), these services ensure controlled access to your network. This server acts as a RADIUS (Remote Authentication Dial-In User Service) server. With this protocol, the server can check a client’s identity and permissions and grant it a service (such as network access) when those permissions are correct.
Install the role (you shouldn’t need to restart your server) and select your server. I’ve named my server SRVNACS01: it’s a server (SRV) for controlling network access (NAC – network access control), and it’s the first server (01) located in Seattle (S). Search for NPS server, and open the application:
Before diving into implementing network access control, you need to understand some terminology and how RADIUS operates (the same for all access protocols).
Review the Access Control Basics
First of all, you must identify the clients and determine which one handles the RADIUS protocol. Microsoft provides native clients for each server role, which is an advantage of staying within Microsoft technologies.
A Windows 10 Professional computer can be authenticated by a RADIUS server, but the client computer itself is not the RADIUS client: it does not ask the access server directly whether it may join the network. Instead, it relies on an intermediary device that consults the RADIUS server on its behalf.
Here’s a diagram of how Microsoft’s network access role works:
In RADIUS terminology, the client computer is the supplicant. The RADIUS client is the device that provides network access: a switch, a Wi-Fi access point, or a remote access or VPN server.
You’re going to learn how it works by using Packet Tracer and not by implementing it in Windows (so you don’t have to invest in any hardware). Packet Tracer is a free Cisco tool you can use to understand how RADIUS works.
Model Network Access Control
Launch Packet Tracer and set up four devices:
A generic server.
A 2960 switch.
A portable PC.
A Wi-Fi access point WRT300N.
Connect your server (FastEthernet0) to the switch (any port), then connect the access point’s Internet port to the same switch.
There are a few more steps:
Configure the IP layer on the AP (Wi-Fi access point) and on the server.
Configure the RADIUS server section on the server.
Configure the RADIUS client on the access point.
Put a Wi-Fi card on the laptop PC.
Let’s start with the server, which is the easiest bit:
Next, the Wi-Fi access point, entering the following network configuration:
Now that the IP configurations are operational on both devices, let’s move on to configuring the server and RADIUS client.
Configuring the RADIUS client is simple: specify the IP address of the RADIUS server and define a secret (you’ll secure Wi-Fi access under the Wireless section):
Now let’s configure the RADIUS server (simplified in Packet Tracer). Go to the Services section, and then AAA.
First, enter the information on the RADIUS client: a name, its IP, and the secret that you entered on the client:
Next, set up your users in the User Setup section. Then we’ll move on to configuring the supplicant (in this case, the laptop PC).
Add a Wi-Fi card.
Now all that remains is to configure the credentials you previously set up and wait for the authentication. After just a few seconds, you should see the following:
Thanks to this quick simulation, you know how the RADIUS protocol operates. You can now move into Simulation mode on Packet Tracer. Restart the server and the Wi-Fi client to observe the data "envelopes" and different exchanges linked to access control:
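To make the "envelopes" seen in Simulation mode concrete, here is an added example (not part of the course or of Packet Tracer) that builds the RFC 2865 Access-Request and Access-Accept/Reject packets in Python: the RADIUS client hides the supplicant’s password with the shared secret and the Request Authenticator, the server recovers it with its own copy of the secret, and the client only trusts the reply when the Response Authenticator verifies. The user store, secrets and packet identifier are constructed values; passwords are limited to one 16-byte block.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
USERS = {"alice": "P@ssw0rd"}          # constructed user store, like the AAA "User Setup"

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out[t] = data[i + 2:i + length]
        i += length
    return out

def _pw_xor(blob, secret, req_auth):
    """RFC 2865 User-Password hiding (one 16-byte block, so passwords <= 16 chars here)."""
    key = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(blob.ljust(16, b"\0"), key))

def build_access_request(ident, username, password, secret):
    """RADIUS client (NAS/AP) side: wrap the supplicant's credentials in an Access-Request."""
    req_auth = os.urandom(16)                     # Request Authenticator
    attrs = _attrs([(ATTR_USER_NAME, username.encode()),
                    (ATTR_USER_PASSWORD, _pw_xor(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def radius_server(packet, secret, users=USERS):
    """RADIUS server side: recover the password with its own copy of the secret and reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    password = _pw_xor(attrs[ATTR_USER_PASSWORD], secret, req_auth).rstrip(b"\0")
    user = attrs[ATTR_USER_NAME].decode()
    code = ACCESS_ACCEPT if user in users and users[user].encode() == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(request, response, secret):
    """RADIUS client side: trust the reply only if its Response Authenticator checks out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if response[4:20] == expected else None

def run_exchange(username, password, nas_secret, server_secret):
    """Full round trip: ACCESS_ACCEPT, ACCESS_REJECT, or None when the two secrets differ."""
    request = build_access_request(7, username, password, nas_secret)
    return verify_response(request, radius_server(request, server_secret), nas_secret)
```

A mismatched secret on the access point and the server shows up as a reply the client refuses (None here), which is the symptom to check first when a supplicant never authenticates.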
The next step is to replicate your model on your Windows Server.
If you have devices compatible with RADIUS, try creating a similar model. The options differ between vendors, so you’ll have to look for the corresponding menus. As you can see, the configuration section for a RADIUS client is simple.
Replicate Your Model onto Windows Server
The configuration page for a RADIUS client on Windows is the same as in Packet Tracer. To find it, go to the NPS Manager (NPS in administration tools) and add a RADIUS client by right-clicking on RADIUS Clients and then New:
With NPS on Windows Server, you can take this mechanism further, especially through the identity verification options available for the client seeking network access. You’ll find these on Windows under Policies:
With these policies, you can specify which types of supplicants can make legitimate network access requests.
You can find all of these options under the Settings tab in policy properties:
Next, network policies let you specify the access granted to the requester. Here, I’m authorizing access for members of the NPS server’s local Users group. In a real-world setting, users would be members of an AD group.
And there you have it! You know everything (or almost everything) there is to know about the network access role. You are free to adapt this based on the resources below.
Additional Resources
Let’s Recap!
Windows Server lets you create a RADIUS server through the network access role called NPS server.
RADIUS is a protocol that is part of the AAA protocol family, enabling authentication, authorization, and accounting (access auditing).
With the NPS server from Windows, you can use several identity verification options for devices requesting network access, letting you authenticate access requests.
Types of network access can be made conditional on other options set in network policies, which you can use to restrict bandwidth, time slots, or accessible services.
In the next part, you’ll learn all you need to know to install advanced network services, such as deployment services or Windows Update.