Configuring network policies for VPN clients
NPS has two sets of policies for all VPNs: connection request policies and network policies.
Additionally, if configured to use them, NPS can apply health policies as well (these policies
are covered in Objective 4.3).
Connection request policies define which connections are processed on the NPS server and
which are processed on remote RADIUS servers. Network policies define who is allowed to connect
to the network, how they are authenticated, and what network access is permitted. When you
configure the NPS RADIUS server for a VPN connection, the wizard creates both a connection request
policy and a network policy. But that default network policy can be further configured, and you can
create additional new VPN network policies. Network policies are processed in the processing order
defined in the network policies details pane of the NPS server.
Policy processing
When a connection request is processed, all of a policy's conditions must be met for the policy
to succeed. If a condition is not met, NPS processes the next policy in the ordered list of
policies. If all the conditions of that policy are met, the policy succeeds. If not all the
conditions of the second policy are met, the third policy is processed, and so on until all
policies have been processed or a policy succeeds. When a policy succeeds, it either grants
access or denies access, based on the setting in the policy. If no policy succeeds, access is denied.
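The following sketch is an added example, not code from the original text or from NPS itself. It models the first-match processing described above and flags policies that can never succeed because an earlier policy already matches every request they would match. The attribute names (`nas_port_type`, `user_group`), the single-valued group membership, and the sample policies are simplifying assumptions.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Policy:
    name: str
    order: int        # position in the ordered policy list
    grant: bool       # True = Grant Access, False = Deny Access
    conditions: dict = field(default_factory=dict)  # attribute -> accepted values
    enabled: bool = True                            # Policy Enabled

def active(policies):
    # Disabled policies are not evaluated; the rest run in processing order.
    return sorted((p for p in policies if p.enabled), key=lambda p: p.order)

def matches(policy, request):
    # A policy succeeds only if every one of its conditions is met.
    return all(request.get(a) in ok for a, ok in policy.conditions.items())

def evaluate(policies, request):
    for p in active(policies):
        if matches(p, request):
            return ("granted" if p.grant else "denied", p.name)
    return ("denied", None)  # no policy succeeded

def shadowed(policies):
    """Return (later, earlier) pairs where the later policy can never succeed
    because the earlier one matches every request the later one matches."""
    pairs, seen = [], []
    for later in active(policies):
        for earlier in seen:
            if all(a in later.conditions and later.conditions[a] <= ok
                   for a, ok in earlier.conditions.items()):
                pairs.append((later.name, earlier.name))
                break
        seen.append(later)
    return pairs

# Constructed sample policies and requests (hypothetical attribute names).
POLICIES = [
    Policy("Allow VPN", 1, True, {"nas_port_type": {"VPN"}}),
    Policy("Block contractors", 2, False,
           {"nas_port_type": {"VPN"}, "user_group": {"Contractors"}}),
    Policy("Legacy dial-up", 3, True, {"nas_port_type": {"Async"}}, enabled=False),
]
FIXED = [replace(p, order={"Block contractors": 1, "Allow VPN": 2}.get(p.name, p.order))
         for p in POLICIES]
CONTRACTOR = {"nas_port_type": "VPN", "user_group": "Contractors"}
EMPLOYEE = {"nas_port_type": "VPN", "user_group": "Staff"}

if __name__ == "__main__":
    print(evaluate(POLICIES, CONTRACTOR), shadowed(POLICIES))
    print(evaluate(FIXED, CONTRACTOR), evaluate(FIXED, EMPLOYEE), shadowed(FIXED))
```

With the original order the Deny Access policy is never reached; moving it above the broader Grant Access policy lets it take effect while other VPN users are still granted access.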
Configuring an existing policy
To configure an existing network policy, follow these steps:
1. In the Network Policy Server console, expand Policies and then click Network Policies.
2. In the details pane, double-click the policy you want to configure.
3. On the Overview tab, you can configure the following settings:
   Policy Name: Sets the name of the policy.
   Policy Enabled: When selected, the policy is processed and evaluated while
   authorizing. When disabled, the policy is not evaluated.
   Grant Access/Deny Access: When set to Grant Access, access is granted if the
   policy matches the connection request. When set to Deny Access, the connection
   request is denied if it matches the policy.
   Ignore User Account Dial-in Properties: When selected, the RADIUS network
   and connection properties control access regardless of what the dial-in setting is for
   the user account.
   Type of Network Access Server: Typically set to Remote Access Server (VPN-Dial
   up) for VPN connections.