NPS Authorization Process
Applies To: Windows Server 2008, Windows Server 2008 R2
In this section
Network Policy Server (NPS) grants or denies network access authorization on the basis of the following configurable items:
The dial-in properties of Security Accounts Manager (SAM) database or Active Directory Domain Services (AD DS) user and computer accounts
NPS network policies
Note
For convenience in this document, in discussions of authorization, the dial-in properties of user and computer accounts are frequently referred to only as user accounts.
Network policies allow you to grant or deny network access for users and computers that are members of Windows groups; this authorization management method is called Authorization by Group.
Alternately, the Network Access Permission setting on the dial-in properties of each user and computer account in AD DS allows you to grant or deny network access for individual users and computers. This authorization management method is called Authorization by User.
Important
By using the Network Access Permission setting Control access through NPS Network Policy, AD DS also allows you to designate that network access permission is granted based solely on network policy settings.
When NPS receives a connection request from a Remote Authentication Dial-In User Service (RADIUS) client, NPS accepts or rejects the connection request based on the following:
The first policy in the ordered list of network policies is checked. If there are no network policies configured in NPS, the connection request is rejected.
If all the conditions of the policy do not match the connection request, NPS moves on to and evaluates the next policy. If there are no more policies, NPS rejects the connection request.
If all the conditions of the policy match the connection request, NPS checks the value of the Ignore-User-Dialin-Properties attribute (which is configurable as a property on the Overview tab) of the network policy.
If the Ignore-User-Dialin-Properties attribute is set to False, NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection:
If Deny access is selected, NPS rejects the connection request.
If Allow access is selected, NPS applies the user account properties and network policy constraints:
If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.
If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.
If Network Access Permission is not set to Allow access or Deny access, the network access permission is set to Control access through NPS Network Policy. In that case, NPS evaluates the Access Permission setting (which is configurable as a property on the Overview tab) of the network policy:
If Deny access is selected, NPS rejects the connection request.
If Grant access is selected, NPS applies the user account properties and network policy constraints:
If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.
If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.
If the Ignore-User-Dialin-Properties attribute is set to True, NPS checks the Access Permission setting of the network policy:
If Deny access is selected, reject the connection request.
If Grant access is selected, NPS applies the network policy constraints:
If the connection request does not match the settings of the network policy constraints, NPS rejects the connection request.
If the connection request matches the network policy constraints, NPS accepts the connection request.