Network Policies and Authorization
Applies To: Windows Server 2008, Windows Server 2008 R2
A network policy is an ordered set of rules that defines how connections are either authorized or rejected. For each rule, there are one or more conditions that must match the connection request for the policy to apply. In addition, each network policy contains constraints, settings, and an Access Permission property.
Note
If Network Policy Server (NPS) authorizes a connection, restrictions specified in the dial-in properties of the user or computer account override the network policy constraints, where applicable.
Network policies validate several connection settings before authorizing the connection, including the following:
Access permission
Group membership
Type of connection
Time of day
Authentication methods
Access server identity
Access client phone number or media access control (MAC) address
Whether account dial-in properties are ignored
Whether unauthenticated access is allowed
After the connection is authorized, network policies can also be used to specify connection settings, including the following:
Idle time-out time
Maximum session time
Encryption strength
IP packet filters
IP address for PPP connections
Static routes
The following settings can also affect connection restrictions:
Group membership
Type of connection
Time of day
Authentication methods
Identity of the access server
Access client phone number or MAC address
It is important to remember that a connection request is accepted only if its properties match all of the conditions and constraints of at least one configured network policy (subject to the dial-in properties of the account). If the connection request does not match any network policy, the connection attempt is rejected regardless of the dial-in properties of the user account.
Note
Network policies are administered in the NPS snap-in or the Routing and Remote Access snap-in (when RRAS is configured for Windows authentication).
For more information, see Network Policies.
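The following is an added illustration of the evaluation rules described above (ordered policies, all conditions must match, the Access Permission property, the account's dial-in restriction, and a NAS that omits an attribute a condition needs). It is not NPS code; the attribute names are used loosely in the RADIUS/NPS style, the handling of the account's dial-in permission is a simplified assumption, and the policy set and requests are constructed sample data.

```python
"""Toy model of NPS network-policy evaluation.

Added illustration; it is not NPS code. Attribute names (Windows-Groups,
NAS-Port-Type, Calling-Station-Id, Authentication-Type, Day-And-Time,
Session-Timeout, Termination-Action, Idle-Timeout) are used loosely in the
RADIUS/NPS style, and every request below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

Predicate = Callable[[object], bool]


@dataclass
class NetworkPolicy:
    name: str
    conditions: Dict[str, Predicate]          # every condition must match
    grant_access: bool                        # the Access Permission property
    settings: Dict[str, object] = field(default_factory=dict)
    ignore_dialin_properties: bool = False    # "ignore account dial-in properties"


def policy_matches(policy: NetworkPolicy, request: Dict[str, object]) -> bool:
    """All conditions must match. A condition on an attribute the NAS did not
    send can never match, so a NAS that omits an attribute every policy needs
    has all of its requests fall through and be rejected."""
    for attr, predicate in policy.conditions.items():
        if attr not in request or not predicate(request[attr]):
            return False
    return True


def evaluate(policies: List[NetworkPolicy], request: Dict[str, object],
             account_dialin: Optional[str] = None) -> Tuple[bool, str, Dict[str, object]]:
    """Walk the ordered list; the first policy whose conditions all match decides.
    account_dialin models the account's dial-in permission ("deny", "allow" or
    None). Assumption: only the "deny" restriction overrides a granting policy,
    and only when that policy does not ignore dial-in properties."""
    for policy in policies:
        if not policy_matches(policy, request):
            continue
        if not policy.grant_access:
            return False, f"denied by policy '{policy.name}'", {}
        if account_dialin == "deny" and not policy.ignore_dialin_properties:
            return False, f"denied by account dial-in properties ('{policy.name}' matched)", {}
        return True, f"granted by policy '{policy.name}'", dict(policy.settings)
    # Nothing matched: rejected regardless of the account's dial-in properties.
    return False, "no network policy matched", {}


def business_hours(when: object) -> bool:
    """Day-And-Time condition: Monday to Friday, 08:00 to 18:00."""
    return isinstance(when, datetime) and when.weekday() < 5 and 8 <= when.hour < 18


BLOCKED_MACS = {"00-11-22-33-44-55"}   # constructed sample value

# Ordered policy set: the deny rule is first so it wins over the later grants.
POLICIES = [
    NetworkPolicy("Block known-bad clients",
                  {"Calling-Station-Id": lambda mac: mac in BLOCKED_MACS},
                  grant_access=False),
    NetworkPolicy("Staff wireless",
                  {"Windows-Groups": lambda groups: "Staff" in groups,
                   "NAS-Port-Type": lambda t: t == "Wireless-IEEE 802.11",
                   "Authentication-Type": lambda a: a == "PEAP",
                   "Day-And-Time": business_hours},
                  grant_access=True,
                  settings={"Session-Timeout": 600, "Termination-Action": "RADIUS-Request"}),
    NetworkPolicy("Contractor VPN",
                  {"Windows-Groups": lambda groups: "Contractors" in groups,
                   "NAS-Port-Type": lambda t: t == "Virtual (VPN)"},
                  grant_access=True,
                  settings={"Idle-Timeout": 300}),
]


def staff_request(hour: int = 10, omit: Tuple[str, ...] = (), **overrides: object) -> Dict[str, object]:
    """Constructed sample request from a staff laptop on the wireless NAS.
    `omit` removes attributes to model a NAS that does not send them."""
    request: Dict[str, object] = {
        "Windows-Groups": ["Domain Users", "Staff"],
        "NAS-Port-Type": "Wireless-IEEE 802.11",
        "Authentication-Type": "PEAP",
        "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
        "Day-And-Time": datetime(2024, 3, 5, hour, 30),   # a Tuesday
    }
    request.update(overrides)
    for attr in omit:
        request.pop(attr, None)
    return request


if __name__ == "__main__":
    print(evaluate(POLICIES, staff_request()))                       # granted, settings returned
    print(evaluate(POLICIES, staff_request(hour=22)))                # after hours: no match
    print(evaluate(POLICIES, staff_request(omit=("NAS-Port-Type",))))  # NAS omitted attribute
    print(evaluate(POLICIES, staff_request(**{"Calling-Station-Id": "00-11-22-33-44-55"})))
    print(evaluate(POLICIES, staff_request(), account_dialin="deny"))
```

The order of the list matters: if the "Staff wireless" policy were placed before the deny rule, a staff laptop with a blocked MAC address would be granted, because the first matching policy decides and later policies are never consulted.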
Network policy configuration issues
Following are several issues that might impact your configuration of NPS, depending on your network and needs:
Some elements of a network policy correspond to RADIUS attributes that are used during RADIUS-based authentication. For network policies on an NPS server, verify that the network access servers (NASs) used are sending RADIUS attributes that correspond to the configured network policy conditions and settings. If a NAS does not send a RADIUS attribute that corresponds to a network policy condition or setting, then all RADIUS authentication requests from that NAS are denied.
You can only use the Generate-Session-Time-out attribute if your user account database is a Security Accounts Manager (SAM) database or is the user account database for an Active Directory Domain Services (AD DS) domain. If the value of Generate-Session-Time-out is set to True, make sure the ForceLogoff value for a SAM database is set to 0. In the Local Security Settings console, ForceLogoff is changed to zero when Network security: Force logoff when logon hours expire is enabled.
If you are using Wired Equivalent Privacy (WEP) encryption, you can configure wireless connection policy so that wireless clients using WEP periodically reauthenticate. This ensures that the client WEP encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session time-out in your network policy or connection request policy for wireless connections (by using the Session-Time-out attribute) to the required interval (for example, 10 minutes). Additionally, configure the value of the Termination-Action attribute to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless APs might end the connection during reauthentication. For more information, see your hardware documentation.
Important
It is recommended that you use Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA2) rather than WEP for wireless deployments.
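As an added check for the wireless reauthentication guidance above (not code from the article or from NPS), the helper below audits a list of wireless policies for the two settings the text calls out, a Session-Timeout at or below the chosen interval and Termination-Action set to RADIUS-Request, and also flags policies still intended for WEP. The policy records are a constructed, simplified view (a name plus a dictionary of RADIUS-style settings); the "Encryption" key is a hypothetical marker for the example, not an NPS attribute.

```python
"""Audit helper for wireless reauthentication settings.

Added illustration, not NPS or Microsoft code. Policy records are a
constructed simplification; "Encryption" is a hypothetical key used only to
mark which wireless cipher a policy is meant for.
"""
from typing import Dict, List

WIRELESS_PORT_TYPE = "Wireless-IEEE 802.11"


def check_wireless_reauth(policy_name: str, settings: Dict[str, object],
                          max_interval: int = 600) -> List[str]:
    """Return findings for one wireless policy; an empty list means the settings
    follow the guidance (Session-Timeout present and at most max_interval
    seconds, Termination-Action = RADIUS-Request, no WEP)."""
    findings: List[str] = []
    timeout = settings.get("Session-Timeout")
    if timeout is None:
        findings.append(f"{policy_name}: no Session-Timeout, clients never reauthenticate")
    elif not isinstance(timeout, int) or timeout <= 0:
        findings.append(f"{policy_name}: Session-Timeout must be a positive number of seconds")
    elif timeout > max_interval:
        findings.append(f"{policy_name}: Session-Timeout {timeout}s exceeds {max_interval}s")
    if settings.get("Termination-Action") != "RADIUS-Request":
        findings.append(f"{policy_name}: Termination-Action is not RADIUS-Request; "
                        "the AP may drop the session at reauthentication")
    if settings.get("Encryption") == "WEP":
        findings.append(f"{policy_name}: WEP in use; prefer WPA or WPA2")
    return findings


def audit(policies: List[Dict[str, object]], max_interval: int = 600) -> List[str]:
    """Run the check over every wireless policy; non-wireless policies are skipped."""
    findings: List[str] = []
    for policy in policies:
        if policy.get("NAS-Port-Type") != WIRELESS_PORT_TYPE:
            continue
        findings.extend(check_wireless_reauth(str(policy["name"]), policy["settings"], max_interval))
    return findings


SAMPLE_POLICIES: List[Dict[str, object]] = [   # constructed sample data
    {"name": "Legacy WEP handhelds", "NAS-Port-Type": WIRELESS_PORT_TYPE,
     "settings": {"Encryption": "WEP", "Session-Timeout": 3600}},
    {"name": "Staff wireless", "NAS-Port-Type": WIRELESS_PORT_TYPE,
     "settings": {"Encryption": "WPA2", "Session-Timeout": 600,
                  "Termination-Action": "RADIUS-Request"}},
    {"name": "Contractor VPN", "NAS-Port-Type": "Virtual (VPN)",
     "settings": {"Idle-Timeout": 300}},
]


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print(line)
```

Run against the sample list, the legacy policy produces three findings (timeout too long, no RADIUS-Request, WEP) and the staff policy none, so the output is the list of policies to fix.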