NPS RADIUS Server Message Processing
Applies To: Windows Server 2008, Windows Server 2008 R2
This section provides information about how Network Policy Server (NPS) processes an incoming Access-Request message when NPS is configured as a Remote Authentication Dial-In User Service (RADIUS) server.
When you configure NPS as a RADIUS server, Access-Request messages are processed locally. In this process, NPS does the following:
1. Validates the RADIUS message. The incoming Access-Request message is validated for source IP address, the digital signature, valid attributes, and so on. If the RADIUS message is not valid, an event is logged in the system event log and the RADIUS Access-Request message is discarded. An Access-Reject message is not sent.
2. Checks for Auto Reject. Auto Reject, also called Ping User-Name for the corresponding registry entry, is used to send an immediate Access-Reject message when the User-Name attribute in the Access-Request message matches the registry entry value.
Some RADIUS clients (RADIUS proxy servers and network access servers) periodically send artificial authentication and accounting requests, called ping requests, to verify that the NPS server is present on the network. These ping requests include fictional user names and do not represent an actual connection request by a real user or computer. When NPS processes these requests, the event and accounting logs become filled with access reject records, making it difficult to keep track of records for valid connection attempts by real users. When you configure a registry entry for Ping User-Name, NPS matches the registry entry value against the value of the User-Name attribute in ping requests that other servers make. If the registry entry and the user name value match, NPS automatically rejects the request and does not create an event or accounting log entry.
3. Performs connection request policy evaluation. If no connection request policies are matched, an event is logged in the system event log and the RADIUS Access-Request message is discarded.
4. Applies realm stripping rules. NPS determines or defines the domain name and the user identity for the Access-Request message. If the User-Name attribute in the Access-Request message is not the Auto Reject name, then the user identity is determined. User identity is how NPS identifies the user for the purposes of authentication and authorization. Typically, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, the user identity is set to the Guest account or the account specified by the Default User Identity registry entry.
NPS can use any RADIUS attribute to identify the user. The RADIUS attribute that NPS uses to identify the user is configurable by setting the User Identity Attribute registry entry.
5. Determines authentication server. NPS determines whether to authenticate locally or forward to a remote RADIUS server group. (When NPS is configured as a RADIUS server, the message is authenticated locally and is not forwarded.)
6. Performs name cracking. Name cracking is the resolution of the user identity to a user account by using user principal names (UPNs), Lightweight Directory Access Protocol (LDAP), distinguished names (DNs), canonical names, and so on. If a user principal name is encountered by NPS, NPS performs a query to the Active Directory Domain Services (AD DS) global catalog in an attempt to resolve the name. To speed up this process, a copy of the global catalog must be located on a domain controller within the same site as the NPS server.
When the user identity does not contain a domain name, NPS supplies a domain name. By default, the NPS-supplied domain name is the domain of which the NPS server is a member. You can specify the NPS-supplied domain by means of the DefaultDomain registry entry.
7. Checks for authentication plug-ins. Authentication plug-ins are optional components created by using the NPS software development kit (SDK); each plug-in can return Accept, Reject, or Continue. If an authentication plug-in returns an Accept, the user is authenticated and the account is validated. If the authentication plug-in returns a Reject, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authentication plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user still needs to be authenticated.
The authentication plug-in can also return RADIUS attributes to be included in the Access-Accept message.
8. Checks for remote access account lockout. The registry on the NPS server is read for the remote access account lockout entry for the user account. If the account is locked out, NPS sends an Access-Reject message and logs an authentication event. For more information, see Network Policy Server Tools and Settings.
9. Checks for PAP, CHAP, MS-CHAP. If Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), or MS-CHAP v2 is used to authenticate the remote access client, NPS consults an authentication sub-module based on the authentication protocol to perform the authentication. The user credentials (user name and password) are authenticated against the user name and password of the accounts database (either a domain or the local accounts database), and the group membership of the user account is determined. The exact method of authentication varies depending on the authentication protocol.
If the authentication of the credentials is not successful, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.
If either Extensible Authentication Protocol (EAP) or unauthenticated access is being used, then the user authentication process is bypassed. EAP authentication takes place later in this process. For unauthenticated access, no user authentication is performed.
10. Validates user account. Based on the user or computer account determined by name cracking, the user account is validated to discover whether the account is locked out (which is not the same as remote access account lockout), whether the account is disabled, and whether the user account password has expired. If the user account is not valid, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.
11. Performs network policy evaluation. Network policies configured on the NPS server are evaluated to find a policy that matches the parameters of the connection. If a matching policy is not found, an Access-Reject message is sent and an event is logged.
12. Checks user properties and network policy properties. If the Ignore-User-Dialin-Properties attribute is set to 0, the dial-in properties of the user account and the properties of the matching network policy are evaluated against the parameters of the connection attempt to ensure that the connection attempt is allowed. If the Ignore-User-Dialin-Properties attribute is set to 1, the properties from the matching network policy become the set of properties for the connection.
If the connection attempt is not allowed, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.
13. Checks for EAP authentication. If EAP is the authentication protocol used for the connection attempt, EAP authentication takes place. The initial negotiation for EAP consists of selecting EAP as the authentication protocol and negotiating an EAP type with the access client. Based on the EAP type, the settings for the matching network policy are checked to ensure that the EAP type is allowed. If the EAP type is not allowed, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS accounting log, depending on the configured logging settings.
If the EAP type is allowed by network policy settings, EAP authentication for the EAP type occurs. NPS sends an EAP challenge to the NAS requesting it to start EAP negotiation. Communications between EAP modules on a RADIUS client and server are tunneled using the RADIUS protocol. After negotiation is complete, an EAP provider can return attributes that are sent back to the NAS in the Access-Accept message. If EAP authentication fails, an Access-Reject message is sent, and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.
14. Checks for authorization plug-ins. Authorization plug-ins are optional components created by using the NPS software development kit (SDK). Each plug-in can return either Reject or Continue. If the authorization plug-in returns a Reject, an Access-Reject message is sent and the authentication failure event is logged in the system event log or the NPS authentication log, depending on the configured logging settings. If the authorization plug-in returns a Continue, the next plug-in is checked. If there are no more plug-ins, the user is authorized.
The authorization plug-in can also return RADIUS attributes to be included in the Access-Accept message.
15. Sends an Access-Accept. If the dial-in properties of the user account, the properties of the matching network policy, and the conditions imposed by authorization plug-ins allow the connection attempt, an Access-Accept message is sent back to the NAS. Included with the Access-Accept message is the set of RADIUS attributes for the restrictions on the connection. In addition, an authentication success event is logged in the system event log or the NPS authentication log, depending on the configured logging settings.
After NPS sends the Access-Accept message, the NAS completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged in Internet Authentication Service (IAS) format, database-compatible format, or to a SQL Server database. The NPS server then sends an Accounting-Response to the NAS to verify that it has received and recorded accounting data for the connection.
Note
The NAS also sends Accounting-Request messages when the connection is being established, when the NAS connection is closed, and when the access server is started and stopped.
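The digital signature that the message validation step checks is the RADIUS Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with the RADIUS client's shared secret (RFC 2869). The Python below is an added example, not NPS code: it builds a constructed Access-Request and then validates it the way a RADIUS server does, treating a wrong secret, a tampered attribute, a truncated packet, and a missing signature alike as invalid, which is the case in which NPS logs an event and discards the message without replying. The shared secret, user name, and identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1          # RADIUS code (RFC 2865)
USER_NAME = 1               # attribute type (RFC 2865)
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)

def build_access_request(secret, ident, attrs, authenticator=None):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869, section 5.14)."""
    authenticator = authenticator or os.urandom(16)
    # Attributes are TLVs: type (1 byte), length (1 byte, header included), value.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # The HMAC-MD5 covers the whole packet with the Message-Authenticator value zeroed.
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_attributes(packet):
    """Return (type, value, value_offset) triples; raise ValueError on a malformed TLV."""
    attrs, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs

def validate_access_request(packet, secret):
    """True only if the packet is well formed and its Message-Authenticator verifies."""
    try:
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length < 20 or length != len(packet):
            return False
        macs = [(v, off) for t, v, off in parse_attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    except (struct.error, ValueError):
        return False
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False  # a missing or duplicated signature is rejected, not ignored
    mac, off = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

# Constructed sample request and shared secret for a fictional user; not real credentials.
SECRET = b"constructed-shared-secret"
SAMPLE = build_access_request(SECRET, 7, [(USER_NAME, b"alice@corp.example")])
```

Requiring the attribute on every Access-Request is a per-RADIUS-client setting in NPS (the "Access-Request messages must contain the Message-Authenticator attribute" option on the client's properties); without it, a request that omits the attribute is protected only by the shared secret's use in the Request Authenticator checks.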
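Taken together, the Auto Reject check, the user identity determination in the realm stripping step, and the domain supplied during name cracking form one small decision procedure, and its ordering matters: a ping request is dropped before any identity work or logging happens. The Python below is an added model of that procedure, not NPS code; the configuration dictionary stands in for the registry entries the text names (Ping User-Name, Default User Identity, User Identity Attribute, DefaultDomain), and the realm stripping rules are written as the regular-expression find-and-replace rules a connection request policy applies to User-Name. All values are constructed for illustration.

```python
import re

# Constructed configuration standing in for the registry entries and the
# connection request policy rules; these are not defaults shipped with NPS.
CONFIG = {
    "ping_user_name": "nps-probe",        # Ping User-Name: such requests are rejected unlogged
    "default_user_identity": "Guest",     # Default User Identity: used when the attribute is absent
    "identity_attribute": "User-Name",    # User Identity Attribute: which attribute names the user
    "default_domain": "CORP",             # DefaultDomain: supplied when no domain is present
    # Realm stripping rules: (regular expression, replacement), applied in order.
    "realm_rules": [
        (r"@corp\.example$", ""),                        # drop the realm suffix the NAS appends
        (r"^(.*)@partner\.example$", r"PARTNER\\\1"),    # map a partner realm to domain\user form
    ],
}

def resolve_identity(request, cfg=CONFIG):
    """Apply the Auto Reject, identity, realm stripping and DefaultDomain steps to one request.

    Returns ("auto-reject", None, None) for a ping request, otherwise
    ("identity", domain, user), the account that name cracking would then resolve.
    """
    name = request.get(cfg["identity_attribute"])
    # Auto Reject runs first: a match is rejected without an event or accounting log entry.
    if name is not None and name == cfg["ping_user_name"]:
        return ("auto-reject", None, None)
    if name is None:
        identity = cfg["default_user_identity"]
    else:
        identity = name
        for pattern, replacement in cfg["realm_rules"]:
            identity = re.sub(pattern, replacement, identity)
    # Split into domain and user, supplying DefaultDomain when the identity carries none.
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "@" in identity:
        user, domain = identity.split("@", 1)  # UPN: resolved against the global catalog
    else:
        domain, user = cfg["default_domain"], identity
    return ("identity", domain, user)
```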
RRAS authentication and authorization
The authentication and authorization process for the Routing and Remote Access service (RRAS), when configured for Windows authentication, requires steps 6 through 15 of this process. The authentication and authorization success and failure are the return values of functions called by the Routing and Remote Access service. Local event or authentication logging depends on the configured logging settings of the Routing and Remote Access service.