50 Cards in this Set
Front: A set of permissions or restrictions used by remote access authenticating servers to determine who, when, and how a client can connect to a network.
Back: NPS policy

Front: A policy that establishes sets of conditions and settings that specify which RADIUS servers perform the authentication, authorization, and accounting of RADIUS messages (connection requests) received by the NPS server from its RADIUS clients; it can also be used to designate which RADIUS servers are used for authentication and accounting.
Back: Connection Request Policy

Front: A policy that establishes sets of conditions, constraints, and settings that specify who is authorized to connect to the network and the circumstances under which they can or cannot connect.
Back: Network Policies

Front: A policy that establishes one or more system health validators and other settings that let you define client computer configuration requirements for the Network Access Policy (NAP)-capable computers that attempt to connect to your network.
Back: Health Policies

Front: These policies are applied to NPS as a RADIUS server or RADIUS proxy.
Back: Connection Request Policies. Based on:
- Time of the day and week
- The realm name (user condition)
- The type of connection requested
- The IP address of the RADIUS client

Front: When you create connection request policies, what parameters do you define?
Back:
- Type of network access server, such as RAS (VPN)
- Conditions that specify who or what can connect to the network, based on one or more RADIUS attributes
- Settings that are applied to an incoming RADIUS message, such as authentication, accounting, and attribute manipulation

Front: These are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server (RADIUS server).
Back: RADIUS Access-Request messages

Front: These conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message.
Back: Connection request policy of the RADIUS server

Front: Conditions used in connection request policies.
Back:
1. Username (Group) / Username (Attribute): designates the user name (realm/domain name) that is used by the access client.
2. Connection Properties (Group) / Access Client IPv4 Address (Attribute): address of the access client that requests access from the RADIUS client.
3. Day & Time Restriction (Group) / Day & Time Restriction (Attribute)
4. Identity Type (Group) / Identity Type (Attribute): used to restrict the policy to only clients that can be identified through NAP and give a statement of health (SoH).
5. RADIUS Client Properties (Group) / Calling Station ID (Attribute): designates the phone number used by the caller, etc.

Front: An NPS policy evaluates remote connections based on what 3 components?
Back:
1. Conditions
2. Constraints
3. Settings

Front: These allow you to control which packets are allowed through a network connection based on IP address.
Back: IP Filters

Front: What are the six NPS templates that are available in Template Management?
Back:
1. RADIUS Clients
2. Remote RADIUS Server Groups
3. Remediation Servers
4. IP Filters
5. Shared Secrets
6. Health Policies

Front: This encryption is used with a 40-bit key.
Back: Basic Encryption (MPPE 40-bit)

Front: This encryption is used with a 56-bit key.
Back: Strong Encryption (MPPE 56-bit)

Front: This encryption is used with a 128-bit key.
Back: Strongest Encryption (MPPE 128-bit)

Front: How do you stop an NPS server from acting as a RADIUS server (performing authentication on its own)?
Back: Delete the default connection request policy.

Front: How do you configure a server running NPS to act as a RADIUS proxy and forward connection requests to other RADIUS servers?
Back:
1. Configure a Remote RADIUS Server Group.
2. Add a new Connection Request Policy that specifies the conditions a request must match to be forwarded to those RADIUS servers.

Front: What are connection request policies' remote connections based on?
Back:
1. Conditions
2. Settings

Front: This condition designates the user name (realm name/domain name) and a user account that is used by the access client in the RADIUS message.
Back: User Name attribute (Group: Username)

Front: This condition designates the IPv4 address of the access client that requests access from the RADIUS client.
Back: Access Client IPv4 Address (Group: Connection Properties)

Front: This condition designates the IPv6 address of the access client that requests access from the RADIUS client.
Back: Access Client IPv6 Address (Group: Connection Properties)

Front: This condition designates the type of framing for incoming packets, such as Point-to-Point Protocol, serial line, etc.
Back: Framed Protocol (Group: Connection Properties)

Front: This condition designates the type of service requested.
Back: Service Type (Group: Connection Properties)

Front: Designates the type of VPN to use.
Back: Tunnel Type (Group: Connection Properties)

Front: Designates the day of the week and time a connection can be made.
Back: Day & Time Restriction (Group: Day & Time Restriction)

Front: Used to restrict the policy to only clients that can be identified through a special mechanism, such as NAP, and give a statement of health (SoH).
Back: Identity Type (Group: Identity Type)

Front: This condition designates the phone number used by the caller (the access client).
Back: Calling Station ID (Group: RADIUS Client Properties)

Front: Designates the name of the RADIUS client computer that requests authentication.
Back: Client Friendly Name (Group: RADIUS Client Properties)

Front: Specifies the IPv4 or IPv6 address of the RADIUS client that forwarded the connection request to NPS.
Back: Client IPv4 Address or Client IPv6 Address (Group: RADIUS Client Properties)

Front: Specifies the name of the vendor of the RADIUS client that sends connection requests to NPS.
Back: Client Vendor (Group: RADIUS Client Properties)

Front: Specifies a character string that is the telephone number of the network access server.
Back: Called Station ID (Group: Gateway)

Front: Specifies a character string that is the name of the NAS.
Back: NAS Identifier (Group: Gateway)

Front: Designates the IPv4 or IPv6 address of the network access server (RADIUS client).
Back: NAS IPv4 Address (Group: Gateway)

Front: This condition specifies the type of media used by the access client, such as analog phone lines, ISDN, VPN connections, IEEE 802.11 wireless, and Ethernet switches.
Back: NAS Port Type

Front: Microsoft's software for controlling network access for computers based on the health of the host.
Back: NAP

Front: This enforcement method uses DHCP configuration information to ensure that NAP clients remain in compliance.
Back: DHCP Enforcement. Weakest form, because it can be bypassed with static IP addresses or by adding a route to the routing table.

Front: This enforcement method is secured by specially configured PKI certificates known as health certificates, which are issued to clients that meet the defined health standards.
Back: IPsec Enforcement

Front: This enforcement method restricts the level of network access that a remote access client can obtain, based on the health information the client computer presents when the VPN connection is made.
Back: VPN Enforcement

Front: This enforcement method uses NAP-aware network access points, such as network switches or wireless access points (involves a supplicant, an authenticator, and an authentication server).
Back: 802.1X Enforcement

Front: This enforcement method allows authorized remote users to connect to resources from any Internet-connected device.
Back: RD Gateway Enforcement

Front: What 3 things must be configured on the client for NAP to work correctly?
Back:
1. NAP Agent service
2. Enforcement client via Group Policy
3. Security Center

Front: What must be configured on the DHCP server that is going to be used with NAP?
Back:
1. Install NPS on the server and configure a connection request policy that points to the remote RADIUS server group.
2. Enable NAP on all scopes.

Front: How do you configure NAP enforcement for VPN?
Back:
1. Install NPS on the VPN server.
2. Configure the VPN server to use PEAP-based authentication (PEAP-MS-CHAP v2 or PEAP-TLS).
3. Configure the SHV, Health Policy, and Network Policy by running the NAP wizard; define the computer or user groups, shared secret, RADIUS client (VPN server), remediation servers, and the NAP-non-capable computers.
4. Enable the DHCP Quarantine Enforcement Client in Group Policy, and enable the NAP Agent service and Security Center on the NAP-capable clients.

Front: What do remediation servers typically consist of?
Back:
1. DHCP server
2. AD RODC/DNS server
3. WSUS/AV server
Optional:
4. Internet proxy servers so non-compliant clients can access the Internet
5. HRA to issue health certificates

Front: How do you verify that a client is running the NAP Agent service?
Back: cmd: netsh nap client show state

Front: What is the strongest enforcement type?
Back: IPsec Enforcement

Front: What is Windows' built-in SHA?
Back: Windows Security Center

Front: What defines the requirements that client computers must meet to connect to a network?
Back: SHV (System Health Validator)

Front: Which server is used as the health policy server?
Back: NPS

Front: Requirements for HRA automatic discovery?
Back:
1. Client computers must be running Vista SP1 or XP SP3.
2. The HRA server must be configured with an SSL certificate.
3. The EnableDiscovery registry key must be set on NAP client computers.
4. DNS SRV records must be configured.
5. The trusted server group configuration in Group Policy must be cleared.