Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain contains a server named NPS1 that has the Network Policy Server server role installed. All servers run Windows Server 2012 R2.
You install the Remote Access server role on 10 servers.
You need to ensure that all of the Remote Access servers use the same network policies.
Which two actions should you perform?

A.
On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type condition.

B.
On NPS1, create a RADIUS client template and use the template to create RADIUS clients.

C.
Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate connection requests.

D.
Configure each Remote Access server to use a RADIUS server named NPS1.

E.
On NPS1, create a remote RADIUS server group. Add all of the Remote Access servers to the remote RADIUS server group.



Zed

B and D.

RRAS servers are RADIUS clients. They will forward authentication requests to NPS1.

Peter Korterink

When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests.

So, A and E

adam

B and D.

NPS1 is the RADIUS Server. The 10 Remote Access Servers are RADIUS clients. The 10 Remote Access Servers forward all requests to the one RADIUS Server – NPS1 – which has a centralised Network Policy.

The RADIUS template that is created on NPS1 (answer B) is applied to the 10 RRAS servers. The template specifies the Remote RADIUS Server – NPS1 (answer D).
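
The arrangement described in the comment above (NPS1 as the RADIUS server, each Remote Access server registered as a RADIUS client and forwarding authentication to it), sketched in PowerShell as an added example that is not part of the original thread. The host names RAS01 to RAS10, the NPS1 FQDN and both function names are assumptions made for illustration.

```powershell
# Added example. Host names RAS01..RAS10 and the NPS1 FQDN are assumed.

# --- Part 1: run on NPS1 (NPS module) ---
function Register-RemoteAccessClients {
    param([string[]]$RasServers)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secrets = @{}
    foreach ($ras in $RasServers) {
        # One random 32-byte secret per client: a leaked secret then
        # exposes a single Remote Access server, not all ten.
        $bytes = New-Object byte[] 32
        $rng.GetBytes($bytes)
        $secrets[$ras] = [Convert]::ToBase64String($bytes)

        # Require the Message-Authenticator attribute so Access-Request
        # packets without a valid one are discarded.
        New-NpsRadiusClient -Name $ras -Address $ras `
            -SharedSecret $secrets[$ras] -AuthAttributeRequired $true | Out-Null
    }
    $rng.Dispose()
    return $secrets   # hand each secret to its server over a protected channel
}

$rasServers = 1..10 | ForEach-Object { 'RAS{0:D2}.contoso.com' -f $_ }
$secrets = Register-RemoteAccessClients -RasServers $rasServers

# --- Part 2: run on each Remote Access server (RemoteAccess module) ---
function Use-CentralNps {
    param([string]$SharedSecret)
    # Send VPN authentication requests to NPS1 instead of evaluating
    # them locally; sign requests with Message-Authenticator.
    Add-RemoteAccessRadius -ServerName 'NPS1.contoso.com' `
        -SharedSecret $SharedSecret -Purpose Authentication `
        -MsgAuthenticator Enabled
}
```

The secret passed to `Use-CentralNps` on a given server must be the one generated for that server's entry on NPS1; a mismatch makes NPS1 discard its requests.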

santi

I agree with B and D. But you cannot specify the radius server in the template. I think it is because you can check RADIUS CLIENT IS NAP-CAPABLE in advanced tab

adam

Answer B is open to interpretation.

I’m not sure if it’s meaning that you literally create a “RADIUS Clients” template (i.e. under the Templates Management node) OR if you are creating a template FOR the radius clients. The former would be wrong as you would be specifying RADIUS clients for the actual radius clients…which is pointless. In the latter, you would be creating a “Remote Radius Servers” template for the RADIUS clients which specifies in it the RADIUS Server details including shared secret etc, which I think makes sense.

tombleton

C. Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate connection requests.

YES. If you set this up yourselves and go to your REMOTE ACCESS server, but open NPS ON YOUR REMOTE ACCESS SERVER (NOT ON YOUR NPS SERVER [RADIUS SERVER] BUT ON YOUR RAS SERVER [RADIUS CLIENT]) – That’s right, open the NPS console on your Remote Access server, your edge server. If you’ve used the wizard to configure this RADIUS client RAS server, you’ll already have a CONNECTION REQUEST POLICY called MICROSOFT ROUTING AND REMOTE ACCESS SERVICE POLICY which will be enabled. It is this policy that will dictate that authentication requests will be FORWARDED TO YOUR ACTUAL NPS [RADIUS SERVER] SERVER!!! So this is what needs to be set up for Remote Access servers to use a RADIUS/NPS server, and this is what is set up by default if you just use the wizard when setting up RRAS… If you OPEN THIS POLICY which is created during that wizard, you’ll see under the SETTINGS > AUTHENTICATION it is set to “Forward requests to the following remote RADIUS server group for authentication” and under that “Microsoft Routing and Remote Access Service Authentication Servers” will be selected!!!

D. Configure each Remote Access server to use a RADIUS server named NPS1.

YEP. This is done in the RRAS management console, right-click your server node from the console, go to PROPERTIES (so your RRAS server properties), Security tab, and then under AUTHENTICATION PROVIDER hit CONFIGURE, here you can CONFIGURE your REMOTE ACCESS CLIENT to use a particular RADIUS SERVER (NPS Server!!) to AUTHENTICATE your clients!!!

ALL OF THE OTHER ANSWERS ARE WRONG OKAY 🙂

den

this question and all the comments makes me mad…let’s rate every single answer:

A – new connection request policy with tunnel- and service-type => sounds OK for me, why not…but it’s not mandatory as the default connection policy should do also IMHO, because it does not restrict anything but allow everything!

B – create RADIUS clients => you definitely have to create RADIUS clients on NPS1 for the RAS servers to act as RADIUS proxy, otherwise they are not able to forward the requests to a “single instance network policy processor”. BUT: it’s not mandatory to use templates…so, maybe OK, maybe not…

C – “Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate connection requests” => when you configure RAS then the connection request policy was already setup automatically by default. BUT: you have to reconfigure it to forward the requests as the RAS servers do not authenticate anything but NPS1 does! So, doesn’t sound good to me :-/

D – “Configure each Remote Access server to use a RADIUS server named NPS1” => sounds logical as requests have to be forwarded, BUT the exact description is more like: you configure the connection policy by using a RADIUS server group (which only contains NPS1). So I’m not sure about this as it’s more like an abstract wording to me!

E – NPS1 does definitely not need a RADIUS server group to accomplish this task, so no option to me

Now I have 3x maybe…and the winner is: B and D!
Why? Because you don’t need A! And C and E are definitely wrong…
more ideas?

Mark

When you install RRAS and the setup wizard asks if you are going to use a Policy Server and you input the FQDN or IP address the RADIUS Client list is AUTOMATICALLY populated folks.

You don’t need to perform step B. Lab it out:

Set up two virtual machines. Install Server 2012. Make one server the DC and another a member server. On the DC install NPS, on the member server install RRAS. Set up a VPN on the RRAS server. Enter in the FQDN of the DC when prompted. After that has finished look in the radius clients on the DC. You will see the name of the member server now listed.

Mark

It’s A & D

Vlad

Started with A and D, finished with A and D. Answer A and D.
