Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named NPS1 that has the Network Policy Server server role installed. All
servers run Windows Server 2012 R2.
You install the Remote Access server role on 10 servers.
You need to ensure that all of the Remote Access servers use the same network policies.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate connection requests.

B. On NPS1, create a remote RADIUS server group. Add all of the Remote Access servers to the remote RADIUS server group.

C. On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type condition.

D. Configure each Remote Access server to use a RADIUS server named NPS1.

E. On NPS1, create a RADIUS client template and use the template to create RADIUS clients.

Explanation:
Connection request policies are sets of conditions and settings that allow network
administrators to designate which RADIUS servers perform the authentication and
authorization of connection requests that the server running Network Policy Server (NPS)
receives from RADIUS clients. Connection request policies can be configured to designate
which RADIUS servers are used for RADIUS accounting.
When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User
Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers
that are capable of processing the connection requests because they can perform
authentication and authorization in the domain where the user or computer account is
located. For example, if you want to forward connection requests to one or more RADIUS
servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the
requests to the remote RADIUS servers in the untrusted domain.
To configure NPS as a RADIUS proxy, you must create a connection request policy that
contains all of the information required for NPS to evaluate which messages to forward and
where to send the messages.
Ref: http://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx




JohnyBoy

B C D are true.

You also need on NPS1 to tell the Radius Clients that are going to access.
So B is also true.

This is a messy question…

Bart

C is NOT an option for this Question. (You do NOT have to fill in which policies)

The question is in fact “How to guard the same network policies.”

This is accomplished by making sure the servers point to each other.

Answer is B AND D.

JohnyBoy

Sorry for this misinformation.
If you want this to work you require:

On NPS1:
C - Ensure that you have a connection request policy. Connection request policy is used for VPN and 802.1X.
D - Of course we need to ensure that each VPN server has NPS1 configured as its RADIUS server.

B is used if we want our NPS1 to forward the requests to other NPS servers.
I’ve tried to use E to configure the VPN clients… but that is not used for this. It would be used to configure other RADIUS servers.

jaido

correct answer should be D and E.. that is the only way they can have the same config on all servers

sysadmin

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

http://msdn.microsoft.com/en-us/library/cc753603.aspx

It’s C and D. NPS templates wouldn’t make sure that all RADIUS clients have the same network policies

den

hmm, why is C necessary? I think the default should work.
You definitely need to configure RADIUS clients… templates are not mandatory but clients definitely :-/

OSA

NPS RADIUS client template is used to create 10 similar RADIUS clients (RRAS servers) on NPS1 with minimal typing of shared password.
There is only one RADIUS server in question (NPS1). Question does not state that RRAS servers have the NPS role installed. Creating a connection request policy on NPS1 to forward to another RADIUS server is not required.
If all RRAS servers are configured to use NPS1 as RADIUS server, these RRAS servers need to be configured as RADIUS clients on NPS1.

Answer: B,D

Akoachi

Remote RADIUS Server groups are only necessary if you are creating a RADIUS proxy, which we are not.

den

you are both wrong!

@OSA: you always get NPS component when installing RRAS even if you do not have checked it as an active role, if you do not believe, set it up and take a look in Administrative Tools, you will find it and you have to use it.

@Akoachi: the solution you have to provide from what the question states IS in fact a RADIUS proxy setup

I set up a lab and verified it:
– you need NPS1 configured with RADIUS clients (the 10 servers)
– you need to configure all of your RADIUS clients (acting as proxy) configured with NPS1 as (single) server of a Remote RADIUS Server Group

so, right answers:
D
E

Paul

The opinions are all over the place. Anyone have any input/thoughts?

Mark

First off you need to lab this.

Since we are creating 10 Radius Clients we are assuming that the shared secret and vendor option is going to be the same.

So create your template with a shared secret (record the shared secret, we will need it for the RRAS server). That is done with E.

Next we go to each of our VPN Servers. Enable RRAS and setup the VPN option. We are provided with doing local authentication or using a RADIUS Server. Select the RADIUS server and input the host name. We supply the shared secret.

Now here is the kicker: The RRAS wizard CREATES a connection request policy on the target NPS server AUTOMATICALLY. It asks you to check and make sure the CRP doesn’t conflict with any other policies. So C isn’t the answer.

D isn’t needed. NPS1 is the endpoint device for Network Policies. NPS1 determines the level of network access. Remember Proxy = Intermediary
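
The two configuration steps described in the comment above (RADIUS clients created on NPS1 with a common shared secret, then each VPN server pointed at the RADIUS server with that secret), scripted as an added example that is not part of the original thread. It registers the clients directly rather than through a GUI template; the host names RAS01 to RAS10, the NPS1 FQDN and working PowerShell remoting to each server are assumptions.

```powershell
# Added example. Run in an elevated session on NPS1.
# RAS01..RAS10 are constructed host names; replace with the real Remote Access servers.
Import-Module NPS

$npsServer  = 'NPS1.contoso.com'
$rasServers = 1..10 | ForEach-Object { 'RAS{0:D2}.contoso.com' -f $_ }

# One random shared secret for all ten clients, as a client template would give.
# Hex encoding keeps the value free of characters netsh could misparse.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

foreach ($fqdn in $rasServers) {
    $name = $fqdn.Split('.')[0]

    # On NPS1: register the Remote Access server as a RADIUS client (skip if present).
    if (-not (Get-NpsRadiusClient | Where-Object { $_.Name -eq $name })) {
        New-NpsRadiusClient -Name $name -Address $fqdn -SharedSecret $secret | Out-Null
    }

    # On the Remote Access server: switch the authentication provider from
    # Windows to RADIUS and add NPS1 with the same shared secret.
    Invoke-Command -ComputerName $fqdn -ArgumentList $npsServer, $secret -ScriptBlock {
        param($server, $sharedSecret)
        netsh ras aaaa set authentication provider=radius
        netsh ras aaaa add authserver name=$server secret=$sharedSecret
        # RRAS picks up a new authentication provider after a service restart.
        Restart-Service RemoteAccess
    }
}

# Confirm what NPS1 now knows about, without echoing the shared secret.
Get-NpsRadiusClient | Format-Table Name, Address
```
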

kyo

I agree with Mark.
E is definitely needed. You need to configure your RRAS servers as RADIUS clients in order to communicate with the NPS server.

JF

I also say D and E