Prepping for 70-411 here, and I have a few questions that I need some help answering.
- I have 2 2012 R2 servers, installed with the NPS role. Server B is also configured as a VPN server.
- A connection request policy has been created on Server B (RADIUS client), which forwards authentication and authorisation requests to Server A, which is acting as the RADIUS server. No network policies are in place on Server B.
- I have tested a few VPN configurations, and all traffic flows correctly, depending on whether conditions match as defined in a network policy on Server A.
- First question - aside from the default connection request policy 'Use Windows Authentication for all users' on Server A, is there anything to gain from having an additional connection request policy on Server A? The instruction to forward all authentication and authorisation traffic from Server B to Server A is enough, and works!
Moving on to NAP, and specifically NAP enforcement through a VPN server, I understand that PEAP authentication must be used, and must be defined at the connection request policy level, as opposed to within a network policy.
- Second question - is the PEAP authentication dialled into the connection request policy on Server B (RADIUS client and VPN server), or on Server A (RADIUS server)?
I may have answered this myself. On Server B, I edited my one and only connection request policy, and under the 'Settings' tab, I attempted to check the 'Override network policy authentication settings' checkbox, in order to dial the PEAP authentication in, but - this checkbox is greyed out. Is this because of the fact that Server B is the RADIUS client?
Many thanks in advance.