Network policies identify which users and computers are allowed to connect to the remote access server. Use the Network Policy Server console to configure network policies.
- Define conditions to identify which network policies apply to incoming connections. Common conditions include group membership, day and time, operating system, IP address, and authentication method used.
- Configure constraints to specify additional connection characteristics that must be matched before the connection is granted. Constraints include many of the same criteria that can be defined for conditions, and include the authentication method, idle and session timeout, called station ID, day and time, and port type.
- Configure permissions to allow or deny the connection. Permissions can be controlled through the network policy or the Active Directory user account setting.
- Configure settings to identify connection configuration parameters that are applied if the connection is granted. Settings include configuration parameters that are sent to the client, NAP enforcement settings (i.e. whether the client has unlimited or restricted access), bandwidth consumption limits, IP filters, encryption settings, and IP addressing information.
The following process is used for authentication when a remote access connection is requested:
- The remote client establishes the connection and supplies authentication information to the remote access server.
- The remote access server contacts the Network Policy Server to determine whether access is allowed.
- The Network Policy Server checks the parameters of the remote access connection and compares them to the conditions defined in the first network policy. If the connection matches all of the conditions in a network policy, the constraints in that policy are then checked.
  - If not all of the conditions in the policy are met, the server checks the next network policy in the list.
  - If the connection does not match all of the conditions in any policy, the connection is denied.
  - If all of the conditions in the policy are met, the constraints and permissions in that policy are checked. No other policies are checked after a match is found, even if the matching policy eventually denies the connection.
- If the connection matches all of the constraints, the permissions are checked.
  - If not all of the constraints are met, the connection is refused. The server does not check any other network policies (i.e. the conditions of other policies are not checked).
- If the permissions deny access, no other network policies are checked. If the permissions allow access, the settings are applied to the connection.
  - If the policy is configured to ignore the user account settings, the policy permission is used to allow or deny access.
  - If the policy is configured to use the user account settings, the connection is allowed or denied based on the user account setting. However, if the user account setting is configured to use the network policy, the connection is allowed or denied based on the permission in the policy.
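The policy structure (conditions, constraints, permissions, settings) and the first-match evaluation order above are easy to get wrong in practice, for example by assuming that a later, more permissive policy is consulted when an earlier one fails a constraint. The following is an added example written for this page, not NPS code or a Microsoft API: it is a small Python model of that evaluation order, with constructed sample policies and connection requests (the group names, hours, authentication methods and settings values are assumptions chosen for illustration). It shows that the first policy whose conditions all match is final, that a failed constraint refuses the connection without consulting any other policy, and how the user account dial-in setting interacts with the policy permission.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of the NPS evaluation order described on this page.
# It is not the NPS implementation; it exists to make the order of checks
# explicit and testable.


@dataclass
class ConnectionRequest:
    user: str
    groups: List[str]
    hour: int                    # hour of day (0-23) the connection arrives
    auth_method: str             # e.g. "EAP-TLS" or "MS-CHAPv2" (assumed labels)
    account_dialin: str = "policy"  # AD user account setting: "allow", "deny" or "policy"


Predicate = Callable[[ConnectionRequest], bool]


@dataclass
class NetworkPolicy:
    name: str
    conditions: List[Predicate]                      # decide whether the policy applies
    constraints: List[Predicate] = field(default_factory=list)  # must all hold once it applies
    grant_access: bool = True                        # the policy's own permission
    ignore_user_dialin: bool = False                 # ignore the user account setting
    settings: Dict[str, object] = field(default_factory=dict)   # applied on success


@dataclass
class Decision:
    allowed: bool
    policy: Optional[str]        # name of the policy that produced the decision
    reason: str
    settings: Dict[str, object] = field(default_factory=dict)


def evaluate(policies: List[NetworkPolicy], request: ConnectionRequest) -> Decision:
    """Walk the ordered policy list exactly as the page describes."""
    for policy in policies:
        # Conditions: a policy whose conditions are not all met is skipped and
        # the next one in the list is tried.
        if not all(cond(request) for cond in policy.conditions):
            continue

        # From here on this policy is final; no later policy is consulted,
        # whatever the outcome of the constraint and permission checks.
        if not all(con(request) for con in policy.constraints):
            return Decision(False, policy.name, "constraint not met")

        # Permissions: the policy permission is used when the policy ignores the
        # user account setting, or when the account defers to the policy.
        if policy.ignore_user_dialin or request.account_dialin == "policy":
            allowed, source = policy.grant_access, "policy permission"
        else:
            allowed, source = request.account_dialin == "allow", "user account dial-in setting"

        if allowed:
            # Settings are applied only once the connection is granted.
            return Decision(True, policy.name, f"allowed by {source}", dict(policy.settings))
        return Decision(False, policy.name, f"denied by {source}")

    # No policy matched all of its conditions.
    return Decision(False, None, "no policy matched all conditions")


# Small helpers for building condition and constraint predicates.
def in_group(name: str) -> Predicate:
    return lambda r: name in r.groups


def between_hours(start: int, end: int) -> Predicate:
    return lambda r: start <= r.hour < end


def auth_is(method: str) -> Predicate:
    return lambda r: r.auth_method == method


# Constructed sample policy list, in evaluation order.
POLICIES = [
    NetworkPolicy("Admins", conditions=[in_group("VPN-Admins")],
                  constraints=[auth_is("EAP-TLS")],
                  settings={"ip_filter": "none", "session_timeout_min": 480}),
    NetworkPolicy("Staff business hours",
                  conditions=[in_group("Staff"), between_hours(8, 18)],
                  constraints=[auth_is("EAP-TLS")],
                  settings={"ip_filter": "intranet-only", "session_timeout_min": 60}),
    # Catch-all deny at the end of the list, as a defender would normally keep.
    NetworkPolicy("Deny everything else", conditions=[lambda r: True],
                  grant_access=False, ignore_user_dialin=True),
]


if __name__ == "__main__":
    for req in [
        ConnectionRequest("alice", ["VPN-Admins"], 22, "EAP-TLS"),
        ConnectionRequest("bob", ["Staff"], 10, "EAP-TLS"),
        ConnectionRequest("bob", ["Staff"], 10, "MS-CHAPv2"),   # fails a constraint
        ConnectionRequest("bob", ["Staff"], 22, "EAP-TLS"),     # outside the condition window
        ConnectionRequest("carol", ["Staff"], 10, "EAP-TLS", account_dialin="deny"),
    ]:
        print(req.user, req.hour, req.auth_method, "->", evaluate(POLICIES, req))
```

The third sample request is the one that surprises people: the staff user authenticating with the wrong method matches the conditions of "Staff business hours", fails its constraint, and is refused by that policy; the decision is not handed on to any later policy, so the reported reason is "constraint not met" rather than the catch-all's "denied by policy permission".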