NPS Remote Authentication Server Test

NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When NPS is used as a RADIUS server, it provides a central authentication and authorization service for all access requests that are sent by RADIUS clients. NPS uses a Microsoft Windows NT Server 4.0 domain, an Active Directory Domain Services (AD DS) domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.

The authentication and authorization process is as follows:

  1. Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients.
  2. The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server.
  3. The NPS server evaluates the Access-Request message.
  4. If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server.
  5. The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
  6. The connection attempt is authorized with both the dial-in properties of the user account and network policies.
  7. If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server.
  8. If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server.
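
The exchange in steps 1 to 8, as an added example that is not part of this page or of NPS itself: a Python model of the RADIUS packet format and of the two integrity checks that NPS and the access server apply to each other's messages. It assumes a constructed shared secret and a constructed user table in place of the AD DS or SAM lookup, uses the PAP User-Password attribute so that one request/response round trip is enough (the Access-Challenge of step 4 is not modelled), and runs both sides in one process. The Message-Authenticator check is the one behind the Bad authenticators measure described later on this page; a request that fails it, or that is malformed, is discarded without an Access-Reject, which is why the access server then sees only timeouts and retransmissions.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865, RFC 2869). Added example,
not code from NPS or the monitoring product: the access server (RADIUS client) and the
NPS side (RADIUS server) run in one process so the checks behind "Bad authenticators",
"Malformed packets" and "Packets dropped" can be exercised without a network."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
SECRET = b"demo-shared-secret"          # constructed demo secret shared by both sides
USERS = {b"alice": b"correct horse"}    # constructed stand-in for the AD DS / SAM lookup

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse Type/Length/Value attributes; ValueError on a bad length (malformed packet)."""
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    """Return (code, ident, authenticator, attrs); ValueError if the length field lies."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    return packet[0], packet[1], packet[4:20], decode_attrs(packet[20:])

def password_xor(secret, req_auth, data, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def message_authenticator_ok(secret, packet, attrs):
    """RFC 2869 5.14 check: HMAC-MD5 over the packet with the attribute's value zeroed."""
    mac = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if mac is None:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

def response_authenticator(secret, code, ident, req_auth, body):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def nps_handle(packet):
    """NPS side: returns a response packet, or None when the request is silently discarded."""
    try:
        code, ident, req_auth, attrs = parse_packet(packet)
    except ValueError:
        return None                                  # counted as "Malformed packets"
    if code != ACCESS_REQUEST or not message_authenticator_ok(SECRET, packet, attrs):
        return None                                  # wrong type, or "Bad authenticators": no Access-Reject
    fields = dict(attrs)
    password = password_xor(SECRET, req_auth, fields.get(USER_PASSWORD, b""), decrypt=True)
    user = fields.get(USER_NAME)
    code = ACCESS_ACCEPT if user in USERS and hmac.compare_digest(USERS[user], password) else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(SECRET, code, ident, req_auth, b""), [])

def access_server_request(user, password, ident, secret=SECRET):
    """Access server side: fresh Request Authenticator, hidden password, Message-Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, password_xor(secret, req_auth, password)),
             (MESSAGE_AUTHENTICATOR, bytes(16))]      # zeroed while the HMAC is computed
    mac = hmac.new(secret, build_packet(ACCESS_REQUEST, ident, req_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return req_auth, build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def access_server_verify(req_auth, ident, response, secret=SECRET):
    """Accept a reply only if its ID matches and the Response Authenticator verifies."""
    code, rid, auth, _ = parse_packet(response)     # ValueError here means a malformed reply
    expected = response_authenticator(secret, code, rid, req_auth, response[20:])
    return code if rid == ident and hmac.compare_digest(auth, expected) else None

def authenticate(user, password, secret=SECRET, ident=7):
    """One full round trip; returns 'accept', 'reject' or 'dropped'."""
    req_auth, request = access_server_request(user, password, ident, secret)
    response = nps_handle(request)
    if response is None:
        return "dropped"                             # the access server would time out and retransmit
    code = access_server_verify(req_auth, ident, response, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "dropped")
```

`authenticate(b"alice", b"correct horse")` returns `"accept"` and a wrong password returns `"reject"`, both carrying a Response Authenticator the access server verifies before trusting the verdict. Calling it with `secret=b"wrong-secret"` returns `"dropped"`: NPS fails the Message-Authenticator check and answers nothing, which is the behaviour behind a rising Bad authenticators rate paired with timeouts on the access server. A reply whose authenticator bytes have been altered is likewise refused by `access_server_verify`.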

If NPS challenges or rejects access requests unusually often, administrators need to know at once so that they can find the cause: a misconfigured network policy, expired credentials, a shared-secret mismatch with an access server, or a credential-guessing campaign against a RADIUS-fronted VPN or wireless network. Likewise, an unusual delay in authentication should be caught quickly so that its cause (for example, a slow or unreachable domain controller) can be fixed. For this, administrators should run the NPS Remote Authentication Server test periodically. The test tracks the Access-Request messages sent by every access server configured to use NPS for authentication and reports the rate at which NPS challenges or rejects them. It also reveals the time NPS takes to respond to each server, so that slowdowns in authentication surface early, and the number of requests from each server still queued on NPS, which points to processing bottlenecks. The measures correspond to the counters of the Windows performance object of the same name.

Target of the test : An NPS server

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every access server that is configured to use NPS for authentication

Configurable parameters for the test
Parameters Description

Test period

This indicates how often the test should be executed.

Host

The host for which the test is to be configured.

Port

The port at which the NPS server listens. The default is NULL. RADIUS authentication traffic uses UDP port 1812 by default; NPS also listens on the legacy authentication port 1645.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Access-Accepts

Indicates the rate at which RADIUS Access-Accept packets were received by this server from NPS.

Accepts/Sec

This is a good indicator of how frequently access requests from clients to a server are authenticated and authorized by NPS.

Access-Challenges

Indicates the rate at which RADIUS Access-Challenge packets were sent by NPS to this server.

Challenges/Sec

A low value is generally desired for this measure, but its meaning depends on the authentication method in use.

For password-based methods such as PAP and MS-CHAP v2, which normally complete in a single round trip, a high value indicates that NPS needed further information from the access server before deciding, and access clients experience delays while the updated Access-Request is sent and evaluated. EAP-based methods (PEAP, EAP-TLS, as used for 802.1X wireless and wired access) are carried in a series of Access-Challenge/Access-Request exchanges by design, so a high challenge rate from such an access server is normal and should be judged relative to its Access-Requests rate rather than in isolation.

Access-Rejects

Indicates the rate at which RADIUS Access-Reject packets were sent by NPS to this server.

Rejects/Sec

Ideally, the value of this measure should be 0 or very low.

A high value means that a large share of the connection attempts made through this access server are being denied. Sustained rejects usually point to a misconfigured network or connection request policy, expired or locked-out accounts, or clients presenting stale credentials. A sudden burst of rejects from a single access server, especially spread across many different user names, is also the signature of password guessing against a RADIUS-fronted VPN or wireless network; correlate it with the NPS audit events (Event ID 6273, "Network Policy Server denied access to a user") to identify the source.

Access-Requests

Indicates the rate at which Access-Request packets were sent by this server to NPS.

Reqs/Sec

This is a good indicator of the load on NPS.

Bad authenticators

Indicates the rate at which this server sent access requests containing an invalid Message Authenticator attribute to NPS.

Reqs/Sec

Ideally, the value of this measure should be 0. The Message-Authenticator is an HMAC-MD5 over the packet keyed with the shared secret, so a failure means that the access server and NPS disagree on the secret, or that the packet was altered or forged in transit. NPS silently discards such requests instead of answering with an Access-Reject, so the access server sees only timeouts. A non-zero value after a configuration change usually means the shared secret entered for this RADIUS client in NPS does not match the one configured on the access server.

Packets dropped

Indicates the rate at which request packets sent by this server were silently discarded by NPS for a reason other than "malformed", "invalid Message Authenticator", or "unknown type".

Packets/Sec

Ideally, the value of this measure should be 0. Because a discard produces no Access-Reject, the access server is not told why the request went unanswered; correlate a non-zero value with the NPS discard events (Event ID 6274, "Network Policy Server discarded the request for a user") to find the reason.

FullAccess-Decisions

Indicates the rate at which full-access decisions were issued by NPS for clients connecting through this server.

Decisions/Sec

NPS grants an access client full access if the client meets the defined health policies. These decisions are produced by Network Access Protection (NAP) health evaluation; NAP was deprecated in Windows Server 2012 R2 and removed from Windows Server 2016, so on those and later versions this measure and the probation and quarantine measures stay at 0.

Malformed packets

Indicates the rate at which NPS received malformed packets from this server.

Packets/Sec

Ideally, the value of this measure should be 0.

Packets received

Indicates the rate at which request packets were received from this server.

Packets/Sec

Probation-Decisions

Indicates the rate at which probation decisions were issued by NPS for clients connecting through this server.

Decisions/Sec

If NPS grants an access client full access but for a limited period only, the client is said to be on probation. This can happen if NPS finds that the client did not fulfill certain health policy requirements.

Quarantine-Decisions

Indicates the rate at which quarantine decisions were issued by NPS for clients connecting through this server.

Decisions/Sec

When a remote access client dials in or connects via VPN to an access server, by default only the user’s credentials (account name and password) are checked to determine whether access is granted. This means a computer that does not meet the network’s policy requirements could still connect to the server and the network from a remote location. When quarantine control is deployed, after the user’s credentials are authenticated the connection is “quarantined.” In quarantine mode, the computer has an IP address and has limited access to some network resources (called quarantine resources) such as a DNS server and perhaps a file server or web server from which it can download files necessary to comply with the policies or where the user can get more information, but cannot access the rest of the network.

Request timeouts

Indicates the rate at which requests to this server timed out.

Reqs/Sec

A high value indicates frequent timeouts.

Raising the timeout setting for requests will reduce the number of timeouts, but it only hides slow responses; first check why responses are late (compare with Last round-trip time and Pending requests) and fix that cause, then adjust the timeout so that timeouts are kept at a minimum.

Retransmissions

Indicates the rate at which requests were retransmitted to this server.

Reqs/Sec

Retransmits can increase the number of requests to NPS, thus overloading it. It is hence good practice to keep the rate of retransmissions minimal.

One of the reasons for a high rate of retransmissions is a low timeout setting on NPS: a request whose response arrives just after the timeout expires is retransmitted even though it would have been answered.

If the value of this measure is very high, compare it with Last round-trip time. If responses are merely slower than the timeout, raise the timeout setting to reduce retransmits; if responses are genuinely missing, fix the cause of the slowness rather than the timeout.

Unknown type

Indicates the average number of packets of unknown type (non-RADIUS packets) received from this server per second.

Packets/Sec

Last round-trip time

Indicates the time between the most recent request to this server and its response. The underlying Windows counter reports this value in hundredths of a second; the measure reports it in seconds.

Secs

Ideally, the value of this measure should be very low. A high value indicates that NPS is taking too long to authenticate requests.

Pending requests

Indicates the rate of requests destined for this server that are still awaiting a response and have not yet timed out.

Reqs/Sec

A high value could indicate either a processing bottleneck on NPS or a high timeout setting, which keeps unanswered requests pending for longer. In the latter case, consider lowering the timeout setting to minimize the number of pending requests; in the former, look at Last round-trip time and at the domain controllers NPS relies on to validate credentials.
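
As an added example (not the monitoring product's own implementation), the following Python shows how rates such as those above can be derived from two snapshots of the cumulative counters, and how the interpretations in this table can be turned into alert rules. The snapshot values and the thresholds are constructed for the demonstration; the code also assumes that the counters are 32-bit and wrap, and that Pending requests and Last round-trip time are gauges rather than cumulative counts. It goes beyond the table in one respect: rejects and challenges are judged relative to the Access-Requests rate, so that a busy access server is not flagged for a proportionally normal number of rejects and an EAP access server is not flagged for its expected challenges.

```python
"""Derive per-second rates and alert conditions from two snapshots of NPS counters.
Added example, not the monitoring product's own logic. Assumptions: the agent reads the
cumulative Windows counters once per test period and differences them (32-bit counters
wrap at 2**32); pending requests and round-trip time are gauges; thresholds are illustrative."""

COUNTER_WRAP = 2 ** 32
CUMULATIVE = {"access_requests", "access_accepts", "access_rejects", "access_challenges",
              "bad_authenticators", "malformed_packets", "request_timeouts", "retransmissions"}

# Constructed sample: one access server, two snapshots 60 s apart. In that minute it sent
# 6000 requests, of which 1200 were rejected; no authenticator or format problems.
SNAPSHOT_T0 = {"access_requests": 120_000, "access_accepts": 118_000, "access_rejects": 1_900,
               "access_challenges": 0, "bad_authenticators": 0, "malformed_packets": 0,
               "request_timeouts": 10, "retransmissions": 10,
               "pending_requests": 3, "last_round_trip_time": 8}   # gauges; RTT in hundredths of a second
SNAPSHOT_T1 = {"access_requests": 126_000, "access_accepts": 122_800, "access_rejects": 3_100,
               "access_challenges": 0, "bad_authenticators": 0, "malformed_packets": 0,
               "request_timeouts": 10, "retransmissions": 10,
               "pending_requests": 3, "last_round_trip_time": 8}


def rates(prev, curr, interval_s):
    """Per-second rates for cumulative counters; gauges are passed through unchanged."""
    out = {}
    for name, now in curr.items():
        if name in CUMULATIVE:
            out[name] = ((now - prev.get(name, 0)) % COUNTER_WRAP) / interval_s  # modulo absorbs a wrap
        else:
            out[name] = now
    return out


def evaluate(r, eap=False, reject_ratio_max=0.10, rtt_max_s=1.0, pending_max=50):
    """Alert strings for one access server's rates. Thresholds are assumptions for the demo."""
    alerts = []
    reqs = r["access_requests"]
    if reqs > 0:
        reject_ratio = r["access_rejects"] / reqs     # normalise rejects to load, not raw rejects/sec
        if reject_ratio > reject_ratio_max:
            alerts.append(f"reject ratio {reject_ratio:.0%}: check policies, expired credentials "
                          "or credential guessing against this access server")
        # EAP methods (PEAP, EAP-TLS) answer most requests with Access-Challenge by design,
        # so a high challenge ratio is only abnormal for PAP/MS-CHAP access servers.
        if not eap and r["access_challenges"] / reqs > 0.5:
            alerts.append("non-EAP access server is challenged on most requests")
    if r["bad_authenticators"] > 0:
        alerts.append("Message-Authenticator failures: shared-secret mismatch or forged requests")
    if r["malformed_packets"] > 0:
        alerts.append("malformed RADIUS packets received from this access server")
    if r["request_timeouts"] > 0 or r["retransmissions"] > 0:
        alerts.append("timeouts/retransmissions: responder slow or unreachable")
    if r["last_round_trip_time"] / 100 > rtt_max_s:   # counter unit is hundredths of a second
        alerts.append(f"last round trip {r['last_round_trip_time'] / 100:.2f} s exceeds {rtt_max_s} s")
    if r["pending_requests"] > pending_max:
        alerts.append("request queue building up on NPS")
    return alerts


def report(prev, curr, interval_s, eap=False):
    """Rates plus alerts for one server: roughly what one test period's output looks like."""
    r = rates(prev, curr, interval_s)
    return r, evaluate(r, eap=eap)


if __name__ == "__main__":
    r, alerts = report(SNAPSHOT_T0, SNAPSHOT_T1, 60)
    print({k: round(v, 2) for k, v in r.items()})
    print(alerts)
```

With the constructed snapshots, `report` yields 100 requests/s, 80 accepts/s and 20 rejects/s and raises a single alert for the 20% reject ratio; the same 20 rejects/s on a server handling 2000 requests/s would not be flagged, which is the point of normalising against load. The modulo in `rates` keeps the rate correct across a counter wrap, and the `eap` flag keeps a wireless access server's expected challenges from being reported as a problem.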