DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/Help/Windows/en-US/


Current File : /Windows/Help/Windows/en-US/radius.h1s
MZ@PEL!@0@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStampC35FFFD601CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:09:40      >TopicCount166000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	ti_[C.ITOLITLS(X쌡^
V`   x CAOLPHHC ITSF #d	{-Y쌡^
VY쌡^
VIFCMAOLLIFCM AOLL//$FXFtiAttribute//$FXFtiAttribute/BTREEf/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTY~N/$FXFtiMain//$FXFtiMain/BTREEi/$FXFtiMain/DATA/$FXFtiMain/PROPERTYN/$Index/$ATTRNAME<\/$Index/$PROPBAGB/$Index/$STRINGSpd/$Index/$SYSTEMzH
/$Index/$TOC//$Index/$TOC/$radius^/$Index/$TOPICATTRLp/$Index/$TOPICS
p/$Index/$URLSTRT/$Index/$URLTBLZ0/$Index/$VTAIDXH/$Index/AssetId//$Index/AssetId/$BL0`/$Index/AssetId/$LEAF_COUNTS`/$Index/AssetId/$LEAVESp	/$OBJINST^/assets/0/assets/08ce0e6b-93f2-43b5-b1cf-8e2454cd5272.xmltk0/assets/09e250cb-7d83-4f2e-bf98-1c6a54654f77.xml_.0/assets/13a5e651-d090-407f-a995-3e8509cf9a8e.xml
K0/assets/141ae7ad-a32d-4d29-9bbd-0e50cfc9164d.xmlX60/assets/1abd93f7-d617-4377-9cc7-c6bb35b0243b.xml.0/assets/21bb6dd6-f462-4715-89cd-e94636557945.xml<c0/assets/25b886ed-75e9-4f49-8ca0-c90991dfc20e.xmlN0/assets/287a5491-9f3e-4e7e-97de-02ace47d018e.xmlm00/assets/2a1b783d-cd88-445f-9397-3ed385a9f733.xml'0/assets/36720df9-0b4a-4725-bdd7-c7e12d5c535b.xmlDs0/assets/36aa0cab-5ffe-4c18-95e4-b345ec0a67c6.xml7~0/assets/396c8b17-fdc0-43dc-8419-31311f8ac665.xml5-0/assets/418638e1-e88e-4b59-853d-ae16fc589bd9.xmlbW0/assets/41f058fe-70c8-4269-bd08-efd98acf5fe3.xml90/assets/499cfc22-34ea-4f71-9c44-d7ffbb838e00.xml@0/assets/4cd859ba-2651-42a3-83fe-95197ce38a5c.xmlY(0/assets/4e4f927d-3273-40b5-a33b-f550be1587e2.xmlG0/assets/50b75202-0103-4285-80ac-c1234c3b5e9c.xmlHs0/assets/50d16bcb-06c3-4073-bca9-621701c55cf1.xml;0/assets/5220ca1e-409e-4841-b43e-837b4edd2cb6.xmlF0/assets/541cef62-a77e-483c-a847-27aacc68625d.xml_E0/assets/58cb0d00-d084-47c0-9fe7-b8f4b0166a4c.xml$0/assets/58ec6857-153e-417f-b63c-40fd6addd216.xml/S0/assets/592105a8-de1a-454d-94c7-fa770cafdf76.xmlG0/assets/5ba4dfa8-674d-43fe-9196-93fc599ee94d.xmlI0/assets/5d00958c-4ffa-4b58-b84e-bcecfd40d61c.xmlc0/assets/5d57d701-429e-4389-8d03-6ff0b13ac488.xmly\0/assets/5e653bce-7b3b-48c8-b784-020e133c6bcc.xmlU0/assets/62aa0ab9-ce1c-4afc-831c-69325ec9fe1d.xmlc[0/assets/689390e0-760d-42e8-a894-78749558a626.xml>#0/assets/6a4a5454-26bd-495f-a57c-a62493c91ac9.xmla(0/assets/6aadc218-2112-4781-8b20-05d591066840.xml	
0/assets/72747f28-80c0-45bf-8fcb-50938808b5b6.xml$0/assets/74b6dbef-a26e-48ef-a26d-fb33e4e7730c.xml>'0/assets/77f4d1e3-4766-430e-9f78-82364b35d225.xmle:0/assets/78f2b506-66a2-45d8-a17e-c83203b7e9d6.xml,0/assets/7a04cacb-8df7-4187-94ce-0410170cde1f.xmlK^0/assets/7a2cb3e1-d6de-44d8-8f8e-7309acb68383.xml)C0/assets/7a3cc667-cc49-4bd2-b117-62f573751748.xmll0/assets/7f441bba-13e0-4676-bf8a-bb410c50d91e.xml}0/assets/88497044-c5b1-46a8-acc8-3be04052b6cf.xml]0/assets/88ec0246-a5e1-425d-9dda-9bfc61249726.xmly-0/assets/89328686-ac05-4f04-a2cb-51c30c4d6796.xml&w0/assets/912212d0-b52c-4f64-ace4-41fc01cfc5aa.xml0/assets/92ed06a5-f36b-4256-ab81-229fa7af9fc6.xml;30/assets/9383c523-af71-4513-a942-e4458692f457.xmlnT0/assets/94c797c3-1efa-4a62-946b-a6923e0ee036.xml#0/assets/94efe111-f74e-442a-b7f2-b545bed1107d.xml<|0/assets/9561f22e-2bab-453c-a4de-36e4466850df.xml8g0/assets/972043b0-0233-4ea1-8ddb-e1de1cbb9c57.xmlE0/assets/9d3f798f-0854-4602-adce-0b888e8c00ef.xmld20/assets/9d851c01-7896-4074-b3dd-2e7ee422a477.xmlj0/assets/a1210cf7-7995-428a-8f25-246f1b5d11da.xml0/assets/a1ac8d7e-3479-46b4-932b-ab43362e021b.xmle0/assets/a66e6bd0-d710-4668-a9f0-f44222ea10fd.xmlpR0/assets/addbacc4-32a5-4dca-b12e-771bcba85733.xmlBd0/assets/b607dabd-8eca-41ab-9953-ea2941a90154.xml&-0/assets/c23d0c91-d9d4-47d4-9542-e373040764fc.xmlSz0/assets/c29cb16a-4263-47d9-8bbe-0d5db799ca7c.xmlM0/assets/c3c405fc-099d-497d-857d-be93314c4db6.xml_L0/assets/ca7d5422-1a5c-4472-b5e3-f6996f7a4084.xml+50/assets/ceee0372-2286-4205-9c43-f3f242c07b60.xml`0/assets/cfa37f4c-8133-4df8-9db8-657a0784ffd5.xmlp	
0/assets/cfdc3bc3-82ff-4b71-90e8-57c8029501e5.xmlyK0/assets/d1c27e22-914b-4191-ba02-371f5fba137d.xmlDa0/assets/d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27.xml%0/assets/d80d8fd1-388f-49e1-8b32-855cf8fda137.xmlBj0/assets/d82f6c3d-52d2-489a-b21e-cba7dd6850f5.xml,&0/assets/d90e87a7-0a9b-4d61-9355-14887f112754.xmlRE0/assets/d994b6fb-7936-4b4c-b8ad-d4b75801c70d.xmlh0/assets/de982522-df50-465d-b221-656bc3b39468.xml]0/assets/e4b41164-2fac-418e-ab9b-bc26baed1d11.xml\)0/assets/e7b2e1e2-9da4-4a68-a1db-6a0886f7e028.xml80/assets/e853adba-c8b8-4d19-8626-89a09a76a8c0.xml=S0/assets/f1ef3288-9cae-4ba5-b55c-caa2f4f8967d.xml0/assets/f3ebb128-d942-4251-b3fb-de6f78cd5f97.xmlZv0/assets/f4522491-921b-4ca9-974c-a41b90883ca7.xmlP$0/assets/f45775a5-af6b-4b71-97fb-8fafd5277b30.xmltS0/assets/f55c57a1-6c80-43a4-837c-260ea3e68027.xmlG?0/assets/fabff996-c60c-4dce-8a9d-39b705042901.xmlT0/assets/ff35a554-2006-442d-a8e6-bf05d33ff1a7.xmlZF/radius.h1c x/radius.H1Fk/radius.H1Trc/radius.H1Vo/radius_AssetId.H1KUk/radius_BestBet.H1K@k/radius_LinkTerm.H1K+l/radius_SubjectTerm.H1Ko/relatedAssets/7/relatedAssets/168d7bbd-0b7a-4371-b0a2-25a737a3e4ef.gif=7/relatedAssets/6abe5f5f-c467-44c9-b3fd-55b8cb7e16a3.gif7/relatedAssets/b19e0940-c0e4-4e7a-bba7-7d9495e71453.gifBa::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/Content2,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTable8x3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/rOiI6#

	ubO;(ESqUncompressedMSCompressedFX쌡^
VDLZXCHH<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure Network Access Protection (NAP)</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Access Protection information is available in the Networking section of the Windows Server® 2008 and Windows Server® 2008 R2 Technical Library on the Web. For more information, see <maml:navigationLink><maml:linkText>Networking</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=139900"></maml:uri></maml:navigationLink> at http://go.microsoft.com/fwlink/?LinkId=139900.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows XP for EAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure an EAP-TLS wireless profile for computers running Windows XP</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the <maml:ui>Windows XP Wireless Network (IEEE 802.11) Policies Properties</maml:ui> dialog box. </maml:para>

<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>XP Policy</maml:ui> <maml:ui>Name</maml:ui>, type a name for your wireless policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Networks to access</maml:ui>, select either <maml:ui>Any available network (access point preferred)</maml:ui> or <maml:ui>Access Point (infrastructure) network only</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Select <maml:ui>Use Windows to configure wireless network settings for clients</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Preferred Networks</maml:ui> tab, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. On the <maml:ui>Network Properties</maml:ui> tab, configure the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>Network Name (SSID)</maml:ui>, type the service set identifier (SSID) for your network.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The value you enter in this field must match the value configured on the access points you have deployed on your network.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, enter a description for the <maml:ui>New Preferred Setting Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select either <maml:ui>WPA2</maml:ui> (preferred), or <maml:ui>WPA</maml:ui>. In <maml:ui>Encryption</maml:ui>, specify either <maml:ui>AES</maml:ui> or <maml:ui>TKIP</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>In Windows XP Wireless Network (IEEE 802.11) Policies, <maml:ui>WPA2</maml:ui> and <maml:ui>WPA</maml:ui> correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies <maml:ui>WPA2-Enterprise</maml:ui> and <maml:ui>WPA-Enterprise</maml:ui> settings, respectively.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.</maml:para>
</maml:alertSet>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>IEEE 802.1X</maml:ui> tab. In <maml:ui>EAP type</maml:ui>, select <maml:ui>Smart Card or other Certificate</maml:ui>.</maml:para>
<maml:para>The remaining default settings on the IEEE 802.1X tab are typically sufficient for wireless deployments.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Settings</maml:ui>. In the <maml:ui>Smart Card or other Certificate Properties</maml:ui> dialog box, do the following:</maml:para></maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui>, or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Verify that <maml:ui>Validate Server certificate</maml:ui> is selected.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para> This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. When this option is selected, a server certificate that is not already trusted causes the connection to fail instead of prompting the user, so a user cannot inadvertently choose to trust an unexpected server. </maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> two times. The EAP-TLS profile is listed under <maml:ui>Networks</maml:ui>. Click <maml:ui>OK</maml:ui>, and then close the Group Policy Management Console.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>EAP Overview</maml:title><maml:introduction>
<maml:para>Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP provides authentication methods that use security devices, such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>EAP and NPS</maml:title><maml:introduction>

<maml:para>Using EAP, you can support additional authentication schemes, known as <maml:newTerm>EAP types</maml:newTerm>. These schemes include token cards, one-time passwords, public key authentication using smart cards, and certificates. EAP, in conjunction with strong EAP types, is a critical technology component for secure virtual private network (VPN) connections, 802.1X wired connections, and 802.1X wireless connections. Both the network access client and the authenticator, such as the server running Network Policy Server (NPS), must support the same EAP type for successful authentication to occur.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Strong EAP types, such as those based on certificates, offer better security against brute-force or dictionary attacks and password guessing than password-based authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).</maml:para>
</maml:alertSet>

<maml:para>With EAP, an arbitrary authentication mechanism authenticates a remote access connection. The authentication scheme to be used is negotiated by the remote access client and the authenticator (either the network access server or the Remote Authentication Dial-In User Service [RADIUS] server). Routing and Remote Access includes support for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and PEAP-MS-CHAP v2 by default. You can plug in other EAP modules to the server running Routing and Remote Access to provide other EAP methods.</maml:para>

<maml:para>EAP allows for an open-ended conversation between the remote access client and the authenticator. The conversation consists of authenticator requests for authentication information and the responses by the remote access client. For example, when EAP is used with security token cards, the authenticator can separately query the remote access client for a name, PIN, and token card value. As each query is asked and answered, the remote access client passes through another level of authentication. When all questions have been answered satisfactorily, the remote access client is authenticated.</maml:para>

<maml:para>Windows Server® 2008 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS).</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>EAP infrastructure</maml:title><maml:introduction>
<maml:para>EAP is a set of internal components that provide architectural support for any EAP type in the form of a plug-in module. For successful authentication, both the remote access client and authenticator must have the same EAP authentication module installed. You can also install additional EAP types. The components for an EAP type must be installed on every network access client and every authenticator.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Windows Server 2003 operating systems provide two EAP types: MD5-Challenge and EAP-TLS. MD5-Challenge is not supported in Windows Server 2008.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>EAP-TLS</maml:title><maml:introduction>
<maml:para>EAP-TLS is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>During the EAP-TLS authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated.</maml:para>
</maml:alertSet>

<maml:para>EAP-TLS is supported only on servers that are running Routing and Remote Access, that are configured to use Windows Authentication or Remote Authentication Dial-In User Service (RADIUS), and that are members of a domain. A network access server running as a stand-alone server or as a member of a workgroup does not support EAP-TLS.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Using RADIUS as a transport for EAP</maml:title><maml:introduction>
<maml:para>Using RADIUS as a transport for EAP is the passing of EAP messages of any EAP type by a RADIUS client to a RADIUS server for authentication. For example, for a network access server that is configured for RADIUS authentication, the EAP messages sent between the remote access client and network access server are encapsulated and formatted as RADIUS messages between the network access server and the RADIUS server. When you use EAP over RADIUS, it is called EAP-RADIUS.</maml:para>

<maml:para>EAP-RADIUS is used in environments where RADIUS is used as the authentication provider. An advantage of using EAP-RADIUS is that EAP types do not need to be installed at each network access server, only at the RADIUS server. In the case of an NPS server, you only need to install EAP types on the NPS server.</maml:para>

<maml:para>In a typical use of EAP-RADIUS, a server running Routing and Remote Access is configured to use EAP and to use an NPS server for authentication. When a connection is made, the remote access client negotiates the use of EAP with the network access server. When the client sends an EAP message to the network access server, the network access server encapsulates the EAP message as a RADIUS message and sends it to its configured NPS server. The NPS server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the network access server. The network access server then forwards the EAP message to the remote access client. In this configuration, the network access server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the NPS server.</maml:para>

<maml:para>Routing and Remote Access can be configured to authenticate locally, or to a RADIUS server. If Routing and Remote Access is configured to authenticate locally, all EAP methods will be authenticated locally. If Routing and Remote Access is configured to authenticate to a RADIUS server, all EAP messages will be forwarded to the RADIUS server with EAP-RADIUS.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:procedure><maml:title>To enable EAP authentication</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enable EAP as an authentication protocol on the network access server. For more information, see your network access server documentation.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enable EAP and, if needed, configure the EAP type in the constraints of the appropriate network policy.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enable and configure EAP on the remote access client. For more information, see your access client documentation.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Remediation Server Groups</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>A <maml:newTerm>remediation server group</maml:newTerm> is a list of servers on the restricted network that provide resources required to bring noncompliant Network Access Protection (NAP)-capable clients into compliance with administrator-defined client health policy.</maml:para>

<maml:para>A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with health policy, as defined in Network Policy Server (NPS). For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions installed, an antivirus system health agent (SHA), an antivirus system health validator (SHV), an antivirus policy server, and the remediation server used to host the antivirus signatures work together to update noncompliant computers.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement Methods</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) enforces Network Access Protection (NAP) health policies for the following network technologies:</maml:para>

<maml:list class="unordered">


<maml:listItem>
<maml:para>802.1X port-based wired and wireless network access control. For more information, see <maml:navigationLink><maml:linkText>NAP Enforcement for 802.1X</maml:linkText><maml:uri href="mshelp://windows/?id=21bb6dd6-f462-4715-89cd-e94636557945"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Dynamic Host Configuration Protocol (DHCP) Internet Protocol version 4 (IPv4) address lease and renewal. For more information, see <maml:navigationLink><maml:linkText>NAP Enforcement for DHCP</maml:linkText><maml:uri href="mshelp://windows/?id=d1c27e22-914b-4191-ba02-371f5fba137d"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Internet Protocol security (IPsec) policies for Windows Firewall on client computers. For NAP IPsec enforcement, the IPsec enforcement client must be installed on client computers. For more information, see <maml:navigationLink><maml:linkText>NAP Enforcement for IPsec Communications</maml:linkText><maml:uri href="mshelp://windows/?id=94efe111-f74e-442a-b7f2-b545bed1107d"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Remote Desktop Gateway connections by using Remote Desktop Services, which in previous product versions was named Terminal Services. For more information, see <maml:navigationLink><maml:linkText>NAP Enforcement for Remote Desktop Gateway</maml:linkText><maml:uri href="mshelp://windows/?id=36aa0cab-5ffe-4c18-95e4-b345ec0a67c6"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Virtual private networks (VPN) with Routing and Remote Access. For more information, see <maml:navigationLink><maml:linkText>NAP Enforcement for VPN</maml:linkText><maml:uri href="mshelp://windows/?id=41f058fe-70c8-4269-bd08-efd98acf5fe3"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Using multiple enforcement methods</maml:title><maml:introduction>
<maml:para>Each of these NAP enforcement methods has strengths and weaknesses. By combining enforcement methods, you can eliminate most of the weaknesses of your NAP deployment. Deploying multiple NAP enforcement methods, however, can make your NAP implementation more complex to manage.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement for 802.1X</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Access Protection (NAP) enforcement for 802.1X port-based network access control is deployed by using a server running Network Policy Server (NPS) and an Extensible Authentication Protocol (EAP) host enforcement client component. With 802.1X port-based enforcement, the NPS server instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant 802.1X clients on a remediation network. The NPS server limits network access by the client to the remediation network by applying IP filters or a virtual LAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers accessing the network by using 802.1X-capable network access servers.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Requirements for 802.1X wired</maml:title><maml:introduction>
<maml:para>To deploy NAP with 802.1X wired, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install and configure 802.1X authenticating switches.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), issue server certificates with either AD CS or purchase server certificates from another trusted root certification authority (CA).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Requirements for 802.1X wireless</maml:title><maml:introduction>
<maml:para>To deploy NAP with 802.1X wireless, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install and configure 802.1X wireless access points.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the WSHV or install and configure other SHAs and SHVs, depending on your NAP deployment.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploy User Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for user certificates that are enrolled to members of the Domain Users group.</maml:para>

<maml:para>Membership in both the <maml:computerOutputInline>Enterprise Admins</maml:computerOutputInline> group and the <maml:computerOutputInline>Domain Admins</maml:computerOutputInline> group of the root domain is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To configure the certificate template and autoenrollment</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Certificate Services is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certification Authority</maml:ui>. Select the certification authority (CA) that you want to manage, and then click <maml:ui>Finish</maml:ui>. The <maml:ui>Certification Authority</maml:ui> dialog box closes, returning to the <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificate Templates</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificate Templates</maml:ui>. All of the certificate templates are displayed in the details pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the <maml:ui>User</maml:ui> template.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Duplicate Template</maml:ui>. The <maml:ui>Duplicate Template</maml:ui> dialog box opens. Select the template version appropriate for your deployment, and then click <maml:ui>OK</maml:ui>. The new template properties dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General </maml:ui>tab, in <maml:ui>Display Name</maml:ui>, type a new name for the certificate template or keep the default name.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab. In <maml:ui>Group or user names</maml:ui>, click <maml:ui>Domain Users</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Permissions for Domain Users</maml:ui>, under <maml:ui>Allow</maml:ui>, select the <maml:ui>Enroll</maml:ui> and <maml:ui>Autoenroll</maml:ui> permission check boxes, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certification Authority</maml:ui>, double-click the CA name, and then click <maml:ui>Certificate Templates</maml:ui>. On the <maml:ui>Action </maml:ui>menu, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui>. The <maml:ui>Enable Certificate Templates</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the name of the certificate template you just configured, and then click <maml:ui>OK</maml:ui>. For example, if you did not change the default certificate template name, click <maml:ui>Copy of User</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Domain Services (AD DS) is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box, in <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Group Policy Management Editor</maml:ui>. The <maml:ui>Select Group Policy Object</maml:ui> wizard opens. Click <maml:ui>Browse</maml:ui>, and then select <maml:ui>Default Domain Policy</maml:ui>. Click <maml:ui>OK</maml:ui>, click <maml:ui>Finish</maml:ui>, and then click <maml:ui>OK</maml:ui> again.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Default Domain Policy</maml:ui>. Open <maml:ui>User Configuration</maml:ui>, then <maml:ui>Policies</maml:ui>, then <maml:ui>Windows Settings</maml:ui>, then <maml:ui>Security Settings</maml:ui>, and then <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click <maml:ui>Certificate Services Client - Auto-Enrollment</maml:ui>. The <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box, in <maml:ui>Configuration Model</maml:ui>, select <maml:ui>Enabled</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Renew expired certificates, update pending certificates, and remove revoked certificates</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Update certificates that use certificate templates</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:para>After you complete this procedure, domain users automatically enroll for a user certificate when Group Policy is refreshed. To refresh Group Policy, restart the client computer or, at the command prompt, run <maml:computerOutputInline>gpupdate</maml:computerOutputInline>.</maml:para>

<maml:para>Ensure that all appropriate domain system containers are configured for autoenrollment of user certificates either through the inheriting of Group Policy settings of a parent system container or through explicit configuration.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wired Access Clients for PEAP-MS-CHAP v2 Authentication</maml:title><maml:introduction>

<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol–Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) profile for client authentication by using secured passwords.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>

</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>

<maml:procedure><maml:title>To configure a profile for PEAP-MS-CHAP v2 wired connections</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>Policy Name</maml:ui>, type a name for the wired network policy. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a brief description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Ensure that <maml:ui>Use Windows Wired Auto Config service for clients</maml:ui> is selected.</maml:para></maml:listItem>


<maml:listItem><maml:para>To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in <maml:ui>Windows 7 Policy Settings</maml:ui>, select <maml:ui>Enable Explicit Credentials</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select <maml:ui>Enable Block Period</maml:ui>, and then in <maml:ui>Block Period (minutes)</maml:ui>, specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1–60.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For more information about the settings on any tab, press F1 while viewing that tab.</maml:para></maml:alertSet>
</maml:listItem>

</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Enable use of IEEE 802.1X authentication for network access</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Microsoft: Protected EAP (PEAP)</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui> (recommended), <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To configure Single Sign On or advanced 802.1X settings, click <maml:ui>Advanced</maml:ui>. On the <maml:ui>Advanced</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>To configure advanced 802.1X settings, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then modify — only as necessary — the settings for: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, <maml:ui>Auth Period</maml:ui>, <maml:ui>Eapol-Start Message</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To configure Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>, and then modify — as necessary — the settings for:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:ui>Perform Immediately before User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Perform Immediately after User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Max delay for connectivity</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui></maml:para></maml:listItem>
</maml:list>








</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>. The <maml:ui>Advanced Security Settings</maml:ui> dialog box closes, returning you to the <maml:ui>Security</maml:ui> tab. On the <maml:ui>Security</maml:ui> tab, click <maml:ui>Properties</maml:ui>. The <maml:ui>Protected EAP Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Protected EAP Properties</maml:ui> dialog box, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Validate server certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to separate multiple RADIUS server names. </maml:para></maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store. </maml:para>
</maml:alertSet>
</maml:listItem>

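<maml:listItem><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. With this option selected, a server whose certificate does not match the configured server names and trusted root CAs fails authentication instead of the user being asked whether to trust it.</maml:para></maml:listItem>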
<maml:listItem><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Secured Password (EAP-MSCHAP v2)</maml:ui>.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>To specify that PEAP Fast Reconnect is enabled, select <maml:ui>Enable Fast Reconnect</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To require cryptobinding Type-Length-Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To configure your clients so that they do not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty. </maml:para>
<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled, and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui> but do not provide an anonymous identity value, the identity response is @realm.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui> to save the <maml:ui>Protected EAP Properties</maml:ui> settings, and then click <maml:ui>OK</maml:ui> again to save the policy.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>


</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Accounting</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>There are three types of logging for Network Policy Server (NPS):</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Event logging.</maml:para>

<maml:para>Used primarily for auditing and troubleshooting connection attempts. You can configure NPS event logging in the NPS server properties in the NPS console.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Logging user authentication and accounting requests to a local file.</maml:para>

<maml:para>Used primarily for connection analysis and billing purposes. Also useful as a security investigation tool because it provides you with a method of tracking the activity of a malicious user after an attack. You can configure local file logging using the Accounting Configuration wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Logging user authentication and accounting requests to a Microsoft® SQL Server™ XML-compliant database.</maml:para>

<maml:para>Used to allow multiple servers running NPS to have one data source. Also provides the advantages of using a relational database. You can configure SQL Server logging by using the Accounting Configuration wizard.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections><maml:section><maml:title>Accounting Configuration wizard</maml:title><maml:introduction>
<maml:para>By using the Accounting Configuration wizard in the NPS console, you can configure the following four accounting settings:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:phrase>SQL logging only</maml:phrase>. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL server. In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL server logging.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>Text logging only</maml:phrase>. By using this setting, you can configure NPS to log accounting data to a text file.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>Parallel logging</maml:phrase>. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database. </maml:para></maml:listItem>
<maml:listItem><maml:para><maml:phrase>SQL logging with backup</maml:phrase>. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.</maml:para></maml:listItem>
</maml:list>
<maml:para>In addition to these settings, both SQL Server logging and text logging allow you to specify whether NPS continues to process connection requests if logging fails. You can specify this <maml:ui>Failover setting</maml:ui> in local file logging properties, in SQL Server logging properties, and while you are running the Accounting Configuration wizard.</maml:para>
</maml:introduction></maml:section></maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Configure Log File Properties</maml:linkText><maml:uri href="mshelp://windows/?id=50d16bcb-06c3-4073-bca9-621701c55cf1"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Configure SQL Server Logging in NPS</maml:linkText><maml:uri href="mshelp://windows/?id=5d57d701-429e-4389-8d03-6ff0b13ac488"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>System Health Validators</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>System health validators (SHVs) are server software counterparts to system health agents (SHAs). Each SHA on the client has a corresponding SHV in Network Policy Server (NPS). SHVs allow NPS to verify the statement of health (SoH) that is made by its corresponding SHA on the client computer.</maml:para>

<maml:para>SHVs contain the details of the required configuration settings on client computers. For example, the Windows Security Health Validator (WSHV) is the counterpart to the Windows Security Health Agent (WSHA) on client computers. WSHV allows you to create a policy for the way in which settings on Network Access Protection (NAP)-capable client computers must be configured. If the settings on the client computer as reported in the SoH do not match the settings in the SHV on the server running NPS, the client computer is not compliant with health policy.</maml:para>

<maml:para>To extend this example, if you configure the WSHV to use the setting <maml:ui>A firewall is enabled for all network connections</maml:ui>, the firewall software that is running on the client computer must be Windows Firewall software or other firewall software that is compatible with Windows Security Center. If the client computer is not running Windows Firewall or other firewall software that is compatible with Windows Security Center, the NAP agent on the client computer sends a SoH to NPS that reports this fact. NPS compares the SoH to the configuration of the WSHV in NPS; NPS then determines that the client computer is not compliant with health policy.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement for Remote Desktop Gateway</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Remote Desktop Gateway (RD Gateway) is a role service of the Remote Desktop Services server role that is available in Windows Server® 2008 R2. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>In Windows Server 2008 R2, Remote Desktop Services replaces Terminal Services in Windows Server® 2008.</maml:para></maml:alertSet>

<maml:para>By using RD Gateway, authorized users can connect from any Internet-connected device to terminal servers and remote desktops on your organization network. In addition, the health state of client computers that are Remote Desktop clients can be enforced and monitored with Network Access Protection (NAP).</maml:para>

<maml:para>NAP enforcement for RD Gateway is deployed with a server running Network Policy Server (NPS) and an RD Gateway server.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Requirements</maml:title><maml:introduction>
<maml:para>To deploy NAP with RD Gateway, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install and configure RD Gateway. When you run the Add Roles Wizard to install the RD Gateway role service, you must select <maml:ui>Remote Desktop</maml:ui>. Later, on the <maml:ui>Select Role Services</maml:ui> page, you can select the RD Gateway role service for installation.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), either issue server certificates with AD CS or purchase server certificates from a trusted root certification authority (CA).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable NAP health policy checks on the RD Gateway server using the RD Gateway Manager snap-in.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP RD Gateway enforcement client, the EAP enforcement client, and the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>System Health Validator Settings</maml:title><maml:introduction>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>System health validator (SHV) settings allow you to configure the system health requirements for Network Access Protection (NAP) client computers. If an SHV is designed to work with a health requirement server, you might configure some or all SHV settings on this server. To configure SHV settings on Network Policy Server (NPS), click <maml:ui>Configure</maml:ui> in the SHV properties window to open the SHV configuration dialog box.</maml:para>

<maml:para>If an SHV supports the storing of multiple configurations, you can create additional SHV settings for use with your health policies.</maml:para>

</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>System Health Validator Error Codes</maml:linkText><maml:uri href="mshelp://windows/?id=499cfc22-34ea-4f71-9c44-d7ffbb838e00"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Connection Request Policies</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para><maml:newTerm>Connection request policies</maml:newTerm> are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>When you deploy Network Access Protection (NAP) by using the virtual private network (VPN) or 802.1X enforcement methods with Protected Extensible Authentication Protocol (PEAP) authentication, you must configure PEAP authentication in the connection request policy even when connection requests are processed locally.</maml:para>
</maml:alertSet>

<maml:para>You can create connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is being used as a RADIUS proxy).</maml:para>

<maml:para>With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors such as the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The time of day and day of the week</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The realm name in the connection request</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The type of connection being requested</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The IP address of the RADIUS client</maml:para>
</maml:listItem>
</maml:list>

<maml:para>RADIUS Access-Request messages are processed or forwarded by NPS only if the settings of the incoming message match at least one of the connection request policies configured on the NPS server. If the policy settings match and the policy requires that the NPS server process the message, NPS acts as a RADIUS server, authenticating and authorizing the connection request. If the policy settings match and the policy requires that the NPS server forwards the message, NPS acts as a RADIUS proxy and forwards the connection request to a remote RADIUS server for processing.</maml:para>

<maml:para>If the settings of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent to the RADIUS client and the user or computer attempting to connect to the network is denied access.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Configuration examples</maml:title><maml:introduction>
<maml:para>The following configuration examples demonstrate how connection request policies can be used:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>NPS as a RADIUS server</maml:para>

<maml:para>The default connection request policy is the only configured policy. In this example, NPS is configured as a RADIUS server and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NPS as a RADIUS proxy</maml:para>

<maml:para>The default connection request policy is deleted, and two new connection request policies are created to forward requests to two different domains. In this example, NPS is configured as a RADIUS proxy. NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that are configured as members of remote RADIUS server groups.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NPS as both RADIUS server and RADIUS proxy</maml:para>

<maml:para>In addition to the default connection request policy, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. In this example, the proxy policy appears first in the ordered list of policies. If the connection request matches the proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NPS as RADIUS server with remote accounting servers</maml:para>

<maml:para>In this example, the local NPS server is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS server performs these functions for the local domain and all trusted domains.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NPS with Remote RADIUS to Windows User Mapping</maml:para>

<maml:para>In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the <maml:ui>Remote RADIUS to Windows User Mapping</maml:ui> attribute as a condition of the connection request policy. (In addition, a user account must be created locally that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Conditions</maml:title><maml:introduction>
<maml:para><maml:newTerm>Connection request policy conditions</maml:newTerm> are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message. If there are multiple conditions, then all of the conditions in the connection request message and in the connection request policy must match in order for the policy to be enforced by NPS.</maml:para>

<maml:para>Following are the available condition attributes that you can configure in connection request policies.</maml:para>

<maml:para>The <maml:ui>Connection Properties</maml:ui> attribute group contains the following attributes.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Framed Protocol</maml:ui>. Used to designate the type of framing for incoming packets. Examples are Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Frame Relay, and X.25.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Service Type</maml:ui>. Used to designate the type of service being requested. Examples include framed (for example, PPP connections) and login (for example, Telnet connections). For more information about RADIUS service types, see RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)."</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Tunnel Type</maml:ui>. Used to designate the type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The <maml:ui>Day and Time Restrictions</maml:ui> attribute group contains the <maml:ui>Day and Time Restrictions</maml:ui> attribute. With this attribute, you can designate the day of the week and the time of day of the connection attempt. The day and time are relative to the day and time of the NPS server.</maml:para>

<maml:para>The <maml:ui>Gateway</maml:ui> attribute group contains the following attributes.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Called Station ID</maml:ui>. Used to designate the phone number of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify area codes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>NAS Identifier</maml:ui>. Used to designate the name of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify NAS identifiers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>NAS IPv4 Address</maml:ui>. Used to designate the Internet Protocol version 4 (IPv4) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>NAS IPv6 Address</maml:ui>. Used to designate the Internet Protocol version 6 (IPv6) address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>NAS Port Type</maml:ui>. Used to designate the type of media used by the access client. Examples are analog phone lines (known as <maml:newTerm>async</maml:newTerm>), Integrated Services Digital Network (ISDN), tunnels or virtual private networks (VPNs), IEEE 802.11 wireless, and Ethernet switches.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The <maml:ui>Machine Identity</maml:ui> attribute group contains the <maml:ui>Machine Identity</maml:ui> attribute. By using this attribute, you can specify the method with which clients are identified in the policy.</maml:para>

<maml:para>The <maml:ui>RADIUS Client Properties</maml:ui> attribute group contains the following attributes.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Calling Station ID</maml:ui>. Used to designate the phone number used by the caller (the access client). This attribute is a character string. You can use pattern-matching syntax to specify area codes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Client Friendly Name</maml:ui>. Used to designate the name of the RADIUS client computer that is requesting authentication. This attribute is a character string. You can use pattern-matching syntax to specify client names.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Client IPv4 Address</maml:ui>. Used to designate the IPv4 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Client IPv6 Address</maml:ui>. Used to designate the IPv6 address of the network access server (the RADIUS client). This attribute is a character string. You can use pattern-matching syntax to specify IP networks.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Client Vendor</maml:ui>. Used to designate the vendor of the network access server that is requesting authentication. For a computer running the Routing and Remote Access service, the NAS manufacturer is Microsoft. You can use this attribute to configure separate policies for different NAS manufacturers. This attribute is a character string. You can use pattern-matching syntax.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The <maml:ui>User Name</maml:ui> attribute group contains the <maml:ui>User Name</maml:ui> attribute. By using this attribute, you can designate the user name, or a portion of the user name, that must match the user name supplied by the access client in the RADIUS message. This attribute is a character string that typically contains a realm name and a user account name. You can use pattern-matching syntax to specify user names.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Settings</maml:title><maml:introduction>
<maml:para>Connection request policy settings are a set of properties that are applied to an incoming RADIUS message. Settings consist of the following groups of properties:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Authentication</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Accounting</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Attribute manipulation</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Advanced</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Authentication</maml:title><maml:introduction>
<maml:para>By using this setting, you can override the authentication settings that are configured in all network policies and you can designate the authentication methods and types that are required to connect to your network.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you configure an authentication method in connection request policy that is less secure than the authentication method you configure in network policy, the more secure authentication method that you configure in network policy will be overridden. For example, if you have one network policy that requires the use of Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), which is a password-based authentication method for secure wireless, and you also configure a connection request policy to allow unauthenticated access, no clients are required to authenticate by using PEAP-MS-CHAP v2. In this example, all clients connecting to your network are granted unauthenticated access.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Accounting</maml:title><maml:introduction>
<maml:para>By using this setting, you can configure connection request policy to forward accounting information to an NPS or other RADIUS server in a remote RADIUS server group so that the remote RADIUS server group performs accounting.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you have multiple RADIUS servers and you want accounting information for all servers stored in one central RADIUS accounting database, you can use the connection request policy accounting setting in a policy on each RADIUS server to forward accounting data from all of the servers to one NPS or other RADIUS server that is designated as an accounting server.</maml:para>
</maml:alertSet>

<maml:para>Connection request policy accounting settings function independently of the accounting configuration of the local NPS server. In other words, if you configure the local NPS server to log RADIUS accounting information to a local file or to a Microsoft® SQL Server™ database, it will do so regardless of whether you configure a connection request policy to forward accounting messages to a remote RADIUS server group.</maml:para>

<maml:para>If you want accounting information logged remotely but not locally, you must configure the local NPS server to not perform accounting, while also configuring accounting in a connection request policy to forward accounting data to a remote RADIUS server group.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Attribute manipulation</maml:title><maml:introduction>
<maml:para>You can configure a set of find-and-replace rules that manipulate the text strings of one of the following attributes:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User Name</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Called Station ID</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Calling Station ID</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Find-and-replace rule processing occurs for one of the preceding attributes before the RADIUS message is subject to authentication and accounting settings. Attribute manipulation rules apply only to a single attribute. You cannot configure attribute manipulation rules for each attribute. In addition, the list of attributes that you can manipulate is a static list; you cannot add to the list of attributes available for manipulation.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you are using the MS-CHAP v2 authentication protocol, you cannot manipulate the <maml:ui>User Name</maml:ui> attribute if the connection request policy is used to forward the RADIUS message. The only exception occurs when a backslash (\) character is used and the manipulation only affects the information to the left of it. A backslash character is typically used to indicate a domain name (the information to the left of the backslash character) and a user account name within the domain (the information to the right of the backslash character). In this case, only attribute manipulation rules that modify or replace the domain name are allowed.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Forwarding request</maml:title><maml:introduction>
<maml:para>You can set the following forwarding request options that are used for RADIUS Access-Request messages:</maml:para>

<maml:para><maml:ui>Authenticate requests on this server</maml:ui>. By using this setting, NPS uses a Windows NT 4.0 domain, Active Directory, or the local Security Accounts Manager (SAM) user accounts database to authenticate the connection request. This setting also specifies that the matching network policy configured in NPS, along with the dial-in properties of the user account, are used by NPS to authorize the connection request. In this case, the NPS server is configured to perform as a RADIUS server.</maml:para>

<maml:para><maml:ui>Forward requests to the following remote RADIUS server group</maml:ui>. By using this setting, NPS forwards connection requests to the remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the NPS server acts as a RADIUS proxy.</maml:para>

<maml:para><maml:ui>Accept users without validating credentials</maml:ui>. By using this setting, NPS does not verify the identity of the user attempting to connect to the network and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an Access-Accept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before user credentials are authenticated. Because no credentials are checked, every connection request that matches the conditions of a connection request policy using this setting is granted access, regardless of the authentication methods that are configured in network policy.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This authentication option cannot be used when the authentication protocol of the access client is MS-CHAP v2 or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the NPS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Advanced</maml:title><maml:introduction>
<maml:para>You can set advanced properties to specify the series of RADIUS attributes that are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Added to the RADIUS response message when the NPS server is being used as a RADIUS authentication or accounting server.</maml:para>

<maml:para>When there are attributes specified on both a network policy and the connection request policy, the attributes that are sent in the RADIUS response message are the combination of the two sets of attributes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Added to the RADIUS message when the NPS server is being used as a RADIUS authentication or accounting proxy. If the attribute already exists in the message that is forwarded, it is replaced with the value of the attribute specified in the connection request policy.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, some attributes that are available for configuration on the connection request policy <maml:ui>Settings</maml:ui> tab in the <maml:ui>Advanced</maml:ui> category provide specialized functionality. For example, you can configure the <maml:ui>Remote RADIUS to Windows User Mapping</maml:ui> attribute when you want to split the authentication and authorization of a connection request between two user accounts databases.</maml:para>

<maml:para>The <maml:ui>Remote RADIUS to Windows User Mapping</maml:ui> attribute specifies that Windows authorization occurs for users who are authenticated by a remote RADIUS server. In other words, a remote RADIUS server performs authentication against a user account in a remote user accounts database, but the local NPS server authorizes the connection request against a user account in a local user accounts database. This is useful when you want to allow visitors access to your network.</maml:para>

<maml:para>For example, visitors from partner organizations can be authenticated by their own partner organization RADIUS server, and then use a Windows user account at your organization to access a guest local area network (LAN) on your network.</maml:para>

<maml:para>Other attributes that provide specialized functionality are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout</maml:ui>. These attributes are used when you deploy Network Access Quarantine Control (NAQC) with your Routing and Remote Access VPN deployment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Passport-User-Mapping-UPN-Suffix</maml:ui>. This attribute allows you to authenticate connection requests with Windows Live™ ID user account credentials.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Tunnel-Tag</maml:ui>. This attribute designates the VLAN ID number to which the connection should be assigned by the NAS when you deploy virtual local area networks (VLANs).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Default connection request policy</maml:title><maml:introduction>
<maml:para>A default connection request policy is created when you install NPS. This policy has the following configuration:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Authentication</maml:ui> is not configured.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Accounting</maml:ui> is not configured to forward accounting information to a remote RADIUS server group.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Attribute</maml:ui> is not configured with attribute manipulation rules that forward connection requests to remote RADIUS server groups.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Forwarding Request</maml:ui> is configured so that connection requests are authenticated and authorized on the local NPS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Advanced</maml:ui> attributes are not configured.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The default connection request policy uses NPS as a RADIUS server. To configure a server running NPS to act as a RADIUS proxy, you must also configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy by using the New Connection Request Policy Wizard. You can either delete the default connection request policy or verify that the default connection request policy is the last policy processed.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If NPS and the Routing and Remote Access service are installed on the same computer, and the Routing and Remote Access service is configured for Windows authentication and accounting, it is possible for Routing and Remote Access authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Routing and Remote Access authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement for VPN</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Access Protection (NAP) enforcement for virtual private networking (VPN) is deployed by using a VPN enforcement server component and a VPN enforcement client component. By using this enforcement method, VPN servers can enforce health policy when client computers attempt to connect to the network by using a VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network by using a VPN connection.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server® 2003 and Internet Security and Acceleration (ISA) Server 2004.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Requirements</maml:title><maml:introduction>
<maml:para>To deploy NAP with VPN, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install and configure the Routing and Remote Access service as a VPN server. Configure your server running Network Policy Server (NPS) as the primary Remote Authentication Dial-In User Service (RADIUS) server in Routing and Remote Access.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In NPS, configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP Remote Access and EAP enforcement clients on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), issue server certificates with either AD CS or purchase server certificates from a trusted root certification authority (CA).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:para>If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the <maml:ui>Allow full network access for a limited time</maml:ui> option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy.</maml:para>

<maml:para>After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>System Health Validator Error Codes</maml:title><maml:introduction>

</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>System health validator (SHV) error codes can be returned for an SHV when the associated system health agent (SHA) on a Network Access Protection (NAP) client computer requests access to the network. If an error code is returned, you can choose whether to evaluate the NAP client computer as compliant or noncompliant with health requirements. By default, all error codes are set to noncompliant.</maml:para>
<maml:para>The following is a description of available error codes:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>SHV unable to contact required services</maml:phrase>. This error can occur if Network Policy Server (NPS) loses connectivity to a health requirement server, such as an antivirus signature server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>SHA unable to contact required services</maml:phrase>. This error can occur if the SHA is unable to successfully read the client configuration.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>SHA not responding to NAP Client</maml:phrase>. This error can occur if an SHA is not properly initialized and registered.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>SHV not responding</maml:phrase>. This error can occur if the performance of an SHV is degraded (for example, if NPS is out of memory).</maml:para>
</maml:listItem><maml:listItem>
<maml:para><maml:phrase>Vendor specific error code received</maml:phrase>. This error can occur if NPS receives an error code that is unique to the SHA or SHV vendor. Some vendors might return this code when NPS is unable to contact a health requirement server.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>System Health Validator Settings</maml:linkText><maml:uri href="mshelp://windows/?id=396c8b17-fdc0-43dc-8419-31311f8ac665"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure NPS for Dial-Up and VPN Access</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>This checklist provides the tasks required to deploy dial-up and virtual private network (VPN) servers with Network Policy Server (NPS).</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Install and configure dial-up and VPN servers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for Dial-Up or VPN Connections</maml:linkText><maml:uri href="mshelp://windows/?id=912212d0-b52c-4f64-ace4-41fc01cfc5aa"></maml:uri></maml:navigationLink> and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Determine the authentication method that you want to use.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for Dial-Up or VPN Connections</maml:linkText><maml:uri href="mshelp://windows/?id=912212d0-b52c-4f64-ace4-41fc01cfc5aa"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Certificate Requirements for PEAP and EAP</maml:linkText><maml:uri href="mshelp://windows/?id=a1ac8d7e-3479-46b4-932b-ab43362e021b"></maml:uri></maml:navigationLink>; and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Autoenroll a server certificate to servers running NPS or, if you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) only, purchase a server certificate.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy a CA and NPS Server Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=58ec6857-153e-417f-b63c-40fd6addd216"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=33675"></maml:uri></maml:navigationLink> on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=33675 </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>If you are using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both user and computer certificates, to domain users and domain member client computers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy Client Computer Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Deploy User Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=25b886ed-75e9-4f49-8ca0-c90991dfc20e"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure dial-up and VPN servers as Remote Authentication Dial-In User Service (RADIUS) clients in NPS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the VPN servers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Create a Group for a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=c29cb16a-4263-47d9-8bbe-0d5db799ca7c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>In NPS, configure one or more network policies for dial-up and VPN servers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=f4522491-921b-4ca9-974c-a41b90883ca7"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Create Policies for Dial-Up or VPN with a Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=cfa37f4c-8133-4df8-9db8-657a0784ffd5"></maml:uri></maml:navigationLink>; and <maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NPS Server Certificate: Configure the Template and Autoenrollment</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for server certificates that are enrolled to servers running Network Policy Server (NPS).</maml:para>

<maml:para>Membership in both the <maml:computerOutputInline>Enterprise Admins</maml:computerOutputInline> and the <maml:computerOutputInline>Domain Admins</maml:computerOutputInline> group of the root domain is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To configure the certificate template and auto-enrollment</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Certificate Services is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certification Authority</maml:ui>. Select the CA that you want to manage, and then click <maml:ui>Finish</maml:ui>. The <maml:ui>Certification Authority</maml:ui> dialog box closes, returning to the <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificate Templates</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificate Templates</maml:ui>. All of the certificate templates are displayed in the details pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the <maml:ui>RAS and IAS Server</maml:ui> template.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Duplicate Template</maml:ui>. In the <maml:ui>Duplicate Template</maml:ui> dialog box, select the template version appropriate for your deployment, and then click <maml:ui>OK</maml:ui>. The new template properties dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General </maml:ui>tab, in <maml:ui>Display Name</maml:ui>, type a new name for the certificate template or keep the default name.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security </maml:ui>tab. In <maml:ui>Group or user names</maml:ui>, click <maml:ui>RAS and IAS Servers</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Permissions for RAS and IAS Servers</maml:ui>, under <maml:ui>Allow</maml:ui>, select the <maml:ui>Enroll</maml:ui> and <maml:ui>Autoenroll</maml:ui> permission check boxes, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certification Authority</maml:ui>, double-click the CA name, and then click <maml:ui>Certificate Templates</maml:ui>. On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui>. The <maml:ui>Enable Certificate Templates</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Enable Certificate Templates</maml:ui>, click the name of the certificate template you just configured, and then click <maml:ui>OK</maml:ui>. For example, if you did not change the default certificate template name, click <maml:ui>Copy of RAS and IAS Server</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Domain Services (AD DS) is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Group Policy Management Editor</maml:ui>. The <maml:ui>Select Group Policy Object</maml:ui> wizard opens. Click <maml:ui>Browse</maml:ui>, and then select the <maml:ui>Default Domain Policy</maml:ui>. Click <maml:ui>OK</maml:ui>, click <maml:ui>Finish</maml:ui>, and then click <maml:ui>OK</maml:ui> again.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Default Domain Policy</maml:ui>. Open <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Policies</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then select <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click <maml:ui>Certificate Services Client - Auto-Enrollment</maml:ui>. The <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box, in <maml:ui>Configuration Model</maml:ui>, select <maml:ui>Enabled</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Renew expired certificates, update pending certificates, and remove revoked certificates</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Update certificates that use certificate templates</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:para>After you complete this procedure, servers running NPS automatically enroll a server certificate when Group Policy is refreshed. To refresh Group Policy, restart the server or, at the command prompt, run <maml:computerOutputInline>gpupdate</maml:computerOutputInline>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>NPS Server Certificate: CA Installation</maml:linkText><maml:uri href="mshelp://windows/?id=7a2cb3e1-d6de-44d8-8f8e-7309acb68383"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista</maml:title><maml:introduction>
<maml:para>Use the procedures in this section to configure the New Wireless Network Policy for client computers running Windows® 7 and Windows Vista® that connect to your wireless network by using 802.1X-capable wireless access points (APs).</maml:para>


<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete these procedures. </maml:para>


<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=58cb0d00-d084-47c0-9fe7-b8f4b0166a4c"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=a66e6bd0-d710-4668-a9f0-f44222ea10fd"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=d82f6c3d-52d2-489a-b21e-cba7dd6850f5"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Network Permissions and Connection Preferences</maml:linkText><maml:uri href="mshelp://windows/?id=88497044-c5b1-46a8-acc8-3be04052b6cf"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>

</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Log File Properties</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can configure Network Policy Server (NPS) to perform Remote Authentication Dial-In User Service (RADIUS) accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files in which you want to store the accounting data.</maml:para>

<maml:para>To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition that is separate from the system partition. The following provides more information about configuring accounting for NPS:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to <maml:computerOutputInline>\\.\pipe</maml:computerOutputInline> or <maml:computerOutputInline>\\</maml:computerOutputInline><maml:replaceable>ComputerName</maml:replaceable><maml:computerOutputInline>\pipe</maml:computerOutputInline>. The named pipe server program creates a named pipe called <maml:computerOutputInline>\\.\pipe\iaslog.log</maml:computerOutputInline> to accept the data. In the <maml:ui>Local file properties</maml:ui> dialog box, in <maml:ui>Create a new log file</maml:ui>, select <maml:ui>Never (unlimited file size)</maml:ui> when you use named pipes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can specify the log file directory by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the path %windir%\System32\Logs\ uses the environment variable %windir% to place the log file in the \System32\Logs subfolder of the system directory.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log will have the previous format, and records at the end of the log will have the new format).</maml:para>
</maml:listItem>

<maml:listItem>
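<maml:para>If RADIUS accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources. This applies when <maml:ui>If logging fails, discard connection requests</maml:ui> is selected in <maml:ui>Logging failure action</maml:ui>, as described in the procedure in this topic.</maml:para>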
</maml:listItem>

<maml:listItem>
<maml:para>NPS provides the ability to log to a Microsoft® SQL Server™ database in addition to, or instead of, logging to a local file.</maml:para>
</maml:listItem>
</maml:list>



<maml:para>Membership in the <maml:computerOutputInline>Domain Admins</maml:computerOutputInline> group is the minimum required to perform this procedure.</maml:para>

<maml:procedure><maml:title>To configure NPS log file properties </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Accounting</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, in <maml:ui>Log File Properties</maml:ui>, click <maml:ui>Change Log File Properties</maml:ui>. The <maml:ui>Log File Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Log File Properties</maml:ui>, on the <maml:ui>Settings</maml:ui> tab, in <maml:ui>Log the following information</maml:ui>, ensure that you choose to log enough information to achieve your accounting goals. For example, if your logs need to accomplish session correlation, select all check boxes.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Logging failure action</maml:ui>, select <maml:ui>If logging fails, discard connection requests</maml:ui> if you want NPS to stop processing Access-Request messages when log files are full or unavailable for some reason. If you want NPS to continue processing connection requests if logging fails, do not select this check box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Log File Properties</maml:ui> dialog box, click the <maml:ui>Log File</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Log File</maml:ui> tab, in <maml:ui>Directory</maml:ui>, type the location where you want to store NPS log files. The default location is the <maml:replaceable>systemroot</maml:replaceable>\System32\LogFiles folder.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you do not supply a full path statement in <maml:ui>Log File Directory</maml:ui>, the default path is used. For example, if you type <maml:userInput>NPSLogFile</maml:userInput> in <maml:ui>Log File Directory</maml:ui>, the file is located at %systemroot%\System32\NPSLogFile.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Format</maml:ui>, click <maml:ui>DTS Compliant</maml:ui>.  If you prefer, you can instead select a legacy file format, such as <maml:ui>ODBC (Legacy)</maml:ui> or <maml:ui>IAS (Legacy)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Create a new log file</maml:ui>, to configure NPS to start new log files at specified intervals, click the interval that you want to use:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>For heavy transaction volume and logging activity, click <maml:ui>Daily</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For lesser transaction volumes and logging activity, click <maml:ui>Weekly</maml:ui> or <maml:ui>Monthly</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To store all transactions in one log file, click <maml:ui>Never (unlimited file size)</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To limit the size of each log file, click <maml:ui>When log file reaches this size</maml:ui>, and then type a file size, after which a new log is created. The default size is 10 megabytes (MB).</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you want NPS to delete old log files to create disk space for new log files when the hard disk is near capacity, ensure that <maml:ui>When disk is full delete older log files</maml:ui> is selected. This option is not available, however, if the value of <maml:ui>Create a new log file</maml:ui> is <maml:ui>Never (unlimited file size)</maml:ui>. Also, if the oldest log file is the current log file, it is not deleted.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wireless Access Clients by using Group Policy Management</maml:title><maml:introduction>
<maml:para>You can use the procedures in this section to configure Wireless Network (IEEE 802.11) Policies for client computers running Windows® 7, Windows Vista®, and Windows XP with Service Pack 3 (SP3) that connect to your wireless network by using 802.1X-capable wireless access points (APs).</maml:para>
<maml:para>By default, you can use the two wireless Group Policy Management extensions — Windows Vista New Wireless Network (IEEE 802.11) Policies and Wireless XP Network (IEEE 802.11) Policies — to configure the following 802.1X authentication:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), for authentication using smart cards or other certificates.</maml:para></maml:listItem>
<maml:listItem><maml:para>Protected EAP-TLS (PEAP-TLS), for authentication using smart cards or other certificates. </maml:para></maml:listItem>
<maml:listItem><maml:para>PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), for authentication using secure passwords.</maml:para></maml:listItem>
</maml:list>
<maml:para>You can configure computers running Windows 7 and Windows Vista by using the New Wireless Network Policy. You can use the New XP Wireless Policy to configure computers running Windows XP. Because there are separate policies for configuring computers running Windows XP and for computers running Windows Vista and later versions of Windows, the procedures to configure 802.1X authentication for 802.1X wireless access clients by using Group Policy Management are separated into two sections:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista</maml:linkText><maml:uri href="mshelp://windows/?id=50b75202-0103-4285-80ac-c1234c3b5e9c"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wireless Access Clients running Windows XP</maml:linkText><maml:uri href="mshelp://windows/?id=72747f28-80c0-45bf-8fcb-50938808b5b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>




<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure.  </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For information about activating or opening the Wireless Network (IEEE 802.11) Policies, see <maml:navigationLink><maml:linkText>Access Group Policy Extensions for 802.1X Wired and Wireless</maml:linkText><maml:uri href="mshelp://windows/?id=e7b2e1e2-9da4-4a68-a1db-6a0886f7e028"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet>

</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create policies for 802.1X Wired or Wireless with a Wizard</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to create the connection request policies and network policies required to deploy either 802.1X authenticating switches or 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients to the Network Policy Server (NPS) RADIUS server.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. </maml:para>
</maml:alertSet>

<maml:para>This procedure explains how to start the <maml:ui>New IEEE 802.1X Secure Wired and Wireless Connections</maml:ui> wizard in NPS.</maml:para>

<maml:para>After you run the wizard, the following policies are created:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>One connection request policy</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>One network policy</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Running the <maml:ui>New IEEE 802.1X Secure Wired and Wireless Connections</maml:ui> wizard is not the only step required to deploy 802.1X authenticating switches and wireless access points as RADIUS clients to the NPS server. Both network access methods require that you deploy additional hardware and software components.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can run the <maml:ui>New IEEE 802.1X Secure Wired and Wireless Connections</maml:ui> wizard every time you need to create new policies for 802.1X access.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To create policies for 802.1X wired or wireless with a wizard</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console. If it is not already selected, click <maml:ui>NPS (Local)</maml:ui>. If you are running the NPS MMC snap-in and want to create policies on a remote NPS server, select the server.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Getting Started</maml:ui> and <maml:ui>Standard Configuration</maml:ui>, select <maml:ui>RADIUS server for 802.1X Wireless or Wired Connections</maml:ui>. The text and links below the text change to reflect your selection.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Configure 802.1X using a wizard</maml:ui>. The <maml:ui>New IEEE 802.1X Secure Wired and Wireless Connections</maml:ui> wizard opens.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) wireless profile.</maml:para>
<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure a PEAP-MS-CHAP v2 wireless profile for computers running Windows 7 and Windows Vista </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open the New Wireless Network (IEEE 802.11) Policies Properties dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>General</maml:ui> tab, in <maml:ui>Policy Name</maml:ui>, type a new name for your policy, or leave the default.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Description</maml:ui>, type a description of your policy.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>Use Windows to configure wireless network settings for clients</maml:ui> to specify that WLAN AutoConfig is used to configure wireless network adapter settings.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do one of the following: </maml:para>

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To add and configure a new profile, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To edit an existing profile, select the profile you want to modify, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Connection</maml:ui> tab, in <maml:ui>Profile Name</maml:ui>, if you are adding a new profile, type a name for the profile. If you are editing a profile that is already added, use the existing profile name, or modify the name as needed. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Network Name(s) (SSID)</maml:ui>, type the service set identifier (SSID) for your wireless APs, and then click <maml:ui>Add</maml:ui>. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients automatically connect to wireless APs for which the SSID is specified in <maml:ui>Network Name(s) (SSID)</maml:ui>, select <maml:ui>Connect automatically when this network is in range</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients connect to networks in order of preference, select <maml:ui>Connect to a more preferred network if available</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you deployed wireless access points that are configured to suppress the broadcast beacon, select <maml:ui>Connect even if the network is not broadcasting</maml:ui>. </maml:para>
<maml:alertSet class="security"><maml:title>Security Note </maml:title><maml:para>Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Security</maml:ui> tab. In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select <maml:ui>WPA2-Enterprise</maml:ui> if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>WPA-Enterprise</maml:ui>. </maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Selecting WPA2 exposes settings for Fast Roaming that are not displayed if WPA is selected. The default settings for Fast Roaming are sufficient for most wireless deployments.</maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Encryption</maml:ui>, select <maml:ui>AES</maml:ui>, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>TKIP</maml:ui>. TKIP provides weaker protection than AES, so use it only for hardware that cannot support AES. </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The settings for both <maml:ui>Authentication</maml:ui> and <maml:ui>Encryption</maml:ui> must match the settings configured on your wireless AP. </maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Microsoft: Protected EAP (PEAP)</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui>, <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para> Click <maml:ui>Advanced</maml:ui>, and then configure the following: </maml:para>

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To configure advanced 802.1X settings, in <maml:ui>IEEE 802.1X</maml:ui>, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then configure the following settings, depending on your needs: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, and <maml:ui>Auth Period</maml:ui>. </maml:para><maml:para>When the advanced 802.1X settings are enforced, the default values are sufficient for most wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify when Single Sign On occurs, select either <maml:ui>Perform immediately before User Logon</maml:ui> or <maml:ui>Perform immediately after User Logon</maml:ui>, depending on your needs.</maml:para>
<maml:para>The remaining default values in <maml:ui>Single Sign On</maml:ui> are sufficient for typical wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify the maximum amount of time, in seconds, in which 802.1X authentication must complete and authorize network access, in <maml:ui>Max delay for connectivity (seconds)</maml:ui>, enter a value, depending on your needs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To allow dialogs during Single Sign On, select <maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless computers are placed on one virtual local area network (VLAN) at startup, and then transitioned to a different network after the user logs on to the computer, select <maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Fast Roaming, in <maml:ui>Fast Roaming</maml:ui>, select <maml:ui>Enable Pairwise Master Key (PMK) Caching</maml:ui>. The default values for <maml:ui>PMK Time to Live (minutes)</maml:ui> and <maml:ui>Number of entries in PMK Cache</maml:ui> are typically sufficient for Fast Roaming.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>This network uses pre-authentication</maml:ui>, if your wireless AP is configured for pre-authentication. 
The default value of 3 is typically sufficient for <maml:ui>Maximum Pre-authentication attempts</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that cryptography adheres to the FIPS 140-2 certified mode, select <maml:ui>Perform cryptography in FIPS 140-2 certified mode</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save your settings and return to the <maml:ui>Security</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Properties</maml:ui>. The <maml:ui>Protected EAP Properties</maml:ui> dialog box opens.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Protected EAP Properties</maml:ui>, verify that <maml:ui>Validate server certificate</maml:ui> is selected. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS). </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This setting limits the trusted root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, then clients trust all root CAs listed in their trusted root certification authority store. In that case, a server certificate that chains to any of those root CAs can pass validation, so select only the CA that issued the NPS server certificate. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wireless access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Secured Password (EAP-MS-CHAP v2)</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable PEAP Fast Reconnect, select <maml:ui>Enable Fast Reconnect</maml:ui>. 
</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To require cryptobinding Type-Length-Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To configure your clients so that they will not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and then in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty.</maml:para>
<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui> but do not provide an anonymous identity value, the identity response is @realm.
</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Configure</maml:ui>. In the <maml:ui>EAP MSCHAPv2 Properties</maml:ui> dialog box, verify <maml:ui>Automatically use my Windows logon name and password (and domain if any)</maml:ui> is selected, click <maml:ui>OK</maml:ui>, and then click <maml:ui>OK</maml:ui> to close <maml:ui>Protected EAP Properties</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to save your settings and close the <maml:ui>Security</maml:ui> tab, and then click <maml:ui>OK</maml:ui> again to close Vista Wireless Network Policy.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploy a CA and NPS Server Certificate</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use these procedures to install Active Directory® Certificate Services (AD CS) and enroll a server certificate to servers running Network Policy Server (NPS). If you deploy certificate-based authentication, servers running NPS must have a server certificate. During the authentication process, these servers send their server certificate to client computers as proof of identity.</maml:para>

<maml:para>The process of configuring NPS server certificate enrollment occurs in three stages:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para><maml:phrase>Install the AD CS server role</maml:phrase>. This step is required only if you have not already deployed a certification authority (CA) on your network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Configure a server certificate template and autoenrollment</maml:phrase>. The CA issues certificates based on a certificate template, so you must configure the template for the NPS server certificate before the CA can issue a certificate. When you configure autoenrollment, all servers running NPS on your network will automatically receive a server certificate when Group Policy on the server running NPS is refreshed. If you add more servers later, they will automatically receive a server certificate, too.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Refresh Group Policy on servers running NPS</maml:phrase>. When Group Policy is refreshed, the servers running NPS receive two certificates. One certificate is the server certificate based on the template that you configured in the previous step. This certificate is used by NPS to prove its identity to client computers that attempt to connect to your network. The other certificate is the issuing CA certificate, which is automatically installed on the servers running NPS in the Trusted Root Certification Authorities certificate store. NPS uses this certificate to determine whether to trust certificates it receives from other computers. For example, if you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because the server running NPS finds the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Rather than autoenrolling an NPS server certificate, you might want to enroll the certificate by using one of the following methods:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Manually import an NPS server certificate from floppy disk or compact disc into the NPS certificate store.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use the Certificate Services Web enrollment tool to obtain the NPS server certificate.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Because the NPS server certificate is a computer certificate, you must import the certificate into the certificate store for the Local Computer rather than for the Current User.</maml:para>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>If the NPS server certificate is erroneously installed in the Current User certificate store, NPS cannot use the certificate for EAP or Protected EAP (PEAP) authentication because the private keys of the certificate have an incorrectly configured access control list (ACL) that prevents key access by the local system. You can verify the location of the NPS server certificate by using the Certificates Microsoft Management Console (MMC) snap-in. If the NPS server certificate is in the incorrect location, do not attempt to drag and drop the certificate from the Current User to the Local Computer certificate store. The private keys for the certificate will still have an incorrectly configured ACL. Instead, revoke the certificate using AD CS and issue a new server certificate to the server running NPS.</maml:para>
</maml:alertSet>

<maml:para>To deploy a CA and autoenroll NPS server certificates, perform the following procedures:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>NPS Server Certificate: CA Installation</maml:linkText><maml:uri href="mshelp://windows/?id=7a2cb3e1-d6de-44d8-8f8e-7309acb68383"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>NPS Server Certificate: Configure the Template and Autoenrollment</maml:linkText><maml:uri href="mshelp://windows/?id=4e4f927d-3273-40b5-a33b-f550be1587e2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Remote RADIUS Server Group</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to add a new remote RADIUS server group in the Network Policy Server (NPS) snap-in.</maml:para>

<maml:para>When you configure NPS as a RADIUS proxy, you create a new connection request policy that NPS uses to determine which connection requests to forward to other RADIUS servers. In addition, the connection request policy is configured by specifying a remote RADIUS server group that contains one or more RADIUS servers, which tells NPS where to send the connection requests that match the connection request policy.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can also configure a new remote RADIUS server group during the process of creating a new connection request policy.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To add a remote RADIUS server group </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>RADIUS Clients and Servers</maml:ui>, right-click <maml:ui>Remote RADIUS Server Groups</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>The <maml:ui>New Remote RADIUS Server Group</maml:ui> dialog box opens. In <maml:ui>Group name</maml:ui>, type a name for the remote RADIUS server group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>RADIUS Servers</maml:ui>, click <maml:ui>Add</maml:ui>. The <maml:ui>Add RADIUS Servers</maml:ui> dialog box opens. Type the IP address of the RADIUS server that you want to add to the group, or type the Fully Qualified Domain Name (FQDN) of the RADIUS server, and then click <maml:ui>Verify</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Add RADIUS Servers</maml:ui>, click the <maml:ui>Authentication/Accounting</maml:ui> tab. In <maml:ui>Shared secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>, type the shared secret. You must use the same shared secret when you configure the local computer as a RADIUS client on the remote RADIUS server.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are not using Extensible Authentication Protocol (EAP) for authentication, click <maml:ui>Request must contain the message authenticator attribute</maml:ui>. EAP uses the Message-Authenticator attribute by default.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the authentication and accounting port numbers are correct for your deployment.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you use a different shared secret for accounting, in <maml:ui>Accounting</maml:ui>, clear the <maml:ui>Use the same shared secret for authentication and accounting</maml:ui> check box, and then type the accounting shared secret in <maml:ui>Shared secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you do not want to forward network access server start and stop messages to the remote RADIUS server, clear the <maml:ui>Forward network access server start and stop notifications to this server</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Client</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.</maml:para>
</maml:alertSet>

<maml:para>To deploy NPS as a RADIUS server, a RADIUS proxy, or a Network Access Protection (NAP) policy server, you must configure RADIUS clients in NPS.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>RADIUS client examples</maml:title><maml:introduction>
<maml:para>Examples of network access servers are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running the Windows Server® 2008 operating system and the Routing and Remote Access service that provides either traditional dial-up or virtual private network (VPN) remote access services to an organization intranet.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Wireless access points that provide physical layer access to an organization network using wireless-based transmission and reception technologies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that is configured on the RADIUS proxy.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>RADIUS Access-Request messages</maml:title><maml:introduction>
<maml:para>RADIUS clients either create RADIUS Access-Request messages and forward them to a RADIUS proxy or RADIUS server, or they forward to a RADIUS server Access-Request messages that they have received from another RADIUS client but have not created themselves.</maml:para>

<maml:para>RADIUS clients do not process Access-Request messages by performing authentication, authorization, and accounting. Only RADIUS servers perform these functions.</maml:para>

<maml:para>NPS, however, can be configured as both a RADIUS proxy and a RADIUS server simultaneously, so that it processes some Access-Request messages and forwards other messages.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>NPS as a RADIUS client</maml:title><maml:introduction>
<maml:para>NPS acts as a RADIUS client when you configure it as a RADIUS proxy to forward Access-Request messages to other RADIUS servers for processing. When you use NPS as a RADIUS proxy, the following general configuration steps are required:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Network access servers, such as wireless access points and VPN servers, are configured with the IP address of the NPS proxy as the designated RADIUS server or authenticating server. This allows the network access servers, which create Access-Request messages based on information they receive from access clients, to forward messages to the NPS proxy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS proxy is configured by adding each network access server as a RADIUS client. This configuration step allows the NPS proxy to receive messages from the network access servers and to communicate with them throughout authentication. In addition, connection request policies on the NPS proxy are configured to specify which Access-Request messages to forward to one or more RADIUS servers. These policies are also configured with a remote RADIUS server group, which tells NPS where to send the messages it receives from the network access servers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS or other RADIUS servers that are members of the remote RADIUS server group on the NPS proxy are configured to receive messages from the NPS proxy. This is accomplished by configuring the NPS proxy as a RADIUS client.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>RADIUS client properties</maml:title><maml:introduction>
<maml:para>When you add a RADIUS client to the NPS configuration through the NPS snap-in or through the use of the netsh commands for NPS, you are configuring NPS to receive RADIUS Access-Request messages from either a network access server or a RADIUS proxy.</maml:para>

<maml:para>When you configure a RADIUS client in NPS, you can designate the following properties:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Client name</maml:para>

<maml:para>A friendly name for the RADIUS client, which makes it easier to identify when using the NPS snap-in or netsh commands for NPS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>IP address</maml:para>

<maml:para>The Internet Protocol version 4 (IPv4) address or the Domain Name System (DNS) name of the RADIUS client.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Client-Vendor</maml:para>

<maml:para>The vendor of the RADIUS client. If you are not sure of the vendor, you can use the RADIUS standard value for Client-Vendor.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Shared secret</maml:para>

<maml:para>A text string that is used as a password between RADIUS clients, RADIUS servers, and RADIUS proxies. When the Message Authenticator attribute is used, the shared secret is also used as the key for the keyed hash that protects the integrity of RADIUS messages; it does not encrypt the whole message. This string must be configured on the RADIUS client and in the NPS snap-in.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Message Authenticator attribute</maml:para>

<maml:para>Described in RFC 2869, "RADIUS Extensions," a keyed Message Digest 5 (HMAC-MD5) hash of the entire RADIUS message, computed with the shared secret as the key. If the RADIUS Message Authenticator attribute is present, it is verified. If it fails verification, the RADIUS message is discarded. If the client settings require the Message Authenticator attribute and it is not present, the RADIUS message is discarded. Use of the Message Authenticator attribute is recommended.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Message Authenticator attribute is required and enabled by default when you use EAP authentication. </maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Client is NAP-capable</maml:para>

<maml:para>A designation that the RADIUS client is compatible with Network Access Protection (NAP), and NPS sends NAP attributes to the RADIUS client in the Access-Accept message.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Network Policies</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para><maml:newTerm>Network policies</maml:newTerm> are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy Network Access Protection (NAP), health policy is added to the network policy configuration so that Network Policy Server (NPS) performs client health checks during the authorization process.</maml:para>

<maml:para>When processing connection requests as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs both authentication and authorization for the connection request. During the authentication process, NPS verifies the identity of the user or computer that is connecting to the network. During the authorization process, NPS determines whether the user or computer is allowed to access the network.</maml:para>

<maml:para>To make this determination, NPS uses network policies that are configured in the NPS Microsoft Management Console (MMC) snap-in. NPS also examines the dial-in properties of the user account in Active Directory® Domain Services (AD DS) to perform authorization.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>In Internet Authentication Service (IAS) in the Windows Server® 2003 operating systems, network policies were called <maml:newTerm>remote access policies</maml:newTerm>.</maml:para>
</maml:alertSet>

<maml:para>Network policies can be viewed as rules. Each rule has a set of conditions and settings. NPS compares the conditions of the rule to the properties of connection requests. If a match occurs between the rule and the connection request, the settings defined in the rule are applied to the connection.</maml:para>

<maml:para>When multiple network policies are configured in NPS, they are an ordered set of rules. NPS checks each connection request against the first rule in the list, then the second, and so on, until a match is found.</maml:para>

<maml:para>Each network policy has a <maml:ui>Policy State</maml:ui> setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you want NPS to evaluate a network policy when performing authorization for connection requests, you must configure the <maml:ui>Policy State</maml:ui> setting by selecting the <maml:ui>Policy enabled </maml:ui>check box.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>Network policy properties</maml:title><maml:introduction>
<maml:para>There are four categories of properties for each network policy:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Overview</maml:para>

<maml:para>These properties allow you to specify whether the policy is enabled, whether the policy grants or denies access, and whether a specific network connection method, or type of network access server (NAS), is required for connection requests. Overview properties also allow you to specify whether the dial-in properties of user accounts in AD DS are ignored. If you select this option, only the settings in the network policy are used by NPS to determine whether the connection is authorized.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Conditions</maml:para>

<maml:para>These properties allow you to specify the conditions that the connection request must have in order to match the network policy; if the conditions configured in the policy match the connection request, NPS applies the settings designated in the network policy to the connection. For example, if you specify the NAS IPv4 address as a condition of the network policy and NPS receives a connection request from a NAS that has the specified IP address, the condition in the policy matches the connection request. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Constraints</maml:para>

<maml:para>Constraints are additional parameters of the network policy that are required to match the connection request. If a constraint is not matched by the connection request, NPS automatically rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a constraint is not matched, NPS denies the connection request without evaluating additional network policies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Settings</maml:para>

<maml:para>These properties allow you to specify the settings that NPS applies to the connection request if all of the network policy conditions for the policy are matched.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When you add a new network policy by using the NPS snap-in, you must use the New Network Policy Wizard. After you have created a network policy by using the wizard, you can customize the policy by double-clicking the policy in the NPS snap-in to obtain the policy properties.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure SQL Server Logging in NPS</maml:title><maml:introduction>
<maml:para>Use this procedure to log Remote Authentication Dial-In User Service (RADIUS) accounting data to a local or remote database running Microsoft® SQL Server™.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can configure Network Policy Server (NPS) to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure logging properties and the connection to the server running SQL Server that stores your accounting data.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>NPS formats accounting data as an XML document that it sends to the <maml:computerOutputInline>report_event</maml:computerOutputInline> stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to function properly, you must have a stored procedure named <maml:computerOutputInline>report_event</maml:computerOutputInline> in the SQL Server database that can receive and parse the XML documents from NPS.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To configure SQL Server logging in NPS</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Accounting</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, in <maml:ui>SQL Server Logging Properties</maml:ui>, click <maml:ui>Change SQL Server Logging Properties</maml:ui>. The <maml:ui>SQL Server Logging Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Log the following information</maml:ui>, select the information that you want to log: </maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>To log all accounting requests, click <maml:ui>Accounting requests</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To log authentication requests, click <maml:ui>Authentication requests</maml:ui>.</maml:para>
</maml:listItem>
<maml:listItem><maml:para>To log periodic accounting status, click <maml:ui>Periodic accounting status</maml:ui>.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>To log periodic status, such as interim accounting requests, click <maml:ui>Periodic status</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To configure the number of concurrent sessions allowed between the server running NPS and the SQL Server, type a number in <maml:ui>Maximum number of concurrent sessions</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To configure the SQL Server data source, in <maml:ui>SQL Server Logging</maml:ui>, click <maml:ui>Configure</maml:ui>. The <maml:ui>Data Link Properties</maml:ui> dialog box opens. On the <maml:ui>Connection</maml:ui> tab, specify the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To specify the name of the server on which the database is stored, type or select a name in <maml:ui>Select or enter a server name</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To specify the authentication method with which to log on to the server, click <maml:ui>Use Windows NT integrated security</maml:ui>. Or, click <maml:ui>Use a specific user name and password</maml:ui>, and then type credentials in <maml:ui>User name</maml:ui> and <maml:ui>Password</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
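<maml:para>To allow a blank password, click <maml:ui>Blank password</maml:ui>. Because an account with a blank password can be used by anyone who can reach the server running SQL Server, this option is appropriate only for isolated test databases.</maml:para>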
</maml:listItem>

<maml:listItem>
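<maml:para>To store the password, click <maml:ui>Allow saving password</maml:ui>. The password is then kept with the saved connection settings; selecting <maml:ui>Use Windows NT integrated security</maml:ui> instead avoids storing a SQL Server password at all.</maml:para>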
</maml:listItem>

<maml:listItem>
<maml:para>To specify which database to connect to on the computer running SQL Server, click <maml:ui>Select the database on the server</maml:ui>, and then select a database name from the list.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To test the connection between NPS and SQL Server, click <maml:ui>Test Connection</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>PEAP Overview</maml:title><maml:introduction>
<maml:para>Protected Extensible Authentication Protocol (PEAP) is a member of the Extensible Authentication Protocol (EAP) family of protocols.</maml:para>
<maml:para>PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running Network Policy Server (NPS) or other Remote Authentication Dial-In User Service (RADIUS) server.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>PEAP and NPS</maml:title><maml:introduction>


<maml:para>PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients connecting to your organization network through the following types of network access servers:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>802.1X wireless access points</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>802.1X authenticating switches</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Virtual private network (VPN) servers running Windows Server® 2008 or Windows Server® 2008 R2 and the Routing and Remote Access service </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Computers running Windows Server 2008 and Terminal Services Gateway (TS Gateway) or Windows Server® 2008 R2 and Remote Desktop Gateway (RD Gateway).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To enhance both the EAP protocols and network security, PEAP provides:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A TLS channel that provides protection for the EAP method negotiation that occurs between client and server. This TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial-of-service attacks against the NPS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this functionality.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Clients with the ability to authenticate the NPS server or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Protection against the deployment of an unauthorized wireless access point; this protection applies at the moment when the EAP client authenticates the certificate provided by the NPS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. PEAP fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following table lists the strengths of PEAP-MS-CHAP v2 and compares it to MS-CHAP v2.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Feature/function</maml:para>
</maml:entry>
<maml:entry>
<maml:para>MS-CHAP v2</maml:para>
</maml:entry>
<maml:entry>
<maml:para>PEAP-MS-CHAP v2</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Provides client authentication using passwords.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Ensures that the server has access to credentials.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Authenticates the server.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Prevents wireless access point spoofing.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Prevents an unauthorized server from negotiating the least secure authentication method.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Uses TLS keys generated with a public key.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Provides end-to-end encryption.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Prevents dictionary or brute force attacks.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Prevents replay attacks.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Allows chaining of authentication methods.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Requires client trust of certificates provided by the server.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>PEAP authentication process</maml:title><maml:introduction>
<maml:para>There are two stages in the PEAP authentication process between the PEAP client and the authenticator. The first stage establishes a secure channel between the PEAP client and the authenticating server. The second stage provides EAP authentication between the PEAP client and authenticator.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>TLS encrypted channel</maml:title><maml:introduction>
<maml:para>In the first stage of PEAP authentication, the TLS channel is created between the PEAP client and the NPS server. The following steps illustrate how this TLS channel is created for wireless PEAP clients.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>The PEAP client associates with a wireless access point that is configured as a RADIUS client to a server running NPS. An IEEE 802.11-based association provides an Open System or Shared Key Authentication before a secure association is created between the PEAP client and the access point.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>After the IEEE 802.11-based association is successfully established between the client and access point, the TLS session is negotiated through the access point, which forwards the messages to the NPS server and is not itself the TLS endpoint.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>After computer-level authentication is successfully completed between the wireless PEAP client and the NPS server, the TLS session is negotiated between them. The key that is derived during this negotiation is used to encrypt all subsequent communication, including network access authentication that allows the user to connect to the organization network.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>EAP-authenticated communication</maml:title><maml:introduction>
<maml:para>Complete EAP communication, including EAP negotiation, occurs through the TLS channel and is the second stage of PEAP authentication. The following steps extend the previous example and illustrate how wireless clients complete authentication with the NPS server using PEAP.</maml:para>

<maml:para>After the TLS channel is created between the NPS server and the PEAP client, the client passes the credentials (user name and password or a user or computer certificate) to the NPS server through the encrypted channel.</maml:para>

<maml:para>The access point only forwards messages between wireless client and RADIUS server; the access point (or a person monitoring it) cannot decrypt these messages because it is not the TLS endpoint.</maml:para>

<maml:para>The NPS server authenticates the user and client computer with the authentication type that is selected for use with PEAP. The authentication type can be either EAP-TLS (smart card or other certificate) or EAP-MS-CHAP v2 (secure password).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can configure PEAP as the authentication method in NPS network policy.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>EAP types</maml:title><maml:introduction>
<maml:para>You can choose between two EAP types, also called <maml:newTerm>authentication types</maml:newTerm>, for use with PEAP: EAP-MS-CHAP v2 or EAP-TLS. EAP-MS-CHAP v2 uses password-based credentials (user name and password) for user authentication, and a certificate in the server computer certificate store for server authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication, and a certificate in the server computer certificate store for server authentication.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>PEAP with EAP-MS-CHAP v2</maml:title><maml:introduction>
<maml:para>PEAP with EAP-MS-CHAP v2 (PEAP-MS-CHAP v2) is easier to deploy than EAP-TLS because user authentication is accomplished by using password-based credentials (user name and password) instead of certificates or smart cards. Only the NPS server or other RADIUS server is required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.</maml:para>

<maml:para>Successful PEAP-MS-CHAP v2 authentication requires that the client trust the NPS server after examining the server certificate. For the client to trust the NPS server, the certificate of the certification authority (CA) that issued the server certificate (the CA's own certificate, which is different from the server certificate) must be in the Trusted Root Certification Authorities certificate store on client computers. The server authentication that PEAP adds depends on the client performing this certificate check.</maml:para>

<maml:para>The server certificate used by NPS can be issued by either the trusted root CA of your organization or by a public CA, such as VeriSign or Thawte, that is already trusted by the client computer. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>PEAP-MS-CHAP v2 provides greatly improved security over MS-CHAP v2 by providing key generation with TLS and by using mutual authentication, which prevents an unauthorized server from negotiating the least secure authentication method with the PEAP client.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>PEAP with EAP-TLS</maml:title><maml:introduction>
<maml:para>When you deploy a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS), you can use PEAP with EAP-TLS (PEAP-TLS). Certificates provide a much stronger authentication method than the methods that use password-based credentials. PEAP-TLS uses certificates for server authentication and either smart cards, which contain an embedded certificate, or certificates enrolled to client computers that are stored on the local computer in the certificate store, for user and client computer authentication. To use PEAP-TLS, you must deploy a PKI.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>PEAP fast reconnect</maml:title><maml:introduction>
<maml:para>PEAP fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point.</maml:para>

<maml:para>Wireless access points are configured as RADIUS clients to RADIUS servers. If a wireless client roams between access points that are configured as clients to the same RADIUS server, the client is not required to be authenticated with each new association. When a client moves to an access point that is configured as a RADIUS client to a different RADIUS server, although the client is reauthenticated, this process occurs much more efficiently and quickly.</maml:para>

<maml:para>PEAP fast reconnect reduces the response time for authentication between client and authenticator because the authentication request is forwarded from the new access point to the NPS server that originally performed authentication and authorization for the client connection request. Because both the PEAP client and NPS server use previously cached TLS connection properties (the collection of which is named the <maml:newTerm>TLS handle</maml:newTerm>), the NPS server can quickly determine that the client connection is a reconnect.</maml:para>

<maml:para>The client can cache TLS handles for multiple PEAP authenticators. If the original NPS server is unavailable, full authentication must occur between the client and the new authenticator. The TLS handle for the new PEAP authenticator is cached by the client. For smart cards or PEAP-MS-CHAP v2 authentication, the user is asked to supply the PIN or credentials, respectively.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>With PEAP-MS-CHAP v2 authentication:</maml:title><maml:introduction>
<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>When the new access point is a client to the same RADIUS server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>When the new access point is a client to a new RADIUS server</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>The user is not prompted for credentials each time the client computer associates with a new access point.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The user is prompted for credentials on this initial association. The next time the client computer associates with an access point that is a client to this server, user credentials are not required. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>The RADIUS server is not required to provide a certificate.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The RADIUS server provides a certificate on this initial association so that the wireless client can authenticate the RADIUS server. The next time the client computer associates with an access point that is a client to this server, the server is not required to be reauthenticated.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section>

<maml:section>
<maml:title>With PEAP-TLS authentication:</maml:title><maml:introduction>
<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>When the new access point is a client to the same RADIUS server </maml:para>
</maml:entry>
<maml:entry>
<maml:para>When the new access point is a client to a new RADIUS server </maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>The client and server are not required to exchange certificates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The client and server exchange certificates on this initial association. The next time the client computer associates with an access point that is a client to this server, certificates are not exchanged.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>The user is not prompted for a smart card personal identification number (PIN) each time the client computer associates with a new access point.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The user is prompted for a smart card PIN on this initial association. The next time the client computer associates with an access point that is a client to this server, the user is not prompted for the PIN.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>To enable PEAP fast reconnect:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Both the PEAP client (802.11 wireless client) and PEAP authenticator (RADIUS server) must have fast reconnect enabled.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>All access points to which the PEAP client roams must be configured as RADIUS clients to a RADIUS server (the PEAP authenticator) for which PEAP is configured as the authentication method for wireless connections.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>All access points to which the PEAP client associates must be configured to prefer the same RADIUS server (PEAP authenticator) to avoid being prompted for credentials from every RADIUS server. If the access point cannot be configured to prefer a RADIUS server, you can configure an NPS RADIUS proxy with a preferred RADIUS server.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional information</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>PEAP does not support guest authentication.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability, because the same credentials are then also accepted outside the TLS channel that protects the PEAP exchange.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NPS Templates</maml:title><maml:introduction>

</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) templates allow you to create configuration elements, such as Remote Authentication Dial-In User Service (RADIUS) clients or shared secrets, that you can reuse on the local NPS server and export for use on other NPS servers.</maml:para>
<maml:para>NPS templates are designed to reduce the amount of time and cost that it takes to configure NPS on one or more servers. The following NPS template types are available for configuration in Templates Management:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Shared Secrets</maml:para></maml:listItem>
<maml:listItem><maml:para>RADIUS Clients</maml:para></maml:listItem>
<maml:listItem><maml:para>Remote RADIUS Servers</maml:para></maml:listItem>
<maml:listItem><maml:para>IP Filters</maml:para></maml:listItem>
<maml:listItem><maml:para>Health Policies</maml:para></maml:listItem>
<maml:listItem><maml:para>Remediation Server Groups</maml:para></maml:listItem>
</maml:list>
<maml:para>Configuring a template is different from configuring the NPS server directly. Creating a template does not affect the NPS server's functionality. It is only when you select the template in the appropriate location in the NPS console that the template affects the NPS server functionality.</maml:para>

<maml:para>For example, if you configure a RADIUS client in the NPS console under <maml:ui>RADIUS Clients and Servers</maml:ui>, you have altered the NPS server configuration and taken one step in configuring NPS to communicate with one of your network access servers. (The next step would be to configure the NAS to communicate with NPS.) However, if you configure a new RADIUS Clients template in the NPS console under <maml:ui>Templates Management</maml:ui> rather than creating a new RADIUS client under <maml:ui>RADIUS Clients and Servers</maml:ui>, you have created a template, but you have not altered the NPS server functionality yet. To alter the NPS server functionality, you must select the template from the correct location in the NPS console.</maml:para>
</maml:introduction>

<maml:sections>
<maml:section>
<maml:title>Creating templates</maml:title><maml:introduction>
<maml:para>To create a template, right-click a template type, such as IP Filters, and then click <maml:ui>New</maml:ui>. A new template properties dialog box opens that allows you to configure your template.</maml:para>
</maml:introduction></maml:section>
<maml:section><maml:title>Using templates locally</maml:title><maml:introduction>
<maml:para>You can use a template that you've created in <maml:ui>Templates Management</maml:ui> by navigating to a location in the NPS console where the template can be applied. For example, if you create a new Shared Secrets template that you want to apply to a RADIUS client configuration, in <maml:ui>RADIUS Clients and Servers</maml:ui> and <maml:ui>RADIUS Clients</maml:ui>, open the RADIUS client properties, and then in <maml:ui>Select an existing Shared Secrets template</maml:ui>, select the template you created from the list of templates.</maml:para>
</maml:introduction></maml:section>
</maml:sections></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Remote RADIUS Server Groups</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the connection requests because they can perform authentication and authorization in the domain where the user or computer account is located. For example, if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain.</maml:para>

<maml:para>To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.</maml:para>

<maml:para>When you configure a remote RADIUS server group in NPS and you configure a connection request policy with the group, you are designating the location where NPS is to forward connection requests.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Configuring RADIUS servers for a group</maml:title><maml:introduction>
<maml:para>A <maml:newTerm>remote RADIUS server group</maml:newTerm> is a named group that contains one or more RADIUS servers. If you configure more than one server, you can specify load balancing settings to either determine the order in which the servers are used by the proxy or to distribute the flow of RADIUS messages across all servers in the group to prevent overloading one or more servers with too many connection requests.</maml:para>

<maml:para>Each server in the group has the following settings:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Name or address</maml:para>

<maml:para>Each group member must have a unique name within the group. The name can be an IP address or a name that can be resolved to its IP address.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Authentication and accounting</maml:para>

<maml:para>You can forward authentication requests, accounting requests, or both to each remote RADIUS server group member.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Load balancing</maml:para>

<maml:para>A priority setting is used to indicate which member of the group is the primary server (the priority is set to 1). For group members that have the same priority, a weight setting is used to calculate how often RADIUS messages are sent to each server. You can use additional settings to configure the way in which the NPS server detects when a group member first becomes unavailable and when it becomes available after it has been determined to be unavailable.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>After a remote RADIUS server group is configured, it can be specified in the authentication and accounting settings of a connection request policy. Because of this, you can configure a remote RADIUS server group first. Next, you can configure the connection request policy to use the newly configured remote RADIUS server group. Alternatively, you can use the New Connection Request Policy Wizard to create a new remote RADIUS server group while you are creating the connection request policy.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Remote RADIUS server groups are unrelated to and separate from Windows groups and Network Access Protection (NAP) remediation server groups.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploying Certificates for PEAP and EAP</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use the following sections to deploy your own certification authority (CA) with Active Directory® Certificate Services (AD CS) and to automatically enroll certificates to servers running Network Policy Server (NPS), domain member client computers, and domain users.</maml:para>

<maml:list class="unordered">


<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploy Client Computer Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploy User Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=25b886ed-75e9-4f49-8ca0-c90991dfc20e"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploy a CA and NPS Server Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=58ec6857-153e-417f-b63c-40fd6addd216"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Network Access Protection in NPS</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista®,  Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2. By using NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.</maml:para>

<maml:para>NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers to bring them into compliance with health policy before they are granted full network access. NAP enforces health policies on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a client computer is connected to a network.</maml:para>

<maml:para>NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set. By using the NAP API set, you can add components to NAP clients and to servers running Network Policy Server (NPS) that check computer health, enforce network health policy, and remediate noncompliant computers to bring them into compliance with health policy.</maml:para>

<maml:para>By itself, NAP does not provide components to verify or remediate computer health. Other components, known as <maml:newTerm>system health agents (SHAs)</maml:newTerm> and <maml:newTerm>system health validators (SHVs)</maml:newTerm>, provide client computer health state inspection and reporting, validation of client computer health state compared to health policy, and configuration settings to help the client computer become compliant with health policy.</maml:para>

<maml:para>The Windows Security Health Agent (WSHA) is included in Windows Vista and Windows 7 as part of the operating system. The corresponding Windows Security Health Validator (WSHV) is included in Windows Server 2008 and Windows Server 2008 R2 as part of the operating system. By using the NAP API set, other products can also implement SHAs and SHVs to integrate with NAP. For example, an antivirus software vendor can use the API set to create a custom SHA and SHV. These components can then be integrated into the NAP solutions deployed by customers of the software vendor.</maml:para>

<maml:para>If you are a network or system administrator planning to deploy NAP, you can deploy NAP with the WSHA and WSHV that are included with the operating system. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>NAP overview</maml:title><maml:introduction>
<maml:para>Most organizations create network policies that dictate the type of hardware and software that can be deployed on the organization network. These policies frequently include rules for how client computers can be configured before connecting to the network. For example, many organizations require that client computers run antivirus software with recent antivirus updates installed, and that client computers have a software firewall installed and enabled before connecting to the organization network. A client computer that is configured according to the organization network policy can be viewed as compliant with policy, while a computer that is not configured according to the organization network policy can be viewed as noncompliant with policy.</maml:para>

<maml:para>NAP allows you to use NPS to create policies that define client computer health. NAP also allows you to enforce the client health policies you create, and to automatically update, or remediate, NAP-capable client computers to bring them into compliance with client health policy. NAP provides continuous detection of client computer health to guard against cases in which a client computer is compliant when it connects to the organization network but becomes noncompliant while connected.</maml:para>

<maml:para>NAP provides complementary client computer and organization network protection by ensuring that computers connecting to the network comply with organization network and client health policies. This protects the network from harmful elements introduced by client computers, such as computer viruses, and it also protects client computers from harmful elements that could be introduced by the network to which they are connecting.</maml:para>

<maml:para>In addition, NAP autoremediation reduces the amount of time that noncompliant client computers are prevented from accessing organization network resources. When autoremediation is configured and clients are in a noncompliant state, NAP client components can rapidly update the computer by using resources you supply on a remediation network, allowing the now-compliant client to be more quickly authorized by NPS to connect to the network.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>NPS and NAP</maml:title><maml:introduction>
<maml:para>NPS can act as a NAP policy server for all NAP enforcement methods.</maml:para>

<maml:para>When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. You can configure NAP policies in NPS that allow client computers to update their configuration to become compliant with your organization network policy.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Client computer health</maml:title><maml:introduction>
<maml:para><maml:newTerm>Health</maml:newTerm> is defined as information about a client computer that NAP uses to determine whether to allow or deny client access to a network. An assessment of client computer health status represents the configuration state of a client computer in comparison to the state that is required by health policy.</maml:para>

<maml:para>Example measurements of health include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The operational status of Windows Firewall. Is the firewall enabled or disabled?</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The update status of antivirus signatures. Are the antivirus signatures the most recent ones available?</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The installation status of security updates. Are the most recent security updates installed on the client?</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The health status of the client computer is encapsulated in an SoH, which is issued by NAP client components. NAP client components send the SoH to NAP server components for evaluation to determine whether the client is compliant and can be granted full network access.</maml:para>



<maml:para>In NAP terminology, verifying that a computer meets your defined health requirements is called <maml:newTerm>health policy validation</maml:newTerm>. NPS performs health policy validation for NAP.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>How NAP enforcement works</maml:title><maml:introduction>
<maml:para>NAP enforces health policies by using client-side components that inspect and assess the health of client computers, server-side components that restrict network access when client computers are deemed noncompliant, and both client-side and server-side components that assist in remediating noncompliant client computers so that they can be granted full network access.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Key processes of NAP</maml:title><maml:introduction>
<maml:para>To help protect network access, NAP relies on three processes: policy validation, NAP enforcement and network restriction, and remediation and ongoing compliance.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Policy validation</maml:title><maml:introduction>
<maml:para>By using NPS, you can create client health policies using SHVs that allow NAP to detect, enforce, and remediate client computer configurations.</maml:para>

<maml:para>WSHA and WSHV provide the following checks for NAP-capable computers:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The client computer has firewall software installed and enabled.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client computer has antivirus software installed and running.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client computer has current antivirus updates installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client computer has antispyware software installed and running.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client computer has current antispyware updates installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft Update Services is enabled on the client computer.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Service (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).</maml:para>

<maml:para>When you create policies that define the client computer health status, policies are validated by NPS. The NAP client-side components send an SoH to the NPS server during the network connection process. NPS examines the SoH and compares it to health policies.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>NAP enforcement and network restriction</maml:title><maml:introduction>
<maml:para>NAP denies noncompliant client computers access to the network or allows them access only to a special restricted network called a <maml:newTerm>remediation network</maml:newTerm>. A remediation network provides client computers with access to remediation servers, which provide software updates, and other key NAP services, such as Health Registration Authority (HRA) servers, that are required to bring noncompliant NAP clients into compliance with health policy.</maml:para>

<maml:para>The NAP enforcement setting in NPS network policy allows you to use NAP to limit the network access of, or to observe the state of, NAP-capable client computers that do not comply with your network health policy.</maml:para>

<maml:para>You can choose to restrict access, defer restriction of access, or allow access with network policy settings.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Remediation</maml:title><maml:introduction>
<maml:para>Noncompliant client computers that are put into a restricted network might undergo remediation. <maml:newTerm>Remediation</maml:newTerm> is the process of automatically updating a client computer so that it meets current health policies. For example, a restricted network might contain a File Transfer Protocol (FTP) server that automatically updates the virus signatures of noncompliant client computers that have outdated signatures.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Ongoing compliance</maml:title><maml:introduction>
<maml:para>NAP can enforce health compliance on client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers changes. For example, NAP determines that the client computer is in a noncompliant state if a health policy requires that Windows Firewall is turned on and an administrator inadvertently turns the firewall off on a client computer. NAP will then disconnect the client computer from the organization network and connect the client computer to the remediation network until Windows Firewall is turned back on.</maml:para>

<maml:para>You can use NAP settings in NPS network policies to configure autoremediation so that NAP client components automatically attempt to update the client computer when it is not compliant. As with NAP enforcement settings, autoremediation is configured in network policy settings.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wireless Access Clients running Windows XP</maml:title><maml:introduction>
<maml:para>The procedures in this section provide the steps to use the New Windows XP Wireless Network Policy to configure wireless profiles that wireless clients running Windows XP will use to connect to your wireless network.</maml:para>

<maml:para>Similar to the New Wireless Network Policy for computers running Windows Vista, you can use the New XP Wireless Network Policy to configure and prioritize multiple profiles by using the wireless network policy for computers running Windows XP. However, unlike the wireless policy for Windows Vista, the wireless policy for Windows XP requires each profile to specify a unique service set identifier (SSID).</maml:para>
<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete these procedures. </maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows XP for PEAP-MS-CHAP v2 Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=7a3cc667-cc49-4bd2-b117-62f573751748"></maml:uri></maml:navigationLink> </maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows XP for PEAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=fabff996-c60c-4dce-8a9d-39b705042901"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure Wireless Clients running Windows XP for EAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=09e250cb-7d83-4f2e-bf98-1c6a54654f77"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>





</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure NPS for Secure Wireless Access</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>This checklist provides the tasks required to deploy 802.1X wireless access points with Network Policy Server (NPS).</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Install and configure 802.1X wireless access points on your network.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for 802.1X Wireless or Wired Connections</maml:linkText><maml:uri href="mshelp://windows/?id=addbacc4-32a5-4dca-b12e-771bcba85733"></maml:uri></maml:navigationLink> and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Determine the authentication method you want to use.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for 802.1X Wireless or Wired Connections</maml:linkText><maml:uri href="mshelp://windows/?id=addbacc4-32a5-4dca-b12e-771bcba85733"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Certificate Requirements for PEAP and EAP</maml:linkText><maml:uri href="mshelp://windows/?id=a1ac8d7e-3479-46b4-932b-ab43362e021b"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>EAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=13a5e651-d090-407f-a995-3e8509cf9a8e"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>PEAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=5e653bce-7b3b-48c8-b784-020e133c6bcc"></maml:uri></maml:navigationLink>; and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Autoenroll a server certificate to servers running NPS or purchase a server certificate.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy a CA and NPS Server Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=58ec6857-153e-417f-b63c-40fd6addd216"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=33675"></maml:uri></maml:navigationLink> on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=33675 </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>If you are using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) without smart cards, autoenroll client or computer certificates to domain member client computers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy Client Computer Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Deploy User Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=25b886ed-75e9-4f49-8ca0-c90991dfc20e"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X wireless access clients by using the Group Policy Management extension, Wireless Network (IEEE 802.11) Policies.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wireless Access Clients by using Group Policy Management</maml:linkText><maml:uri href="mshelp://windows/?id=5220ca1e-409e-4841-b43e-837b4edd2cb6"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients in NPS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the wireless access points.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Create a Group for a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=c29cb16a-4263-47d9-8bbe-0d5db799ca7c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>In NPS, configure one or more network policies for 802.1X wireless access.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=f4522491-921b-4ca9-974c-a41b90883ca7"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Create policies for 802.1X Wired or Wireless with a Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=541cef62-a77e-483c-a847-27aacc68625d"></maml:uri></maml:navigationLink>; and <maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Open Wired or Wireless Network Policies for Editing</maml:title><maml:introduction>
<maml:para>You can use this procedure to open activated policies by using the Wireless Network (IEEE 802.11) Policies extension of Group Policy Management.</maml:para>
<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:para></maml:para>

<maml:procedure><maml:title>To open an activated policy by using Wireless Network (IEEE 802.11) Policies </maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction><maml:para>The wired and wireless network policies are not necessarily named <maml:ui>New Wired Network Policy</maml:ui>, <maml:ui>New Wireless Network Policy</maml:ui> or <maml:ui>New XP Wireless Network Policy</maml:ui> in the details pane of the Group Policy Management Editor. If the default policy name was previously changed to another name, the name change is reflected in the Group Policy Management Editor details pane. However, Wireless Network (IEEE 802.11) policies are differentiated with the <maml:ui>Type</maml:ui> specified as either <maml:ui>Vista</maml:ui> or <maml:ui>XP</maml:ui>.</maml:para></maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On your domain controller running Windows Server 2008 do one of the following: </maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>If Group Policy Management Editor is already open, proceed to step 2.</maml:para></maml:listItem>
<maml:listItem><maml:para>If Group Policy Management Editor is not already open, do the following: </maml:para><maml:list class="ordered">
<maml:listItem><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. Group Policy Management opens.</maml:para></maml:listItem>
<maml:listItem><maml:para>In the left pane, double-click your forest. For example, double-click <maml:phrase>Forest: example.com</maml:phrase>.</maml:para></maml:listItem>
<maml:listItem><maml:para>In the left pane, double-click <maml:ui>Domains</maml:ui>, and then double-click the domain that contains the Group Policy object (GPO) you want to manage. For example, double-click <maml:phrase>example.com</maml:phrase>.</maml:para></maml:listItem>
<maml:listItem><maml:para>Right-click the GPO you want to manage, and then click <maml:ui>Edit</maml:ui>. For example, right-click <maml:ui>Default Domain Policy</maml:ui>, and then click <maml:ui>Edit</maml:ui>. Group Policy Management Editor opens. </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The GPO that you select must be the same GPO that you specified when you activated the Wireless Network (IEEE 802.11) Policies. </maml:para></maml:alertSet></maml:listItem>
</maml:list></maml:listItem></maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In Group Policy Management Editor, in the left pane, open <maml:ui>Computer Configuration</maml:ui>, open <maml:ui>Policies</maml:ui>, open <maml:ui>Windows Settings</maml:ui>, open <maml:ui>Security Settings</maml:ui>, and then select either <maml:ui>Wired Network (IEEE 802.3) Policies</maml:ui> or <maml:ui>Wireless Network (IEEE 802.11) Policies</maml:ui>, depending on which policies you want to configure. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the details pane, right-click one of the following, and then click <maml:ui>Properties</maml:ui>: </maml:para><maml:list class="unordered">
<maml:listItem><maml:para><maml:ui>New Wired Network Policy</maml:ui> for computers running Windows 7, Windows Vista, or Windows XP with Service Pack 3 that use 802.1X authenticated wired connections on your network.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>New Wireless Network Policy</maml:ui> for computers running Windows 7 or Windows Vista that use 802.1X authenticated wireless connections on your network.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>New XP Wireless Network Policy</maml:ui> for computers running Windows XP that use 802.1X authenticated wireless connections on your network.</maml:para></maml:listItem></maml:list>
<maml:para>The properties dialog box for the policy you selected opens.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Network Policy Server Overview</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>RADIUS server and proxy</maml:title><maml:introduction>
<maml:para>NPS can be used as a RADIUS server, a RADIUS proxy, or both.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>RADIUS server</maml:title><maml:introduction>
<maml:para>NPS is the Microsoft implementation of the RADIUS standard specified by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and virtual private network (VPN) remote access, and router-to-router connections.</maml:para>

<maml:para>NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote Access service, which is available in Microsoft Windows 2000; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.</maml:para>

<maml:para>When a server running NPS is a member of an Active Directory® Domain Services (AD DS) domain, NPS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an AD DS domain.</maml:para>

<maml:para>Internet service providers (ISPs) and organizations that maintain network access have the increased challenge of managing all types of network access from a single point of administration, regardless of the type of network access equipment used. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. RADIUS is a client-server protocol that enables network access equipment (used as RADIUS clients) to submit authentication and accounting requests to a RADIUS server.</maml:para>

<maml:para>A RADIUS server has access to user account information and can check network access authentication credentials. If user credentials are authenticated and the connection attempt is authorized, the RADIUS server authorizes user access on the basis of specified conditions, and then logs the network access connection in an accounting log. The use of RADIUS allows the network access user authentication, authorization, and accounting data to be collected and maintained in a central location, rather than on each access server.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>RADIUS Server</maml:linkText><maml:uri href="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>RADIUS proxy</maml:title><maml:introduction>
<maml:para>As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. </maml:para>

<maml:para>With NPS, organizations can also outsource remote access infrastructure to a service provider while retaining control over user authentication, authorization, and accounting.</maml:para>

<maml:para> NPS configurations can be created for the following scenarios:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Wireless access</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Organization dial-up or virtual private network (VPN) remote access</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Outsourced dial-up or wireless access</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Internet access</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Authenticated access to extranet resources for business partners</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>RADIUS Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=94c797c3-1efa-4a62-946b-a6923e0ee036"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>RADIUS server and RADIUS proxy configuration examples</maml:title><maml:introduction>
<maml:para>The following configuration examples demonstrate how you can configure NPS as a RADIUS server and a RADIUS proxy.</maml:para>

<maml:para><maml:computerOutputInline>NPS as a RADIUS server</maml:computerOutputInline>. In this example, NPS is configured as a RADIUS server, the default connection request policy is the only configured policy, and all connection requests are processed by the local NPS server. The NPS server can authenticate and authorize users whose accounts are in the domain of the NPS server and in trusted domains.</maml:para>

<maml:para><maml:computerOutputInline>NPS as a RADIUS proxy</maml:computerOutputInline>. In this example, the NPS server is configured as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two untrusted domains. The default connection request policy is deleted, and two new connection request policies are created to forward requests to each of the two untrusted domains. In this example, NPS does not process any connection requests on the local server. </maml:para>

<maml:para><maml:computerOutputInline>NPS as both RADIUS server and RADIUS proxy</maml:computerOutputInline>. In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the <maml:ui>Proxy</maml:ui> policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded.</maml:para>

<maml:para><maml:computerOutputInline>NPS as a RADIUS server with remote accounting servers</maml:computerOutputInline>. In this example, the local NPS server is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS server or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS server performs these functions for the local domain and all trusted domains.</maml:para>

<maml:para><maml:computerOutputInline>NPS with remote RADIUS to Windows user mapping</maml:computerOutputInline>. In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the <maml:ui>Remote RADIUS to Windows User Mapping</maml:ui> attribute as a condition of the connection request policy. (In addition, a user account must be created locally on the RADIUS server that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>NAP policy server</maml:title><maml:introduction>
<maml:para>NAP is included in Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server® 2008 R2, and helps protect access to private networks by ensuring that client computers are configured in accordance with organization network health policies before they are allowed to connect to network resources. In addition, client computer compliance with health policy is monitored by NAP while the computer is connected to the network. By using NAP autoremediation, noncompliant computers can be automatically updated to bring them into compliance with health policy so that they can connect to the network.</maml:para>

<maml:para>System administrators define network health policies and create these policies by using NAP components that are provided in NPS and, depending on your NAP deployment, by other companies.</maml:para>

<maml:para>Health policies can include such things as software requirements, security update requirements, and required configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access. </maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Network Access Protection in NPS</maml:linkText><maml:uri href="mshelp://windows/?id=6aadc218-2112-4781-8b20-05d591066840"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure NPS on a Multihomed Computer</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>When you use multiple network adapters in a server running Network Policy Server (NPS), you can configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The network adapters that do and do not send and receive Remote Authentication Dial-In User Service (RADIUS) traffic.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On a per-network adapter basis, whether NPS monitors RADIUS traffic on Internet Protocol version 4 (IPv4), IPv6, or both IPv4 and IPv6.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The UDP port numbers over which RADIUS traffic is sent and received on a per-protocol (IPv4 or IPv6), per-network adapter basis.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both IPv6 and IPv4 for all installed network adapters. Because NPS automatically uses all network adapters for RADIUS traffic, you only need to specify the network adapters that you want NPS to use for RADIUS traffic when you want to prevent NPS from using a specific network adapter. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.</maml:para>
</maml:alertSet>

<maml:para>On an NPS server that has multiple network adapters installed, you might want to configure NPS to send and receive RADIUS traffic only on the adapters you specify.</maml:para>

<maml:para>For example, one network adapter installed in the NPS server might lead to a network segment that does not contain RADIUS clients, while a second network adapter provides NPS with a network path to its configured RADIUS clients. In this scenario, it is important to direct NPS to use the second network adapter for all RADIUS traffic.</maml:para>

<maml:para>In another example, if your NPS server has three network adapters installed, but you only want NPS to use two of the adapters for RADIUS traffic, configure port information for the two adapters only. By excluding port configuration for the third adapter, you prevent NPS from using the adapter for RADIUS traffic.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Using a network adapter</maml:title><maml:introduction>
<maml:para>To configure NPS to listen for and send RADIUS traffic on a network adapter, use the following syntax on the <maml:ui>Properties</maml:ui> dialog box of Network Policy Server in the <maml:ui>NPS</maml:ui> console:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>IPv4 traffic syntax: <maml:replaceable>IPAddress:UDPport</maml:replaceable>, where <maml:replaceable>IPAddress</maml:replaceable> is the IPv4 address that is configured on the network adapter over which you want to send RADIUS traffic, and <maml:replaceable>UDPport</maml:replaceable> is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic. </maml:para></maml:listItem>
<maml:listItem><maml:para>IPv6 traffic syntax: <maml:computerOutputInline>[</maml:computerOutputInline><maml:replaceable>IPv6Address</maml:replaceable><maml:computerOutputInline>]</maml:computerOutputInline>:<maml:replaceable>UDPport</maml:replaceable>, where the brackets around <maml:replaceable>IPv6Address</maml:replaceable> are required, <maml:replaceable>IPv6Address</maml:replaceable> is the IPv6 address that is configured on the network adapter over which you want to send RADIUS traffic, and <maml:replaceable>UDPport</maml:replaceable> is the RADIUS port number that you want to use for RADIUS authentication or accounting traffic.</maml:para></maml:listItem>
</maml:list>




<maml:para>The following characters can be used as delimiters for configuring IP address and UDP port information:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Address/port delimiter: colon (:)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Port delimiter: comma (,)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Interface delimiter: semicolon (;)</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Configuring network access servers</maml:title><maml:introduction>
<maml:para>Make sure that your network access servers are configured with the same RADIUS UDP port numbers that you configure on your NPS servers. The RADIUS standard UDP ports defined in RFCs 2865 and 2866 are 1812 for authentication and 1813 for accounting; however, some access servers are configured by default to use UDP port 1645 for authentication requests and UDP port 1646 for accounting requests.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports. For more information, see <maml:navigationLink><maml:linkText>NPS and Firewalls</maml:linkText><maml:uri href="mshelp://windows/?id=cfdc3bc3-82ff-4b71-90e8-57c8029501e5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To specify the network adapter and UDP ports that NPS uses for RADIUS traffic</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Network Policy Server</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Ports</maml:ui> tab, and prepend the IP address for the network adapter you want to use for RADIUS traffic to the existing port numbers. For example, if you want to use the IP address 192.168.1.2 and RADIUS ports 1812 and 1645 for authentication requests, change the port setting from <maml:userInput>1812,1645</maml:userInput> to <maml:userInput>192.168.1.2:1812,1645</maml:userInput>.</maml:para>

<maml:para>If your RADIUS authentication and RADIUS accounting UDP ports are different from the default values, change the port settings accordingly.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Configure NPS UDP Port Information</maml:linkText><maml:uri href="mshelp://windows/?id=9383c523-af71-4513-a942-e4458692f457"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NPS Server Certificate: CA Installation</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to install Active Directory® Certificate Services (AD CS) so that you can enroll a server certificate to servers running Network Policy Server (NPS). If you deploy certificate-based authentication, NPS servers must have a server certificate. During the authentication process, NPS servers send their server certificate to client computers as proof of identity.</maml:para>

<maml:para>Membership in both the <maml:computerOutputInline>Enterprise Admins</maml:computerOutputInline> group and the <maml:computerOutputInline>Domain Admins</maml:computerOutputInline> group of the root domain is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To install Active Directory Certificate Services</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on as a member of both the Enterprise Admins group and the root domain Domain Admins group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Server Manager</maml:ui>. The Server Manager console opens. In the left pane, click <maml:ui>Roles</maml:ui>, and then in the details pane, click <maml:ui>Add roles</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>The <maml:ui>Add Roles</maml:ui> wizard opens. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Server Roles</maml:ui> page, in <maml:ui>Roles</maml:ui>, select <maml:ui>Active Directory Certificate Services</maml:ui>, and then click <maml:ui>Next</maml:ui> twice.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services</maml:ui> page, in <maml:ui>Role services</maml:ui>, click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Introduction to Active Directory Certificate Services</maml:ui> page, review the provided information, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services</maml:ui> page, ensure that <maml:ui>Certification Authority</maml:ui> is selected, select any additional role services that you require, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify Setup Type</maml:ui> page, ensure that <maml:ui>Enterprise</maml:ui> is selected, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify CA Type</maml:ui> page, click <maml:ui>Root CA</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Up Private Key</maml:ui> page, ensure that <maml:ui>Create a new private key</maml:ui> is selected, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Cryptography for CA</maml:ui> page, keep the default settings or change them according to your requirements. Note that the default <maml:ui>Key character length</maml:ui> is 2048, which is twice as large as previous default key character lengths of 1024. Depending on your network size and traffic, you might want to adjust the size of the key character length. If you adjust it for an RSA key, do not go below the 2048 default, because 1024-bit RSA keys are no longer considered adequate for a CA. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure CA Name</maml:ui> page, keep the suggested common name for the CA or change the name according to your requirements, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Validity Period</maml:ui> page, in <maml:ui>Select validity period for the certificate generated for this CA</maml:ui>, type the number and select the time value (years, months, weeks, or days) that determines the date upon which certificates issued by the CA will expire. The default setting of five years is recommended. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Certificate Database</maml:ui> page, in <maml:ui>Certificate database location</maml:ui> and <maml:ui>Certificate database log location</maml:ui>, specify the folder location for these items. If you specify locations other than the default locations, ensure that the folders are secured by using access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click <maml:ui>Next</maml:ui>, and then click <maml:ui>Finish</maml:ui> or continue with the installation of any additional role services you selected.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows XP for PEAP-MS-CHAP v2 Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure a PEAP-MS-CHAP v2 wireless profile for computers running Windows XP</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the <maml:ui>Windows XP Wireless Network (IEEE 802.11) Policies Properties</maml:ui> dialog box. </maml:para>
<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>
<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>XP Policy Name</maml:ui>, type a name for your wireless policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Networks to access</maml:ui>, select either <maml:ui>Any available network (access point preferred)</maml:ui> or <maml:ui> Access point (infrastructure) networks only</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Select <maml:ui>Use Windows WLAN AutoConfig service for clients</maml:ui>.</maml:para></maml:listItem>
</maml:list>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Preferred Networks</maml:ui> tab, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. On the <maml:ui>Network Properties</maml:ui> tab, configure the following:</maml:para>

<maml:list class="ordered">
<maml:listItem><maml:para>In <maml:ui>Network Name (SSID)</maml:ui>, type the service set identifier (SSID) for your network.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The value you enter in this field must match the value configured on the access points you have deployed on your network.</maml:para></maml:alertSet></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Description</maml:ui>, enter a description for the <maml:ui>New Preferred Setting Properties</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>If you deployed wireless access points that are configured to suppress the broadcast beacon, select <maml:ui>Connect even if the network is not broadcasting</maml:ui>. </maml:para><maml:alertSet class="security"><maml:title>Security Note </maml:title><maml:para>Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.</maml:para></maml:alertSet></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select either <maml:ui>WPA2</maml:ui> (preferred), or <maml:ui>WPA</maml:ui>. In <maml:ui>Encryption</maml:ui>, specify either <maml:ui>AES</maml:ui> or <maml:ui>TKIP</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>In Windows XP Wireless Network (IEEE 802.11) Policies, <maml:ui>WPA2</maml:ui> and <maml:ui>WPA</maml:ui> correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies <maml:ui>WPA2-Enterprise</maml:ui> and <maml:ui>WPA-Enterprise</maml:ui> settings, respectively. WPA-PSK and WPA2-PSK are for networks that do not use 802.1X authentication. Do not use them for 802.1X authenticated wireless access deployments.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Selecting WPA2 exposes settings for Fast Roaming that are not displayed if WPA is selected. The default settings for Fast Roaming are sufficient for most wireless deployments.</maml:para></maml:alertSet>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>IEEE 802.1X</maml:ui> tab. In <maml:ui>EAP type</maml:ui>, by default, <maml:ui>Protected EAP (PEAP)</maml:ui> is selected.</maml:para>
<maml:para>The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Settings</maml:ui>. In the <maml:ui>Protected EAP Properties</maml:ui> dialog box, do the following:</maml:para>


<maml:list class="ordered"><maml:listItem><maml:para>Select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wireless access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names. </maml:para></maml:listItem>


<maml:listItem><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.</maml:para></maml:alertSet></maml:listItem>

<maml:listItem><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Secured Password (EAP-MSCHAP v2)</maml:ui>.</maml:para></maml:listItem>


<maml:listItem><maml:para>To enable PEAP Fast Reconnect, select <maml:ui>Enable Fast Reconnect</maml:ui>.</maml:para></maml:listItem>


<maml:listItem><maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select  <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To require cryptobinding Type-Length-Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To configure your clients so that they will not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and then in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty.</maml:para>
<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui> but do not provide an anonymous identity value, the identity response is @realm.</maml:para>
</maml:listItem>



</maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the <maml:ui>Protected EAP Properties</maml:ui> settings, and then click <maml:ui>OK</maml:ui> again to save the policy.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Activate Default Wired or Wireless Network Policies</maml:title><maml:introduction>
<maml:para>Use this procedure to activate default Wired Network (IEEE 802.3) Policies or Wireless Network (IEEE 802.11) Policies by using the Group Policy Management Editor (GPME).</maml:para>
<maml:para>You do not need to follow this procedure for wired or wireless network policies that are already activated.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>After you activate a wired or wireless policy, it is only accessible in the details pane of the GPME when you select the corresponding wired or wireless policy node. This state remains until the wired or wireless policy is deleted, at which time it returns to its inactive state. </maml:para></maml:alertSet>
<maml:para>Membership in <maml:ui>Domain Admins</maml:ui>, or equivalent, is the minimum required to perform this procedure.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To activate default wired or wireless network policies</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On your domain controller running Windows Server 2008, do one of the following:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>If Group Policy Management Editor is already open, proceed to step 2.
</maml:para></maml:listItem>
<maml:listItem><maml:para>If GPME is not already open, do the following:</maml:para><maml:list class="ordered">
<maml:listItem><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. The Group Policy Management Microsoft Management Console (MMC) opens.</maml:para></maml:listItem>
<maml:listItem><maml:para>In the left pane, double-click your forest. For example, double-click <maml:phrase>Forest: example.com</maml:phrase>.</maml:para></maml:listItem>
<maml:listItem><maml:para>In the left pane, double-click <maml:ui>Domains</maml:ui>, and then double-click the domain that contains the Group Policy object (GPO) you want to manage. For example, double-click <maml:phrase>example.com</maml:phrase>.</maml:para></maml:listItem>

<maml:listItem><maml:para>Right-click the domain-level GPO you want to manage, and then click <maml:ui>Edit</maml:ui>. Group Policy Management Editor opens. 
</maml:para></maml:listItem>
</maml:list></maml:listItem>
</maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In Group Policy Management Editor, in the left pane, double-click <maml:ui>Computer Configuration</maml:ui>, double-click <maml:ui>Windows Settings</maml:ui>, and then double-click <maml:ui>Security Settings</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Security Settings</maml:ui>, right-click either <maml:ui>Wired Network (IEEE 802.3) Policies</maml:ui> or <maml:ui>Wireless Network (IEEE 802.11) Policies</maml:ui>, and then click the appropriate option from the following list:</maml:para><maml:list class="unordered">
<maml:listItem><maml:para>For Wired Network (IEEE 802.3) Policies, click <maml:ui>Create a New Wired Network Policy for Windows Vista and Later Releases</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>For Wireless Network (IEEE 802.11) Policies for computers running Windows® 7 and Windows Vista®, click <maml:ui>Create a New Wireless Network Policy for Windows Vista and Later Releases</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>For Wireless Network (IEEE 802.11) Policies for computers running Windows XP, click <maml:ui>Create a new XP Wireless Policy</maml:ui>.</maml:para></maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>The <maml:ui>Properties</maml:ui> dialog box for the policy you selected opens. Click <maml:ui>OK</maml:ui>. The default policy you selected is activated and listed in the details pane of Group Policy Management Editor. 
</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>To access the properties of a policy, in the details pane, right-click the policy that you want, and then click <maml:ui>Properties</maml:ui>. </maml:para>
</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Network Permissions and Connection Preferences</maml:title><maml:introduction>


<maml:para>You can use this procedure for the following purposes:</maml:para>


<maml:list class="unordered"><maml:listItem><maml:para>To configure the preferred order in which wireless computers running Windows® 7 and Windows Vista try to connect to wireless networks.</maml:para></maml:listItem>
<maml:listItem><maml:para>To specify by name wireless networks to which wireless computers running Windows 7 and Windows Vista are allowed or denied connections.</maml:para></maml:listItem>
<maml:listItem><maml:para>To specify whether users with computers running Windows 7 or Windows Vista can view wireless networks that are enumerated in the deny list.</maml:para></maml:listItem>
<maml:listItem><maml:para>To configure Windows 7 specific wireless settings for Hosted Network and Explicit Credentials. </maml:para></maml:listItem>
</maml:list>


<maml:para>Membership in Domain Admins, or equivalent, is the minimum requirement to complete these procedures. </maml:para>

</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure network permissions</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the <maml:ui>Windows Vista Wireless Network (IEEE 802.11) Policies Properties</maml:ui>. </maml:para>

<maml:para>On the <maml:ui>General</maml:ui> tab, in <maml:ui>Connect to available networks in the order of profiles listed below</maml:ui>, select any profile, and then click the <maml:ui>up arrow</maml:ui> or the <maml:ui>down arrow</maml:ui> to move the profile to the location you want in the list.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Windows Vista Wireless Policy.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Network Permissions</maml:ui> tab, click <maml:ui>Add</maml:ui>. The <maml:ui>New Permissions Entry</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>New Permission Entry</maml:ui> dialog box, configure the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>Network Name (SSID)</maml:ui>, type the service set identifier (SSID) of a wireless network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Network Type</maml:ui>, select <maml:ui>Infrastructure</maml:ui> or <maml:ui>Ad-hoc</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you are unsure whether the broadcasting network is an infrastructure or ad hoc network, you can configure a network permission entry for both types.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Permission</maml:ui>, select either <maml:ui>Allow</maml:ui> or <maml:ui>Deny</maml:ui>, and then click <maml:ui>OK</maml:ui>. The <maml:ui>New Permissions Entry</maml:ui> dialog box closes, returning you to the <maml:ui>Network Permissions</maml:ui> tab.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Network Permissions</maml:ui> tab, to allow or prevent wireless clients from connecting to ad-hoc networks, either clear or select <maml:ui>Prevent connections to ad-hoc networks</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To allow or prevent wireless clients from connecting to infrastructure networks, either clear or select <maml:ui>Prevent connections to infrastructure networks</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable or prevent wireless networks from displaying in the <maml:ui>Connect to a network</maml:ui> dialog box, either select or clear <maml:ui>Allow user to view denied networks</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To allow users to create wireless profiles, select <maml:ui>Allow everyone to create all user profiles</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that only wireless profiles that are created by using Group Policy Management can be used to connect to allowed networks, select <maml:ui>Only use Group Policy profiles for allowed networks</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To block users from hosting a wireless network on computers running Windows 7 that are equipped with wireless network adapters that support the Soft Access Point and Virtual Wi-Fi capability, select <maml:ui>Disallow Hosted Network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in <maml:ui>Windows 7 Policy Settings</maml:ui>, select <maml:ui>Enable 
Explicit Credentials</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select <maml:ui>Enable Block Period</maml:ui>, and in <maml:ui>Block Period (minutes)</maml:ui>, specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1-60.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For more information about the settings on any tab, press F1 while viewing that tab.</maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the settings, and close the <maml:ui>Network Permissions</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>









</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS</maml:title><maml:introduction>
<maml:para>This section contains the following topics:</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>RADIUS Clients and Servers</maml:linkText><maml:uri href="mshelp://windows/?id=ceee0372-2286-4205-9c43-f3f242c07b60"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>RADIUS Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=94c797c3-1efa-4a62-946b-a6923e0ee036"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>RADIUS Server</maml:linkText><maml:uri href="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

</maml:list>



</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure a Network Policy to Grant or Deny Access</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network policies are used by Network Policy Server (NPS) and the Routing and Remote Access service to authorize connection requests.</maml:para>

<maml:para>Network policies contain overview properties that designate how the policy is to be used and interpreted. <maml:ui>Access Permission</maml:ui> allows you to configure whether user account dial-in properties in Active Directory® Domain Services (AD DS) are used to perform authorization. It also provides two possible network access values:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Grant access</maml:ui>. If selected, connection requests whose properties match the conditions and constraints of the network policy are granted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Deny access</maml:ui>. If selected, connection requests whose properties match the conditions of the network policy are denied.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>By default, network policies created with the New Network Policy wizard are configured to deny access. Therefore, <maml:ui>Access Permission</maml:ui> must be changed after running the wizard in order for the policy to grant access rather than deny access to the network.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To configure a network policy to grant or deny access</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console, double-click <maml:ui>Policies</maml:ui>, and then double-click <maml:ui>Network Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the network policy that you want to configure.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the network policy <maml:ui>Properties</maml:ui> dialog box, on the <maml:ui>Overview</maml:ui> tab, change <maml:ui>Access Permission</maml:ui> to either <maml:ui>Grant access</maml:ui> or <maml:ui>Deny access</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Access Permission</maml:linkText><maml:uri href="mshelp://windows/?id=e853adba-c8b8-4d19-8626-89a09a76a8c0"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Server for Dial-Up or VPN Connections</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>When you deploy dial-up or virtual private network (VPN) connections with Network Policy Server (NPS) as a RADIUS server, you must take the following steps:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install and configure network access servers (NASs) as RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Deploy components for authentication methods.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS as a RADIUS server.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Install and configure network access servers (RADIUS clients)</maml:title><maml:introduction>
<maml:para>To deploy dial-up access, you must install and configure Routing and Remote Access as a dial-up server. To deploy VPN access, you must install and configure Routing and Remote Access as a VPN server.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.</maml:para>
</maml:alertSet>

<maml:para>You can install Routing and Remote Access on the local NPS server or on a remote computer.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Deploy components for authentication methods</maml:title><maml:introduction>
<maml:para>For VPN, you can use the following authentication methods:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), known as EAP-TLS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), known as PEAP-MS-CHAP v2.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>PEAP with Transport Layer Security (TLS), known as PEAP-TLS.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For EAP-TLS and PEAP-TLS, you must deploy a public key infrastructure (PKI) by installing and configuring Active Directory® Certificate Services (AD CS) to issue certificates to domain member client computers and NPS servers. These certificates are used during the authentication process as proof of identity by both clients and NPS servers. If preferred, you can deploy smart cards rather than using client computer certificates. In this case, you must issue smart cards and smart card readers to organization employees.</maml:para>

<maml:para>For PEAP-MS-CHAP v2, you can deploy your own certification authority (CA) with AD CS to issue certificates to NPS servers or you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.</maml:para>
<maml:para>For more information, see <maml:navigationLink><maml:linkText>EAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=13a5e651-d090-407f-a995-3e8509cf9a8e"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>PEAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=5e653bce-7b3b-48c8-b784-020e133c6bcc"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure NPS as a RADIUS server</maml:title><maml:introduction>
<maml:para>When you configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Configure RADIUS clients</maml:title><maml:introduction>
<maml:para>There are two stages to configuring RADIUS clients:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure the physical RADIUS client, such as the VPN server or dial-up server, with information that allows the network access server to communicate with NPS servers. This information includes configuring your NPS server IP address and the shared secret in the user interface of the VPN server or dial-up server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In NPS, add a new RADIUS client. On the NPS server, add each VPN server or dial-up server as a RADIUS client. NPS allows you to provide a friendly name for each RADIUS client, as well as the IP address of the RADIUS client and the shared secret. The shared secret that you enter in NPS must match the shared secret that you configured on the RADIUS client in the first stage.</maml:para>
</maml:listItem>
</maml:list>
<maml:para>For more information, see <maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure network policies</maml:title><maml:introduction>
<maml:para>Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure RADIUS accounting</maml:title><maml:introduction>
<maml:para>RADIUS accounting allows you to record user authentication and accounting requests in a local log file or in a Microsoft® SQL Server® database on the local computer or on a remote computer.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wired Access Clients by using Group Policy Management</maml:title><maml:introduction>
<maml:para>You can use the procedures in this section to configure Wired Network (IEEE 802.3) Policies for client computers running Windows® 7, Windows Vista®, and Windows XP with Service Pack 3 that connect to your wired Ethernet network by using 802.1X authenticating switches.</maml:para>

<maml:para>By default, you can use Wired Network (IEEE 802.3) Policies, which is a Group Policy extension, to configure the following 802.1X authentication methods on your wired access client computers:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), for authentication using smart cards or other certificates.</maml:para></maml:listItem>

<maml:listItem><maml:para>Protected EAP (PEAP)–TLS, for authentication using smart cards or other certificates. </maml:para></maml:listItem>

<maml:listItem><maml:para>PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), for authentication using secure passwords.</maml:para></maml:listItem>

</maml:list>

<maml:para>The following sections provide procedures about how to configure Wired Network (IEEE 802.3) Policies for computers running Windows® 7, Windows Vista®, and Windows XP with Service Pack 3:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wired Access Clients for PEAP-MS-CHAP v2 Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=287a5491-9f3e-4e7e-97de-02ace47d018e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wired Access Clients for PEAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=de982522-df50-465d-b221-656bc3b39468"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wired Access Clients for EAP-TLS Authentication</maml:linkText><maml:uri href="mshelp://windows/?id=c3c405fc-099d-497d-857d-be93314c4db6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>


<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete these procedures.  </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For information about activating or opening Wired Network (IEEE 802.3) Policies, see <maml:navigationLink><maml:linkText>Access Group Policy Extensions for 802.1X Wired and Wireless</maml:linkText><maml:uri href="mshelp://windows/?id=e7b2e1e2-9da4-4a68-a1db-6a0886f7e028"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure NPS UDP Port Information</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use the following procedure to configure the ports that Network Policy Server (NPS) uses for Remote Authentication Dial-In User Service (RADIUS) authentication and accounting traffic.</maml:para>

<maml:para>By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you uninstall either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol.</maml:para>
</maml:alertSet>

<maml:para>The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which port numbers you decide to use, make sure that NPS and your access server are configured to use the same ones.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports. For more information, see <maml:navigationLink><maml:linkText>NPS and Firewalls</maml:linkText><maml:uri href="mshelp://windows/?id=cfdc3bc3-82ff-4b71-90e8-57c8029501e5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To configure NPS UDP port information </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Network Policy Server</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Ports</maml:ui> tab, and then examine the settings for ports. If your RADIUS authentication and RADIUS accounting UDP ports vary from the default values provided (1812 and 1645 for authentication, and 1813 and 1646 for accounting), type your port settings in <maml:ui>Authentication</maml:ui> and <maml:ui>Accounting</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Configure NPS on a Multihomed Computer</maml:linkText><maml:uri href="mshelp://windows/?id=7a04cacb-8df7-4187-94ce-0410170cde1f"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual>GIF89ap,   0448<<<@@@DD@@@DHHH LPY$P(Pa$U(U],UaUUUi0Ye0]q8]0ai8au8a<a@e}q<iDiuuHmHq yLqPqDu }$}PuUuUy0Yy4HY}}}8aaea@i@i $qLquUy04yy8}]}qځ@a}΁΅iL҉΍ҡ֍ґUum}a֕ځ֝֝ځqޡuyުޕުޅʺ	H*\#J(Ë3jȱǏ CIɓ(S()0cʄIj͛8sɳϟ@9JrѣH*]ʴ)NJJի)bʵׯ`qj
KٳhM˶۷pGKݻhrtXKx)cfW޲@(^8bѣ_|gZ@d~@MH6w>j=@@zAϕ^^YΔߕt
'hKB)`gv/l,s	=;Qf]`rhLAӍd
0Q;X(X1Sv,8rB Š8*8"&\spƕ5Lڗ*M=OƜ6l3(Cp5QqO61<Lj)>EJi'T"3h+:8 =−I&S+ff>sG@,4̒9yUO42	I5B8p71@:	+KDsO%y&F7:A
@ht>	=r;(D4Aql0rKlSO3K=Ă6032y6lU:Gl&K{M]:
36n=`ی?XFGJOңf5E?D0%oGٍ0"=`
hJD$WL*;9L4",-**U{8^r3(kKl7!d7Cgc|
'gXG\,Sc;>߰r1(a/56GepO8f5!j#pw6y7\z|n߁?@B1o,0BU*=@
A Y:7#6~PDtJTg7-U>?];*
BP$yrCp ?G
XrQv"`3.xOf`KnH`+*0 @%O#CRP
HV#P`n.#JK$62VѸ1$
N`u]!;<ܢ&]
ܱhh<Ї@!yXP%1b̘Db*vnA?HG"Bp>X(4*!??эcBxA}ܣ~T
P@ۇ>DB`D`.hN&LIBPd	O8=@81[:y,	C<,qI]~gDi6Ә"_ D PCGZ/@C2@M3#q@ A
o6SXN4V.OJM$0CPvTD!\&sRGHVl#e-
XT(,.+l
mZwm1 u@ʀ2Ne9!YmՁ¶-,GJ^%Wu+()ZV4lJ椤aeJzl c
M=D,HnhOҷ-aS3]$5pzw-Ȃ,U~z 4W ύ|Z;poQ`%cSRX$͈z
i}Akn*6\`	38-`	2a,?6ȊO\s/vqp7͈<]첸xƅ@xఀ>iNLiEb @x@+5AA@P%1E7a/h|eOԤleWJ 3lJh
i4K&D>a?`2Jp##>4|k	`G4u$!#`1i_w
~ilc1!ҏ9H}Q^^\h"e(`Yn>Ƒ$@MsDۘ[B])q*Р0A	4/Ux
dP\o'w|CPz|RC0
/Ns
@_F
ŷ@oc{#j+$@8:j{U,D,0;GQ=4`B-Hö㼗3yxq'xn8&Q"
/_ARM0zȽ<AnqmBJiw|!|65-xy'-
9G}az#bpYmzzvz=m{?!R@{aDvv&|`@'\w}b=sdW}v~GW2~Ga
~DW,vAG7a([yP="
vp0{;hA7qGR;.A8zP w`R{KRX8Y"Kvc-P1F}}hvvh':߷Khp
xHVww׊KKmGP]rHh}N?p~h8)n{xm> 
KGG	و#n ''a}W&1@$p*^&x
 %	EX+0k
yC	ON0^ bRhwp!a
I](W+C*DdXBt^@{x52P8:9*<@u$qjY8C
ndbc &`A1;`kF!*y	'pDy
P}%	@	C
bfmq`)  P
TiF0ZiS])5ReKtK'ϐYp	EY;6FT0	ܠs99F:([ )`'^3gX@݅9 96РQ8{0I)闱Y"43/QF`6U CmH3X!	
!aW0nh	 ]p\`6V)P*08pt
Y-
JipF@shzzHqhب.\]9OWFiop3q2Ya<c>j^5i0Ih;{&ᨐ
@٥_*|dp 03 QqD"8J	2p1*o4w1S6az)ZPP c<П	%QY
XT
jR4X@Zŕ`2PʣКn5RWp	pQLyܺ	@۔ey
h	7+7@!Dj+в6R[
T+µAg(	Wp
MJQKPAIP
r 
h`@PZ!]Kg#k!D A"[PI1G2	ЛK+;rP"\0
ͳ$k)aKA!a;,#[=ދdFѾ<k(;a7`7 p1=_a2*a
e4,J;A,^2NaY]P>1#A5|:8%H0*	a%lIQ!3U(9RA UA<FL9AlHPB$PnJ8aȹ+NG6Q1M\Mz||/{)qF{,I6ʅh6E+A	
0"4t KQ:qʓ*5ljw@\'P9]9ͽ)߬FcL
`53|9'MA.@ qG	fP00VЩGA},]]GB5" P2.`f +(agl(/m1M3
P1FP!`]D˦Q<`)#?ՙpk|B-"`ĨȐkd]j=gք&?A0*<PF0-hx|Gm$لR-J}*`
f +^=.QQfHٝNchfX#{cf:q۷۰X!Qf@t.0, e`

--q?`˝*-%>P S
KQ~Н;ֽ]ܩڌ&[PC 4n
pt	e@e<!h#t@ɽmAFu"Å]=-,^=
S]X^bh@;`僬=sNlqa)},P+GN-w>鵜K"@5| 鰾Nda+pQrvK}jmԶn^}nA0t6)V+^ɾ<:+qn'a$9}d>T	5>W~:LN
Li!aQ ꗈ@7e4=2b'?<Q!V?>	>@=&JQ`	e00?l
4[#*O6R;9TqjQ
 Ymoq/7A
aSa$@1cPX6|+P~O7O/+aSq|uL
1)
`L	iAaΏ5UP	O O['1M qh	
cp!@@rDPB
>xp	PQƌH)%MDRI 5$RfF|۔IN=}6ϝ}cp9Siʉ/.ZeȑQ^ŚԗU.}'edU;lBaӍO]}[qߓ ➱xBch2oegEC6Ay]MgbΨvJMG1/q{J'Pq+ꦮٽް;uE'z|zDg8~n'[/j AS@	/T„,Nw\AA4DC_Ń\q,xf2( \#2˫QA6%Ot(e4F%/EKat6!{09.
 XG >t*DNEBt?Tϟi`B2TFO+G b'Vى}K,QC<d=uI(:geuŵNh+g^Ƭh}M-PمphT:MlDuM깆RDbEU]WN&>SLgqupه6Y5F̅=k8av_.-a`^T@ hbA:hBP_ӂ*zEa7uF[ @AT=4r־kO/	!VXAO-z!m@a۴Y+CEHVg	XH
7,+Yfc`p肫woǵkS4wo?!?^.”wOv?:P}c_ҥ.o?{Ha^ac$l	,\ o
;`<xtX!|H
t`	/[!B02\)&2hD&dTC#G;"BAT(&&AG86BFa 	RT|pޙёِF^2Tm@)?'2ҍ"@Tnf,%'OJzeh^iM2L_&y]>)0Q(LeB~L42ywi^St.ylfg	f6r3*<9::5xp@@:P
x*6&:DaI S	ӑ$D:RtJ?#σГHHE:BYDI8:(C< .*t h54Ξ4[gGu^,5hӋ+.!0aTf;У@@υ0L$geiQp>LAEd5Q+O}V%b5@DFؔqP耾7^Mjv6Sf[u0bE4Y<-vEH9`tCh=(b]J
$.`Cz.-h6>+%`~_x6:1Q}VT/d
#g1y)&d$mVו	Djq3djm_Xy]N6lQY6!},`0~]$aKiu4"Fȑ.[r~<fy2j
{eG%R{B1c!Z`pJ#g/
wL`@E&GEa6ChDE]hNDf&:g=,e8!B~c0/#ZD=<a69iSxa&'	itqmjmD&u{cXt"nv{cucys{PHx5c6HǶNwmohsmu]F W;k;or)Sr5:<.5NonY% #Rn[- {-j-e lGPQh.29Aq_8wӄ	)#m|C~6>jd-Fw}>wLFcڊ'N';Nu$:r\fԣ]~1;CҾs^n5ME,xYba9F~e5Ӝ\٪g}5㕯8` !DтԷ?ʿ}/dԷ^߉6 ؁,hF	%Ȅ+>C{z>5o[h+K Hmv0>+ Acs[ӽX2p[Z1|(6l?%$>7qsA62ck;FӿRK̳%q ؃,@A!B~#%x[ABC%Q.!!R*\DD/T:
@1;pCvx":܆zr`.LE̎-qPel BxPAL{wX^0
LJKl,T76PAMT24C6T<kà#$SB@E:u`VfaպlJ^,D`G{z;<yTpՐDD:%#ȀЃL`.h?oP$GCQ̊'vDGo ,(|8~ȗPA,HYĐrBEdcpxtKԁ3bIX:9
pI@v@v?˝`06@zS89`D:}UTHDPi`_H̀#4kx˫PGX=KTL`3x$aLۃq"0J|ME8$wBd؇&Pa+Hlȱ@KɝpoxЀ*v M <|x3BH+Hz̆x+N_t}(8IM\ּ/R0+͈K<GНPBo=5; /ȳSDXP/[K%2@:OHfOx@'BDrሴ\K$qc˄AE@{؂Dè2CǿPG_7Sͼ4/G۴44G଀!(-m,=jHMLP]ɧUQ]
	W`wSa{yÿ̷̼TB=hCnE(FG]!$GO8C/LԣR@q|y]C'=GUR7C[RblR{U2|=@؇youɌ{i;OtTIUIiBBM=aU60omOKcC,W	MKuu"}WPل+<i T-գ\]
q0l0k@$EBwbrp1r
Ä́ Obp" xhO`i%A0p-q?TPGh^Tx(RxZ2{[Ã`ںڧ$=,Z[XK]TbeABЇ{ [e%&)6Fʻ[Br \X)='TCWU?=Da\%
2$<)و܄ѝUD\m{YU	X}0(rHPӇNhq;j8etX^(>A-lP6l`

7T];3Tҕh
u4\ͪ'E̥هz Y l~wx%1L̋ń{H3XB@\ˈ.Ye8]񅊸܆,?aM`oXS= 
(b8Rec`K?k{UH0zbX	0cAMccU06͠h]W㥀I78x =Cn?D6-( QXpxH.J&KL),؇u`VI5[s؇<(zp9@Ρ46(F0lnk4Pd } Kx N(ofbЄo
炴{xskI1	v y6wXkނy	>#BcD+S(HO$[jf>7خHBy @$N0ɴ-ցwhijXaW>
>BD"P`F	SHYP_ޮ}LpkDboX(! 5}w0(v3n7A!XMjjl0zS,.;8(VԞRn)~X`l̂<hfzvBKrOnbMSY(o8oP@,bpb0
y%ٖWgoeovPUnb]b+&L%ɚIÆ7񉊈.fܓY3+,+
ĔZJ/\y.Sx`]X*#ECC9@gӠ1k1%k+-}p9'(8PY
(UrOPuPwr.txRu8 :,2wb6ru\Etu^gccTXueQgThžތfuRpoj苻PIk
R豒5tnwlkyaV
x{Yn#sW`C?x1uY	6airw1)K
iw2Ia/yיw'xPxYY*i7zwA~;GyYϥw?z)[Pxw?WX,؂rE,ae 
vZ{D/)|j2oj|bz|%|fk|:|e|j
}ߩ9aJfZ}g$)}}`}eh}}§Ca}Q}"}/3:~`J~b旐ϥϥ駬o%%-o%o%WW"G%0,h „
2lP'Rh"B0rhJ@"G$ɔ*X%̎cҬR͑C$JB%j4̣0P)P6tUUET:qװM2)c,ڴjײm>Lѭk.޼vAbҿf0X3UpBj`2̚7s9G;4
^lյ뫅e|zC{7.'Nx^c^1ϣC/ѶηJ4/֧^߸]^>S:ubdE_~	*DA)`B醞Aq `Az8	XXU,rdj 8#%ɸ|5t#XP=#	)Mw9)9U?Qj_t%dYy^ZkJw_iGimGD|V_sަ'~~6D%Gimg^bPm)P5:*s]*:+z+JBĄ
;,XwaH;- w`,z)	骻l6kJ(pIa#+0KPI0<J><PKZ&{R""3p
Eڻ5W	3h!lΆތZA#wm44H4UJ-3Y{-_']}-$667mwl6y8
}~/߃+wxF3.3s01kιa}NI8uzϩO.s}S{޾OSW~|3RKSR+s/RwޓQ~_Q>/Q{Pm:0hl`A!(L.v3RA=pPd`”PcAbrl7Pb6 _hA=<%2Nd")ؐ dFbH->QX\b~t+
H  .D-)Z	%

hA~$2crhG2HBRjRh@TP[fA},2p@6Dq)sY3YZNyI>2Q.1a
 ٤:)Cˀ ͍0+Jҙ.NCRrId!LUF\'>B2,⿘@|tM+A1X|f
*Q1B!CH9	{N4C=*R\B:ҕeh
s=6=>JøG f:wݴU
+Q\d"X=t*D{^uj4ޱHժf͏)@ >c_}k&>A}(g+wzM:#WcAfcx=Xl~W(E,fP,dvL62Z@BG,BB-jd"YBTȷզIylCpmoB+zkif`!{`s3zV-Bŷ`MOVJZ㗗!o|^v6p/;/vR\+A8,bf^
S\$/x7b/+D4z8ҠK]/$*zxA7[~b<,F-~0w6=
β	ȿ=ޞ!1µ̈́xD8W~~4A@xG\A옲WۜG>^tIQ#DҞ157N!gFԶQ
sۜHTAь>odSc@
u0k	,d
j-Z٤fv@V>}F~@ag>vhx"@4=PSS1م,&\FS٭=~#xM!b
OXV݌L3,3c6Ǖ`<E?eIA`D|A}pL؝wL Љ=Зuݨ']SD$Wjxя݂rym)+iډ -DzѥۂB
\}E243|yol/1CΑS>_37Y[[᠆\jכc;mxO<*G"}ڙ|Q;qs,!!1sb
<?6R8h_Sp4?`!6](K-;hXGY(DPPB@
%+i@<&+(JSM}:"e\;DRDY)(SFe̠YFq1yp"|\UeAeAx!"-YƟ$rQb*
^e`AСeUA\ӌ	$8A1^f$!"^1Y! /]L]^D'Ae!A!#GdFa#Aa/ *YA)@$BYLE
Y$G!B\`.b;	Bxc#c>ecBl9v"!5;;PApcB#=5:9#Ap:$>d#BA)*:AB DJE6d<A*D#ESG*CDd==V$HGdFK6dBd$"콤IƤ>OʐOPP$QQ~C&F$G>T$UdP6$Be	uRR^S%VNVx%S2e9%Ze2ZjO]b[2LVdM`.fQcb"bS}qua&"deeSߍ}UDg>fNu%c*ҁ~fJ&fd
Yfimn]]oReT%B`m&ӉW'qrRsȦ@@L.]WY$Fl'&TJ&tyg.yٗn	E'%ug}|D}ZfnKf‘^BwgV>'`&Dcf:9|N(BT5Jr(}'@(j(p??x(: hh%H.B"^*DԎg{^(sw%ZU&k"sr\)fn)R.)
"p)`f@D.i))(i*&.f<<~uWA@a)vv~*vj$jNBè*E" \ٗDh<j@|<I֙EdL*W
ƇfM(+0bj_>ꦤX!JB6R&ǹ
F2ͺf"IEzN<M
ϾżͿgRVͳEhBNÚNMĺv\W<l6M
*:ǮNʾNM,ĬQP«.Lv# ˰˖ 2*zF#hB`^-:.GpGҊNDD؊FvNDrF.jNmޮFbfND.F>NDF>2N"mNFM""n-"~,2Rnn.MDBFzMBn
F*MD
EMDE
Mbnof.ND&Vl&ŦnoGb2p/ހY Fi@emtAQK|'iofv',
OF8]pfT~Xewr+d0Nw5S|<H0-
C
n&
GZsNs1jTbm@:G[q;e<n0 c1_v|}m!OFexS~$sh8s$Rp11/]ɇ,r#q|ToG/r)Wd0"/#2w_$sl2J1GђȰ|1s3Fr8T6o'3839s,\$ET~`&A8o$
س|e,HY
0A4O=P3R3AC?LQg8C%Q QZ=/L=?WZ@ce(,H@˴5VN{Nv8/+0ݳD=Y*JU4DPetTQ\tMVSmQcL{X5=|Y4G3WP{tz}U.̃T@*OTRV,C7<uU=VS->TB@PgAz1kqX{zuĵM\l5?TI[:X5{"@c)[+dw6`B=lN
pU.1L5]˖`т,6__(C>(Ep/1%L3gdV,-@1plrv]+-;Lu7C~+|CiqvT_	twk7CDyV.(d.J\aGvh`EW}#7L?W0
dB6pCܖ/!/<``}3[X	4g[|@@AJL새7pxXC+uU*|4Y8I\lnC׏	R&4;܁-=7d80ܖ{6
ÜS5C۶`C=l}B6CVC6M5<B=4C9;܁	 X%Ձ?C=¬W?縄i=:c'CWyC٦[%&$ש}HC$A$p_m0C!@պ:I,Csz1oYXx>D;%#N>صKC$7C=ȺW<d;0BęoW<\Cgg8(UK{U,Sykl{X ?;MQ+)<#}R|U?6|5~f{>zċXЫ=;l0мQQX}úq}a
X>4Ɲ͛c7 {}ݽP0{,{Qg"y$ú!]NAp~wL~ƍP~/~J>#<,d\=Ä3^>o^>6{mwK|>@8p
sSaC!FBZK	`G8dI'QTe˓y&dq蒧2"ACS`'OK`"U*v,bBSFXi<+ˉBó1@"ջoߔ0e&GHͺuk U>	RpҥK>Cly$Xq/9{ B#>Xữq֝$<xw4\259Fâ/4]fu[6<9}{#{{ɨqyCcq.
h0-j/ Ď
9̮$ID"??*㪽"K+<	)2\#,'"
214z1i20-Q	$2-
lͦʬ|J!I縬mL0,|RH4G!E)Κ+)Z4O,20]̣O4Ac3Wamh*R;3(rnK2+0SqJ94lX}u֠j$jWzX!=u5DUUG:Uʺ.CvbK-\UYvMxݲo[u3~AwrU3Lt]"U
^ό%7c=FHͬTy=i&9a"l,+sߙ.fs!$8Eճ]賋K>NtLӧq-ߎBN+APH}vq(@!M29ykzӁ8Ǒ[A=*oBqv'(pH	#=sB*W\i0q~nNA,dwcdCbrg"{@HYa\w}/aX4t7>`P&qXѠ
d݆ 	~3^ѷYІR#=t㲁q&
`w$c{$]00|%|O CE
'B'4c_.P7-ͱ )V@_\A޳T,;G$&)Y<A0QՀpUl;<xFQ{@q!ôr"$T(xBQ*C"b\9BKIA3f1<qoFr@7L|(9\	X:ӗ4]
A3!e!n0(^Tr?۲,jxC	W474\0Z]?Ջ2&FK|[Gc!D(uG3axKqS=OTE5QT.MuSUU@CfU!VU֯zէ[ŪXJִ~UaUT0]m]V5/f=[JV}ի[W6|k{خFvMkaBv\f3{ؼxe,fBZVmb
v|cڱwllYۊ
luvv1-mekZҰUgQPWrֹe]Zz)z5]/m]p_z7MIV\+UoŻھد.jw]p{M-y!L.E0{k]5ePثC2̒{z
">llUr`=dx8o/b$R^1qZ\xm/hLY~5/urhAЅ6hE/эv!iIOzn3j ˵ͪ[Jsz
lM<K9kNsLSZ;>QϞ-=U#/]
&fxq;ǬV[v]}Y8vC~̰.wenldڟ6s{fOqq~k6!i6/eW\$fk܏XVY3>j)Ϸqs=ρt;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Proxy</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) can be used as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about the messages that are forwarded.</maml:para>

<maml:para>The following illustration shows NPS as a RADIUS proxy between RADIUS clients (access servers) and either RADIUS servers or another RADIUS proxy.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=b19e0940-c0e4-4e7a-bba7-7d9495e71453" mimeType="image/gif"><maml:summary>NPS as a RADIUS proxy</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>When NPS is used as a RADIUS proxy between a RADIUS client and a RADIUS server, RADIUS messages for network access connection attempts are forwarded in the following way:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Access servers, such as dial-up network access servers, virtual private network (VPN) servers, and wireless access points, receive connection requests from access clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server that is being used as the NPS RADIUS proxy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS RADIUS proxy receives the Access-Request message and, based on the locally configured connection request policies, determines where to forward the Access-Request message.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS RADIUS proxy forwards the Access-Request message to the appropriate RADIUS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The RADIUS server evaluates the Access-Request message.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If required, the RADIUS server sends an Access-Challenge message to the NPS RADIUS proxy, where it is forwarded to the access server. The access server processes the challenge with the access client and sends an updated Access-Request to the NPS RADIUS proxy, where it is forwarded to the RADIUS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The RADIUS server authenticates and authorizes the connection attempt.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the connection attempt is both authenticated and authorized, the RADIUS server sends an Access-Accept message to the NPS RADIUS proxy, where it is forwarded to the access server.</maml:para>

<maml:para>If the connection attempt is either not authenticated or not authorized, the RADIUS server sends an Access-Reject message to the NPS RADIUS proxy, where it is forwarded to the access server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS RADIUS proxy. The NPS RADIUS proxy logs the accounting data and forwards the message to the RADIUS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The RADIUS server sends an Accounting-Response to the NPS RADIUS proxy, where it is forwarded to the access server.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You can use NPS as a RADIUS proxy when:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>You are a service provider who offers outsourced dial-up, VPN, or wireless network access services to multiple customers. Your NASs send connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that is maintained by the customer and can authenticate and authorize the connection attempt.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS server is a member or another domain that has a two-way trust with the domain in which the NPS server is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for NASs in another domain or forest.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, connection requests that match a specified realm name are forwarded to a RADIUS server, which has access to a different database of user accounts and authorization data. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers and increases the capacity to process large numbers of RADIUS clients and authentications per second.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall sits between your perimeter network (the network between your intranet and the Internet) and your intranet. If you place an NPS server on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS server and multiple domain controllers. If you replace the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPS servers within your intranet.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement for IPsec Communications</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed by using a health certificate server, a Health Registration Authority (HRA) server, a server running Network Policy Server (NPS), and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.</maml:para>

<maml:para>IPsec enforcement confines the communication on your network to compliant clients, and provides the strongest implementation of NAP. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Requirements</maml:title><maml:introduction>
<maml:para>To deploy NAP with IPsec and HRA, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install HRA on the local computer or on a remote computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install and configure Active Directory® Certificate Services (AD CS) and Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure Group Policy and any other settings required for your deployment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If HRA is not installed on the local computer, you must also configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install NPS on the computer that is running HRA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS on the remote HRA NPS server as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to the local NPS server.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information about HRA, open the HRA console, and then press F1 to access the HRA Help content.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Health Policies</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para><maml:newTerm>Health policies</maml:newTerm> consist of one or more system health validators (SHVs) and other settings that allow you to define client computer configuration requirements for the Network Access Protection (NAP)-capable computers that attempt to connect to your network.</maml:para>

<maml:para>When a NAP-capable client attempts to connect to the network, the client computer sends a statement of health (SoH) to Network Policy Server (NPS). The SoH is a report of the client configuration state, and NPS compares the SoH to the requirements defined in health policy. If the client configuration state does not match the requirements defined in health policy, NPS takes one of the following actions, depending on how NAP is configured:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The connection request by the NAP client is rejected.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NAP client is placed on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the client is compliant with health policy, it is allowed to connect.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NAP client is allowed to connect to the network despite being noncompliant with health policy.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You can define client health policies in NPS by adding one or more SHVs to the health policy.</maml:para>

<maml:para>After a health policy is configured with one or more SHVs, you can add the health policy to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers connect to your network.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Using multiple SHVs in a health policy</maml:title><maml:introduction>
<maml:para>The Windows Security Health Validator (WSHV) is included by default in NPS. Other companies might also provide additional SHV and system health agent (SHA) pairs for their NAP-compatible products.</maml:para>

<maml:para>If you want to use a NAP-compatible product, you can follow the documentation for that product about how to install the SHA on NAP-capable client computers, and then install the SHV on the server running NPS. After you have installed the SHV on the NPS server, you can configure the SHV and then add the SHV to a health policy.</maml:para>

<maml:para>After your health policy is configured with the SHVs you want to use, you can add the health policy to the settings of a network policy.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Connection Request Policy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients.</maml:para>

<maml:para>The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally.</maml:para>

<maml:para>To configure a server running NPS to act as a RADIUS proxy and forward connection requests to other NPS or RADIUS servers, you must configure a remote RADIUS server group in addition to adding a new connection request policy that specifies conditions and settings that the connection requests must match.</maml:para>

<maml:para>You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard.</maml:para>

<maml:para>If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.</maml:para>

<maml:para>If you want the NPS server to act as both a RADIUS server, processing connection requests locally, and as a RADIUS proxy, forwarding some connection requests to a remote RADIUS server group, add a new policy using the following procedure and then verify that the default connection request policy is the last policy processed.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To add a new connection request policy </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console, and then double-click <maml:ui>Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Connection Request Policies</maml:ui>, and then click <maml:ui>New Connection Request Policy</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Use the New Connection Request Policy Wizard to configure your connection request policy and, if not previously configured, a remote RADIUS server group.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploy Client Computer Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to domain member client computers.</maml:para>

<maml:para>Membership in both the <maml:computerOutputInline>Enterprise Admins</maml:computerOutputInline> group and the <maml:computerOutputInline>Domain Admins</maml:computerOutputInline> group of the root domain is the minimum required to complete this procedure.</maml:para>
<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>If you have already deployed server certificates using the steps provided in <maml:navigationLink><maml:linkText>NPS Server Certificate: Configure the Template and Autoenrollment</maml:linkText><maml:uri href="mshelp://windows/?id=4e4f927d-3273-40b5-a33b-f550be1587e2"></maml:uri></maml:navigationLink>, you do not need to perform steps 13 through 20 of this procedure. These steps are used to configure computer certificate autoenrollment, and they are the same steps found in the aforementioned topic.</maml:para></maml:alertSet>

<maml:procedure><maml:title>To configure the certificate template and autoenrollment</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Certificate Services is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certification Authority</maml:ui>. Select the certification authority (CA) that you want to manage by using the snap-in, and then click <maml:ui>Finish</maml:ui>. The <maml:ui>Certification Authority</maml:ui> dialog box closes, returning to the <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificate Templates</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificate Templates</maml:ui>. All of the certificate templates are displayed in the details pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the <maml:ui>Workstation Authentication</maml:ui> template.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Duplicate Template</maml:ui>. The <maml:ui>Duplicate Template</maml:ui> dialog box opens. Select the template version appropriate for your deployment, and then click <maml:ui>OK</maml:ui>. The new template properties dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General </maml:ui>tab, in <maml:ui>Display Name</maml:ui>, type a new name for the certificate template or keep the default name.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security </maml:ui>tab. In <maml:ui>Group or user names</maml:ui>, click <maml:ui>Domain Computers</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Permissions for Domain Computers</maml:ui>, under <maml:ui>Allow</maml:ui>, select the <maml:ui>Enroll</maml:ui> and <maml:ui>Autoenroll</maml:ui> permission check boxes, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certification Authority</maml:ui>, double-click the CA name, and then click <maml:ui>Certificate Templates</maml:ui>. On the <maml:ui>Action </maml:ui>menu, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui>. The <maml:ui>Enable Certificate Templates</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the name of the certificate template you just configured, and then click <maml:ui>OK</maml:ui>. For example, if you did not change the default certificate template name, click <maml:ui>Copy of Workstation Authentication</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the computer where Active Directory Domain Services (AD DS) is installed, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File </maml:ui>menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. The <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Add or Remove Snap-ins</maml:ui> dialog box, in <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Group Policy Management Editor</maml:ui>. The <maml:ui>Select Group Policy Object</maml:ui> wizard opens. Click <maml:ui>Browse</maml:ui>, and then select <maml:ui>Default Domain Policy</maml:ui>. Click <maml:ui>OK</maml:ui>, click <maml:ui>Finish</maml:ui>, and then click <maml:ui>OK</maml:ui> again.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Default Domain Policy</maml:ui>. Open <maml:ui>Computer Configuration</maml:ui>, then <maml:ui>Policies</maml:ui>, then <maml:ui>Windows Settings</maml:ui>, then <maml:ui>Security Settings</maml:ui>, and then <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click <maml:ui>Certificate Services Client - Auto-Enrollment</maml:ui>. The <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Certificate Services Client - Auto-Enrollment Properties</maml:ui> dialog box, in <maml:ui>Configuration Model</maml:ui>, select <maml:ui>Enabled</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Renew expired certificates, update pending certificates, and remove revoked certificates</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Update certificates that use certificate templates</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:para>After you complete this procedure, domain member client computers automatically enroll a client computer certificate when Group Policy is refreshed. To refresh Group Policy, restart the client computer or, at the command prompt, run <maml:computerOutputInline>gpupdate</maml:computerOutputInline>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Windows Security Health Validator</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>The Windows Security Health Validator (WSHV) provides settings that you can configure based on the requirements of your deployment.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>WSHV settings</maml:title><maml:introduction>
<maml:para>You can configure the following WSHV settings for your policy.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Firewall</maml:title><maml:introduction>
<maml:para>To use the setting <maml:ui>A firewall is enabled for all network connections</maml:ui>, the firewall software that is running on the client computer must be Windows Firewall software or other firewall software that is compatible with Windows Security Center.</maml:para>

<maml:para>Firewall software that is not compatible with Windows Security Center cannot be managed or detected by Windows Security Health Agent (WSHA) on the client computer.</maml:para>

<maml:para>If you select <maml:ui>A firewall is enabled for all network connections</maml:ui>, WSHA on the client computer checks if firewall software is running on the client computer, and then takes the following actions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the client computer is not running firewall software, the client computer is restricted to a remediation network until firewall software is installed and running.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the only firewall software running on the client computer is a firewall that is not compliant with Windows Security Center, WSHA reports to the Network Access Protection (NAP) service that no firewall is enabled, and the client computer is restricted to a remediation network.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you select <maml:ui>A firewall is enabled for all network connections</maml:ui> and client computers are not running Windows Firewall or other Windows Security Center-compliant firewall software, client computers cannot connect to your network.</maml:para>
</maml:alertSet>

<maml:para>If you do not select <maml:ui>A firewall is enabled for all network connections</maml:ui>, WSHA on the client computer performs no checks, and client computers that are not running firewall software are not prevented from connecting to your network.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Autoremediation</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>A firewall is enabled for all network connections</maml:ui>, you enable NAP autoremediation, and WSHA on the client computer reports that no firewall is enabled, then WSHV directs WSHA on the client computer to turn on Windows Firewall.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If autoremediation is enabled and client computers are running firewall software that is not compliant with Windows Security Center, WSHA does not detect that firewall software and turns on Windows Firewall on the client computer, resulting in the client computer running two different firewalls simultaneously. Any exceptions that are configured on the noncompliant firewall but not in Windows Firewall can cause a loss of functionality on the client computer. For this reason, it is not recommended for client computers to run two different firewalls simultaneously.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section>
<maml:title>Virus protection</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>An antivirus application is on</maml:ui>, WSHA on the client computer verifies that antivirus software is running on the client computer. If the client computer is not running antivirus software, the client computer is restricted to a remediation network until antivirus software is installed and running.</maml:para>

<maml:para>The antivirus software that is running on the client computer must be compatible with Windows Security Center. Antivirus software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. If the only antivirus software running on the client computer is an antivirus application that is not compliant with Windows Security Center, WSHA reports to WSHV that no antivirus is enabled, and the client computer is restricted to a remediation network.</maml:para>

<maml:para>If you select <maml:ui>Antivirus is up to date</maml:ui>, WSHA on the client computer verifies that the antivirus definitions for your antivirus applications are the most current versions and are up-to-date.</maml:para>

<maml:para>To verify that antivirus software is running and that antivirus definitions are the most recent updates available, you must select both <maml:ui>An antivirus application is on</maml:ui> and <maml:ui>Antivirus is up to date</maml:ui>.</maml:para>

<maml:para>If you do not select <maml:ui>An antivirus application is on</maml:ui>, WSHA on the client computer performs no checks, and client computers that are not running antivirus software are not prevented from connecting to your network.</maml:para>

<maml:para>If you do not select both <maml:ui>An antivirus application is on</maml:ui> and <maml:ui>Antivirus is up to date</maml:ui>, WSHA on the client computer performs no checks, and client computers that are not running antivirus software or that are running antivirus software with out-of-date antivirus definitions are not prevented from connecting to your network.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Spyware protection</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>An antispyware application is on</maml:ui>, WSHA on the client computer verifies that antispyware software is running on the client computer. If the client computer is not running antispyware software, the client computer is restricted to a remediation network until antispyware software is installed and running.</maml:para>

<maml:para>The antispyware software that is running on the client computer must be Windows Defender or other antispyware software that is compatible with Windows Security Center.</maml:para>

<maml:para>Antispyware software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. If the only antispyware software running on the client computer is an antispyware application that is not compatible with Windows Security Center, the WSHA reports to WSHV that no antispyware is enabled, and the client computer is restricted to a remediation network.</maml:para>

<maml:para>If you select <maml:ui>Antispyware is up to date</maml:ui>, WSHA on the client computer verifies that the antispyware definitions for your antispyware applications are the most current versions and are up-to-date.</maml:para>

<maml:para>To verify that antispyware software is running and that antispyware definitions are the most recent updates available, you must select both <maml:ui>An antispyware application is on</maml:ui> and <maml:ui>Antispyware is up to date</maml:ui>.</maml:para>

<maml:para>If you do not select <maml:ui>An antispyware application is on</maml:ui>, WSHA on the client computer performs no checks, and client computers that are not running antispyware software are not prevented from connecting to your network.</maml:para>

<maml:para>If you do not select both <maml:ui>An antispyware application is on</maml:ui> and <maml:ui>Antispyware is up to date</maml:ui>, WSHA on the client computer performs no checks, and client computers that are not running antispyware software or that are running antispyware software with out-of-date antispyware definitions are not prevented from connecting to your network.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Autoremediation</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>An antispyware application is on</maml:ui>, you enable NAP autoremediation, and WSHA on the client computer reports that no antispyware is enabled, then WSHV directs WSHA on the client computer to turn on Windows Defender.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If autoremediation is enabled and client computers are running antispyware software that is not compliant with Windows Security Center, WSHA does not detect that antispyware software and turns on Windows Defender on the client computer, resulting in the client computer running two different antispyware applications simultaneously.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can configure autoremediation by using the NAP Client Management Microsoft Management Console (MMC) snap-in.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section>
<maml:title>Automatic updating</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>Automatic Updating is on</maml:ui>, and Microsoft Update Services is not enabled on the client computer, WSHA restricts the client computer to a remediation network until Microsoft Update Services is enabled.</maml:para>

<maml:para>Microsoft Update Services is enabled when one of the following settings is selected on the client computer:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install updates automatically (recommended)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Download updates, but let me choose whether to install them</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Check for updates, but let me choose whether to download and install them</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Autoremediation</maml:title><maml:introduction>
<maml:para>If you select <maml:ui>Automatic updates are enabled</maml:ui>, you enable NAP autoremediation, and WSHA on the client computer reports that Microsoft Update Services is not enabled, then WSHV directs WSHA on the client computer to enable Microsoft Update Services and to configure Microsoft Update Services to automatically download and install updates.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can configure autoremediation by using the NAP Client Management MMC snap-in.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section>
<maml:title>Security update protection</maml:title><maml:introduction>
<maml:para>Do not configure Security Update Protection in your WSHV policy unless client computers on your network are running Windows Update Agent. In addition, client computers that are running Windows Update Agent must be registered with a server running Windows Server Update Service (WSUS).</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If these conditions are not met and you configure Security Update Protection in your WSHV policy, the policy cannot be enforced by WSHA on the client computer, WSHA restricts client computers to a remediation network, and the clients cannot connect to your network.</maml:para>
</maml:alertSet>

<maml:para>If client computers are running Windows Update Agent and are registered with a WSUS server, you can configure Security Update Protection for your WSHV policy.</maml:para>

<maml:para>In that case, if you select <maml:ui>Enforce quarantine for missing security updates</maml:ui> and the most recent security updates are not installed, WSHA restricts the client computer to a remediation network until the most recent software security updates are installed.</maml:para>

<maml:para>You can configure Security Update Protection with several possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). These values are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Critical only</maml:ui>. If selected, client computers are required to have all security updates with an MSRC severity rating of Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Important and above</maml:ui>. This is the default setting. If selected, client computers are required to have all security updates with an MSRC severity rating of Important or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Moderate and above</maml:ui>. If selected, client computers are required to have all security updates with an MSRC severity rating of Moderate, Important, or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Low and above</maml:ui>. If selected, client computers are required to have all security updates with an MSRC severity rating of Low, Moderate, Important, or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>All</maml:ui>. If selected, client computers are required to have all security updates, regardless of their severity rating by the MSRC. If a client computer does not have the most recent updates, it is restricted to a remediation network until the updates are downloaded and installed.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>After you configure the security update severity rating level, you can specify the minimum number of hours allowed since the client has checked the WSUS server for new security updates. The default value for the minimum synchronization time is 22 hours.</maml:para>

<maml:para>When a client computer first attempts to connect to a NAP-enabled network and the Security Update Protection setting is configured in the WSHV policy, WSHA determines whether to restrict the client computer to a remediation network based on the most recent time that the client computer checked the WSUS server for security updates. WSHA determines whether to restrict the client to a remediation network in the following way:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the client check for updates occurred at an interval greater than the WSHV-configured minimum number of hours allowed between checks, the client computer is restricted to a remediation network. After the client checks for updates and downloads and installs any recent updates, the client is allowed full network access.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the client check for updates occurred at an interval that is equal to or less than the WSHV-configured minimum number of hours allowed between checks, the client computer is not restricted to a remediation network.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>WSHA on the client computer only performs this check at the time that the client computer attempts to connect to the network. If the client computer remains connected to the network for longer than the configured minimum synchronization time, WSHA does not trigger a check for security updates, does not trigger download of updates, and does not restrict the client computer to a remediation network.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Autoremediation</maml:title><maml:introduction>
<maml:para>For autoremediation to work with the Security Update Protection setting enabled and configured in your WSHV policy, the following must be true:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Client computers on your network are running Windows Update Agent.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Client computers that are running Windows Update Agent are registered with a WSUS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Autoremediation is configured and enabled.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If these conditions are met, WSHA on the client computer checks with the WSUS server to discover the most recent security updates. If WSHA discovers that the most recent security updates of the configured MSRC severity rating are not installed on the client computer, WSHA downloads and installs the most recent security updates.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Client Computer Configuration</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Client Computer Configuration</maml:title><maml:introduction>
<maml:para>The following topics provide information about configuring access clients for use with Network Policy Server (NPS).</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>802.1X Client Configuration with Group Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploy Client Computer Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Requirements for PEAP and EAP</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Both client and server certificates have additional requirements.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Minimum server certificate requirements</maml:title><maml:introduction>
<maml:para>With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the NPS server must use a server certificate that meets the minimum server certificate requirements. </maml:para>

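<maml:para>Client computers can be configured to validate server certificates by using the <maml:ui>Validate server certificate</maml:ui> option on the client computer or in Group Policy. If this option is not selected, the client computer does not verify the identity of the server that it authenticates to.</maml:para>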

<maml:para>The client computer accepts the authentication attempt of the server when the server certificate meets the following requirements:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The Subject name contains a value. If you issue a certificate to your server running Network Policy Server (NPS) that has a blank Subject name, the certificate is not available to authenticate your NPS server. To configure the certificate template with a Subject name:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Open Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Subject Name</maml:ui> tab, and then click <maml:ui>Build from this Active Directory information</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Subject name format</maml:ui>, select a value other than <maml:ui>None</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>

<maml:listItem>
<maml:para>The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The server certificate is configured with a required algorithm value of <maml:ui>RSA</maml:ui>. To configure the required cryptography setting:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Open Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Cryptography</maml:ui> tab. In <maml:ui>Algorithm name</maml:ui>, click <maml:ui>RSA</maml:ui>. Ensure that <maml:ui>Minimum key size</maml:ui> is set to 2048.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>

<maml:listItem>
<maml:para>The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the Domain Name System (DNS) name of the enrolling server: </maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Open Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Subject Name</maml:ui> tab, and then click <maml:ui>Build from this Active Directory information</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Include this information in alternate subject name</maml:ui>, select <maml:ui>DNS name</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>
</maml:list>

<maml:para>When using PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, with the following exceptions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Certificates that do not contain the Server Authentication purpose in EKU extensions are not displayed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificates that do not contain a Subject name are not displayed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Registry-based and smart card-logon certificates are not displayed.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Minimum client certificate requirements</maml:title><maml:introduction>
<maml:para>With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory® Domain Services (AD DS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The user or computer certificate on the client chains to a trusted root CA and includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2). The certificate also does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy, or any of the Certificate object identifier checks that are specified in IAS remote access policy or NPS network policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN in a certificate template:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Open Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Subject Name</maml:ui> tab, and then click <maml:ui>Build from this Active Directory information</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Include this information in alternate subject name</maml:ui>, select <maml:ui>User principal name (UPN)</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>

<maml:listItem>
<maml:para>For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the fully qualified domain name (FQDN) of the client, which is also called the <maml:newTerm>DNS name</maml:newTerm>. To configure this name in the certificate template:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Open Certificate Templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Subject Name</maml:ui> tab, and then click <maml:ui>Build from this Active Directory information</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Include this information in alternate subject name</maml:ui>, select <maml:ui>DNS name</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>
</maml:list>

<maml:para>With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Wireless clients do not display registry-based and smart card-logon certificates. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Wireless clients and VPN clients do not display password-protected certificates. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol–Transport Layer Security (PEAP-TLS) profile for authentication using smart cards or other certificates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>

<maml:procedure><maml:title>To configure a PEAP-TLS wireless profile for computers running Windows 7 and Windows Vista</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open the New Wireless Network (IEEE 802.11) Policies Properties dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>General</maml:ui> tab, in <maml:ui>Policy Name</maml:ui>, type a new name for your policy, or leave the default.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Description</maml:ui>, type a description of your policy.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>Use Windows to configure wireless network settings for clients</maml:ui> to specify that WLAN AutoConfig is used to configure wireless network adapter settings.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do one of the following: </maml:para> 

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To add and configure a new profile, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To edit an existing profile, select the profile you want to modify, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Connection</maml:ui> tab, in <maml:ui>Profile Name</maml:ui>, if you are adding a new profile, type a name for the profile. If you are editing a profile that is already added, use the existing profile name, or modify the name as needed. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Network Name(s) (SSID)</maml:ui>, type the service set identifier (SSID) for your wireless APs, and then click <maml:ui>Add</maml:ui>. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients automatically connect to wireless APs for which the SSID is specified in <maml:ui>Network Name(s) (SSID)</maml:ui>, select <maml:ui>Connect automatically when this network is in range</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients connect to networks in order of preference, select <maml:ui>Connect to a more preferred network if available</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you deployed wireless access points that are configured to suppress the broadcast beacon, select <maml:ui>Connect even if the network is not broadcasting</maml:ui>. </maml:para>
<maml:alertSet class="security"><maml:title>Security Note </maml:title><maml:para>Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Security</maml:ui> tab.  In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select <maml:ui>WPA2-Enterprise</maml:ui> if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>WPA-Enterprise</maml:ui>. </maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Selecting WPA2 exposes settings for Fast Roaming that are not displayed if WPA is selected. The default settings for Fast Roaming are sufficient for most wireless deployments.</maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Encryption</maml:ui>, select <maml:ui>AES</maml:ui>, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>TKIP</maml:ui>. TKIP provides weaker protection than AES, so select it only when the wireless AP or the wireless client network adapters cannot use AES. </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The settings for both <maml:ui>Authentication</maml:ui> and <maml:ui>Encryption</maml:ui> must match the settings configured on your wireless AP. </maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Microsoft: Protected EAP (PEAP)</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui>, <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, this value is set to “1.”</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Advanced</maml:ui>, and then configure the following: </maml:para>

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To configure advanced 802.1X settings, in <maml:ui>IEEE 802.1X</maml:ui>, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then configure the following settings, depending on your needs: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, and <maml:ui>Auth Period</maml:ui>. </maml:para><maml:para>When the advanced 802.1X settings are enforced, the default values are sufficient for most wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify when Single Sign On occurs, select either <maml:ui>Perform immediately before User Logon</maml:ui> or <maml:ui>Perform immediately after User Logon</maml:ui>, depending on your needs.</maml:para>

<maml:para>The remaining default values in <maml:ui>Single Sign On</maml:ui> are sufficient for typical wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify the maximum amount of time, in seconds, in which 802.1X authentication must complete and authorize network access, in <maml:ui>Max delay for connectivity (seconds)</maml:ui>, enter a value, depending on your needs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To allow dialogs during Single Sign On, select <maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless computers are placed on one virtual local area network (VLAN) at startup, and then transitioned to a different network after the user logs on to the computer, select <maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Fast Roaming, in <maml:ui>Fast Roaming</maml:ui>, select <maml:ui>Enable Pairwise Master Key (PMK) Caching</maml:ui>. The default values for <maml:ui>PMK Time to Live (minutes)</maml:ui> and <maml:ui>Number of entries in PMK Cache</maml:ui> are typically sufficient for Fast Roaming.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>This network uses pre-authentication</maml:ui>, if your wireless AP is configured for pre-authentication. 
The default value of 3 is typically sufficient for <maml:ui>Maximum Pre-authentication attempts</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that cryptography adheres to the FIPS 140-2 certified mode, select <maml:ui>Perform cryptography in FIPS 140-2 certified mode</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save your settings and return to the <maml:ui>Security</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Properties</maml:ui>. The <maml:ui>Protected EAP Properties</maml:ui> dialog box opens.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Protected EAP Properties</maml:ui>, verify that <maml:ui>Validate server certificate</maml:ui> is selected. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS). </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This setting limits the trusted root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, then clients trust all root CAs listed in their trusted root certification authority store. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Smart Card or other certificate</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable PEAP Fast Reconnect, select <maml:ui>Enable Fast Reconnect</maml:ui>. 
</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To require cryptobinding Type-Length-Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To configure your clients so that they will not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and then in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty.</maml:para>

<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui> but do not provide an anonymous identity value, the identity response is @realm.
</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Configure</maml:ui>. In the <maml:ui>Smart Card or other Certificate Properties</maml:ui> dialog box, in <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui> or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To require that access clients validate the NPS server certificate, select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify which RADIUS servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to specify multiple RADIUS server names.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the CA that issued certificates to your NPS servers.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To prevent users from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. 
(Recommended)</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>Smart card or other Certificate Properties</maml:ui> dialog box, and then click <maml:ui>OK</maml:ui> again to close the <maml:ui>Protected EAP (PEAP) Properties</maml:ui> dialog box, returning you to <maml:ui>New Wireless Network Policy Properties</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Server for 802.1X Wireless or Wired Connections</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>When you deploy 802.1X wired or wireless access with Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, you must take the following steps:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install and configure network access servers (NASs) as RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Deploy components for authentication methods.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS as a RADIUS server.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Install and configure network access servers (RADIUS clients)</maml:title><maml:introduction>
<maml:para>To deploy 802.1X wireless access, you must install and configure wireless access points. To deploy 802.1X wired access, you must install and configure 802.1X authenticating switches.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.</maml:para>
</maml:alertSet>

<maml:para>In both cases, these network access servers must meet the following requirements:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Support for Institute of Electrical and Electronics Engineers (IEEE) standard 802.1X authentication</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Support for RADIUS authentication and RADIUS accounting</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you use billing or accounting applications that require session correlation, the following are required:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Support for the Class attribute as defined by the Internet Engineering Task Force (IETF) in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," to allow session correlation for RADIUS authentication and accounting records. For session correlation, when you configure RADIUS accounting at your NPS server or proxy, you must log all accounting data that allow applications (such as billing applications) to query the database, correlate related fields, and return a cohesive view of each session in the query results. At a minimum, to provide session correlation, you must log the following NPS accounting data: NAS-IP-Address; NAS-Identifier (you need both NAS-IP-Address and NAS-Identifier because the access server can send either attribute); Class; Acct-Session-Id; Acct-Multi-Session-Id; Packet-Type; Acct-Status-Type; Acct-Interim-Interval; NAS-Port; and Event-Timestamp.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Support for accounting interim requests, which are sent periodically by some network access servers (NASs) during a user session, that can be logged. This type of request can be used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in the remote access profile on the NPS server. The NAS must support the use of accounting interim requests if you want the interim requests to be logged on the NPS server.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you use virtual local area networks (VLANs), the NASs must support VLANs.</maml:para>

<maml:para>For wide area network (WAN) environments, network access servers should provide the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Support for dynamic retransmit timeout (RTO) estimation or exponential backoff to handle congestion and delays in a WAN environment.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, there are filtering features that the network access servers should support to provide enhanced security for the network. These filtering options include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>DHCP filtering</maml:phrase>. The NASs must filter on IP ports to prevent the transmission of Dynamic Host Configuration Protocol (DHCP) broadcast messages if the client is a DHCP server. The network access servers must block the client from sending IP packets from port 68 to the network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>DNS filtering</maml:phrase>. The NASs must filter on IP ports to prevent a client from acting as a DNS server. The NASs must block the client from sending IP packets from port 53 to the network.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you are deploying wireless access points, support for Wi-Fi Protected Access (WPA) is preferred. WPA is supported by Windows Vista® and Windows XP with Service Pack 2. To deploy WPA, also use wireless network adapters that support WPA.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Deploy components for authentication methods</maml:title><maml:introduction>
<maml:para>For 802.1X wireless and wired, you can use the following authentication methods:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), also called EAP-TLS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), also called PEAP-MS-CHAP v2.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>PEAP with EAP-TLS, also called PEAP-TLS.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For EAP-TLS and PEAP-TLS, you must deploy a public key infrastructure (PKI) by installing and configuring Active Directory® Certificate Services (AD CS) to issue certificates to domain member client computers and NPS servers. These certificates are used during the authentication process as proof of identity by both clients and NPS servers. If preferred, you can deploy smart cards rather than using client computer certificates. In this case, you must issue smart cards and smart card readers to organization employees.</maml:para>

<maml:para>For PEAP-MS-CHAP v2, you can deploy your own certification authority (CA) with AD CS to issue certificates to NPS servers or you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>EAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=13a5e651-d090-407f-a995-3e8509cf9a8e"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>PEAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=5e653bce-7b3b-48c8-b784-020e133c6bcc"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure NPS as a RADIUS server</maml:title><maml:introduction>
<maml:para>When you configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Configure RADIUS clients</maml:title><maml:introduction>
<maml:para>There are two stages to configuring RADIUS clients:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure the physical RADIUS client, such as the wireless access point or authenticating switch, with information that allows the network access server to communicate with NPS servers. This information includes configuring the IP address of your NPS server and the shared secret in the access point or switch user interface.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In NPS, add a new RADIUS client. On the NPS server, add each access point or authenticating switch as a RADIUS client. NPS allows you to provide a friendly name for each RADIUS client, as well as the IP address of the RADIUS client and the shared secret.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure network policies</maml:title><maml:introduction>
<maml:para>Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure RADIUS accounting</maml:title><maml:introduction>
<maml:para>RADIUS accounting allows you to record user authentication and accounting requests in a local log file or to a Microsoft® SQL Server® database on the local computer or a remote computer.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure NPS for 802.1X Authenticating Switch Access</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>This checklist provides the tasks required to deploy 802.1X authenticating switches with Network Policy Server (NPS).</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Install and configure 802.1X authenticating switches on your network.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for 802.1X Wireless or Wired Connections</maml:linkText><maml:uri href="mshelp://windows/?id=addbacc4-32a5-4dca-b12e-771bcba85733"></maml:uri></maml:navigationLink> and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Determine the authentication method you want to use.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server for 802.1X Wireless or Wired Connections</maml:linkText><maml:uri href="mshelp://windows/?id=addbacc4-32a5-4dca-b12e-771bcba85733"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Certificate Requirements for PEAP and EAP</maml:linkText><maml:uri href="mshelp://windows/?id=a1ac8d7e-3479-46b4-932b-ab43362e021b"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>EAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=13a5e651-d090-407f-a995-3e8509cf9a8e"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>PEAP Overview</maml:linkText><maml:uri href="mshelp://windows/?id=5e653bce-7b3b-48c8-b784-020e133c6bcc"></maml:uri></maml:navigationLink>; and your hardware documentation</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Autoenroll a server certificate to servers running NPS or, if you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) only, optionally purchase a server certificate rather than deploying your own CA.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy a CA and NPS Server Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=58ec6857-153e-417f-b63c-40fd6addd216"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=33675"></maml:uri></maml:navigationLink> on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=33675.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>If you are using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both user and computer certificates, to domain member client computers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Deploy Client Computer Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Deploy User Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=25b886ed-75e9-4f49-8ca0-c90991dfc20e"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X wired access clients by using the Group Policy Management extension, Wired Network (IEEE 802.3) Policies.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wired Access Clients by using Group Policy Management</maml:linkText><maml:uri href="mshelp://windows/?id=92ed06a5-f36b-4256-ab81-229fa7af9fc6"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X authenticating switches as Remote Authentication Dial-In User Service (RADIUS) clients in NPS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the switches.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Create a Group for a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=c29cb16a-4263-47d9-8bbe-0d5db799ca7c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>In NPS, configure one or more network policies for 802.1X switch access.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=f4522491-921b-4ca9-974c-a41b90883ca7"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>Create policies for 802.1X Wired or Wireless with a Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=541cef62-a77e-483c-a847-27aacc68625d"></maml:uri></maml:navigationLink>; and <maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Network Policies</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>The following topics demonstrate how to configure network policies in NPS.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Network Policy</maml:linkText><maml:uri href="mshelp://windows/?id=f4522491-921b-4ca9-974c-a41b90883ca7"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure a Network Policy to Grant or Deny Access</maml:linkText><maml:uri href="mshelp://windows/?id=89328686-ac05-4f04-a2cb-51c30c4d6796"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Create Policies for Dial-Up or VPN with a Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=cfa37f4c-8133-4df8-9db8-657a0784ffd5"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Create policies for 802.1X Wired or Wireless with a Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=541cef62-a77e-483c-a847-27aacc68625d"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create a Group for a Network Policy</maml:title><maml:introduction>
<maml:para>You can use this procedure to create a user or computer group in Active Directory® Domain Services (AD DS) and then add the group as a condition in a Network Policy Server (NPS) network policy.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:procedure><maml:title>To create a group for a network policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and then click the domain where you want to create a group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>To create a group whose members are computers, in the details pane, right-click <maml:ui>Computers</maml:ui>, click <maml:ui>New</maml:ui>, and then click <maml:ui>Group</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>To create a group whose members are users, in the details pane, right-click <maml:ui>Users</maml:ui>, click <maml:ui>New</maml:ui>, and then click <maml:ui>Group</maml:ui>.</maml:para></maml:listItem>
</maml:list>
<maml:para>The <maml:ui>New Object - Group</maml:ui> dialog box opens.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>New Object - Group</maml:ui>, in <maml:ui>Group name</maml:ui>, type a name for the group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Group scope</maml:ui>, select <maml:ui>Domain local</maml:ui>, <maml:ui>Global</maml:ui>, or <maml:ui>Universal</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Group type</maml:ui>, ensure that <maml:ui>Security</maml:ui> is selected, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click either <maml:ui>Computers</maml:ui> or <maml:ui>Users</maml:ui>, depending on where you created your group, and then double-click the group you created to open group properties.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In group properties, click the <maml:ui>Members</maml:ui> tab, and then click <maml:ui>Add</maml:ui>. The <maml:ui>Select Users, Contacts, Computers, or Groups</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Select Users, Contacts, Computers, or Groups</maml:ui>, in <maml:ui>Enter the object names to select</maml:ui>, type the object names that you want to add to the group, and then click <maml:ui>OK</maml:ui> twice.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console, and then double-click <maml:ui>Policies</maml:ui>. Right-click <maml:ui>Network Policies</maml:ui>, and then click <maml:ui>New</maml:ui>. The <maml:ui>New Network Policy</maml:ui> wizard opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Run the wizard, making selections appropriate to your deployment, until you reach the <maml:ui>Specify Conditions</maml:ui> page.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Specify Conditions</maml:ui>, click <maml:ui>Add</maml:ui>. The <maml:ui>Select condition</maml:ui> dialog box opens. If you created a group of computers, click <maml:ui>Machine Groups</maml:ui>. If you created a group of users, click <maml:ui>User Groups</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui>. The <maml:ui>Windows Groups</maml:ui> dialog box opens. Click <maml:ui>Add Groups</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>The <maml:ui>Select Group</maml:ui> dialog box opens. In <maml:ui>Enter the object name to select</maml:ui>, type the name of the group that you created in AD DS, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Configure additional conditions for your deployment as needed, and then continue running the <maml:ui>New Network Policy</maml:ui> wizard until you have completed creating a new network policy.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wired Access Clients for EAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure an Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) profile for authentication that uses smart cards or other certificates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>

</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>


<maml:procedure><maml:title>To configure an EAP-TLS profile for wired connections</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para> In <maml:ui>Policy Name</maml:ui>, type a name for the wired network policy. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a brief description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Ensure that <maml:ui>Use Windows Wired Auto Config service for clients</maml:ui> is selected.</maml:para></maml:listItem>


<maml:listItem><maml:para>To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in <maml:ui>Windows 7 Policy Settings</maml:ui>, select <maml:ui>Enable Explicit Credentials</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select <maml:ui>Enable Block Period</maml:ui>, and then in <maml:ui>Block Period (minutes)</maml:ui>, specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1-60.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For more information about the settings on any tab, press F1 while viewing that tab.</maml:para></maml:alertSet>
</maml:listItem>

</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Enable use of IEEE 802.1X authentication for network access</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Smart Card or other certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui>, <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To configure Single Sign On or advanced 802.1X settings, click <maml:ui>Advanced</maml:ui>. On the <maml:ui>Advanced</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>To configure advanced 802.1X settings, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then modify — only as necessary — the settings for: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, <maml:ui>Auth Period</maml:ui>, <maml:ui>Eapol-Start Message</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To configure Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>, and then modify — as necessary — the settings for:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:ui>Perform Immediately before User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Perform Immediately after User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Max delay for connectivity</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui></maml:para></maml:listItem></maml:list>








</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>. The <maml:ui>Advanced Security Settings</maml:ui> dialog box closes, returning you to the <maml:ui>Security</maml:ui> tab. On the <maml:ui>Security</maml:ui> tab, click <maml:ui>Properties</maml:ui>. The <maml:ui>Smart Card or other Certificate Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Smart Card or other Certificate Properties</maml:ui> dialog box, do the following:</maml:para>

<maml:list class="ordered">


<maml:listItem><maml:para>In <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui>, or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>. </maml:para></maml:listItem>
<maml:listItem><maml:para>Select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to separate multiple RADIUS server names. </maml:para></maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
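<maml:para>This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store. In that case, a server certificate that chains to any root in that store satisfies the trusted root check, so select only the CA that issued the certificate for your NPS server. </maml:para>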
</maml:alertSet></maml:listItem>

<maml:listItem><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:listItem>
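<maml:listItem><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. With this option selected, users are not asked to make a trust decision when the server name or issuing CA does not match the values configured above; the connection attempt fails instead. </maml:para></maml:listItem>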

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui> to save the <maml:ui>Smart Card or other Certificate Properties</maml:ui> settings. Click <maml:ui>OK</maml:ui> again to return to the <maml:ui>New Wired Network Policy Properties</maml:ui> dialog box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>



</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Host Credential Authorization Protocol</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Host Credential Authorization Protocol (HCAP) allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control. When you deploy HCAP with Network Policy Server (NPS) and NAP, NPS can perform the authorization of Cisco 802.1X access clients, including the enforcement of NAP health policy, while Cisco authentication, authorization, and accounting (AAA) servers perform authentication.</maml:para>

<maml:para>To deploy an HCAP server, you must do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Deploy NAP-capable client computers. Configure client computers to use Cisco EAP-FAST as the authentication method for network access.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Using NAP deployment documentation, deploy NAP, which includes configuring client computers with system health agents (SHAs) and NPS servers with the corresponding system health validators (SHVs).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Using Cisco deployment documentation, deploy Cisco Network Admission Control.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Using the Add Roles wizard from Server Manager, install HCAP server. HCAP server is a role service of the Network Policy and Access Services server role. When you install HCAP server, the additional required components, Internet Information Services (IIS) and NPS, are installed on the same computer. In addition, a server certificate is autoenrolled to the server running IIS to allow Secure Sockets Layer (SSL) connections between IIS and the Cisco AAA server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure IIS to listen to specified IP addresses to allow Cisco AAA servers to send authorization requests.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Cisco AAA server with the URL of the server running HCAP, NPS, and IIS so that the Cisco AAA server can send authorization requests to NPS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS on the HCAP server as a RADIUS proxy to forward authorization requests to NPS servers that are members of one or more remote RADIUS server groups. Optionally, you can configure NPS on the HCAP server as a RADIUS server to process authorization requests locally.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS servers as RADIUS servers to perform authorization, which includes deploying NAP and creating health policy in NPS. If the NPS-HCAP server is a RADIUS proxy that forwards connection requests to NPS RADIUS servers in remote RADIUS server groups, you must configure the RADIUS proxy as a RADIUS client on each RADIUS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On NPS RADIUS servers, configure network policy with NAP health policy. If desired, network policy conditions can include HCAP-Group-Name and HCAP-Location-Group for NAP interoperability with Cisco Network Admission Control. In addition, you can use the Extended State condition in network policy to specify the extended state of the client computer that is required to match the network policy. Extended states are elements of Cisco Network Admission Control, and include Transitional, Infected, and Unknown. By using this network policy condition, you can configure NPS to authorize or reject access based on whether the client computer is in one of these states.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Authentication and authorization process</maml:title><maml:introduction>
<maml:para>After deploying both Cisco Network Admission Control and NPS with NAP, the authentication and authorization process works as follows:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>The client computer attempts to access the network. The client can attempt to connect through an 802.1X authenticating switch or through an 802.1X wireless access point that is configured as a RADIUS client to the Cisco AAA server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>After the Cisco AAA server receives the connection request from the network access server or router, the Cisco AAA server requests statement of health (SoH) data from the client by sending an EAP-Type Length Value (EAP-TLV).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>SHAs on the client computer report health status to NAP Agent on the client, and NAP Agent creates an SoH, which it sends to the Cisco AAA server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The Cisco AAA server forwards the SoH using HCAP to the NPS proxy or server along with the client computer's user ID, machine ID, and location.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the NPS-HCAP server is configured as a RADIUS proxy, NPS forwards the authorization request to the appropriate remote RADIUS server group. (This determination is made with the evaluation by NPS of the configured connection request policies.) If the NPS-HCAP server is configured as a RADIUS server, the NPS-HCAP server processes the authorization request.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NPS evaluates the SoH against configured network policy and, if a matching network policy is found, creates a statement of health response (SoHR) to be sent back to the client. This, along with the NAP enforcement state and extended state information, is then sent back to the Cisco AAA server using HCAP.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The Cisco AAA server evaluates the NAP enforcement state against Cisco Network Admission Control policy and determines the network access profile.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The Cisco AAA server sends the network access profile to the network access server (the switch, AP, or router). The network access profile contains the information that instructs the network access server whether to allow full access, restrict access, or deny access to the client computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The Cisco AAA server sends the SoHR back to the client computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the client configuration does not comply with health policy and the SoHR instructs the client to remediate, then the client attempts to take the required actions, such as downloading software updates or changing configuration settings. After remediation, the client attempts to access the network again, and the authentication and authorization process is repeated.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:para>For more information, see Network Access Protection at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=56443</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=56443"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=128799</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=128799"></maml:uri></maml:navigationLink>.</maml:para></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Clients and Servers</maml:title><maml:introduction>
<maml:para>In the NPS console, if you click <maml:ui>RADIUS Clients and Servers</maml:ui>, you can then choose to configure either RADIUS clients or Remote RADIUS Server Groups.</maml:para>
<maml:para>For more information about RADIUS clients, see <maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink>.</maml:para>
<maml:para>For more information about remote RADIUS server groups, see <maml:navigationLink><maml:linkText>Remote RADIUS Server Groups</maml:linkText><maml:uri href="mshelp://windows/?id=689390e0-760d-42e8-a894-78749558a626"></maml:uri></maml:navigationLink>.</maml:para>
<maml:para>For information about configuring NPS as a RADIUS server, see <maml:navigationLink><maml:linkText>RADIUS Server</maml:linkText><maml:uri href="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create Policies for Dial-Up or VPN with a Wizard</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use this procedure to create the connection request policies and network policies required to deploy either dial-up servers or virtual private network (VPN) servers as Remote Authentication Dial-In User Service (RADIUS) clients to the Network Policy Server (NPS) RADIUS server.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. </maml:para>
</maml:alertSet>

<maml:para>This procedure explains how to open the <maml:ui>New Dial-up or Virtual Private Network Connections</maml:ui> wizard in NPS.</maml:para>

<maml:para>After you run the wizard, the following policies are created:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>One connection request policy</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>One network policy</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Running the <maml:ui>New Dial-up or Virtual Private Network Connections</maml:ui> wizard is not the only step required to deploy dial-up or VPN servers as RADIUS clients to the NPS server. Both network access methods require that you deploy additional hardware and software components.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can run the <maml:ui>New Dial-up or Virtual Private Network Connections</maml:ui> wizard every time you need to create new policies for dial-up servers and VPN servers.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To create policies for dial-up or VPN with a wizard</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console. If it is not already selected, click <maml:ui>NPS (Local)</maml:ui>. If you are running the NPS MMC snap-in and want to create policies on a remote NPS server, select the server.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Getting Started</maml:ui> and <maml:ui>Standard Configuration</maml:ui>, select <maml:ui>RADIUS server for Dial-Up or VPN Connections</maml:ui>. The text and links under the text change to reflect your selection.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Configure VPN or Dial-Up with a wizard</maml:ui>. The <maml:ui>New Dial-up or Virtual Private Network Connections</maml:ui> wizard opens.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NPS and Firewalls</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Firewalls can be configured to allow or block types of IP traffic to and from the computer or device on which the firewall is running. If firewalls are not properly configured to allow RADIUS traffic between RADIUS clients, RADIUS proxies, and RADIUS servers, network access authentication can fail, preventing users from accessing network resources. </maml:para>

<maml:para>Two types of firewalls might need to be configured to allow RADIUS traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Windows Firewall on the local server running Network Policy Server (NPS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Firewalls running on other computers or hardware devices.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Windows Firewall on the local NPS server</maml:title><maml:introduction>
<maml:para>By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646. Windows Firewall on the NPS server is automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received.</maml:para>

<maml:para>Therefore, if you are using the default UDP ports, you do not need to change the Windows Firewall configuration to allow RADIUS traffic to and from NPS servers.</maml:para>

<maml:para>In some cases, you might want to change the ports that NPS uses for RADIUS traffic. If you configure NPS and your network access servers to send and receive RADIUS traffic on ports other than the defaults, you must do the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Remove the exceptions that allow RADIUS traffic on the default ports.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Create new exceptions that allow RADIUS traffic on the new ports.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Configure NPS UDP Port Information</maml:linkText><maml:uri href="mshelp://windows/?id=9383c523-af71-4513-a942-e4458692f457"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Other firewalls</maml:title><maml:introduction>
<maml:para>In the most common configuration, the firewall is connected to the Internet and the NPS server is an intranet resource that is connected to the perimeter network.</maml:para>

<maml:para>To reach the domain controller within the intranet, the NPS server might have:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>An interface on the perimeter network and an interface on the intranet (IP routing is not enabled). </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A single interface on the perimeter network. In this configuration, NPS communicates with domain controllers through another firewall that connects the perimeter network to the intranet.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Configuring the Internet firewall</maml:title><maml:introduction>
<maml:para>The firewall that is connected to the Internet must be configured with input and output filters on its Internet interface (and, optionally, its perimeter network interface), to allow the forwarding of RADIUS messages between the NPS server and RADIUS clients or proxies on the Internet. Additional filters can be used to allow the passing of traffic to Web servers, VPN servers, and other types of servers on the perimeter network.</maml:para>

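<maml:para>Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface. Because the filters described below match only the address and UDP port of the NPS server, consider also restricting them to the IP addresses of your known RADIUS clients and proxies where the firewall allows it.</maml:para>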
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Filters on the Internet interface</maml:title><maml:introduction>
<maml:para>Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
<maml:section>
<maml:title>Filters on the perimeter network interface</maml:title><maml:introduction>
<maml:para>Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server.</maml:para>

<maml:para>This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For added security, you can restrict these filters to the IP address of each RADIUS client that sends packets through the firewall, so that the filters allow only traffic between those clients and the IP address of the NPS server on the perimeter network.</maml:para>
</maml:introduction></maml:section></maml:sections>
</maml:section><maml:section>
<maml:title>Configuring the intranet firewall</maml:title><maml:introduction>
<maml:para>The firewall that is connected to the intranet must be configured with input and output filters on its perimeter network interface (and, optionally, its intranet interface), to allow the forwarding of RADIUS messages between the NPS server on the perimeter network and domain controllers on the intranet. Additional filters can allow the passing of traffic to Web, VPN, and other types of servers on the perimeter network.</maml:para>

<maml:para>Separate input and output packet filters can be configured on the perimeter network interface and the intranet interface.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Filters on the perimeter network interface</maml:title><maml:introduction>
<maml:para>Configure the following input packet filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Source IP address of the perimeter network interface of the NPS server.</maml:para>

<maml:para>This filter allows traffic from the NPS server on the perimeter network.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Configure the following output filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface of the NPS server.</maml:para>

<maml:para>This filter allows traffic to the NPS server on the perimeter network.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Filters on the intranet interface</maml:title><maml:introduction>
<maml:para>Configure the following input filters on the intranet interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Destination IP address of the perimeter network interface of the NPS server.</maml:para>

<maml:para>This filter allows traffic to the NPS server on the perimeter network.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Configure the following output packet filters on the intranet interface of the firewall to allow the following types of traffic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Source IP address of the perimeter network interface of the NPS server.</maml:para>

<maml:para>This filter allows traffic from the NPS server on the perimeter network.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>NAP Enforcement for DHCP</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Dynamic Host Configuration Protocol (DHCP) enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). By using DHCP NAP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method is not effective.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Health validation data that is stored in DHCP is visible to other computers. However, the DHCP enforcement client sends a statement of health (SoH) only if the SoH is requested by the DHCP server.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Requirements</maml:title><maml:introduction>
<maml:para>To deploy NAP with DHCP, you must configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the <maml:ui>New Network Access Protection</maml:ui> wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the NAP DHCP enforcement client and the NAP service on NAP-capable client computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install DHCP on the local computer or on a remote computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the DHCP Microsoft Management Console (MMC) snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If DHCP is not installed on the local computer, you must also configure the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Install NPS on the computer that is running DHCP.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure NPS on the remote DHCP NPS server as a RADIUS proxy to forward connection requests to the local NPS server.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>802.1X Client Configuration with Group Policy</maml:title><maml:introduction>
<maml:para>You can use the procedures in the first section to access Group Policy extensions for wired and wireless policies. You can select from the other two sections for procedures to configure clients by using the Wired Network (IEEE 802.3) Policies and Wireless Network (IEEE 802.11) Policies extensions of Group Policy Management.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Access Group Policy Extensions for 802.1X Wired and Wireless</maml:linkText><maml:uri href="mshelp://windows/?id=e7b2e1e2-9da4-4a68-a1db-6a0886f7e028"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wired Access Clients by using Group Policy Management</maml:linkText><maml:uri href="mshelp://windows/?id=92ed06a5-f36b-4256-ab81-229fa7af9fc6"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure 802.1X Wireless Access Clients by using Group Policy Management</maml:linkText><maml:uri href="mshelp://windows/?id=5220ca1e-409e-4841-b43e-837b4edd2cb6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Network Policy Server</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Network Policy Server</maml:title><maml:introduction>
<maml:para>Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.</maml:para>

<maml:para>NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:computerOutputInline>RADIUS server</maml:computerOutputInline>. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database. For more information, see <maml:navigationLink><maml:linkText>RADIUS Server</maml:linkText><maml:uri href="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>


<maml:listItem>
<maml:para><maml:computerOutputInline>RADIUS proxy</maml:computerOutputInline>. When you use NPS as a RADIUS proxy, you configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group. For more information, see <maml:navigationLink><maml:linkText>RADIUS Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=94c797c3-1efa-4a62-946b-a6923e0ee036"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
<maml:listItem>
<maml:para><maml:computerOutputInline>Network Access Protection (NAP) policy server</maml:computerOutputInline>. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to become compliant with your organization's network policy. For more information, see <maml:navigationLink><maml:linkText>Network Access Protection in NPS</maml:linkText><maml:uri href="mshelp://windows/?id=6aadc218-2112-4781-8b20-05d591066840"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

</maml:list>

<maml:para>You can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring the same NPS server as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Configuration</maml:title><maml:introduction>
<maml:para>To configure NPS as a RADIUS server or a NAP policy server, you can use either standard configuration or advanced configuration in the NPS console or in Server Manager. To configure NPS as a RADIUS proxy, you must use advanced configuration.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Standard configuration</maml:title><maml:introduction>
<maml:para>With standard configuration, wizards are provided to help you configure NPS for the following scenarios:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>NAP policy server</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>RADIUS server for dial-up or VPN connections</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>RADIUS server for 802.1X wireless or wired connections</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To configure NPS using a wizard, open the NPS console, select one of the preceding scenarios, and then click the link that opens the wizard.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Advanced configuration</maml:title><maml:introduction>
<maml:para>When you use advanced configuration, you manually configure NPS as a RADIUS server, NAP policy server, or RADIUS proxy. Some wizards are provided to assist you with policy and NAP configuration; however, these wizards are opened from the NPS folder tree in the NPS console rather than from the <maml:ui>Getting Started</maml:ui> section in the details pane of the console.</maml:para>

<maml:para>To configure NPS by using advanced configuration, open the NPS console, and then click the arrow next to <maml:ui>Advanced Configuration</maml:ui> to expand this section.</maml:para>

<maml:para>The following advanced configuration items are provided.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Configure RADIUS server</maml:title><maml:introduction>
<maml:para>To configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.</maml:para>

<maml:para>The following Help sections provide the information you need to deploy NPS as a RADIUS server:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Server</maml:linkText><maml:uri href="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure NAP policy server</maml:title><maml:introduction>
<maml:para>To deploy NAP, you must configure NAP components in addition to configuring RADIUS clients and network policy.</maml:para>

<maml:para>The following Help sections provide the information you need to deploy NPS as a NAP policy server:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Network Access Protection in NPS</maml:linkText><maml:uri href="mshelp://windows/?id=6aadc218-2112-4781-8b20-05d591066840"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Health Policies</maml:linkText><maml:uri href="mshelp://windows/?id=9561f22e-2bab-453c-a4de-36e4466850df"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Connection Request Policies</maml:linkText><maml:uri href="mshelp://windows/?id=418638e1-e88e-4b59-853d-ae16fc589bd9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure RADIUS proxy</maml:title><maml:introduction>
<maml:para>To configure NPS as a RADIUS proxy, you must configure RADIUS clients, remote RADIUS server groups, and connection request policies.</maml:para>

<maml:para>The following Help sections provide the information you need to deploy NPS as a RADIUS proxy:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=94c797c3-1efa-4a62-946b-a6923e0ee036"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Connection Request Processing</maml:linkText><maml:uri href="mshelp://windows/?id=f1ef3288-9cae-4ba5-b55c-caa2f4f8967d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Remote RADIUS Server Groups</maml:linkText><maml:uri href="mshelp://windows/?id=689390e0-760d-42e8-a894-78749558a626"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section>

<maml:section>
<maml:title>NPS logging</maml:title><maml:introduction>
<maml:para>NPS logging is also called <maml:newTerm>RADIUS accounting</maml:newTerm>. Configure NPS logging to your requirements whether NPS is used as a RADIUS server, proxy, NAP policy server, or any combination of the three configurations.</maml:para>

<maml:para>To configure NPS logging, you must configure which events you want logged and viewed with Event Viewer, and then determine which other information you want to log. In addition, you must decide whether you want to log user authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer.</maml:para>

<maml:para>The following Help sections provide the information you need to deploy RADIUS accounting:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure Log File Properties</maml:linkText><maml:uri href="mshelp://windows/?id=50d16bcb-06c3-4073-bca9-621701c55cf1"></maml:uri></maml:navigationLink></maml:para>

</maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure SQL Server Logging in NPS</maml:linkText><maml:uri href="mshelp://windows/?id=5d57d701-429e-4389-8d03-6ff0b13ac488"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure an Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) profile for authentication using smart cards or other certificates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>

</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure an EAP-TLS wireless profile for computers running Windows Vista</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open the New Wireless Network (IEEE 802.11) Policies Properties dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>General</maml:ui> tab, in <maml:ui>Policy Name</maml:ui>, type a new name for your policy, or leave the default.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Description</maml:ui>, type a description of your policy.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>Use Windows to configure wireless network settings for clients</maml:ui> to specify that WLAN AutoConfig is used to configure wireless network adapter settings.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do one of the following: </maml:para><maml:para> </maml:para>

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To add and configure a new profile, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To edit an existing profile, select the profile you want to modify, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Connection</maml:ui> tab, in <maml:ui>Profile Name</maml:ui>, if you are adding a new profile, type a name for the profile. If you are editing a profile that is already added, use the existing profile name, or modify the name as needed. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Network Name(s) (SSID)</maml:ui>, type the service set identifier (SSID) for your wireless APs, and then click <maml:ui>Add</maml:ui>. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply. </maml:para>

<maml:para>If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients automatically connect to wireless APs for which the SSID is specified in <maml:ui>Network Name(s) (SSID)</maml:ui>, select <maml:ui>Connect automatically when this network is in range</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless clients connect to networks in order of preference, select <maml:ui>Connect to a more preferred network if available</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you deployed wireless access points that are configured to suppress the broadcast beacon, select <maml:ui>Connect even if the network is not broadcasting</maml:ui>. </maml:para>
<maml:alertSet class="security"><maml:title>Security Note </maml:title><maml:para>Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Security</maml:ui> tab. In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select <maml:ui>WPA2-Enterprise</maml:ui> if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>WPA-Enterprise</maml:ui>. </maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Selecting WPA2 exposes settings for Fast Roaming that are not displayed if WPA is selected. The default settings for Fast Roaming are sufficient for most wireless deployments. </maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Encryption</maml:ui>, select <maml:ui>AES</maml:ui>, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select <maml:ui>TKIP</maml:ui>. </maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The settings for both <maml:ui>Authentication</maml:ui> and <maml:ui>Encryption</maml:ui> must match the settings configured on your wireless AP. </maml:para></maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Microsoft: Smart card or other certificate</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui>, <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para> Click <maml:ui>Advanced</maml:ui>, and then configure the following: </maml:para>

</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To configure advanced 802.1X settings, in <maml:ui>IEEE 802.1X</maml:ui>, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then configure the following settings, depending on your needs: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, and <maml:ui>Auth Period</maml:ui>. </maml:para><maml:para>When the advanced 802.1X settings are enforced, the default values are sufficient for most wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify when Single Sign On occurs, select either <maml:ui>Perform immediately before User Logon</maml:ui> or <maml:ui>Perform immediately after User Logon</maml:ui>, depending on your needs.</maml:para>
<maml:para>The remaining default values in <maml:ui>Single Sign On</maml:ui> are sufficient for typical wireless deployments. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify the maximum amount of time, in seconds, in which 802.1X authentication must complete and authorize network access, in <maml:ui>Max delay for connectivity (seconds)</maml:ui>, enter a value, depending on your needs.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To allow dialogs during Single Sign On, select <maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that wireless computers are placed on one virtual local area network (VLAN) at startup, and then transitioned to a different network after the user logs on to the computer, select <maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To enable Fast Roaming, in <maml:ui>Fast Roaming</maml:ui>, select <maml:ui>Enable Pairwise Master Key (PMK) Caching</maml:ui>. The default values for <maml:ui>PMK Time to Live (minutes)</maml:ui> and <maml:ui>Number of entries in PMK Cache</maml:ui> are typically sufficient for Fast Roaming.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select <maml:ui>This network uses pre-authentication</maml:ui>, if your wireless AP is configured for pre-authentication. 
The default value of 3 is typically sufficient for <maml:ui>Maximum Pre-authentication attempts</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that cryptography adheres to the FIPS 140-2 certified mode, select <maml:ui>Perform cryptography in FIPS 140-2 certified mode</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Properties</maml:ui>. In the <maml:ui>Smart Card or other Certificate Properties</maml:ui> dialog box, in <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui> or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To require that access clients validate the Network Policy Server (NPS) server certificate, select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the CA that issued certificates to your servers running NPS.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>Smart card or other Certificate Properties</maml:ui> dialog box, and return to the <maml:ui>New Wireless Network Policy Properties</maml:ui> dialog box.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a New RADIUS Client</maml:title><maml:introduction>
<maml:para>Use this procedure to add a network access server as a Remote Authentication Dial-In User Service (RADIUS) client in the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in.</maml:para>

<maml:para>When you configure a network access server (NAS) as a RADIUS client in the NPS snap-in, the RADIUS client forwards connection requests from access clients to the NPS server for authentication, authorization, and accounting.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.</maml:para>
</maml:alertSet>

<maml:para>In addition to configuring a new RADIUS client, you must also configure the network access server so that it can communicate with NPS. For more information, see the documentation of your NAS manufacturer.</maml:para>

<maml:para>To configure a new RADIUS client in NPS, you must run the New RADIUS Client Wizard. While following the steps in the New RADIUS Client Wizard:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If your NAS supports use of the Message-Authenticator attribute (also known as the <maml:newTerm>signature attribute</maml:newTerm>), in the New RADIUS Client Wizard, click <maml:ui>Request must contain the Message Authenticator attribute</maml:ui>. If the NAS does not support the Message-Authenticator attribute, do not select this setting. Enabling the use of the Message-Authenticator attribute provides additional security when Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP v2 are configured in network policies as authentication methods. Extensible Authentication Protocol (EAP) uses the Message-Authenticator attribute by default and does not require that you enable it.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you use NAS-specific network policies (for example, a network policy that contains vendor-specific attributes), click <maml:ui>Client-Vendor</maml:ui>, and then select the name of the NAS manufacturer. If you do not know the name of the NAS manufacturer or it is not in the list, select <maml:ui>RADIUS Standard</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If NPS receives an access request from a RADIUS proxy, it cannot detect the manufacturer of the NAS that originated the request. This can cause problems if you plan to use network policy conditions that are based on the client vendor and if you have at least one RADIUS client that is a RADIUS proxy. In this case, connection requests that are forwarded to NPS from the RADIUS proxy might not match any of the network policies, causing all connection requests to be denied. For this reason, when you use RADIUS proxies, you must configure at least one network policy that is not based on NAS-specific attributes, such as the vendor-specific attribute.</maml:para>
</maml:alertSet>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To add a new RADIUS client </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS MMC snap-in, and then double-click <maml:ui>RADIUS Clients and Servers</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>RADIUS Clients</maml:ui>, and then click <maml:ui>New RADIUS Client</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Follow the steps in the New RADIUS Client Wizard.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Register the NPS Server in Active Directory Domain Services</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>When Network Policy Server (NPS) is a member of an Active Directory® Domain Services (AD DS) domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the credentials that are stored for the user account in AD DS. In addition, NPS authorizes connection requests by using network policy and by checking user account dial-in properties in AD DS.</maml:para>

<maml:para>For NPS to have permission to access user account credentials and dial-in properties in AD DS, the server running NPS must be registered in AD DS.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To register the NPS server in the default domain by using the NPS console</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the NPS server by using an account that has administrative credentials for the domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>NPS (Local)</maml:ui>, and then click <maml:ui>Register server in Active Directory</maml:ui>. When the <maml:ui>Register Network Policy Server in Active Directory</maml:ui> dialog box appears, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To register the NPS server in the default domain using the netsh command</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the NPS server by using an account that has administrative credentials for the domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At the command prompt, type <maml:userInput>netsh ras add registeredserver</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To register the NPS server in the default domain using Active Directory Users and Computers</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the NPS server by using an account that has administrative credentials for the domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the <maml:ui>Users</maml:ui> folder in the appropriate domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click <maml:ui>RAS and IAS Servers</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>RAS and IAS Servers Properties</maml:ui> dialog box, on the <maml:ui>Members</maml:ui> tab, add each of the NPS servers.</maml:para>

<maml:para>You can also add the NPS server to the <maml:ui>RAS and IAS Servers</maml:ui> group by using the Dsmod tool.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To register the NPS server in another domain using Active Directory Users and Computers</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the NPS server by using an account that has administrative credentials for the domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Active Directory Users and Computers snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the <maml:ui>Users</maml:ui> folder in the appropriate domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click <maml:ui>RAS and IAS Servers</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>RAS and IAS Servers Properties</maml:ui> dialog box, on the <maml:ui>Members</maml:ui> tab, add each of the NPS servers.</maml:para>

<maml:para>You can also add the NPS server to the <maml:ui>RAS and IAS Servers</maml:ui> group by using the Dsmod tool.</maml:para>

</maml:section></maml:sections></maml:step></maml:procedure>

<maml:procedure><maml:title>To register the NPS server in another domain by using the netsh command</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the NPS server by using an account that has administrative credentials for the domain.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At the command prompt, type <maml:computerOutputInline>netsh ras add registeredserver </maml:computerOutputInline><maml:replaceable>Domain</maml:replaceable><maml:foreignPhrase> </maml:foreignPhrase><maml:replaceable>NPSServer</maml:replaceable>, where <maml:replaceable>Domain</maml:replaceable> is the Domain Name System (DNS) name of the domain and <maml:replaceable>NPSServer</maml:replaceable> is the name of the NPS server computer.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>To open Active Directory Users and Computers, click <maml:ui>Start</maml:ui>, click <maml:ui>Control Panel</maml:ui>, double-click <maml:ui>Administrative Tools</maml:ui>, and then double-click <maml:ui>Active Directory Users and Computers</maml:ui>.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All programs</maml:ui>, point to <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command prompt</maml:ui>.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure 802.1X Wired Access Clients for PEAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) profile for client authentication by using smart cards or other certificates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>


<maml:procedure><maml:title>To configure a profile for PEAP-TLS wired connections</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>Policy Name</maml:ui>, type a name for the wired network policy. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a brief description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Ensure that <maml:ui>Use Windows Wired Auto Config service for clients</maml:ui> is selected.</maml:para>
</maml:listItem>


<maml:listItem><maml:para>To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in <maml:ui>Windows 7 Policy Settings</maml:ui>, select <maml:ui>Enable Explicit Credentials</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select <maml:ui>Enable Block Period</maml:ui>, and then in <maml:ui>Block Period (minutes)</maml:ui>, specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1–60.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>For more information about the settings on any tab, press F1 while viewing that tab.</maml:para></maml:alertSet>
</maml:listItem>


</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Enable use of IEEE 802.1X authentication for network access</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Select a network authentication method</maml:ui>, select <maml:ui>Microsoft: Protected EAP (PEAP)</maml:ui>.</maml:para>
</maml:listItem>


<maml:listItem>
<maml:para>In <maml:ui>Authentication mode</maml:ui>, select from the following, depending on your needs: <maml:ui>User or Computer authentication</maml:ui>, <maml:ui>Computer authentication</maml:ui>, <maml:ui>User authentication</maml:ui>, <maml:ui>Guest authentication</maml:ui>. By default, <maml:ui>User or Computer authentication</maml:ui> is selected.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Max Authentication Failures</maml:ui>, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To specify that user credentials are held in cache, select <maml:ui>Cache user information for subsequent connections to this network</maml:ui>.</maml:para>
</maml:listItem>

</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To configure Single Sign On or advanced 802.1X settings, click <maml:ui>Advanced</maml:ui>. On the <maml:ui>Advanced</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>To configure advanced 802.1X settings, select <maml:ui>Enforce advanced 802.1X settings</maml:ui>, and then modify — only as necessary — the settings for: <maml:ui>Max Eapol-Start Msgs</maml:ui>, <maml:ui>Held Period</maml:ui>, <maml:ui>Start Period</maml:ui>, <maml:ui>Auth Period</maml:ui>, <maml:ui>Eapol-Start Message</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To configure Single Sign On, select <maml:ui>Enable Single Sign On for this network</maml:ui>, and then modify — as necessary — the settings for:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:ui>Perform Immediately before User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Perform Immediately after User Logon</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Max delay for connectivity</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Allow additional dialogs to be displayed during Single Sign On</maml:ui></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>This network uses different VLAN for authentication with machine and user credentials</maml:ui></maml:para></maml:listItem>
</maml:list>








</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>. The <maml:ui>Advanced Security Settings</maml:ui> dialog box closes, returning you to the <maml:ui>Security</maml:ui> tab. On the <maml:ui>Security</maml:ui> tab, click <maml:ui>Properties</maml:ui>. The <maml:ui>Protected EAP Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Protected EAP Properties</maml:ui> dialog box, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Validate server certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to specify multiple RADIUS server names. </maml:para></maml:listItem>


<maml:listItem>
<maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your servers running Network Policy Server (NPS).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This setting limits the root CAs that clients trust to the ones you select. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store, which means a server certificate issued under any of those CAs is treated as coming from a trusted issuer. </maml:para>
</maml:alertSet>
</maml:listItem>
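<maml:listItem><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>, so that users are not prompted to trust a server certificate that is incorrectly configured or is not already trusted.</maml:para></maml:listItem>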

<maml:listItem><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Smart Card or other certificate</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To enable PEAP fast reconnect, select <maml:ui>Enable Fast Reconnect</maml:ui>.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To require cryptobinding Type-Length Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To configure your clients so that they do not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and then in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty.</maml:para>
<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled, and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui>, but do not provide an anonymous identity value, the identity response is @realm.</maml:para></maml:listItem>



<maml:listItem><maml:para>To configure PEAP-TLS properties, click <maml:ui>Configure</maml:ui>, and then in <maml:ui>Smart Card or other Certificate Properties</maml:ui>, configure the following items according to your needs:</maml:para><maml:list class="unordered">
<maml:listItem><maml:para>In <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui>, or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>. </maml:para></maml:listItem>
<maml:listItem><maml:para>To require that access clients validate the NPS server certificate, select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify which RADIUS servers your wired access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to specify multiple RADIUS server names. </maml:para></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the CA that issued NPS server certificates on your network.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To prevent users from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. (Recommended)</maml:para></maml:listItem>


<maml:listItem><maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>Smart card or other Certificate Properties</maml:ui> dialog box, and then click <maml:ui>OK</maml:ui> again to close the <maml:ui>Protected EAP (PEAP) Properties</maml:ui> dialog box. This returns you to the <maml:ui>New Wired Network Policy Properties</maml:ui> dialog box. </maml:para></maml:listItem></maml:list></maml:listItem>



</maml:list>

</maml:section></maml:sections></maml:step></maml:procedure>

</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklists for NPS</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Checklists for Network Policy Server (NPS)</maml:title><maml:introduction>
<maml:para>The following checklists provide the steps required to deploy NPS as a Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure NPS for 802.1X Authenticating Switch Access</maml:linkText><maml:uri href="mshelp://windows/?id=b607dabd-8eca-41ab-9953-ea2941a90154"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure NPS for Dial-Up and VPN Access</maml:linkText><maml:uri href="mshelp://windows/?id=4cd859ba-2651-42a3-83fe-95197ce38a5c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure NPS as a RADIUS Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=ff35a554-2006-442d-a8e6-bf05d33ff1a7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure NPS for Secure Wireless Access</maml:linkText><maml:uri href="mshelp://windows/?id=74b6dbef-a26e-48ef-a26d-fb33e4e7730c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure Network Access Protection (NAP)</maml:linkText><maml:uri href="mshelp://windows/?id=08ce0e6b-93f2-43b5-b1cf-8e2454cd5272"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Access Group Policy Extensions for 802.1X Wired and Wireless</maml:title><maml:introduction>
<maml:para>This section provides procedures for activating and opening Wired Network (IEEE 802.3) Policies and Wireless Network (IEEE 802.11) Policies, and then accessing those policies to view or modify them. </maml:para>
<maml:para>If you have already activated the policy that you want to access, you need only to follow the procedures in the topic <maml:navigationLink><maml:linkText>Open Wired or Wireless Network Policies for Editing</maml:linkText><maml:uri href="mshelp://windows/?id=77f4d1e3-4766-430e-9f78-82364b35d225"></maml:uri></maml:navigationLink>. Otherwise, you must follow the steps in the first two procedures to open the correct Group Policy object (GPO), and then activate the policy, before you can open the policy that you want to access.</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Open or Add and Open a Group Policy Object</maml:linkText><maml:uri href="mshelp://windows/?id=f45775a5-af6b-4b71-97fb-8fafd5277b30"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Activate Default Wired or Wireless Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=7f441bba-13e0-4676-bf8a-bb410c50d91e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Open Wired or Wireless Network Policies for Editing</maml:linkText><maml:uri href="mshelp://windows/?id=77f4d1e3-4766-430e-9f78-82364b35d225"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Access Permission</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Access permission is configured on the <maml:ui>Overview</maml:ui> tab of each network policy in Network Policy Server (NPS). It allows you to configure the policy to either grant or deny access to users if the conditions and constraints of the network policy are matched by the connection request. Access permission settings have the following effect:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Grant access</maml:phrase>. Access is granted if the connection request matches the conditions and constraints that are configured in the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Deny access</maml:phrase>. Access is denied if the connection request matches the conditions and constraints that are configured in the policy.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Access permission is also granted or denied based on the dial-in properties of each user account.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>User accounts and their properties, such as dial-in properties, are configured in either the Active Directory Users and Computers or the Local Users and Groups Microsoft Management Console (MMC) snap-in, depending on whether you have Active Directory Domain Services (AD DS) installed.</maml:para>
</maml:alertSet>

<maml:para>The user account setting <maml:ui>Network Access Permission</maml:ui>, which is configured on the dial-in properties of user accounts, overrides the network policy access permission setting. When network access permission on a user account is set to the <maml:ui>Control access through NPS Network Policy</maml:ui> option, the network policy access permission setting determines whether the user is granted or denied access.</maml:para>

<maml:para>When NPS evaluates connection requests against configured network policies, it performs the following actions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the conditions of the first policy are not matched, NPS evaluates the next policy, and continues this process until either a match is found or all policies have been evaluated for a match.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the conditions and constraints of a policy are matched, NPS either grants or denies access, depending on the value of the <maml:ui>Access Permission</maml:ui> setting in the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the conditions of a policy match but the constraints in the policy do not match, NPS rejects the connection request.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If none of the policies has conditions that match the connection request, NPS rejects the connection request.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Ignore user account dial-in properties</maml:title><maml:introduction>
<maml:para>You can configure NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the <maml:ui>Ignore user account dial-in properties</maml:ui> check box on the <maml:ui>Overview</maml:ui> tab of a network policy. Normally when NPS performs authorization of a connection request, it checks the dial-in properties of the user account, where the network access permission setting value can affect whether the user is authorized to connect to the network. When you configure NPS to ignore the dial-in properties of user accounts during authorization, network policy settings determine whether the user is granted access to the network.</maml:para>

<maml:para>The dial-in properties of user accounts contain the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Network access permission</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Caller-ID</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Callback options</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Static IP address</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Static routes</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To support multiple types of connections for which NPS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required.</maml:para>

<maml:para>For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a network access server (NAS), not for clients that are connecting to wireless access points. A wireless access point that receives these settings in a RADIUS message from NPS might not be able to process them, which can cause the wireless client to be disconnected.</maml:para>

<maml:para>When NPS provides authentication and authorization for users who are both dialing in and accessing the organization network through wireless access points, the dial-in properties must be configured to support either dial-in connections (by setting dial-in properties) or wireless connections (by not setting dial-in properties).</maml:para>

<maml:para>You can use NPS to enable dial-in properties processing for the user account in some scenarios (such as dial-in) and to disable dial-in properties processing in other scenarios (such as 802.1X wireless and authenticating switches).</maml:para>

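<maml:para>You can also use <maml:ui>Ignore user account dial-in properties</maml:ui> to manage network access control through groups and the access permission setting on the network policy. When you select the <maml:ui>Ignore user account dial-in properties</maml:ui> check box, network access permission on the user account is ignored. This applies to an account that is set to deny access as well as to one that is set to grant access, so for connection requests that match the policy, the network policy alone determines whether the user is granted access.</maml:para>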

<maml:para>The only disadvantage to this configuration is that you cannot use the additional user account dial-in properties of caller-ID, callback, static IP address, and static routes.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual>GIF89azp,z0444888<<<@@D @DD DLLLHPL L0L$P(P],Ua0Yie@Ymi4a8a8a<ay@eq@muHm yLqPq(}Uy0Yyq8]8aae@ieiD miƾ$$q(P,uʕy0Yu8}@ae΅H҉P֍uY]a֕ځiڅ֝m quޥڍy0ު@ޅaq}ҍ֕	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛
(Sȝ$S@
화RCJzϣ"ZJ҂V~mخh*)TarOo5^j75KV+۲+^0YXN8r䲖;{91cO&4ϨSwtlޝVOMd̶{}f})ȓSVZz4ض|L8d망VpR؜MϽO/-Wm<CLJnnrnESǡ[nsv'	s
fؘw(t(K؍hTq0c+K@"Gc2x,CFxOjءP֐*$\V=u@T\pZH ^DBo|S]b* Ζ\)I%3'nam`uR4'"#(O(y8]Ċy㊟J
9Ā6VaG%]YEcfQM&,[~%8k4iʩ'p30**򹪙hGB{zk8į1Uj|ML'6<BZ{Zi\l	mV.>=r+.L4p84l1-J̜BJ_jE!&p'.BddgA.V=e03ڌ-B7.U3b=DE]=;;ϨxNMXׄ QL<i=z05M5xw^\2ݱպa=Tⲗ($q>7Lr
TTΖؓ]9iSU@pw?8
O<s?ԘOֳ"ݣ]K꧜HGWrb~3
qw""2`cs.	
F(>$cSA2 @hTq	@0J#=PP(#bs! pĝdPEJ_Ş^lFD+&;`=DQ}CH,"[FV؃PG4	
]$1}P"PKVĩ22&&I[ 	y	YDd9l\R)I~UR]6Lr@ tT(?bgIˊOX>	2]h>!{xOfR0.(qMt8OrZĀ;96
@cJ{]4ic"C=BJ<(AR[D`CN(9-*e	GϮ=NIc}Kg˜tTiO訡]y:	
*KXSUDHRRъ|Kθ'SN\+*>[ZQq⻂]""$aW;U	M܁k\!lZP)15g
FЇ
wDqr(Fz3y6AkJ$ȢHlrS܇9	P>H_va@{4Cjo'4!X-pC!"4\ճ^}ia؄$%-Du`pq|`E<|e5䥊y
X @=A{pE tAx`-0{l7>NzhCƎ$OeitVF偠
GHeFØ\3 >e>g	"G4<O=G)jAZָεwk]G d@R赲Z!әf?*[Cn{MӠv.Xj
e!XCy`Z'*SNp;~A#
#K('N#jieٽW GNrrAws[nvDfl7B1qXY?ıᦔɸ-ic֧8}/mr2Djf9_.r{Xp>>@@WBt7YzF]^.5mu`qARy)A(ϣrNE^[8|3DqJs=E8lC
z1`)!=a0;agWpWK<0+|0
5p\PыN`Wޱ8

>BLxzׇ}Y}{~2~Q~H0d6|T|6Q`
۠qOp=Uw^vzI7`d	=}.7{0{kig|@
j UDGR&*hF$	B\=Z`Tx2'p	7	ASPCP1$QP٧pƀ&H`<Af~7pƵ ATDeoG~.``Q ƈ'NP#EP)gHh7!
bP
`v&q郊(&V=a/-!JV?CS#M@	aGXvhwǍo&x"
8c28 mʸ_7AeqOxu!	"c3o`O8C+ 6hQԃ
fz[@
Y=dp8iN:!=iE9y00IDא+Br(V@&@@`c	~g!4&m0`F<8
qY#7CBg99//`
 	bU	$3&|`89i
cDQ@+09И"2YH"9ٹB>+0T%
=gdӲYCe93$@`#0?19b
0]@)qܸ:U@0D	ʠX b'+.,`0{@dc6u-ڣ&r6ڝJ!`HLZVu b^W-ڗ(hiڦnpr:t*Sx=ħUJ!s:R,&p&C,ibQq ˡwڢr; qѨaQj;z&;#,S 
:*
C+ꪨ%-UҩʪRjĚqzJ,
'ʪ

ݪ::ʫ*:Ɗ顬9ݡjz:q:ŲJۧ$&ګອ
Sbk *0:J**R#ߡ<{*˯۪j:{7EZڲ
5z:88[;zڳđT+"i{k2*3|k°볡cT遨*۴Ϛ2K±fky
%"[{s$_9 R u; (3Ḣ+벎0	C5;7=6{;n¹k%S.nQR+-(
;?%#<̵
 q
 k/6K/89Q<VR ,/<i6 }J{r<<9sC´;#!3RC3M̾!+3lK˽%#Q]ޫ°,(ÁU;‘6K(+TۿC25,7A[8BsSS[j)j,r<67lgA,ɫǃə<g{ʂ*{ {ܨ)LƢ\<\|؜ڼܫ\l6뇾+)kkr¼=l0"6ށ)Ĝ,<ALǝB:,#3lzŴ/Ȁ\sʽQ)W|ѐ9r/[;o+иa!Ϭ}6?AHlY;Ǡ{Lxlԣ3R¿ۿ;џ!e2`,ԕ㛽s\ױ"-D=Нm#8cҖ̿(4adf,jpTMr3[mÒl]Js!칊*M}ȝʽ'Q{,[]k]ս|Bm?ѹ}Ӹ]OZ;Vp<ЇmހƝ>*}ʒLʅ<?
L߳~ ޼$N;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Connection Request Processing</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>You can use connection request processing to specify where the authentication of connection requests is performed - on the local computer or at a remote RADIUS server that is a member of a remote RADIUS server group. </maml:para>

<maml:para>If you want the local server running Network Policy Server (NPS) to perform authentication for connection requests, you can use the default connection request policy without additional configuration. Based on the default policy, NPS authenticates users and computers that have an account in the local domain and in trusted domains.</maml:para>

<maml:para>If you want to forward connection requests to a remote NPS or other RADIUS server, create a remote RADIUS server group and then configure a connection request policy that forwards requests to that remote RADIUS server group. With this configuration, NPS can forward authentication requests to any RADIUS server, and users with accounts in untrusted domains can be authenticated.</maml:para>

<maml:para>The following illustration shows the path of an Access-Request message from a network access server to a RADIUS proxy, and then on to a RADIUS server in a remote RADIUS server group. On the RADIUS proxy, the network access server is configured as a RADIUS client; and on each RADIUS server, the RADIUS proxy is configured as a RADIUS client.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=6abe5f5f-c467-44c9-b3fd-55b8cb7e16a3" mimeType="image/gif"><maml:summary>RADIUS clients and servers</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The network access servers that you use with NPS can be gateway devices that are compliant with the RADIUS protocol, such as 802.1X wireless access points and authenticating switches, servers running Routing and Remote Access that are configured as VPN or dial-up servers, Remote Desktop Gateway (RD Gateway) servers, and other devices.</maml:para>
</maml:alertSet>

<maml:para>If you want NPS to process some authentication requests locally while forwarding other requests to a remote RADIUS server group, configure more than one connection request policy.</maml:para>

<maml:para>To configure a connection request policy that specifies which NPS or RADIUS server group processes authentication requests, see <maml:navigationLink><maml:linkText>Connection Request Policies</maml:linkText><maml:uri href="mshelp://windows/?id=418638e1-e88e-4b59-853d-ae16fc589bd9"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>To specify NPS or other RADIUS servers to which authentication requests are forwarded, see <maml:navigationLink><maml:linkText>Remote RADIUS Server Groups</maml:linkText><maml:uri href="mshelp://windows/?id=689390e0-760d-42e8-a894-78749558a626"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual>GIF89aIp,I04488<<@@@DD@@@DHHPL L$P(P]a(UaeeUUU0Ye0]4]qi8]8au8a<a4e@e}q}@i@iuHmHmHq yLqPq }$}PuDyUuUy0YyY}]}}}}aae0Ue@i@ii qLquu,y4]}<@}]΅qL҉ΉґmҍUu֑֕a֕ځ֮mڙޝڡuڥޥ╾ޅ޾ƪή	H*\Z#J(Ë3jȱǏ CIɓ(S)0cʄi͛8sɳϟ@9BrѣH*]ʴ)NJJի)bʵׯ`qj
KٳhM˶۷pGKݻhkRZZ;+E/d6
D&&>5B1!@qiHxbT{xDv_(ȃgGa1  4DK8㤬~ F1愚W3Z%"ܝ9f
z*hMl^WfXP[y<	G
D@ (QB5X]Q*C}~}A\xBS+wU;H=N:Jg"#@#`sOu%$$D
tsO$2`;T3,7&i\t
q60=eg|)(QB8|C̋1	!+\
?)cn_pdO2L)l[j/j+'	3|s̖]ʘ3O,r>z'쓡3$<%<O7c:R`>bI$(,</R"3O5z@dIB#8Q6{/|c
 LP1ܓqVj#x<kLފHr<%8@A=h33.j?X`FX
>$>|b)#=Sz|3.k¦Z$,c0<0,I0N,5>wW̢13G2wLTG6 ۷J>spS/tM'd"GGq,T'}>،B1(Kݑ3ţLÏ:lCLC1
06;Q|PL
 6,w M-es3$Hx txFvx[І_Yr;	rZ4эHx<Cl>@8"#%Cb%teCЅ	X Ōo
Ub42)ah@;@cA*$5A5&L)`N\a;:"+ԝX	1<.CC,\R."FM,M?AIKbr4I;>8ʑcSB6q[jw"`+@0W:I$0o*0	6=`(F*d* LW(6pxZ/QHH:QT?Lg~Bh8?!0BpwJ2(C2Pi@Qa;8=YU⣯XET
D/(QД|Ҡ&Zpvl!NN0gI֛Tl$Jaʂ$  cC!OEl hKץvӭJ8Zq,H$ xؠL)$;	kkAqV+dq> q\l-wFv/zjDF\=-GN[u=ߚ:VUqDoF[ؓ ^B];xG؁xX&rbB.}iEތ׬/cGS 07%Oq9]~kKX 2ya
1Wb {|߅q+Gy-c#xP%%yh!,`dFN,`VrnSeጌcbC&`@|8h@:BA
͋Kdkc Zv @}1kq!`ȥ3)*ceQa)'+wx큅y֚댸)1q,J5CM@(DTcnqyHڥ(p4yXoEP/v\FWT'};R+0.x~H$p \!@xDȻDKAčx^3";ԁafA̎+B6/e~9r@b`oa72u@otqp6H6:?/࿘~w7\A*R!<66z,	B2`yZJ6$@x'
yc-0
߀sq@yo*bszcbpZq{*@m/t0GLpq|QRŷK4s|h}ߠ6
q+g-'p~W7w77wM1Pj%
gpGJ0Ĵj$fIjWx2vyaҀrߠk}G&IThzPwM@&9TX{	0	@#28|c2%T'B
`H#(wdV2GLep
ȅ!
x0h-pĔpHBHhx7ly(hWO9~8>WGsPoxp |?1!U!q巃MW	
@(xPPV@	Pp`\`] q`p1YB 
PF29ш8p3Xe'A
t
&ƅ#@=Xg]
hTG^8h*!Dc8c;V&0B r{Qx,G	7H%oYop
kd])p:sˠqGjx`uF
š
P#	Bf[qR
`
fSiIX^KLuq3RY;(IYe@=yM $	dC(Ub:Y
Ay00^Hᛂ
c`:Р a9x 0driRib1l&ajS95&cE'
"*G0G6P	I_"ZhCYC	S(C  9$.8a@
HH|
a`Y@
P6  k樍r
Q0ܠ/	M q9r`)>Cq90n<$Y)UL*7SzPhk.2Z)Zi:uj9Y#Gű8a``eF1溧}I8Z
a1kP,תPi9-xc&Q=EqMʝKQqa)S_k:'pasؚh)q)@}`J^ 
P5ZAA!
M6
[
Py	9٫> o)QY^%76fc&{I*
۪Da;xh>
(^0
N,Mq‚&"% P;Av2{_/
Q`Bp
{V`"6VZ+x* @
yГ{{[kQ*@pxq#a
0y0*#S,T.ZH<!;?`7¥a&A n_!Oc(*…(8_y  D^j]?@9L\țYOL!ܛ'OR91GL8m<o^qs,)p|}|\p>8QA)TQ;qJ6Ʌ1,HaXwĴLul'N`,v̱Lǜ hb0[@p#4ipNa=ͯŜ0`
q=`/P,~\Q)l}N0'>jP_A71'*A].E)q~p'Жl}/}13F5{ӑL HO%$A
QVpr>>Si&Lem352<!
 	Ӝoy]-  FҁM3Mu!A~p	ց{m>$Dʛ}h-؟
gmN:jP a
`
)00[)ۺmփm-0!q`}	NPaם=۽5~Obi 0^PHݸ=8Q Aڥj!-)pK@11
4>.n=n֝9YmN>6Z.^-CJ~+/bpޓ&]pTbfLQVu;vNJ}^ ^r>>^	t<T^F*>
q@Q>Ț.w pbp!PCM9ЍvaD+)@2NxNN
j]])G<q@O@>ój3@13ԾvFr١~^*:='@~+5lQ/ϼE ž-7@1>Fa$s~>c*qPM?AHn<QWe/ Nxʭ"5f/c`FQؾ\ 3bP
ƀ
XM[_gp2x_ao9AQUᘒA9@2b0lz/y
|P
qxE¯f1BY~oo?Qb
JK|qVҿ]+ݟ)6QQB;i0e>ޏ-OF=~RH),)Qʔ-]liJ@SN=}IӥM?B@w >
?T_"T<1V'a6gК7ŞEVFCͮ
a{ޅm;T^_%<mK?qqƑwH/^YKj^o-5鰓KVf[6O$a.Hv;>H}4u{ytg-Z4
gNh߹<es.^~!hf LsI#p@/AZMt)Ӈ",$@ѣ=D}:A7Ĺ6G`EDDiD2"7:2qGuIg$MbI,$:2L%d̴@3)7%@R$!}\R&ij-TxsMRO>RQ3/c폝4ȡЯEQ0#OBF)}(8CsQCY		}PF(z`Mt[kX(ex}ve2lX-$GeTYJVPn%}`b|XU\1Eogzf>G~j/@{KW++4şi΍Hi~M(H`BأAbc}Ly`,ǟy)f_DrLWhEf![TFiY"hoXN$_bZAS
NbZ9ki'
o陞j)pFKUs|Mg0qeE]BD&1PARxa'bYLfkWu__Q14'J'lJڱ")ŒWT{#S|U8򅕕"@+HdY@
GN/ه`!x<>"<@X>CB S*dQH# 01v'Fqa	9wGKNDD1\L)GD\G1|p#ɘ?4972_P<*BdI,1yL	)5*҅(;2SK)7HfHS"H4Җ*/cL#p']&2Ĝ1=Lgl4#͎P7ӸE2%@:Q5l79Nwpkg=CfFPL>|
1D<7BOPICA(T#4ҝPEg8'EiJOkEӱ?0Z;@iDP:T,=MNLg#xY>`
̲VH$ aCd*&{k*WQS0mH#(œBG%ZWټL@ʹ˯n${"41T0q@]EPnDw4Q -feǁ4 ="C	O㇔@gt2V6qe`@:_0;@v_#9@Ŭ=_)L)Pg-iaUkOx7qyP#^/zC`ȗVn(PxqKИ0yGGq؍g_ŕqG%ƎQ_{i؇fSnFl%9&#aBVܒ1bLt9>id&Έ}H<@ѐFzP,yҏ)sG08) "D@Se<g12"Ig>:*
e0pY:aRyB1Q	|skrfG[f˾w^ϻ/Ajdvx-Xu!S'؏1ZMlK<?,Y?Vx"r!HӶ"b;6?ĈA/Hey_֫	
_yxb*[\<qpq?[{zjOD2r#b=y.5y"<#|%?f!i^x+vN	C^.n߽|9z"wCv7C.s K|Nxϊ5@0/ƭx3<aDO'0c@=^tZ/zk0 5\q?`#@2[S<:+:&pc8hK>s:K@zz{PJFX`!(0kc8ԉ'?}$ C@;
9 ${=TAh33L<T8*Ȃ&̾4D;KC3D1<	̰+8BmqP B$%R'|'ć7ݚ A˂QE;\ĐC<SSC0DJ`G8!8<hGTHT(EKl@0,.oxelؿOx6Y$E1{U8ȣhyń&88BZl+0<#:ŞŴEqra<u`VeFo(CƅlDnȖH$1/`z9?yThvwQlC	H5I3]{6$\AHDJ@atPqʉt-*8S|BɬTuӇ?'bcxT&ԁs(KHI:Ǡ:7D;XʳEv('|Jd=̐+tKeIyJFIɃAcFX<~@8hGֱɠK]8tp{ǡ	XL(HX(<LJˤHL#GLK<?(K$|O`@4CM
@pKЄNLI[ǰR
+8HJN$NGx+x|b<ʀJAlJ5;J2LlTN4	%U((-PhLNGPtS/55Q/dLDC=1
;
hcHS8dKc_M$j@	ESw4:D;{`RET1iΰ(Hgl:N
]S>X42?kHmF;-2=8=MU#SKF~04ʽcxH]؆]@

=:
-ax'̄.Kf3^3
$S?եp}p_U5Qe>ǟ>} GHЄh9]?TohiU7-,WM}(dcXT0yUs_XUh5x~}U.Ձ]O]Yq8U_hm,%X<mۮX}8ig $?Ї{`((+mַ-}6L(^t]WV`]h؃lQM!;MJTU}ԆY`~-UܾN}Ȁ0۵X8X\%DTjKm'[\pEܟ	T}}(:20ͭٳף$W,$[e><̉
]k0'<UZ2>݆eݳJd<ӧCf?Q r9}G^e8oüSӜ=C0N(u\O86P	;_CХ`gm]>ߣ(?NZ	01]m|`+Tهwp?}Mӄi~˂w\x<R`w[RJ=;g³`xbhLm)PnPi!	bbNeo`Wx}ЇT0ze$=0
5߃!NdDX<h58Ȅ|BXdr/ӎ,Re.>eM]~	-,؇}g!pi9ރ[00}Uw`/Tw8`IP|;@D@}HY}+JGH+En/Rgvh`xIX@5>mHv
 (؁bDS&bf6Pw`Ggd6ULRv/xrv[:ҝ8PK`=`wà8:G@C*&N&	LT6`F#=2kYFQgnPlD~y@wy@jBH3h&&d;k80PB85=V.mmf+ƓG@+xMЈz؃R8K^C@8Ȃ%&Ӧ=vxʤk18f0mWﴚi,xȇgx]K"=gcnwpHwHTpp)IhabǔoLj0ם	)[`6w76&
Y0d/@hLn^o֚<%<=3>ݱK}*rs1l(pf@tyy/P7
3]NsYZusbd1B• s"@%d'agv+WGhgev@1v@oߊ2^(\~twrYSSwPz
\2-ךKɼՙ~.)"@~w&2xBw1ZxO,חK'ݹoҝ7yvɩQf%rqw'%%4'6n</(@PZap!ovG.WG#'nG{Hѯ97SXxa׎6.Xu+qbt/8#gZēOw'=aGO'ӯ'j.$w'٧}{G#O'ޟ߯G''wzro~.~ao~l~~%
j*?~lZgj7O,h „M	!Ĉ'R,H7rܨBEǐ"G$ʔ*;:?aҤy1c͜$?鳠ɟB*lIṭJ\ ϧR7juѫ	j]ڴШ`J Ю6[m}K2Y\D.l<31Ȓ'CXsE-o޽sb5زgӮMwZfK&hX]bV&0ҧS#B
s9𓿇'O\yhѣO3<|_
R>yOxqq^j
w`DT
Yz%wzv{: Az8"d
waJXi!mHV#@"`c][uy]j
Z7G@6_KXE:(9%xMb`Ie^U^	&fZYS]}y&Xbf^f¹ιw%jH v&v9U|DVVk"T(|BD^%GUjm&dir*ƵbA@2+0
`G+
;,{,*kZJ;-ZK-N(!qmBo80.@õ.@ϖ@ﴈןqݦCzpBc@"	LZÓ*̰@gf<0qJ2@&YAx3,
*`x󒜎1l]C'-`!4KTk[;i595앭'@mS"qMSw8wuɀ/w~~Fy#V8)y^+<6nOXjdN槗
t3.U;>;T~<Q/>?|μ:=<M4]=ͽ+}/zM({;%-
4s>翭o`g@pA@5pgAUpه:' —HCb
f@Zƒn8
qCO >ÂX!w4x0t	V"xUH1"L4HiERBfԢ5/Zĉ	<H(GA$@}TL`y@^K#$vg	18d#
d$C5x&i
l0؜p DD)˭6 >Q yMp/]C/K&k|
(9I|3`ʂ<5\ZIWX-p˂tR@̂Ӆ' tyf4Wೠj6
2LQ!
*Q::
Kx$h BpMTp')0!,<p<Y]֔%<I`Ax]zJGRiB6=G(TD=V]Z	Uz<jT54%.gTAKG`:TUpehBX)W-}l`S	l$},Y.#,=+1@6i$oG3f-t?{ 
;;\G>`5\4]vcrQfZzq(C0y7i5J6>QK۠FK*d4XJG'v"
0`CX>2Lb_A:1	Y@12IC97\_xxﳏ:1;bX*WUA5q
OrDlaC/
'o4>K7eW`tr
b".s,d5"<6H4&Ǝ;b?c@#DPvfN4qFPHKXǨK;wKx%U6Τv8}Qӱ$[;ꡈK{ؿJaSln]Bg&0W܃.ÿ}}4߀ִSLDb*ҐBJ;;BH4I(>Q]̀nG{,0bM`?wj|)8×z.
^%SU~G,l;y=Byյ2Mo<G
t~~b^8-.˨?ȇ:]uC:ƇCi|yb(׫}_46#|=#p_~1ۖpDZ{	j'?c^pFKy(Pѕ wDϧIpD9a?#iAx,\/؞\i߿6tØ8])8A-PTA@A4]
A)<B<_`޿^_5;hQ#
kk	@C7(_
v(,R%L#*-a|<aM]%ă/$l 'zeņtdA#% m"v'z"
(!,l@,Fvd`98b&"#8X#Cہ?Lo|#8҆<mC"5[8#mXC9#A=2z36㻕#\LD#F]e;r"tcl!,(c*:$
d#,<aH!lXT/#'#,;""B8L
@C,>L4Y`	"K<	G"!HJdaSrlLNe$N3dPnM$MRFDT~UHJ&>@X$H֙jcZ	eTdd¡&LKXeY$c$0NEf[jXpkNpfeYPx,Hia%jE'y@3flmBD hP@3Bu&o&s~TxT'i&b-sE2tV'l[j'e&$Y]~
n^&(&1D','jZ`j'uXdu(tf6
[9tA典~((?IIA'&Ё9ѹhuvnY(9[YUC@֨9X)aSh(z&<S=&)x,85fM)9J9#35)*BTT
4C4C|biOii/n
t<i^=f24>rQ*XC4Tg"Z}ЩC&T~*9(kx@r1!39dB.દ8B)$	yC!Xt°[4#dny@b8HkP;0BHݳBUb)\B<.4S:"a:°UÎWy:BBk]12֍<B\ق`=*'cȲ>‰N
lX음)-Hc$>-FN-V^-fn->g4J: &DD Gɫd̏rDݶBmڭ-FKȠİǎnHmHȸ
r̜ͤZHRn
ٞf.[l.-Nm,nJLq.$ z*Nnp.hJlTܶJ&yJ-
/TmF.oΠ𒌦og/oLDn//
oF&H/+
R>?/SZĬ

ʌ3o
fn0v.Jn0#7q?1W[OqGTrf/0wRnF1.
[c.R
so. !.소C2*~/soZ"E	p%O`L/8Ԏ2*q*'p$SoNĭ"].<*p+_Ʋ;o"s'rr
p&B.O	2w*o5%_/W8˲*<	Cs
+,.sMq8ðsS0?4DGDO4EWEC_eF3Gwt
	4A-2tނt$3[(2@4"KLϑ&7;3Ni%O;3P 3Jr,s~4TTOU?E@;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>RADIUS Server</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) can be used as a Remote Authentication Dial-In User Service (RADIUS) server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be an access server, such as a dial-up server or wireless access point, or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A central authentication and authorization service for all access requests that are sent by RADIUS clients. </maml:para>

<maml:para>NPS uses a Microsoft® Windows NT® Server 4.0 domain, an Active Directory® Domain Services (AD DS) domain, or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts. NPS uses the dial-in properties of the user account and network policies to authorize a connection.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A central accounting service that records all accounting requests that are sent by RADIUS clients. </maml:para>

<maml:para>Accounting requests are stored in a local log file or a Microsoft® SQL Server™ database for analysis.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following illustration shows NPS as a RADIUS server for a variety of access clients, and also shows a RADIUS proxy. NPS uses an AD DS domain for user credential authentication of incoming RADIUS Access-Request messages.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=168d7bbd-0b7a-4371-b0a2-25a737a3e4ef" mimeType="image/gif"><maml:summary>NPS as a RADIUS server</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>When NPS is used as a RADIUS server, RADIUS messages provide authentication, authorization, and accounting for network access connections in the following way:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Access servers, such as dial-up network access servers, VPN servers, and wireless access points, receive connection requests from access clients. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The access server, configured to use RADIUS as the authentication, authorization, and accounting protocol, creates an Access-Request message and sends it to the NPS server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS server evaluates the Access-Request message. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If required, the NPS server sends an Access-Challenge message to the access server. The access server processes the challenge and sends an updated Access-Request to the NPS server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The connection attempt is authorized with both the dial-in properties of the user account and network policies. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the connection attempt is both authenticated and authorized, the NPS server sends an Access-Accept message to the access server.  </maml:para>

<maml:para>If the connection attempt is either not authenticated or not authorized, the NPS server sends an Access-Reject message to the access server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The access server completes the connection process with the access client and sends an Accounting-Request message to the NPS server, where the message is logged. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The NPS server sends an Accounting-Response to the access server. </maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The access server also sends Accounting-Request messages during the time in which the connection is established, when the access client connection is closed, and when the access server is started and stopped.</maml:para>
</maml:alertSet>

<maml:para>You can use NPS as a RADIUS server when:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>You are using a Windows NT Server 4.0 domain, an AD DS domain, or the local SAM user accounts database as your user account database for access clients. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You are using Routing and Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging for accounting. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>In Internet Authentication Service (IAS) in the Windows Server® 2003 operating systems, network policies are referred to as remote access policies.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Network Policy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) uses network policies, formerly named <maml:newTerm>remote access policies</maml:newTerm>, and the dial-in properties of user accounts to determine whether a connection request should be authorized to connect to the network.</maml:para>

<maml:para>You can use this procedure to configure a new network policy in either the NPS snap-in or the Routing and Remote Access Service snap-in.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Performing authorization</maml:title><maml:introduction>
<maml:para>When NPS performs the authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy, and then moving down the list of configured policies. If NPS finds a policy whose conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If the dial-in properties of the user account are configured to grant access or control access through network policy and the connection request is authorized, NPS applies the settings that are configured in the network policy to the connection.</maml:para>

<maml:para>If NPS does not find a network policy that matches the connection request, the connection request is rejected unless the dial-in properties on the user account are set to grant access.</maml:para>

<maml:para>If the dial-in properties of the user account are set to deny access, the connection request is rejected by NPS.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Key settings</maml:title><maml:introduction>
<maml:para>When you use the <maml:ui>New Network Policy</maml:ui> wizard to create a network policy:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The value that you specify in <maml:ui>Network connection method</maml:ui> is used to automatically configure the <maml:ui>Policy Type</maml:ui> condition: </maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>If you keep the default value of <maml:ui>Unspecified</maml:ui>, the network policy that you create is evaluated by NPS for all network connection types that are using any kind of network access server (NAS).</maml:para></maml:listItem>
<maml:listItem><maml:para>If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify.</maml:para>
<maml:para>For example, if you specify <maml:ui>Remote Desktop Gateway</maml:ui>, NPS evaluates the network policy only for connection requests that originate from Remote Desktop Gateway (RD Gateway).</maml:para></maml:listItem>
</maml:list></maml:listItem>

<maml:listItem>
<maml:para>On the <maml:ui>Access Permission</maml:ui> page, you must select <maml:ui>Access granted</maml:ui> if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select <maml:ui>Access denied</maml:ui>. If you want access permission to be determined by user account dial-in properties in Active Directory® Domain Services (AD DS), you can select the <maml:ui>Access is determined by User Dial-in properties</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To add a network policy </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the NPS console, and then double-click <maml:ui>Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Network Policies</maml:ui>, and click <maml:ui>New</maml:ui>. The <maml:ui>New Network Policy</maml:ui> wizard opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Use the <maml:ui>New Network Policy</maml:ui> wizard to create a policy.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Open or Add and Open a Group Policy Object</maml:title><maml:introduction>

<maml:para>By default, Group Policy Management is installed on computers running Windows Server 2008 when the Active Directory Domain Services (AD DS) server role is installed. This procedure describes how to open Group Policy Management on your domain controller running Windows Server 2008. The procedure then describes how to either open an existing domain-level Group Policy object (GPO) for editing, or create a new domain GPO and open it for editing.</maml:para>

<maml:para>Membership in <maml:ui>Domain Admins</maml:ui>, or equivalent, is the minimum required to perform this procedure.</maml:para>

</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To open or add and open a Group Policy object</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On your domain controller running Windows Server 2008, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. The Group Policy Management console opens. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the left pane, double-click your forest. For example, double-click <maml:phrase>Forest: example.com</maml:phrase>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the left pane, double-click <maml:ui>Domains</maml:ui>, and then double-click the domain that contains the GPO you want to manage. For example, double-click <maml:phrase>example.com</maml:phrase>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Do one of the following: </maml:para>
</maml:section></maml:sections><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para><maml:phrase>To open an existing domain-level GPO for editing</maml:phrase>, double-click the domain that contains the GPO that you want to manage, right-click the domain policy that you want to manage, and then click <maml:ui>Edit</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para><maml:phrase>To create a new Group Policy object and open it for editing</maml:phrase>, right-click the domain for which you want to create a new GPO, and then click <maml:ui>Create a GPO in this domain, and link it here</maml:ui>. </maml:para>
<maml:para>In <maml:ui>New GPO</maml:ui>, in <maml:ui>Name</maml:ui>, type a name for the new GPO, and then click <maml:ui>OK</maml:ui>. </maml:para>
<maml:para>Right-click your new GPO, and then click <maml:ui>Edit</maml:ui>. Group Policy Management Editor opens.</maml:para>
</maml:section></maml:sections></maml:step></maml:step></maml:procedure>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Policies in NPS</maml:title><maml:introduction>
<maml:para> </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Network Policy Server (NPS) provides three types of policies:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:computerOutputInline>Connection request policies</maml:computerOutputInline>. Sets of conditions and settings that specify which RADIUS servers perform the authentication, authorization, and accounting of connection requests received by the NPS server from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>When you deploy Network Access Protection (NAP) using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in connection request policy even when connection requests are processed locally.</maml:para>
</maml:alertSet></maml:listItem>
<maml:listItem><maml:para><maml:computerOutputInline>Network policies</maml:computerOutputInline>. Sets of conditions, constraints, and settings that specify who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy NAP, health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:computerOutputInline>Health policies</maml:computerOutputInline>. One or more system health validators (SHVs) and other settings that allow you to define client computer configuration requirements for the NAP-capable computers that attempt to connect to your network. Health policies are used only with NAP.</maml:para></maml:listItem>

</maml:list>









<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>These policies are different from and unrelated to Group Policy.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Connection Request Policies</maml:linkText><maml:uri href="mshelp://windows/?id=418638e1-e88e-4b59-853d-ae16fc589bd9"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Health Policies</maml:linkText><maml:uri href="mshelp://windows/?id=9561f22e-2bab-453c-a4de-36e4466850df"></maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Network Policies</maml:linkText><maml:uri href="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Wireless Clients running Windows XP for PEAP-TLS Authentication</maml:title><maml:introduction>
<maml:para>Use this procedure to configure a Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) wireless profile for wireless computers running Windows XP and Windows Server 2003.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure a PEAP-TLS wireless profile for computers running Windows XP </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the <maml:ui>New XP Wireless Network (IEEE 802.11) Policies Properties</maml:ui> dialog box. </maml:para>

<maml:para>On the <maml:ui>General</maml:ui> tab, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In <maml:ui>XP Policy Name</maml:ui>, type a name for your wireless policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Description</maml:ui>, type a description of the policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Networks to access</maml:ui>, select either <maml:ui>Access point (infrastructure) networks only</maml:ui> or <maml:ui>Any available network (access point preferred)</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Select <maml:ui>Use Windows to configure wireless network settings for clients</maml:ui>.</maml:para></maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Preferred Networks</maml:ui> tab, click <maml:ui>Add</maml:ui>, and then select <maml:ui>Infrastructure</maml:ui>. On the <maml:ui>Network Properties</maml:ui> tab, configure the following:</maml:para>

<maml:list class="ordered">
<maml:listItem><maml:para>In <maml:ui>Network Name (SSID)</maml:ui>, type the service set identifier (SSID) for your network.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The value you enter in this field must match the value configured on the access points you have deployed on your network.</maml:para></maml:alertSet></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Description</maml:ui>, enter a description for the <maml:ui>New Preferred Setting Properties</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Select the security methods for this network</maml:ui>, in <maml:ui>Authentication</maml:ui>, select either <maml:ui>WPA2</maml:ui> (preferred), or <maml:ui>WPA</maml:ui>. In <maml:ui>Encryption</maml:ui>, specify either <maml:ui>AES</maml:ui> or <maml:ui>TKIP</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>In Windows XP Wireless Network (IEEE 802.11) Policies, <maml:ui>WPA2</maml:ui> and <maml:ui>WPA</maml:ui> correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies <maml:ui>WPA2-Enterprise</maml:ui> and <maml:ui>WPA-Enterprise</maml:ui> settings, respectively.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.</maml:para></maml:alertSet>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>IEEE 802.1X</maml:ui> tab. In <maml:ui>EAP type</maml:ui>, by default, <maml:ui>Protected EAP (PEAP)</maml:ui> is selected.</maml:para>
<maml:para>The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Settings</maml:ui>. In the <maml:ui>Protected EAP Properties</maml:ui> dialog box, do the following:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Select <maml:ui>Validate server certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wireless access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to separate multiple RADIUS server names. </maml:para></maml:listItem>


<maml:listItem>
<maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This setting restricts the root CAs that clients trust to the ones you select. If no trusted root CAs are selected, clients trust every root CA in their trusted root certification authority store, so a server certificate that chains to any of those root CAs is accepted. </maml:para>
</maml:alertSet>
</maml:listItem>
<maml:listItem><maml:para>For improved security and a better user experience, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Select Authentication Method</maml:ui>, select <maml:ui>Smart Card or other certificate</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To enable PEAP fast reconnect, select <maml:ui>Enable Fast Reconnect</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select <maml:ui>Enforce Network Access Protection</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To require cryptobinding Type-Length Value (TLV), select <maml:ui>Disconnect if server does not present cryptobinding TLV</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To configure your clients so that they will not send their identity in plaintext before the client has authenticated the RADIUS server, select <maml:ui>Enable Identity Privacy</maml:ui>, and then in <maml:ui>Anonymous Identity</maml:ui>, type a name or value, or leave the field empty.</maml:para>
<maml:para>For example, if <maml:ui>Enable Identity Privacy</maml:ui> is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select <maml:ui>Enable Identity Privacy</maml:ui> but do not provide an anonymous identity value, the identity response is  @realm.</maml:para>
</maml:listItem>



<maml:listItem><maml:para>To configure PEAP-TLS properties, click <maml:ui>Configure</maml:ui>, and then in <maml:ui>Smart Card or other Certificate Properties</maml:ui>, configure the following items according to your needs:</maml:para><maml:list class="unordered">
<maml:listItem><maml:para>In <maml:ui>When connecting</maml:ui>, select either <maml:ui>Use my smart card</maml:ui>, or select both <maml:ui>Use a certificate on this computer</maml:ui> and <maml:ui>Use simple certificate selection (Recommended)</maml:ui>. </maml:para></maml:listItem>
<maml:listItem><maml:para>To require that access clients validate the NPS server certificate, select <maml:ui>Validate server certificate</maml:ui>.</maml:para></maml:listItem>

<maml:listItem><maml:para>To specify which RADIUS servers your wireless access clients must use for authentication and authorization, in <maml:ui>Connect to these servers</maml:ui>, type the name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to separate multiple RADIUS server names. </maml:para></maml:listItem>

<maml:listItem><maml:para>In <maml:ui>Trusted Root Certification Authorities</maml:ui>, select the CA that issued NPS server certificates on your network.</maml:para></maml:listItem>
<maml:listItem><maml:para>To specify that clients use an alternate name for the access attempt, select <maml:ui>Use a different user name for the connection</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>To prevent users from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both, select <maml:ui>Do not prompt user to authorize new servers or trusted certification authorities</maml:ui>. (Recommended)</maml:para></maml:listItem>
<maml:listItem><maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>Smart card or other Certificate Properties</maml:ui> dialog box, and then click <maml:ui>OK</maml:ui> again to close the <maml:ui>Protected EAP (PEAP) Properties</maml:ui> dialog box, returning you to the <maml:ui>New Vista Wired Network Policy Properties</maml:ui> dialog box. </maml:para></maml:listItem></maml:list></maml:listItem>



</maml:list>

</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure NPS as a RADIUS Proxy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>The following checklist provides the tasks required to configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) proxy that forwards connection requests to other RADIUS servers for authentication and authorization.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.</maml:para>
</maml:alertSet>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Configure network access servers as RADIUS clients in NPS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink>; <maml:navigationLink><maml:linkText>RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>On the NPS proxy server, use the <maml:ui>New Remote RADIUS Server Group Wizard</maml:ui> to create a remote server group with one or more RADIUS servers to which RADIUS messages are forwarded. Configure RADIUS ports and shared secrets that are common to both the NPS proxy server and the RADIUS servers (to which requests are forwarded).</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a Remote RADIUS Server Group</maml:linkText><maml:uri href="mshelp://windows/?id=592105a8-de1a-454d-94c7-fa770cafdf76"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Remote RADIUS Server Groups</maml:linkText><maml:uri href="mshelp://windows/?id=689390e0-760d-42e8-a894-78749558a626"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>On the NPS proxy server, use the <maml:ui>New Connection Request Policy Wizard</maml:ui> to create a connection request policy to forward connection requests and accounting information to the remote RADIUS server group.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a Connection Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=972043b0-0233-4ea1-8ddb-e1de1cbb9c57"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Connection Request Policies</maml:linkText><maml:uri href="mshelp://windows/?id=418638e1-e88e-4b59-853d-ae16fc589bd9"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure logging methods for user authentication and accounting requests.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>RADIUS Accounting</maml:linkText><maml:uri href="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Configure Log File Properties</maml:linkText><maml:uri href="mshelp://windows/?id=50d16bcb-06c3-4073-bca9-621701c55cf1"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Register the NPS proxy servers in Active Directory® Domain Services (AD DS) domains.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Register the NPS Server in Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=d994b6fb-7936-4b4c-b8ad-d4b75801c70d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure the NPS proxy servers as RADIUS clients on the RADIUS servers (to which requests are forwarded).</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Add a New RADIUS Client</maml:linkText><maml:uri href="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754"></maml:uri></maml:navigationLink> and your hardware documentation</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="radius" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Network Policy Server" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="radius.H1F" />
	</CompilerOptions>
	<TOCDef File="radius.H1T" Id="radius_TOC" />
	<VTopicDef File="radius.H1V" />
	<KeywordIndexDef File="radius_AssetId.H1K" />
	<KeywordIndexDef File="radius_BestBet.H1K" />
	<KeywordIndexDef File="radius_LinkTerm.H1K" />
	<KeywordIndexDef File="radius_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\08ce0e6b-93f2-43b5-b1cf-8e2454cd5272.xml" />
	<File Url="assets\09e250cb-7d83-4f2e-bf98-1c6a54654f77.xml" />
	<File Url="assets\13a5e651-d090-407f-a995-3e8509cf9a8e.xml" />
	<File Url="assets\141ae7ad-a32d-4d29-9bbd-0e50cfc9164d.xml" />
	<File Url="assets\1abd93f7-d617-4377-9cc7-c6bb35b0243b.xml" />
	<File Url="assets\21bb6dd6-f462-4715-89cd-e94636557945.xml" />
	<File Url="assets\25b886ed-75e9-4f49-8ca0-c90991dfc20e.xml" />
	<File Url="assets\287a5491-9f3e-4e7e-97de-02ace47d018e.xml" />
	<File Url="assets\2a1b783d-cd88-445f-9397-3ed385a9f733.xml" />
	<File Url="assets\36720df9-0b4a-4725-bdd7-c7e12d5c535b.xml" />
	<File Url="assets\36aa0cab-5ffe-4c18-95e4-b345ec0a67c6.xml" />
	<File Url="assets\396c8b17-fdc0-43dc-8419-31311f8ac665.xml" />
	<File Url="assets\418638e1-e88e-4b59-853d-ae16fc589bd9.xml" />
	<File Url="assets\41f058fe-70c8-4269-bd08-efd98acf5fe3.xml" />
	<File Url="assets\499cfc22-34ea-4f71-9c44-d7ffbb838e00.xml" />
	<File Url="assets\4cd859ba-2651-42a3-83fe-95197ce38a5c.xml" />
	<File Url="assets\4e4f927d-3273-40b5-a33b-f550be1587e2.xml" />
	<File Url="assets\50b75202-0103-4285-80ac-c1234c3b5e9c.xml" />
	<File Url="assets\50d16bcb-06c3-4073-bca9-621701c55cf1.xml" />
	<File Url="assets\5220ca1e-409e-4841-b43e-837b4edd2cb6.xml" />
	<File Url="assets\541cef62-a77e-483c-a847-27aacc68625d.xml" />
	<File Url="assets\58cb0d00-d084-47c0-9fe7-b8f4b0166a4c.xml" />
	<File Url="assets\58ec6857-153e-417f-b63c-40fd6addd216.xml" />
	<File Url="assets\592105a8-de1a-454d-94c7-fa770cafdf76.xml" />
	<File Url="assets\5ba4dfa8-674d-43fe-9196-93fc599ee94d.xml" />
	<File Url="assets\5d00958c-4ffa-4b58-b84e-bcecfd40d61c.xml" />
	<File Url="assets\5d57d701-429e-4389-8d03-6ff0b13ac488.xml" />
	<File Url="assets\5e653bce-7b3b-48c8-b784-020e133c6bcc.xml" />
	<File Url="assets\62aa0ab9-ce1c-4afc-831c-69325ec9fe1d.xml" />
	<File Url="assets\689390e0-760d-42e8-a894-78749558a626.xml" />
	<File Url="assets\6a4a5454-26bd-495f-a57c-a62493c91ac9.xml" />
	<File Url="assets\6aadc218-2112-4781-8b20-05d591066840.xml" />
	<File Url="assets\72747f28-80c0-45bf-8fcb-50938808b5b6.xml" />
	<File Url="assets\74b6dbef-a26e-48ef-a26d-fb33e4e7730c.xml" />
	<File Url="assets\77f4d1e3-4766-430e-9f78-82364b35d225.xml" />
	<File Url="assets\78f2b506-66a2-45d8-a17e-c83203b7e9d6.xml" />
	<File Url="assets\7a04cacb-8df7-4187-94ce-0410170cde1f.xml" />
	<File Url="assets\7a2cb3e1-d6de-44d8-8f8e-7309acb68383.xml" />
	<File Url="assets\7a3cc667-cc49-4bd2-b117-62f573751748.xml" />
	<File Url="assets\7f441bba-13e0-4676-bf8a-bb410c50d91e.xml" />
	<File Url="assets\88497044-c5b1-46a8-acc8-3be04052b6cf.xml" />
	<File Url="assets\88ec0246-a5e1-425d-9dda-9bfc61249726.xml" />
	<File Url="assets\89328686-ac05-4f04-a2cb-51c30c4d6796.xml" />
	<File Url="assets\912212d0-b52c-4f64-ace4-41fc01cfc5aa.xml" />
	<File Url="assets\92ed06a5-f36b-4256-ab81-229fa7af9fc6.xml" />
	<File Url="assets\9383c523-af71-4513-a942-e4458692f457.xml" />
	<File Url="relatedAssets\b19e0940-c0e4-4e7a-bba7-7d9495e71453.gif" />
	<File Url="assets\94c797c3-1efa-4a62-946b-a6923e0ee036.xml" />
	<File Url="assets\94efe111-f74e-442a-b7f2-b545bed1107d.xml" />
	<File Url="assets\9561f22e-2bab-453c-a4de-36e4466850df.xml" />
	<File Url="assets\972043b0-0233-4ea1-8ddb-e1de1cbb9c57.xml" />
	<File Url="assets\9d3f798f-0854-4602-adce-0b888e8c00ef.xml" />
	<File Url="assets\9d851c01-7896-4074-b3dd-2e7ee422a477.xml" />
	<File Url="assets\a1210cf7-7995-428a-8f25-246f1b5d11da.xml" />
	<File Url="assets\a1ac8d7e-3479-46b4-932b-ab43362e021b.xml" />
	<File Url="assets\a66e6bd0-d710-4668-a9f0-f44222ea10fd.xml" />
	<File Url="assets\addbacc4-32a5-4dca-b12e-771bcba85733.xml" />
	<File Url="assets\b607dabd-8eca-41ab-9953-ea2941a90154.xml" />
	<File Url="assets\c23d0c91-d9d4-47d4-9542-e373040764fc.xml" />
	<File Url="assets\c29cb16a-4263-47d9-8bbe-0d5db799ca7c.xml" />
	<File Url="assets\c3c405fc-099d-497d-857d-be93314c4db6.xml" />
	<File Url="assets\ca7d5422-1a5c-4472-b5e3-f6996f7a4084.xml" />
	<File Url="assets\ceee0372-2286-4205-9c43-f3f242c07b60.xml" />
	<File Url="assets\cfa37f4c-8133-4df8-9db8-657a0784ffd5.xml" />
	<File Url="assets\cfdc3bc3-82ff-4b71-90e8-57c8029501e5.xml" />
	<File Url="assets\d1c27e22-914b-4191-ba02-371f5fba137d.xml" />
	<File Url="assets\d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27.xml" />
	<File Url="assets\d80d8fd1-388f-49e1-8b32-855cf8fda137.xml" />
	<File Url="assets\d82f6c3d-52d2-489a-b21e-cba7dd6850f5.xml" />
	<File Url="assets\d90e87a7-0a9b-4d61-9355-14887f112754.xml" />
	<File Url="assets\d994b6fb-7936-4b4c-b8ad-d4b75801c70d.xml" />
	<File Url="assets\de982522-df50-465d-b221-656bc3b39468.xml" />
	<File Url="assets\e4b41164-2fac-418e-ab9b-bc26baed1d11.xml" />
	<File Url="assets\e7b2e1e2-9da4-4a68-a1db-6a0886f7e028.xml" />
	<File Url="assets\e853adba-c8b8-4d19-8626-89a09a76a8c0.xml" />
	<File Url="relatedAssets\6abe5f5f-c467-44c9-b3fd-55b8cb7e16a3.gif" />
	<File Url="assets\f1ef3288-9cae-4ba5-b55c-caa2f4f8967d.xml" />
	<File Url="relatedAssets\168d7bbd-0b7a-4371-b0a2-25a737a3e4ef.gif" />
	<File Url="assets\f3ebb128-d942-4251-b3fb-de6f78cd5f97.xml" />
	<File Url="assets\f4522491-921b-4ca9-974c-a41b90883ca7.xml" />
	<File Url="assets\f45775a5-af6b-4b71-97fb-8fafd5277b30.xml" />
	<File Url="assets\f55c57a1-6c80-43a4-837c-260ea3e68027.xml" />
	<File Url="assets\fabff996-c60c-4dce-8a9d-39b705042901.xml" />
	<File Url="assets\ff35a554-2006-442d-a8e6-bf05d33ff1a7.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\08ce0e6b-93f2-43b5-b1cf-8e2454cd5272.xml" RLTitle="Checklist: Configure Network Access Protection (NAP)">
		<Attr Name="assetid" Value="08ce0e6b-93f2-43b5-b1cf-8e2454cd5272" />
		<Keyword Index="AssetId" Term="08ce0e6b-93f2-43b5-b1cf-8e2454cd5272" />
		<Keyword Index="AssetId" Term="08ce0e6b-93f2-43b5-b1cf-8e2454cd52721033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="08ce0e6b-93f2-43b5-b1cf-8e2454cd5272" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\09e250cb-7d83-4f2e-bf98-1c6a54654f77.xml" RLTitle="Configure Wireless Clients running Windows XP for EAP-TLS Authentication">
		<Attr Name="assetid" Value="09e250cb-7d83-4f2e-bf98-1c6a54654f77" />
		<Keyword Index="AssetId" Term="09e250cb-7d83-4f2e-bf98-1c6a54654f77" />
		<Keyword Index="AssetId" Term="09e250cb-7d83-4f2e-bf98-1c6a54654f771033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="09e250cb-7d83-4f2e-bf98-1c6a54654f77" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\13a5e651-d090-407f-a995-3e8509cf9a8e.xml" RLTitle="EAP Overview">
		<Attr Name="assetid" Value="13a5e651-d090-407f-a995-3e8509cf9a8e" />
		<Keyword Index="AssetId" Term="13a5e651-d090-407f-a995-3e8509cf9a8e" />
		<Keyword Index="AssetId" Term="13a5e651-d090-407f-a995-3e8509cf9a8e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="13a5e651-d090-407f-a995-3e8509cf9a8e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\141ae7ad-a32d-4d29-9bbd-0e50cfc9164d.xml" RLTitle="Remediation Server Groups">
		<Attr Name="assetid" Value="141ae7ad-a32d-4d29-9bbd-0e50cfc9164d" />
		<Keyword Index="AssetId" Term="141ae7ad-a32d-4d29-9bbd-0e50cfc9164d" />
		<Keyword Index="AssetId" Term="141ae7ad-a32d-4d29-9bbd-0e50cfc9164d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="141ae7ad-a32d-4d29-9bbd-0e50cfc9164d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1abd93f7-d617-4377-9cc7-c6bb35b0243b.xml" RLTitle="NAP Enforcement Methods">
		<Attr Name="assetid" Value="1abd93f7-d617-4377-9cc7-c6bb35b0243b" />
		<Keyword Index="AssetId" Term="1abd93f7-d617-4377-9cc7-c6bb35b0243b" />
		<Keyword Index="AssetId" Term="1abd93f7-d617-4377-9cc7-c6bb35b0243b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1abd93f7-d617-4377-9cc7-c6bb35b0243b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\21bb6dd6-f462-4715-89cd-e94636557945.xml" RLTitle="NAP Enforcement for 802.1X">
		<Attr Name="assetid" Value="21bb6dd6-f462-4715-89cd-e94636557945" />
		<Keyword Index="AssetId" Term="21bb6dd6-f462-4715-89cd-e94636557945" />
		<Keyword Index="AssetId" Term="21bb6dd6-f462-4715-89cd-e946365579451033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="21bb6dd6-f462-4715-89cd-e94636557945" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\25b886ed-75e9-4f49-8ca0-c90991dfc20e.xml" RLTitle="Deploy User Certificates">
		<Attr Name="assetid" Value="25b886ed-75e9-4f49-8ca0-c90991dfc20e" />
		<Keyword Index="AssetId" Term="25b886ed-75e9-4f49-8ca0-c90991dfc20e" />
		<Keyword Index="AssetId" Term="25b886ed-75e9-4f49-8ca0-c90991dfc20e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="25b886ed-75e9-4f49-8ca0-c90991dfc20e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\287a5491-9f3e-4e7e-97de-02ace47d018e.xml" RLTitle="Configure 802.1X Wired Access Clients for PEAP-MS-CHAP v2 Authentication">
		<Attr Name="assetid" Value="287a5491-9f3e-4e7e-97de-02ace47d018e" />
		<Keyword Index="AssetId" Term="287a5491-9f3e-4e7e-97de-02ace47d018e" />
		<Keyword Index="AssetId" Term="287a5491-9f3e-4e7e-97de-02ace47d018e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="287a5491-9f3e-4e7e-97de-02ace47d018e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2a1b783d-cd88-445f-9397-3ed385a9f733.xml" RLTitle="RADIUS Accounting">
		<Attr Name="assetid" Value="2a1b783d-cd88-445f-9397-3ed385a9f733" />
		<Keyword Index="AssetId" Term="2a1b783d-cd88-445f-9397-3ed385a9f733" />
		<Keyword Index="AssetId" Term="2a1b783d-cd88-445f-9397-3ed385a9f7331033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2a1b783d-cd88-445f-9397-3ed385a9f733" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\36720df9-0b4a-4725-bdd7-c7e12d5c535b.xml" RLTitle="System Health Validators">
		<Attr Name="assetid" Value="36720df9-0b4a-4725-bdd7-c7e12d5c535b" />
		<Keyword Index="AssetId" Term="36720df9-0b4a-4725-bdd7-c7e12d5c535b" />
		<Keyword Index="AssetId" Term="36720df9-0b4a-4725-bdd7-c7e12d5c535b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="36720df9-0b4a-4725-bdd7-c7e12d5c535b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\36aa0cab-5ffe-4c18-95e4-b345ec0a67c6.xml" RLTitle="NAP Enforcement for Remote Desktop Gateway">
		<Attr Name="assetid" Value="36aa0cab-5ffe-4c18-95e4-b345ec0a67c6" />
		<Keyword Index="AssetId" Term="36aa0cab-5ffe-4c18-95e4-b345ec0a67c6" />
		<Keyword Index="AssetId" Term="36aa0cab-5ffe-4c18-95e4-b345ec0a67c61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="36aa0cab-5ffe-4c18-95e4-b345ec0a67c6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\396c8b17-fdc0-43dc-8419-31311f8ac665.xml" RLTitle="System Health Validator Settings">
		<Attr Name="assetid" Value="396c8b17-fdc0-43dc-8419-31311f8ac665" />
		<Keyword Index="AssetId" Term="396c8b17-fdc0-43dc-8419-31311f8ac665" />
		<Keyword Index="AssetId" Term="396c8b17-fdc0-43dc-8419-31311f8ac6651033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="396c8b17-fdc0-43dc-8419-31311f8ac665" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\418638e1-e88e-4b59-853d-ae16fc589bd9.xml" RLTitle="Connection Request Policies">
		<Attr Name="assetid" Value="418638e1-e88e-4b59-853d-ae16fc589bd9" />
		<Keyword Index="AssetId" Term="418638e1-e88e-4b59-853d-ae16fc589bd9" />
		<Keyword Index="AssetId" Term="418638e1-e88e-4b59-853d-ae16fc589bd91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="418638e1-e88e-4b59-853d-ae16fc589bd9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\41f058fe-70c8-4269-bd08-efd98acf5fe3.xml" RLTitle="NAP Enforcement for VPN">
		<Attr Name="assetid" Value="41f058fe-70c8-4269-bd08-efd98acf5fe3" />
		<Keyword Index="AssetId" Term="41f058fe-70c8-4269-bd08-efd98acf5fe3" />
		<Keyword Index="AssetId" Term="41f058fe-70c8-4269-bd08-efd98acf5fe31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="41f058fe-70c8-4269-bd08-efd98acf5fe3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\499cfc22-34ea-4f71-9c44-d7ffbb838e00.xml" RLTitle="System Health Validator Error Codes">
		<Attr Name="assetid" Value="499cfc22-34ea-4f71-9c44-d7ffbb838e00" />
		<Keyword Index="AssetId" Term="499cfc22-34ea-4f71-9c44-d7ffbb838e00" />
		<Keyword Index="AssetId" Term="499cfc22-34ea-4f71-9c44-d7ffbb838e001033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="499cfc22-34ea-4f71-9c44-d7ffbb838e00" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4cd859ba-2651-42a3-83fe-95197ce38a5c.xml" RLTitle="Checklist: Configure NPS for Dial-Up and VPN Access">
		<Attr Name="assetid" Value="4cd859ba-2651-42a3-83fe-95197ce38a5c" />
		<Keyword Index="AssetId" Term="4cd859ba-2651-42a3-83fe-95197ce38a5c" />
		<Keyword Index="AssetId" Term="4cd859ba-2651-42a3-83fe-95197ce38a5c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4cd859ba-2651-42a3-83fe-95197ce38a5c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4e4f927d-3273-40b5-a33b-f550be1587e2.xml" RLTitle="NPS Server Certificate: Configure the Template and Autoenrollment">
		<Attr Name="assetid" Value="4e4f927d-3273-40b5-a33b-f550be1587e2" />
		<Keyword Index="AssetId" Term="4e4f927d-3273-40b5-a33b-f550be1587e2" />
		<Keyword Index="AssetId" Term="4e4f927d-3273-40b5-a33b-f550be1587e21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4e4f927d-3273-40b5-a33b-f550be1587e2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\50b75202-0103-4285-80ac-c1234c3b5e9c.xml" RLTitle="Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista">
		<Attr Name="assetid" Value="50b75202-0103-4285-80ac-c1234c3b5e9c" />
		<Keyword Index="AssetId" Term="50b75202-0103-4285-80ac-c1234c3b5e9c" />
		<Keyword Index="AssetId" Term="50b75202-0103-4285-80ac-c1234c3b5e9c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="50b75202-0103-4285-80ac-c1234c3b5e9c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\50d16bcb-06c3-4073-bca9-621701c55cf1.xml" RLTitle="Configure Log File Properties">
		<Attr Name="assetid" Value="50d16bcb-06c3-4073-bca9-621701c55cf1" />
		<Keyword Index="AssetId" Term="50d16bcb-06c3-4073-bca9-621701c55cf1" />
		<Keyword Index="AssetId" Term="50d16bcb-06c3-4073-bca9-621701c55cf11033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="50d16bcb-06c3-4073-bca9-621701c55cf1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5220ca1e-409e-4841-b43e-837b4edd2cb6.xml" RLTitle="Configure 802.1X Wireless Access Clients by using Group Policy Management">
		<Attr Name="assetid" Value="5220ca1e-409e-4841-b43e-837b4edd2cb6" />
		<Keyword Index="AssetId" Term="5220ca1e-409e-4841-b43e-837b4edd2cb6" />
		<Keyword Index="AssetId" Term="5220ca1e-409e-4841-b43e-837b4edd2cb61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5220ca1e-409e-4841-b43e-837b4edd2cb6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\541cef62-a77e-483c-a847-27aacc68625d.xml" RLTitle="Create policies for 802.1X Wired or Wireless with a Wizard">
		<Attr Name="assetid" Value="541cef62-a77e-483c-a847-27aacc68625d" />
		<Keyword Index="AssetId" Term="541cef62-a77e-483c-a847-27aacc68625d" />
		<Keyword Index="AssetId" Term="541cef62-a77e-483c-a847-27aacc68625d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="541cef62-a77e-483c-a847-27aacc68625d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\58cb0d00-d084-47c0-9fe7-b8f4b0166a4c.xml" RLTitle="Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication">
		<Attr Name="assetid" Value="58cb0d00-d084-47c0-9fe7-b8f4b0166a4c" />
		<Keyword Index="AssetId" Term="58cb0d00-d084-47c0-9fe7-b8f4b0166a4c" />
		<Keyword Index="AssetId" Term="58cb0d00-d084-47c0-9fe7-b8f4b0166a4c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="58cb0d00-d084-47c0-9fe7-b8f4b0166a4c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\58ec6857-153e-417f-b63c-40fd6addd216.xml" RLTitle="Deploy a CA and NPS Server Certificate">
		<Attr Name="assetid" Value="58ec6857-153e-417f-b63c-40fd6addd216" />
		<Keyword Index="AssetId" Term="58ec6857-153e-417f-b63c-40fd6addd216" />
		<Keyword Index="AssetId" Term="58ec6857-153e-417f-b63c-40fd6addd2161033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="58ec6857-153e-417f-b63c-40fd6addd216" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\592105a8-de1a-454d-94c7-fa770cafdf76.xml" RLTitle="Add a Remote RADIUS Server Group">
		<Attr Name="assetid" Value="592105a8-de1a-454d-94c7-fa770cafdf76" />
		<Keyword Index="AssetId" Term="592105a8-de1a-454d-94c7-fa770cafdf76" />
		<Keyword Index="AssetId" Term="592105a8-de1a-454d-94c7-fa770cafdf761033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="592105a8-de1a-454d-94c7-fa770cafdf76" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5ba4dfa8-674d-43fe-9196-93fc599ee94d.xml" RLTitle="RADIUS Client">
		<Attr Name="assetid" Value="5ba4dfa8-674d-43fe-9196-93fc599ee94d" />
		<Keyword Index="AssetId" Term="5ba4dfa8-674d-43fe-9196-93fc599ee94d" />
		<Keyword Index="AssetId" Term="5ba4dfa8-674d-43fe-9196-93fc599ee94d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5ba4dfa8-674d-43fe-9196-93fc599ee94d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5d00958c-4ffa-4b58-b84e-bcecfd40d61c.xml" RLTitle="Network Policies">
		<Attr Name="assetid" Value="5d00958c-4ffa-4b58-b84e-bcecfd40d61c" />
		<Keyword Index="AssetId" Term="5d00958c-4ffa-4b58-b84e-bcecfd40d61c" />
		<Keyword Index="AssetId" Term="5d00958c-4ffa-4b58-b84e-bcecfd40d61c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5d00958c-4ffa-4b58-b84e-bcecfd40d61c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5d57d701-429e-4389-8d03-6ff0b13ac488.xml" RLTitle="Configure SQL Server Logging in NPS">
		<Attr Name="assetid" Value="5d57d701-429e-4389-8d03-6ff0b13ac488" />
		<Keyword Index="AssetId" Term="5d57d701-429e-4389-8d03-6ff0b13ac488" />
		<Keyword Index="AssetId" Term="5d57d701-429e-4389-8d03-6ff0b13ac4881033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5d57d701-429e-4389-8d03-6ff0b13ac488" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5e653bce-7b3b-48c8-b784-020e133c6bcc.xml" RLTitle="PEAP Overview">
		<Attr Name="assetid" Value="5e653bce-7b3b-48c8-b784-020e133c6bcc" />
		<Keyword Index="AssetId" Term="5e653bce-7b3b-48c8-b784-020e133c6bcc" />
		<Keyword Index="AssetId" Term="5e653bce-7b3b-48c8-b784-020e133c6bcc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5e653bce-7b3b-48c8-b784-020e133c6bcc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\62aa0ab9-ce1c-4afc-831c-69325ec9fe1d.xml" RLTitle="NPS Templates">
		<Attr Name="assetid" Value="62aa0ab9-ce1c-4afc-831c-69325ec9fe1d" />
		<Keyword Index="AssetId" Term="62aa0ab9-ce1c-4afc-831c-69325ec9fe1d" />
		<Keyword Index="AssetId" Term="62aa0ab9-ce1c-4afc-831c-69325ec9fe1d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="62aa0ab9-ce1c-4afc-831c-69325ec9fe1d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\689390e0-760d-42e8-a894-78749558a626.xml" RLTitle="Remote RADIUS Server Groups">
		<Attr Name="assetid" Value="689390e0-760d-42e8-a894-78749558a626" />
		<Keyword Index="AssetId" Term="689390e0-760d-42e8-a894-78749558a626" />
		<Keyword Index="AssetId" Term="689390e0-760d-42e8-a894-78749558a6261033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="689390e0-760d-42e8-a894-78749558a626" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6a4a5454-26bd-495f-a57c-a62493c91ac9.xml" RLTitle="Deploying Certificates for PEAP and EAP">
		<Attr Name="assetid" Value="6a4a5454-26bd-495f-a57c-a62493c91ac9" />
		<Keyword Index="AssetId" Term="6a4a5454-26bd-495f-a57c-a62493c91ac9" />
		<Keyword Index="AssetId" Term="6a4a5454-26bd-495f-a57c-a62493c91ac91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6a4a5454-26bd-495f-a57c-a62493c91ac9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6aadc218-2112-4781-8b20-05d591066840.xml" RLTitle="Network Access Protection in NPS">
		<Attr Name="assetid" Value="6aadc218-2112-4781-8b20-05d591066840" />
		<Keyword Index="AssetId" Term="6aadc218-2112-4781-8b20-05d591066840" />
		<Keyword Index="AssetId" Term="6aadc218-2112-4781-8b20-05d5910668401033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6aadc218-2112-4781-8b20-05d591066840" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\72747f28-80c0-45bf-8fcb-50938808b5b6.xml" RLTitle="Configure 802.1X Wireless Access Clients running Windows XP">
		<Attr Name="assetid" Value="72747f28-80c0-45bf-8fcb-50938808b5b6" />
		<Keyword Index="AssetId" Term="72747f28-80c0-45bf-8fcb-50938808b5b6" />
		<Keyword Index="AssetId" Term="72747f28-80c0-45bf-8fcb-50938808b5b61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="72747f28-80c0-45bf-8fcb-50938808b5b6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\74b6dbef-a26e-48ef-a26d-fb33e4e7730c.xml" RLTitle="Checklist: Configure NPS for Secure Wireless Access">
		<Attr Name="assetid" Value="74b6dbef-a26e-48ef-a26d-fb33e4e7730c" />
		<Keyword Index="AssetId" Term="74b6dbef-a26e-48ef-a26d-fb33e4e7730c" />
		<Keyword Index="AssetId" Term="74b6dbef-a26e-48ef-a26d-fb33e4e7730c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="74b6dbef-a26e-48ef-a26d-fb33e4e7730c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\77f4d1e3-4766-430e-9f78-82364b35d225.xml" RLTitle="Open Wired or Wireless Network Policies for Editing">
		<Attr Name="assetid" Value="77f4d1e3-4766-430e-9f78-82364b35d225" />
		<Keyword Index="AssetId" Term="77f4d1e3-4766-430e-9f78-82364b35d225" />
		<Keyword Index="AssetId" Term="77f4d1e3-4766-430e-9f78-82364b35d2251033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="77f4d1e3-4766-430e-9f78-82364b35d225" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\78f2b506-66a2-45d8-a17e-c83203b7e9d6.xml" RLTitle="Network Policy Server Overview">
		<Attr Name="assetid" Value="78f2b506-66a2-45d8-a17e-c83203b7e9d6" />
		<Keyword Index="AssetId" Term="78f2b506-66a2-45d8-a17e-c83203b7e9d6" />
		<Keyword Index="AssetId" Term="78f2b506-66a2-45d8-a17e-c83203b7e9d61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="78f2b506-66a2-45d8-a17e-c83203b7e9d6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7a04cacb-8df7-4187-94ce-0410170cde1f.xml" RLTitle="Configure NPS on a Multihomed Computer">
		<Attr Name="assetid" Value="7a04cacb-8df7-4187-94ce-0410170cde1f" />
		<Keyword Index="AssetId" Term="7a04cacb-8df7-4187-94ce-0410170cde1f" />
		<Keyword Index="AssetId" Term="7a04cacb-8df7-4187-94ce-0410170cde1f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7a04cacb-8df7-4187-94ce-0410170cde1f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7a2cb3e1-d6de-44d8-8f8e-7309acb68383.xml" RLTitle="NPS Server Certificate: CA Installation">
		<Attr Name="assetid" Value="7a2cb3e1-d6de-44d8-8f8e-7309acb68383" />
		<Keyword Index="AssetId" Term="7a2cb3e1-d6de-44d8-8f8e-7309acb68383" />
		<Keyword Index="AssetId" Term="7a2cb3e1-d6de-44d8-8f8e-7309acb683831033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7a2cb3e1-d6de-44d8-8f8e-7309acb68383" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7a3cc667-cc49-4bd2-b117-62f573751748.xml" RLTitle="Configure Wireless Clients running Windows XP for PEAP-MS-CHAP v2 Authentication">
		<Attr Name="assetid" Value="7a3cc667-cc49-4bd2-b117-62f573751748" />
		<Keyword Index="AssetId" Term="7a3cc667-cc49-4bd2-b117-62f573751748" />
		<Keyword Index="AssetId" Term="7a3cc667-cc49-4bd2-b117-62f5737517481033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7a3cc667-cc49-4bd2-b117-62f573751748" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7f441bba-13e0-4676-bf8a-bb410c50d91e.xml" RLTitle="Activate Default Wired or Wireless Network Policies">
		<Attr Name="assetid" Value="7f441bba-13e0-4676-bf8a-bb410c50d91e" />
		<Keyword Index="AssetId" Term="7f441bba-13e0-4676-bf8a-bb410c50d91e" />
		<Keyword Index="AssetId" Term="7f441bba-13e0-4676-bf8a-bb410c50d91e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7f441bba-13e0-4676-bf8a-bb410c50d91e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\88497044-c5b1-46a8-acc8-3be04052b6cf.xml" RLTitle="Configure Network Permissions and Connection Preferences">
		<Attr Name="assetid" Value="88497044-c5b1-46a8-acc8-3be04052b6cf" />
		<Keyword Index="AssetId" Term="88497044-c5b1-46a8-acc8-3be04052b6cf" />
		<Keyword Index="AssetId" Term="88497044-c5b1-46a8-acc8-3be04052b6cf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="88497044-c5b1-46a8-acc8-3be04052b6cf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\88ec0246-a5e1-425d-9dda-9bfc61249726.xml" RLTitle="RADIUS">
		<Attr Name="assetid" Value="88ec0246-a5e1-425d-9dda-9bfc61249726" />
		<Keyword Index="AssetId" Term="88ec0246-a5e1-425d-9dda-9bfc61249726" />
		<Keyword Index="AssetId" Term="88ec0246-a5e1-425d-9dda-9bfc612497261033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="88ec0246-a5e1-425d-9dda-9bfc61249726" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\89328686-ac05-4f04-a2cb-51c30c4d6796.xml" RLTitle="Configure a Network Policy to Grant or Deny Access">
		<Attr Name="assetid" Value="89328686-ac05-4f04-a2cb-51c30c4d6796" />
		<Keyword Index="AssetId" Term="89328686-ac05-4f04-a2cb-51c30c4d6796" />
		<Keyword Index="AssetId" Term="89328686-ac05-4f04-a2cb-51c30c4d67961033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="89328686-ac05-4f04-a2cb-51c30c4d6796" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\912212d0-b52c-4f64-ace4-41fc01cfc5aa.xml" RLTitle="RADIUS Server for Dial-Up or VPN Connections">
		<Attr Name="assetid" Value="912212d0-b52c-4f64-ace4-41fc01cfc5aa" />
		<Keyword Index="AssetId" Term="912212d0-b52c-4f64-ace4-41fc01cfc5aa" />
		<Keyword Index="AssetId" Term="912212d0-b52c-4f64-ace4-41fc01cfc5aa1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="912212d0-b52c-4f64-ace4-41fc01cfc5aa" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\92ed06a5-f36b-4256-ab81-229fa7af9fc6.xml" RLTitle="Configure 802.1X Wired Access Clients by using Group Policy Management">
		<Attr Name="assetid" Value="92ed06a5-f36b-4256-ab81-229fa7af9fc6" />
		<Keyword Index="AssetId" Term="92ed06a5-f36b-4256-ab81-229fa7af9fc6" />
		<Keyword Index="AssetId" Term="92ed06a5-f36b-4256-ab81-229fa7af9fc61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="92ed06a5-f36b-4256-ab81-229fa7af9fc6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9383c523-af71-4513-a942-e4458692f457.xml" RLTitle="Configure NPS UDP Port Information">
		<Attr Name="assetid" Value="9383c523-af71-4513-a942-e4458692f457" />
		<Keyword Index="AssetId" Term="9383c523-af71-4513-a942-e4458692f457" />
		<Keyword Index="AssetId" Term="9383c523-af71-4513-a942-e4458692f4571033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9383c523-af71-4513-a942-e4458692f457" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\b19e0940-c0e4-4e7a-bba7-7d9495e71453.gif">
		<Keyword Index="AssetId" Term="b19e0940-c0e4-4e7a-bba7-7d9495e71453" />
	</Vtopic>
	<Vtopic Url="assets\94c797c3-1efa-4a62-946b-a6923e0ee036.xml" RLTitle="RADIUS Proxy">
		<Attr Name="assetid" Value="94c797c3-1efa-4a62-946b-a6923e0ee036" />
		<Keyword Index="AssetId" Term="94c797c3-1efa-4a62-946b-a6923e0ee036" />
		<Keyword Index="AssetId" Term="94c797c3-1efa-4a62-946b-a6923e0ee0361033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="94c797c3-1efa-4a62-946b-a6923e0ee036" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\94efe111-f74e-442a-b7f2-b545bed1107d.xml" RLTitle="NAP Enforcement for IPsec Communications">
		<Attr Name="assetid" Value="94efe111-f74e-442a-b7f2-b545bed1107d" />
		<Keyword Index="AssetId" Term="94efe111-f74e-442a-b7f2-b545bed1107d" />
		<Keyword Index="AssetId" Term="94efe111-f74e-442a-b7f2-b545bed1107d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="94efe111-f74e-442a-b7f2-b545bed1107d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9561f22e-2bab-453c-a4de-36e4466850df.xml" RLTitle="Health Policies">
		<Attr Name="assetid" Value="9561f22e-2bab-453c-a4de-36e4466850df" />
		<Keyword Index="AssetId" Term="9561f22e-2bab-453c-a4de-36e4466850df" />
		<Keyword Index="AssetId" Term="9561f22e-2bab-453c-a4de-36e4466850df1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9561f22e-2bab-453c-a4de-36e4466850df" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\972043b0-0233-4ea1-8ddb-e1de1cbb9c57.xml" RLTitle="Add a Connection Request Policy">
		<Attr Name="assetid" Value="972043b0-0233-4ea1-8ddb-e1de1cbb9c57" />
		<Keyword Index="AssetId" Term="972043b0-0233-4ea1-8ddb-e1de1cbb9c57" />
		<Keyword Index="AssetId" Term="972043b0-0233-4ea1-8ddb-e1de1cbb9c571033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="972043b0-0233-4ea1-8ddb-e1de1cbb9c57" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9d3f798f-0854-4602-adce-0b888e8c00ef.xml" RLTitle="Deploy Client Computer Certificates">
		<Attr Name="assetid" Value="9d3f798f-0854-4602-adce-0b888e8c00ef" />
		<Keyword Index="AssetId" Term="9d3f798f-0854-4602-adce-0b888e8c00ef" />
		<Keyword Index="AssetId" Term="9d3f798f-0854-4602-adce-0b888e8c00ef1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9d3f798f-0854-4602-adce-0b888e8c00ef" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9d851c01-7896-4074-b3dd-2e7ee422a477.xml" RLTitle="Windows Security Health Validator">
		<Attr Name="assetid" Value="9d851c01-7896-4074-b3dd-2e7ee422a477" />
		<Keyword Index="AssetId" Term="9d851c01-7896-4074-b3dd-2e7ee422a477" />
		<Keyword Index="AssetId" Term="9d851c01-7896-4074-b3dd-2e7ee422a4771033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9d851c01-7896-4074-b3dd-2e7ee422a477" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a1210cf7-7995-428a-8f25-246f1b5d11da.xml" RLTitle="Client Computer Configuration">
		<Attr Name="assetid" Value="a1210cf7-7995-428a-8f25-246f1b5d11da" />
		<Keyword Index="AssetId" Term="a1210cf7-7995-428a-8f25-246f1b5d11da" />
		<Keyword Index="AssetId" Term="a1210cf7-7995-428a-8f25-246f1b5d11da1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a1210cf7-7995-428a-8f25-246f1b5d11da" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a1ac8d7e-3479-46b4-932b-ab43362e021b.xml" RLTitle="Certificate Requirements for PEAP and EAP">
		<Attr Name="assetid" Value="a1ac8d7e-3479-46b4-932b-ab43362e021b" />
		<Keyword Index="AssetId" Term="a1ac8d7e-3479-46b4-932b-ab43362e021b" />
		<Keyword Index="AssetId" Term="a1ac8d7e-3479-46b4-932b-ab43362e021b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a1ac8d7e-3479-46b4-932b-ab43362e021b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a66e6bd0-d710-4668-a9f0-f44222ea10fd.xml" RLTitle="Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication">
		<Attr Name="assetid" Value="a66e6bd0-d710-4668-a9f0-f44222ea10fd" />
		<Keyword Index="AssetId" Term="a66e6bd0-d710-4668-a9f0-f44222ea10fd" />
		<Keyword Index="AssetId" Term="a66e6bd0-d710-4668-a9f0-f44222ea10fd1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a66e6bd0-d710-4668-a9f0-f44222ea10fd" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\addbacc4-32a5-4dca-b12e-771bcba85733.xml" RLTitle="RADIUS Server for 802.1X Wireless or Wired Connections">
		<Attr Name="assetid" Value="addbacc4-32a5-4dca-b12e-771bcba85733" />
		<Keyword Index="AssetId" Term="addbacc4-32a5-4dca-b12e-771bcba85733" />
		<Keyword Index="AssetId" Term="addbacc4-32a5-4dca-b12e-771bcba857331033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="addbacc4-32a5-4dca-b12e-771bcba85733" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b607dabd-8eca-41ab-9953-ea2941a90154.xml" RLTitle="Checklist: Configure NPS for 802.1X Authenticating Switch Access">
		<Attr Name="assetid" Value="b607dabd-8eca-41ab-9953-ea2941a90154" />
		<Keyword Index="AssetId" Term="b607dabd-8eca-41ab-9953-ea2941a90154" />
		<Keyword Index="AssetId" Term="b607dabd-8eca-41ab-9953-ea2941a901541033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b607dabd-8eca-41ab-9953-ea2941a90154" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c23d0c91-d9d4-47d4-9542-e373040764fc.xml" RLTitle="Configure Network Policies">
		<Attr Name="assetid" Value="c23d0c91-d9d4-47d4-9542-e373040764fc" />
		<Keyword Index="AssetId" Term="c23d0c91-d9d4-47d4-9542-e373040764fc" />
		<Keyword Index="AssetId" Term="c23d0c91-d9d4-47d4-9542-e373040764fc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c23d0c91-d9d4-47d4-9542-e373040764fc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c29cb16a-4263-47d9-8bbe-0d5db799ca7c.xml" RLTitle="Create a Group for a Network Policy">
		<Attr Name="assetid" Value="c29cb16a-4263-47d9-8bbe-0d5db799ca7c" />
		<Keyword Index="AssetId" Term="c29cb16a-4263-47d9-8bbe-0d5db799ca7c" />
		<Keyword Index="AssetId" Term="c29cb16a-4263-47d9-8bbe-0d5db799ca7c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c29cb16a-4263-47d9-8bbe-0d5db799ca7c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c3c405fc-099d-497d-857d-be93314c4db6.xml" RLTitle="Configure 802.1X Wired Access Clients for EAP-TLS Authentication">
		<Attr Name="assetid" Value="c3c405fc-099d-497d-857d-be93314c4db6" />
		<Keyword Index="AssetId" Term="c3c405fc-099d-497d-857d-be93314c4db6" />
		<Keyword Index="AssetId" Term="c3c405fc-099d-497d-857d-be93314c4db61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c3c405fc-099d-497d-857d-be93314c4db6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ca7d5422-1a5c-4472-b5e3-f6996f7a4084.xml" RLTitle="Host Credential Authorization Protocol">
		<Attr Name="assetid" Value="ca7d5422-1a5c-4472-b5e3-f6996f7a4084" />
		<Keyword Index="AssetId" Term="ca7d5422-1a5c-4472-b5e3-f6996f7a4084" />
		<Keyword Index="AssetId" Term="ca7d5422-1a5c-4472-b5e3-f6996f7a40841033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ca7d5422-1a5c-4472-b5e3-f6996f7a4084" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ceee0372-2286-4205-9c43-f3f242c07b60.xml" RLTitle="RADIUS Clients and Servers">
		<Attr Name="assetid" Value="ceee0372-2286-4205-9c43-f3f242c07b60" />
		<Keyword Index="AssetId" Term="ceee0372-2286-4205-9c43-f3f242c07b60" />
		<Keyword Index="AssetId" Term="ceee0372-2286-4205-9c43-f3f242c07b601033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ceee0372-2286-4205-9c43-f3f242c07b60" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cfa37f4c-8133-4df8-9db8-657a0784ffd5.xml" RLTitle="Create Policies for Dial-Up or VPN with a Wizard">
		<Attr Name="assetid" Value="cfa37f4c-8133-4df8-9db8-657a0784ffd5" />
		<Keyword Index="AssetId" Term="cfa37f4c-8133-4df8-9db8-657a0784ffd5" />
		<Keyword Index="AssetId" Term="cfa37f4c-8133-4df8-9db8-657a0784ffd51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cfa37f4c-8133-4df8-9db8-657a0784ffd5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cfdc3bc3-82ff-4b71-90e8-57c8029501e5.xml" RLTitle="NPS and Firewalls">
		<Attr Name="assetid" Value="cfdc3bc3-82ff-4b71-90e8-57c8029501e5" />
		<Keyword Index="AssetId" Term="cfdc3bc3-82ff-4b71-90e8-57c8029501e5" />
		<Keyword Index="AssetId" Term="cfdc3bc3-82ff-4b71-90e8-57c8029501e51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cfdc3bc3-82ff-4b71-90e8-57c8029501e5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d1c27e22-914b-4191-ba02-371f5fba137d.xml" RLTitle="NAP Enforcement for DHCP">
		<Attr Name="assetid" Value="d1c27e22-914b-4191-ba02-371f5fba137d" />
		<Keyword Index="AssetId" Term="d1c27e22-914b-4191-ba02-371f5fba137d" />
		<Keyword Index="AssetId" Term="d1c27e22-914b-4191-ba02-371f5fba137d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d1c27e22-914b-4191-ba02-371f5fba137d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27.xml" RLTitle="802.1X Client Configuration with Group Policy">
		<Attr Name="assetid" Value="d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27" />
		<Keyword Index="AssetId" Term="d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27" />
		<Keyword Index="AssetId" Term="d68f5ec1-76bc-49d4-ba6d-477ee4eb8e271033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d80d8fd1-388f-49e1-8b32-855cf8fda137.xml" RLTitle="Network Policy Server">
		<Attr Name="assetid" Value="d80d8fd1-388f-49e1-8b32-855cf8fda137" />
		<Keyword Index="AssetId" Term="d80d8fd1-388f-49e1-8b32-855cf8fda137" />
		<Keyword Index="AssetId" Term="d80d8fd1-388f-49e1-8b32-855cf8fda1371033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d80d8fd1-388f-49e1-8b32-855cf8fda137" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d82f6c3d-52d2-489a-b21e-cba7dd6850f5.xml" RLTitle="Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication">
		<Attr Name="assetid" Value="d82f6c3d-52d2-489a-b21e-cba7dd6850f5" />
		<Keyword Index="AssetId" Term="d82f6c3d-52d2-489a-b21e-cba7dd6850f5" />
		<Keyword Index="AssetId" Term="d82f6c3d-52d2-489a-b21e-cba7dd6850f51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d82f6c3d-52d2-489a-b21e-cba7dd6850f5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d90e87a7-0a9b-4d61-9355-14887f112754.xml" RLTitle="Add a New RADIUS Client">
		<Attr Name="assetid" Value="d90e87a7-0a9b-4d61-9355-14887f112754" />
		<Keyword Index="AssetId" Term="d90e87a7-0a9b-4d61-9355-14887f112754" />
		<Keyword Index="AssetId" Term="d90e87a7-0a9b-4d61-9355-14887f1127541033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d90e87a7-0a9b-4d61-9355-14887f112754" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d994b6fb-7936-4b4c-b8ad-d4b75801c70d.xml" RLTitle="Register the NPS Server in Active Directory Domain Services">
		<Attr Name="assetid" Value="d994b6fb-7936-4b4c-b8ad-d4b75801c70d" />
		<Keyword Index="AssetId" Term="d994b6fb-7936-4b4c-b8ad-d4b75801c70d" />
		<Keyword Index="AssetId" Term="d994b6fb-7936-4b4c-b8ad-d4b75801c70d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d994b6fb-7936-4b4c-b8ad-d4b75801c70d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\de982522-df50-465d-b221-656bc3b39468.xml" RLTitle="Configure 802.1X Wired Access Clients for PEAP-TLS Authentication">
		<Attr Name="assetid" Value="de982522-df50-465d-b221-656bc3b39468" />
		<Keyword Index="AssetId" Term="de982522-df50-465d-b221-656bc3b39468" />
		<Keyword Index="AssetId" Term="de982522-df50-465d-b221-656bc3b394681033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="de982522-df50-465d-b221-656bc3b39468" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e4b41164-2fac-418e-ab9b-bc26baed1d11.xml" RLTitle="Checklists for NPS">
		<Attr Name="assetid" Value="e4b41164-2fac-418e-ab9b-bc26baed1d11" />
		<Keyword Index="AssetId" Term="e4b41164-2fac-418e-ab9b-bc26baed1d11" />
		<Keyword Index="AssetId" Term="e4b41164-2fac-418e-ab9b-bc26baed1d111033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e4b41164-2fac-418e-ab9b-bc26baed1d11" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e7b2e1e2-9da4-4a68-a1db-6a0886f7e028.xml" RLTitle="Access Group Policy Extensions for 802.1X Wired and Wireless">
		<Attr Name="assetid" Value="e7b2e1e2-9da4-4a68-a1db-6a0886f7e028" />
		<Keyword Index="AssetId" Term="e7b2e1e2-9da4-4a68-a1db-6a0886f7e028" />
		<Keyword Index="AssetId" Term="e7b2e1e2-9da4-4a68-a1db-6a0886f7e0281033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e7b2e1e2-9da4-4a68-a1db-6a0886f7e028" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e853adba-c8b8-4d19-8626-89a09a76a8c0.xml" RLTitle="Access Permission">
		<Attr Name="assetid" Value="e853adba-c8b8-4d19-8626-89a09a76a8c0" />
		<Keyword Index="AssetId" Term="e853adba-c8b8-4d19-8626-89a09a76a8c0" />
		<Keyword Index="AssetId" Term="e853adba-c8b8-4d19-8626-89a09a76a8c01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e853adba-c8b8-4d19-8626-89a09a76a8c0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\6abe5f5f-c467-44c9-b3fd-55b8cb7e16a3.gif">
		<Keyword Index="AssetId" Term="6abe5f5f-c467-44c9-b3fd-55b8cb7e16a3" />
	</Vtopic>
	<Vtopic Url="assets\f1ef3288-9cae-4ba5-b55c-caa2f4f8967d.xml" RLTitle="Connection Request Processing">
		<Attr Name="assetid" Value="f1ef3288-9cae-4ba5-b55c-caa2f4f8967d" />
		<Keyword Index="AssetId" Term="f1ef3288-9cae-4ba5-b55c-caa2f4f8967d" />
		<Keyword Index="AssetId" Term="f1ef3288-9cae-4ba5-b55c-caa2f4f8967d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f1ef3288-9cae-4ba5-b55c-caa2f4f8967d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\168d7bbd-0b7a-4371-b0a2-25a737a3e4ef.gif">
		<Keyword Index="AssetId" Term="168d7bbd-0b7a-4371-b0a2-25a737a3e4ef" />
	</Vtopic>
	<Vtopic Url="assets\f3ebb128-d942-4251-b3fb-de6f78cd5f97.xml" RLTitle="RADIUS Server">
		<Attr Name="assetid" Value="f3ebb128-d942-4251-b3fb-de6f78cd5f97" />
		<Keyword Index="AssetId" Term="f3ebb128-d942-4251-b3fb-de6f78cd5f97" />
		<Keyword Index="AssetId" Term="f3ebb128-d942-4251-b3fb-de6f78cd5f971033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f3ebb128-d942-4251-b3fb-de6f78cd5f97" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f4522491-921b-4ca9-974c-a41b90883ca7.xml" RLTitle="Add a Network Policy">
		<Attr Name="assetid" Value="f4522491-921b-4ca9-974c-a41b90883ca7" />
		<Keyword Index="AssetId" Term="f4522491-921b-4ca9-974c-a41b90883ca7" />
		<Keyword Index="AssetId" Term="f4522491-921b-4ca9-974c-a41b90883ca71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f4522491-921b-4ca9-974c-a41b90883ca7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f45775a5-af6b-4b71-97fb-8fafd5277b30.xml" RLTitle="Open or Add and Open a Group Policy Object">
		<Attr Name="assetid" Value="f45775a5-af6b-4b71-97fb-8fafd5277b30" />
		<Keyword Index="AssetId" Term="f45775a5-af6b-4b71-97fb-8fafd5277b30" />
		<Keyword Index="AssetId" Term="f45775a5-af6b-4b71-97fb-8fafd5277b301033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f45775a5-af6b-4b71-97fb-8fafd5277b30" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f55c57a1-6c80-43a4-837c-260ea3e68027.xml" RLTitle="Policies in NPS">
		<Attr Name="assetid" Value="f55c57a1-6c80-43a4-837c-260ea3e68027" />
		<Keyword Index="AssetId" Term="f55c57a1-6c80-43a4-837c-260ea3e68027" />
		<Keyword Index="AssetId" Term="f55c57a1-6c80-43a4-837c-260ea3e680271033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f55c57a1-6c80-43a4-837c-260ea3e68027" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\fabff996-c60c-4dce-8a9d-39b705042901.xml" RLTitle="Configure Wireless Clients running Windows XP for PEAP-TLS Authentication">
		<Attr Name="assetid" Value="fabff996-c60c-4dce-8a9d-39b705042901" />
		<Keyword Index="AssetId" Term="fabff996-c60c-4dce-8a9d-39b705042901" />
		<Keyword Index="AssetId" Term="fabff996-c60c-4dce-8a9d-39b7050429011033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="fabff996-c60c-4dce-8a9d-39b705042901" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ff35a554-2006-442d-a8e6-bf05d33ff1a7.xml" RLTitle="Checklist: Configure NPS as a RADIUS Proxy">
		<Attr Name="assetid" Value="ff35a554-2006-442d-a8e6-bf05d33ff1a7" />
		<Keyword Index="AssetId" Term="ff35a554-2006-442d-a8e6-bf05d33ff1a7" />
		<Keyword Index="AssetId" Term="ff35a554-2006-442d-a8e6-bf05d33ff1a71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1729" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ff35a554-2006-442d-a8e6-bf05d33ff1a7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="radius_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=89b95cf6-1676-47cf-a580-66b4f5f5b45b" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=d80d8fd1-388f-49e1-8b32-855cf8fda137" Title="Network Policy Server">
			<HelpTOCNode Url="mshelp://windows/?id=78f2b506-66a2-45d8-a17e-c83203b7e9d6" Title="Network Policy Server Overview" />
			<HelpTOCNode Url="mshelp://windows/?id=cfdc3bc3-82ff-4b71-90e8-57c8029501e5" Title="NPS and Firewalls" />
			<HelpTOCNode Url="mshelp://windows/?id=62aa0ab9-ce1c-4afc-831c-69325ec9fe1d" Title="NPS Templates" />
			<HelpTOCNode Url="mshelp://windows/?id=f55c57a1-6c80-43a4-837c-260ea3e68027" Title="Policies in NPS" />
			<HelpTOCNode Url="mshelp://windows/?id=d994b6fb-7936-4b4c-b8ad-d4b75801c70d" Title="Register the NPS Server in Active Directory Domain Services" />
			<HelpTOCNode Url="mshelp://windows/?id=a1ac8d7e-3479-46b4-932b-ab43362e021b" Title="Certificate Requirements for PEAP and EAP">
				<HelpTOCNode Url="mshelp://windows/?id=13a5e651-d090-407f-a995-3e8509cf9a8e" Title="EAP Overview" />
				<HelpTOCNode Url="mshelp://windows/?id=5e653bce-7b3b-48c8-b784-020e133c6bcc" Title="PEAP Overview" />
				<HelpTOCNode Url="mshelp://windows/?id=6a4a5454-26bd-495f-a57c-a62493c91ac9" Title="Deploying Certificates for PEAP and EAP">
					<HelpTOCNode Url="mshelp://windows/?id=9d3f798f-0854-4602-adce-0b888e8c00ef" Title="Deploy Client Computer Certificates" />
					<HelpTOCNode Url="mshelp://windows/?id=25b886ed-75e9-4f49-8ca0-c90991dfc20e" Title="Deploy User Certificates" />
					<HelpTOCNode Url="mshelp://windows/?id=58ec6857-153e-417f-b63c-40fd6addd216" Title="Deploy a CA and NPS Server Certificate">
						<HelpTOCNode Url="mshelp://windows/?id=7a2cb3e1-d6de-44d8-8f8e-7309acb68383" Title="NPS Server Certificate: CA Installation" />
						<HelpTOCNode Url="mshelp://windows/?id=4e4f927d-3273-40b5-a33b-f550be1587e2" Title="NPS Server Certificate: Configure the Template and Autoenrollment" />
					</HelpTOCNode>
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=e4b41164-2fac-418e-ab9b-bc26baed1d11" Title="Checklists for NPS">
				<HelpTOCNode Url="mshelp://windows/?id=b607dabd-8eca-41ab-9953-ea2941a90154" Title="Checklist: Configure NPS for 802.1X Authenticating Switch Access" />
				<HelpTOCNode Url="mshelp://windows/?id=4cd859ba-2651-42a3-83fe-95197ce38a5c" Title="Checklist: Configure NPS for Dial-Up and VPN Access" />
				<HelpTOCNode Url="mshelp://windows/?id=ff35a554-2006-442d-a8e6-bf05d33ff1a7" Title="Checklist: Configure NPS as a RADIUS Proxy" />
				<HelpTOCNode Url="mshelp://windows/?id=74b6dbef-a26e-48ef-a26d-fb33e4e7730c" Title="Checklist: Configure NPS for Secure Wireless Access" />
				<HelpTOCNode Url="mshelp://windows/?id=08ce0e6b-93f2-43b5-b1cf-8e2454cd5272" Title="Checklist: Configure Network Access Protection (NAP)" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=9383c523-af71-4513-a942-e4458692f457" Title="Configure NPS UDP Port Information">
				<HelpTOCNode Url="mshelp://windows/?id=7a04cacb-8df7-4187-94ce-0410170cde1f" Title="Configure NPS on a Multihomed Computer" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=a1210cf7-7995-428a-8f25-246f1b5d11da" Title="Client Computer Configuration">
				<HelpTOCNode Url="mshelp://windows/?id=d68f5ec1-76bc-49d4-ba6d-477ee4eb8e27" Title="802.1X Client Configuration with Group Policy">
					<HelpTOCNode Url="mshelp://windows/?id=e7b2e1e2-9da4-4a68-a1db-6a0886f7e028" Title="Access Group Policy Extensions for 802.1X Wired and Wireless">
						<HelpTOCNode Url="mshelp://windows/?id=f45775a5-af6b-4b71-97fb-8fafd5277b30" Title="Open or Add and Open a Group Policy Object" />
						<HelpTOCNode Url="mshelp://windows/?id=7f441bba-13e0-4676-bf8a-bb410c50d91e" Title="Activate Default Wired or Wireless Network Policies" />
						<HelpTOCNode Url="mshelp://windows/?id=77f4d1e3-4766-430e-9f78-82364b35d225" Title="Open Wired or Wireless Network Policies for Editing" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=92ed06a5-f36b-4256-ab81-229fa7af9fc6" Title="Configure 802.1X Wired Access Clients by using Group Policy Management">
						<HelpTOCNode Url="mshelp://windows/?id=287a5491-9f3e-4e7e-97de-02ace47d018e" Title="Configure 802.1X Wired Access Clients for PEAP-MS-CHAP v2 Authentication" />
						<HelpTOCNode Url="mshelp://windows/?id=de982522-df50-465d-b221-656bc3b39468" Title="Configure 802.1X Wired Access Clients for PEAP-TLS Authentication" />
						<HelpTOCNode Url="mshelp://windows/?id=c3c405fc-099d-497d-857d-be93314c4db6" Title="Configure 802.1X Wired Access Clients for EAP-TLS Authentication" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=5220ca1e-409e-4841-b43e-837b4edd2cb6" Title="Configure 802.1X Wireless Access Clients by using Group Policy Management">
						<HelpTOCNode Url="mshelp://windows/?id=50b75202-0103-4285-80ac-c1234c3b5e9c" Title="Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista">
							<HelpTOCNode Url="mshelp://windows/?id=58cb0d00-d084-47c0-9fe7-b8f4b0166a4c" Title="Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication" />
							<HelpTOCNode Url="mshelp://windows/?id=a66e6bd0-d710-4668-a9f0-f44222ea10fd" Title="Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication" />
							<HelpTOCNode Url="mshelp://windows/?id=d82f6c3d-52d2-489a-b21e-cba7dd6850f5" Title="Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication" />
							<HelpTOCNode Url="mshelp://windows/?id=88497044-c5b1-46a8-acc8-3be04052b6cf" Title="Configure Network Permissions and Connection Preferences" />
						</HelpTOCNode>
						<HelpTOCNode Url="mshelp://windows/?id=72747f28-80c0-45bf-8fcb-50938808b5b6" Title="Configure 802.1X Wireless Access Clients running Windows XP">
							<HelpTOCNode Url="mshelp://windows/?id=7a3cc667-cc49-4bd2-b117-62f573751748" Title="Configure Wireless Clients running Windows XP for PEAP-MS-CHAP v2 Authentication" />
							<HelpTOCNode Url="mshelp://windows/?id=fabff996-c60c-4dce-8a9d-39b705042901" Title="Configure Wireless Clients running Windows XP for PEAP-TLS Authentication" />
							<HelpTOCNode Url="mshelp://windows/?id=09e250cb-7d83-4f2e-bf98-1c6a54654f77" Title="Configure Wireless Clients running Windows XP for EAP-TLS Authentication" />
						</HelpTOCNode>
					</HelpTOCNode>
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=6aadc218-2112-4781-8b20-05d591066840" Title="Network Access Protection in NPS">
				<HelpTOCNode Url="mshelp://windows/?id=9561f22e-2bab-453c-a4de-36e4466850df" Title="Health Policies" />
				<HelpTOCNode Url="mshelp://windows/?id=141ae7ad-a32d-4d29-9bbd-0e50cfc9164d" Title="Remediation Server Groups" />
				<HelpTOCNode Url="mshelp://windows/?id=36720df9-0b4a-4725-bdd7-c7e12d5c535b" Title="System Health Validators" />
				<HelpTOCNode Url="mshelp://windows/?id=396c8b17-fdc0-43dc-8419-31311f8ac665" Title="System Health Validator Settings" />
				<HelpTOCNode Url="mshelp://windows/?id=499cfc22-34ea-4f71-9c44-d7ffbb838e00" Title="System Health Validator Error Codes" />
				<HelpTOCNode Url="mshelp://windows/?id=9d851c01-7896-4074-b3dd-2e7ee422a477" Title="Windows Security Health Validator" />
				<HelpTOCNode Url="mshelp://windows/?id=1abd93f7-d617-4377-9cc7-c6bb35b0243b" Title="NAP Enforcement Methods">
					<HelpTOCNode Url="mshelp://windows/?id=21bb6dd6-f462-4715-89cd-e94636557945" Title="NAP Enforcement for 802.1X" />
					<HelpTOCNode Url="mshelp://windows/?id=d1c27e22-914b-4191-ba02-371f5fba137d" Title="NAP Enforcement for DHCP" />
					<HelpTOCNode Url="mshelp://windows/?id=94efe111-f74e-442a-b7f2-b545bed1107d" Title="NAP Enforcement for IPsec Communications" />
					<HelpTOCNode Url="mshelp://windows/?id=36aa0cab-5ffe-4c18-95e4-b345ec0a67c6" Title="NAP Enforcement for Remote Desktop Gateway" />
					<HelpTOCNode Url="mshelp://windows/?id=41f058fe-70c8-4269-bd08-efd98acf5fe3" Title="NAP Enforcement for VPN" />
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=88ec0246-a5e1-425d-9dda-9bfc61249726" Title="RADIUS">
				<HelpTOCNode Url="mshelp://windows/?id=2a1b783d-cd88-445f-9397-3ed385a9f733" Title="RADIUS Accounting">
					<HelpTOCNode Url="mshelp://windows/?id=50d16bcb-06c3-4073-bca9-621701c55cf1" Title="Configure Log File Properties" />
					<HelpTOCNode Url="mshelp://windows/?id=5d57d701-429e-4389-8d03-6ff0b13ac488" Title="Configure SQL Server Logging in NPS" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=ceee0372-2286-4205-9c43-f3f242c07b60" Title="RADIUS Clients and Servers">
					<HelpTOCNode Url="mshelp://windows/?id=5ba4dfa8-674d-43fe-9196-93fc599ee94d" Title="RADIUS Clients">
						<HelpTOCNode Url="mshelp://windows/?id=d90e87a7-0a9b-4d61-9355-14887f112754" Title="Add a New RADIUS Client" />
					</HelpTOCNode>
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=94c797c3-1efa-4a62-946b-a6923e0ee036" Title="RADIUS Proxy">
					<HelpTOCNode Url="mshelp://windows/?id=f1ef3288-9cae-4ba5-b55c-caa2f4f8967d" Title="Connection Request Processing">
						<HelpTOCNode Url="mshelp://windows/?id=418638e1-e88e-4b59-853d-ae16fc589bd9" Title="Connection Request Policies">
							<HelpTOCNode Url="mshelp://windows/?id=972043b0-0233-4ea1-8ddb-e1de1cbb9c57" Title="Add a Connection Request Policy" />
						</HelpTOCNode>
						<HelpTOCNode Url="mshelp://windows/?id=689390e0-760d-42e8-a894-78749558a626" Title="Remote RADIUS Server Groups">
							<HelpTOCNode Url="mshelp://windows/?id=592105a8-de1a-454d-94c7-fa770cafdf76" Title="Add a Remote RADIUS Server Group" />
						</HelpTOCNode>
					</HelpTOCNode>
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=f3ebb128-d942-4251-b3fb-de6f78cd5f97" Title="RADIUS Server">
					<HelpTOCNode Url="mshelp://windows/?id=addbacc4-32a5-4dca-b12e-771bcba85733" Title="RADIUS Server for 802.1X Wireless or Wired Connections" />
					<HelpTOCNode Url="mshelp://windows/?id=912212d0-b52c-4f64-ace4-41fc01cfc5aa" Title="RADIUS Server for Dial-Up or VPN Connections" />
					<HelpTOCNode Url="mshelp://windows/?id=5d00958c-4ffa-4b58-b84e-bcecfd40d61c" Title="Network Policies">
						<HelpTOCNode Url="mshelp://windows/?id=e853adba-c8b8-4d19-8626-89a09a76a8c0" Title="Access Permission" />
						<HelpTOCNode Url="mshelp://windows/?id=c29cb16a-4263-47d9-8bbe-0d5db799ca7c" Title="Create a Group for a Network Policy" />
						<HelpTOCNode Url="mshelp://windows/?id=c23d0c91-d9d4-47d4-9542-e373040764fc" Title="Configure Network Policies">
							<HelpTOCNode Url="mshelp://windows/?id=f4522491-921b-4ca9-974c-a41b90883ca7" Title="Add a Network Policy" />
							<HelpTOCNode Url="mshelp://windows/?id=89328686-ac05-4f04-a2cb-51c30c4d6796" Title="Configure a Network Policy to Grant or Deny Access" />
							<HelpTOCNode Url="mshelp://windows/?id=cfa37f4c-8133-4df8-9db8-657a0784ffd5" Title="Create Policies for Dial-Up or VPN with a Wizard" />
							<HelpTOCNode Url="mshelp://windows/?id=541cef62-a77e-483c-a847-27aacc68625d" Title="Create Policies for 802.1X Wired or Wireless with a Wizard" />
						</HelpTOCNode>
					</HelpTOCNode>
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=ca7d5422-1a5c-4472-b5e3-f6996f7a4084" Title="Host Credential Authorization Protocol" />
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> gO`!7VO{a}$ *ҌnTJKvJ*R#I%F]7t}1#(nw>}{r:CD#0\Tb"Ԣei-[(ILlB2< @N)Hya!!ɟ&< #<J_ߛ7{~nmU}'wkkS;z\~{{nݡB譻V
W4ݽ&2}b[әDyvzBn45ÖVUfbznvazfՊms?!%]e[ktq<;9t{qz-t«[dEϴ%_&ׯOq]^R}<qWvMl:59[UK_\xzAfCK[9YL}5sqY43ײaC/k^uϯ@{Y鹡Le-
=l7N+sr;Cγ,5R?5kb3~K77;sarl;;|^ֆۚv8];;꫏}vr]!/{?W!ҹwZg^?5#(f.ΡiЛKkyʐ|b
YsrO-5(Ko?敭rnE}龓z*`6_ώ,_([~rG<~W~[/˹^6_[sYl
]9v8Yqo]L5q[enkq铭ӹq.iak9wTku˥ꅮ;#F=9n}{]nm鉶騍zQ5OOƹkmtIqjk+vkcs>tߞWwa/ێ~}?n#|y]Kx~6q_w!w}j~w={K{b.'5^pX1w55އ.ژ2O	alY3=޷bw?.ûŗ={>}Ė_LOcS/
neW1^cW-3^x	r羜ˋ?wv+vv_2a\Wc)/
{^zn{~nљlTVzދzw!xc-z#g_챞:?6U{1zGw;~O^N1YNyW=*/?arֿKmYѳm363|1=_;-wmfA3=;tf_f0g8\h3ΝY3gv̙|3mllw͙s~9;e۾9#wV1_;yn;̟n:9g!s{gO_yC3g}gh/.w\1Ev-ڰE>sV芮1]]q][+nbNn+mŮx陮銮顮ީ㎩cz=/hŝ.{VU_ܣ4G7v|x=K|W_!麍u|ui}ui3zk>K|4o]G|i#|Yv4L;䫇Gqgo>;?d9+qcr̡?dEyCx1=d6v;C19cǩdU?ȏ=Ȕ~;fC2حrǮr)~\!.{C,qyg?erF{=!8rwj[lfQfw~IKi:ڷrw=tjxA}?nC>h;jw?;~7 _C4p<xC(<Typsy
	-S?pl1lsz=9gUN'9<hOwo^>J}{#~5?u۔6N})e:M>S_|JMQWNS:uJ[OO龎)}>BSJ_|Y+N)}w}))ҷnS>^SJ_uO龘3)}_|J_O龜;)}}?)C)}WS>So;ӧJ_=}_vJ;ON})wY)}߸}JmקJ_}}eN)}7SE;iܔU;kҗS;uo}i)o>S_wJ;N)}o;wSJ_wN})o;7N})<Wm)}<%/<5W.SJ_xO})<WNS_yJ[-O)}<řWnvSWRҔSM_s*+

++

++

++

++

++

++

++

++

++

++

++

++

++

+p)=GC0TZZ0`
kp```0\[[00CV!p`|[00[\0B#.dÉ!q`h\0b(Ìá`(ν.7C{0^C!`0^!`\0G.$fÒ`0<\.S*apr``x.[.s`0_2Ù!`0\.oC!8`0\/ah`w.<Cs`0\[]0.Bá!t`h<[0?l @@  @@  @@  @@  @@  @@  @@  @@  @@ s?{۳,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,wE(!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"oջOj?}_yO}o:G5MO[NS_S?pL}W%	?Sge;\\7K=NISVSp~yoaB}濯vcccj=h
ZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZhhZZho.	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A K0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	nc	\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\{(mOdw>BUPATATPPATATPPATATPPATCATPPATW
**

**

*oyATP<6TATPPATATPA݁cكu/j

**
*P*ePcTATPPATATPPATATPPATATPC;vPہCoh>;0wCw;wՙ0Á+xg=
x`37l]<,x`Ñ$L<Pyg:TAvAB1yC**[|((((((((((((((((((((((((((((((((((*+y&LPO|ˢ(*+1EEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQeEUg2ggggggggggggggggggggggggzE١-"(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((?L	j~&
lTATPP5ص3C=;-"(((((((((((((((((((((((׳@EQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQ$IEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEVu~QEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQUQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQYy]EQQ$EC=ms_yZͮo˞dO2WiGﷂ??	^;>'{=rS'RٿX:R~^7緟ﯲzz^{6`zVrxrۯ͇o{krw?B0~m3>X;EͻSp)	D4='u۪,+5IZ==JNV7i+ft5w}$tn}3D4WDef7UO{5矵/\|\2{&jn$S
 \@10-J(C"$ZFh	)T(*$T6Ҹr$pV\uW#0qЗLajDCfkB` X
x߰W_X7/3(ա?Y?xIa&Hu6Xк<bomЁ_/պ!EW|l'-7%NB;}.Vp,CÛ_&Ͽ=5G]8a A7DNcy|6XCchN6~^u}(&gKhfuM{LV/Q2>ne6LjWz={V}E#+ljXc<;UCKmaޓ<{%F$&G`/{Ƈm/$z;<m\Kw^ "m5_e6gVjǟd+h`4,ű*|иOx[)sa'Դf)TS^u}ma1S*B1h}<v%R4YMl(4jI-mNo/>q2`+|ϰdH8X\LE4
IldK)1-wJ!/j2M<Fj9)햙+>34?FMkXtL()GW=
c~613r`5o6dqQx_kTG#6SkMb3\wXq)AXXE;~-Q\EODJIU>f
XY7S|2NU|!Bru>uC+%
~B̈́6Ս(CSךD(5v9mA`bqNOf?d5r
ڽ}_A6^7?͗FJǿmv	&:70ؑaA($~qXwr"#iGMόQz4>:X1bu2j97W˩[pAdNUҤGqeWӌ]֊+@
MJz|aˆl}ƿ=6ҤmrP:}(-EnЗVM1ᓇhq<XVhXÌL7/ܯb}RL>Uds }
X>+	WG()ϕUOB~|[kzr;_×V6)?vI.t'67M)WzSNuq8:u\켒8FpkA	ؑƦK$*:ԀӳN!{1o\f4tj"l9޺FnˆV髕qb"T6+17(A&:OJC_dbM O8p7g]Efc"p_uCgz&I(J_.%6a2ڷQPbp슴?~+V@/AhGG]R
%c{ՙ-.ځ?`@?[V0R@<JEp!Z|r?0Í=74llϲ+zX5Z !n&F+SLE-[<teJΥG㗏g!*aYMSW_\o_ُ˽p[![M{JэP$5u[32)Mw?r=q$Jx'
8!f-\֘VD@a{vC+ؔF"6U̼Pf	ֈ<-ŝ@IC_".Z)я#kʡnx6-sRulXx탒mnФbLZmN؁I30T'Gy$8*mdftȏ:ܒI|+WCRx^1o֧7CE@G2؏SƵ|[yKlrBLڪRfop=]tIA[HaCfqRq=uFCRXt.e32x9M`c5/[FՄ#+s:ʕ~MbK|K al?=jSw^TqݬJ70ocs!k
s_;mı369Ghv;
e)aymrcht:IL֎":xz3xs"/dBی$l2ڌN:!虄FX)vS^g:Wj1lx5:/z@gº/HTD4y1\A;ۥHhA?]0l¡|!XlƦPᆆF	C_HgzʸsJ-JʄoWzIu6Ya=q"ʡ(VlĆ5|zrFX&]o0`]LYVpT;H`0SJ3,/1_^!Eo\׼.?&	S>?4>9N]Ԏ bMnxMC<}s56/v-[X&6B8paՈ5rʓA
i-;!rN(r$Vrfs Av
mz\^(762}==%t‰=9l]EV+:WֺQf#K\wqޝ)JhIy1]‘ƧN,jR:iS{$kp	šX[cOs%-Me7φ{i"#3oi0xr5[[Uo"a+ʤ)DQIKWRpGfU*Q>?wڙIeC8n
.;]Jl:]_r>whkq-f$Ebpuc5m\ҵZyV*32}lgzt/s
zBæ"unj,.ɕu
HE^EQzi{dXn0;vZ08o0>zݐ8JUglZQ*qS`	1ShS`9{8nr]6l=JLAP"TD[2~*%1qHC
=[L
]o6Eo{(Uw
.fxZhjoMYi[U-uòUP\J5"s{e_ G}p^!JݒiA160@DFXƄ!,lZB7Kj`Vu@|)'TIQT˳I(R)TI"HW`#+B0M\鱇\ved215?2yev`ALL-zAprk6=z|-ڨ~lX1Q'3KnSko|aXl#)|
iܡq>NO2ϥ{k=S$4x ]ut]3/zFTZC53Wh){€_R>OR{͍]Re=a";%# iP)fUqQcwt_(Qiw=$pSXږWSuKdm5p%kۄ%5>Yt?ʂ5LT'F$H>&ZhNC39ñ^͜abWLTjAVJ)@L^P74|
԰Q0.tW$#Vc@G+XWQѷۓCNM
6/YT|Zp&3U~e[,m$SY>;N3ۻi@l~XH=H9{9]prDPY<)[e		׌iH\LpxZz`r=N]xc1s6 vMkV6;5zo^\/;]_oDY^E]sQk~lVie15A?^ÇZ8~/.Q/dD&/;_ulʒvg(1(E_llw.Iݮ1{fp/.OR
ӹRD?J
^7	HqMj"E`W/Ӽ
FUz:eVS׈FbDP-(C6Ӧԉ,J=gx_|
E"I#4}Ž퍸鉍G3h1NΓ`
ѕEU,Iʮ;梌Kv H-ѝ8WO
@dMU l ">v`AFh\Xi*zvmn6L=oO#|iݢm:CNhVY[ۏnZnR5

14
?AB73׶n4qfS94^/@bN'Uiؓ3Ԍ	@?"EĆx4Kܲ^,%Ah<	1rOQB3)•¤ʔFܱ>z'w}2+%fMWBiObdJ(efK;Kƌ(X8(Ciin,w~s	ꍗf+UMߵ_\6(,I#~g,ٟ1. 3s:aj{=~{Ck
B2a!gi3T]Th_=wo;&Vy6k[ˑ5ѾcŊj\1HMqP/[uoy*J؄SHpw%A4?gJrNuzb[^yZ~|ǿe,9|kiLG6c_;%W}DR'M= C˻zvѺ<'Iˇxi}ozLfk.R), NXJUiM\2NǼ/
J-wDbfA}?pv4HQ:?' jǟŮ{d<!u_QBN.Wլ";U=\Qhjɣ*Qe^
_d"5}{'oDRm9xeԑ$P?䢳;n^Hn5x6P^m.hT2+!n@xb(<]73511yD
77v2`5\wjI@872/QJpﰗ%ѠuJ0v4UTv
BaaK9۴ī;5Y*DU3Q
>/lϠ0A=lw@Y8ED:sy!\
l%Zzf	
;ܩJ<.u0/{_iplQ݌qKs2ȣSF,;1
ONך rjX\aa߰_1(۽@qo'CGpe8J<fll7XTCE!UȀf	z{ٕf-qUbm1Ncz)EH'J^jx'wi|~:-+TBM.!.C+
nf6Qo:AAJ@&u Ů}E
vL-
^]-^7weTLAyC4-"qE@C GaځhAh2h]A`ɍÍ+
exay?hơ!~=W<3TA?wqd:&3_FM^O;miNvmi;NvڶӴ;miNvmi;N Qz8`mqPU->7k@ΐj8:}vba*ѩXyhUflcqe=$DUނ5dXQ5?ZZ`,PF.R9xtI!êR??,l՝#y\?%pŭ,/y+{+FȔNfDl8 C<
jc&hh@\唿{$mgD';讜XvLR:W
ڭ:F)ss@#N2Q|s^g۽JQ!`Y6B{'X_F'Mq<VnC:-檡GtXy8mi^2HayO~`Lm|AP؟w̐iSX[[قuAeuq!"a|d!_ђ		JQtN9v$Z$O(moa;G %Z]of3+k~oTvT=ͯDU&\hJ%U,n,ht-hC*\J" FC,5uo(YBpmWČm;fc9
-?+qO\ktLشq%h{'I(7t)L]&5wRV'r#\d|w7*t3K!R;jc?;v.kG޸\6+	gFv-줓I,[dY6`eE<(qcѵ;AO~%o򐒡;Md&GnzszdwP*s8ׇL::EFZG)mDtVwJ3Ŧ|w
a?@בƺW!n9^U|_^ow,x8kKU\&Zk \j 9שc/}AK|Gy
Y+62QTfpQ^CN^DNH5W345GȉBsڅ4TcbˆHn1)-8=~B
4L#Yl;pʱ/&fd.-}:^<±oM89%TU>ЈG[AhCݱkr9Wܢ);HZŶ)5EE\5{p~}&w.ռA4訚Mb89!cn/*.S
P9 U71wƜWZ#Wmgկ?A0]sHI)m0N`-@z]'[hp1	室9jj~p}liz%|
CL
}?w6}Em:aʗč5m34$k9.gT>+ܐU
9"4b"5._lK,p@ZӒQ0_BHKS=kyhȠ	PMs1F/0.s#A{M"\a*onzy	EC=j/b#sf$ܫe_(Pƻ T׋Wزr"507*\gi)&,lx܎?xc=;LlN76/8Q:!}2X5f{ȳ2$1fDDĻ#ì]YԎd_rgw+	-AvJ'q:DPYJJt`V7̂&jUqFFWQlBe,!d<r.…Cc. E=j/ÙH!dx3ߓ*2yw{4mhIWGM;s-IfP1bh-͐^g4OR@f}"^rY4ŃktP49qP	F3
옎8K((w	ӊz^(Qe%zh!\brc|{ R0B}pa=EWV+a0vbU3Xl"E`1
n۸GⶰxeH,bJݖ#<!هdj7-_rϫ\`^J!v6]lf^[Bo`u
7{+})qEwljpK6H0121ys¤GF'8&?Vm&N+or;ZumgfDYF͹l7]ؑHAATF׹KÉJ4qКTE-P/ߩ3&d
˴k[k*k(ehuB'UpC'ff%`pl	 k9˽HoXK}N/s6iQ'VD>:ȫt㇗䙿~,P?b8AJ:C0C.=VRo^P8$Tȫ3TC`cj6v5;CF+11pPDU%YBFQࡾѲGn*5/fo;gs{ѡH~/Ē!fsUٹj6-8H)HkWH y	NZy`1菷'ٟ ۗ75!6	e&k =/d}|j>K-ɼhٰg||e֣e-z!ژ2ϱWM*_$(ˍ{DOmmzCVm\MEn@47&vsH>rSGXmۂdP!؁|S_k)b]g8;8=`ScuB#p]iX3}1^!.1ۜmJB25W嘴`Ԟ¾
vJd!SewrVq7m-_Tah[)|XWWHVoLdZ12
;H?dxh$^~idD?.{5'{d#Ad$&Kj
ZGe7Fq*u@+:>=Go؄d%	˕Tʜ*/x0B最E1<uLV#چBC߸Gh	tO/܈*J(uxHO4L:t;:e]Sjv
c/jGH v	tj\A*6W4Ć>!V\(~_HST zv+bGKɉ%97{=(^ qhSYv$=ګy|fO?Ŷ"귘6v.ÆpK`ҠK240rqxFqoI򀽶W	קMSImU甝'[!Zس-\C\d$F*i?4H{ΰMEWO6um[,
2/ÆF8U0)2>(Nu=~G!>I?H8MSPy֋To)Ҫ`HCy`?ZR5VbM9eDc[?*w<ahFd3t;q(RCk(\aGA(S[,xOu'5VH%0yE<0pqnB7mmJ}h򡃌os.mpޡEich-d>.Z!acDNV:2Aܣ>in,{6}<=6]scsݨa>BOQ^Rf.T)PS`KigگJ㴼1ڬ߇:ZkEv~,'xX[QUYpV[[_/}/4`}2guخ]Uq_?r|2T;k_-rH?Bh7	x%qt1/$vPxalJ? =M**3!xE!F`]lonmuϑ5*޼W+t"`¸0X5guݯJڍ廼7.t1ʅyN;dSQXdrÞ8kv$/
HY`F]|b(!כP	sc=8m[uGa=R6kbC6Z5Z6@/O=rVXD+j>D"	e_
ԿGɸh^&vl?D}IJ0_bZvM5ϺVH]suA-m^|'Wp_vqtW=Ne+f4-c8+7hk~wnꂀmD/%5R
n&udqM{گ;mlOG
ݐ{ÖՁ2y;[P{VƝi/]ٔYuL-jkE
Ta]qKzbaeBE@E
ۡn
_nH?DbvYr\b-V@6!yL܀}ov`lIo$5*k!l뚢LF`'hZuG@15X`x}OfT2hXzOK7EMc'kZb'Ng>KK}%23=}}Vx|ϊ-B'i~Ecw0drքXv{&OMȝM&JA)’Flt+oT4Fm
DIɩj.'HWyj䠍mۅ
1R.	窧>s
%q4ߕ,ӌI~ь&+Vz
屑de~B;({ݑ0pkOF( D.V'Lh"H9Wjs&Z-BG.x^H|὆%QU&wϚ\ѻ]O9|>?ŭYe^2Ja5=0𧻓|Hx>j!Bc/st!i׶TTSԪli`O(Z.ntFUC8Sy|xف#4  ]g0W3t)vAA)&_)3&sl}Dȣ<	M-
k׽Z[QjSLVvE	<˓iWw4c(ihӿҧS0o1'2f|Lx&O^Ih,HP$D-vr@9)tYpdp` NC.cۢO8=F5/%>Z>%0VV]q?VM`hevoLyn+\@tL~hZLC
q7Oi:#)9#k3Gn`FpMΈ
v%3ߐ8wg
cv(`JY@Oj", !.E=1҅p+Z{!r킖kCojTRI;!b5
Le	lDmq]MG+5;ï
(hE_Ipx3]\=z"+G.}|/^EI*!J4K|T-s7\DR
)oqw\!O4|К:2tUyTnG~A4RKy/|㻺/X?Ǒ;<`&ؘ3`}m~">FȻO5y$B|qpȞ5NhuK¿;ݎ064URypdOSô86&їd*լҋlP6p+ /M;cԋm>O쪛a"oJkD3/{]apCԿbD<<6^]ANн
C܋uMuINo}mA/O`\wi<jUDZxٙ|FԘ6a z,IСJJ-00rlFג5ӊdMqіF ͽTs$V O84>\0j/glDCmsR=I}yU!J8{WM焚|"z`勰]Mңק:I&yT˷m73b*
"lDy5F+\yddE6r8Knx2IL*|@qmB>2To/U/ a#9m!;Og-4$p	^!έzn:-g7˻=\lwݦi!5kaԏޕ7/Pzܸ.Cn?&!/m&N}D)>}6Z7qnARL#ϸo:5H=#1s&Vg'ʶَ/A#+Fר˻'3_I"xuNL\};c(@]0?:٢Eٟ/Kc֭Y 
uhs+_.
=3Eׯ(>4?4h<U
.6<g3D؎bjIyaя5/A?#7H@lUkߘZCMx O|UBr9_}u .UVGf=_&(qV6ژߢ{>q<.ER SN)hZЅ+j8\݊T4]yT,$iݭjYrJñg~
>1hN$7B6;Iy
P2iV\IiZG-RQ!Le"cfTLU@Z{cc^W lZXS"6X"xBmWᡱ\qEuتv;7}UC#?n_%Ж<1uhip$[ȱb1nܩƛNȟ{elGe!x3E;	n=ʕɻ㖋!lR/X
/$):**`ķ$obapk\Eo1C<T&8(SUv%P(:*ۻc&Icy2"ms&"&loIݵ,}RW|A74Řkmb
9d;qK"?]ߖXت-;U|TB!>oWmǫ/'ftwc! FrDvQ(;PQ iĴhVpRBM\0H!4d-w8e{#"4S*T{F=ybʶAmmJleH1o?rϺKX^jھI71dSEg/[d6_Q
b|fXr	˾?taJZh?D:Do7ZI4j>&xM7Jn]ZB
f!B1y@nC^-ⅲb4:C|M+=QGWZ-֐wڀ&rwj=rl8Ұ-]ͱߩ@Z|"z5DyPkʏPV
㳎A">>M@&ia/vSd_~b֟5R3upѫsV*E'vꆿ0Ajw?َ	SkCk=̈́~O$dI'9g^G?4%]7&8w#f_WQRIF0l0e@}Gp#Gz}ݯgO4qCgѻi|f1Y;s0'g07x$.7#+ߑ
~֪Pd2\xee,D($eve]dG!;60+ׄޢr/j~5S/[	IFuS%Ԛ5B~Bʖ
^Roy}zW	:bR
ђ^ȟ-?fn	ӱzrĿW_r'-~s 'N˂r(qp}	勀5-5oHm7mu^"?]A?xY|[Um4cô2GG4\
: 
q1
cmlVYFZh5^=ZRV|9!Zw>K-	l	넭+2Ȍ!/.sBGrױ}_E3e:Zn>e.(\ŢDj%(#$6ps=Lr/Bv@bQ<-D|+$:!idͭJHjAnI,r.FT`Ͻfat x$F%,.)B)pCyi
3{??췞^Iqѷ@R]U)[f<ͲqъRKˇ(I&Z;0*Rv3 =|:V"zAܳ&\R*u?e$⒢8cCeL]9cҥ#oVMx76.!1!ޠ'Wp`̓{3u$ZĽ߳&i\1{T7/ .v=CEGjdSAmD\UPR
"^ķltowrkֻXV9h<ҋbkxyfLh"fJ\+@/pjD<$O0\8>CiZ?Ɣ(mCpf\cU\)XHdc#et	Rq;!oerM׸	3ZqmN@9{]I4q2suW6҃+T³6n;~A!.EᬠG'anƏvU4ەKwZ2_8}Ӏf|I؁](xSD_,%B(-?	q戝>ge)Ցdv[_ՋӱS3:2!F#k%UeRv6P5vS;ֺ]꺟NM/=E [.b(WUOݓo6]eKfw:cs#
[Wu.Uy%˙
ZnN8^CV##qRCncoy/шHϗmEkYhDFoGMUBpaűD;W)b'6nXQq>#m5蜏&~ORS|7-z>y=HPzUk'y'~8F;׬aP6KjwI#">rf؊
pUMˋ^&t3g]-Z(	IF@{SpKhV6/("!ٕ
hÂV*1zRy|y:
XF]P֐<v2|7_ƋrtY)ȵ:%F:W^)HB‹l?|;mPG׭傅{iGg+rOվ3
l-brԹwnz}
H	,{9wCugy:F1=}yXPzOZZ
{(=dp&_bF.N_p+3c=	V>3Km9aRxHOd{@U̺ƅ^svuLNƐa.:ۿ¦Ӈ
dY]͕jW/\6,X|Oes_^A\V* .D4>;7yL?Z]:`ϏM.X1-#&O2|ۤp=4i{Τ%-D>W3axTOL;@S3lp+u#j#Pz:,g3uOݼLG$\ңٗ9ԭ*0ȊԕcW7-,0@0 !2dM(=	}]2V9x$ݦ
΢9JL^aW*zr^_PI3Hr8]LS-XBams̀
WQ]WGt~׿i*0/Q()Liˍg׵"X|)6p/nت^;P|3OZXؑKnzrgud/wF  3pwzz_7yXHT`h<2aN	1ܪ_ iÉwx
BZ㳯q	@Df^9P)%͚iz[2aa)c_
S\NOw&"%K%$ꑳH6D
xyvr$lnp.P En`U0"WKtAhbXG<5x[AYm_tO<4][?ԲT2K1b=uƅFfehIeVГ"f{^ɮN Xվ C5J_<cE^F8zXݠ-rnh`DNo7ɗDu̞dҹ/ɡO$y;n6~|_vԑMj2W6G:ʔd{6z+ʿvo"x2kRpIc[ƝkKF2'd%i"_ڮcf@(j0N6wGp!KY+a_a\#[MNOL*vFL $
1MrҪ%xhH
έJ僷G/"TwGf8'maw,q`ݼ-'*;
^LmtD
	/)EV'8kbhVo/c8l^9LXUF4[xN)%Rf5g+-e)[E>At*=!1~/y뭾9a*^831H0>tS+[뿚ܞu/|
2ia	63>	H?X~gkt16S&vJ:ABc]ťzua}XcG->[9ݶ
vwGCu>3{-	|boZ$lPQxFRDxdR?gF\/;e:S}x(z9Pk8ߒ{n:"/Td^D.Q8ׂIR-Wt0kc!tI
qVXh{;JwgR۔l~<:~=G/?XhLV![T}2E/>YUb
3E=`+Vމu{+Z70KN瀵?:>
+>ya0ԋߛeC(y l.!(9Q%šOۮJP:44;CPQZ7bD0g\g;0\ɾK;1#זpύ
XjM2ه(kv\!<*DN	G_HmK$-mMhj,(UR1q]6z[1oݵil@ۮ]Mpa^:2YUbC(L
dNJ_"ԾQɈ6W!Д/rb02!7I($GYXߦEɕez7b)wM/tKkOU'	b`aj
3=Zܪ5WNe#呅h,ES~Q0j<UGߴ֖9~Pq!U^?!ĻO_A!81GeK;1\ƿPhx;5_&=	\
qx`wM<Mrhمq7sk#0=
'-vWm
gkݹTB~ɩyPwޖ'Aws,ɺ,͗!ZuxBm	h)L6Iìn
޻2mytJօs|/~lOsʹmG/Hc5寨ˢvWGD6鶌mBR;	wb|]G~2Qxײxk^Dd#)+vb%"i]pV|cWq9؛vߺ?{p#[4ՙ˵
zB(ԩr1T?Hor|gyQK*^gmd[077=Aӑ3~C~%RQ:2G;"mTuiR\Ugʭ|T7X,Ȯ}Ov:`v.M?S}^G@;VZ^{r0IiIqM#&yr^Mˑ6`7	]h׳]nEj|QnuAe*Hg`7uCSh3?H{/,jENM@j垱N UbOp[d/=׉:'ԌA#VtsȈR_9Z!J劳Pg5)yD1m4=7N0-SkVR6NR2rsMIxwIDb.\L
%@4aAs݅{c]w[E2r?:O66+fZ(4e)cDOКԪិ_j;lG޹c}8<޾lN+rh[ЙT3Vwv:C"cv+z)C{ߵdnh \-^AR{s]g%^<$8AI$gxRsc]_\=<RtGˬmu7 MB>__@bÜɽປbT轟6ǤM^h:75m
|s֧1tMMQ,^~~'Gϱ"m1=\|I!3m@-s*iTvb}#@*3\J5a3؁skHj%Ϻ??kn6BZguتf攍1*du<89~%ϯu1%}+q{
1K(U[[Pgip~Ɍ2 }e 4MW{iies\c
CXK,TD~^OsӀAAAܩ
4bNlY"vLb}U):7i\Byk"%ͪPdi76Geh^=9Ͱ<\TmƊ]gze:\%矠<BW`Z薽M}m*tPspx<DV	"/HW1TԏiѮ,tdaȶHLNm9?nC¦bQ D	BJ Є^5Hg#YTV)e	=EMfz@pyzMYPA]ෞ\AOf\{pWn>kbH9@ɻe_=k_D,%n']Hp$	ax2E5D)@ACe- s|o>#xv>N!q3 \Y"&qyF0H9|1Li;OPr$ק-
eO6WN7jU}v
YaiRTlތl3KGFD$_=򩫽|6qGN%JETPRpv5zs8?UcQV&u/9nYG?Arnb"1t}7YA>:+4/@DKpdŴV&vg
StYpx"({,50[[ht7+u-HT2p5 :!ClBVȎEʣ_Au7_g6YwӋVlha?l/;3R#f@],FFjpXSB'R̻7N=;KȄk_^4XL/9րN"t#:,7,YOAd}0>wɍkO4QYz	r\HܺyOO0VdcrŠ6${Z[ψ9'4m[BIX5XgӠϒ6C<Ѱ["qM1#2M+\µ+Yol(۽7
$f+ۆeGpti?8(7F<}ng)(/M?1|X0	.0*ň=<Ӥ_Z.|~kzy
_+v)aŅ3NOrt9'[0Z.֔d%!a8k;<r=u	4r%HK s	j
#JzܝN)Yl(,Ǩ_vDTfw	tݍYt4ǨNkDOf:><	#"[nǾ-ڛ=OȕpGcv*Y%ħTx"ŗW%R|GyU;iXߝkTn*w0wii"T*i6V&ĺ
nD}@ReED,fqưt!0xrm1@^WvH,mC|

z-9xN@Ҡcbgj!7U=r<\5vyK;\U)WHѐL)<ĭ8#kЛ6p/¸R)RPD2
.<8Nf
ՑSQm4Qy{U%CNBRR]A_g21NNa:p>jN2sBȭ ZErq,+aLlRVNPn*;6,p]]
_ptXچE~pGpwupjd$2G';"	Sm5e,XcbD?F
쿟US>ͧy-S&GP+?yǫ@qad!h3\o:o8yԱ G(DZ.i\e.jS!._=cTVy@cGተy%&+5nE9tj{vQ3йuE65Iv~ʿ{j<0y_'SZ
K$TlW剏!"02OhdMŨc5fa#oiFdѴK^P
? &wR	Cwwоo"7?D?*B؄y	~	xl\Q(LM%$$IԈDZ+)Ӈᇊ?]!Ë	c
&ΈV?mXoJ$P}
K|Mu$|N݌PmqjY'yۆ"5,Z Ilo}}/z]塹NudyzN)4v+zH$SCLVRtC4u:Ad/t{)-矣.iz1Du,3<_k_qCi)/޼';HlSM\.ffb誴<p]&nTOħLBf7rW3VzG&e""q?ۦʦ	^.QʒmJ{'_$:ͩiLn;8REd_u(
7^:pl:4y6dirX}>[]xvK þkBlDץz]ݾxFٿȚ$dž[E#[l"f,$L	YI(&yb=;6Eiلg\!px>fE"o)g[K͙HPex\TXV5瘯Y1hZV^l%~42AVޱ:|M>-Qդ'VO{4٩Lfu
Wbݎ0! :{sT:uՀش`h9uQϜz+ǐ
m<OU)s/xaMf9ɚP9jWLؠǡU"){xԼNmE}J;j(pT'QG3402s%f=
RLrrQH18強$/uGG[ћ8$TrgM9q*MaRl*htpb3:%-eT6UG7+NYxt#MJӜ`;SbYP7誑$éR=J;̐roJqDez_1az.쬹u{<t]ɞܙ-YaэlM*,"3ew|.$׸MdEΓy9IUTQ7шNHMlP&ء!JOtl]pwXME?Wd麇iQYF1oxRK
,Q-qEsd9j?Gˠ~vN0W0IZW1yWwI1.[뱅|ϥ"T>㍍n{Sl^OԹq[EW1fhEJ({єAB!qzN\sEFL"cA#»eF?{slʧ#1ZW1]$k匋}5wo?^K7Lvon4h[=nvӎO{{}{H
4('gT&ߛnnXȶf8޽(Ƣ3arQA%ܱ[EkP:>wy7.mi[|!ƴbΥtmh0$%RykϏ*Ķɤ³=o(;^tkndQ:EQ:ANbEB\Tjfn#&Tb=B;S[B=
*#8p8v̊r#OFh{~P;@w".xMB;jd^𵍾K(He4C^[‘VVל?[^hkK
X?_~b8!1z	1?WGGywi5UI)|gTYt3uIjL)6
>?Z}_9|.Y+ʘbR4E&FSn<
[5?ku؜k=ϵ82k2>wʅ5Xy'~G,6P'RbTx
̼*nWo&E	&m%Qq|aHoG!{r|Ωޮ`TOV[n3d҈Fm[do;N\AH؝WLU`h]jT$ݲ0@2&dN0ƣĩ
sl}ezk--RQB<EAK+r]||1s҇)-`z&[Oz=|>\$[^IuhΟhOa*rpԤR5H@sl"Kx/b_d0G"Q~LS>&d.bHmEv<Z?13`a8JC=Zo0i[罉hH-*hP
9-FiDYzTeXK'f'_S9Ǽcr菵]%	+Tl^2k0(~SA~NeR3+|ZA.m ?6+9.Y}q"[31W,9|	yu:L),s6ˡ}W}fO%U䠐N;&QQ}|~ȅǶ$g[&K3^t¨5(1-tb՜K=J5't={@IgKa$#-^kӜQXg@̎c?Lh³8sE
>疜^:2zGp}fScJȤ:nAlYkd×K
KA/j꒛ل[%FIPX+g4l`Fju|EJE&J]q=塎8ne>
3PU`"[f
Cm[O
S'^^C<!1d/?YN#cImf>ﲨo2mP]yy|CJ|@|Ի7'	$͆$zbsC߬&ׂ[.vyxfb	lyإ/mY ׇEk]is?ԩiC=n۫uU
̩UuLW14&@?FfK]^o,+AcE9$_ 壿Fe<1Q$يNbD<v`v%D`flcIC|rKFK *z|Mҳ-e~pv*>#ī02lߏ';,WaFpJ.YA ؀ɄH)4|=JO30=Q"bԯFm/ĺ˝@/d"	m<EkŃZ{Lz_Jr1gX OC4,Rg+4oVwB5Vc
܅QFY&^/9JO~Z_撦vEEǗ{~sp/fףFy9+-gsv?dQE}4ۑ__b=.ldžX^te u-J]3Ϻz`@a<E[!gkVM/{Q9)
T%7Jna9'喖	ߗ󎑭jp"`sn3܂Pv^dPⓙ*PMbpb 
!ușۊYq;4ԑJ6/8h}|3%(?_`"9skZopg`a!jc~Шpt#;fv#KiaNRLnϕ'/1[
o:Cw{ (x<H]8Aoiy.z3!,5k
x.]E[	 gX1ȑ͊]+rb2yΥHy['Wꛩ.)ѩ"klMfl
½PEygR"?ϱt+dLyMq<
rIW#|pȌīGqYu=0_W$xgٕr!%j7)&x.޼aNU*EMisdA-vYCRb)xӑN\(똋qaڄLQF<>Su詡D|{|
_֟<##ૼ,gb+MaG="o(|i0L_Tt~{;YϫۑϾ`F'ou3vpyo<F!/$Orٮ߫}j櫟A6^{g
`糟!MAI;`DC/G/?⟍l6iٗAC-v&*k4<tzArb3iߤ[gk(/m׺R%q:|?
|ԢYH 4\)ueFi(4<?_Ԍ]ub=WV#F
,}bNBKQç<@wbHLʙN""14=,%kA#(q.EQNC+N(tpF0]iAiqzbq[3fD{L>x$ShK(Hl:IB5qU
j;«ȷ}R֐2ҺW?^`T@,z.óuݨ&jm*SQ%N4I- ckk9Wrߵ]uA5G䵜?u76(,$X7g:"Q$b=@ͩn۳sǡ-)OzK=*Wf㞏L\
DᄮeI1dTؐp:b2$SŠ͓쾕YRcj%	_<&Az~^66f:U	X"a_wu9@4uůkꆓF$
dE)q
q	E['xL{m7uJ~RJ+UUYpw
(6Usc"xEv
2@`۸ pV 6F>w~dȵT$0PFNL K$HG"!i rMTf)Pqq}K߅X9:J5^UbUj;mg\U,B`=[Ԣtbfu:-'*	<=6yAOn"rns(?6ľU妵ǚԩõ
t?Y'n@x
CR#/[H[呜tb3NU)<j%a(k-%i͉EKQ`pDre3ٰܼkԹ`$-TJRܴ3g#M:CܩaP<;տ踀O7wٛxGl~%+܎u@0|kl?u@}WY96H8ѓmߗ%eBv/{_v
y娠$!w?SLުqѪRU5XfƯO#!̨v_J9-?p,+Xebl*VXui| WUvqFJh%=6ͺ<5AXcaSģ,i&lBa
P*2"
c`E|fFh>(\Xx訝py1"zM}?}i^Í2=v:,`Y2~4I䅚Vm?X9zpd\C&MtѪ¬ɏDɻ]4TÄ-G.ݛIw;3V1YO^<NiΦ<;w95I3Hc79v^l(kRp欰+jUehx PsIqOͿ'gFk?px6ee&A>O3<a&GG7MPv=}NWqcЮB%^3	4/W<!2zD^Nt(x,:Y\hF/#-P7+mh옽D7Ҽ%\_=/$׎:ɅIu@V-Ȩ$ ǒMHkї|w-̠
9EUyKΡ8]")/G8]xBG؊H_p('<"[xz6}svSӾbi85,RY7=׉4zLvOkaNyf]z}/4W̪2;Zji!t֓@iòceI*,ƦjĈ܈^坑JR\#E0H$-	J	/>npp!=a]w<.eW$H͔cP%"qd(&U]\)n[T
)4,CaCg_p>/Fu{`or㴻(Dճe;ԜOf!mB*eL?'LSG1B+I\.Fmtu|
VHF
]yed2I24 gk5!@ţˉHa
skrԾ
>;q̞0lqDm&"ښVe5ځgkNcl{V1"Df<=܅|8c0JJ_]{qȮ/oP) w$\),S~y4ȊX	Hn9c-S4`cpɑMb2p

7wݤ(5
{჆d(uzm`OxB3
T`1g켒w3ノ
|ԡt"3Ηr8I{Aro~y|SmF-~_&8ah([kl>7tmUJ,v:yW>Τ`_e~^ nwE,Ⱥ Vdp9\B	|}#X粲]oDW%+6
8/ELп˽i`pvPY*7q!hRs;C=/797"8*_HU7Ow}kkDp7ؾ2MuC]BX{085JL+\ˎU7	W
kygR$t=IR{hZcP!\0L/K_&&E`bPY%7ChuPwsy[My%Xmr_ϵvŊ
~~4`'=f}?'6HO|G%|!Y^TQ
=
!#W_{K\܃cH'cAt!sQߌ'?P:6BS[J~:o*l/<XRdhSpMVs#nCD+ZJ]c(h&!+RU#-7o!OrHYIX .͗u@3	[ɇbZTXG.Sz媡1r	0J[fˑIT49^N6^2N<
y7\FWl
djEتcYfÓo!8$Ap^ntƴWO]qb[):z|پ(V_F
&;.f`Z)?$`GO-d6-)9MѩK^FO0c.xfym|cB?]nl5
L8Nyul/F5J&kF*EM\'XVd\A/\*aaUKNS=3
6!c&-#jJ)8˖LGe[Æ2\1l12g9|EQ9LwlSs6:w+Xo7׋v}
c)>1J/TbNK#Ji݉#]r@Mc% DdΖ74N=o2'
1Ia[*~Ylƚ!͔a)D~L#,Ǟldݛ~ToO
"ʋA2!JSqm#zCz j#ɮcuiMjŽc){K}rvKo'cLFq[g{"zA[YM W_M'59حnmY̵+͡QT3x|Wp$b^[4k%KHM0ovz6Rz,r_W[UvF>h.f,A>
p-b}'sfbT~\0+!i+zxEf+rib7JdQ11T?ph#o4T^}~X[~l(ߊwjHyv:!rL5@Ȑ4p0y#ktwCUĒH.C = M*#GD4D!C8h_06ӳCD/sc.~CW$KG#pۖ?jSEI@6~̐O	Γ]h/5X¦
D}D]l1ԿvPE#FzRF^bH@زjۂRr_YG3q5d2Peь
VZ\7_F,$ӊ0}#MϨNϿCugfJHIL$F֓^g3Q+NzIXylVw'J>FЛ>![j:RŅidħG/mRԷ=f:?a0Ex+"r:Zʬ8	:%ߌ⫥[oɨAUpWxCBD_9>9 
jY)HǁIZsLDUiŀiE@{+eiCB/Q3XWk<,vtHsOUŕVrwK#z4zVӆtE6ō}<	MUWR֊_ٙ{Q}Vexao]Y?5=P5.qzO_}tqijQEi<ռu~WS=O1P^SZISMS`œ'Q[?~ni\>ZQ\
#/\t<K͍
}QxNP:2:QxIzebR154hJ%Nz,5=dFY5F76->8,FsAm~ڨ@-xlh.VLn5=G97l+^ ͱ,;
pX+8}1;+[EC~"7ݤ6Ӈ5Y@~vCN(f!g{_Օ
k{Sي1ůaA:%#gQ'$kQ"#a۬6t]͋QPϛ\/+Y>JyI7sOں4ˉ^ΊgT	K-w>gͰkҞFݣG4_XkWbzϠ-:ՊZu6Z*h"f)SG/ԳI# ԱSnHU
XlaFN֩;n	AYԐNLzgtaf nrGtsΒ%7!sW
e '(lwvxn[֩YuAb,k(Cy+B
{Yڋ3nNKaͱw~DV/Хk
<3\'/΁VĜ/ۮ~<vL7nƿnC.4=n%lc`66I@Ý]鐌}CNIBLo8	<f*_j8rI3{N;h`OB.RkQ77сjWY#v{0;^шғ>oNS*ۗ}r͈y͊Ag;j4WI:|'	pӛРy՝i%̀V!jJT)=pEn5W?:fe^hB۰m?򵬵7-I'Mܮ	;GUtlrlKv؇zIXh!ꡁ*~DrV~`ߴXV:8D3J8/iC6eEΠ+Ţ3*DhJZhHr$NU˺IljqsX|0fHM<C
bJƈ}^tpF`ռC1f~7`^_"..ÖaP(E9uyBdrhK#ID@6=;bM[;44P3~k	oMG/дzMJ&శcz(}&샇p+mv9ͨ_a3Cw7MR!Ci y;Dr7Q:t	,:hQg>uV;|_k^_GyZ S8-,nl_99F2t%D}OVǃ*6^]w"#K$iP<fr	Nh2K[:@3rMg@nd
S
WsD++n{ ˅ȲG,I=LC͏eDVPg7f)}[fz'08+/'bKRpZJ}ъpd&Cq?8ǨÌ@o'U6Pԥ'BiVAbM:G+Knqɮ";!
aJtp3LhLZs(WDOT0@'6QOSm83گy`HS3n(ʄ	d(3ލ/_"?;*%])ER1RuݫΤp
6[V^z|_v.C۾5q0N%H"ǰkDfB0~5"zDflB=(FԞ I$abT[۰MXώ"D̯uGKXԕ>zyTOhAZ4uFemsc✏*:}teT_"1*Yq(Gk̢`nWqvuAThNntzpF}
^\RG=t$$dClj;+2OvcSRDt阰{qr6jr$74
|*%p"_pًa͔HбЃ`K#Digp\'	fsLx{<,!xh|\Aƚ/UQ{v~.{j<_$fDKF׋Nh7AU>LhNԼrZ^7
^$,Ac^ǦƼydyWNr|C%k6I["+H^:pv!Zy6H-"*Z;n<?Tf~A5lX9~-Ш0Ʊ79m^|a	G-\8Dם^B5ʡ=^LEqUi+^>Q%!z(<Tt%fL*[An:~cYHuj"<VgVky}K,B}nn	,pSdeݖr!3lfUO8\*6X\9-.PWM~#pU<\uA?ӡFYkџ;cH}Y5i:}89kEG} $v_hMr,HYR'Ϻm9jPꅘaebCo9mj|vaJ4p`^nLa{->?RKy`
lЮ95[F.]1RtN
h'X9Q}ͩ9J0;u)3Yo5:c@7%C-jɴmgȆyp׽4e<\n=+tesXf(pw^G"pLG&)<ɦ)T&ROmp}*t~=$/*I*e@Y*=u&n"ã+8kC <b4&ι71	]Cs~|g78Cf1Dw`_Ēʶ>+Tc!iR5<`3JܫCvhȯۑ51+-Q1,zjzq{(_{K"(Ѷr݌֢~3%(̓&nuh*O"X^N-*;JlB_ùIrL$6۳7XW:
JJ̹_aMQs|BD;æ7so^hT)D/?*8tҌUe1ʔQW+*-p,S}ZV)Xxe![<}u!ǑTj%mmOJ#/}\0(gQU%ZU잶ĿT8foK@s?h_}L-v.}]ʿ~M)[">3mg9#MlAQ{ͧ駃CA~xT+g9kkyvP8(*X[r>Fcv".0
y|܂'a왫^'y̧qfUѺr{.ؖb#_PO`S{`"gC#n$Nd8BE/XuMŰѶ~q^XX^"Zqh&+n8}c%%GgG;vf&aQd7m~nMfp`zjx=VS	,S%Cܣz>CP6@
5g*#,lOQѯpxؤ'|w֠5iTu
bQC:ƒV^+߱pM\f7[?.x1Y(}F!*Li|߽(iM!(e4Dpetkl9ڙc+*P_J\ 0_t\ llyWx@k+V%E[xɍ
۰0:tEҤ*^Sz^(4rTjp:Kd3P#7GjZ8`PU="E;?V
bGyF*#%33v%
<zn Ya_5aL[>ПXVa8dyR%&@3S<4-3¥ Sw	'ӀHj^*u:$qUψOswv'JӪAqQ;QXݼBײƂ6,`Qo8C
\\aˀ(Z=T-ʽy68X?	O+5ϹaGY{x.B3#X1%#i=t`[@Khx"X"uȃT#.$^?*ΩRєD{z]mW/Pg!IVv,50Oqwwu,,{n;5.v}sR~Is6u.\7jL<>%9dC9Q:FA
en^fCɾdRiEma*nO:TeXt'Q^tPB;$g^%uXy:l΢߫Ew&	,RoLLXsp2k]PTXQDسM
y4(ɇ?
-Ʀam>~y.?aRjo=^.)oe3UUhYG\ɹU1oj	O<Awkv5BϨ&YY\~<kdwr=,"Ç<L̆(PY̬*C_nMY;L	m4;g>2%,~ژ3ǗXIS^Єj,l6oՅw꩚32
N[/MA7[_]&.qq
8XG0\"f\gqql")03Os8}#Q)VhpRE#?߻Z7.L7zy`ujDETj!ړPhJ%8"};LUK;2	 wx;-vp	Dg$(<A
P#7Y:`}'d`Ed7j_警*FƂ{{*/eǯhY!ږ60oLi4ЩVT;p߰exF=<!mM63zFB3!53W}BY>ٰ̲4gy<|D/obQY67`QOe.XQ3HQV_ˎv}Z_/^8}_)"f%&j-ZSjK+#(789HgPh|=kPgG(6dzړ")gG".SMBnyWY^/kiњZEe!o"z~꡷:H
(a ʰ`vxm
nH}%fL1rN[e#HP)q-"}y~,LThd8@I8h"]̑"UH6Fwlzw53YuPPi T3
7xZ[եy읋vx-倂|^*\\
i]d<,·j؛Vz[S]!hU(T>G'E"vZCtD64ǵ};2!
)K\5k(BNL?7Q'\
}lzƯ<dv^xJY@yWK`lY|(~&g`^C9o,@\ܔi982:
(X93iVil;!=ԪpFژ"rMgWHO\.weyy_G{
pCԓ/%-}g:#n!kv[,yDIOEX&f$
hC/VQ(GW(Gd6N3W댇3&"CvuVjc
@Uar6Z%IM=4W
)=aFzo@]>!$|azMrWG^eH>&S>U#p,,Mf}`"W1XK9g
,_ħmuE9قMzKzFidhb%dwEQTYR~޶rTڥ1%5oGE,C&<cȋrh,בS5Q {Y4 ϋ%b;nlyZ	Cbi?&
޽AXao'!no[]|Yƅ\L$t,XVi&A2s+nog۰f2GsVﺡuO%_孅fBJy2f$Ln0)R)\`ZMqRY:3fߟJ@Wmw9QS$lU:4na*P3Y</c8D0-/).-e+*)]Q\ȑf`Ez@A8ob)h†l
x0d S@q/
Ѵlϊs	m%yQ0ㄞgƍ{k;qv<WXp8?LK$<Oulp|a1b)o@+TFGN&'=O
ԠD,{K^Gr}o!9:$<w(~%l\ƉvwlHΔGbgUyVfVq\D45C'꽇@&
	
ds`P14?ЩCL38|2@"?^!Qq:4Ζ_dhZxt1XqVP*Yr2U4D_wD(XK<'(&tտ5C}Wgώ[\t)ֱG+l3kpJ41"+]bL%@jtK9i(C
k7l79<?=DS'ۆ9IHSuVCgՋO’hphARmbP%"	Rڶ6IJIYF@t<FT$䎴~[PXCPbVkŶz.UKPO|+A$H<,K"Qp*ژc9L1	'^4޻LE!;&-E[3=
JSW
|9⟛{pZ嫮j	?IaӋ@}>7
TpO#>^AOڮr5g'6+֠cN,l".}FɩT
Eo,r^x1d#/T +%Ʉ?
v]SvhnOoP`dn&V3	ز;;"-fO"m\KL dW29ܭ-1{(‚Ĕ4t~ HÓRiSj'P
z֓n57|EWZ^ߙ*:0'i,J$Wu%0h}b&skvgSL,R[}m|ڂdnP~ȣ*ը`߃k\gζ#"1	T3E_-tWAꃕ˫bu7hy!UMkzpRN^tJ/1[UKZyP!!/vsdbX	@{#S2
q4<;^-/+hdQk
iGM£fu)G*21@giVpsL#Xbգ{A	^zkܮ"toBQ>kgބDEc%Vט(qv(j-¼XO#p5r@xA[:uk
2'r70,8 [|Uܯxyxh &n#MVz3jNH;Z/)Cf/"'y^T7AemGo+:̏yȔbjH?<W<ԯ37GM/ˢhW{;/שb^}BXf/EGQIE 7M?H'An,Z9nj0[(U6n&zQa2ȄArf*4u
^ZT:`JO:OER_N=X][wl1шD3whMƀTmdUL9Avn^W[2l6T{^36kk9q({MUr%:ʨ4El"p~Eom5
4ZC̷@(
*7óK(,$lLaM&ƗKf"F_̊mo.;oe$ӗJ7C;!nDJˤqEtڊM(ʸENwE>-KЕ\"fMB֚1lNS
'=N'ا	N
NX9ߜNu#4?N8m
}ְ&ps]ŞDI34j|6fٔ-÷g'XD]1DwVf
`C*UUUGU5UUf6ljf6m6m6Ѝ\!#Pio)$dc"to<tr&w{g;xѻa,#W#,lT?ՙ&wt6/Iz8@̆?I^v] b/@п=F@(/@\*rc|*v̧̅>svhA'tGɴHPb8n5jETlBPkXSSS8SS_'
NAaabhJ,7
B J,c~~|kW9TnU2ְ7pC.KKz
q|TY{<07,xO>(:6#zOz	o(A))ތ36q~?ˆ ,ݒ9/a:<l#d&:/QW9߉tE
~eMh\T8o"o?3}8O2ZisH#kΗ٣["kv7C=H*AQ.liuY8Y}	PW;m}qN?}P0YeB@@z_2/24Eډ{ߤT<6##
@2\Dvk[i=WeyޟGtX1i?_}a!nyz#V
Mo .X> 2{t\@X/l~G
 :7;Aت\Yo+O{_bL7ҥ"1#Ia8T-SC6rt9I>:ߵ{G۰:#
G߭C:hWC{,/
gE~
b@=V'*'sgo}7}nu:'MWi_j/4<<Ud\ȵ Qxu<3^y2fԎOwdnܡſc`wr\;iwP@"3e>_!cZƚiBcr9wҿ+F
w=ob_K=
hI)}tQ~źEcB<i3_A1k}[v!nL)[.t[&1pD"
D5Hv9C@b?gbENf=Y%V'R11*;v2Bsѽq
|JaT9_;#Nտy/}y=8Sq9 
}lF%9Ď`cChWFacѽ޾w+)Bvg=ɽO*&s{Jm5k40{)	imꆷ`2В'Od3mc
sE&2pJ?8ry'Qm<k΅,}G
r}sޟ8w&,[P;D1nэԖF\"Y}<
UlhZZ%BY1Rnr.v#f'T׻cbb:ۥ#Q;yJ"Zu8aU^Im6#3?Ës@x1<*u3J*[ns<~i|'k飦ZFY
+I8JiХWqFBFmL@3(o[ŏ#NqUtGh#w죏w“<e!-f	Q}&mqxycŸnD)+b},G;h/{I vjJ_ B>h#<ʿo0\(z]3ۆ[6/K(^bmoJCW~!	:ղK7oxfzB~mn/<iw"|>'l<쯔_}=	
	_
M-p4%ۡc@a=>Kbt6,+r
>Jz1Ȭ_%S5a^}J %y/rZ(`]riDY%|%'5ҠۧxyQ
?+%JHpȓh^Sc޸PO<.іС/T_E^_De1-R9DqYZ0.ʯs[-o!RKx<y[#x6rjT,	a4k̎25.8zx G
6~zĢ3
ѣ3#3#+ʛ:nBFms4h
Lwt
Nf~3SWrMņ⯄a@S};
!3?p4Y5
cU||5~Zt{֖KPG(͉gɿ)5976hwXEygsWkt.ZgXotw*Kr_ձOud?Y	mހ*9:4P@9;;&Qm^+z5O
_R\Dk+oXF
ae?bz`f뙉=	&EۀT?o+4dk޾qnzR'7[gȮ ,ߵD~Cgkڡz4d\#鸆^đA
8
Fm2f;"޶^gc(?6%K7Dr!^"2+S~x@S{HRؚ#Mly/C7LɂnBvlպ=GP.w)NKeٽO(ccsʏ>ߓ]~:u+adԵ3gIqbiu">*~:{`3?kpIh,$l">6.J!$f-BW*XnjkvW(TZT7wK|J+3B'R{]ΕVzZ	^J%9}k')]|mDga\/ЄMiݏ[x9W~%drqooY#o!kOPO7,#8H
LQuޙU4ƎiVgefgY
%tT8UxWF&zZ
0z} ^Tcu=3Qҭle4X$YO<ݴqŌ^N쓫D$bG0#r@xxhhҘxx8L,HxX{8tmb@g,(.*)IUIl~	~!hA7OxM!A6&^{_vQA	imɻvν)5Gg;e%[jl֋uX=)\?WU}<BoPEǺ;JMNGbFlɎdrh_Pu'YIWb$!J*6QY_Ҧ(BbXh|>r[!S
lu	2$玉H@,䛈u-7|Ǡ
UaҠWx1%+||Lpf	VxS&F'aQZ==+[|nZ_ntfP3+7R֪r^"fߡuJ{Xo5ERƲE`
ًJfIqօg}X2>_R>ﱟ!"FBZhal%~X	WPTn#_	p=T|o$]6Bݸd͟	zwaRF$ &SAB_]t5_ۦD7~lˢg`![NY8/0.f?AOE3gzK}+-tr:H1vΏ	C5Xl
{3(XsO,;ؗSx:Cg\@B+Lbb^/?|@D'="0pm]XI>t/ZⷬFAny2~.=AD2/V?BoxJ64}S'|APrJ{XC^#+<6q囸~=z͸gLv&T8(B |v63jk`Z_wrOoͺRoS=iUPodɞx;Z@:fx1e$6u-FR)z|I'}:^΁I(<X0w7M9'@zއ!I	=٦:G{q.nP*2x=߻*ULt{ݠ(v>B4/Yz7'N,RNxXi|aPJ3YJ#nTvB.šfgwb7Vm,i;s!Caf<Ļ뭫}ɓ#ar}0P!n[?"Szŧg4is
0囻~\X*E9YkO.͒謓Oipքzٰ">4'AЮͻ⊷7R<x}
᭟Gn749%Jȏ_Hߵ<_ʇz	v?<3{DtDC%ztΊ^m6/;+0.{ќ{WJؼ{nuxȮvf"pQW>=m|mX:?-t)6^E˲EqJ/ ߤCo=`Q[zN9DO /z1CV/2/05N͎io{@QiDwco!d*3wYH>={̼6'~!:Q&Ğ
}]-C)WiDO(O(}9+8}{/GKc>9J7pݣAjt<gՉsBXeyTv//<)ǒVOρM"ٷgXdP_?lfcx"/7@lУ>\]4mz'W<._S=YuO^~M	\!\zmn=IjWA	@	)Ǭ^2&fi%pE2Vԃ֋US+^}GE]@}mQqK9D/ x_EWlt]ӇpUM#M-ꥭfDǏl,bs^?xKschq%?>GÀH?+Ü7{r!77X@;z3՛ljh7
sa1.hYra2A/)I*(,sf'=~X}?H%/~,A'<EkC.dljc"nL]ӪZ#ꄽfʿWk*Q	\n"~}|?_w龏x5Y_/XNy
fOo[Tm9WɥX
#}Es)ԯAkvy-3GqM"u3R	Ưr{G!xOv)ۅS
O/Ki3-6Sq@~|TЗԕ
Q	.	ӟM4Oz@̏3}EgqBgHn#ϮxfCKç_4~D{E;[.cso3&;ڈMz3;NKV?{OeEp	k\޷&tע`[,Fy
Y>(;/KWhW
[^7!_?̍NA
oML$7]8	ăw!4H&/kgo-9+#jfΥ.;QOt	K03hh	XD7t{CUGxEHO\
M?D@W0 E?o[v„Uu>I-wPJG7{7pgf#=g<V?0"eyYݛ"K3x7pDnA`񭽈'.SI{HÞyP8y{uzDoF?@L\NW+žrwgT’͘@J}\-/+Ege΋0s4eEӰ&VdU\DqWkAHoUG_?SHH=넇dΈA{`_l-d\#٤Дxqm(Bvf!Mߪ#g$u\a[3xȜn.sϨSQ+1Ynu%lJ]sw_.E'I}FB
<;3hhN6'y͋#c%r X4(WFAzp$dH\f)$q11V|,Ρa4Mm
\f(?o{nqt%,,efn,@{!L5Syz	|谿Pؤ]x<03l?lX>fZ!?d&#x=Oz۞hW˙kXDhtcĻW]`Dڥ{B;-==,±",/Gs_	64~)_'}eB}~&wj?ZU[ޛ3ѹb/6%ۿI	G2UAi)`I2˄P媶JI,YŪi,WHɨZ[XCqӠ
{W<'xBt^qiIz\^J
NdQ(s:xZ%SI56dg~a?"3W,y
LmYWs;X_QWaWJo D@覸̠ẹky6kcmj@YѴ7kыeR󌙃24A9уqݖ͕.+8
ٙ!PEsk[:}WrI=~mFE銓Q+4Y!<mz¡oƢiouD:x}?iti_DEEufrN	7qQWh"JRV같ӓq?ab%{aO5t>	D%|XߤQ)eAiv\_bgjcKX#-_ߎk~^δdN?rSer"R]fh'uwue@O/x
<Kwϻ$ۮ~VAXk5H_wwp|?s?U	8%0ǩMn˰~iCvaPyA<w.$)κ1)b)w4=,z{t[zn=$vC/>XHP8%3p}_󯢃~#@u5=
,H!Opl,|C0
Ivתqhe/QfwPٌ޶&s/X4$]cpJ-Q4^='n|_5]Ϲ:
'@/GxcG4F7Se_>`iGXc[-h)D,-R17rCȖo؋AI1,93HPۇ
-Oљ0b{g2q:~}[,$aG&3uuygn:Q:6^tI3.;Q 
J?[XkS^|]aO̢Lk_5D[uT@gXg&uC	JKFو!U4z'cP&ͫIpWd*z<'>׊
[}^5ܽBYZ?x%9X\wL$K!}GU0x34C,;i0nB0G	
kbC7o;'=񯶧}%K_FOA~򳼭ݯ(+Dc!Pfg]wV#}-%1!x$i8n54P[<?%_#%	V_f%rm7GP:2HbZUq^_0䆓s>iG*IN
k|x,?H
^GCmG=L$:M;NU.)Ԅ64n.|G,+p0E߉Xd8B_z#oϡl:!Qn-5(S:2Rj~{H@@Y?J;
a44$cgNuo+^Wx|J+DGd~\%SY3@
<=.br^{# G'ߢw Ǭ_;_ߩ'Ȁ$8>
T`)N	p4%D݄Q2UL0jR$0DC܃ޑl\m,k431./X-$
o
ĈDRe;!!!x#K>We|/߽y#`oXfb%3 cBښPu:K2+{g<ӟ'd>>ROeBE8w7q<*aA$;K73Wgr԰gN|l4AڒژyoiU7:pdo`I;l<v`
=Z1miS=L<KāH]
ɟ}ȢFEN+iW35p8rW<{sǒL.WErՠ~`ẋT;뎦o'9ߪmmVIxm0o9
|iq聹hǯW* da.`mx0y*:Jߌ DA}w]"8g?YPFZ=tƺȺW[ǣo_8cl"Si!و+t}!Kjr|&057W^ۨ
(}4%ȗߴu!\'<y񈹞ƒ~d{M sA_sV9tmOo}>_/,Ukk0ߢ[%\tg%hBik
so.-ǿH̬6W(!q
SHrZao4#ݗmvo/Yn'xR<p&hZ袩g]i0g8jC1zCʺQWv9 8$)ͰV0+Z+<1j
YBx,r9Q\p0H	o\0#gRF!6ois.=x07,$%"u96
p+4tn-De=⟾sKD#0Y9Qe'(Ao$""AZ;[(b %(ˊ1$P*X'Q6<B(E
AޠH	,߰u8`ŨZ+	5{	`8U/O\vf%Dz g%܄_mܹژhfn;*!3y;#pd9#gkyGLZ]sU~èA8Hz퓵]:&o0!S!4
}{}crX~yz:I>-b/깬uY59سB@]Q+iu2F'mH_i2Qp2Dsy5:MHj^tS^k"0a;NøNs/>HAvcKxIJD]YkG	qvsFgԖumk1fyBs7|m
ϔr {H/&?:L 1!=^txE(Կ_M.EdHSͻh=s3i،xSRN.w㵞h#xh(WIYn2f:``ίsQـ<8oL!3ΰcet]aCC5ʤa~ͣ[3͍a 
r=o̠]'hz!Ee<ǿy2fV)TG.ָ, irQn̗zrѶˢ{'3`؉lkT%2IYᴡwa4?}?	{b
?r0)E{7"_xdaL,
im4^}v/!efH1{.~P}3ϹD6y}{qҖ_)1S3=N8_$NOylP(Dtdd'Y=[-@y1OBhg|OO8E6ş:e83;޸4io!hO(Jld6h s
'K8)~~h~QCJjs$]m9Ε"Ŏ.-zkr࿽f(=zp+Sh^꼬?,z_3ψOǕ׫t{u
|#_kNWCCQoz5|9FH)U=RNrs̼r[5(9-+hl]PSZ:
k=C{oPOF>? 63aDȡ(g;9 FtƈtBJ0L"b	}|pDl^;@?eq,]n-]wHV5ah`n-L,my38ˡGʹ?`VіqbDsOМ.BLkp7j4*P:Hۑ1;T;@CfZd"|>]C)g5S_慞e/#o?Zmr{;!1aA'$3Q"iVW5[ݛy3])(rCåni,ks=&+HHbQyF8'[HW!?X_08X~o/Z7G,C΅bK)"E*մ (EH9JO>YPe?g[O]!˯CK7!95Wjfb<4B!!Facr79Pٶ/Vm7[0|1{O|p{7uݒAw>htaZx:tK	Ï@-%6*&!-(u4I[b1
eEp$6]%7pQgNЌ(6l#T_F
`W w8@!g`Wse5%냏QbH{\tQ
:'X6I9'n{u_h}~215$s߼Z;?q,շAB~5+([ýVn2>DKe
yۿW)->aMEi77;,Dz\E`0mw}"	
)d.̌A'PY	pUL q$T`A[ɔnkxBNwCtivPK,y5#djp$ъ{5-ĿӄXKfRf܁,Y]/cZ/&-1C^%p6CwHyaďR^s>. :E?>HֲU؀ʡä4ކzlGSG>	AYf]c	֜nbsekϝ+󏺹9V4-A
NXp2N \m^%7ʻwEa›E1p*[kסxg3 TMׯ,{(R	thMM puGJܡtNEVZ!O
uv:&q/	Eb;]
riynZi3?κ|I*+C3h7*v8u7UeR@#w+iwG{)7qNڱ
S41	3Ib(Š`-o7ZFB'_>o5+?s]8ڠca!j?P1|‡~v5?݉`yr1_'謱k墓
VX;0aK,@
HǙ[-n1|'vʦJ)B,,XY("GXJ,Vy}'qvיD5~3Pvpffa:;/d Dv!12ZY)
 /e{׬&M$84<rŪwO{XNLX2'E\-Ndv쀖qY/Ŭ'G4KgJ
ilnJa8*{b_&6@ruFEBsLQ`YxRK#Cw -Jljp4SB~h7jkT;']P#eO/wIoYB7
X<
?V	?WG9%C
1%BB-(P%
@iO:?wy D7$LUd<!g+{eB"^\HI@?f@^Ǧ	ē˴9wvMKH'Et[М(ʑ<|^>ZFCϑB
*^8/2au؟DK>n20=X;-;#9sJ@.#6%WSʚo|hw#vwcEC4¾Q,~6/a9OmW7ħ;,)>>2kwX+(^>Z"Gs}bkN̠!N%-ј>0će8K+)Y.Jgj9b}g(TpE?CGiMe2<׼!-^/E \Ak*lA
M\ds$v%cYH.Lk(MEDD6+NF|mۻJ@`s{nM4`ts6Cu'HfA3#)Mh_*EHX@bU8ׅ[[j[>ZJmLWrDx4!l~bܽ%W_ӎg?y:KS#ͯ|~Zj8ۺ%^ּnz7=MGlDDC u Q!5y
ŠEىi0򇼃!!sIA*?|+9|<&B|~kt|	PB0/@!<(;@Wq_0__o^"%,~cM ylA$BdZZ{iN-NFfu.MݙKx}{cj*Y0eM(3sK&!29(T.N'HԋeDF8ZNE#_ۖKq['0xewz	
Gǰ8mlg[	kFP )$G$uW9FWF@ͅuN=/."N
I	
H"<bs#x=6T,niif9
H	cri@Klq'R5Lf`T\0A<J`$
2"w%1PhVHmZ3$*+
:2,g>6:ۄF|V­Kzvj:TƟۯ{ۧ;eBfekÉ.԰_I+[5:65{U#NL5Kp1#Qu01鶚ƴjYa-b){	\;d1*^潑~X2~Nũ? +qZX\>#5.'8£8\INFڸ~P̬Y^y8nANE*@6Mآ0kiOy[&]|>O-j#zBw3J̋&V{|fm>g~*ܥ&)N[jbEkQ5#P8
YY
"U8<>w|\Ҹ=C[DșglQ&$ $2ՙ,
,S@s83,>06pi"x1]('BQ%@%o%IKpe{,(K@ˮ;\F1KPNKfg$hv.wG+?ߓe9,&9DמK8%O5QCH;kx5I)Y.9.*o*L͘H\*IڭhN?Tx|b¹5t
;gP$|N1X6"Qd)ՎK=㉿~M?%:fU^$4	W;|[|d"x)2cN䳱ӮN{q<4YʭzjK	z\z*V8f倱Sc!rf% 5< c&kV95!]fS훴bQP>\,"͍I"B7<W9suX;?@
*Fr&te4E&e[eBV9/:b:)F~<!-[ȥ-I|PNqiɉYm1zSfn3uUͩS(5{}I-P_	|9X-;q *_q򷤅݃}|;
"
5cf]qra;SCb	U@@Du0ca06_׭=Ca*Dpߧ/@k
I<)7hVqcgIօcŢfYmV
KL\Kfzb݁
F)y0"``sUNŧ6;^ﰛ#I纪Lʲ:'z15yO`8ϵ<6:-6r~dp^Fb}E#MhyZ(dEYjNUdD{qXJ{7S*x@{E?@$s[JB񂴴. q%
cYB4fI_WBWUk*R]B5'QK=c;jw	5K8嬡U{ԩxcq{H`&\ۢU.ܶEDmzρ}Y-S>Z9"8s8Iyab+8Hp=}K;zբeȤ޸FBADKv$`έ\h'*ʷm~sRJ(|犑;9D9s㔋GV|~RcJ_&L.iAfg+.DPJ)L\pA!vux5mSg7B%텹a<>cפɸ<wQm8ݕ]?Pc>1		N~N,kO2&\jux1`!--6e""/hys
=<L;]]9"|DθR&k,~[hEXh=r
F_z,N̆U{LǬrq#oq6*iOv޵ֲuT)
z"r̺E!L683^t#ȼ֘{(!#]:+9䤓~¨PE~1ؙν;fK@lj[%l9:b$it;qs"=2N൸澝[y`Fs>89p$j+ypZԬ]O"āޘ8t>%-*a2LW4r`kJZ	9rQ{
cC[G^w2oHLiǀ$ r58Qn굧&wHr׳69P²2 '6nTPWݺYewXHҌgd'H%UQ,#	fG.$,m5džl
jTaSo1P,tַǘ3v[L(F>
"xԆG=IfL*l`>buܦAct)doe)~*>IrpVac1*0q	EvY&][4l8ebQhkQ[O-^b]a
BoNS=bRk2Iۘ껆t[%JrG)W"L8t4cd[ϟ#3wt\.ɩNiɭreAO)	DJi&/fc+k	A3ZNxÅ";;	Q4#+73wp.NR`iؔcԸPaoFe#DlqaK4Fb:쟟rcz[q^Y	
JcSe0L_\#NE9}>HҼ
Բ{˄W[)DRv	8@F6uEګRP	x┹$7%Ձ=*K9'Fa^Lw(}nx/qdj0XLʫJJqR31&K%ږYɧo,N_ԜBPaY
*H=>W`Qyୋ9Jjj3n콜yپ
undjK3܉WN͹tǢȜ_ͯj)_ɨS3}-ȓhS,!R I`RzBv._c oo&<8*꛵ iKdv%97xŞծ!󓨽42cY}ns2iEf.i>i+<_*WJE?wu)KYJ3?-AWV҆M&_Ðs
&8:l>oAWEuՎPᬔ	6lsw=c;+}Yi]yv$
"dx6)yahWA~5Py~58
%?Rƚ'	^¦`
%FE.wpAa{~9bIڀb%*aܶʼiyn
|y1ˌb6u q{]/V,԰5xA'p…'U)m⬝}vw3wGѤ;]]HjLp.߆wps.enɃN"z*IC@JqNxb|Tx_C\>8?9՗;[XXnK,AƝ9qTa5,bmi<л"yW⯅lpKkjRyzhCCڰ/h1@t+zԜ,~ҶL6]fMCZʈj?᫶~AQX0lZ1Lc0wiu98((S(Ƴ%U̯텳eȳKw:DQ풵gMPi7{R۽k~C7Edc'XOCn$`oUv;pЖWg:Xl'*QNO2Ŝ;k[;Gd	g	@ΔM[_@3UE(_,6F
lFrl#EPC/_U+y9®9
#x
3;۔}RT6̂vѹ,O9}iH[6qZI4/Ši;9vY{HtRrW\w5@"vE
λ,ےeEp;iEb6,dv6X`<P۪ٳ=@bȹc9KEc]1[,+i0ij[A屖O1E -gN$Ep_feF_V->Wu	:sFE%PJH)I[$b(ܽ5(gss-mPdcA%<<}g1(`|i]x]78(Qlqʕ6d!y`P_2oMH̀y=:dB\ߔlvo
90EiͦM	N\,pՠp|j,K;:}] ^!$j3`#ia#}ojyҕ!n:g0`MҢÕH,59pӹm٠.'LyCaY#-v{W>"
<2A]X-	-ܱ=Em,΄iRjR<c~c {9V|"@J9D᭩
ˬwdF@y*8cy& yr:{&SO|Q~ˇo&VmG."gg3On:pNg9MH{ìmuR\s+RD8(ez=)Teh?Fzlʍ49rg*؍! Z"`WЮ'99}(GS0$;)l=~@~1I,)V_F>6EPL)VaDb\Cm!gTB0+nr!5&KfbdZ?'|s1
}k7(EfҎ[]+s+N\BD;9Um.m3p	.S[!
ߊhs
CU"c,hg$?@#kn
MCG2(XV3M'֠pjo!οT(8`3ըZK$4ZTvdx2IG	>t[p-aHvʍk'	U;NKEuG[9N("2Xn	kNTU3yDH&=q"*F%R=;a~U=1t~n_ͤԸ͆d~]w^[euvZQ
؆qMyyX3#~K):GV	ؓ㖧x,wt)J	^L`6s%N+ģ`<;9>ѡ/aCYZN6j5~BuXкy1p3t
ħ	uvhV]#U[RR/_h@зw.mK(auQw	[*$,}59R~o^YDͳRR~eovۯFq>w6B$$̪bDļ=S!B$&ɭ-$"aO6yd{]+W3-GoEEuG+(8}d5+dHKZ;zycCHi4щ[3Sy54C/X<UIimL(t
J}Ĕk5,/CW0AԻFUf̕/IH-v{^TntkJ4T"0Ļ'U^&e.sҋRK*hi77eY&Ws%`_4=UoKsD#ËNώ=&b.VOn"{!ę%{&KGAYtR꠴h"UiOwzCi%ZE<F)xDՎG^cuγ@==ϰ%T0~ݝiY~_yÄEVJXšgٷ26s-.Ec|SF	2ڍ4pH:i(ۊK|D{mlzQ֩6>*iH0<z~Y~Ccy06pK8gtU%6 aR]:֑;yٷrx.v,AnjSZ&6,6g_I&",^!>`:0]
8āBQϥ$
mb)1g=Le&º<_ FKM{13Q۲$ћqxJ>,A7ޮn&"Qփ !bQ}iH͗%io-#i3X+0p[B[<EqoWԧXN
^'iCZu/dpI9v5O'6*Z2֚}7x{Y2Zt0iV-]goXr6Fopr_α9K*x?_ir1<mǑ2$-S1#QQdUuH
nx'9xi
&/b su]OTĎucꊒxe\EyuLq"KK}+wM	+0k[vDVLCU"K䱻Cki<gH%Ah+6@bmƎZ`,aBS]DpM(uoeoKarT>]'>RK@}{_:D>1&<s=:9rv,W./iENanE:0liyEծ앝Z%x3\ʧٛew7gOI$BN.[2mw
\rOwQD66DG mFf "%Xc@̯BÛ">\N@1<x­@ey C;F
o5^\DOZ
Jƪ!fw*	#ŏ#)-e5y|v	Mʃ(2B?K(E)Y/[S5;n
O/Cp
IrǫDWf:I;
R)9KYl5NR$<u3a>8m.ѕc_=ڨ͜n.SV0P~NZ2g6׍qTI^57O;!-kxW)箑*,y&Guĵ٘afêIVgAeh&	Z(KWfQ(L\͗ObA=˩0fDz̩
ynuZ`Lm@C]ٱ+)TDc%O-fq2Mp9rB%<]-cDM͘^"핿S<pkL{*w}9v{wV6PV1`Jv98z;SAu%XrD)fWU+)9LrX46Lop`yb*PePtgxɠ,J:;<*GC0qz‘&WڮNF'gh2Ljs(XCs\`8nF
8rk]Ri\`ux|5.p3r/Itda0A%Y<̬)/^b*Ssjհހ<x;"
2G(tK3d@MA.\!2f)
 !l$$欉]V2fԄL
=]23&"f`HK	F&E:BT3,$ha4jdq&#PaoS4.c.= 
q3sWV5+̗ES.VOHinUU
: +6nU*Q q&ݩ3.#o^J@N@0a/XJ8p<\g{fz	)ש@FG\kX{qyVeZCGdc.}R{su,\؃$Ęd7"YS"Pү0`"N-R_cjpFEZJqRʼ=D$nCp=Oȇ50
ꚡ`un[&ą|!"xn0ћoiE\4==;TͲzˆ<x rLm)=%5˖d<Τ2WU.x^CC:.A)2Cq?V$M6C)[w9:Џ2Ru!]\+\-gajFt'{)*3֝<ȵ'sp$bbP7B"eeo [7/Qs[2>ƃ0y勇Rœ<bB51
[9]͜0u9!5Mϵ!3C"DUet+NmvyإE\^FՑΗ-	2.Zh}xoN`+\W5*7UB26eX<t+[c4Zdb=9Sy:03='+M&w5PFci]y?& H-[8gfK]Bzh(-y]1KHuR;
~(d'/.D3+u*`B"(L2صnVj|D$+x
E#R2 -䎐Dk
=>h9^L-&~$4eš}cELzW	)ϥGgVuׁrpfod>9EԶĠͯ8̗t,alA4$2PM€c^Z-1K(TZKrCf8[O۷f
춒CU$c=ꇓ	Y3}"rw:*X常#ų|NcFxSZLJGSe)2F9BH(!96h",ݢZ̜¬qoǨgN6cds.{v -Z䖠ƦM]ҤЅқ)8&++nxdV
N	5ze&6nJ6{cT[ΊT3jRhC{FhRV#љ K=)Y=*]jա]Au^A=̉~#&,/6sR7lMKktرWif	<
3PقI"ʕ}-=B_0X,W}"‚:M&p
q)Nes$^l.ю}1˕huӢGQX%A
9F7`qgti+Lpviv	xvIw||
Mz~:|((Y)u3b-Ko.jΞs~%y̅9VdV5!:́&QlVq\|hN1zx^>^#ͽ~PP+J,޻OZxN`g4q-th7;`O!8I8Bݕ?cXoE+IȯmB'iEMt3z6p	8qnKARP-AnŀvDauXǡr'phmcS3،+1S2%>ԏ$j ̑h_`6h473vːY\>Qn9;į8wtxum
aʽp$:6N)3gۢ/=m"q(fUD[8Y!Tf`b@&CɾOSs1ƣR{yHj`>[e[NȒlX%ʺcL7%hU)aT/<nشVLO}}	D[ed'aꢖ4y3hv/uRP4KwrssFSojZ6EX笞Ji2`M쬛#n!"M;ۣ;f¸vn+c[cRq33sخfiϓve^HUAWtBbŭM0e0Z>-s֬EAXך/"'7:4rXYA(Ѡ__+¿?F%SJxRgӋ`r)㗆Dt!b
A\.~Sr$XpB+zSM#5.3q!q|P-~AfȩM9HqpjZ	eKvJY	geyߤVRʒzYNTCk
s[3uJ֒	HHUfP|5|`{3)ZNj8P'Jb^0A״u*VG9taqiaH]9;BY8Ç*zA.m&1BP.*(dey"<r1NZ7#z5b@@kc&ZLFZ!A:8g}6]=fu9EFr!G8v!:"NMo]WXg:r$R[><_WFp8ذl25t2"5!SJ\Pv_
zekmP%"vAv<6MV8d'B.AUvhus;yPulvirC8Q<
:#0d.~Z)M\N<~4%n
e<ѻ]Cow5-,.SvOӥ,*k!A jE;A[i<C)HJXN"N+0Cas;aIW-|觛ORB&݊a⼱vBo.'${+ADd0K@J+)_;93ՅWu$j85DH-q~CPL\r~=! Le(+Y)GB'2D	CS4e[iK 7ث߆a(^2.J)Q\TPinc5@
c	="i2r3cpӥq<<
fPK9f$AOLpUpf:I7Rx|K-vc,eu[z20%2:4N)7kt[]4"Ef7zй	~X8OnU5b/rTpEˠE"qQf<np8c<U,XИݠ!1ؙܥO=
wjCӒUX3V.:s9oCqWH뼀:GJ$y[>A+*KYk9t&\9IWAؤ#Umޒ$M
@O(>.%ym۔j*,Ż"
%;[gP"wJ/GY\{_"@VEjeuOyŴ/7z2>\T9^xu7T3{(}ם,{I/A}t\*i?oΪ?R0^6sKߨJÐ+95d֩Q'V”5e91AV cr$'ކ@P_=.06''0E!h{RdvE!:hEIRy7u.C؉>/$%ٺX2٣KCrAj^F2W<4׮w_=8ha99`۝C{Ֆb=E*
|,ysY)ÖŖewwDMct.MQU2EkϤ⹐u'cf'Yo)جwko14Oe!+KMjXuNVⱯھѯ34*W~0u-P;Z%)+܈-1ҠkNA}\?#_c3"K6ƲT-$+ps62-kF45wΓ8%kX	(Hxrx{=uN0Ӹt}7^Lt:`f>FʌwYBTX"p0xi1+{lq΢JVYm]S@9,+d	bA᪺HqTwFmbn{`\fEҌ*64vZ:!᫱`b1)(QBtTJ0RNlL	24]-5榸_vB9/qE	/p	uk
a[Rtz5diU$M"8Rrq/r\[<ă0,k9тWXŪO{|R':&S
I96w"p+a$)Ϟ<
<c<[,8[@/Rpw5r.vs8~aTV)[IXUha72]!4juA, -[a̹Xj	Ng1man@;>Nїx6鋴F_xf*΀bVYfYuU8&~<- w"y
+`V`/6'Н[wQ`sy +$ǮF
}H9StӤqdiA1	,Z@2ٻP9z<r*6"AxR~sI[DTPs&g=vóqea Ӆʰax$
aůfv4
8>R&#S2n:K;Z7,4k^J"BRA;8T8F%;Yl*̑cv@!rjlNFت+E٬"V>1/椼VkCAOOǎmE NN%ˆX;	Rn"@ma3!rח,xNId<w&R"ٰ<VO?dPB)wqSIF?LhhJa/͏O;26Lh%WIر;qC++`n:h*囹0
( tر[X/=Jn_6b^b"5~"E0"LulJwzqd"pT**
))p7kD}K;:bSڵ`K9*i1&,mX#*6I-%i$LY]B(W ;8sdHW846zWYpsQe.aA5FBLlGprH^6!<So9ƥ:/ANмHcpt;ҪĦ\:"+'%W磿Ae2wG\!W5X=:9hcʦwu"uI1[m|rׅ
ȋ|N`fI,WBRO0Af}#)++15`3Ҁ[x]YpsѠ3qVRE?Hfcx:\JI~>d"-UdtabF۪gD=Op&#+ CEjg,I9^
 |$U@
oBVʬ]BKOYH+v@Ȝ!n_M"$ʧaxcK
fDY.ddQṹc7z@62$1|̈ɓFvd$HsGgsCD.zHy\ڧZ"h"ctٖ-Ok#Af(h]tX4e Iq{3gYW7p.`g=FgƜj֧4+_}ԑ4}GլgZ:h6* d/caOxY)P%܁݇RѸif/g40l3,8SxZJ&ZEhGs#fwD
I4;tgYkRf2fA3_
 7XN.[vv[=٭'E2xv,cmMT3OcsMS0G
4C٬./Zy9	Js\3|ϞsjiE-;J+s_Oh.؈U	UGp-Ϥsӷk"wv@d^"	UԡcF0~ýE8LT)N	n4GU\Y"GLB+hN-I}Nj
?hB64~V,S:|)Dd|5hOR/PЋgޗǵhQ9:RRG=A?}XXk
4"v8?IUOǺQeԿ;3!ò xmQ04͏mJl6.IEK9 H=.xlNΖ%{.|H½t7m
bm1hlky0^|py[ܾ1O3g޸v#Dtjjf&P|3v9-{kv!	}/;PpW)B;X@4,laeU4ړxbyN	e1u<L`I_mLi?yt}!qf73r)U~!4	DU=5̣>&]Zmt^48L@OCܓ(g9QKk	7JWm)a/o}*Lէ
S?%DC<.}N"L#
Q6IfN)
W+>QVy"qPuce
x$<=CgH뉅g{,蜊P/xb#KGDhluf]2)6q,
VVxDg
^L{2č|{K@.s$;p!Qxi;6IhRE&rizph7$7*pXZG;0=S,79t+F{OO]z^N9oaPJb5[DR]G>^c,D1f
a!1TzG^=!ym9\=Ռ3,Ijf	X4iuH_g26ie\IUN뮀Z%9Lyb.;jId&D6lh,u<qH>
F!#\^d
	֑Vu\RA8-HVn	jV֘Y{ |J8֚̔24jD+XӜB<۳UsqhkY,jPoHUĭ"`<z[TB㲁&߇NU2dt8\f(w )=(%U@i<yh`}f	!Ԍmgq,&UiB!3 7,+`k:svqet3HHuHd(eckukCˋ1?ñ$)՛ȱɤA"( Ĥ!$`iTP¤&!%ŀ)_+k|f/F2>;E;9ĝ)cEAbH̍"EUɆ4UuG'rA?-$礽/2Vճ)j:R%?Kr.G͡:񙫦cp7ifIAi>mRYNj΅|pShj:E'$9BD)z9o&Z
r0\@;E6
]&d6x2'k.bfhs< l dǮR
RC*2es*
eoCƖrC$*}@[|Fz&>:h0/gEj3lR

1Gdtjxh+2)6zJ:;C
6Set D]zd5[:cZ&!)E*3iQ".w&X$;ٽNn$.w";sJjxsͥ/bEZDqFS"2ƪcJjtTJo8jeʗeTG{!(2	PD2D
hk}U7Jďa'
z/jQhѐt!Hb,laʋ`mrϖ#q7so7(hQ6hpLΑƒs_ öVn}4[t;r Re^?3~|择o`<n
*X6'wB&kUCoVaǠ T7کV]*G
6,Z1`yNN#i
PA_I";	DCjQ;4cc
=u
6DfJ>76BicqfB̧]:*;lS!F
+H5qc)c)SJS=)^U}WiY!`ƾF$,Hg+0)KYsƏ"*^*20tlHqyI!tN{DC:.	[BdJiHP"ufLUxv%c\7+p!>d4HehtD46fHtp4_-k"Uӹ}ϊmKIOyi"DVGE<#!wVƪ/YlכJx_9ŀ9`"=P՜iIvN
(#pljv.&B,EYFY^yMXX$e9LDtMf<dLTŭ}0Cd''H2!ĤQJ<=6K'ݮUqbxdhD^!aG=bvzb	eL!_Xc*1PV4;Wۼ`/ʬ6wZlǼև[jYǿz;ST!W=I	5tf}*#TNuӕ$?*Zd(~wq_C&BkXSdi:PDR߼P4ՁΉg+*VdqF-f!py\t,7,C*z2eV35O0@ t4m,+P`60=MM d99U!tkOΈ"cvC5_1㧿9,Y5΋M;U><ދuF"P9	xRTҸll6KtT(FTt4PCijFUbAcEf谧!njnNc41H@8T6"~^-T^d2;gU~tlLӉ#8ҖyQcWaIX4H˵*5[T֗:Q}AէXi#3	V%^Z[\vH	LƳdgef0յQaYF:.;LգFi#V==;1O`M[#)d!-E-ux@Pk%#ĩ`Np{5K5qPU<*
˼S1eTw/j
զPD(pq=QEb.\=<νCcR"mlcbJ~'Xl=G<&}zqS7H*>mőeSÕi+R딨]uX8p9ޒP[{4kp,04F;P0"Z[Hta/|CzBﵾ'B;̇88`^0O8ɔf٢;ihi{h=E4F7?V˶Bn)Xʢ_m;G_?`
Fڀb`Ehd>T'Tג'DipE3,qAejfg4WS)z:AbMeOTص@9'.VmOLB|Ѓՙd<ZP,!`4jy2DD
MGmm7<vD
[uʍn/ـ]	n
j
8$ [_vFjlO{0D<h	9w "nq=ENI99+*E~ւʐ(F|v||ȐSj3d XU("'$Y)`x_RH*q_(Tu_4&3R\
QӇy2!ܖ4&{m0(>2(et 34:4gոjR0K!Wb.;	:~m^Z6yÉiJ:ՕWc&f_rCu%ո?F)ߒ%H	ܘMzMSC)v{Il([=%&\Ӛ&!Qfr2YAQh	dgyIi[hWV-D/9xhM9zl
H
4
oVm( |,8kEduNdE
Ρᭉ0@yIN}\dH94C[OFMBCJ">>i5~Q`H٧QW.$o65_{n+*Ldd9Q(wx3)ש20C&%X~xʒߢ;N|*j@r% $k֜gLhM	~%d$ A!\2ra)Y)vVQi.n`U&Qxyxr"SqckA4ܓszb[
C#D$碥(hCVvK>ۏÎ%MPً=&pG0JeL2g-f-|/=ī2)ѓ#tHS5hh@"eըH#pʓ&zkFq7
{9(0s-f.PlQG|yzڴs`~q9QRlpXB=o=]|ybb:SE/

p=Ua'BN8(-u?Y}\T.?n
|Xΐg'!{y),;ڃB9QF`JGgR PbR!Vշ܇Jխ3FU/4%EP8FgIS0^-~ϣ;b‚M	 :\cg3%p_¹JaII7
s/
IN&-[D.l1#"&*NJ6P*])Kl+XU^b`^E?cۍڿGz`ܰb\D+lR-$BEX@ד$CIl8j=]Iv=?)#qy?	Q
"wL"Y멿A[ޞt-E",6/X3gE(]dt4>|<*K0(!=VH>˪}ӱ1#)~Ѽ.c{VnFOv,Ψ^!m44z
JyOE	*Dr67q$Kn\5U6~ԷGtAg.DVe0AuTgi{{ٵ%aou0)OzwR,d7EKz70%RbƝX“ӽg57pej͕	ɺDlJhsHDҭ)Q
*|ӬiXm8<AN]$B ;&/jAF8s3Xhnگ;ֽq^]20S[?~w	qE:HcBBX8OVm)%`$Yq:WV뙅Uv(Vf;Yf	cuXB+͞WLz5XdA;|
;>4t
LKۺďwDLJ9a`
\w!{ޏhO=nY.DTߎX1^aUFN%TMG;{Bep%Z	mspXܖ^)ea8W<Bn&*l ,(倱mi;֪ NTSrQkY1+M2n,UuTGWbjQ:%4EX2Pxa+]iIZ|S(J0Sx!bѹr;gY.j5 Rӯ hӂWh0:SO8:s
0НHbSWӆrVfEWMPa	vN|F&?|eGt/I]6K3}ς2a]mZx(%#9	UӴO=$]E3[ͬߢN$I/nqнr)7JM]ƶ(G4k"
#A([3qKP17ƼkB6݃4٘F^L2g?ڇeIhR:KO;:\5WxQ7w*mDt5eȍ۲L[q

'H>t%^h"HJ{#j䄖>љ5;~-QPOlv@O[rX[k^&GzؒIġpnf:|YE5Rҹh%k_p=\<C'>f_[I'"KsFj#u6O`7(R9C>FR73r:=׃sM;plsNW}\Mz@Lkxs\@ tu2
xڶոq'T~R\Fi&;.JJ^DU87:f9D@#ֳwO.1F!!ˡہ3IPKêNƩOa{czj3HVc&1LzbAK䱑[N1(V)&
jY}^2㗦L>CyGC	&CӿW c"TNDͫG@U*G:âm͋gC^c[af^Wh
e4USJ%!or5		-C%1Йd.t\1vJ[TfL$'\uIW8Hr		>Χrwb$Dl V,F͉|JzQ-;)h`ˣGx@rMl4{=s> \-d^іnJ:S]Av2-L==MB?]_V2nevwQ߁$[U#MnPp]q[)d4Qwyd<I{s]r>皥aЈۯwuَP&,NX'Lxm.uOv9gaRg?b@PZS;0
aHH7=B|@h8#
a\h|᯺	ឌ%~?-x/[7| ԚZ5}dZ=_>%yӃmʶ@Jr?g}(Ͻއ}`aet
e9O"ja쿯~6澝ЦP`?q!c?K;xS)ce?[z=z]$)֑#g;6zcXsmq՟O,,-N-;^哼gνh
[؞gdlµ}RUCC	Y貟rK鿹Μ=zyf5y&Mk<<=R/<]OY=zy=Omy:
WuLP]?Gc_oaEz?I`oAY!@[H?8{bSC{/PǛzP8
K"jgLjW66?jOq|sx[E~&LϚhԍGGE'Gb}8>?9ҿTÿoB//{??Sák~qG^Y}dI_zg=9“NG1>#"ƾˤr=zqb'\\ҭbyo2/8߬>{7Z=L"_)OS_o94U4/1LzxVRwV<)=Sy{^WU>w;ycs~h:ߦ>=m{hpvRκϗ=/W:dog|mXD^}$^b
lFBDYK
lW]Fzg!Gr^Mtϣ;!tQrEqBH!DEA>'{:j<ƸR9QST2*[|⢤8Im478L3:{sfffʬ̉YJ9̍9M@;5Dwm7vf!\J55QcJJ6RAz6$ޒ[`C;e:\_W2fDEW}X3sr#O|n磌ʮjUwbwb(*HB!HuN	,Z4ΈmJngf;}#3$dWHrz)Ζl0*Kw^¡*@
Kʲ剎&J]*PF [YW	/ޔ)#DIGkrcnKT,TK-enbMF^?aQ}'}Ni&ż4Y7%fMt;yl_XtPGOU1٬]s>M6[䖒C"&E
݅z&ȍ\Ԋ=uz[Jjjٖ+.j;;oM/N~1u6QoM.Tc-/l2ѼdP'Uq'NbjT'yM}rbMKѠhKװ)Q볛"uM(qb!IDdx>i=3c2S;ddf:<H16cG8]EM9>*'nN-YM8u6;}kYM8Zx,~pTΕLU}eKDN.e?S%O]K3!*?%˟(8;ߍn*o:yGнKЃ9@qW)F}cApП:b/y%M;"<!_Lr,@YD\rڏFT\QaaD㾨66ws\f@"Β]ȧu)+x-k}g*fdvXrWe{ni=Obܨ:2y#nɹ̝n'Ow&g
y.I*'=Nc؁SbS;}ǡcSqT
ot\&cVQVi
%P犩^8JI7Ur6UkZMCkL͵Z3䠳B琞jMmcKP!1¬(-*ƞUmCk{=ϻ{16ױ+bh'Q"˒ICz?SqJW82RV(+)lafZ'b0ztD1W?[&ǡzRK\s%)s5i{/O6|/Zk2+ѩA4ఝbcfYUԍ$؜Lgbq̇vA}Gkѧ^9'ar)Ou=w֮ѧ{3TktIBr
Os"}c6lizf$n03y:_tGc@gjRѩ-x|swvyb=VzQD{W~1X{͔7BjJ=㔺peu0wvjEВ8F4B{Sل'f-(JN9|ZKΥ\٧w(JliRgKf
_y6;wgPH|gik#}	4x>
N:P"dxCA GcY߽b?['='-ɓkGTU}W;N4Jt?tќ9.4AxY_c<߉(kV÷Y[])?SjqWS] @@  @*_y$:
Kd/}f:]L`v[Mؑ:3]B3F2t%5}蟞`dyzv{E,	Ey-.4j(+\Ҳ`zVbѿJz4	C%GKRUKRXN^
eCo)|f-Vmr4FMIg&R	n2?8HZ-PNׅѡkܟlB")*N&"S(%zkxRX-PN`3]GG~ƫ6qrR(0	ߴKF_tɥXέ\0NXpeՌf0
vޗ>ԑc`n֚}$Mq_9xo9X`z;mZd9k@9]g&42\4atrt*ŧ)m,tuxF;ep
 \Zᔙ
Ŭ
iC9\ ݽF}47egfӓDpԐ9_u8+,obhI;w)qY;P;fTuD[-gm<}swjXq^J
2HD 0sEV1hMg[4S}d5fq,voyr Xdjk]$sprǰL=(:micONRT*
N[ ϡsU	g"gF7^ AkU9b1|OkW?7o.{Ib#Ύ@L(*.K?0?S\GqΊ#vEkɭbu8pPGb-g*c'+IYutִgcK9iw݃h[N!2zuλQqlvS"׹κqrQ??$}4lݫ=E:ܚؠްYaY88zY}i?O$;bfq\p\˭Nپ)uGuo+}l7
8+t&_"2(|ؖ*\-Oyt%۫cu0Grw/1XealαN,F'r8wNhc񰏚?d`Qe˅k8#?{[1ʈ1{M͗joVeM,9D11nWGr$99q7ޏ_b.wGiíj	r7gDb81[~L~ٖʸ#ߤ)>n%uBuGv1~e⛎θddZfym-ݤ\ŇqWulk|bY~et? @@ 	}Аfnj=ե>ު{8"AȦЕ"줪ϖWT~3_cH]OUoO:O^˛없Pe8\}ƞ"-U/Kr-˕-䯅]f٩G/Pk@ZK}Asɑرi6J^ғۀ.Hۥ%_^iw] m=.[Q^BZmUv-@kc]`=Glaf
*\p@[ZW?~WpϹ}F\OpckZu~E+~Ec\S1幓SW W-]t9EuKac\ycZuޯn5;eRҖ]Uuxss%(/z
{Qê(ڛ2舘{9~pa_(tQ"h7_/JUn@9B\XW n8ny0FKpߎyu
WP}
En|pxB©XᩱZuDJ2S 䮴]{YX/va:vKBV?asT7_Sox2Qb]ׯJhXuD.QɓW()ִQUmeaVOU]ٲZ1vC*mp9W8@|b[
2b7&C{>hV*#e0/h.邺.H5D.X(N@LB~:/u_ .A|P,.P9
@Tb1J(&WSTwt@_ՂuZ`-fmhκBZW렱$ץk{-F|-%/v-] !B_]F .
ogF,3<Qm
A?C%;hXn&22˿HO||&%)ER"fIJ5)S8c8I):`زҤD"o0I&>	4")RI)01:DR?~ryjwOñIZk\Q-i
%Nk䍅|̯4	|c&02E{e~~GG𞔧e{8Vetp,L$e-CI b1-^Аy;mIX73–dAFi FBP<f$e,lf$%iHAsoFPPAGq#b0Ij̃l$
3rpLҫ ;ɕIUgeت5AZ{VKB̰43ve#Ro
ôC)f<xМ-6~SD$b DQ4Q4̓	Y-B4s4̓ Z,i+4ІAY-pZfoU;,^a.P}aeZ
,Z<+jiOҨJ4􂖤AJZBIAԡ[%Ic iQVFPy~ lT[#Q(IDmjEZ65`$l%i
̓\ҶBKAAI[IB,D}wn,@mkb$n%i
T\-6StzFrPkEZ7g3t4ٌ-В;ri$
%/<IPXhyCnZd$
t$n,Cvyn$?URYL,%ZpÔynZ7!bܼ[FMP
)Z7!r꼒zFPC$yoo>#(I$ozCoDAoٛI#o(CdzooEFP
Z7`چs)&JI#o(C|z	-#	(I$pzCZ.C$z\IB7DK%bD7gHJ28BKlFi$%FTlW@NQ.Dvy/H
J)>ac
_ ?@~6
@a+'zqd#[c[?VhT6ݩfS*T`/2;U"VIq|'/cF3k%ӹV-gő}fc=E
2I7kҨ7lU!8#~SϐTmחu(Dz.PEʀnX:<)d̫e[7V6N8&|r%樘IVWxQKC%Ifvd@N7bG4k[5DM/uƮt̊;|]oMҢ(f̔LM{igu/yy2T^52uN,0ymIc6h
|+fTp,Nk"9lUFa7ŞQGSL]NV&P$rr+94rήoy5d-&AٕԮ`ք1Lˍd1J1	X+V>j2^8a9I֤jlͷ႕wLR<5cջaE{w.!:+3	&v%9Ϛ"K[R
:{z0gG|=gk7Lexr|XF0d9L/sMCn&\~37T&CY{	@aT7FR2!Z_'l7+l]4r4WRH|<,PUA3V$-qX-cqeɿixɳ˴'-c[[3];l[+1
[Y&´?;[7NK	aK9E٧l2dxv<Hx8*PiUҊ%CgϚ%
Y{Zk&#}m!$ڋ&ZlG'E.ٕRRC;QWUbYqFBy_Ȇ6>s+e6eU%Яo8&(zd5X*@1d9[c
bg27-,'/o0OW/l}XeOJ[>*'j+-IG	UlQ n9)ܽPݾ
ޙ1dM>>uE	y/*]k؟z0_&iB
n/D>}xwX&
zY
`Qܤl];yrQ'_Od1b_cuh:N	@^'Ĥ@
J
f&v]_{cw^ab?Q~4U	q$.5Wk_UP:Pp'c٢cE@A߰l~
 mY3'yч_`-4h>yÁבt),JlR/,e6gF+5@q3LMʪϣؑ2t[R5rj!6_#@v`==B.z^
w!)V.ͺpg^kv:s1Zp/R>iѮBr)Ra,G.<Вe
THک>Y#t
RաAy",.<˃[ZRNZ1zՓQ1Z%}
S9JM&`P{!3V*-<́d+.EuDԀwQXHp2=rB–quy-x=}-"t>3%-easi$}Tq,0kyk\o_~k;k&l2T0pZV:`3i}Z!\!Ꜥ?}
4vC`$	MI.Ly
'0LՇCW.>R!Ձhis?f-tyuT"LNv^1_6hg<7K*Uƹh:DoK+볢1ܾXʈ+*\80Wya0VH\ZTW2;8ā4ez2A
$v글'vbpXLҍ(7)k&u$UfݮQw#.QIq.XKY9 w]J6>:dR$W*ܵQq:w@<Vgf{:s[=:#U7{72n|߆ţw([C[׳@쳬ee:
uO,9&gcW΂*T?Df
~
~ʫ
,~:99+()<r!+VcdSV0ǬYO(  UTBE"`OwĴrZݖ{UL21*}VfhH詂-*:&#a@B"ɇXd@ff
5{֎?:[@z,'	2b\vZ;bXvRvaip&-&@pF@@Xj{=יDYDH3ٱ,lu@ő')Ĉ8|!qdLvXc` X!6WW]}>pskjw3LT67<P"L,bv)S?`#΢.ۜo
vq(
f1Qu@LO12%R
r5a[
0e"BN*upNs*t3o({gL'~3eH3i':Ö~cgZlI`ץ2gW%{BP՟heD狇9RyW!ODO1)D!$UE
vGZ{J,'>R쉣Y+3gjNQء:z
/agPRUPd*{ aǡ43~3Dqt+Z/քFRD<%:O@k,8SR{}n蟢,{jg) ݇9_(v8Ph"yUQG	!}8c:3<f}|~;"!6/^W-DbHXq$r.-s)YAykcsRLpx
T$b+UV摗jӉ+Dm
j{Dpjg(RN|CLbT-T-bTA=YYc:tcB<c>hӗ\fu:eFœgW<W2H
Uz2e\r! 8s]Jc
F@UWB$HoT
MӐ`Êz!h UO-(:uG(ee.ijDϋ)pKlq"
j߈!b@KtXN@7IL#XPodoSE:B"k+#(}|7'4O#?:m;W|XdtA/8X먵P`"}<l7Jo옹J:r+Cߣ":
'HD{zx_ˤP*БI:ihJBGq|.Pm؋O%lohx8/)\hUWj7q'LF숱ҼŒYկZܐ gfXq4ڐ%]עaJ)-j&^~˴ܪMG*éě<ah>0Uy%)>4eEWTx&b?*
{y-=h&U,Go-k^c\T-Ol1qQR(/hUV,OaN,򢕔~hX㵅"Zc2ynGdeaY)zo잝ϣvK\3;_W\`L'yUV@0+jpƪtWXX+E~}YEG<-b˖
‚G"I]1\T~Z2FH)O<L'adgQˇqd2ตCEbҌLqNhԇb&zx5rY\ᄬ17V$LLskDYY'2qK3sˁ"hOO!&ۛӃv@YRZx7mx&(d&3x`^4UkJodoBM5CهĐ#IZL'UL>W=f4KXjn҄c)K/<XBJ[s"zK_Td1߷B->m@zمlcAcUcx14+/Lu;!$'G%JɚynKzc1|YXz#GKL'c\ȮeD3/
6s\abWjLG:%nJylژ-§ucD8鄾t^*/^Lϐ	'Oc=9NXGE˜Lj$q,T"INsMG5d?H+q!@PUyBoFىhFj%CBonsZwWTr)ԧgsȆᄞױ5$%ؼΚ=g?n%a+A>ND	2la2:;*%@Pܝ `Ÿ\ƣg8؝)\'(p+j*2l:XU@lag*Fj+9'E/8ک3;_HW9^5I
YN>1a^:+0E
%;0ERt"4*;Vrzhw5US5V2DvyZKjƌDELa%C[Zr$t
<[NSN:B{HB3=r_8JZS$BeLd?`n(XNcYh-SeiԆ%?,R6W&=?4fɉ&W"NA0uZ7ӇbހmXnX(M\r[ U`BK=3N`T3nM-x8z2g*p0)Ysi\%z(8iou$_ X-e:_a9ۑCӷS"x]i\h$?2(B06
I)gp7#]~HLC'&z1jݖ-tTo;;?I"%QǛя"bjW0̍J?kMY#A{RGeG?H6Ο:g'!3d>Y( Q#;H1ae`U?@Hh؀ )ڼ+Ƞ%!7JZnϦA8H@^	(sH9&bQv2	iNB	%%vuAep%9Vg	š,#ҳdN}Auβ1Z,#"hag IN,f5Ϩw3P[iڞIx.$%7L;4"
-\p~	[ȇw?Fb̛1*!-Gy]vDFS}gNR\qkxPh4>c.ANU:vm;9
UIQ'AY'r4w,nYLĴY$,m"ͱᇿt1w((I$Ph-)arR BBbf-ܪ1Nm(q~p+voE%T'ӗ<7NDwȀ $IUh{\͛:϶.f Ҏ2xdke%SUZ2262ٔMiM3~At$I-o6:4fGgWw_@pRfsz;
F>JTx50oxX`-'q(8m@Ye0}H03FpgoXն07)a)lvYg
_yT<2FLItN2M a j1P<G.Y8,|^qpzǑ|?%Hy (#2>G2I`E-Ԍ,!PlH%P(*7lX0z,`;Ȱ
|ēddid3Vv0,pi@Hϑi32[x9m$2efee+} ד, Z) ,u'7dH+(%Y.;d斀@0;Tǧ̿W'dc:d.`1nVaœ?9ZCX倩'yF@nS~u4Z"V<F>o.5\uhSXE*歼A:(ٸ\#-B(8NsܯwNeO?u(o3רA+6;h]
k's=J*?KJ
t]\܃Ttu`_ӿsqkCU O=P:Wѵvz?s5LU콮{y.Bm+?m#^9sC{cprwCvq޹p!hS'A;*UŊ-kȭR/f5rnbG۔AWnCےRJ975%	'أgh,ޝT]٪
5iN.l<囍{t ~{4p[8h
̐~B87u8dAMJ+Iج1fRg-_6SZ[{cz^t~ٶA6l/|6bE=R7`:7p<n^٥}>ۻEw30{\0Og}'W.NOTW.‹k
+טln}wwhkqعo6]OgWRKf:F
SQy}xK-d{w
\T%y|ÞG#t#Ukkh]8/d=
o(Zp?^ţ=S{1Wzn|Η.xwY.}e}j.żoհ/}j}}yM^PFsܯS^;<|
a'a_0Uw}>α`ӹxXoŋO'=zi1"mnԏ<~At*t-/ܧ-}t6=Aimtj~'1]BO/5#Ct=k7eoE}ᴶZz'.Œ
3|荸ߞD| t~mfj7տ3#<+,ix+Eʑ:P]Mm7BT3a
QJ9Sp;Rv0@W-w}]-]?րUXzj*[xƢsbdqoxp"T(_*^TI
8~I[Tl
EJ[FU-a#+KHD$kUPtFDN,#oM4,qS$m΁
\?BvFa,ýص#5NE)WhV%vcN?Ijp~VkGl-M;-λtoG<&rpyAĖ.8͂Oַ{Zi'pDʚ֫vK\%:UM[S}Gxed깫xQk߮iGrGnO>Zr2GeЮP;&.Gמ{u"ͷ
bc[R\Qݻؘo5bʮtSn%&w9}]4aJOOv26-Qn2t^eDކ*6:).mWxKԀ;<Zʼ^ec9"#37KWi:jG"q}ˑ&cr|L-7*;&]w_dA8V=J/4DD;㶫Z<E%٩`DDDvJ;AK*<Ĥѻ`RjŇKFpLY-<VrB䎮aDYnF.7*;bD-g>-i$e9tuk"ꦎ,Fy]bw8UQk]3澖1*[%W6H4xJߕ$P#gxف
jblVۑThĎ|}j/9~7z(ScOSldgL VBai=?dy,aku0kLc>Ց7kl,OĥDY	8KŖͻ[;9Fº<
:VDY%DQ'kjF³[/ڝn7;yb)acO;M
L`Gew_w(o#!	SUhxKrl)	H;O97~E@SmJ%U,nZulڶeeSH<t⭡jOZ$lhU-GgY[켐kl0``00``00``00``00``00``00`
(D2B'g]f0pR

Anon7 - 2022
AnonSec Team