PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain contains a server named
NPS1 that has the Network Policy Server server role installed. All servers run Windows Server 2012 R2.
You install the Remote Access server role on 10 servers.
You need to ensure that all of the Remote Access servers use the same network policies.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)


A.
Configure each Remote Access server to use the Routing and Remote Access service (RRAS) to authenticate
connection requests.

B.
On NPS1, create a remote RADIUS server group. Add all of the Remote Access servers to the remote RADIUS
server group.

C.
On NPS1, create a new connection request policy and add a Tunnel-Type and a Service-Type condition.

D.
Configure each Remote Access server to use a RADIUS server named NPS1.

E.
On NPS1, create a RADIUS client template and use the template to create RADIUS clients.

Explanation:

Connection request policies are sets of conditions and settings that allow network administrators to designate
which RADIUS servers perform the authentication and authorization of connection requests that the server
running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be
configured to designate which RADIUS servers are used for RADIUS accounting.

When you configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS)
proxy, you use NPS to forward connection requests to RADIUS servers that are capable of processing the
connection requests because they can perform authentication and authorization in the domain where the user
or computer account is located. For example, if you want to forward connection requests to one or more
RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the
remote RADIUS servers in the untrusted domain.

To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the
information required for NPS to evaluate which messages to forward and where to send the messages.
Ref: http://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx
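
The routing decision described above, as a simplified model (an added example, not code from the original page or from Microsoft). The client addresses, policy names and server group name are constructed, and the model assumes policies are checked in order with the first match deciding whether a request is handled on this server or forwarded.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ConnectionRequestPolicy:
    name: str
    conditions: dict = field(default_factory=dict)  # attribute -> accepted values
    forward_to: Optional[str] = None  # remote RADIUS server group; None = handle here

    def matches(self, request: dict) -> bool:
        # Every condition must hold; a policy with no conditions matches everything.
        return all(request.get(attr) in accepted
                   for attr, accepted in self.conditions.items())

def route_request(request, source_ip, radius_clients, policies):
    """Decide what a simplified NPS does with one Access-Request."""
    if source_ip not in radius_clients:
        return ("discard", "sender is not a configured RADIUS client")
    for policy in policies:  # model assumption: processing order, first match wins
        if policy.matches(request):
            if policy.forward_to:
                return ("forward", policy.forward_to)
            return ("authenticate-locally", policy.name)
    return ("discard", "no connection request policy matched")

# Constructed sample data: addresses, policy names and group name are hypothetical.
RADIUS_CLIENTS = {"10.0.0.11", "10.0.0.12"}  # two of the Remote Access servers
POLICIES = [
    ConnectionRequestPolicy(
        name="Proxy L2TP tunnels",
        conditions={"Tunnel-Type": {"L2TP"}, "Service-Type": {"Framed"}},
        forward_to="RemoteRadiusGroup1"),
    ConnectionRequestPolicy(name="Default: authenticate on this server"),
]

def demo():
    l2tp = {"Tunnel-Type": "L2TP", "Service-Type": "Framed"}
    pptp = {"Tunnel-Type": "PPTP", "Service-Type": "Framed"}
    return [
        route_request(l2tp, "10.0.0.11", RADIUS_CLIENTS, POLICIES),   # proxied
        route_request(pptp, "10.0.0.12", RADIUS_CLIENTS, POLICIES),   # handled locally
        route_request(pptp, "192.0.2.50", RADIUS_CLIENTS, POLICIES),  # unknown sender
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```
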

14 Comments on “Which two actions should you perform?”

  1. Bruce941 says:

    I agree with Marcin about C being questionable. I think it could be E, or even B. Here’s a link that may help: https://technet.microsoft.com/en-us/library/ee663945%28v=ws.10%29.aspx

    As to choice B, here’s a bit from the link (last line) reference given in the answer:

    To configure a server running NPS to act as a RADIUS proxy and forward connection requests to other NPS or RADIUS servers, you must configure a remote RADIUS server group in addition to adding a new connection request policy that specifies conditions and settings that the connection requests must match.

    You can create a new remote RADIUS server group during the process of creating a new connection request policy with the New Connection Request Policy Wizard.




      1. bruce941 says:

        Can anyone explain why choice C is correct? Here are the definitions that are given in the answer.

        The Connection Properties attribute group contains the following attributes.

        Framed Protocol. Used to designate the type of framing for incoming packets. Examples are Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Frame Relay, and X.25.

        Service Type. Used to designate the type of service being requested. Examples include framed (for example, PPP connections) and login (for example, Telnet connections). For more information about RADIUS service types, see RFC 2865, “Remote Authentication Dial-in User Service (RADIUS).”

        Tunnel Type. Used to designate the type of tunnel that is being created by the requesting client. Tunnel types include the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP).

        https://msdn.microsoft.com/en-us/library/cc753603.aspx




  2. Bart says:

    C is NOT needed here!

    The question is in fact “How to guard the SAME network policies.”
    This is accomplished by making sure the servers point to each other.

    Answer is B AND D




  3. Matt says:

    I think it’s C and D.

    When you spin up your 10 VPN servers and you run through the configuration wizard and specify an NPS server…. If you then look up the Remote RADIUS clients you will see the VPN servers listed.

    If the NPS server is going to just serve as an intermediary where there are other NPS servers on the other side of it where other decisions are going to be made (Network or Health policies) then you set up a Remote RADIUS Server Group.

    If you choose an answer with RR Server Group then there has to be another server(s) beyond the NPS server.

    But this isn’t the case. You have 10 perimeter VPN servers that aren’t doing any decision making on their own. They are there to simply facilitate connectivity when they get the thumbs up from NPS1.

    E isn’t correct. When you set up the VPN server *RRAS* and you run through the setup you specify NPS1 by either FQDN or IP Address. The RRAS server is automatically added to the NPS1 RADIUS Clients list.




  4. Luq says:

    C and D

    https://technet.microsoft.com/en-us/library/cc771630(v=ws.10).aspx

    If you have more than one remote access server, rather than administer the network policies of all the remote access servers separately, you can configure a single server with the Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server and configure the remote access servers as RADIUS clients. The NPS server provides centralized remote access authentication, authorization, accounting, and auditing.




  5. PlagueHO says:

    D and E.

    Not A: No. Obviously.
    Not B: You would only use B if you were turning NPS1 into a RADIUS Proxy – and nothing is mentioned about forwarding connections upstream from NPS1.
    Not C: The default Connection Request policy on NPS1 is fine – why create another? Nothing is mentioned about NPS1 being used to handle any other types of connection requests.

    D: Because this is what tells RRAS to forward the connection onto NPS1 (and defines the shared secret to use to authenticate with NPS1).
    E: Because without a RADIUS client configured NPS1 will not accept connections from RRAS servers (this is where you’d configure the shared secret that is accepted).




  6. kurt says:

    It can’t be B. On NPS1, create a remote RADIUS server group. Add all of the Remote Access servers to the remote RADIUS
    server group.
    This is incorrect. You can’t add VPN servers to a RADIUS server group. They don’t even have NPS installed.




  7. Dev7 says:

    I understand why D and E is the answer; however, as the question states each remote access server should use the same NPS policies, is there another way for the policy settings to be present on the remote access servers without having all policies be centralized on one NPS server?



