Monday, March 11, 2013

New 2012 Powershell CmdLets: Role Focus on NPS (Radius) Server

This will be one in a series of posts highlighting the new cmdlets available in Windows Server 2012 that didn't previously exist. I'll be breaking them down on a role-by-role (or feature) basis for easier reading. The first we'll be focusing on is the NPS server included with Windows Server, which is often used for RADIUS authentication.



Load the module: (on a 2012 Server\Win8 machine with the NPS server role or management tools loaded)

import-module NPS

Get the commands:

get-command -module NPS

CommandType     Name
-----------     ----
Cmdlet          Export-NpsConfiguration
Cmdlet          Get-NpsRadiusClient
Cmdlet          Get-NpsRemediationServer
Cmdlet          Get-NpsRemediationServerGroup
Cmdlet          Get-NpsSharedSecretTemplate
Cmdlet          Import-NpsConfiguration
Cmdlet          New-NpsRadiusClient
Cmdlet          New-NpsRemediationServer
Cmdlet          New-NpsRemediationServerGroup
Cmdlet          Remove-NpsRadiusClient
Cmdlet          Remove-NpsRemediationServer
Cmdlet          Remove-NpsRemediationServerGroup
Cmdlet          Set-NpsRadiusClient


Let's walk through these:

Export-NpsConfiguration: This is great; it exports all configuration of the NPS server EXCEPT templates to an XML file for backup or import to a different server. Anything containing template information will be converted to information specific to that configuration item and exported. For example, if a client profile uses a template shared secret, the shared secret will export successfully, but it will be an attribute of that client configuration rather than a link to the template. This remains true even if the target server you import into already has template elements defined with the same names. Also note that if you have a SQL server configured for accounting/auditing, that information will not be exported either. Security warning: all information, including shared secrets, is stored in the XML file in clear text, so protect the file accordingly. Command example:


Export-NpsConfiguration c:\temp\NPSConfig.xml


Get-NpsRadiusClient, Get-NpsRemediationServer, Get-NpsRemediationServerGroup, Get-NpsSharedSecretTemplate: Enumerate the RADIUS clients, remediation servers (and groups), and shared secret templates on the local server. Only the Get-NpsRemediationServer cmdlet requires an argument (the group to list). The others show all items on the server, and you can use the usual pipeline cmdlets (Where-Object, Select-Object) to filter the output. Security warning: Get-NpsSharedSecretTemplate (and Get-NpsRadiusClient) will display shared secrets in clear text.
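Since the Get cmdlets will happily dump shared secrets to the console, here is an added example (not from the original post) of a read-only audit that reports on the RADIUS clients without ever printing the secret itself, only its length. It assumes the NPS module is loaded, that the objects returned by Get-NpsRadiusClient expose the same property names the New-/Set- cmdlets use as parameters (Name, Address, Enabled, SharedSecret, VendorName, AuthAttributeRequired), and that a 22-character minimum secret length is the local standard; adjust that threshold to your own policy.

```powershell
# Added example, not part of the original post. Read-only audit of NPS RADIUS
# clients that never echoes the shared secret; it reports the length only,
# so the output is safe to paste into a ticket or keep in a log.
Import-Module NPS

$minSecretLength = 22   # assumed policy threshold; change to match your standard

$report = Get-NpsRadiusClient | ForEach-Object {
    $findings = @()

    # A disabled client is usually stale; either re-enable it or remove it
    if (-not $_.Enabled) { $findings += 'disabled' }

    # Short secrets are easy to brute force once RADIUS traffic is captured
    if ($_.SharedSecret.Length -lt $minSecretLength) { $findings += 'short-secret' }

    # One secret shared by a wide address range (wider than /24 here) means
    # any host in that range can talk to NPS with the same credential
    if ($_.Address -match '/(\d+)$' -and [int]$Matches[1] -lt 24) {
        $findings += 'broad-range'
    }

    # AuthAttributeRequired = "Access-Request must contain Message-Authenticator"
    if (-not $_.AuthAttributeRequired) { $findings += 'no-message-authenticator' }

    [pscustomobject]@{
        Name         = $_.Name
        Address      = $_.Address
        Vendor       = $_.VendorName
        Enabled      = $_.Enabled
        SecretLength = $_.SharedSecret.Length   # length only, never the value
        Findings     = ($findings -join ',')
    }
}

# Show everything, flagged clients first
$report | Sort-Object { $_.Findings -eq '' }, Name | Format-Table -AutoSize
```

Run it as an administrator on the NPS server; clients with an empty Findings column are clean under these (assumed) rules. The regex only fires for CIDR-style entries, so clients registered by hostname or single IP are left alone for the range check.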

Import-NpsConfiguration: When supplied with an XML configuration file generated by Export-NpsConfiguration (above), it imports that NPS server configuration. As noted above, you cannot import information regarding templates or SQL auditing, but everything else comes over fine. These two commands could be used in a scheduled task if desired, to sync configuration from a "master" NPS server to others within the organization. Command example:


Import-NpsConfiguration c:\temp\NPSConfigFromThatOtherServer.xml


New-NpsRadiusClient, New-NpsRemediationServer, New-NpsRemediationServerGroup, Remove-NpsRadiusClient, Remove-NpsRemediationServer, Remove-NpsRemediationServerGroup: Commands to set up and remove NPS/RADIUS clients, remediation servers, and remediation server groups. Pretty straightforward; here's a New-NpsRadiusClient example:


New-NpsRadiusClient -Name "NameOfMyClientGroup" -Address "10.1.0.0/16" -AuthAttributeRequired 0 -NapCompatible 0 -SharedSecret "SuperSharedSecretxyz" -VendorName "RADIUS Standard"


Set-NpsRadiusClient: All this does is change a value on an existing client specification. It is useful for batch updates across all client profiles. Take, for example, this command, which disables every client profile on the server:


foreach ($i in Get-NpsRadiusClient){Set-NpsRadiusClient $i.name -Enabled 0}


So here's a fun idea: automate config changes across all your NPS/RADIUS servers with a master/slave relationship using a shared storage space, PowerShell, and Task Scheduler. It's as easy as 1, 2, 3! (Sheesh, did I just say that?)


  1. Create simple PowerShell scripts to export the configuration to a shared file space (on the "master" NPS server) and to import from the shared file space (on the "slave" NPS servers). You may want to version them...
  2. Create a scheduled task on the "master" to export however often you like, and one scheduled task on each "slave" NPS server to import that config. Make sure the import runs after the export.
  3. Profit!
Quick notes: if doing this, be aware that changes flow automatically, so if you ruin your master you'll ruin your slaves too. As noted above, I'd recommend versioning the configuration files (use the date) so that you have a history of the changes; just make sure you're fully aware of the fact that the shared secret is in the clear in every one of those files. If you wanted to get really fancy to protect that, you could use a common service account and EFS, but that's a little deep for this article. :)
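Here is the steps 1 and 2 procedure written out as one script, as an added example that is not from the original post. The share name, the retention count, the marker-file location and the file naming scheme are all assumptions; the script is meant to be launched by Task Scheduler with -Role Master on the master and -Role Slave on each slave, under a service account that holds the NPS role rights and is the only identity with access to the share (which is where the clear-text secrets end up).

```powershell
# Added example, not part of the original post: NPS config sync for the
# master/slave setup. Usage (from Task Scheduler, under a service account):
#   powershell.exe -File Sync-NpsConfig.ps1 -Role Master     # on the master
#   powershell.exe -File Sync-NpsConfig.ps1 -Role Slave      # on each slave
param(
    [Parameter(Mandatory)][ValidateSet('Master', 'Slave')][string]$Role,
    [string]$Share = '\\fileserver\npsconfig$',    # assumed share; lock its ACL to the service account
    [int]$Keep = 30                                  # dated versions to retain on the share
)
Import-Module NPS

# Dated file names give the version history the post recommends
$pattern = 'NPSConfig-*.xml'

function Export-NpsToShare {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Share ("NPSConfig-{0}.xml" -f $stamp)
    Export-NpsConfiguration -Path $file
    Write-Output "Exported configuration to $file"

    # Prune old copies: every file holds shared secrets in clear text, so do
    # not let an unbounded history accumulate on the share
    Get-ChildItem -Path $Share -Filter $pattern |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -Force
}

function Import-NpsFromShare {
    $latest = Get-ChildItem -Path $Share -Filter $pattern |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $latest) {
        Write-Warning "No $pattern file found on $Share; nothing imported"
        return
    }

    # Marker file (assumed location) records what was last applied, so a task
    # that fires before the master has produced a new export does nothing
    $markerDir = Join-Path $env:ProgramData 'NpsSync'
    $marker    = Join-Path $markerDir 'last-imported.txt'
    if (Test-Path $marker -and (Get-Content $marker) -eq $latest.Name) {
        Write-Output "$($latest.Name) already imported; skipping"
        return
    }

    # Copy locally first so a half-written file on the share is never imported
    $local = Join-Path $env:TEMP $latest.Name
    Copy-Item -Path $latest.FullName -Destination $local -Force
    try {
        Import-NpsConfiguration -Path $local
        New-Item -ItemType Directory -Path $markerDir -Force | Out-Null
        Set-Content -Path $marker -Value $latest.Name
        Write-Output "Imported $($latest.Name)"
    }
    finally {
        # Do not leave a clear-text copy of the secrets in the temp folder
        Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
    }
}

switch ($Role) {
    'Master' { Export-NpsToShare }
    'Slave'  { Import-NpsFromShare }
}
```

Schedule the slave task a few minutes after the master task so the import always sees the latest export; the marker file makes an early run harmless rather than wrong. Because Import-NpsConfiguration replaces the live configuration, keep the retention count high enough that you can roll the master back to a known-good dated file if a bad change gets pushed.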

In the mood for some references? Me too!
Technet NPS Migration Guide
Technet NPS Server Migration (different)
Technet NPS Cmdlets (Note the referenced -full and -examples aren't actually in the files)
Technet: Export NPS Config

Any questions? Let me know. Have fun!

