SafeNet Agent for NPS


RELEASE NOTES

The SafeNet Agent for NPS adds strong authentication to Microsoft’s Network Policy Server (NPS) environments by transferring Remote Authentication Dial-In User Service (RADIUS) requests received by NPS to the SAS PCE or STA.

NPS is the Microsoft implementation of a RADIUS server, and is included in the Microsoft Windows Server 2008, 2012 and 2016 families. The NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, remote access (dial-up and VPN), and router-to-router connections.

Release Information

Release Summary – SafeNet Agent for Network Policy Server 2.1.1

This release includes important security updates and resolves issues found since the previous release. The details follow.

Security Enhancements

Important security updates are introduced with this release, both at the infrastructure and the agent level, empowering users with a more dependable authentication experience.

Resolved Issues

Please find below details of the solutions provided.

Issue Synopsis
SASNOI-3499 The incorrect parameter error, encountered during installation of the SafeNet Agent for NPS on non-English Operating Systems is now resolved.
SASNOI-3491 The internal error about a non-functioning device attached to the system is now resolved.

Release Summary – SafeNet Agent for Network Policy Server 2.1.0

The SafeNet Agent for NPS 2.1.0 introduces new features and resolves a known issue.

Support for Transport Layer Security v1.2

Support for the Transport Layer Security (TLS) v1.2 protocol has now been added.

Extended Operating System Support

The SafeNet Agent for Network Policy Server now supports Windows 2016 (64-bit).

Security Enhancements

To better secure the communication between channels, the SafeNet Agent for Network Policy Server 2.1.0 contains certain security enhancements at infrastructure and agent level.

Upgrade from Version 2.0

The SafeNet Agent for Network Policy Server 2.1.0 supports upgrade from version 2.0.

Resolved Issue

Issue Synopsis
SASNOI-3600 The SafeNet Agent for Network Policy Server now works correctly when receiving an authentication request using the MSCHAPv2 protocol.

Release Summary – SafeNet Agent for Network Policy Server 2.0

The SafeNet Agent for Network Policy Server 2.0 introduces new features and repairs a known issue.

Support for Push OTP

The SafeNet Agent for Network Policy Server 2.0 supports the Push OTP function with MobilePASS+ (Gemalto’s new generation mobile authenticator) when SAS Authentication Server Cloud Edition 3.9.1 and later versions become available.

Support for Return Attributes

The SafeNet Agent for Network Policy Server 2.0 supports the use of SAS-defined user or group RADIUS Return Attributes.

Gemalto Branding

The SafeNet Agent for Network Policy Server 2.0 has been updated with Gemalto branding.

Upgrade from Version 1.31

The SafeNet Agent for Network Policy Server 2.0 supports upgrade from version 1.31.

Resolved Issue

Issue Synopsis
SASIL-2640 The SafeNet Agent for Network Policy Server now works correctly when receiving an authentication request from Aruba ClearPass.

Advisory Notes

Administrator Credentials Required

The SafeNet Agent for Network Policy Server must execute with administrator credentials. This applies to the installation of the agent and to running NPS Configuration Management options.

Logging with Push OTP

When logging in to a website supporting the Push OTP function, the user enters the Username, leaves the password field empty, and clicks the login button. The user then receives a prompt on their MobilePASS+ app to accept or reject the logon request. On accepting the logon request, the user is logged in to the website.

Known Issues

Issue Synopsis

SASNOI-3737

Description: If you select the Authenticate requests on this server option (on the Specify Connection Request Forwarding window), the authentication is sometimes directed to the SAS/STA (and approved) instead of being rejected to perform an AD user validation check.

Workaround: None. Will be fixed in a future release.

SASNOI-3604

Description: Sometimes, an error may be encountered while opening the agent.

Workaround: Navigate to Active Directory > Builtin > Create New Group, and add Network Service Group manually.

SASNOI-3589

Description: Authentication fails using challenge-response token if CHAP or MSCHAPv2 protocol is employed.

Workaround: None. Will be fixed in a future release.

SASNOI-3533

Description: The Server Status Check always reports that the Secondary (Failover) Server is off-line, even if it is running correctly.

Workaround: None. Will be fixed in a future release.

SASNOI-3499

Description: An error message is encountered while installing the agent on non-English Operating Systems.

Workaround: None. Will be fixed in a future release.

SASNOI-3366

Description: Push functionality does not work when NPS is configured using the Token Validator Proxy (TVP) Agent.

Workaround: Add an exception so that, when NPS is configured with a proxy, the connection to the TVP is routed directly.

SASIL-3183

Description: If the SafeNet Agent for NPS is working via a proxy server, when running the Server Status Check procedure (NPS Configuration Management > Authentication Test), the SAS/STA server is reported as being off-line, even though it is running correctly.

Workaround: None. Will be fixed in a future release.

Compatibility and Component Information

System Requirements

Prerequisites

Microsoft .NET Framework 4.5.2 (or above) must be installed on the same computer as the SafeNet Agent for NPS.

Operating Systems

  • Windows Server 2008 R2 (64-bit)

    NPS does not support TLS v1.2 on Windows Server 2008 R2 environments. To use TLS v1.2, the administrator must upgrade to Windows 2008 R2 SP1 and install the following patch: KB3140245.

  • Windows Server 2012 R2 (64-bit)

  • Windows Server 2016 (64-bit)
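
The prerequisites above can be verified on the target host before installing the agent. The following PowerShell is an added example, not vendor code: the function name `Test-NpsAgentPrerequisites` is hypothetical, and the Windows version numbers (6.1, 6.3, 10.0 build 14393) and the .NET `Release` value 379893 for 4.5.2 are general Microsoft values rather than values taken from these release notes.

```powershell
# Added example (not vendor code): checks the prerequisites listed in these notes.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 shipped with 2008 R2.
function Test-NpsAgentPrerequisites {
    $checks = @()

    # .NET Framework 4.5.2 or above: the v4\Full "Release" DWORD is 379893 for 4.5.2.
    $netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Release
    $checks += New-Object PSObject -Property @{
        Check  = '.NET Framework 4.5.2 or above'
        Pass   = ($release -ge 379893)
        Detail = "Release=$release"
    }

    # Supported servers: 2008 R2 (6.1), 2012 R2 (6.3), 2016 (10.0 build 14393).
    $os         = Get-WmiObject -Class Win32_OperatingSystem
    $ver        = [version]$os.Version
    $majorMinor = '{0}.{1}' -f $ver.Major, $ver.Minor
    $isServer   = ($os.ProductType -ne 1)   # 1 = workstation
    $supported  = $isServer -and (
        $majorMinor -eq '6.1' -or $majorMinor -eq '6.3' -or
        ($majorMinor -eq '10.0' -and $ver.Build -eq 14393))
    $checks += New-Object PSObject -Property @{
        Check  = 'Supported Windows Server version'
        Pass   = $supported
        Detail = "Version=$($os.Version)"
    }

    # TLS v1.2 on 2008 R2 needs SP1 plus KB3140245 (per the note above).
    if ($majorMinor -eq '6.1') {
        $sp1 = ($os.ServicePackMajorVersion -ge 1)
        # Get-HotFix reads Win32_QuickFixEngineering; updates not recorded there are not listed.
        $kb  = [bool](Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)
        $checks += New-Object PSObject -Property @{
            Check  = 'TLS v1.2 prerequisites (2008 R2 SP1 + KB3140245)'
            Pass   = ($sp1 -and $kb)
            Detail = "SP=$($os.ServicePackMajorVersion); KB3140245 installed=$kb"
        }
    }

    $checks | Select-Object Check, Pass, Detail
}

Test-NpsAgentPrerequisites | Format-Table -AutoSize
```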

Authentication Management Platforms

  • (STA)

  • SAS PCE 3.9.1 and later

Authentication Protocols

The SafeNet Agent for NPS supports the following authentication protocols:

  • PAP

  • CHAP

  • MS-CHAP v2

The following restrictions apply when working in Challenge/Response mode:

  • Tokens in Challenge/Response mode are supported only for PAP.

  • GrIDSure tokens are supported only for PAP and MS-CHAP v2. MS-CHAP v2 requires SAS 3.5.1 or later.

    To use GrIDSure with the SafeNet Agent for NPS, the user must utilize an external GrIDSure service (for example SAS Self Service Portal).

Push OTP

The SafeNet Agent for NPS will support the Push OTP function with MobilePASS+ when working with the STA as well as the SAS PCE 3.9.1 and later versions.

Note

  1. High Push OTP utilization can lower the authentication throughput in the NPS.

  2. To use Push OTP, ensure that the agent's server can connect to the PUSH Service. If you are using a proxy with the agent's server, add the IP address of the PUSH Service in the proxy.

When using Push OTP, we recommend the following settings in the RADIUS Client:

Multiple NPS servers (backup/failover)

  • Timeout: 60 seconds

  • Retries: 1

Single NPS server

  • Timeout: 20 seconds

  • Retries: 3

Upgrade

The SafeNet Agent for Network Policy Server 2.1.1 supports upgrade from versions 2.0 and 2.1.0.