Create a Remote Access Policy

 You are the security analyst for a small corporate network. You previously configured the BranchVPN1 server as a remote access server to allow VPN connections. Members of the sales department connect to the server to upload their sales reports as they work from home or on the road.

In this lab, your task is to create and configure a network policy to allow members of the sales department to remotely connect using the following parameters:

• Name the policy Sales.
• Use a remote access server.
• Connecting users/computers must belong to the Sales group.
• Deny access to any account that is not configured in Active Directory.
• Configure permissions to use settings in the Active Directory user accounts (User Dial-in properties). User account settings are configured by an Active Directory user account administrator.
• Use the secured password (EAP-MSCHAP v2).
• Configure a session timeout of 30 minutes.
• As a constraint, allow access only from 6:00 a.m. to 9:00 p.m., Monday–Friday.
• Make the policy first in the list of policies.

EXPLANATION

Complete this lab as follows:

1. Create a remote access network policy named Sales.
   1. From Server Manager, select Tools > Network Policy Server.
   2. Maximize the window for better viewing.
   3. Expand Policies.
   4. Right-click Network Policies and then select New.
   5. In the Policy name field, enter Sales.
   6. From the Type of network access server drop-down list, select Remote Access Server (VPN-Dial up).
   7. Select Next.
   8. Add a condition to the network policy.
      1. Select Add to add group membership as a condition.
      2. Select Windows Groups.
      3. Select Add.
      4. Select Add Groups.
      5. Under Enter the object names to select, enter Sales.
      6. Select OK.
      7. Select OK to close the Windows Groups dialog.
      8. Select Next.
   9. Specify the access permissions.
      1. Select Access denied.
      2. Select Access is determined by User Dial-in properties.
      3. Select Next.
   10. Configure the authentication methods.
       1. Under EAP Types, select Add.
       2. Select Microsoft: Secured password (EAP-MSCHAP v2) and then select OK.
       3. Under Less secure authentication methods, unmark all options.
       4. Select Next.
       5. Configure a session timeout constraint.
          1. Under Constraints, select Session Timeout.
          2. Select Disconnect after the following maximum session time.
          3. Set the timeout session time to 30 minutes.
       6. Configure a day and time restriction constraint.
          1. Under Constraints, select Day and Time restrictions.
          2. Select Allow access only on these days and at these times.
          3. Select Edit. Select the entire day and time box and then select denied then create days and times you want after as it will of cleared the access from the rest of the days and times. 
          4. Modify the settings to allow access only from 6:00 a.m. to 9:00 p.m., Monday-Friday.
          5. Select OK and then select Next.
          6. From the Configure Settings dialog (RADIUS Attributes), select Next.
          7. Select Finish.
       7. Under Policy Name, make sure that the Sales policy is at the top of the list.