How to Configure Network Policy Server (NPS) on Windows Server 2019

Network Policy Server (NPS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. NPS centralizes authentication, authorization, and accounting for wireless connections, authenticating switches, remote access VPN connections, and dial-up connections. NPS enables you to enforce consistent network access policies, integrate with Active Directory for user authentication, and connect to logging servers for accounting records. It is also used as the RADIUS server for 802.1X network authentication.

Installing NPS

# Install the NPS role
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Verify the installation
Get-WindowsFeature -Name NPAS*

# Start the NPS service
Start-Service IAS
Set-Service IAS -StartupType Automatic
Get-Service IAS

Registering NPS in Active Directory

To allow NPS to read user dial-in properties and group memberships from Active Directory, register it in AD. This adds the NPS server’s computer account to the RAS and IAS Servers security group:

# Register NPS in Active Directory
netsh nps add registeredserver domain=corp.example.com server=nps01.corp.example.com

# Or using the NPS console: right-click NPS (Local) > Register Server in Active Directory

# Verify registration (Get-ADGroupMember comes from the ActiveDirectory RSAT module) -
# the computer account should be in the "RAS and IAS Servers" group
Get-ADGroupMember -Identity "RAS and IAS Servers" | Where-Object { $_.Name -like "*NPS01*" }

Configuring RADIUS Clients

RADIUS clients are the network devices (access points, VPN servers, switches) that forward authentication requests to NPS. Each device must be registered with a shared secret:

# Add a RADIUS client (Cisco wireless access point)
# The secrets below are sample values; give each device its own random secret of at least 22 characters
New-NpsRadiusClient `
    -Address 192.168.1.50 `
    -Name "Cisco-AP-Floor1" `
    -SharedSecret "SecureSharedSecret123!" `
    -AuthAttributeRequired $false `
    -VendorName "Cisco"

# Add multiple access points from a subnet (using address range)
New-NpsRadiusClient `
    -Address 192.168.2.0/24 `
    -Name "Floor2-APs" `
    -SharedSecret "APSharedSecret456!" `
    -AuthAttributeRequired $false

# Add a VPN server as a RADIUS client
New-NpsRadiusClient `
    -Address 192.168.1.200 `
    -Name "VPN-Server-01" `
    -SharedSecret "VPNSecret789!" `
    -VendorName "Microsoft"

# List all RADIUS clients
Get-NpsRadiusClient | Select-Object Name, Address, VendorName | Format-Table
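Registering devices one by one with hand-typed secrets does not scale and tends to produce short, reused secrets. The following is an added example, not part of the original page: it provisions RADIUS clients from an inventory and generates a random 32-character shared secret per device with the .NET CSPRNG, in line with the shared-secret guidance at the end of this page. The inventory columns (Name, Address, VendorName) and the sample rows are constructed for the example.

```powershell
# Added example: bulk-register RADIUS clients from an inventory with per-device random secrets.
# Assumes an inventory with the columns Name,Address,VendorName (constructed sample below).

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Exactly 64 symbols, so "byte mod 64" introduces no bias; all are accepted by common NAS vendors
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)  # CSPRNG, not Get-Random
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# Constructed sample inventory; in practice: $inventory = Import-Csv .\radius-clients.csv
$inventory = @'
Name,Address,VendorName
Cisco-AP-Floor3,192.168.3.50,Cisco
Core-Switch-01,192.168.1.2,Cisco
'@ | ConvertFrom-Csv

$provisioned = foreach ($row in $inventory) {
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $row.Name -Address $row.Address -VendorName $row.VendorName `
        -SharedSecret $secret | Out-Null
    [pscustomobject]@{ Name = $row.Name; Address = $row.Address; SharedSecret = $secret }
}

# The secrets exist only here until they are entered on the devices: hand them over through a
# secrets store or an out-of-band channel, and delete this file once the devices are configured
$provisioned | Export-Csv -Path .\radius-secrets.csv -NoTypeInformation

# Verify that NPS now knows every device in the inventory
Get-NpsRadiusClient | Where-Object { $_.Name -in $inventory.Name } | Select-Object Name, Address, VendorName
```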

Creating Network Policies

Network policies define the conditions under which users and computers are granted or denied access. Policies are evaluated in priority order until a match is found:

# NOTE: the NPS PowerShell module on Windows Server 2019 ships no cmdlet for network policies.
# The New-NpsNetworkPolicy calls below are shorthand for the settings to enter in the NPS
# console (Policies > Network Policies > New) or with "netsh nps add np"; they do not run as-is.

# Create a network policy for wireless domain users
New-NpsNetworkPolicy `
    -Name "Allow Domain Users Wireless" `
    -ProcessingOrder 1 `
    -Enabled $true `
    -PolicyAction Grant `
    -Condition @(
        @{type="NAS-Port-Type"; value="19"},              # 19 = Wireless IEEE 802.11
        @{type="Windows-Groups"; value="CORP\Domain Users"}
    ) `
    -AuthenticationMethod @("EAP","MsChapV2")

# Create a policy for VPN access restricted to the VPN-Users group
New-NpsNetworkPolicy `
    -Name "Allow VPN Users" `
    -ProcessingOrder 2 `
    -Enabled $true `
    -PolicyAction Grant `
    -Condition @(
        @{type="NAS-Port-Type"; value="5"},               # 5 = Virtual (VPN)
        @{type="Windows-Groups"; value="CORP\VPN-Users"}
    ) `
    -AuthenticationMethod @("EAP","MsChapV2") `
    -IdleTimeout 900 `
    -SessionTimeout 36000

# Create a deny-all policy (lowest priority, fallback)
New-NpsNetworkPolicy `
    -Name "Deny All" `
    -ProcessingOrder 100 `
    -Enabled $true `
    -PolicyAction Deny

# List network policies in processing order
netsh nps show np

Configuring Connection Request Policies

Connection Request Policies determine whether NPS processes authentication requests locally or forwards them to a remote RADIUS server (acting as a RADIUS proxy). For local processing, use the default policy. For proxy scenarios, create forwarding rules:

# View existing connection request policies in processing order
netsh nps show crp

# NOTE: the NPS PowerShell module ships no cmdlet for connection request policies. The call
# below is shorthand for the settings to enter in the NPS console (Policies > Connection
# Request Policies > New) or with "netsh nps add crp"; it does not run as-is.
# Create a connection request policy to forward requests from a partner organization
New-NpsConnectionRequestPolicy `
    -Name "Forward Partner RADIUS" `
    -ProcessingOrder 1 `
    -Enabled $true `
    -Condition @(
        @{type="User-Name"; value=".*@partner\.com$"}    # Regex match for partner UPN (escape the dot)
    ) `
    -AuthProvider "RemoteRADIUSServerGroup" `
    -RemoteRadiusServerGroup "Partner-RADIUS-Group"

Configuring 802.1X Wired Authentication

802.1X port authentication on network switches requires clients to authenticate before receiving network access. NPS provides the RADIUS backend for 802.1X:

# NOTE: as with the network policies earlier, New-NpsNetworkPolicy is shorthand for settings
# entered in the NPS console or with "netsh nps add np"; the NPS module has no such cmdlet.
# Create a network policy for 802.1X wired authentication
New-NpsNetworkPolicy `
    -Name "802.1X Wired Domain Computers" `
    -ProcessingOrder 3 `
    -Enabled $true `
    -PolicyAction Grant `
    -Condition @(
        @{type="NAS-Port-Type"; value="15"},              # 15 = Ethernet
        @{type="Windows-Groups"; value="CORP\Domain Computers"}
    ) `
    -AuthenticationMethod @("EAP")

# Configure EAP settings for certificate-based authentication
# EAP type 13 = EAP-TLS (certificate-based, most secure)
# EAP type 25 = PEAP-MSCHAPv2 (password-based with TLS tunnel)

# For both PEAP and EAP-TLS the NPS server needs a server certificate issued by an enterprise CA
# (private key present, Server Authentication EKU); list the candidates in the machine store
certutil -store My | findstr "Subject"

# Dump the full NPS configuration to confirm the EAP types and certificate selected in each policy
netsh nps show config
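Most PEAP and EAP-TLS outages trace back to the server certificate: expired, missing the Server Authentication EKU, issued without an exportable/private key, or chaining to a CA the clients do not trust. The following is an added example, not from the original page, that checks every certificate in the machine store against those requirements (the 30-day expiry margin is an assumption; adjust to your renewal cycle).

```powershell
# Added example: report which machine-store certificates NPS can present for PEAP / EAP-TLS
# and why the others are unusable. Checks: private key, Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), not within $MinDaysLeft of expiry, chain validates on this host.

function Test-NpsServerCertificate {
    param([int]$MinDaysLeft = 30)   # assumed renewal margin
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
        # No EKU extension at all means "all purposes"; otherwise Server Authentication must be listed
        if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) { $problems += "expires $($cert.NotAfter.ToShortDateString())" }
        if (-not $cert.Verify()) { $problems += 'chain does not validate on this server' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Usable certificates first; anything listed with Problems will fail PEAP / EAP-TLS if selected in the policy
Test-NpsServerCertificate | Sort-Object Usable -Descending | Format-Table -AutoSize
```

Chain validation runs on the NPS host; the supplicants must also trust the issuing CA, which in a domain is normally handled by the enterprise CA publishing to NTAuth and the Trusted Root store via Group Policy.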

Configuring RADIUS Accounting

RADIUS accounting logs connection events (authentication, session start, session stop, interim updates) for billing, security auditing, and network monitoring:

# Configure RADIUS accounting to log to a SQL Server database
# First, create the RADIUS accounting database schema
# Schema script: C:\Windows\System32\ias\iasAccesslog.sql

# Configure accounting in NPS
netsh nps set accounting `
    accountingsql enable `
    sqlaccountingdatalink "Provider=SQLOLEDB;Data Source=sql01;Initial Catalog=NPSAccounting;Integrated Security=SSPI"

# Configure local file-based accounting as fallback
netsh nps set accounting logaccountingonoff enable
netsh nps set accounting logdir C:\NPSLogs
netsh nps set accounting logtype monthly

# Confirm that authentication events are also reaching the Security log (see Monitoring NPS below)
Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=6272 or EventID=6273 or EventID=6274]]" -MaxEvents 10 | Select-Object TimeCreated, Message

Configuring NPS for RADIUS Proxy

When NPS acts as a RADIUS proxy, it forwards authentication requests to remote RADIUS servers. This is used for hub-and-spoke topologies or federated authentication scenarios:

# Create a remote RADIUS server group
New-NpsRemoteRadiusServerGroup -Name "Partner-RADIUS-Group"

# Add remote RADIUS servers to the group (the NPS module cmdlet is New-NpsRemoteRadiusServer)
New-NpsRemoteRadiusServer `
    -RemoteRadiusServerGroupName "Partner-RADIUS-Group" `
    -Address 203.0.113.20 `
    -SharedSecret "ProxySecret123!" `
    -AuthenticationPort 1812 `
    -AccountingPort 1813 `
    -Priority 1 `
    -Weight 50

New-NpsRemoteRadiusServer `
    -RemoteRadiusServerGroupName "Partner-RADIUS-Group" `
    -Address 203.0.113.21 `
    -SharedSecret "ProxySecret123!" `
    -AuthenticationPort 1812 `
    -AccountingPort 1813 `
    -Priority 1 `
    -Weight 50

# View remote RADIUS server groups and their members
Get-NpsRemoteRadiusServerGroup
Get-NpsRemoteRadiusServer -RemoteRadiusServerGroupName "Partner-RADIUS-Group"

Backing Up and Restoring NPS Configuration

# Export NPS configuration (policies, clients, settings)
# exportPSK=YES writes every RADIUS shared secret into the XML in clear text: protect the
# file like a password vault and delete spare copies once the import is done
netsh nps export filename="C:\Backup\NPS-Config-$(Get-Date -Format 'yyyyMMdd').xml" exportPSK=YES

# Import NPS configuration on a new or rebuilt server
netsh nps import filename="C:\Backup\NPS-Config-20240115.xml"

# Backup NPS configuration using the built-in cmdlet (shared secrets are likewise exported in clear text)
Export-NpsConfiguration -Path "C:\Backup\NPS-Export.xml"

# Import NPS configuration
Import-NpsConfiguration -Path "C:\Backup\NPS-Export.xml"

Monitoring NPS

# NPS writes its authentication events to the Security log only while the
# "Network Policy Server" audit subcategory is enabled; check it, and enable it if needed
auditpol /get /subcategory:"Network Policy Server"
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# View the 20 most recent NPS authentication events (filtering in the query is far faster
# than piping the whole Security log through Where-Object)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274, 6275, 6276, 6278, 6279, 6280 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Event IDs:
# 6272: Network Policy Server granted access to a user
# 6273: Network Policy Server denied access to a user
# 6274: Network Policy Server discarded the request for a user
# 6275: Network Policy Server discarded the request received from a RADIUS client
# 6278: Network Policy Server granted full access to a user (health validation passed)
# 6279: Network Policy Server locked the user account due to repeated failed authentication attempts
# 6280: Network Policy Server unlocked the user account

# Check NPS service health
Get-Service IAS
netsh nps show status
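Reading 6273 messages one at a time does not tell you whether a burst of denials is one mistyped password, a misconfigured access point, or credential guessing through a single RADIUS client. The following is an added example, not from the original page: it converts the events' XML into objects and summarises denials by reason code and by RADIUS client. The EventData field names it reads (ReasonCode, Reason, ClientName, NetworkPolicyName, FullyQualifiedSubjectUserName) are assumed from the 6273 event schema, so confirm them with `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 1).ToXml()` on your own server; the sample event and the 20-denial threshold are constructed for the example.

```powershell
# Added example: summarise NPS denials (event 6273) by reason code and RADIUS client.
# The <Data Name="..."> field names below are assumed from the 6273 event schema; verify with .ToXml().
function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    # local-name() sidesteps the default namespace on the <Event> element
    foreach ($n in $x.SelectNodes('//*[local-name()="Data"]')) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    [pscustomobject]@{
        Time       = [datetime]$x.SelectSingleNode('//*[local-name()="TimeCreated"]').GetAttribute('SystemTime')
        EventId    = [int]$x.SelectSingleNode('//*[local-name()="EventID"]').InnerText
        User       = $d['FullyQualifiedSubjectUserName']
        Client     = $d['ClientName']
        Policy     = $d['NetworkPolicyName']
        ReasonCode = [int]$d['ReasonCode']
        Reason     = $d['Reason']
    }
}

function Get-NpsDenialSummary {
    param([object[]]$Events, [int]$ClientThreshold = 20)   # threshold is an assumed starting point
    $denied = @($Events | Where-Object EventId -eq 6273)
    [pscustomobject]@{
        Denied       = $denied.Count
        ByReason     = $denied | Group-Object ReasonCode | Sort-Object Count -Descending |
                       Select-Object @{n='ReasonCode';e={$_.Name}}, Count, @{n='Reason';e={$_.Group[0].Reason}}
        # one client producing many denials: a misconfigured device, or credential guessing through it
        NoisyClients = $denied | Group-Object Client | Where-Object Count -ge $ClientThreshold |
                       Select-Object @{n='Client';e={$_.Name}}, Count
    }
}

# Constructed sample event, trimmed to the fields used above, so the functions can be tried offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>6273</EventID>
<TimeCreated SystemTime="2024-01-15T09:12:44.000Z"/></System><EventData>
<Data Name="FullyQualifiedSubjectUserName">corp.example.com/Users/jdoe</Data>
<Data Name="ClientName">Cisco-AP-Floor1</Data><Data Name="NetworkPolicyName">Allow Domain Users Wireless</Data>
<Data Name="ReasonCode">16</Data><Data Name="Reason">Authentication failed due to a user credentials mismatch.</Data>
</EventData></Event>
'@
(Get-NpsDenialSummary -Events @(ConvertFrom-NpsEventXml $sample) -ClientThreshold 1).NoisyClients

# Live use: the last 24 hours from the Security log
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object { ConvertFrom-NpsEventXml $_.ToXml() }
$s = Get-NpsDenialSummary -Events $live; $s.ByReason | Format-Table -AutoSize; $s.NoisyClients | Format-Table -AutoSize
```

Reason code 16 (credentials mismatch) dominating from one client is the pattern worth alerting on; a spread of codes across many clients usually points at a policy or certificate change instead.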

NPS is the central authentication authority for network access in Windows environments. Deploy it in pairs for redundancy, as RADIUS clients typically support primary and secondary server configurations. Ensure the NPS servers have valid certificates from your internal CA for EAP-TLS or PEAP authentication, and use strong shared secrets (minimum 22 characters) for RADIUS client configuration.