Introduction to 802.1X Network Access Control

802.1X is an IEEE standard for port-based network access control. It ensures that only authenticated and authorized devices can connect to a network—whether wired or wireless. In an enterprise environment, 802.1X prevents unauthorized devices (laptops, phones, IoT devices) from simply plugging into a network port or connecting to a corporate Wi-Fi and gaining access. Windows Server 2019 with the Network Policy Server (NPS) role acts as the RADIUS authentication server for 802.1X. This tutorial covers the complete 802.1X infrastructure: NPS RADIUS server configuration, certificate deployment for EAP-TLS, switch/AP RADIUS client configuration, and Group Policy for client supplicant settings.

802.1X Architecture

The 802.1X architecture has three components: the Supplicant (the client device requesting access), the Authenticator (the network switch or wireless access point that blocks or permits traffic), and the Authentication Server (NPS running RADIUS). When a device connects to a port, the switch places the port in an unauthorized state in which only EAPOL frames from the device are accepted; the switch relays the EAP exchange to NPS inside RADIUS messages. NPS validates the client's credentials (certificate or username/password) and instructs the switch to authorize the port or keep it blocked.

Prerequisites

Before configuring 802.1X, ensure you have: NPS installed and registered in Active Directory (see Post 61), a working PKI with an Enterprise CA (see Post 59), certificate templates for NPS server authentication and client computer authentication, 802.1X-capable managed switches or wireless access points, and domain computers with auto-enrolled machine certificates.

Configuring the NPS Server Certificate

The NPS server needs a Server Authentication certificate issued by your internal CA. The certificate’s Subject or SAN must match the NPS server’s FQDN. This certificate is presented to clients during the TLS handshake. Enroll for it using the Certificates MMC snap-in.

# Request certificate via certreq or certlm.msc
certlm.msc

# Verify the NPS server has a valid server auth certificate
# Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1; the store is the local machine's Personal store
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1" } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
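A fuller check of the requirements above (Server Authentication EKU, private key present, Subject or SAN matching the FQDN, chain to a trusted root), written as an added example rather than code from the original post; the function name and the FQDN nps01.corp.example.com are assumed.

```powershell
# Added example, not code from the original post. Checks whether the local machine
# store holds a certificate NPS can present for EAP-TLS. $NpsFqdn is an assumed value.
function Test-NpsServerCertificate {
    param([string]$NpsFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid }
    foreach ($cert in $candidates) {
        $problems = @()
        # NPS signs the TLS handshake with this key, so a public-only cert is useless.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
        # Supplicants match the server name against the Subject CN or a SAN DNS entry.
        $names = @()
        $cn = $cert.GetNameInfo('SimpleName', $false)
        if ($cn) { $names += $cn }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += @($san.Format($false) -split ',\s*' |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { $_ -replace '^DNS Name=', '' })
        }
        if ($names -notcontains $NpsFqdn) {
            $problems += "no name matches $NpsFqdn (found: $($names -join ', '))"
        }
        # Clients only accept the cert if its chain ends at a root they trust.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $problems += 'chain error: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Example call; replace the FQDN with your NPS server's name (assumed value).
Test-NpsServerCertificate -NpsFqdn 'nps01.corp.example.com' | Format-List
```

A certificate with Usable = False will still appear in the NPS dropdown, so run this before choosing it in the Network Policy.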

Configuring the 802.1X Network Policy in NPS

Create a Connection Request Policy and Network Policy specifically for 802.1X. In the NPS console, right-click Network Policies and select New. Name the policy “802.1X Wired” or “802.1X Wireless” depending on the deployment.

Conditions to add: NAS Port Type should be Ethernet for wired or Wireless-IEEE 802.11 for wireless. Add a Windows Groups condition specifying “Domain Computers” (for machine authentication) or “Domain Users” (for user authentication). Most enterprise deployments use machine authentication only, so domain computers can authenticate before any user logs in.

In Constraints, configure Authentication Methods. Select EAP and configure Microsoft: Smart Card or other certificate for EAP-TLS, or Microsoft: Protected EAP (PEAP) for PEAP-MSCHAPv2. For EAP-TLS, select the NPS server certificate from the dropdown.

Configuring the Managed Switch as a RADIUS Client

Configure the managed switch to use NPS as its RADIUS authentication server. The exact CLI syntax varies by switch vendor (Cisco, HP/Aruba, Juniper, Dell). The following examples show Cisco IOS syntax for configuring 802.1X with NPS.

! Cisco IOS switch configuration
aaa new-model
radius server NPS01
 address ipv4 10.0.1.10 auth-port 1812 acct-port 1813
 key Y0urStr0ngSharedS3cret!

aaa group server radius NPS-SERVERS
 server name NPS01

aaa authentication dot1x default group NPS-SERVERS
aaa authorization network default group NPS-SERVERS
aaa accounting dot1x default start-stop group NPS-SERVERS

dot1x system-auth-control

interface GigabitEthernet0/1
 description Workstation Port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

Add the Switch as a RADIUS Client in NPS

Register the switch’s IP address as a RADIUS client in NPS with the matching shared secret.

# Run from an elevated PowerShell prompt on the NPS server. requireauthattrib=yes makes
# NPS require the RADIUS Message-Authenticator attribute from this client.
netsh nps add client `
    name="Core-Switch-01" `
    address="10.0.1.1" `
    state="enable" `
    sharedsecret="Y0urStr0ngSharedS3cret!" `
    requireauthattrib="yes"

Configuring Client Supplicant via Group Policy

Windows domain computers have a built-in 802.1X supplicant. Configure it via Group Policy to automatically use EAP-TLS with the machine certificate. Create a GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies. Right-click and select Create a new Wired Network Policy for Windows Vista and Later.

Name the policy and click Add on the Security tab to configure a profile. Select Microsoft: Smart Card or other Certificate as the authentication method. Under Configure, select the trusted root CA that issued the NPS server certificate. Enable “Use simple certificate selection” and “Verify the server’s identity by validating the certificate”. This ensures clients verify they are connecting to the correct NPS server.

Configuring VLAN Assignment via RADIUS

A powerful 802.1X feature is dynamic VLAN assignment. NPS returns RADIUS attributes to the switch that instruct it to place the authenticated client in a specific VLAN based on group membership. Add RADIUS Standard attributes to the Network Policy Settings: Tunnel-Type (13 = VLAN), Tunnel-Medium-Type (6 = 802), and Tunnel-Pvt-Group-ID (the VLAN ID number as a string).

# These attributes are set in NPS Network Policy > Settings > RADIUS Attributes > Standard
# Tunnel-Type: Value = 13 (VLAN)
# Tunnel-Medium-Type: Value = 6 (802)
# Tunnel-Pvt-Group-ID: Value = "100" (VLAN 100 for workstations)

# Verify NPS RADIUS attributes using netsh
netsh nps show np name="802.1X Wired"

Testing 802.1X Authentication

Connect a domain computer to an 802.1X-enabled switch port. Monitor NPS events and the switch’s dot1x status:

# NPS audit events: 6272 = access granted, 6273 = access denied, 6278 = full access granted
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id = @(6272, 6273, 6278)
    StartTime = (Get-Date).AddMinutes(-10)
} | Select-Object TimeCreated, Id, Message

On the Cisco switch, check authenticated port status:

show authentication sessions interface GigabitEthernet0/1
show dot1x all
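To make the denied-access events triagable, here is an added example (not from the original post) that parses the text of event 6273 into objects and groups rejects by reason code and RADIUS client, so a policy mismatch or an unprocessable EAP type shows up as a pattern; the function name and the two sample messages are constructed.

```powershell
# Added example, not code from the original post. Parses NPS event 6273 (access denied)
# text into objects and groups rejects by reason and RADIUS client.
function ConvertFrom-NpsDenyMessage {
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        # Pull the value that follows "Label:" on its own line of the event text.
        $field = {
            param($Label)
            $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
            if ($Message -match $pattern) { $Matches[1] } else { $null }
        }
        [pscustomobject]@{
            Account    = & $field 'Fully Qualified Account Name'
            Client     = & $field 'Client Friendly Name'
            CallingMac = & $field 'Calling Station Identifier'
            Policy     = & $field 'Network Policy Name'
            ReasonCode = [int](& $field 'Reason Code')
            Reason     = & $field 'Reason'
        }
    }
}
# Constructed sample messages in the layout NPS writes to the Security log.
$sampleMessages = @(
@"
Network Policy Server denied access to a user.
    Fully Qualified Account Name:  corp.example.com/Computers/WS01
    Calling Station Identifier:    00-11-22-33-44-55
    Client Friendly Name:          Core-Switch-01
    Network Policy Name:           -
    Reason Code:                   48
    Reason:                        The connection request did not match any configured network policy.
"@,
@"
Network Policy Server denied access to a user.
    Fully Qualified Account Name:  corp.example.com/Computers/WS02
    Calling Station Identifier:    00-11-22-33-44-66
    Client Friendly Name:          Core-Switch-01
    Network Policy Name:           802.1X Wired
    Reason Code:                   22
    Reason:                        The client could not be authenticated because the EAP Type cannot be processed by the server.
"@
)
$sampleMessages | ConvertFrom-NpsDenyMessage |
    Group-Object ReasonCode, Client | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } } |
    Format-Table -AutoSize
# Against the live log, feed in the message text of the last day's 6273 events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.Message } | ConvertFrom-NpsDenyMessage
```

Reason code 48 with Network Policy Name "-" means no Network Policy matched the request, which usually points at the NAS Port Type or Windows Groups conditions set earlier.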

Configuring Guest VLAN for Non-802.1X Devices

Some devices (printers, IP phones, IoT sensors) cannot perform 802.1X authentication. Configure a guest VLAN on the switch for unauthenticated devices to fall into a restricted network segment.

! Cisco IOS guest VLAN for non-802.1X capable devices (legacy dot1x syntax)
! guest-vlan: used when the device never answers EAPOL; auth-fail vlan: used when authentication fails
interface GigabitEthernet0/1
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999

Conclusion

802.1X Network Access Control on Windows Server 2019 with NPS provides port-level authentication that ensures only trusted domain members access the corporate network. EAP-TLS with machine certificates delivers the strongest security—requiring a valid CA-issued certificate rather than just a username and password. Combining 802.1X with dynamic VLAN assignment gives you automated network segmentation based on device identity. This is a cornerstone of zero-trust networking principles and is required by many compliance frameworks.