How to Set Up Windows Server 2016 Network Policy Server

Network Policy Server (NPS) is Microsoft’s implementation of a RADIUS (Remote Authentication Dial-In User Service) server, proxy, and network access policy engine in Windows Server 2016. NPS authenticates, authorizes, and accounts for dial-up, VPN, wireless, and switch connections. It integrates with Active Directory to enforce network access policies and log all connection attempts, making it central to 802.1X wired and wireless deployments, VPN authentication, and RADIUS accounting.

Common NPS Use Cases

  • VPN authentication for Windows Routing and Remote Access Service (RRAS).
  • 802.1X authentication for wired and wireless network access.
  • RADIUS proxy to forward authentication to another RADIUS server.
  • Remote desktop gateway authentication.
  • Network device authentication for Cisco, Juniper, or other RADIUS clients.

Step 1: Install Network Policy Server

Install-WindowsFeature NPAS -IncludeManagementTools

This installs NPS along with the Health Registration Authority and Host Credential Authorization Protocol components. Verify installation:

Get-WindowsFeature -Name NPAS

Step 2: Register NPS in Active Directory

NPS must be registered in AD to read users’ dial-in properties:

netsh nps add registeredserver domain=corp.local server=NPSServer01.corp.local

Or using the NPS console: right-click NPS (Local) > “Register server in Active Directory”.

Add the NPS server computer account to the “RAS and IAS Servers” group in AD:

Add-ADGroupMember -Identity "RAS and IAS Servers" -Members "NPSServer01$"

Step 3: Add RADIUS Clients

RADIUS clients are network devices (VPN concentrators, wireless access points, switches) that send authentication requests to NPS. Add a client using PowerShell:

New-NpsRadiusClient -Name "VPN-Gateway" `
  -Address "192.168.1.1" `
  -SharedSecret "V3ryStr0ngRadiusSecret!" `
  -AuthAttributeRequired $false `
  -VendorName "Microsoft"

List all configured RADIUS clients:

Get-NpsRadiusClient
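Added example, not part of the original page: onboarding several RADIUS clients at once with the NPS module's New-NpsRadiusClient, generating each shared secret from the .NET CSPRNG instead of choosing it by hand and skipping client names that already exist. The client inventory (names, addresses, vendor strings) is constructed for the example; in practice it would come from Import-Csv.

```powershell
# Requires the NPS module (installed with the NPAS role) and an elevated session.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-symbol alphabet: 256 = 4 * 64, so "byte % 64" maps uniformly and introduces no bias.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # 32 symbols from a 64-symbol alphabet is 192 bits of entropy per secret.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed inventory (hypothetical devices); replace with Import-Csv of your own list.
$clients = @(
    [pscustomobject]@{ Name = 'VPN-Gateway'; Address = '192.168.1.1';  Vendor = 'Microsoft' }
    [pscustomobject]@{ Name = 'WLC-01';      Address = '192.168.1.20'; Vendor = 'RADIUS Standard' }
)

# Names already registered in NPS; $null -contains 'x' is simply $false on an empty server.
$existing = (Get-NpsRadiusClient).Name

$issued = foreach ($c in $clients) {
    if ($existing -contains $c.Name) {
        Write-Warning "RADIUS client '$($c.Name)' already exists; skipping."
        continue
    }
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $c.Name -Address $c.Address `
        -SharedSecret $secret -VendorName $c.Vendor | Out-Null
    # Record the secret in your secrets vault and hand it to the device owner out of band;
    # it is never written to a log by this script.
    [pscustomobject]@{ Name = $c.Name; Address = $c.Address; SharedSecret = $secret }
}

$issued | Format-Table -AutoSize
```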

Step 4: Create a Connection Request Policy

Connection Request Policies determine whether NPS processes a request locally or forwards it. Create a policy to process all requests locally:

New-NpsConnectionRequestPolicy -Name "Process All Locally" `
  -State Enabled `
  -ProcessingOrder 1 `
  -PolicySource "Local"

Step 5: Create a Network Policy

Network Policies define who can connect and under what conditions. Create a policy that allows VPN access for members of the VPN-Users group:

New-NpsNetworkPolicy -Name "VPN Users Policy" `
  -State Enabled `
  -ProcessingOrder 1 `
  -Conditions @("MATCH(`"Windows Groups`",`"CORP\VPN-Users`")") `
  -AuthenticationType MSCHAPv2 `
  -AccessType Allow

For 802.1X with certificate-based authentication:

New-NpsNetworkPolicy -Name "802.1X Wireless" `
  -State Enabled `
  -ProcessingOrder 2 `
  -Conditions @("MATCH(`"NAS Port Type`",`"19`")") `
  -AuthenticationType PEAP `
  -AccessType Allow

Step 6: Configure RADIUS Accounting

Enable SQL or text file accounting to log all connection attempts:

Set-NpsAccounting -EnableAccountingOnFailure $true `
  -AccountingOnOffRequest $true `
  -LogFileDirectory "C:\Windows\System32\LogFiles" `
  -LogFileFormat DTS

For SQL logging, configure the database connection:

Set-NpsSqlAccountingConfig -SqlServerName "SQLServer01" `
  -DatabaseName "NPS_Accounting" `
  -MaxSessions 50

Step 7: Configure NPS as a RADIUS Proxy

Configure NPS to forward authentication requests to a remote RADIUS server group:

New-NpsRemoteRadiusServer -Name "Remote-NPS" `
  -Address "10.0.0.50" `
  -SharedSecret "ProxySecret123!" `
  -AuthPort 1812 `
  -AcctPort 1813 `
  -Priority 1 `
  -Weight 50

New-NpsRemoteRadiusServerGroup -Name "RemoteNPSGroup" `
  -RemoteRadiusServer "Remote-NPS"

Step 8: Configure Windows Firewall for NPS

NPS uses UDP ports 1812 (authentication) and 1813 (accounting) by default:

New-NetFirewallRule -DisplayName "RADIUS Authentication" -Direction Inbound -Protocol UDP -LocalPort 1812 -Action Allow
New-NetFirewallRule -DisplayName "RADIUS Accounting" -Direction Inbound -Protocol UDP -LocalPort 1813 -Action Allow

Step 9: Export and Import NPS Configuration

Export NPS configuration for backup or migration:

Export-NpsConfiguration -Path "C:\NPS\NPSConfig.xml"

Import configuration on another NPS server:

Import-NpsConfiguration -Path "C:\NPS\NPSConfig.xml"

Step 10: Monitor NPS Events

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272,6273,6274,6275,6276,6278 } -MaxEvents 20 |
  Select-Object TimeCreated, Id, Message

Key NPS event IDs: 6272 = access granted, 6273 = access denied, 6274 = discarded request, 6278 = granted full access.
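Added example, not part of the original page, extending Step 10: a parser for the EventData fields of NPS events 6272/6273/6274 and a summary of denials grouped by RADIUS client and reason code, which is the view a defender wants when a device or policy starts failing. The field names it reads (SubjectUserName, ClientIPAddress, NetworkPolicyName, ReasonCode, Reason) are assumed from the event XML; confirm them with (Get-WinEvent ...)[0].ToXml() on your own server.

```powershell
function ConvertFrom-NpsEvent {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $outcome = switch ($Event.Id) { 6272 { 'Granted' } 6273 { 'Denied' } 6274 { 'Discarded' } default { 'Other' } }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Id         = $Event.Id
            Outcome    = $outcome
            User       = $data['SubjectUserName']      # assumed EventData field names
            ClientIP   = $data['ClientIPAddress']
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

# Last 24 hours of NPS decisions. FilterHashtable filters inside the event log service
# instead of streaming the whole Security log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | ConvertFrom-NpsEvent

# Denials per RADIUS client and reason code. One client with many denials for a single user
# usually means a misconfigured device; many users from one client points at a policy or
# certificate problem; a burst of unknown users from one client deserves an incident ticket.
$events | Where-Object Outcome -eq 'Denied' |
    Group-Object ClientIP, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP, ReasonCode'; e = { $_.Name } },
        @{ n = 'SampleReason';         e = { ($_.Group | Select-Object -First 1).Reason } } |
    Format-Table -AutoSize
```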

Summary

Network Policy Server on Windows Server 2016 is the cornerstone of network access control in Microsoft environments. By acting as a RADIUS server, NPS enforces who can access VPN, wireless, and wired networks based on AD group membership, certificate authentication, and time-of-day restrictions. Proper NPS configuration — with strong shared secrets, detailed accounting logs, and appropriate network policies — forms a critical layer of your network security architecture.