How to Set Up Windows Server 2016 NPS RADIUS
Network Policy Server (NPS) is the Microsoft implementation of a RADIUS (Remote Authentication Dial-In User Service) server and proxy. NPS provides centralized authentication, authorization, and accounting (AAA) for network access requests, including VPN connections, 802.1X wireless and wired authentication, dial-up, and remote access through RRAS. By centralizing authentication policy in NPS, you can enforce consistent access control policies across all network access infrastructure using Active Directory credentials and group memberships, eliminating the need to manage credentials on individual network devices.
Understanding NPS Components
NPS operates using three key components. Connection Request Policies determine whether NPS processes the request locally or forwards it to another RADIUS server. Network Policies define the conditions (such as group membership, time of day, or authentication method) that must be met for access to be granted. RADIUS Clients are the network devices (VPN servers, wireless access points, managed switches) that forward authentication requests to NPS. NPS evaluates connection request policies first, then network policies in processing order, applying the first policy whose conditions match, so understanding how these policies interact is essential for correct NPS configuration.
Prerequisites
NPS integrates with Active Directory for user authentication, so the NPS server should be domain-joined with a healthy secure channel to a domain controller. Network devices that will use NPS as a RADIUS server must be configured with the NPS server’s IP address and a shared secret. Plan your RADIUS shared secrets in advance: they should be long and random, unique per device, and stored securely. Confirm the domain and the secure channel before installing the role:
Get-ADDomain | Select DNSRoot, DomainMode, DomainSID
Test-ComputerSecureChannel -Verbose
Step 1: Install the NPS Role
Install the Network Policy and Access Services role with the Network Policy Server sub-feature:
Install-WindowsFeature NPAS -IncludeManagementTools
Install-WindowsFeature -Name "RSAT-NPAS" -IncludeAllSubFeature
Verify the NPS service started:
Get-WindowsFeature NPAS | Select Name, InstallState
Get-Service IAS | Select Name, Status, StartType
Step 2: Register NPS in Active Directory
NPS must be registered in Active Directory to read user account properties needed for dial-in permission checks. The NPS server’s computer account must be a member of the RAS and IAS Servers group in AD:
# Register NPS server in Active Directory
netsh nps add registeredserver
# Alternatively, add the computer account to the RAS and IAS Servers group
Add-ADGroupMember -Identity "RAS and IAS Servers" -Members (Get-ADComputer -Identity $env:COMPUTERNAME)
Verify the registration:
Get-ADGroupMember -Identity "RAS and IAS Servers" | Where-Object { $_.objectClass -eq "computer" } | Select Name
Step 3: Add RADIUS Clients
Add each network device (VPN server, wireless controller, switch) as a RADIUS client in NPS. The shared secret must match what is configured on the device:
# Add a VPN server as a RADIUS client
# Use single quotes for secrets: in double quotes PowerShell expands "$haredS3cr3t" as a variable and mangles the secret
New-NpsRadiusClient -Name "VPN-Server-01" -Address "10.0.0.50" -SharedSecret 'C0mpl3x$haredS3cr3t!' -AuthAttributeRequired $false
# Add a Cisco wireless LAN controller
New-NpsRadiusClient -Name "WLC-01" -Address "10.0.1.10" -SharedSecret 'Wir3l3ss$ecr3t!' -VendorName "Cisco"
# Add a managed switch for 802.1X
New-NpsRadiusClient -Name "CoreSwitch-01" -Address "10.0.0.254" -SharedSecret 'Sw1tch$ecr3t!' -VendorName "Cisco"
# List all configured RADIUS clients (do not leave literal secrets like these in saved scripts)
Get-NpsRadiusClient | Select Name, Address, Enabled | Format-Table
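As an added example (not code from the original article), the following PowerShell generates a unique random shared secret per client with a cryptographic RNG, registers the clients with New-NpsRadiusClient, and keeps the secrets in a DPAPI-protected file for hand-off to device owners; the client inventory below is constructed for illustration.

```powershell
# Added example: one random shared secret per RADIUS client (not the article's own code).
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Characters that survive quoting on most network-device CLIs (no 0/O, 1/l/I)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+=@'.ToCharArray()
    # Accept a byte only if it lies below the largest multiple of the alphabet size,
    # so that byte % size is uniform (no modulo bias)
    $limit = $alphabet.Length * [math]::Floor(256 / $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

# Constructed inventory; in practice read it from your device inventory
$clients = @(
    @{ Name = 'VPN-Server-01'; Address = '10.0.0.50' },
    @{ Name = 'WLC-01';        Address = '10.0.1.10'; Vendor = 'Cisco' }
)

$issued = foreach ($c in $clients) {
    $secret = New-RadiusSharedSecret
    $params = @{ Name = $c.Name; Address = $c.Address; SharedSecret = $secret }
    if ($c.Vendor) { $params.VendorName = $c.Vendor }
    New-NpsRadiusClient @params | Out-Null
    [pscustomobject]@{ Name = $c.Name; Address = $c.Address; Secret = $secret }
}

# Sanity check: every device received a different secret
if (($issued.Secret | Select-Object -Unique).Count -ne $issued.Count) { throw 'duplicate secret generated' }

# Store the secrets for hand-off; SecureString + Export-Clixml encrypts them with
# DPAPI, so the file is readable only by this user on this machine
$issued | ForEach-Object { $_.Secret = ConvertTo-SecureString $_.Secret -AsPlainText -Force; $_ } |
    Export-Clixml -Path "$env:ProgramData\nps-client-secrets-$(Get-Date -Format yyyyMMdd).xml"
```

Each device's secret is then configured on that device alone, so a compromised switch or controller does not expose the secret used by any other RADIUS client.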
Step 4: Create a Network Policy for VPN Access
Network policies define the conditions required for access. Create a policy that allows VPN access for members of a specific AD group (the group condition is written as DOMAIN\Group; corp is the example domain here). If the network-policy cmdlets are not available in your NPS module, create the same policy in the NPS console under Policies > Network Policies:
# Create an AD group for VPN users
New-ADGroup -Name "VPN-Users" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "VPN-Users" -Members "vpnuser1","vpnuser2"
# Create the NPS Network Policy
New-NpsNetworkPolicy `
-Name "Allow VPN Users" `
-ProcessingOrder 1 `
-PolicySource "Local" `
-ConditionWindowsGroup @("corp\VPN-Users") `
-AuthenticationTypes @("MsCHAPV2") `
-EncryptionType @("MPPE128") `
-AccessType Allow `
-Enabled $true
View all configured network policies:
Get-NpsNetworkPolicy | Select Name, ProcessingOrder, Enabled, AccessType | Sort-Object ProcessingOrder | Format-Table
Step 5: Configure NPS for RRAS Integration
When NPS is used as the RADIUS server for RRAS, configure RRAS to forward authentication requests to NPS instead of authenticating locally:
# On the RRAS server, switch the authentication provider from Windows to RADIUS
netsh ras aaaa set authentication provider=radius
# Add the primary and secondary NPS servers; the secret must match the RADIUS client entry on NPS
# (single quotes keep PowerShell from expanding "$haredS3cr3t" as a variable)
netsh ras aaaa add authserver name=10.0.0.60 secret='C0mpl3x$haredS3cr3t!' init-score=30 timeout=30
netsh ras aaaa add authserver name=10.0.0.61 secret='C0mpl3x$haredS3cr3t!' init-score=20 timeout=30
# Verify RRAS authentication settings
netsh ras aaaa show authentication
netsh ras aaaa show authserver
Step 6: Configure 802.1X Policy for Wireless Authentication
Create a network policy for 802.1X wireless authentication. This requires EAP authentication (PEAP-MSCHAPv2 is most common for password-based wireless):
New-NpsNetworkPolicy `
-Name "Allow 802.1X Wireless" `
-ProcessingOrder 2 `
-ConditionWindowsGroup @("corp\Domain Users") `
-AuthenticationTypes @("EAP") `
-EAPProviders @("Microsoft: Protected EAP (PEAP)") `
-AccessType Allow `
-Enabled $true
# PEAP (and EAP-TLS) requires a server-authentication certificate on NPS that wireless clients trust
# List candidate certificates and their thumbprints
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.EnhancedKeyUsageList -like "*Server Authentication*" } | Select Subject, Thumbprint
Step 7: Configure RADIUS Accounting
Enable RADIUS accounting to log authentication events, connection durations, and session statistics. This is important for auditing and troubleshooting:
# Configure NPS accounting to a local log file in IAS format
Set-NpsAccountingConfiguration -LoggingType LocalFile -LogFileFormat IAS -LogDirectory "C:\Windows\System32\LogFiles"
# Enable accounting for authentication and session data
Set-NpsAccountingConfiguration -AccountingAcceptedRequests $true `
-AccountingRejectedRequests $true `
-AccountingInterimUpdates $true `
-AuthenticationRequests $true `
-AccountingOnOffRequests $true
Step 8: Monitor NPS and Troubleshoot
Review NPS authentication events and use the NPS log files for detailed troubleshooting:
# View recent NPS authentication events (written only if the "Network Policy Server" audit subcategory is enabled)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274, 6275, 6276, 6278, 6279 } -MaxEvents 50 | Select TimeCreated, Id, Message | Format-List
# Event IDs:
# 6272 = Network Policy Server granted access to a user
# 6273 = Network Policy Server denied access to a user
# 6274 = Network Policy Server discarded the request for a user
# 6275 = Network Policy Server discarded the accounting request for a user
# 6276 = Network Policy Server quarantined a user
# 6278 = Network Policy Server granted full access to a user
# 6279 = Network Policy Server locked the user account due to repeated failed authentication attempts
# Export NPS configuration for backup or migration
# exportPSK=YES writes the RADIUS shared secrets in plain text: restrict access to the export file
netsh nps export filename="C:\NPS_Backup\nps_config_$(Get-Date -Format yyyyMMdd).xml" exportPSK=YES
# Check NPS service health and AD registration
Get-Service IAS | Select Name, Status
netsh nps show registeredserver
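As an added example (not code from the original article), this PowerShell first checks that the Network Policy Server audit subcategory is enabled, then summarises the last day's granted and denied requests by account and RADIUS client so repeated failures stand out; the window and threshold are arbitrary starting points.

```powershell
# Added example: NPS denial summary from the Security log (not the article's own code).
param([int]$Hours = 24, [int]$Threshold = 5)

# Events 6272/6273 only appear when this audit subcategory is enabled
$audit = auditpol /get /subcategory:"Network Policy Server" /r | Where-Object { $_ } | ConvertFrom-Csv
if ($audit.'Inclusion Setting' -notmatch 'Success and Failure') {
    Write-Warning 'Enable auditing: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable'
}

# Pull one labelled field out of the rendered event message
function Get-NpsField([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*${Label}:\s*(.+?)\s*$") { return $Matches[1] }
    return ''
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Result  = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        Account = Get-NpsField $e.Message 'Account Name'
        Client  = Get-NpsField $e.Message 'Client Friendly Name'
        Reason  = Get-NpsField $e.Message 'Reason Code'
    }
}

# Denials per account and RADIUS client, most frequent first
$rows | Where-Object Result -eq 'Denied' |
    Group-Object Account, Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts above the threshold in the window deserve a closer look (password spraying, stale credentials on a device)
$rows | Where-Object Result -eq 'Denied' | Group-Object Account |
    Where-Object Count -ge $Threshold |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Count) denials in the last $Hours h" }
```

Run it as a scheduled task on each NPS server, or point Get-WinEvent at a forwarded-events collector if the Security logs are centralised.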
NPS as a RADIUS server consolidates authentication policy for all network access in a Windows Active Directory environment. By centralizing 802.1X, VPN, and remote access authentication through a single NPS deployment, administrators gain consistent policy enforcement, unified logging, and simplified management across all network access technologies.