How to Set Up a RADIUS Server with NPS on Windows Server 2012 R2

RADIUS (Remote Authentication Dial-In User Service) is the industry-standard AAA protocol — Authentication, Authorization, and Accounting — used by virtually all network access equipment including wireless access points, VPN concentrators, 802.1X network switches, and dial-up servers. Windows Server 2012 R2’s Network Policy Server (NPS) is a full-featured RADIUS server and proxy that integrates natively with Active Directory for user authentication and group-based policy enforcement. This guide provides a comprehensive walkthrough of deploying NPS as a RADIUS server for 802.1X wireless authentication, including certificate requirements, NPS policies, and RADIUS client configuration.

Prerequisites

NPS must be installed on a domain-joined Windows Server 2012 R2 machine. For 802.1X wireless or wired authentication using PEAP, the NPS server requires a TLS server certificate with Server Authentication (OID 1.3.6.1.5.5.7.3.1) in the Enhanced Key Usage extension. The certificate CN must match the NPS server’s fully qualified domain name, and the certificate must be issued by a CA trusted by all client devices. The RADIUS clients (wireless controllers, switches) must support RADIUS authentication and be configured with the NPS server’s IP address and a shared secret. UDP ports 1812 (authentication) and 1813 (accounting) must be open from the RADIUS clients to the NPS server.

Installing Network Policy Server

# Install NPS with all management tools
Install-WindowsFeature NPAS -IncludeManagementTools -IncludeAllSubFeature

# Verify all components installed
Get-WindowsFeature NPAS* | Where-Object {$_.InstallState -eq "Installed"} | 
    Select-Object Name, DisplayName | Format-Table

Register NPS in Active Directory so it can read dial-in properties from user accounts:

# Register NPS in Active Directory (adds NPS to the RAS and IAS Servers group)
netsh nps add registeredserver domain=contoso.com server=NPS01.contoso.com

# Verify registration
Get-ADGroupMember -Identity "RAS and IAS Servers" | 
    Where-Object {$_.Name -like "*NPS*"} | Select-Object Name

Configuring the NPS Server Certificate

For PEAP authentication (the standard for wireless 802.1X), the NPS server must have a machine certificate from a CA trusted by all clients. Request a certificate from your internal CA:

# The NPS server needs a certificate in the LOCAL MACHINE Personal store
# with Server Authentication EKU

# Check for existing server authentication certificates
# (match on the EKU OID rather than the localized friendly name)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {$_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1"} |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table

# Request a certificate from your internal CA
# Via certlm.msc (Local Machine Certificate Manager):
# Personal > right-click > All Tasks > Request New Certificate
# Select "Computer" template and enroll

# Or via PowerShell (AD CS must be configured)
Get-Certificate -Template "Computer" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName "NPS01.contoso.com"
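Before binding PEAP to a certificate it is worth checking that the chosen certificate really meets the requirements above: Server Authentication EKU, private key present, a name that matches the NPS FQDN, a chain that builds to a root trusted on this machine, and a validity period that covers today. The check below is an added example and is not part of the original guide or of NPS itself; Test-NpsServerCertificate is a hypothetical function name and NPS01.contoso.com is the FQDN assumed throughout the guide.

```powershell
# Added example: validate Server Authentication certificates in the local machine
# Personal store against the PEAP requirements. The function name is hypothetical.
function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,       # name the supplicants will validate
        [string]$Eku = "1.3.6.1.5.5.7.3.1"         # id-kp-serverAuth
    )

    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $Eku) }

    foreach ($cert in $candidates) {
        # Subject CN: the first RDN that starts with "CN="
        $cnRdn = $cert.Subject -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
        $cn = if ($cnRdn) { $cnRdn.Substring(3) } else { '' }

        # Subject Alternative Name (OID 2.5.29.17): a matching DNS entry is accepted as well
        $sanText = ''
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) { $sanText = $sanExt.Format($false) }
        $nameOk = ($cn -ieq $Fqdn) -or ($sanText -match ('DNS Name=' + [regex]::Escape($Fqdn)))

        # The chain must build to a root this machine trusts (revocation checking at defaults)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
            NameMatches   = $nameOk
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            UsableForPeap = $nameOk -and $chainOk -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    }
}

Test-NpsServerCertificate -Fqdn "NPS01.contoso.com" | Format-Table -AutoSize
```

Run it on the NPS server itself: the chain test uses that machine's trust store, which is the store NPS will use when it presents the certificate. A certificate that is trusted on the server but not on the supplicants still fails 802.1X, so the client-side trust in the guide's prerequisites remains a separate check.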

Configuring RADIUS Clients

Add each device that will send RADIUS authentication requests to NPS as a RADIUS client. The shared secret must be configured identically on both the NPS server and each RADIUS client device:

# Add a wireless controller as RADIUS client
New-NpsRadiusClient -Name "Cisco-WLC-HQ" `
    -Address "192.168.1.200" `
    -SharedSecret "Cisc0WirelessSecret2024!" `
    -Enabled $true `
    -VendorName "Cisco"

# Add a managed switch for 802.1X wired authentication
New-NpsRadiusClient -Name "HP-Switch-Core" `
    -Address "192.168.1.10" `
    -SharedSecret "SwitchRadius2024!" `
    -Enabled $true `
    -VendorName "HP (Hewlett Packard)"

# Add a VPN server
New-NpsRadiusClient -Name "VPN-Server01" `
    -Address "192.168.1.50" `
    -SharedSecret "VPNRadiusSecret2024!" `
    -Enabled $true `
    -VendorName "Microsoft"

# List all RADIUS clients
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table
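Secrets typed into a script, as in the examples above, tend to survive in change tickets and script repositories. The following is an added example, not part of the original guide, of generating a separate random secret per device and registering (or rotating) the clients from a small inventory; New-RadiusSharedSecret and Register-NpsRadiusClientFromCsv are hypothetical names, the CSV rows are constructed, and the script relies on the NPS module cmdlets New-NpsRadiusClient, Set-NpsRadiusClient and Get-NpsRadiusClient used in the guide.

```powershell
# Added example: register RADIUS clients with individually generated shared secrets.
# Function names are hypothetical; the CSV rows are constructed sample data.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Printable ASCII (33..126) minus characters that device CLIs and PowerShell quoting mangle
    $alphabet = @(33..126 | ForEach-Object { [char]$_ } | Where-Object { $_ -notin @('"', "'", '\', '`', '$') })
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $alphabet.Count)      # rejection bound, avoids modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $buf = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Count]) }
    }
    return -join $chars
}

function Register-NpsRadiusClientFromCsv {
    param([Parameter(Mandatory)][string]$Csv)
    $existing = Get-NpsRadiusClient | ForEach-Object { $_.Name }
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $secret = New-RadiusSharedSecret -Length 32
        if ($existing -contains $row.Name) {
            # Rotate the secret on an existing client instead of creating a duplicate entry
            Set-NpsRadiusClient -Name $row.Name -SharedSecret $secret | Out-Null
        } else {
            New-NpsRadiusClient -Name $row.Name -Address $row.Address -SharedSecret $secret `
                -Enabled $true -VendorName $row.VendorName | Out-Null
        }
        # Emit the secret once so it can be handed to the device owner out of band
        [pscustomobject]@{ Name = $row.Name; Address = $row.Address; SharedSecret = $secret }
    }
}

# Constructed sample inventory (the same devices as in the guide)
$inventory = @"
Name,Address,VendorName
Cisco-WLC-HQ,192.168.1.200,Cisco
HP-Switch-Core,192.168.1.10,HP (Hewlett Packard)
VPN-Server01,192.168.1.50,Microsoft
"@

Register-NpsRadiusClientFromCsv -Csv $inventory | Format-Table -AutoSize
```

The function returns the generated secrets as objects rather than writing them anywhere, so the operator decides where they go; re-running it against the same inventory rotates every secret, which is also the fastest way to recover if the NPS export file (which carries the secrets) is ever exposed.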

Creating Network Policies for Wireless 802.1X

Network policies define authentication and authorization rules. Create policies for specific AD security groups:

# Create an AD group for wireless users
New-ADGroup -Name "Wireless-Users" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,DC=contoso,DC=com"

# Add users to the wireless group
Add-ADGroupMember -Identity "Wireless-Users" -Members "jsmith","ldoe","mwilson"

# Create a network policy for wireless authentication via NPS console
# NPS Console: Policies > Network Policies > New
# Use the following settings:
# Policy Name: "Wireless Domain Users"
# Processing Order: 1
# Type of Network Access: Wireless (802.11)

# Conditions:
# Windows Groups: DOMAIN\Wireless-Users
# NAS Port Type: Wireless - IEEE 802.11

# Constraints:
# Authentication Methods: EAP (PEAP with MS-CHAPv2 inner method)
# Session Timeout: 480 minutes (8 hours)
# Idle Timeout: 30 minutes
# NAS Port Type: Wireless - IEEE 802.11

# Settings:
# Standard RADIUS Attributes:
# Framed-Protocol = PPP
# Service-Type = Framed

Configuring PEAP Authentication Method

PEAP (Protected EAP) with MS-CHAPv2 is the most common authentication method for corporate wireless. Configure it on the NPS server:

# Configure PEAP settings in the NPS policy
# In the Network Policy > Authentication Methods tab:
# 1. Remove all other authentication methods
# 2. Add EAP > Microsoft: Protected EAP (PEAP)
# 3. Configure PEAP:
#    - Certificate issued to: NPS01.contoso.com (select from store)
#    - EAP Type within PEAP: Microsoft: Secured Password (EAP-MSCHAP v2)
#    - Enable Fast Reconnect: Yes (for roaming)
#    - Enable Disconnect Clients without Cryptobinding: No (security)

# There is no NPS cmdlet for PEAP settings; to script them, export the configuration, edit it and re-import.
# exportPSK=YES writes the RADIUS shared secrets into the file in clear text:
netsh nps export filename="C:\NPS\NPSConfig-BeforeEdit.xml" exportPSK=YES

# Edit the XML to include the PEAP configuration, then re-import:
# netsh nps import filename="C:\NPS\NPSConfig-Updated.xml"

Configuring RADIUS Accounting

Enable RADIUS accounting to log all authentication attempts for security auditing and troubleshooting:

# Configure NPS local file accounting (the netsh nps context for this is "set filelog")
netsh nps set filelog state = ENABLE accountingrequests = ENABLE authenticationrequests = ENABLE
netsh nps set filelog periodicaccountingstatus = ENABLE periodicauthenticationstatus = ENABLE
netsh nps set filelog newlogs = MONTHLY

# Configure log file location
netsh nps set filelog directory = "C:\Windows\System32\LogFiles"

# Configure SQL Server logging (for enterprise deployments); the connection string itself
# is entered in the NPS console under Accounting > SQL Server Logging Properties
# netsh nps set sqllog state = ENABLE accountingrequests = ENABLE authenticationrequests = ENABLE

Configuring RADIUS Proxy (Optional)

NPS can act as a RADIUS proxy, forwarding authentication requests from specific realms to remote RADIUS servers. This is useful for multi-domain or federation scenarios:

# Add a remote RADIUS server group for proxy forwarding
New-NpsRemoteRadiusServerGroup -Name "Partner-RADIUS-Group"

# Add a server to the remote group
# (parameter names per the NPS module: the group is -RemoteRadiusServerGroupName and the
# secret is given separately for authentication and accounting)
Add-NpsRemoteRadiusServer `
    -RemoteRadiusServerGroupName "Partner-RADIUS-Group" `
    -Address "10.200.1.50" `
    -AuthenticationSharedSecret "PartnerRadiusSecret!" `
    -AccountingSharedSecret "PartnerRadiusSecret!" `
    -AuthenticationPort 1812 `
    -AccountingPort 1813

# Create a connection request policy to forward requests from the partner domain.
# The NPS module has no cmdlet for connection request policies; create it in the console:
# NPS Console: Policies > Connection Request Policies > New
# Policy Name: "Forward-Partner-Domain"
# Processing Order: 10
# Condition: User Name matches the partner realm (a regular expression, e.g. "@partner\.example$")
# Settings > Authentication: Forward requests to the "Partner-RADIUS-Group" remote RADIUS server group
# Settings > Accounting: forward accounting requests to the same group (optional)

Configuring NPS for VPN Authentication

Create a separate network policy for VPN authentication. VPN users typically authenticate with domain credentials:

# Create AD group for VPN users
New-ADGroup -Name "VPN-Users" `
    -GroupScope Global `
    -GroupCategory Security

# Create NPS policy for VPN access
# NPS Console: Policies > Network Policies > New
# Policy Name: "VPN Domain Users"
# Processing Order: 2
# Network Access Server Type: Remote Access Server (VPN-Dial up)
#
# Conditions:
# Windows Groups: DOMAIN\VPN-Users
# NAS Port Type: Virtual (VPN)
#
# Authentication:
# MS-CHAP v2 (for L2TP/PPTP VPN)
# Or EAP with PEAP for IKEv2
#
# Constraints:
# Session Timeout: 480 minutes
# Idle Timeout: 60 minutes

Monitoring and Troubleshooting

# Monitor authentication events in Security event log
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(6272,6273,6274)} -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message | Format-List

# Key NPS Event IDs:
# 6272 = Access Granted
# 6273 = Access Denied (includes reason code)
# 6274 = Discarded
# 6278 = Full Access Granted (authorized)

# View NPS accounting log files
Get-ChildItem "C:\Windows\System32\LogFiles" -Filter "IN*.log" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 3

# View the most recent log entries
$latestLog = Get-ChildItem "C:\Windows\System32\LogFiles" -Filter "IN*.log" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
Get-Content $latestLog.FullName -Tail 20

# Test RADIUS connectivity from a RADIUS client device
# The network device should show the NPS server as "responding" in its RADIUS configuration

# Check NPS server status
Get-Service -Name IAS | Select-Object Name, Status
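The 6273 events queried above carry the failure details (account, RADIUS client, reason code, matched policy) as named fields in the event XML, which is easier to aggregate than the rendered message text. The parser and summary below are an added example and not part of the original guide; ConvertFrom-NpsAuditXml, Get-NpsAuthFailureSummary and New-SampleDenyEventXml are hypothetical names, the field names (SubjectUserName, ClientIPAddress, ReasonCode, ...) follow the Security audit event schema for 6272/6273, and the sample events are constructed so the script runs without a live log.

```powershell
# Added example: parse NPS audit events (6272/6273) from their XML and summarise denials
# per RADIUS client and account. Function names are hypothetical; sample events are constructed.

function ConvertFrom-NpsAuditXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        # EventData is a flat list of <Data Name="...">value</Data>; index it by Name
        $d = @{}
        foreach ($n in $x.SelectNodes('//e:EventData/e:Data', $ns)) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            TimeCreated = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            EventId     = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
            User        = $d['SubjectUserName']
            ClientName  = $d['ClientName']
            ClientIP    = $d['ClientIPAddress']
            Policy      = $d['NetworkPolicyName']
            ReasonCode  = $d['ReasonCode']
            Reason      = $d['Reason']
        }
    }
}

function Get-NpsAuthFailureSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Event, [int]$Threshold = 5)
    begin { $failures = @() }
    process { if ($Event.EventId -eq 6273) { $failures += $Event } }
    end {
        # One row per (RADIUS client, account): denial count, distinct reason codes, time span,
        # and whether the count reached the threshold worth raising an alert on
        $failures | Group-Object ClientIP, User | ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                ClientIP      = $sorted[0].ClientIP
                ClientName    = $sorted[0].ClientName
                User          = $sorted[0].User
                Failures      = $_.Count
                ReasonCodes   = ($sorted | ForEach-Object { $_.ReasonCode } | Sort-Object -Unique) -join ','
                FirstSeen     = $sorted[0].TimeCreated
                LastSeen      = $sorted[-1].TimeCreated
                OverThreshold = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
    }
}

function New-SampleDenyEventXml {
    param([string]$Time, [string]$User, [string]$ClientIP, [string]$ClientName, [string]$ReasonCode, [string]$Reason)
    # Constructed XML in the shape ToXml() returns for event 6273, trimmed to the fields used here
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>6273</EventID><TimeCreated SystemTime='$Time'/></System>" +
        "<EventData><Data Name='SubjectUserName'>$User</Data><Data Name='ClientName'>$ClientName</Data>" +
        "<Data Name='ClientIPAddress'>$ClientIP</Data><Data Name='NetworkPolicyName'>Wireless Domain Users</Data>" +
        "<Data Name='ReasonCode'>$ReasonCode</Data><Data Name='Reason'>$Reason</Data></EventData></Event>")
}

# Constructed sample: five credential mismatches for one account from the wireless controller
# (reason code 16) and one method mismatch from the VPN server (reason code 66)
$sample = @(1..5 | ForEach-Object {
    New-SampleDenyEventXml ("2024-05-01T08:15:{0:D2}Z" -f ($_ * 7)) 'jsmith' '192.168.1.200' 'Cisco-WLC-HQ' '16' `
        'Authentication failed due to a user credentials mismatch.'
})
$sample += New-SampleDenyEventXml '2024-05-01T08:20:00Z' 'ldoe' '192.168.1.50' 'VPN-Server01' '66' `
    'The user attempted to use an authentication method that is not enabled on the matching network policy.'

# Offline run on the constructed sample: jsmith/192.168.1.200 shows 5 failures, OverThreshold True
$sample | ConvertFrom-NpsAuditXml | Get-NpsAuthFailureSummary -Threshold 5 | Format-Table -AutoSize

# Live run against the Security log on the NPS server
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(6272,6273)} -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-NpsAuditXml | Get-NpsAuthFailureSummary
```

Grouping by RADIUS client as well as account separates a user mistyping a password on one laptop from the same account failing across many controllers, and keeping the reason codes in the row distinguishes credential mismatches (16) from policy or method problems (such as 66) that point at a misconfigured supplicant rather than at the user.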

Backup and Redundancy

# Export NPS configuration for backup and secondary server configuration
# (the export contains the RADIUS shared secrets in clear text, so keep it on protected storage)
Export-NpsConfiguration -Path "C:\NPS\NPS-Config-$(Get-Date -Format 'yyyy-MM-dd').xml"

# Deploy the configuration to the secondary NPS server. Copy the exported XML to NPS02 first
# (for example to \\NPS02\C$\NPS); Import-NpsConfiguration runs on NPS02 and reads its local path.
Invoke-Command -ComputerName NPS02.contoso.com -ScriptBlock {
    Import-NpsConfiguration -Path "C:\NPS\NPS-Config-Current.xml"
}

# For high availability, add the secondary NPS server as a RADIUS server
# on each network device, with lower priority than the primary

Summary

NPS as a RADIUS server on Windows Server 2012 R2 provides enterprise-grade network access control integrating with Active Directory. The deployment involves: installing and registering NPS in AD, obtaining a machine certificate for PEAP authentication, adding RADIUS clients with strong shared secrets, creating network policies that map AD security groups to access grants with appropriate authentication methods (PEAP/MSCHAPv2 for wireless), and enabling full accounting logging. Deploy a secondary NPS server with the same configuration for redundancy, as all network access will depend on RADIUS availability. Monitor Event IDs 6272 and 6273 in the Security log for ongoing authentication auditing.