Introduction to Network Access Control on Windows Server 2022

Network Access Control (NAC) is a set of policies and technologies that restricts network access based on the identity and health state of the connecting device. On Windows Server 2022, the primary NAC infrastructure component is the Network Policy Server (NPS), which acts as a RADIUS server to authenticate and authorize network connections from wired clients, wireless clients, VPN clients, and other network devices. Understanding how to configure NPS, 802.1X, RADIUS, and health validation allows you to enforce consistent access policies across your entire network infrastructure.

Network Policy Server (NPS) Overview

NPS is a Windows Server role that implements the RADIUS (Remote Authentication Dial-In User Service) protocol, allowing centralized authentication and authorization for network connections. NPS can serve as a RADIUS server (processing authentication requests), a RADIUS proxy (forwarding requests to other RADIUS servers), or both simultaneously.

NPS integrates directly with Active Directory, allowing network devices such as switches, wireless access points, and VPN concentrators to authenticate users and computers against the domain. NPS evaluates three types of policies:

  • Connection Request Policies: Determine whether a request is processed locally or forwarded to a RADIUS proxy.
  • Network Policies: Define the conditions and constraints under which access is granted or denied.
  • Health Policies (used with NAP): Evaluate the compliance state of connecting clients.

Install NPS on Windows Server 2022:

Install-WindowsFeature NPAS -IncludeManagementTools

Open the NPS console:

nps.msc

RADIUS Configuration

To use NPS as a RADIUS server, you must register it in Active Directory and add your network access devices (switches, APs, VPN gateways) as RADIUS clients.

Register the NPS server in Active Directory to allow it to read dial-in properties from user accounts:

netsh nps add registeredserver domain=corp.local server=nps01.corp.local

Or use the NPS console: right-click NPS (Local) and select “Register server in Active Directory.”

Add a RADIUS client (e.g., a Cisco switch or wireless controller) via PowerShell:

New-NpsRadiusClient `
    -Address "10.0.2.50" `
    -Name "CoreSwitch01" `
    -SharedSecret "R@d1usS3cr3t!2024" `
    -AuthAttributeRequired $false `
    -VendorName "Cisco"

The shared secret must match exactly what is configured on the network device. Use a long, random shared secret (32 characters or more) — RADIUS uses MD5-based message authentication, so a weak shared secret can be brute-forced offline.

List configured RADIUS clients:

Get-NpsRadiusClient

NPS listens on UDP 1812 (authentication) and UDP 1813 (accounting) by default. Ensure your firewall allows these ports from all RADIUS clients to the NPS server.
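The firewall rule is tighter if it admits UDP 1812/1813 only from the RADIUS clients NPS already knows about rather than from any source. The script below is an added example, not part of the original article; it assumes the NPS and NetSecurity modules of a Windows Server 2022 NPAS install, and the name of the default rule group is an assumption to confirm locally.

```powershell
# Added example (not from the original article): allow RADIUS traffic to NPS only
# from the addresses of the RADIUS clients NPS actually knows about, instead of
# from any source. Assumes the NPS and NetSecurity modules present on a
# Windows Server 2022 NPAS install; the default rule group name is an assumption.

# RADIUS client addresses may be IPs or DNS names; firewall scopes need IPs
$clientAddresses = Get-NpsRadiusClient |
    Select-Object -ExpandProperty Address |
    Where-Object { [System.Net.IPAddress]::TryParse($_, [ref]$null) } |
    Sort-Object -Unique

if (-not $clientAddresses) {
    throw 'No RADIUS clients with IP addresses are registered; add them before scoping the rule.'
}

# Disable the unscoped rules the NPAS role creates (group name assumed; confirm
# with Get-NetFirewallRule | Select-Object DisplayGroup -Unique)
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Authentication (UDP 1812) and accounting (UDP 1813) from known clients only
New-NetFirewallRule -DisplayName 'NPS RADIUS from registered clients' `
    -Direction Inbound -Protocol UDP -LocalPort 1812, 1813 `
    -RemoteAddress $clientAddresses -Action Allow

# Show the resulting remote-address scope for review
Get-NetFirewallRule -DisplayName 'NPS RADIUS from registered clients' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Re-run the script after adding a RADIUS client, since the rule is built from a snapshot of the client list.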

802.1X Authentication with NPS — Wired Networks

802.1X is an IEEE standard for port-based network access control. When a device connects to an 802.1X-enabled switch port, the switch (the authenticator) intercepts the connection and communicates with the NPS RADIUS server (the authentication server) to verify the device’s identity before allowing access to the network.

To configure wired 802.1X in Windows, deploy the Wired AutoConfig service and configure 802.1X settings via Group Policy:

Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies
  Create a new policy:
    Policy Name: Corporate Wired 802.1X
    Use Windows Wired Auto Config service: Enabled
    Security Settings:
      Enable IEEE 802.1X authentication: Enabled
      Authentication Method: Microsoft: Smart Card or other certificate (EAP-TLS)
      Authenticate as computer when computer information is available: Enabled
      Authenticate as guest when user or computer information is unavailable: Disabled

EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) is the most secure 802.1X authentication method. It uses certificates on both the client and the authentication server (NPS), providing mutual authentication. The client needs a computer certificate issued by an enterprise CA, and NPS needs a server certificate trusted by the clients.

Configure an NPS Network Policy for 802.1X wired access:

# Create a network policy for domain computers on wired connections
New-NpsNetworkPolicy `
    -Name "Corp Wired - Domain Computers" `
    -ProcessingOrder 1 `
    -ConditionWindowsGroup "CORP\Domain Computers" `
    -GrantAccess $true `
    -AuthenticationTypes "EapTls"

802.1X Authentication — Wireless Networks

Wireless 802.1X (WPA2-Enterprise or WPA3-Enterprise) uses NPS to authenticate wireless clients before they receive an IP address on the corporate network. This is far more secure than PSK-based Wi-Fi authentication because each user/device authenticates individually.

Deploy wireless 802.1X policy via GPO:

Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies
  Add Infrastructure Network:
    SSID: CorpWiFi
    Security Type: WPA2-Enterprise
    Encryption Type: AES
    Authentication Method: Microsoft EAP (PEAP) or EAP-TLS
    Validate server certificate: Enabled
    Trusted root CAs: [Select your enterprise CA]
    Authentication Mode: Computer Authentication

PEAP-MSCHAPv2 (Protected EAP with MSCHAPv2) is a popular option because it does not require client certificates — users authenticate with domain credentials inside a TLS tunnel. However, EAP-TLS with certificates is recommended for higher security because it eliminates password-based authentication entirely.
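Both EAP-TLS and PEAP depend on the NPS server certificate being one the clients will accept when "Validate server certificate" is enabled. The check below is an added example (not from the original article) that evaluates every certificate in the server's Personal store against the usual requirements; `$warnDays` and the function name are choices made here, not NPS settings.

```powershell
# Added example (not from the original article): check whether the NPS server holds
# a certificate usable for EAP-TLS/PEAP server authentication. Requirements
# checked: Server Authentication EKU, private key present, non-empty subject,
# chain builds to a trusted root, and more than $warnDays of validity remaining.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$warnDays = 30

function Test-NpsServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems += 'empty subject' }
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
        $problems += 'missing Server Authentication EKU'
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays($warnDays)) {
        $problems += "expires $($Cert.NotAfter.ToString('u'))"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus.StatusInformation | Sort-Object -Unique) -join '; ')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join ', ')
    }
}

# Evaluate every certificate in the computer's Personal store; select a "Usable"
# one in the network policy's EAP settings and trust its issuer in the GPO.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Cert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Subject, Issuer, NotAfter, Usable, Problems -AutoSize
```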

System Health Validators and Health Policies

System Health Validators (SHVs) are components of Windows Network Access Protection (NAP) that assess the health state of connecting clients. The Windows Security Health Validator (WSHV) is the built-in SHV that checks:

  • Windows Firewall status (on/off)
  • Antivirus software state (installed, up to date, enabled)
  • Antispyware software state
  • Automatic Updates configuration
  • Security update status (whether all required updates are installed)

Configure the Windows Security Health Validator via the NPS console: navigate to Network Access Protection > System Health Validators > Windows Security Health Validator > Settings. You can configure which checks are required and which generate warnings.

Health Policies define what constitutes a “healthy” or “unhealthy” client by referencing one or more SHVs and specifying whether the client must pass all checks or at least one. Create a health policy in the NPS console:

NPS > Network Access Protection > Health Policies > New
  Policy Name: Full Compliance
  Client SHV checks: Client passed all SHV checks
  SHVs used: Windows Security Health Validator

Network Access Protection Overview

Network Access Protection (NAP) was a Windows feature that combined health validation with enforcement to quarantine non-compliant clients. Microsoft deprecated NAP starting with Windows Server 2012 R2 and removed it from Windows Server 2019 and later. However, the conceptual model — health assessment, network restriction, and remediation — remains relevant and is implemented in modern solutions through different technology stacks.

The NAP architecture consisted of:

  • NAP Client: The agent on the connecting device that collects health information.
  • NPS Health Policy Server: Evaluates health statements and applies network policy.
  • Enforcement Points: DHCP, IPsec, 802.1X switch, or VPN gateway that restricts or grants access.
  • Remediation Servers: WSUS, antivirus update servers, and other resources accessible from the quarantine network.

While NAP as an enforcement mechanism is no longer available in Windows Server 2022, NPS still supports health policies that can influence access decisions when used with compatible 802.1X enforcement points or third-party NAC solutions.

Modern Alternatives — Azure AD Conditional Access and Microsoft Endpoint Manager

For organizations using Microsoft 365 and Azure AD, the modern replacement for NAP is Azure AD Conditional Access combined with Microsoft Intune (Endpoint Manager) device compliance policies.

Azure AD Conditional Access allows you to define policies that grant or block access to cloud and on-premises applications based on:

  • User identity and group membership
  • Device compliance state (as reported by Intune)
  • Device platform and management state (domain-joined, Intune-enrolled, Azure AD joined)
  • Sign-in risk (from Azure AD Identity Protection)
  • Location (IP range or named location)

Microsoft Intune Device Compliance Policies define the minimum security requirements a device must meet to be considered compliant: BitLocker enabled, OS version minimum, antivirus active, jailbreak/root detection for mobile devices, and so on. Devices that fail compliance are reported to Azure AD, which then applies Conditional Access policies to restrict access.

For on-premises network access, Intune can issue certificates to managed devices via SCEP or PKCS certificate profiles, which are then used for 802.1X EAP-TLS authentication against NPS — combining cloud-managed compliance with on-premises network enforcement.

NPS Logging

NPS logging is essential for auditing who connected to the network and diagnosing authentication failures. NPS supports two types of logging:

Windows Event Log: NPS writes authentication successes and failures to the Windows Security event log. Key event IDs include:

  • 6272: Network Policy Server granted access to a user
  • 6273: Network Policy Server denied access to a user (includes the reason code)
  • 6274: Network Policy Server discarded the request for a user
  • 6275: Network Policy Server discarded the accounting request
  • 6276: Network Policy Server quarantined a user
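The denial events are most useful when summarised rather than read one by one. The script below is an added example (not from the original article) that groups the last day's 6273 events by reason code and then flags RADIUS clients producing an unusual volume of denials; the `<Data Name="...">` element names it relies on are those of the 6273 event XML, and `$threshold` is an arbitrary starting value to tune.

```powershell
# Added example (not from the original article): summarise NPS access denials
# (Security event 6273) from the last 24 hours by reason code, then flag RADIUS
# clients generating an unusual number of denials. The <Data Name="..."> element
# names used below (ReasonCode, Reason, ClientIPAddress, SubjectUserName) are
# those of the 6273 event XML; $threshold is an arbitrary starting value to tune.

$threshold = 50
$since = (Get-Date).AddHours(-24)

# Flatten each event's EventData into one object with a property per <Data> element
$denials = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $props = @{ TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }

if (-not $denials) { Write-Output "No 6273 events since $($since.ToString('u'))"; return }

# Which reasons dominate? e.g. 16 = credential mismatch, 48 = no matching
# network policy, 66 = authentication method not enabled on the matching policy
$denials | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ReasonCode'; e = { $_.Name } }, @{ n = 'Reason'; e = { $_.Group[0].Reason } } |
    Format-Table -AutoSize -Wrap

# A single switch, AP or VPN gateway producing many denials usually means a
# misconfigured supplicant or a credential-guessing attempt against that entry point
$denials | Group-Object ClientIPAddress | Where-Object Count -ge $threshold | ForEach-Object {
    $accounts = @($_.Group | Select-Object -ExpandProperty SubjectUserName -Unique).Count
    '{0}: {1} denials across {2} distinct account names since {3:u}' -f $_.Name, $_.Count, $accounts, $since
}
```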

SQL Server / text file logging: NPS can log detailed RADIUS authentication and accounting data to a text file or SQL Server database for long-term retention and reporting.

Configure text-file logging via the NPS console (Accounting node) or PowerShell:

Set-NpsAccounting `
    -LogFileDirectory "C:\NPSLogs" `
    -LoggingFormat DTS `
    -LogFileRolloverType MonthDay `
    -RecordAccountingRequests $true `
    -RecordAccountingResponses $true `
    -RecordAuthenticationRequests $true

RADIUS Accounting

RADIUS Accounting is a separate function from RADIUS Authentication. Accounting messages are sent by network devices (switches, APs, VPN gateways) to the RADIUS server to record session start, stop, and interim update events. Accounting data includes the user name, session duration, bytes transferred, and the IP address assigned to the client.

NPS receives accounting packets on UDP port 1813. Accounting data is valuable for capacity planning, billing, and security investigations (determining when a specific device was connected and to which switch port).

To view current accounting configuration:

Get-NpsAccounting

For SQL-based accounting, configure the ODBC connection in NPS and ensure the NPS service account has write permissions on the SQL database. The SQL logging schema creates tables for authentication and accounting records that can be queried for reporting.
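The DTS text log configured in the NPS Logging section and the accounting Start/Stop records described here come together when an investigator has to reconstruct sessions. The script below is an added example (not from the original article) that parses DTS lines (one XML `<Event>` per line) and rebuilds sessions keyed on Acct-Session-Id; the three log lines are constructed sample data, and the timestamp format assumed is the MM/dd/yyyy form used in Microsoft's DTS examples, so adjust it to your server's locale.

```powershell
# Added example (not from the original article): parse NPS DTS-format log lines
# (one XML <Event> per line, as written by the logging configured above) and
# rebuild sessions from the RADIUS accounting Start/Stop records, answering
# "when was this device connected, on which NAS and port, with which IP?".
# Packet-Type 4 = Accounting-Request; Acct-Status-Type 1/2/3 = Start/Stop/Interim.
# The log lines below are constructed sample data, not output of a real server,
# and assume the MM/dd/yyyy timestamp format of Microsoft's DTS examples.

$sampleLines = @(
    '<Event><Timestamp data_type="4">04/12/2024 08:00:05.120</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">host/ws042.corp.local</User-Name><Client-IP-Address data_type="3">10.0.2.50</Client-IP-Address></Event>',
    '<Event><Timestamp data_type="4">04/12/2024 08:00:06.310</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">0000A1F3</Acct-Session-Id><User-Name data_type="1">host/ws042.corp.local</User-Name><Calling-Station-Id data_type="1">00-1A-2B-3C-4D-5E</Calling-Station-Id><NAS-IP-Address data_type="3">10.0.2.50</NAS-IP-Address><NAS-Port data_type="0">50017</NAS-Port><Framed-IP-Address data_type="3">10.0.20.17</Framed-IP-Address></Event>',
    '<Event><Timestamp data_type="4">04/12/2024 17:31:44.002</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">0000A1F3</Acct-Session-Id><User-Name data_type="1">host/ws042.corp.local</User-Name><NAS-IP-Address data_type="3">10.0.2.50</NAS-IP-Address><NAS-Port data_type="0">50017</NAS-Port><Acct-Session-Time data_type="0">34298</Acct-Session-Time><Acct-Input-Octets data_type="0">734003200</Acct-Input-Octets><Acct-Output-Octets data_type="0">98566144</Acct-Output-Octets></Event>'
)

function ConvertFrom-NpsDtsLine {
    # One flat object per line; property names are the RADIUS attribute names
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $record = @{}
        foreach ($node in ([xml]$Line).Event.ChildNodes) { $record[$node.Name] = $node.InnerText }
        [pscustomobject]$record
    }
}

function Get-NpsAccountingSession {
    param([Parameter(ValueFromPipeline)]$Record)
    begin { $sessions = [ordered]@{} }
    process {
        if ($Record.'Packet-Type' -ne '4') { return }   # authentication packets carry no session data
        $id = $Record.'Acct-Session-Id'
        if (-not $sessions.Contains($id)) {
            $sessions[$id] = [pscustomobject]@{
                SessionId = $id; User = $Record.'User-Name'; Mac = $Record.'Calling-Station-Id'
                Nas = $Record.'NAS-IP-Address'; NasPort = $Record.'NAS-Port'; FramedIP = $null
                Start = $null; Stop = $null; InputOctets = $null; OutputOctets = $null
            }
        }
        $s = $sessions[$id]
        $ts = [datetime]::ParseExact($Record.Timestamp, 'MM/dd/yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        if ($Record.'Framed-IP-Address') { $s.FramedIP = $Record.'Framed-IP-Address' }
        switch ($Record.'Acct-Status-Type') {
            '1' { $s.Start = $ts }
            '2' { $s.Stop = $ts; $s.InputOctets = [int64]$Record.'Acct-Input-Octets'; $s.OutputOctets = [int64]$Record.'Acct-Output-Octets' }
            # '3' (Interim-Update) only refreshes FramedIP above
        }
    }
    end { $sessions.Values }
}

$sampleLines | ConvertFrom-NpsDtsLine | Get-NpsAccountingSession | Format-Table -AutoSize
# For a real log: Get-Content 'C:\NPSLogs\*.log' | ConvertFrom-NpsDtsLine | Get-NpsAccountingSession
```

A session with a Start but no Stop at the end of the log is either still active or belongs to a NAS that dropped its Accounting-Stop, which is itself worth checking when the accounting data is relied on for investigations.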

NPS Proxy Configuration

An NPS Proxy forwards RADIUS authentication requests from network devices to one or more remote RADIUS servers. This is useful when:

  • Multiple NPS servers exist in different domains or forests and you want a single RADIUS endpoint for network devices.
  • You need to load-balance RADIUS requests across multiple authentication servers.
  • You have a perimeter network where the RADIUS client (VPN gateway) cannot reach the internal NPS server directly.

Configure a Remote RADIUS Server Group on the proxy NPS:

# Add a remote RADIUS server group
New-NpsRemoteRadiusServerGroup -Name "Internal-NPS-Group"

# Add servers to the group
Add-NpsRemoteRadiusServer `
    -RemoteRadiusServerGroupName "Internal-NPS-Group" `
    -Address "10.0.1.50" `
    -AuthenticationPort 1812 `
    -AccountingPort 1813 `
    -SharedSecret "SharedS3cr3t!NPS" `
    -Priority 1 `
    -Weight 50

Configure a Connection Request Policy on the proxy to forward requests to the remote group:

New-NpsConnectionRequestPolicy `
    -Name "Forward to Internal NPS" `
    -ProcessingOrder 1 `
    -ForwardRequest $true `
    -RemoteRadiusServerGroupName "Internal-NPS-Group"

NPS Proxy supports load balancing using priority and weight values. Servers with lower priority numbers are tried first. When multiple servers have the same priority, the weight value determines the percentage of traffic each server receives.

Summary

Network Policy Server on Windows Server 2022 provides a robust platform for implementing 802.1X-based network access control. By configuring RADIUS clients, authentication methods (EAP-TLS, PEAP), network policies, and detailed logging, you can enforce consistent access control policies across your wired and wireless infrastructure. While the NAP health enforcement mechanism has been deprecated, the combination of NPS, Intune device compliance, and Azure AD Conditional Access provides a modern equivalent that covers both on-premises and cloud resources. For complex multi-site environments, the NPS Proxy role enables centralized policy management with distributed enforcement points.