Introduction to Network Policy Server

Network Policy Server (NPS) is Microsoft’s implementation of a RADIUS (Remote Authentication Dial-In User Service) server and RADIUS proxy. It is included in Windows Server 2022 at no additional cost and provides centralized authentication, authorization, and accounting for network access scenarios including VPN, 802.1X wired and wireless, and dial-up. NPS integrates natively with Active Directory, allowing network devices such as VPN concentrators, wireless access points, and 802.1X-enabled switches to authenticate users against AD without each device needing direct AD access. This article covers complete NPS deployment on Windows Server 2022, from role installation through advanced configuration scenarios.

Installing the NPS Role

NPS is installed as part of the Network Policy and Access Services (NPAS) server role. The role includes NPS itself, the Connection Manager Administration Kit (CMAK), and the Routing and Remote Access Service (RRAS). For a standalone NPS deployment, install only the NPS role service.

# Install the NPS role via PowerShell (works on Server Core and over PowerShell remoting)
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# RRAS is not pulled in by NPAS on Windows Server 2022; it is a separate feature
# (DirectAccess-VPN) that is only needed when this server is also the VPN endpoint
# (see the RRAS section below)

# Verify installation
Get-WindowsFeature -Name NPAS

# The NPS Windows service is named IAS (Internet Authentication Service), NPS's former name
Get-Service -Name IAS
Start-Service -Name IAS   # if not already running

# Open the NPS management console
nps.msc

After installation, verify the NPS service is running and configured to start automatically:

Set-Service -Name IAS -StartupType Automatic
Start-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status, StartType

Registering NPS in Active Directory

For NPS to authenticate domain users, the NPS server’s computer account must be added to the RAS and IAS Servers security group in Active Directory. This grants NPS permission to read dial-in properties of user accounts. Without this registration, NPS will fail to authenticate domain users and Event ID 6273 will appear in the NPS log with reason code 16 (Authentication failed due to a user account restriction).

# Register NPS in Active Directory (run on the NPS server as Domain Admin)
netsh nps add registeredserver domain=domain.com server=NPSServer01.domain.com

# Or use the simpler version (registers the local server in its own domain)
netsh nps add registeredserver

# Verify registration
netsh nps show registeredservers

# PowerShell alternative: manually add the NPS computer account to the group
Add-ADGroupMember -Identity "RAS and IAS Servers" -Members "NPSServer01$"
# (The $ suffix denotes a computer account)

# Verify group membership
Get-ADGroupMember -Identity "RAS and IAS Servers" | Where-Object { $_.Name -eq "NPSServer01" }

If NPS is in a different domain from the users it authenticates, register NPS in each relevant domain, or configure NPS to use a separate domain account with appropriate permissions across domains.

Configuring RADIUS Clients

RADIUS clients are the network devices (VPN servers, wireless access points, switches) that send authentication requests to NPS. Each device must be added to NPS with a matching shared secret. The shared secret is used to authenticate the RADIUS client to the NPS server and to encrypt sensitive attributes in RADIUS packets.

# Add a RADIUS client via PowerShell
# Import the NPS module
Import-Module NPS

# Add a single RADIUS client (a VPN appliance at 192.168.10.5)
New-NpsRadiusClient -Address "192.168.10.5" `
    -Name "VPN-Concentrator-01" `
    -SharedSecret "Use-A-Strong-Random-Secret-32Chars+" `
    -Enabled $true `
    -VendorName "RADIUS Standard"

# Add a range of wireless APs from a subnet (NPS supports CIDR notation for client address)
New-NpsRadiusClient -Address "10.20.30.0/24" `
    -Name "Wireless-APs-Floor3" `
    -SharedSecret "AnotherStrongSharedSecret2024!" `
    -Enabled $true

# List all RADIUS clients
Get-NpsRadiusClient | Format-Table Name, Address, Enabled

# Remove a RADIUS client
Remove-NpsRadiusClient -Name "VPN-Concentrator-01"

Use long, random shared secrets (minimum 22 characters, mixed case, numbers, and symbols) for all RADIUS clients. The shared secret is not the password for the VPN — it is the secret that authenticates the VPN appliance to NPS. Different clients should use different shared secrets so that compromise of one device does not expose all clients.
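Generating the per-device secrets the paragraph asks for, as an added example that is not part of the original article: each RADIUS client in a small constructed inventory gets its own random 32-character secret from a CSPRNG (with rejection sampling, so no character is favoured) and is registered with the NPS module's New-NpsRadiusClient. The inventory, the alphabet and the function names are this example's own assumptions.

```powershell
# Added example: one independent, random shared secret per RADIUS client, registered in one pass.
# The alphabet omits characters that some network-device CLIs mishandle (space, quotes, backslash, ?).
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=@^_~')
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    # Reject bytes at or above this limit so every alphabet character is equally likely (no modulo bias)
    $limit  = 256 - (256 % $alphabet.Length)
    $sb     = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) { [void]$sb.Append($alphabet[$buffer[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Register-RadiusClients {
    param([Parameter(Mandatory)][object[]]$Inventory)
    foreach ($device in $Inventory) {
        $secret = New-RadiusSharedSecret
        New-NpsRadiusClient -Name $device.Name -Address $device.Address `
            -SharedSecret $secret -Enabled $true -ErrorAction Stop | Out-Null
        # The secret is returned to the operator for entry on the device; nothing is written to disk here
        [PSCustomObject]@{ Name = $device.Name; Address = $device.Address; SharedSecret = $secret }
    }
}

# Constructed inventory for the example (names and addresses are assumptions)
$inventory = @(
    [PSCustomObject]@{ Name = 'VPN-Concentrator-01'; Address = '192.168.10.5' },
    [PSCustomObject]@{ Name = 'Wireless-APs-Floor3'; Address = '10.20.30.0/24' }
)
$registered = Register-RadiusClients -Inventory $inventory
$registered | Format-Table -AutoSize
```

Run it once on the NPS server as an administrator; an address range entry such as 10.20.30.0/24 is a single RADIUS client in NPS, so every access point in that range shares one secret, which is why a per-device entry is preferable where the device count allows it.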

Connection Request Policies

Connection Request Policies (CRPs) determine how NPS handles incoming RADIUS requests — whether to process them locally or forward them to a remote RADIUS server (proxy scenario). Each CRP has conditions that are evaluated against the incoming request. If conditions match, the policy is applied and NPS either processes the request locally or forwards it.

# The NPS PowerShell module has no cmdlets for Connection Request Policies;
# list the existing policies with netsh (or in the console under Policies)
netsh nps show crp

# Create a Connection Request Policy that processes requests locally when they
# come from a specific RADIUS client. netsh creates the policy skeleton; the
# conditions and settings are easiest to set in the NPS console
# (Policies > Connection Request Policies), because "netsh nps set crp" takes
# numeric condition and profile IDs rather than attribute names.
netsh nps add crp name="Process-VPN-Requests" state="enable" processingorder="1"
# In the console, edit "Process-VPN-Requests":
#   Conditions: NAS IPv4 Address = 192.168.10.5
#   Settings:   Authentication > "Authenticate requests on this server"
#   Authentication methods (PAP, CHAP, MS-CHAPv2, EAP) are taken from the matching
#   Network Policy unless the CRP is set to override them

# Typical CRP conditions:
# - NAS-IP-Address: match specific RADIUS client IP
# - NAS-Port-Type: Wireless-IEEE-802.11, Virtual (VPN), etc.
# - Called-Station-ID: match SSID for wireless, or VPN interface
# - Client-Friendly-Name: match by RADIUS client name configured in NPS

Network Policies

Network Policies define the conditions under which users are granted or denied network access, and what connection settings (constraints and settings) apply. A request must match a Connection Request Policy first, then be evaluated against Network Policies in order. The first matching Network Policy is applied.

# Network Policy components:
# Conditions: criteria that must match for the policy to apply
#   - Windows Groups: only members of a specific AD group
#   - Day and Time Restrictions: allow access only during business hours
#   - NAS Port Type: Wireless, VPN, wired 802.1X
#   - Authentication Type: EAP, MS-CHAPv2, etc.

# Constraints: requirements that limit how a connection is used
#   - Authentication Methods: which EAP types are allowed
#   - Idle Timeout: disconnect after N minutes of idle
#   - Session Timeout: maximum connection duration
#   - Called-Station-ID: only connect to specific access points

# Settings: attributes returned to the RADIUS client to configure the session
#   - RADIUS Attributes: VLAN assignment, IP address pool, etc.
#   - NAP Enforcement: health policy checking

# Create a Network Policy. The NPS PowerShell module has no cmdlet for Network
# Policies; netsh creates the policy skeleton and the console (Policies >
# Network Policies) is used for conditions, constraints and settings.
netsh nps add np name="VPN-Domain-Users" state="enable" processingorder="1"
# In the console, edit "VPN-Domain-Users":
#   Overview:    Access Permission = Grant access
#   Conditions:  Windows Groups = domain\VPN-Users
#   Constraints: Authentication Methods = MS-CHAP-v2; Session Timeout = 480 minutes (8 hours)
#   Settings:    Encryption = Strongest encryption (MPPE 128-bit) only

# Verify
netsh nps show np

To assign a VLAN to wireless users via RADIUS attributes in a Network Policy, add the following standard RADIUS attributes to the policy’s Settings section:

Tunnel-Type             = VLAN (13)
Tunnel-Medium-Type      = 802 (6)
Tunnel-Pvt-Group-ID     = 100   (the VLAN ID, sent as a string)

# These attributes are returned in the Access-Accept to the access point or switch,
# which then places the authenticated client on VLAN 100

# The NPS PowerShell module does not manage policy attributes. Add them in the console
# under the policy's Settings > RADIUS Attributes > Standard > Add. Tunnel-Pvt-Group-ID
# is the console's name for Tunnel-Private-Group-ID (RADIUS attribute 81); Tunnel-Type
# is attribute 64 and Tunnel-Medium-Type is attribute 65. "netsh nps set np" can set
# them as well, but it takes numeric profile IDs and encoded values, so the console
# is the practical route.

NPS with 802.1X for Wired and Wireless

802.1X is a port-based network access control protocol that prevents unauthorized devices from connecting to the network. Before a device can communicate on a switch port or wireless SSID, it must authenticate. NPS serves as the RADIUS backend for 802.1X authentication.

For 802.1X to work, configure the following:

1. NPS side:
   - Add the switch or AP as a RADIUS client with shared secret
   - Create a Network Policy matching the 802.1X scenario:
     Condition: NAS-Port-Type = Ethernet (for wired) or Wireless-IEEE-802.11 (for WiFi)
     Authentication: EAP (PEAP or EAP-TLS)
   - Configure the EAP method:
     For PEAP-MSCHAPv2: Select the NPS server certificate for the inner tunnel
     For EAP-TLS: Configure certificate validation on both client and server

2. Certificate requirement for PEAP:
   # NPS must have a server certificate trusted by the clients
   # Request a Computer certificate from the internal CA
   certlm.msc > Personal > Certificates > right-click > All Tasks > Request New Certificate
   # Select the Computer or Web Server template
   # The NPS computer account must be able to enroll

3. Cisco IOS switch configuration (example for 802.1X with NPS; AAA must be enabled
   and pointed at the RADIUS group before dot1x is turned on):
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server NPS-Server
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key StrongSharedSecret2024!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 7

For EAP-TLS (certificate-based 802.1X), clients must have machine or user certificates issued by a CA trusted by NPS. This is more secure than PEAP-MSCHAPv2 because it provides mutual authentication and does not rely on passwords. Deploy client certificates via Group Policy auto-enrollment.

NPS with VPN (RRAS Integration)

When NPS and RRAS (Routing and Remote Access Service) are deployed together, RRAS serves as the VPN server (RADIUS client) and NPS handles authentication. This is the standard Windows Server VPN architecture.

# Install both RRAS and NPS
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature NPAS -IncludeManagementTools

# Configure RRAS to use NPS (RADIUS) for authentication.
# In the RRAS setup wizard select "Remote access (dial-up or VPN)" and, when asked
# about RADIUS, point it at the NPS server.

# If NPS and RRAS run on the same server, add 127.0.0.1 as a RADIUS client in NPS
# with the same shared secret that RRAS is given below.

# Command-line equivalent: the RADIUS provider settings live in the "netsh ras aaaa" context
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name=127.0.0.1 secret=LocalSharedSecret port=1812 timeout=5
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name=127.0.0.1 secret=LocalSharedSecret port=1813

# Verify RRAS authentication configuration
netsh ras aaaa show authentication
netsh ras aaaa show authserver

RADIUS Accounting

RADIUS accounting records connection start, stop, and interim update events. NPS can log accounting data to a local text file, a SQL Server database, or forward accounting packets to a remote RADIUS server.

# Configure NPS accounting to log to local files
# Default log location: C:\Windows\System32\LogFiles
# Log files are named IN<yymmdd>.log and can be written in IAS format, database-compatible
# format (fixed comma-separated columns) or DTS-compliant XML format

# In the NPS console: Accounting > Configure Accounting > "Log to a text file on the
# local computer", then set the directory (for example D:\NPS-Logs) and the format.
# Enable accounting requests, authentication requests and periodic status so that
# both Access-Accept/Reject decisions and session data land in the file.
# (For scripting, "netsh nps set filelog ?" lists the equivalent netsh parameters.)

# Configure SQL Server accounting (requires the SQL OLE DB provider on the NPS server)
# In NPS console: Accounting > Configure Accounting > SQL Server Logging
# Connection string: Server=sqlserver.domain.com;Database=IASLOG;Integrated Security=SSPI

# View the current configuration, including logging settings
netsh nps show config

# Parse NPS log files with PowerShell
# This assumes the database-compatible format: comma separated, fixed column order,
# first six columns ComputerName, ServiceName, Record-Date, Record-Time, Packet-Type, User-Name.
# Packet-Type 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request.
# (IAS format stores attributes as ID/value pairs after the first six columns, and the
# Windows event IDs 6272/6273 never appear in the log file; they are in the Security event log.)
$logFile = "C:\Windows\System32\LogFiles\IN240101.log"
Import-Csv -Path $logFile -Header ComputerName,ServiceName,RecordDate,RecordTime,PacketType,UserName |
    Where-Object { $_.PacketType -eq "3" } |
    Group-Object UserName | Sort-Object Count -Descending |
    Select-Object Count, Name   # rejected authentications per account

NPS Event IDs for Monitoring

NPS logs authentication and accounting events to the Security event log. The most important event IDs for monitoring are:

Event ID 6272: Network Policy Server granted access to a user
  - User was successfully authenticated and authorized
  - Contains: username, IP address, NAS identifier, policy name used

Event ID 6273: Network Policy Server denied access to a user
  - Authentication or authorization failed
  - Contains: Reason Code (see below for common codes)

Event ID 6274: Network Policy Server discarded the request for a user
  - Request did not match any Connection Request Policy
  - Usually indicates misconfigured RADIUS client or wrong NAS IP

Event ID 6278: Network Policy Server granted full access to a user
  - Used with NAP (Network Access Protection) — full access granted

Common 6273 Reason Codes:
  16 = Authentication failed due to user account restriction (check AD dial-in settings)
  23 = NPS policy denied access (no matching Network Policy)
  48 = The connection attempt did not match any policy
  65 = NPS could not contact Active Directory
  66 = The account is disabled
  

# Review the most recent failed authentications (the last 50 event 6273 entries).
# Each event's EventData is a list of <Data Name="..."> elements; flatten it into a
# hashtable so the fields can be picked by name.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=6273]]" -MaxEvents 50 |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            ClientName = $data['ClientName']          # RADIUS client (NAS) friendly name
            NASIP      = $data['NASIPv4Address']
            Caller     = $data['CallingStationID']    # MAC address or source IP of the end device
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    } | Format-Table -AutoSize
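Turning the 6273 events into a detection, as an added example that is not part of the original article: the function below reads the last N hours of denied-access events from the Security log and flags two shapes a defender watches for, one account failing repeatedly (brute force, or a stale saved credential) and one RADIUS client producing failures for many distinct accounts (a password spray through a VPN or SSID). The function name and the thresholds are this example's own assumptions; tune them to your baseline.

```powershell
# Added example: summarise NPS event 6273 over a time window and flag suspicious patterns.
function Get-NpsFailureSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 1,
        [int]$PerUserThreshold = 10,       # failures for a single account
        [int]$PerClientUserThreshold = 20  # distinct accounts failing behind one RADIUS client
    )

    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Flatten each event's EventData into a hashtable keyed by the Data element's Name attribute
    $records = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time       = $e.TimeCreated
            User       = $data['SubjectUserName']
            ClientName = $data['ClientName']
            ClientIP   = $data['ClientIPAddress']
            Caller     = $data['CallingStationID']
            ReasonCode = $data['ReasonCode']
        }
    }

    $alerts = New-Object System.Collections.Generic.List[object]

    # Pattern 1: repeated failures for one account, with the reason-code mix as context
    foreach ($g in ($records | Group-Object User | Where-Object Count -ge $PerUserThreshold)) {
        $reasons = ($g.Group | Group-Object ReasonCode | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ','
        $alerts.Add([PSCustomObject]@{
            Pattern = 'RepeatedFailures'
            Subject = $g.Name
            Count   = $g.Count
            Detail  = "reason codes: $reasons"
        })
    }

    # Pattern 2: many distinct accounts failing behind one RADIUS client (spray shape)
    foreach ($g in ($records | Group-Object ClientIP)) {
        $distinct = ($g.Group | Select-Object -ExpandProperty User -Unique).Count
        if ($distinct -ge $PerClientUserThreshold) {
            $alerts.Add([PSCustomObject]@{
                Pattern = 'ManyAccountsOneClient'
                Subject = "$($g.Name) ($($g.Group[0].ClientName))"
                Count   = $distinct
                Detail  = "$($g.Count) failures total"
            })
        }
    }

    [PSCustomObject]@{
        Window   = "$Hours h"
        Failures = $records.Count
        Alerts   = $alerts
    }
}

# Usage: run on the NPS server (the Security log is read locally), for example from a scheduled task
$summary = Get-NpsFailureSummary -Hours 1
"$($summary.Failures) denied requests in the last $($summary.Window)"
$summary.Alerts | Format-Table -AutoSize
```

Grouping by ClientIPAddress rather than CallingStationID is deliberate: the NAS address is what NPS can vouch for, while the calling station is whatever the client device reported. Feed the Alerts objects to whatever your environment uses for alerting (event forwarding, a SIEM collector, or Write-EventLog to a custom log).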

NPS Templates and NPS Proxy

NPS Templates allow you to create reusable configurations for shared secrets, certificates, IP filters, and health policies. Templates are especially useful in large environments where dozens of RADIUS clients share common settings.

# Templates are configured in the NPS console under NPS (Local) > Templates Management
# Types: Shared Secrets, RADIUS Clients, Remote RADIUS Server Groups, IP Filters,
#        Health Policies, Remediation Server Groups

# Export NPS configuration (for backup or migration to another NPS server)
# exportPSK=YES writes every shared secret into the file in clear text, so keep the
# file on an Administrators-only path and delete it once it has been imported
netsh nps export filename="C:\NPS-Backup\nps_config.xml" exportPSK=YES

# Import NPS configuration
netsh nps import filename="C:\NPS-Backup\nps_config.xml"

# Sync NPS configuration to another NPS server (useful for HA deployments)
# Run on the primary server (writes to the secondary's C$ administrative share):
netsh nps export filename="\\NPSServer02\C$\nps_sync.xml" exportPSK=YES
# Run on the secondary server:
netsh nps import filename="C:\nps_sync.xml"

NPS Proxy is used to distribute authentication load across multiple backend NPS servers or to forward requests to NPS servers in different domains. When acting as a proxy, NPS receives RADIUS requests from clients and forwards them to a Remote RADIUS Server Group — a pool of backend NPS servers with failover and load balancing.

# Configure NPS Proxy: add a Remote RADIUS Server Group
# In NPS console: RADIUS Clients and Servers > Remote RADIUS Server Groups > New

# netsh equivalent (the NPS module's New-NpsRemoteRadiusServerGroup and
# Set-NpsRemoteRadiusServerGroup cmdlets manage the same objects): create the group,
# then add each backend server. Servers with the same priority share load by weight;
# a lower priority number is tried first, higher numbers are failover only.
netsh nps add remoteservergroup name="Backend-NPS-Pool"
netsh nps add remoteserver remoteservergroup="Backend-NPS-Pool" address="10.0.1.10" authsharedsecret="BackendSecret1" acctsharedsecret="BackendSecret1" priority="1" weight="50"
netsh nps add remoteserver remoteservergroup="Backend-NPS-Pool" address="10.0.1.11" authsharedsecret="BackendSecret2" acctsharedsecret="BackendSecret2" priority="1" weight="50"

# Create a Connection Request Policy that forwards to the remote group instead of
# processing locally. There is no PowerShell cmdlet for this; create the policy with
# netsh (or in the console) and set the forwarding action in the console under the
# policy's Settings > Authentication > "Forward requests to the following remote RADIUS
# server group for authentication" > Backend-NPS-Pool
netsh nps add crp name="Forward-To-Backend" state="enable" processingorder="1"

For high-availability NPS deployments, deploy two NPS servers and synchronize configuration between them using the export/import method. Configure RADIUS clients with both NPS server IPs — most network devices support multiple RADIUS server entries with automatic failover when the primary server does not respond. NPS does not support native clustering or automatic synchronization, so configuration changes must be manually replicated or scripted.
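Scripting the manual replication the paragraph describes, as an added example that is not part of the original article: the function exports the primary's configuration with the NPS module's Export-NpsConfiguration cmdlet, copies it to the secondary over a PowerShell remoting session, imports it there with Import-NpsConfiguration, and removes both copies. Because the export file carries every RADIUS shared secret in clear text, the staging directory is first locked down to SYSTEM and Administrators. The server name, paths and function name are this example's own assumptions.

```powershell
# Added example: push the primary NPS server's configuration to a secondary and clean up.
function Sync-NpsConfiguration {
    param([Parameter(Mandatory)][string]$Secondary)

    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $localDir   = Join-Path $env:ProgramData 'NpsSync'
    $localFile  = Join-Path $localDir "nps-$stamp.xml"
    $remoteFile = "C:\Windows\Temp\nps-$stamp.xml"   # staging path on the secondary (assumption)

    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    # Restrict the staging directory to SYSTEM and Administrators before secrets are written into it
    $acl = Get-Acl -Path $localDir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $localDir -AclObject $acl

    $session = New-PSSession -ComputerName $Secondary
    try {
        Export-NpsConfiguration -Path $localFile
        Copy-Item -Path $localFile -Destination $remoteFile -ToSession $session
        Invoke-Command -Session $session -ScriptBlock {
            param($path)
            Import-NpsConfiguration -Path $path   # replaces the secondary's configuration
            Remove-Item -Path $path -Force
            (Get-NpsRadiusClient | Measure-Object).Count   # returned as a sanity check
        } -ArgumentList $remoteFile
    }
    finally {
        Remove-PSSession -Session $session
        if (Test-Path -Path $localFile) { Remove-Item -Path $localFile -Force }
    }
}

# Usage: run on the primary NPS server as an administrator after every configuration change.
# The number returned is the secondary's RADIUS client count after the import; compare it
# with the primary's count to confirm the two servers now agree.
$remoteCount = Sync-NpsConfiguration -Secondary 'NPSServer02'
"Secondary has $remoteCount RADIUS clients; primary has $((Get-NpsRadiusClient | Measure-Object).Count)"
```

Import replaces the whole configuration on the secondary, so server-specific items such as its own certificate selection for PEAP must be checked after the first sync; the client count comparison is a cheap smoke test, not a full diff.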

NPS on Windows Server 2022 provides a robust, fully integrated RADIUS platform for enterprise network access control. Its deep integration with Active Directory, extensive policy flexibility, and support for modern EAP methods including EAP-TLS and PEAP make it a production-ready solution for VPN authentication, 802.1X network access control, and multi-site RADIUS proxy deployments without the licensing cost of third-party RADIUS solutions.