Introduction to RADIUS Authentication
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) for network access. Windows Server 2019 implements RADIUS through the Network Policy Server (NPS) role. NPS acts as a RADIUS server that authenticates users trying to connect via VPN, wireless access points, 802.1X switches, and dial-up connections. By centralizing authentication through NPS, you enforce consistent access policies across all network access points using Active Directory credentials and group membership. This tutorial covers installing NPS, configuring RADIUS clients, creating network policies, and testing the configuration.
Understanding NPS Components
The Network Policy Server has three key components: RADIUS Clients (the devices—VPN servers, wireless APs, switches—that forward authentication requests to NPS), Connection Request Policies (rules that determine how NPS handles incoming connection requests), and Network Policies (rules that define who is authorized to connect and under what conditions). NPS also provides RADIUS Proxy functionality for forwarding requests to remote RADIUS servers.
Installing Network Policy Server
Install the NPS role using PowerShell or Server Manager. NPS is part of the Network Policy and Access Services (NPAS) role.
Install-WindowsFeature NPAS -IncludeManagementTools
Verify the installation:
Get-WindowsFeature NPAS, RSAT-NPAS
Open the NPS console after installation:
nps.msc
Registering NPS in Active Directory
For NPS to read user dial-in properties from Active Directory (needed to check whether a user account has dial-in permission), register the NPS server in AD. This adds the NPS computer account to the RAS and IAS Servers security group in the domain.
netsh nps add registeredserver domain=yourdomain.com server=NPS01.yourdomain.com
Or use the NPS console: right-click NPS (Local) in the left pane and select Register server in Active Directory.
Adding a RADIUS Client
A RADIUS client is any network device (VPN gateway, wireless AP, managed switch) that forwards authentication requests to NPS. Each client must be configured with the NPS server’s IP address and a shared secret—a password known to both the NPS server and the network device. Add the RADIUS client in NPS.
# Add the client with netsh. requireauthattrib=yes makes NPS reject Access-Requests that lack a Message-Authenticator
# (the netsh parameter is requireauthattrib, not requireMessageAuthenticator)
netsh nps add client `
name="VPN-Gateway-01" `
address=10.0.1.5 `
state=enable `
sharedsecret="Y0urStr0ngSharedS3cret!" `
requireauthattrib=yes
In the NPS console, expand RADIUS Clients and Servers > RADIUS Clients. Right-click and select New. Fill in the friendly name, IP address or DNS name, and shared secret, and on the Advanced tab tick Access-Request messages must contain the Message-Authenticator attribute. The shared secret is the only key protecting RADIUS traffic between the device and NPS: User-Password hiding and the Message-Authenticator HMAC are both derived from it, and RADIUS itself offers no other integrity or confidentiality. Always use a randomly generated shared secret of at least 22 characters, use a different secret for each client, keep it in a password vault rather than in scripts or tickets, and treat a secret that has appeared in a log or a chat as compromised.
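Added example (PowerShell, not from the original tutorial): generate the shared secret with a cryptographic RNG and register the client through the NPS PowerShell module instead of netsh, then read the client back to confirm Message-Authenticator is required. The cmdlet and parameter names (New-NpsRadiusClient, Get-NpsRadiusClient, -AuthAttributeRequired, -Enabled) are those of the NPS module installed with the role; the client name and address are placeholders, and the property names in the final Format-List are assumed to match the cmdlet's parameters.

```powershell
# Added example, not from the original tutorial. Assumes the NPS module (installed with the
# NPAS role); client name and address are placeholders.
function New-RadiusSharedSecret {
    # Random secret drawn from 71 printable characters (about 6.1 bits each), avoiding
    # quotes, backslash and space, which some NAS command lines mangle.
    param([int]$Length = 32)
    $alphabet = [char[]]((48..57) + (65..90) + (97..122)) + '!#%+-=_.@'.ToCharArray()
    $n = $alphabet.Count
    $limit = 256 - (256 % $n)          # rejection-sample so no character is favoured (no modulo bias)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

$secret = New-RadiusSharedSecret -Length 32
# Store $secret in the password vault and configure the same value on the NAS now;
# NPS never displays a shared secret again once it has been saved.
New-NpsRadiusClient -Name 'VPN-Gateway-01' -Address '10.0.1.5' -SharedSecret $secret `
    -AuthAttributeRequired $true -Enabled $true

# Confirm the client exists and that Message-Authenticator is required
Get-NpsRadiusClient | Where-Object { $_.Name -eq 'VPN-Gateway-01' } |
    Format-List Name, Address, AuthAttributeRequired, Enabled
```

If the NPS module is not available, the same secret can be passed to netsh nps add client; either way the value should leave the session only through the vault and the device's own configuration channel.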
Creating a Network Policy for VPN Users
Network policies define authorization rules—who can connect and what connection properties apply. Create a policy that allows members of the VPN-Users Active Directory group to authenticate. Navigate to Policies > Network Policies in the NPS console, right-click, and select New.
Policy name: “Allow VPN Users”. Grant access. Conditions: add a Windows Groups condition and specify the VPN-Users AD group (add a NAS Port Type condition as well if the policy should match only VPN clients and not wireless or wired 802.1X). Constraints: configure authentication methods (EAP-TLS for certificate-based auth, or MS-CHAPv2 inside PEAP for passwords; leave PAP, CHAP and bare MS-CHAPv2 disabled unless a specific device needs them, and avoid PPTP altogether, since its MPPE keys are derived from an MS-CHAPv2 exchange that can be cracked offline from a capture). Settings: configure RADIUS attributes as needed (Framed-Protocol, Service-Type).
# Using netsh to create a basic network policy. Conditions and profile settings are passed as
# opaque NPS attribute ids, so build the first policy in the console and read the exact ids and
# data back with "netsh nps show np" before scripting copies. The netsh parameter is conditiondata
# (not conditionvalue); the SID below is a placeholder for the VPN-Users group SID, which you can
# read with (Get-ADGroup VPN-Users).SID.Value
netsh nps add np `
name="Allow VPN Users" `
processingorder=1 `
state=enable `
conditionid="0x4a5a" `
conditiondata="S-1-5-21-xxxxx-VPN-Users"
Configuring EAP-TLS Authentication
EAP-TLS is the strongest authentication method NPS offers: both sides prove possession of a private key, so there is no password to phish, replay or crack. Configure it in the Network Policy’s Constraints section under Authentication Methods. Enable EAP and select Microsoft: Smart Card or other certificate. This requires that the NPS server holds a certificate with the Server Authentication EKU, together with its private key, in the local machine store; that each connecting client (user or computer) holds a certificate with the Client Authentication EKU; and that each side trusts the CA that issued the other’s certificate. Auto-enrollment from an AD CS enterprise CA is the usual way to issue and renew both.
# Verify the NPS server certificate: it must sit in the machine store with its private key
# and carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains "Server Authentication") } |
Select-Object Subject, Issuer, NotAfter, Thumbprint
Configuring PEAP-MSCHAPv2 for Password Authentication
PEAP-MSCHAPv2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2) provides password-based authentication wrapped in TLS. The NPS server presents its certificate to the client, establishing a TLS tunnel, and the MSCHAPv2 exchange then happens inside the tunnel. It is the most common password-based method for wireless 802.1X and VPN access because it needs no client certificates. Its security rests entirely on the client validating the server certificate: MS-CHAPv2 on its own can be broken offline from a captured challenge/response, so a client that skips validation, or lets the user accept any certificate, will hand its credentials to a rogue access point or VPN endpoint impersonating NPS. Configure clients (through GPO or the network profile) to validate the server certificate, restrict it to the issuing CA and the expected server names, and not prompt the user to authorize unknown servers. On the NPS side, configure it in Network Policy > Constraints > Authentication Methods > EAP > Microsoft: Protected EAP (PEAP).
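Added example (PowerShell, not from the original tutorial), serving both the EAP-TLS and the PEAP sections since both rely on the same NPS server certificate: a check that goes beyond the EKU filter above by confirming the private key, the server name clients will be told to expect, remaining validity, and that a chain builds for the server-authentication purpose. The FQDN is a placeholder. The chain is built against the NPS server's own trust store, so a clean result still does not prove that the clients trust the issuing CA; that has to be checked on a client.

```powershell
# Added example, not from the original tutorial. The server FQDN is a placeholder.
function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,
        [int]$MinDaysRemaining = 30
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    }
    if (-not $candidates) {
        Write-Warning 'No certificate with a private key and the Server Authentication EKU in LocalMachine\My'
        return
    }
    foreach ($cert in $candidates) {
        $problems = @()
        # Names a client may be configured to expect: the CN plus any DNS entries in the SAN
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        if ($names -notcontains $ServerFqdn) { $problems += "name '$ServerFqdn' not in subject or SAN ($($names -join ', '))" }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysRemaining)) { $problems += "expires $($cert.NotAfter)" }
        # Build a chain for the server-auth purpose using this server's trust store
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline run; use Online in production
        [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuthOid))
        if (-not $chain.Build($cert)) {
            $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join ' | ')
        }
    }
}

Test-NpsServerCertificate -ServerFqdn 'nps01.yourdomain.com' | Format-List
```

Run it after every renewal: a renewed certificate with a changed subject or a missing SAN entry is a common reason PEAP clients that pin the server name suddenly stop connecting, and a certificate that chains to a CA the clients do not trust fails in exactly the same way as an impostor's would.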
Testing RADIUS Authentication
Use the NPS built-in diagnostics and the Windows event log to verify RADIUS authentication is working. NPS writes to the Security event log: Event 6272 for granted access, 6273 for denied access, and 6274 for requests it discarded (for example from an address that is not a registered RADIUS client). These events appear only while the Network Policy Server audit subcategory is enabled, which installing the role normally does; confirm or enable it with auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable, and forward the events to your SIEM, since a burst of 6273 events for many accounts from one client is the usual sign of a password spray through the VPN.
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = @(6272, 6273)
StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, Message | Format-List
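Added example (PowerShell, not from the original tutorial): a minimal RADIUS client that sends a PAP Access-Request carrying User-Password (hidden as in RFC 2865 section 5.2) and a Message-Authenticator (HMAC-MD5, RFC 2869), then verifies the Response Authenticator and, if NPS sends one, the Message-Authenticator on the reply. It assumes NPS is reachable on UDP 1812, that the host it runs on is registered as a RADIUS client with the secret you pass, and that the matching network policy permits PAP (Unencrypted authentication) for the test account; the server name, secret, user and password are placeholders.

```powershell
# Added example, not from the original tutorial. Server, secret, user and password are placeholders.
$md5 = [System.Security.Cryptography.MD5]::Create()

function ConvertTo-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)   # TLV; length includes the 2 header bytes (value <= 253)
    [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function Protect-RadiusPassword {
    # RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    # seeded with the Request Authenticator. The secret's entropy is the only protection.
    param([byte[]]$Secret, [byte[]]$Authenticator, [string]$Password)
    $p = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $padded = New-Object byte[] ([int](16 * [math]::Max(1, [math]::Ceiling($p.Length / 16))))
    [Array]::Copy($p, $padded, $p.Length)
    $out = New-Object byte[] $padded.Length
    $prev = $Authenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $out[$i..($i + 15)]
    }
    $out
}

function New-RadiusAccessRequest {
    param([byte[]]$Secret, [string]$User, [string]$Password, [byte]$Id, [byte[]]$Authenticator, [ipaddress]$NasIp)
    [byte[]]$attrs = @()
    $attrs += ConvertTo-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($User))             # User-Name
    $attrs += ConvertTo-RadiusAttribute 2  (Protect-RadiusPassword $Secret $Authenticator $Password)  # User-Password
    $attrs += ConvertTo-RadiusAttribute 4  ($NasIp.GetAddressBytes())                                 # NAS-IP-Address
    $attrs += ConvertTo-RadiusAttribute 61 ([byte[]](0, 0, 0, 5))                                     # NAS-Port-Type = Virtual
    $attrs += ConvertTo-RadiusAttribute 80 (New-Object byte[] 16)                                     # Message-Authenticator, zeroed
    $len = 20 + $attrs.Length
    [byte[]]$pkt = @(1, $Id, ($len -shr 8), ($len -band 0xFF)) + $Authenticator + $attrs              # Code 1 = Access-Request
    $hmac = New-Object System.Security.Cryptography.HMACMD5 (,$Secret)                                # RFC 2869 5.14: HMAC over the whole request
    [Array]::Copy($hmac.ComputeHash($pkt), 0, $pkt, $pkt.Length - 16, 16)                             # fill the last attribute's value
    $pkt
}

function Read-RadiusAttributes {
    param([byte[]]$Packet)
    $i = 20
    while ($i + 2 -le $Packet.Length) {
        $t = $Packet[$i]; $l = $Packet[$i + 1]
        if ($l -lt 2 -or $i + $l -gt $Packet.Length) { throw "malformed attribute at offset $i" }
        $value = if ($l -gt 2) { [byte[]]($Packet[($i + 2)..($i + $l - 1)]) } else { [byte[]]@() }
        [pscustomobject]@{ Type = [int]$t; Offset = $i; Value = $value }
        $i += $l
    }
}

function Test-RadiusResponse {
    param([byte[]]$Secret, [byte[]]$Request, [byte[]]$Response)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    $attrBytes = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($Response[0..3] + $Request[4..19] + $attrBytes + $Secret))
    $authOk = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($Response[4..19]))
    # Reply Message-Authenticator, if present: HMAC over the reply with the Request Authenticator
    # substituted into the authenticator field and the attribute value zeroed (RFC 2869 5.14)
    $maOk = $null
    $ma = Read-RadiusAttributes $Response | Where-Object { $_.Type -eq 80 } | Select-Object -First 1
    if ($ma -and $ma.Value.Length -eq 16) {
        [byte[]]$copy = $Response.Clone()
        [Array]::Copy($Request, 4, $copy, 4, 16)
        [Array]::Clear($copy, $ma.Offset + 2, 16)
        $hmac = New-Object System.Security.Cryptography.HMACMD5 (,$Secret)
        $maOk = [BitConverter]::ToString($hmac.ComputeHash($copy)) -eq [BitConverter]::ToString($ma.Value)
    }
    [pscustomobject]@{ ResponseAuthenticatorValid = $authOk; MessageAuthenticatorValid = $maOk }
}

function Invoke-RadiusPapTest {
    param([string]$Server, [string]$SharedSecret, [string]$User, [string]$Password, [int]$Port = 1812, [int]$TimeoutMs = 5000)
    [byte[]]$secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)   # Request Authenticator must be unpredictable
    $id = [byte](Get-Random -Maximum 256)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $udp.Connect($Server, $Port)
    $local = ([System.Net.IPEndPoint]$udp.Client.LocalEndPoint).Address
    if ($local.AddressFamily -ne 'InterNetwork') { $local = [ipaddress]::Loopback }   # NAS-IP-Address is IPv4 only
    [byte[]]$req = New-RadiusAccessRequest -Secret $secret -User $User -Password $Password -Id $id -Authenticator $auth -NasIp $local
    try {
        [void]$udp.Send($req, $req.Length)
        $remote = New-Object System.Net.IPEndPoint ([ipaddress]::Any, 0)
        [byte[]]$resp = $udp.Receive([ref]$remote)   # times out when NPS silently discards (unregistered client, wrong secret)
    } finally { $udp.Close() }
    if ($resp.Length -lt 20 -or $resp[1] -ne $id) { throw 'reply does not match the request identifier' }
    $check = Test-RadiusResponse -Secret $secret -Request $req -Response $resp
    [pscustomobject]@{
        Code = $(switch ([int]$resp[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } 11 { 'Access-Challenge' } default { "code $_" } })
        ResponseAuthenticatorValid = $check.ResponseAuthenticatorValid
        MessageAuthenticatorValid  = $check.MessageAuthenticatorValid
    }
}

Invoke-RadiusPapTest -Server 'nps01.yourdomain.com' -SharedSecret 'Y0urStr0ngSharedS3cret!' -User 'YOURDOMAIN\testuser' -Password 'P@ssw0rd'
```

Read the result together with the Security log: an Access-Accept with both authenticators valid pairs with a 6272 event; an Access-Reject with a valid Response Authenticator and a 6273 event still proves the client registration, shared secret and policy matching are correct and points at the policy (for example PAP not being an allowed authentication method, or the account not in VPN-Users); a receive timeout with no event, or a 6274 event, means the request never reached policy evaluation. Use a dedicated test account with a throwaway password, and run this from a host that is itself registered as a RADIUS client rather than borrowing a gateway's secret.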
Enable NPS text file logging for detailed RADIUS accounting (the same settings are under Accounting > Log File Properties in the console). The netsh subcommand is set filelog; confirm the result with netsh nps show filelog:
netsh nps set filelog directory=C:\NPSLogs
netsh nps set filelog accounting=enable authentication=enable format=IAS
Configuring NPS Accounting
RADIUS accounting records connection start, stop, and interim records. Configure NPS to log accounting data to SQL Server for long-term storage and reporting, or use text file logging for simpler environments. With SQL logging, decide deliberately whether NPS should keep authenticating when the database is unreachable: the accounting settings include an option to discard connection requests if logging fails, which turns a database outage into a network access outage, and leaving it off means an auditor's view can silently go blank. Text logs avoid that coupling; ship them to the SIEM from the log directory rather than querying the NPS server itself.
# Full text-file logging configuration (DTS is the XML format, one <Event> per line, the easiest to parse);
# check with "netsh nps show filelog"
netsh nps set filelog `
directory=C:\Windows\System32\LogFiles `
format=DTS `
accounting=enable `
authentication=enable `
frequency=monthly
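Added example (PowerShell, not from the original tutorial): a parser for the DTS-compliant log format, where each record is one <Event> XML element per line, that summarizes accepts, rejects and reason codes per user and pairs accounting Start and Stop records by session. The element names (Timestamp, User-Name, Client-IP-Address, Packet-Type, Reason-Code, Acct-Status-Type, Acct-Session-Id, Acct-Session-Time) are the ones NPS writes in DTS logs; the sample records are constructed for this example, not real NPS output, and the log directory in the last comment is a placeholder.

```powershell
# Added example, not from the original tutorial. The records below are constructed samples.
$sample = @'
<Event><Timestamp data_type="4">03/14/2024 10:22:11.143</Timestamp><User-Name data_type="1">YOURDOMAIN\alice</User-Name><Client-IP-Address data_type="3">10.0.1.5</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/14/2024 10:22:11.201</Timestamp><User-Name data_type="1">YOURDOMAIN\alice</User-Name><Client-IP-Address data_type="3">10.0.1.5</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2024 10:22:12.005</Timestamp><User-Name data_type="1">YOURDOMAIN\alice</User-Name><Client-IP-Address data_type="3">10.0.1.5</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">5F3A01</Acct-Session-Id></Event>
<Event><Timestamp data_type="4">03/14/2024 10:30:40.770</Timestamp><User-Name data_type="1">YOURDOMAIN\bob</User-Name><Client-IP-Address data_type="3">10.0.1.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/14/2024 11:22:15.330</Timestamp><User-Name data_type="1">YOURDOMAIN\alice</User-Name><Client-IP-Address data_type="3">10.0.1.5</Client-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">5F3A01</Acct-Session-Id><Acct-Session-Time data_type="0">3603</Acct-Session-Time></Event>
'@

function Read-NpsDtsLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*<Event>') { continue }   # skip blank or partially written lines
        $e = ([xml]$line).DocumentElement
        $field = { param($name) $n = $e.SelectSingleNode($name); if ($n) { $n.InnerText } else { $null } }
        [pscustomobject]@{
            Time        = & $field 'Timestamp'
            User        = & $field 'User-Name'
            ClientIp    = & $field 'Client-IP-Address'
            PacketType  = [int](& $field 'Packet-Type')   # 1 Access-Request, 2 Accept, 3 Reject, 4 Accounting-Request
            ReasonCode  = & $field 'Reason-Code'          # 0 success, 16 credential mismatch
            AcctStatus  = & $field 'Acct-Status-Type'     # 1 Start, 2 Stop, 3 Interim-Update
            SessionId   = & $field 'Acct-Session-Id'
            SessionTime = & $field 'Acct-Session-Time'
        }
    }
}

function Get-NpsAuthSummary {
    # Accepts and rejects per user with distinct reason codes and source clients; many rejects
    # with code 16 across different users from one client IP is the password-spray signature
    param([object[]]$Records)
    $Records | Where-Object { $_.PacketType -in 2, 3 } | Group-Object User | ForEach-Object {
        $rejects = @($_.Group | Where-Object PacketType -eq 3)
        [pscustomobject]@{
            User    = $_.Name
            Accepts = @($_.Group | Where-Object PacketType -eq 2).Count
            Rejects = $rejects.Count
            Reasons = (@($rejects | ForEach-Object ReasonCode | Sort-Object -Unique) -join ',')
            Clients = (@($_.Group | ForEach-Object ClientIp | Sort-Object -Unique) -join ',')
        }
    }
}

function Get-NpsSessions {
    # Pair Start and Stop by Acct-Session-Id; a Stop without a Start (or a Start that never stops) is worth a look
    param([object[]]$Records)
    $Records | Where-Object { $_.PacketType -eq 4 -and $_.SessionId } | Group-Object SessionId | ForEach-Object {
        $start = $_.Group | Where-Object AcctStatus -eq '1' | Select-Object -First 1
        $stop  = $_.Group | Where-Object AcctStatus -eq '2' | Select-Object -First 1
        [pscustomobject]@{
            SessionId = $_.Name
            User      = ($_.Group | Select-Object -First 1).User
            Start     = if ($start) { $start.Time } else { $null }
            Stop      = if ($stop) { $stop.Time } else { $null }
            Seconds   = if ($stop) { [int]$stop.SessionTime } else { $null }
            Complete  = [bool]($start -and $stop)
        }
    }
}

$records = Read-NpsDtsLog -Lines ($sample -split "`r?`n")
Get-NpsAuthSummary -Records $records | Format-Table -AutoSize
Get-NpsSessions    -Records $records | Format-Table -AutoSize
# For real logs (directory is a placeholder): Get-NpsAuthSummary -Records (Read-NpsDtsLog -Lines (Get-Content 'C:\NPSLogs\*.log'))
```

On the sample this reports alice with one accept and bob with one reject (reason 16), and one complete session of 3603 seconds for alice. The parser deliberately treats each line as an independent XML document, which is what makes DTS logs safe to tail while NPS is still appending to them.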
High Availability for NPS
For production environments, deploy at least two NPS servers for redundancy. Configure RADIUS clients (VPN gateways, APs) to use both NPS servers with automatic failover, using the same shared secret for a given client on both servers; clients fail over on timeout, so the retry and timeout values on the device decide how long a user waits while one NPS server is down. Both NPS servers must be registered in Active Directory. NPS does not replicate its configuration, so export from the primary server and import on the secondary after every change. An export made with exportPSK=YES contains every RADIUS client’s shared secret in clear text: write it to a location only administrators can read, move it over an authenticated channel, and delete it as soon as the import has succeeded.
# Export NPS config from primary (the file holds all shared secrets in clear text; protect it and delete it after use)
netsh nps export filename=C:\NPSConfig.xml exportPSK=YES
# Import on secondary NPS server, then verify with "netsh nps show client"
netsh nps import filename=C:\NPSConfig.xml
Conclusion
Windows Server 2019’s Network Policy Server provides a robust, AD-integrated RADIUS solution for centralizing network access authentication. By configuring NPS as a RADIUS server, you ensure that all remote access—VPN, wireless, and wired 802.1X—uses domain credentials enforced by consistent network policies. EAP-TLS with certificates provides the highest security level, while PEAP-MSCHAPv2 is widely compatible. Deploy NPS in pairs for high availability and configure accounting logging to maintain an audit trail of all authentication events.