How to Configure Network Policy Server (NPS) on Windows Server 2012 R2

Network Policy Server (NPS) is the Microsoft implementation of a RADIUS (Remote Authentication Dial-In User Service) server on Windows Server 2012 R2. NPS centralizes authentication, authorization, and accounting for network access, including VPN connections, wireless access points, 802.1X wired authentication, and dial-up connections. Acting as a RADIUS proxy, NPS can also forward authentication requests to other RADIUS servers for federation scenarios. This guide covers installing NPS, creating network policies, configuring RADIUS clients, and integrating with Active Directory for centralized network access control.

Prerequisites

The server running NPS should be domain-joined so that it can authenticate users against Active Directory, and after installation it must be registered in AD (made a member of the RAS and IAS Servers group) so it can read the dial-in properties of user accounts. Registration requires Domain Admin rights or delegated rights to modify that group. NPS listens on UDP 1812 (authentication) and 1813 (accounting) and, for older equipment, on the legacy ports 1645 and 1646; RADIUS clients (VPN servers, switches, APs) must be able to reach those ports, so any firewall between them and the NPS server has to allow the traffic (the role installation adds the local Windows Firewall rules). PEAP and EAP-TLS need an X.509 server authentication certificate on the NPS server issued by a CA the clients trust; EAP-TLS additionally needs client certificates. Because NPS sits in the path of every network logon, plan for at least two NPS servers, and keep a busy deployment (dozens of RADIUS clients) on dedicated hosts rather than co-located with other roles. This guide assumes Windows Server 2012 R2 and an account with Domain Admin rights.

Installing Network Policy Server

Install the NPS role via PowerShell or Server Manager:

# Install the NPS role service (NPAS-Policy-Server) with its management tools.
# Do not use -IncludeAllSubFeature: that also installs the Network Access Protection
# components (HRA, HCAP), which are deprecated in 2012 R2 and not needed for RADIUS.
Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools

# Verify installation
Get-WindowsFeature NPAS* | Where-Object {$_.InstallState -eq "Installed"}

After installation, register the NPS server in Active Directory so it can read user properties (including dial-in permission settings):

# Register NPS server in Active Directory (must be run as Domain Admin)
netsh nps add registeredserver

Alternatively, via the NPS console: right-click the root “NPS (Local)” node and select “Register server in Active Directory.” Both methods add the NPS computer account to the RAS and IAS Servers security group in the server's own domain. If NPS must authenticate users from other domains in the forest, register it in each of those domains as well (netsh nps add registeredserver domain=<domain> server=<nps-server>, or add the computer account to that domain's RAS and IAS Servers group by hand).
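The following post-install check is an added example and not part of the original guide. It verifies, from an elevated PowerShell session on the NPS host itself, the three things the steps above are meant to produce: the machine is domain-joined, its computer account is in the RAS and IAS Servers group (which is all that registration does), and the IAS service is running and bound to the RADIUS UDP ports with its inbound firewall rules enabled. It uses ADSI rather than the AD cmdlets, so RSAT is not required; the firewall rule group name "Network Policy Server" is the one the role installation creates.

```powershell
# Added example, not from the original guide: post-install checks for an NPS server.
# Assumes an elevated session on the domain-joined NPS host. Group, service and port
# names are the standard ones; nothing else is assumed.

function Test-NpsRegistration {
    # True if this computer is a member of the domain's "RAS and IAS Servers" group,
    # which is what "netsh nps add registeredserver" does. ADSI only, no RSAT needed.
    $computer = ([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    if (-not $computer) { return $false }
    $computerDn = [string]$computer.Properties['distinguishedname'][0]
    $group = ([ADSISearcher]'(&(objectCategory=group)(sAMAccountName=RAS and IAS Servers))').FindOne()
    if (-not $group) { return $false }
    @($group.Properties['member']) -contains $computerDn
}

function Test-NpsListening {
    # NPS runs as the service named IAS; it must be running and bound to the RADIUS UDP ports.
    $svc   = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $ports = 1812, 1813, 1645, 1646
    $bound = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        PortsBound     = @($bound | Sort-Object)
        MissingPorts   = @($ports | Where-Object { $bound -notcontains $_ })
    }
}

function Test-NpsFirewall {
    # The role install adds inbound rules in the "Network Policy Server" group; list their state.
    Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Profile
}

$listen = Test-NpsListening
[pscustomobject]@{
    DomainJoined      = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    RegisteredInAD    = Test-NpsRegistration
    NpsServiceRunning = $listen.ServiceRunning
    UdpPortsBound     = ($listen.PortsBound -join ', ')
    MissingUdpPorts   = ($listen.MissingPorts -join ', ')
} | Format-List
Test-NpsFirewall | Format-Table -AutoSize
```

A false RegisteredInAD with the service running is the classic symptom behind "reason code 65"-style denials later on: NPS answers requests but cannot read the user's dial-in properties. Missing UDP ports usually mean the IAS service failed to start or another RADIUS product is already bound to them.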

Configuring RADIUS Clients

RADIUS clients are the network devices (VPN servers, wireless controllers, managed switches) that send authentication requests to NPS. Add each device as a RADIUS client with a shared secret:

# Add a VPN server as a RADIUS client
New-NpsRadiusClient -Name "VPN-Server01" `
    -Address "192.168.1.50" `
    -SharedSecret "SuperSecureRadiusSecret123!" `
    -Enabled $true `
    -VendorName "Microsoft"

# Add a wireless access controller
New-NpsRadiusClient -Name "WiFi-Controller" `
    -Address "192.168.1.60" `
    -SharedSecret "AnotherSecureSecret456!" `
    -Enabled $true `
    -VendorName "RADIUS Standard"   # the default vendor; use a vendor entry only for vendor-specific attributes

# List all configured RADIUS clients
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table

For production, use long (30 or more characters; NPS accepts up to 128) randomly generated shared secrets, a different one for every client, and keep them in a secrets vault rather than a document. The secret is all that protects RADIUS on the wire: it keys the MD5-based obfuscation of User-Password and the Message-Authenticator HMAC, so anyone who can capture traffic and guess the secret can recover PAP passwords and forge Access-Accept packets. The same secret must be configured on both the NPS server and the RADIUS client device. Note that a secret typed on the command line as above also ends up in the console history of the session.
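The script below is an added example, not code from the original guide. It generates a separate random shared secret for each RADIUS client from the system CSPRNG (with rejection sampling, so no character is favoured), creates the clients with New-NpsRadiusClient, skips any that already exist, and prints each secret exactly once so it can be handed to the device owner out of band. The device list is constructed for the example; the vendor names used are the two the NPS console offers by default.

```powershell
# Added example, not from the original guide. Device names and addresses are constructed.
# Assumes the NPS role is installed and the session is elevated.

function New-RadiusSharedSecret {
    param([int]$Length = 40)
    # Characters that NAS vendors reliably accept; 40 of them is far beyond offline guessing.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_'
    # Rejection sampling: discard random bytes >= limit so that "byte % alphabet.Length" is unbiased.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Constructed inventory; in practice this comes from your CMDB or a CSV.
$devices = @(
    @{ Name = 'VPN-Server01';    Address = '192.168.1.50'; VendorName = 'Microsoft' }
    @{ Name = 'WiFi-Controller'; Address = '192.168.1.60'; VendorName = 'RADIUS Standard' }
    @{ Name = 'Core-Switch01';   Address = '192.168.1.70'; VendorName = 'RADIUS Standard' }
)

$existing = @(Get-NpsRadiusClient | Select-Object -ExpandProperty Name)

$results = foreach ($d in $devices) {
    if ($existing -contains $d.Name) {
        Write-Warning "RADIUS client '$($d.Name)' already exists; leaving its secret unchanged"
        continue
    }
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $d.Name -Address $d.Address -SharedSecret $secret `
        -Enabled $true -VendorName $d.VendorName | Out-Null
    [pscustomobject]@{ Name = $d.Name; Address = $d.Address; SharedSecret = $secret }
}

# Shown once: record each secret in the vault and on the device, then close this session.
$results | Format-Table -AutoSize
```

To rotate a secret later, generate a new one the same way and apply it with Set-NpsRadiusClient -Name <client> -SharedSecret <secret>, changing the device at the same time; NPS silently discards packets from a client whose secret no longer matches, so rotate one client at a time and watch for discards.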

Creating Connection Request Policies

Connection Request Policies determine whether NPS processes an authentication request locally or forwards it to a remote RADIUS server. For local processing (most common), configure a policy that matches your authentication scenarios:

# View existing connection request policies with their processing order and state.
# The NPS PowerShell module on 2012 R2 has no policy cmdlets; use netsh nps or the console.
netsh nps show crp

# Create a connection request policy for VPN authentication
# NPS Console > Policies > Connection Request Policies > New

The default connection request policy (“Use Windows authentication for all users”) processes all requests locally via Active Directory, which is appropriate for most environments. Policies are evaluated in processing order and the first match wins, so any policy that forwards requests to a remote RADIUS server group must sit above the default policy, and the default should stay last as the catch-all.

Creating Network Policies

Network Policies define who can connect and under what conditions. Each policy specifies conditions (who), constraints (how), and settings (what access level). Allow only the authentication methods your clients actually use: leave PAP, CHAP and MS-CHAP (v1) disabled, and accept bare MS-CHAP v2 only where the VPN transport already encrypts the exchange (IKEv2, SSTP, L2TP/IPsec), since a captured MS-CHAP v2 handshake can be cracked offline. Prefer EAP-MSCHAP v2 inside PEAP, or EAP-TLS. Create a policy for VPN users in a specific AD group:

# The NPS PowerShell module on 2012 R2 covers RADIUS clients, remote RADIUS server groups,
# shared-secret templates and configuration export/import only. Network policies are
# created in nps.msc (wizard steps below) or with "netsh nps add np"; the numeric
# condition and profile attribute IDs that command takes are easiest to copy from the
# output of "show np" for an existing policy.

# View all network policies, with processing order, state and their condition/profile attributes
netsh nps show np

Configure a policy using the NPS console for complex scenarios with VLAN assignments. In the NPS MMC (nps.msc), navigate to Policies > Network Policies and create a new policy:

# Network Policy configuration via nps.msc wizard:
# 1. Policy Name: "VPN-Domain-Users"
# 2. Type of Network Access Server: Remote Access Server (VPN-Dial up)
# 3. Specify Conditions:
#    - Windows Groups: Add the "VPN-Users" domain group
#    - NAS Port Type: Virtual (VPN); add Async (Modem) only if dial-up is still in use
#    - Day and Time Restrictions: Business hours only if required
# 4. Specify Access Permission: Access Granted
# 5. Configure Authentication Methods:
#    - EAP type: Microsoft: Secured password (EAP-MSCHAP v2), or Microsoft: Smart Card or
#      other certificate (EAP-TLS) if you issue client certificates [preferred]
#    - MS-CHAP v2 only for clients that cannot do EAP; leave MS-CHAP, CHAP and PAP unchecked
# 6. Configure Constraints:
#    - Session timeout: 480 minutes (8 hours)
#    - Idle timeout: 30 minutes
# 7. Configure Settings (RADIUS Attributes):
#    - Framed-Protocol: PPP
#    - Service-Type: Framed

Configuring PEAP Authentication for Wireless

PEAP (Protected EAP) is the recommended authentication method for 802.1X wireless: the client first establishes a TLS tunnel to NPS and only then sends the inner EAP-MSCHAP v2 credentials. That protection holds only if the wireless clients validate the NPS server certificate (trusted issuing CA, expected server name) and are not allowed to prompt the user to accept an unknown certificate; otherwise a rogue access point presenting any certificate can terminate the tunnel and collect MS-CHAP v2 handshakes. Push the validation settings to domain clients with a Group Policy wireless network profile. On the server side, PEAP requires a server certificate on the NPS server:

# Request a server authentication certificate for NPS from your internal CA
# The certificate needs Server Authentication (1.3.6.1.5.5.7.3.1) in Enhanced Key Usage
# Common Name should match the NPS server's FQDN

# After certificate enrollment, configure NPS to use it for PEAP:
# NPS Console > Policies > Network Policies > [Your Wireless Policy]
# Authentication Methods > EAP Types > Microsoft: Protected EAP (PEAP)
# Configure PEAP settings > Select the server certificate

# Create the wireless network policy in nps.msc with the same wizard as for VPN, using:
#   Type of Network Access Server: Unspecified
#   Conditions: Windows Groups = the wireless users group; NAS Port Type = Wireless - IEEE 802.11
#   Authentication Methods: Microsoft: Protected EAP (PEAP) as the only EAP type, nothing else checked
#   Processing order: 2 (after the VPN policy)
# Then confirm it is listed with the intended order and state:
netsh nps show np
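The script below is an added example and not part of the original guide. It finds, in the local machine store of the NPS host, every certificate that meets the PEAP requirements stated above (private key present, Server Authentication EKU, CN or SAN dNSName equal to the host's FQDN), then builds the chain the way a client would, with the Server Authentication application policy and online revocation checking, and reports the thumbprint to select in the PEAP settings dialog. The FQDN is taken from DNS; the 30-day renewal warning threshold is the example's own choice.

```powershell
# Added example, not from the original guide: find and validate the certificate NPS
# should present for PEAP. Runs on the NPS host; assumes a certificate has already been
# enrolled into LocalMachine\My. Only .NET and the PowerShell certificate provider are used.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-PeapCertificateCandidate {
    param([string]$Fqdn)
    # Certificates with a private key, the Server Authentication EKU, and a name
    # (subject CN or SAN dNSName) that matches this host.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid }) -and
        ( ($_.Subject -match "(^|,\s*)CN=$([regex]::Escape($Fqdn))(,|$)") -or
          ($_.DnsNameList | Where-Object { $_.Unicode -eq $Fqdn }) )
    }
}

function Test-PeapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain as a supplicant would: trusted root, Server Authentication policy,
    # and revocation information reachable. A chain that fails here fails on the clients too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ServerAuthOid)) | Out-Null
    $valid    = $chain.Build($Cert)
    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays

    $warning = ''
    if (-not $valid)         { $warning = 'chain does not validate; clients will reject PEAP' }
    elseif ($daysLeft -lt 30) { $warning = 'expires within 30 days; renew and re-select in the PEAP settings' }

    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        DaysToExpiry = $daysLeft
        ChainValid   = $valid
        ChainErrors  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Warning      = $warning
    }
}

$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$candidates = @(Get-PeapCertificateCandidate -Fqdn $fqdn)

if ($candidates.Count -eq 0) {
    Write-Warning "No server-authentication certificate for $fqdn in LocalMachine\My; enroll one before enabling PEAP."
} else {
    # Select the reported thumbprint under: Network Policy > Constraints > Authentication Methods
    # > Microsoft: Protected EAP (PEAP) > Edit > Certificate issued
    $candidates | ForEach-Object { Test-PeapCertificate -Cert $_ } | Format-List
}
```

Run this again after every certificate renewal: NPS keeps pointing at the old thumbprint until someone re-selects the new certificate in the PEAP settings, and an expired PEAP certificate takes all wireless authentication down at once.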

Configuring NPS Accounting Logging

NPS can log accounting records and authentication requests to a local text file (IAS or DTS-compliant XML format) or to a SQL Server database for auditing and billing. Accounting data only appears if the RADIUS clients are configured to send accounting to NPS; authentication request logging works regardless. By default NPS discards a connection request when it cannot write the log entry (the “If logging fails, discard connection request” option under Accounting), which is the safe choice for an audit trail but means a full log volume stops all network logons, so monitor free space on it:

# Configure local text-file logging with netsh (the PowerShell module has no logging cmdlets).
# Keyword names are those printed by "netsh nps dump" for the file log section on a default
# install; confirm the accepted values on your server with "netsh nps set filelog ?".
netsh nps set filelog accounting=enable authentication=enable periodic=enable directory="C:\Windows\System32\LogFiles" format=ias frequency=daily

# Review the resulting file log, SQL log and event log settings
netsh nps show config

NPS also records every granted, denied and discarded request in the Security event log through the “Network Policy Server” audit subcategory. The console switches (NPS (Local) > Properties > General > “Rejected authentication requests” and “Successful authentication requests”) are on by default; what more often goes wrong is a Group Policy that turns the audit subcategory off, after which no 6272/6273 events are written at all. Check and, if needed, re-enable it:

# Audit subcategory that produces events 6272/6273/6274; both success and failure are wanted
auditpol /get /subcategory:"Network Policy Server"
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Exporting and Importing NPS Configuration

NPS configuration can be exported to XML for backup or to clone it to a secondary NPS server. The export contains every RADIUS client shared secret in clear text (with exportPSK=YES for netsh, and always with Export-NpsConfiguration), so treat the file like a password file: write it to a folder only administrators can read, move it over an encrypted channel, and delete it once imported. Certificates are not part of the export, so the secondary server needs its own PEAP certificate and its own registration in Active Directory:

# Export the entire NPS configuration to XML (exportPSK=YES includes the shared secrets)
netsh nps export filename="C:\NPSConfig-Backup.xml" exportPSK=YES

# Import on the secondary NPS server (replaces that server's current configuration)
netsh nps import filename="C:\NPSConfig-Backup.xml"

# PowerShell equivalents; Export-NpsConfiguration always writes the shared secrets
Export-NpsConfiguration -Path "C:\NPS-Full-Backup.xml"
Import-NpsConfiguration -Path "C:\NPS-Full-Backup.xml"

Verification and Troubleshooting

Test NPS authentication and review event logs:

# Check the Security log for NPS authentication results
# Event 6272 = Network Policy Server granted access
# Event 6273 = Network Policy Server denied access
# Event 6274 = Network Policy Server discarded the request (e.g. unknown client or bad shared secret)
# If nothing comes back while clients are authenticating, the "Network Policy Server"
# audit subcategory has been disabled on this server.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(6272,6273,6274)} -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List

# Check the NPS text log files (IAS format, one file per day or month depending on the frequency setting)
Get-Content "C:\Windows\System32\LogFiles\IN*.log" -Tail 20

# Test RADIUS connectivity from a RADIUS client
# On the VPN server or network device, trigger a test authentication
# and verify the NPS server receives and processes the request
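Reading single 6273 events one by one does not scale once a deployment is live. The script below is an added example, not part of the original guide: it parses the denial events of the last 24 hours from the Security log, summarises them by reason code, and flags any RADIUS client IP that produced more than a threshold of denials across many distinct user names, which is the shape of a password spray coming through a VPN server or access point. The EventData field names (ClientIPAddress, FullyQualifiedSubjectUserName, ReasonCode and so on) are taken from the event's XML; confirm them on your server with (Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml(). The 24-hour window, the threshold of 10 and the constructed fallback records are the example's own.

```powershell
# Added example, not from the original guide: summarise NPS denials (Security event 6273).
# Field names are assumed from the event's XML (EventData/Data Name="..."); verify with ToXml().

function ConvertFrom-NpsDenialEvent {
    param([Parameter(ValueFromPipeline=$true)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            User       = $data['FullyQualifiedSubjectUserName']
            ClientIP   = $data['ClientIPAddress']      # the RADIUS client (NAS), not the end user
            CallingId  = $data['CallingStationID']     # end-user MAC or source IP, as reported by the NAS
            Policy     = $data['NetworkPolicyName']
            ReasonCode = [int]$data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

function Get-NpsDenialSummary {
    param([object[]]$Denials, [int]$Threshold = 10)
    # Reason codes tell misconfiguration (48 = no matching network policy, 65 = dial-in
    # permission denied, 66 = auth method not enabled) apart from bad credentials (16).
    $byReason = $Denials | Group-Object ReasonCode | Sort-Object Count -Descending |
        Select-Object Count, @{n='ReasonCode'; e={ $_.Name }}, @{n='Reason'; e={ $_.Group[0].Reason }}
    # Many bad-credential denials from one NAS spread over many user names looks like a spray.
    $suspicious = $Denials | Where-Object { $_.ReasonCode -eq 16 } | Group-Object ClientIP |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object Count, @{n='ClientIP'; e={ $_.Name }},
            @{n='DistinctUsers'; e={ @($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique).Count }}
    [pscustomobject]@{ ByReason = $byReason; Suspicious = @($suspicious) }
}

$since   = (Get-Date).AddHours(-24)
$denials = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-NpsDenialEvent)

if ($denials.Count -eq 0) {
    # Constructed sample records so the summary can be exercised on a host with no denials yet
    $denials = 1..12 | ForEach-Object {
        [pscustomobject]@{ Time = Get-Date; User = "CORP\user$_"; ClientIP = '192.168.1.50'; CallingId = ''
                           Policy = ''; ReasonCode = 16; Reason = 'Authentication failed due to a user credentials mismatch.' }
    }
}

$summary = Get-NpsDenialSummary -Denials $denials -Threshold 10
"Denials by reason (last 24h):";  $summary.ByReason   | Format-Table -AutoSize
"Clients over threshold:";         $summary.Suspicious | Format-Table -AutoSize
```

A NAS that shows up under Suspicious with a high DistinctUsers count is where to look first; pair the CallingId values from its events with the NAS's own logs to identify the source, and remember that NPS applies no lockout of its own beyond the domain account lockout policy.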

Summary

Network Policy Server on Windows Server 2012 R2 provides centralized RADIUS authentication and authorization for VPN, wireless, and 802.1X wired access scenarios. The deployment process involves: installing the NPAS role, registering NPS in AD, adding RADIUS clients with strong shared secrets, creating Connection Request Policies to handle local vs. proxied authentication, and creating Network Policies that grant access based on AD group membership with appropriate authentication methods. Enable accounting logging for all access attempts and configure a secondary NPS server for redundancy in production environments.