How to Set Up RADIUS Authentication with NPS on Windows Server 2012 R2
Network Policy Server (NPS) is Microsoft’s implementation of a RADIUS (Remote Authentication Dial-In User Service) server and proxy, included with Windows Server 2012 R2. NPS centralizes authentication, authorization, and accounting for network access—including VPN connections, 802.1X wired and wireless connections, dial-up connections, and remote desktop gateway sessions. By centralizing these authentication decisions in NPS, you enforce consistent access policies across all network access points and integrate authentication with Active Directory, reducing the need for separate credential stores on network devices.
Prerequisites
- Windows Server 2012 R2 joined to the Active Directory domain
- Active Directory domain with user accounts and security groups
- The NPS server’s computer account must have read access to the dial-in properties of domain user accounts; this is granted by membership in the RAS and IAS Servers group, which Step 2 (registering NPS in Active Directory) sets up
- Network Access Server (NAS) devices (VPN concentrator, wireless access points, switches) that support RADIUS authentication
- Server certificate from an internal or commercial CA (required for EAP-based authentication such as PEAP-MSCHAPv2 or EAP-TLS)
Step 1: Install the NPS Role
Install-WindowsFeature NPAS -IncludeManagementTools -Restart
# NPAS = Network Policy and Access Services
# After restart, verify installation:
Get-WindowsFeature NPAS,NPAS-Policy-Server
Step 2: Register NPS in Active Directory
NPS must be registered in Active Directory to read domain user account properties (including dial-in settings). Run from the NPS server:
# Register NPS in AD (adds the NPS computer account to the RAS and IAS Servers group,
# which grants read access to user account dial-in properties)
netsh nps add registeredserver domain=corp.example.com server=NPSSERVER01
# Or use the GUI: NPS console → right-click NPS (Local) → Register Server in Active Directory
# Verify registration (requires the ActiveDirectory module from RSAT-AD-PowerShell).
# Name holds the bare computer name; SamAccountName holds the name with the trailing $
Get-ADGroupMember -Identity "RAS and IAS Servers" | Where-Object { $_.SamAccountName -eq 'NPSSERVER01$' }
Step 3: Configure NPS for RADIUS Server Mode
NPS can operate as a RADIUS server (authenticating requests directly) or as a RADIUS proxy (forwarding requests to another RADIUS server). For a direct AD authentication deployment, use RADIUS server mode:
Open the NPS console (nps.msc), expand NPS (Local), and ensure RADIUS server is selected. Configure the standard RADIUS ports if needed (default: UDP 1812 for authentication, 1813 for accounting):
# Verify NPS is listening on RADIUS ports
netsh nps show config
# Check firewall rules for NPS
Get-NetFirewallRule -DisplayName "*NPS*" | Select-Object DisplayName, Enabled, Direction
Step 4: Add RADIUS Clients
Each network device that forwards RADIUS authentication requests must be configured as a RADIUS client in NPS. Use a strong, randomly generated shared secret:
# Add a RADIUS client via the NPS PowerShell cmdlets
# Import NPS module
Import-Module NPS
# GeneratePassword lives in System.Web, which is not loaded into PowerShell by default
Add-Type -AssemblyName System.Web
# Add a VPN server as a RADIUS client (32 characters, at least 8 of them non-alphanumeric)
$sharedSecret = [System.Web.Security.Membership]::GeneratePassword(32, 8)
Write-Host "Generated shared secret: $sharedSecret" # Save this securely; the same value must be entered on the VPN gateway
New-NpsRadiusClient -Name "VPN-Gateway-01" `
-Address "10.0.1.50" `
-SharedSecret $sharedSecret `
-AuthAttributeRequired $false `
-VendorName "RADIUS Standard"
Alternatively, add clients through the GUI: NPS console → RADIUS Clients and Servers → RADIUS Clients → New.
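As an added example that is not part of the original article, the script below does the same job for a whole device inventory: it draws each shared secret from the Windows CSPRNG (no dependency on System.Web), skips clients that already exist so their secrets are not silently replaced, and stores each new secret DPAPI-encrypted so the administrator configuring the NAS can retrieve it later. The device names and addresses are a constructed inventory, C:\NPS-Secrets is an assumed path, and New-RadiusSharedSecret is my own helper, not an NPS cmdlet.

```powershell
# Added example, not code from the original article. Bulk-adds RADIUS clients with
# per-device secrets from the Windows CSPRNG and keeps each secret DPAPI-encrypted.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Printable set without quotes, backslashes or spaces, which some NAS CLIs mangle
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_.'.ToCharArray()
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    $one = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Constructed inventory (hypothetical names and addresses)
$nasDevices = @(
    @{ Name = 'VPN-Gateway-01'; Address = '10.0.1.50' },
    @{ Name = 'WLC-01';         Address = '10.0.2.10' },
    @{ Name = 'SW-CORE-01';     Address = '10.0.3.1'  }
)

$secretStore = 'C:\NPS-Secrets'   # assumed path; restrict its NTFS ACL to the NPS administrators
New-Item -ItemType Directory -Path $secretStore -Force | Out-Null
$existing = @(Get-NpsRadiusClient | ForEach-Object { $_.Name })

foreach ($nas in $nasDevices) {
    if ($existing -contains $nas.Name) {
        Write-Warning "RADIUS client $($nas.Name) already exists; leaving its secret unchanged"
        continue
    }
    $secret = New-RadiusSharedSecret -Length 32
    New-NpsRadiusClient -Name $nas.Name -Address $nas.Address -SharedSecret $secret `
        -AuthAttributeRequired $false -VendorName 'RADIUS Standard'
    # ConvertFrom-SecureString encrypts with DPAPI for the current user on this machine;
    # recover it later with ConvertTo-SecureString and PSCredential.GetNetworkCredential()
    ConvertTo-SecureString -String $secret -AsPlainText -Force |
        ConvertFrom-SecureString |
        Set-Content -Path (Join-Path $secretStore "$($nas.Name).secret")
}

# Confirm what NPS now has configured
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the NPS server. Because the secret files are DPAPI-protected for the account that ran the script, another administrator cannot read them; if several people need them, store the secrets in your password vault instead and delete the files.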
Step 5: Create a Connection Request Policy
Connection Request Policies determine whether NPS processes authentication requests locally or forwards them to another RADIUS server. For local authentication:
In the NPS console: Policies → Connection Request Policies → New
- Name: VPN-Authentication
- Specify conditions: Client IPv4 Address — set to the IP range of your VPN gateways
- Authentication: select Authenticate requests on this server
- Settings: leave EAP types as default or configure PEAP for wireless
Step 6: Create a Network Policy
Network Policies define who is allowed to connect and under what conditions. Create a policy for VPN users:
In the NPS console: Policies → Network Policies → New
- Name: VPN-Users-Allow
- Type: Remote Access Server (VPN-Dial up)
- Conditions:
- Windows Groups — add your VPN Users AD group
- Day and Time Restrictions — optionally restrict to business hours
- Access Permission: Access granted
- Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAPv2) and/or PEAP
- Constraints: Maximum session timeout — set to 480 minutes (8 hours)
# Verify policies were created
netsh nps show np
netsh nps show crp
Step 7: Configure PEAP-MSCHAPv2 with Server Certificate
PEAP (Protected Extensible Authentication Protocol) protects the MSCHAPv2 authentication exchange inside a TLS tunnel. The NPS server needs a server certificate for this:
# Request a server certificate from the internal CA
# Certificate requirements for NPS:
# - Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
# - Subject Name or SAN matching the NPS server FQDN
# - Private key exportable: not required
# Request via certreq or use autoenrollment via GPO:
# Certificate Templates → RAS and IAS Server template → enroll
# Verify the certificate is installed
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.EnhancedKeyUsageList -match "Server Authentication" }
In the NPS Network Policy, configure PEAP: Authentication Methods → PEAP → Configure → select the NPS server certificate.
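An added example (not from the original article) that checks a certificate in the computer store against the requirements listed above, and a few that PEAP clients will also enforce: Server Authentication EKU, private key present, current validity period, a Subject CN or SAN DNS name matching this server's FQDN, and a chain that validates on this server. Test-NpsServerCertificate is my own function name; the FQDN is taken from DNS for the local host.

```powershell
# Added example, not code from the original article. Reports whether each
# certificate in the computer's personal store is usable by NPS for PEAP/EAP-TLS.
function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn
    )
    $problems = @()

    # 1. Enhanced Key Usage must include Server Authentication
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
    }

    # 2. NPS needs the private key; an imported .cer without the key will not appear in the PEAP dialog
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the store' }

    # 3. Validity window, with a warning before expiry so renewal is not a surprise outage
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $problems += "not currently valid (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))"
    } elseif ($Certificate.NotAfter -lt $now.AddDays(30)) {
        $problems += "expires within 30 days ($($Certificate.NotAfter))"
    }

    # 4. Collect DNS names from the Subject CN and the SAN extension (OID 2.5.29.17)
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders e.g. "DNS Name=nps01.corp.example.com, DNS Name=nps.corp.example.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    if ($ExpectedFqdn -and ($names -notcontains $ExpectedFqdn)) {
        $problems += "neither Subject CN nor SAN contains $ExpectedFqdn (found: $($names -join ', '))"
    }

    # 5. The chain must build on this server; supplicants additionally need the issuing CA in their trust store
    if (-not $Certificate.Verify()) { $problems += 'certificate chain does not validate on this server' }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Names      = ($names -join ', ')
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Check every certificate in the computer's personal store against this host's FQDN
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Certificate $_ -ExpectedFqdn $fqdn } |
    Format-List
```

Any certificate that reports Usable = True is a candidate for the PEAP dialog; the Thumbprint column lets you pick the right one when the store holds several with similar subjects.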
Step 8: Configure NPS Accounting and Logging
NPS can log authentication events to text files, SQL Server, or Windows Event Viewer. Configure logging to the Security event log and a local text file:
# Enable local file logging. netsh nps set filelog takes a directory (NPS names the log files itself);
# run "netsh nps set filelog ?" on your server to confirm the accepted parameter names.
netsh nps set filelog directory="D:\NPS-Logs" accounting=ENABLE authentication=ENABLE periodic=ENABLE
# Verify NPS events appear in the Security log (Event ID 6272 = access granted, 6273 = access denied)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=6272 or EventID=6273]]" -MaxEvents 20 |
Select-Object TimeCreated, Id, Message
Step 9: Test RADIUS Authentication
Test NPS authentication by making a real connection from a RADIUS client and watching the resulting events on the NPS server:
# Test from a RADIUS client by attempting a VPN connection, then check NPS event log
# On NPS server, monitor authentication events:
Get-WinEvent -LogName "Security" -FilterXPath `
"*[System[EventID=6272 or EventID=6273 or EventID=6274]]" -MaxEvents 50 |
Select-Object TimeCreated, Id, Message | Format-List
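The following added example (not code from the original article) serves both Step 8 and Step 9. It reads events 6272, 6273 and 6274 from the Security log, takes each field by name from the event's XML rather than scraping the message text (names such as ClientIPAddress, NetworkPolicyName and ReasonCode are the ones NPS audit events use; confirm against your own events with Get-WinEvent ... | ForEach-Object { $_.ToXml() }), and summarises denials by reason code and by RADIUS client. That is the view you want both when validating a new policy and when looking for a burst of failed logons through one gateway. Get-NpsAuthEvent, Get-NpsFailureSummary and the 10-denial threshold are my own choices.

```powershell
# Added example, not code from the original article. Summarises NPS
# authentication outcomes from the Security log on the NPS server.

function Get-NpsAuthEvent {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $outcomes = @{ 6272 = 'granted'; 6273 = 'denied'; 6274 = 'discarded' }
    $filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Every <Data Name="..."> element of the event becomes a hashtable key
        $fields = @{}
        $xml = [xml]$_.ToXml()
        foreach ($item in $xml.Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Outcome   = $outcomes[$_.Id]
            User      = $fields['FullyQualifiedSubjectUserName']   # DOMAIN\user as NPS resolved it
            Client    = $fields['ClientName']                      # RADIUS client name from Step 4
            ClientIP  = $fields['ClientIPAddress']
            Station   = $fields['CallingStationID']                # endpoint MAC/IP reported by the NAS
            Policy    = $fields['NetworkPolicyName']               # network policy that matched, if any
            AuthType  = $fields['AuthenticationType']
            Reason    = $fields['ReasonCode']                      # present on 6273/6274 only
            ReasonTxt = $fields['Reason']
        }
    }
}

function Get-NpsFailureSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $events = @(Get-NpsAuthEvent -Hours $Hours)
    $denied = @($events | Where-Object { $_.Outcome -eq 'denied' })
    [pscustomobject]@{
        Granted      = @($events | Where-Object { $_.Outcome -eq 'granted' }).Count
        Denied       = $denied.Count
        Discarded    = @($events | Where-Object { $_.Outcome -eq 'discarded' }).Count
        # Common reason codes: 16 = credential mismatch, 48 = no network policy matched,
        # 65 = dial-in permission denied on the account, 66 = auth method not enabled on the policy
        ByReason     = @($denied | Group-Object Reason | Sort-Object Count -Descending |
                         ForEach-Object { "$($_.Name)=$($_.Count)" })
        # RADIUS clients with many denials in the window: a misconfigured NAS or policy,
        # or many accounts being tried through one gateway
        NoisyClients = @($denied | Group-Object ClientIP | Where-Object { $_.Count -ge $Threshold } |
                         ForEach-Object {
                             $users = @($_.Group.User | Select-Object -Unique).Count
                             "$($_.Name) ($($_.Count) denials, $users distinct users)"
                         })
    }
}

# Last 24 hours; flag any RADIUS client with 10 or more denials
Get-NpsFailureSummary -Hours 24 -Threshold 10 | Format-List

# Detail view for a single validation test: the most recent events with policy and reason
Get-NpsAuthEvent -Hours 1 -MaxEvents 20 | Format-Table Time, Outcome, User, Client, Policy, Reason, ReasonTxt -AutoSize
```

Run it elevated on the NPS server, since reading the Security log requires administrative rights. When a test connection is denied, the Policy and Reason columns tell you directly whether no policy matched (48), the account's dial-in setting blocked it (65), or the NAS offered an authentication method the policy does not allow (66), which is usually quicker than reading the full 6273 message.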
Windows has no built-in command-line RADIUS test client, so the practical test is a real connection from a RADIUS client followed by a check of the events above. To review and validate the complete set of policies as NPS has loaded them, right-click NPS (Local) → Export Configuration in the NPS console, or run netsh nps show config.
Summary
NPS on Windows Server 2012 R2 provides a centralized RADIUS authentication service that integrates with Active Directory to authenticate and authorize VPN users, 802.1X clients, and other network access scenarios. By registering NPS in AD, adding RADIUS clients with strong shared secrets, creating connection request and network policies with appropriate conditions, configuring PEAP for secure authentication, and enabling comprehensive logging, you have a production-ready RADIUS infrastructure. For high availability, deploy a second NPS server and configure your RADIUS clients with both servers in a failover or load-balancing configuration.