How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (2024)

RADIUS (Remote Authentication in Dial-In User Service) is a network protocol that provides centralized management of authentication, authorization, and accounting (AAA), and designed to exchange of information between a central platform and client devices. RADIUS server can communicate with a central server for example, Active Directory domain controller) to authenticate remote dial-in clients and authorize them to access specific network services or resources.

The Network Policy Server (NPS) role implements the RADIUS server function in the Windows environment and allows you to authenticate remote clients against Active Directory. In this article, we’ll show how to configure a RADIUS server on Windows Server 2022/2019/2016, and how to configure RADIUS authentication on Cisco and MikroTic network devices (RADIUS clients) under AD user accounts.

Installing Network Policy Server (RADIUS) on Windows Server

Windows Server with the NPS (RADIUS) role forwards connecting user authentication requests to Active Directory domain controller, which performs user authentication. Therefore, the presence of an on-premises Active Directory is a mandatory requirement before the start of an NPS deployment.

Now you can to install the RADIUS server role on your Windows Server 2022/2019/2016. Open the Server Manager console, run the Add Roles and Features wizard > select the Network Policy and Access Services role.

Note. Also, you can install NPS role and management tools from an elevated PowerShell console:

Install-WindowsFeature NPAS –IncludeManagementTools

Check if the NPAS role is installed on your Windows Server host:

Get-WindowsFeature -Name NPAS

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (1)

After the role installation is completed, open the Network Policy Server (nps.msc) in the Tools menu.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (2)

Right-click on a root node of the NPS console and click Register server in Active Directory.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (3)

Confirm the new NPS server registration in Active Directory.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (4)

Also, you can register your NPS server in Active Directory with a command:

netsh ras add registeredserver

The AD machine account on the NPS server is given permission to read the properties Active Directory user accounts to authenticate users. Your NPS host computer account will be added to the built-in domain group RAS and IAS Servers.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (5)

Next, create a new security group in the Active Directory domain (for example, RemoteCiscoUsers) and add all users who will be allowed to authenticate on Cisco routers and switches to this group.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (6)

The next step is to add the Radius client. Radius client is the device from which your server can receive authentication requests. This could be a Cisco router, switch, Wi-Fi access point, etc.

Expand the RADIUS Clients and Servers > RADIUS Clients, select New.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (7)

On the Settings tab, fill the fields Friendly name, client Address (you can specify IP address or DNS name), and Shared Secret + Confirm shared password (you will use this password in the configuration of the Cisco switch/router).

Note. The shared secret password is rarely used in large corporate networks due to the problems with the distribution of shared secrets. It is recommended to use certificates instead of shared passwords. If you have a corporate Certification Authority (CA) deployed to implement PKI infrastructure, you can request a *.p12 certificate for the Radius/NPS server. Just import the certificate to the personal certification store of the Local Machine.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (8)

In the Advanced tab, select Vendor name – Cisco.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (9)

You can use the PowerShell command instead of the NPS GUI to add a new RADIUS client. In this case, you can use the New-NpsRadiusClient PowerShell cmdlet:

New-NpsRadiusClient –Address "192.168.31.1" –Name "cisco2960" –SharedSecret "Zb+kp^JUy]v\ePb-h.Q*d=weya2AY?hn+npRRp[/J7d"

Note. On Windows Server Datacenter edition you can add RADIUS clients to NPS by IP address range. This allows to add a large number of RADIUS clients (such as wireless access points) rather than adding them individually. You can specify the IP range using the format 10.1.0.0/22.

By default, NPS uses the following UDP ports to send and receive RADIUS traffic: 1812, 1813, 1645, and 1646. When you install the NPS role on Windows Server, rules for these ports are automatically created and enabled in Windows Defender Firewall. You can list these Windows Firewall rules using PowerShell:

Get-NetFirewallRule -DisplayGroup "Network Policy Server"

If your RADIUS client is located in a DMZ network or an external security perimeter, you must create the appropriate firewall rules on your network firewall.

Configure NPS Policies on the RADIUS Server

NPS policies allow you to authenticate remote users and grant them access permissions configured in the NPS role. NPS access policies allow you to associate the RADIUS client to the domain security group that determines the user privileges on CISCO devices.

There are two types of policy on a RADIUS server:

  • Connection request policies — determine which RADIUS servers should authenticate and authorize connection requests received from RADIUS clients;
  • Network policies — allow you to specify who is authorized to connect to your network and a list of assigned privileges.

In our case, we will use only the NPS Network policies. Expand the Policies > Network Policies branch and select New:

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (10)

Specify the Policy name, the type of network access server should remain unchanged (Unspecified).

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (11)

In the Specify conditions step, you need to add the conditions under which this RADIUS policy will be applied. Let’s add two conditions — the authorized user must be a member of a specific domain security group, and the device you want to access has a specific name. Use the Add option to create a new condition by selecting the Windows Group type (add the RemoteCiscoUsers group) and specifying the Client Friendly Name (Cisco_*).

Note. The Client Friendly Name field may differ from the DNS name of your device. We will need it in the further steps to identify a specific network device when creating a Remote Access Policy. For example, you can use this name to specify a mask through which several different RADIUS clients are processed by a single access policy.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (12)

On the next screen, select Access Granted.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (13)

My Cisco switch only supports Unencrypted authentication methods (PAP, SPAP), so I’ve disabled all other options.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (14)

Skip the next configuration Constraints step.

In the Configure Settings section, go to the RADIUS Attributes > Standard section. Delete the existing attributes there and click the Add button.

Select Access type > All, then Service-Type > Add. Specify Others = Login.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (15)

Now add a new attribute in the RADIUS Attributes > Vendor Specific section. Under Vendor, select Cisco, and click Add. Here you need to add information about the attribute. Click Add and specify the following value:

shell: priv-lvl = 15

This value means that the user authorized by this policy will be granted a maximum (15) administrative access privileges on the Cisco device.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (16)

The last screen displays all selected NPS policy settings. Click Finish.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (17)

If you have created several network policies in the NPS console, please note that they are processed from top to bottom, so the order of the policies is important. Further processing will stop if all conditions in the next policy are met. You can change the priority of policies in the NPS console using the Processing Order value.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (18)

By default, all AD accounts can be used to authenticate using RADIUS. You can check this using the Active Directory Users and Computers snap-in (dsa.msc). Open any user properties, go to the Dial-In tab, and check that the Control access through NPS Network Policy option in enabled in the Network Access Permission section.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (19)

Or you can reset msNPAllowDialin attribute for all users in the specific Active Directory OUusing the LDAP filter:

Get-ADUser -SearchBase "ou=Users,ou=Paris,dc=theitbros,dc=com" -LDAPFilter "(msNPAllowDialin=*)" | % {Set-ADUser $_ -Clear msNPAllowDialin}

Configuring RADIUS Authentication on Cisco Devices

Once you have created the NFS policy, you can proceed to configure your Cisco routers or switches for authentication on the newly installed RADUIS server.

As it is insecure to send unencrypted user credentials over the network, you should disable the Telnet protocol on your Cisco devices. To disable Telnet and enable SSH, use the following commands in Configuration Mode on the Cisco device:

configure terminalcrypto key generate rsa modulus 1024ip ssh version 2

You should create a local user on your Cisco device to avoid losing access to it if the RADIUS server or AD is unavailable. Create a local user with the following command:

username cisco_local password $UPerrP@ssw0rd

To make the use of SSH mandatory and disable remote access using Telnet, execute the following commands:

line vty 5 15transport input ssh

Below is an example of the configuration for authorizing a Radius server for the Cisco Catalyst Switch:

aaa new-modelaaa authentication login default group radius localaaa authorization exec default group radius if-authenticatedradius-server host 192.168.1.16 key Sfs34e#sf#Specify your RADIUS server IP address and key for encryption (the shared secret that we specified on the RADIUS server)service password-encryption# Enable password encryption

If you have several Radius servers, add them to the group:

aaa group server radius radius_srv_groupserver 192.168.1.16server 192.168.101.16

This completes the minimum switch configuration and you can try to check Radius authentication on your Cisco device.

How to Enable MikroTik (RouterOS) User Authentication via RADIUS

In this part, we will show you how to configure RADIUS authentication for VPN user connections on a MikroTik router (RouterOS based).

Open the Network Policy Server console (nps.msc) and create a new Radius client.

Select New RADIUS Client and configure the following settings:

  • Enable this RADIUS Client;
  • Friendly Name — enter the name of your MikroTik router;
  • Address — specific the IP address of the MikroTik router;
  • Specify your Pre-shared secret key.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (20)

Create a new Network Policy with the following settings:

  • User Groups — specify the name of the domain user group that is allowed to authenticate on your MikroTik router;
  • Authentication Type — MS-CHAPv2;
  • Tunnel Type — Point-to-Point Tunneling Protocol (PPTP);
  • Access Permissions — Access granted;
  • In the Configure Authentication Methods window, leave only MS-CHAPv2 and allow users to change expired passwords (User can change password after it has expired option);
  • Multilink and Bandwidth Allocation Protocol (BAP) – Do not allow Multilink connections;
  • In the Standard section, remove Service-Type – Framed and leave only Framed-Protocol PPP;
  • Encryptions — leave only the strongest encryption (MPP 128-bit) method.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (21)

Once you have created a new policy, open the Network Policy Server settings.

Leave only the following UDP ports for the RADIUS server communications:

  • Authentication — 1812;
  • Accounting — 1813.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (22)

Check if these UDP ports are open in Microsoft Defender Firewall Rules. If not, open them manually.

Now you need to configure the connection settings for Windows Server RADIUS in the MikroTik configuration (we assume that PPP VPN Server is already configured on RouterOS).

Check in the PPTP server settings that only mschap2 is allowed to use for authentication.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (23)

Now we need to configure the connection to Radius NPS server. Select New Radius Server and specify the following options:

  • Service: ppp;
  • Address: IP address of the RADIUS server;
  • Secret: pre-shared key that you specified in the network policy settings;
  • Src/ Address: MikroTik IP address from which traffic will be sent to NPS;
  • Authentication Port: 1812;
  • Accounting Port: 1813.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (24)

Add appropriate access rules to MikroTik Firewall.

Then go to Secrets > PPP Authentication and Accounting and enable the Use Radius option.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (25)

It remains to configure a PPTP VPN connection to your MikroTik VPN on users’ computers. Users can use their Active Directory account credentials to authenticate against Mikrotik (accounts must be added to the AD group that you have specified when creating the MiktoTik Network Policy on NPS).

How to View the NPS/RADIUS Event Logs on Windows?

To enable NPS Server Radius Authentication logging, you need to enable the Network Policy Server audit policy via the local Group Policy Editor (gpedit.msc). Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Network Policy Server and check the option to audit both success and failure logon attempts.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (26)

Or you can enable this NPS audit policy with the following commands:

auditpol /get /subcategory:"Network Policy Server"auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (27)

Now you can open the Event Viewer console (eventvwr.msc), go to the Windows Logs > Security, and filter the event by the Event ID 6272.

Network Policy Server granted access to a user.

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (28)

If the user has entered an incorrect password or is not authorized to log on through the RADIUS Client, Event ID 6272 is displayed:

Network Policy Server denied access to a user.

If the user has entered an incorrect user name and password, an event will be displayed in the Event Viewer:

Authentication failed due to a user credentials mismatch

If the user is not a member of the correct security group, or if Network Access Permission= Deny is set in the AD user properties on the Dial-in tab, the following event will occur:

The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the use

If a user enters an incorrect password multiple times, their account will be locked out in accordance with your Account Lockout Policy in AD.

Event ID: 6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

If you need to find all NPS authorizations events for the specific user (Richard.Doe in this example), use the next PowerShell script:

$Query = @"<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name='SubjectUserName'] and (Data=theitbros\richard.doe')]] and*[System[(EventID='6272')]]</Select></Query></QueryList>"@$events = Get-WinEvent -FilterXML $Query$ipaddr = @{ label="IP"; Expression={$_.properties[9].value} }$events | select $ipaddr | group "IP" | format-table Count, Name -autosize

Windows Server

How to Configure RADIUS (NPS) Server on Windows Server – TheITBros (2024)

FAQs

What is the difference between NPS and RADIUS server? ›

Network Policy Server (NPS) is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server. NPS provides centralized authentication, authorization, and accounting (AAA) capabilities to your network.

How to configure RADIUS server in Windows Server? ›

How To Set Up Windows RADIUS with NPS
  1. Set up a Security Group. In the Active Directory domain, create a security group. ...
  2. Add Network Policy and Access Services Role. The Server Manager console contains the Add Roles and Features wizard. ...
  3. Snap-In NPS to AD. ...
  4. Add RADIUS Client to NPS.

Does Windows have a RADIUS server? ›

Many applications still rely on the RADIUS protocol to authenticate users. Microsoft Windows Server has a role called the Network Policy Server (NPS), which can act as a RADIUS server and support RADIUS authentication. Microsoft Entra ID enables multifactor authentication with RADIUS-based systems.

How do I add NPS to Windows Server? ›

To install NPS by using Server Manager
  1. On NPS1, in Server Manager, click Manage, and then click Add Roles and Features. ...
  2. In Before You Begin, click Next. ...
  3. In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.
Mar 3, 2021

What port does Windows NPS use for RADIUS? ›

By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646.

Can you have two NPS servers? ›

To provide fault tolerance for RADIUS-based authentication and accounting, use at least two NPSs. One NPS is used as the primary RADIUS server and the other is used as a backup. Each RADIUS client is then configured on both NPSs.

How to check if RADIUS server is working? ›

Create a test RADIUS client
  1. Login to the Security Console and navigate to RADIUS > RADIUS Client > Add New.
  2. Enter information to register your local machine as a RADIUS client. Enter a client name and the IP address of your machine. Leave the make/model as - Standard RADIUS -

Should a RADIUS server be a domain controller? ›

Yes, it is considered a good practice to install Network Policy Server (NPS) as a RADIUS server on all of your domain controllers to effectively balance the load of traffic.

What is the Microsoft implementation of a RADIUS server? ›

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy.

Is NPS the same as RADIUS? ›

NPS as both RADIUS server and RADIUS proxy.

In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain.

What is the most used RADIUS server? ›

Fast, feature-rich, modular, and scalable. FreeRADIUS is the most widely used RADIUS server in the world. It powers most major Internet Service Providers and Telecommunications companies world-wide and is one of the key technologies behind eduroam, the international Wi-Fi education roaming service.

Does NPS need to be on a domain controller? ›

To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.

How to check RADIUS logs in Windows Server? ›

RADIUS logs are helpful when troubleshooting. The location of these logs varies by platform: Windows: C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs.

How to set up NPS? ›

Here are the steps for NSDL NPS registration.
  1. Step 1: Locate your nearest PoP.
  2. Step 2: Visit the PoP and fill up the application form.
  3. Step 3: Fulfill the KYC norms by submitting all the relevant documents.
  4. Step 4: You will have to pay a minimum of Rs 500 for a Tier I account.
  5. Step 5: Submit the application form.
May 20, 2024

What is alternative to NPS server? ›

The best overall RADIUS Server - Wireless Authentication NPS on Windows 2019 alternative is Coro Cybersecurity. Other similar apps like RADIUS Server - Wireless Authentication NPS on Windows 2019 are NordLayer, Genea Security, Citrix Gateway, and McAfee NAC.

What is the difference between RADIUS server and network access server? ›

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication.

What is a RADIUS server for access point? ›

A RADIUS server provides user-based authentication to improve security and control wireless device access. The access point can authenticate users before they can gain access to the network. You can set a primary and a secondary RADIUS server for each wireless frequency.

What is the purpose of a RADIUS server? ›

A RADIUS server is a central server that provides authentication and authorization services for remote users who access a network. It receives authentication requests from RADIUS clients, such as routers, firewalls, or VPNs, verifies the credentials of the user, and returns an authorization decision to the client.

References

Top Articles
Latest Posts
Article information

Author: Msgr. Refugio Daniel

Last Updated:

Views: 5737

Rating: 4.3 / 5 (54 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Msgr. Refugio Daniel

Birthday: 1999-09-15

Address: 8416 Beatty Center, Derekfort, VA 72092-0500

Phone: +6838967160603

Job: Mining Executive

Hobby: Woodworking, Knitting, Fishing, Coffee roasting, Kayaking, Horseback riding, Kite flying

Introduction: My name is Msgr. Refugio Daniel, I am a fine, precious, encouraging, calm, glamorous, vivacious, friendly person who loves writing and wants to share my knowledge and understanding with you.