RADIUS server on Active Directory

blog.payperitem.com, April 7, 2025

To configure a RADIUS server on Active Directory, you typically use Network Policy Server (NPS), which is Microsoft’s implementation of a RADIUS server and proxy. It integrates tightly with Active Directory to provide authentication, authorization, and accounting (AAA) for network access requests (e.g., VPN, Wi-Fi, 802.1X switch ports).

Here’s a full guide to get you up and running on a Windows Server domain controller or member server.


✅ Prerequisites

  • Windows Server (2012 or later recommended)
  • Server is domain-joined
  • Active Directory set up
  • Devices (e.g., Wi-Fi AP, VPN) that support RADIUS

🔧 Step-by-Step: Configure RADIUS (NPS) with Active Directory

1. Install NPS Role

  • Open Server Manager → Add Roles and Features
  • Role-based → Select server → Network Policy and Access Services
  • Under Role Services, check Network Policy Server
  • Finish the wizard and install

2. Register NPS in Active Directory

  • Open NPS console (nps.msc)
  • In the left pane, right-click NPS (Local) → Register server in Active Directory
  • Confirm registration (this allows NPS to read user/computer info from AD)

3. Add RADIUS Clients

  • In NPS → Expand RADIUS Clients and Servers → RADIUS Clients
  • Right-click → New
    • Friendly name: AP1, VPN-Gateway, etc.
    • IP address or DNS name of the RADIUS client
    • Shared Secret: Must match what’s configured on the client device

4. Configure Connection Request Policies (Optional)

  • Usually optional unless you’re proxying RADIUS requests
  • Found under Policies > Connection Request Policies

5. Configure Network Policies

  • Go to Policies > Network Policies
  • Right-click → New
  • Name it (e.g., WiFi Auth)
  • Conditions:
    • Add Windows Groups → Specify AD groups (e.g., VPN Users, WiFiUsers)
    • Add NAS Port Type if filtering by connection type (e.g., Wireless – 802.11)
  • Grant Access
  • Authentication methods:
    • For Wi-Fi: use PEAP (MS-CHAP v2), disable PAP
    • Add a valid server certificate for PEAP
  • Constraints and settings: Customize as needed (Idle timeout, encryption, etc.)

6. Configure Client Device (e.g., Wi-Fi AP)

  • Set RADIUS Server IP to your NPS server
  • Port: 1812 (auth) / 1813 (accounting) by default
  • Use the same Shared Secret
  • Set authentication to WPA2-Enterprise with RADIUS
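
Steps 1 to 3 can also be scripted. The following is an added example, not the post's own script: it installs the role, registers the server in AD, and creates one RADIUS client per device with its own randomly generated shared secret. The 192.0.2.x addresses are constructed placeholders, the 32-byte secret length is an assumption (check what your devices accept), and the network policy from step 5 is still created in the NPS console.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's script. Client names come from step 3;
# the 192.0.2.x addresses are constructed placeholders.

function New-RadiusSharedSecret {
    # Random bytes from the OS CSPRNG, hex-encoded (32 bytes -> 64 characters).
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    -join ($buf | ForEach-Object { $_.ToString('x2') })
}

# Step 1: install the NPS role service and the NPS console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# Step 2: register this server in its default domain so NPS can read
# user and computer dial-in properties from AD.
netsh nps add registeredserver
if ($LASTEXITCODE -ne 0) { throw "NPS registration in AD failed (exit $LASTEXITCODE)" }

# Step 3: one RADIUS client per device, each with a unique secret, so a
# secret recovered from one device does not expose the others.
$clients = @(
    @{ Name = 'AP1';         Address = '192.0.2.10' },
    @{ Name = 'VPN-Gateway'; Address = '192.0.2.20' }
)
foreach ($c in $clients) {
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $c.Name }) {
        Write-Warning "RADIUS client '$($c.Name)' already exists; skipping."
        continue
    }
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret | Out-Null
    # Emitted once so the same value can be entered on the device in step 6.
    [pscustomobject]@{ Client = $c.Name; Address = $c.Address; SharedSecret = $secret }
}
```

Send the output straight to your password vault rather than to a transcript or log file, since it contains the secrets in clear text.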

🔒 Security Tips

  • Use strong shared secrets
  • Use certificates for PEAP (check auto-enrollment via AD if needed)
  • Optionally install NPS on a dedicated RADIUS server, not on DCs

📊 Optional: Enable Accounting

  • Configure RADIUS Accounting if you want logs of who logged in, when, etc.
  • Under RADIUS Accounting > New
  • Log to local file or forward to SIEM/SQL

🛠️ Troubleshooting

  • Use Event Viewer > Custom Views > Server Roles > Network Policy and Access Services for logs
  • Use Wireshark to see RADIUS traffic
  • Verify time sync between devices (important for EAP)
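
The same NPS events can be read from PowerShell. This added example (not part of the original post) summarizes denied requests, Security log event ID 6273, by RADIUS client and reason code, which quickly separates a shared-secret or policy mismatch on one device from repeated failed logons against one account. It assumes auditing of the "Network Policy Server" subcategory is enabled, and the EventData field names used are assumptions to confirm against the XML view of an event on your server.

```powershell
#Requires -RunAsAdministrator
# Added example. Event ID 6273 = "Network Policy Server denied access to a user".
function Get-NpsDenialSummary {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Turn the event's named <Data> elements into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $d['SubjectUserName']   # assumed field name
            Client     = $d['ClientName']        # assumed field name
            ReasonCode = $d['ReasonCode']        # assumed field name
        }
    }

    # One line per (client, reason): how often, which accounts, most recent hit.
    $rows | Group-Object Client, ReasonCode | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count      = $_.Count
            Client     = $_.Group[0].Client
            ReasonCode = $_.Group[0].ReasonCode
            Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
            LastSeen   = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
}

Get-NpsDenialSummary -Hours 24 | Format-Table -AutoSize
```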