Configuring a Windows RADIUS Server (typically via NPS – Network Policy Server) in a deep and secure way involves more than just installing the role and creating a basic policy. You’ll want to cover advanced aspects like:
🔧 1. NPS (RADIUS) Server Installation and Registration
- Install NPS Role: powershellCopyEdit
Install-WindowsFeature NPAS -IncludeManagementTools - Register with Active Directory: powershellCopyEdit
netsh ras add registeredserverThis allows NPS to read user account information.
🔐 2. Secure RADIUS with Certificates (EAP-TLS)
- Use PEAP or EAP-TLS for wireless or VPN authentication.
- NPS certificate should be issued from a trusted internal CA:
- Open mmc.exe → Add Certificates (Local Computer) → Request certificate with Server Authentication EKU.
- Bind it under:
NPS → Policies → Network Policies → Constraints → Authentication Methods → EAP → Properties → Select certificate
🔄 3. Define RADIUS Clients (Switches, WAPs, VPNs)
- Go to
NPS → RADIUS Clients and Servers → RADIUS Clients - For each device:
- Friendly Name
- IP or DNS
- Shared Secret (Use a strong, unique one per device. Rotate regularly.)
- Consider using templates if managing many.
📜 4. Create Connection Request Policies
- Controls who can send requests to this server.
- Set conditions like:
- NAS IP
- NAS Port Type
- Time of Day
- Forward to another RADIUS if needed (proxy mode)
📋 5. Create Network Policies
This defines who is allowed, with what conditions, and with what restrictions.
Key Conditions:
- User Group (from AD)
- NAS Port Type (e.g., Wireless, Ethernet, VPN)
- Windows Group Membership
- Time constraints
Constraints:
- Authentication methods (e.g., PEAP/MSCHAPv2, EAP-TLS)
- Idle Timeout
- Session Timeout
- Called Station ID/Calling Station ID filters
Settings:
- RADIUS Attributes:
- Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for VLAN assignment
- Filter-Id for downloadable ACLs (if supported by NAS)
- Vendor-Specific Attributes (VSA) for Cisco, Aruba, etc.
🛠️ 6. Advanced Tuning
Logging:
- Enable Accounting and log to:
- Local SQL Server
- Remote SQL Server
- Text Files (careful with privacy/data handling)
Load Balancing:
- Deploy NPS in redundant mode (multiple NPS servers)
- Use RADIUS proxy or network devices with multiple RADIUS target options
Health Monitoring:
- Use Event ID 6272 (Successful) and 6273 (Failed) for diagnostics
- Export logs to SIEM (Splunk, Sentinel, etc.)
📊 7. High-Security Practices
- Require EAP-TLS with client certificates (no passwords)
- Issue short-lived certs via Intune or Auto-enrollment
- Disable MSCHAPv2 if not needed
- Use Network Device Enrollment Service (NDES) for non-domain devices
- Rotate shared secrets on RADIUS clients quarterly
🧠 Optional: PowerShell Automation
You can script some aspects of configuration, for example:
powershellNew-NpsRadiusClient -Name "Cisco-Switch1" `
-Address "10.1.1.10" `
-SharedSecret "SuperSecret123" `
-VendorName "Cisco" `
-State "Enabled"