Configure Radius Server

blog.payperitem.com, April 11, 2025

Configuring a Windows RADIUS server (typically via NPS, the Network Policy Server role) securely involves more than installing the role and creating a basic policy. You’ll want to cover advanced aspects like:

🔧 1. NPS (RADIUS) Server Installation and Registration

  • Install the NPS role:
    Install-WindowsFeature NPAS -IncludeManagementTools
  • Register NPS with Active Directory:
    netsh ras add registeredserver
    This allows NPS to read user account information from AD.

🔐 2. Secure RADIUS with Certificates (EAP-TLS)

  • Use PEAP or EAP-TLS for wireless or VPN authentication.
  • The NPS server certificate should be issued by a trusted internal CA:
    • Open mmc.exe → Add Certificates (Local Computer) → Request certificate with Server Authentication EKU.
    • Bind it under:
      NPS → Policies → Network Policies → Constraints → Authentication Methods → EAP → Properties → Select certificate
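Before binding a certificate in the EAP properties it is worth checking that the one you intend to use actually meets the requirements above. The following script is an added example, not code from the original post: it walks the computer’s Personal store and flags certificates that lack the Server Authentication EKU, have no private key, are close to expiry, are self-signed, or were not issued by the internal CA. The issuer pattern is a placeholder you must replace with your own CA’s subject.

```powershell
# Added example (not from the original post): find certificates in the local
# computer store that NPS can use for PEAP/EAP-TLS, and flag the common problems.
# $TrustedIssuerPattern is a placeholder: set it to your internal issuing CA's subject.
$ServerAuthEku        = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU OID
$TrustedIssuerPattern = 'CN=Contoso-Issuing-CA'  # placeholder (assumption)

function Test-NpsEapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains $ServerAuthEku)            { $problems += 'missing Server Authentication EKU' }
    if (-not $Cert.HasPrivateKey)                     { $problems += 'no private key (NPS cannot use it)' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30))    { $problems += "expires $($Cert.NotAfter.ToShortDateString())" }
    if ($Cert.Subject -eq $Cert.Issuer)               { $problems += 'self-signed; supplicants will not trust it' }
    if ($Cert.Issuer -notmatch $TrustedIssuerPattern) { $problems += "issuer is not the internal CA ($($Cert.Issuer))" }
    # Supplicants validate the server name against the SAN; warn when it is absent.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san)                                    { $problems += 'no Subject Alternative Name extension' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Evaluate every certificate in the computer's Personal store and list usable ones first.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsEapCertificate -Cert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Usable, Subject, Issuer, NotAfter, Problems -AutoSize
```

Run it on the NPS server itself; a certificate that shows `Usable = True` is the one to select in the EAP properties. The 30-day expiry window is an arbitrary choice; shorten or lengthen it to match your renewal cadence.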

🔄 3. Define RADIUS Clients (Switches, WAPs, VPNs)

  • Go to NPS → RADIUS Clients and Servers → RADIUS Clients
  • For each device:
    • Friendly Name
    • IP or DNS
    • Shared Secret (Use a strong, unique one per device. Rotate regularly.)
    • Consider RADIUS client templates when managing many devices.

📜 4. Create Connection Request Policies

  • Controls who can send requests to this server.
  • Set conditions like:
    • NAS IP
    • NAS Port Type
    • Time of Day
  • Forward to another RADIUS server if needed (proxy mode)

📋 5. Create Network Policies

This defines who is allowed, with what conditions, and with what restrictions.

Key Conditions:

  • User Group (from AD)
  • NAS Port Type (e.g., Wireless, Ethernet, VPN)
  • Windows Group Membership
  • Time constraints

Constraints:

  • Authentication methods (e.g., PEAP/MSCHAPv2, EAP-TLS)
  • Idle Timeout
  • Session Timeout
  • Called Station ID/Calling Station ID filters

Settings:

  • RADIUS Attributes:
    • Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for VLAN assignment
    • Filter-Id for downloadable ACLs (if supported by NAS)
    • Vendor-Specific Attributes (VSA) for Cisco, Aruba, etc.

🛠️ 6. Advanced Tuning

Logging:

  • Enable Accounting and log to:
    • Local SQL Server
    • Remote SQL Server
    • Text Files (careful with privacy/data handling)

Load Balancing:

  • Deploy NPS in redundant mode (multiple NPS servers)
  • Use RADIUS proxy or network devices with multiple RADIUS target options

Health Monitoring:

  • Use Security log Event ID 6272 (access granted) and 6273 (access denied) for diagnostics
  • Export logs to SIEM (Splunk, Sentinel, etc.)
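Even with a SIEM in place, a quick local summary of 6273 events is useful when troubleshooting or when you suspect password guessing against a NAS. The script below is an added example, not code from the original post. It reads denied-access events from the Security log, groups them by reason code, and lists users or RADIUS clients that exceed a failure threshold. The EventData field names used (SubjectUserName, ClientIPAddress, CallingStationID, ReasonCode, Reason) follow the 6273 event schema but should be confirmed against a sample event on your server; the sample events at the end are constructed so the grouping logic can be tried without a live log.

```powershell
# Added example (not from the original post): summarise NPS access-denied events
# (Event ID 6273) and flag accounts or NAS clients with many failures.
# EventData field names are taken from the 6273 schema; verify them on your server.

function Get-NpsFailedAuthEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $d['SubjectUserName']
                ClientIP   = $d['ClientIPAddress']     # RADIUS client (NAS) that forwarded the request
                CallingID  = $d['CallingStationID']    # usually the supplicant's MAC address
                ReasonCode = $d['ReasonCode']
                Reason     = $d['Reason']
            }
        }
}

function Get-NpsFailureSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10   # failures per user or per NAS client that warrant a look
    )
    $byReason = $Events | Group-Object ReasonCode | Sort-Object Count -Descending |
        Select-Object @{n='ReasonCode';e={$_.Name}}, Count, @{n='Reason';e={$_.Group[0].Reason}}
    $hotUsers = $Events | Group-Object User | Where-Object Count -ge $Threshold |
        Select-Object @{n='User';e={$_.Name}}, Count
    $hotClients = $Events | Group-Object ClientIP | Where-Object Count -ge $Threshold |
        Select-Object @{n='ClientIP';e={$_.Name}}, Count
    [pscustomobject]@{ ByReason = $byReason; HotUsers = $hotUsers; HotClients = $hotClients }
}

# Constructed sample events (not real log data) so the summary runs without a live Security log:
# twelve credential-mismatch failures for one user, plus one policy-mismatch failure.
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date); User = 'CONTOSO\jdoe'; ClientIP = '10.1.1.10'
                       CallingID = 'AA-BB-CC-00-11-22'; ReasonCode = '16'
                       Reason = 'Authentication failed due to a user credentials mismatch.' }
}
$sample += [pscustomobject]@{ Time = (Get-Date); User = 'CONTOSO\asmith'; ClientIP = '10.1.1.11'
                              CallingID = 'AA-BB-CC-00-11-33'; ReasonCode = '48'
                              Reason = 'The connection request did not match any configured network policy.' }

$summary = Get-NpsFailureSummary -Events $sample -Threshold 10
$summary.ByReason   | Format-Table -AutoSize
$summary.HotUsers   | Format-Table -AutoSize   # lists CONTOSO\jdoe (12 failures)
$summary.HotClients | Format-Table -AutoSize   # lists 10.1.1.10 (12 failures)

# On the NPS server, use live events instead of the constructed sample:
# $summary = Get-NpsFailureSummary -Events (Get-NpsFailedAuthEvents -Since (Get-Date).AddHours(-1))
```

Reason code 16 (credentials mismatch) concentrated on a single account or a single NAS is the pattern worth alerting on; reason code 48 (no matching network policy) usually points at a misconfigured policy rather than an attack. The same grouping translates directly into a SIEM query once the events are exported.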

📊 7. High-Security Practices

  • Require EAP-TLS with client certificates (no passwords)
  • Issue short-lived certs via Intune or Auto-enrollment
  • Disable MSCHAPv2 if not needed
  • Use Network Device Enrollment Service (NDES) for non-domain devices
  • Rotate shared secrets on RADIUS clients quarterly

🧠 Optional: PowerShell Automation

You can script some aspects of configuration, for example:

```powershell
# -Enabled takes a boolean in the NPS module; the shared secret below is a
# placeholder and should be replaced with a long, randomly generated value.
New-NpsRadiusClient -Name "Cisco-Switch1" `
    -Address "10.1.1.10" `
    -SharedSecret "SuperSecret123" `
    -VendorName "Cisco" `
    -Enabled $true
```
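Section 3 asks for a strong, unique secret per device and section 7 for quarterly rotation; doing that by hand for dozens of switches and access points is error-prone. The script below is an added example, not code from the original post: it generates secrets from the OS CSPRNG without modulo bias, creates each client from an inline inventory, and provides a rotation function that reuses the same generator. The device names and addresses are constructed placeholders, and the cmdlets assumed are New-NpsRadiusClient, Set-NpsRadiusClient and Get-NpsRadiusClient from the NPS module on the server.

```powershell
# Added example (not from the original post): provision RADIUS clients with a unique
# random shared secret each, and rotate those secrets later. Device inventory is
# constructed; requires the NPS PowerShell module on the NPS server.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Alphanumerics plus a few symbols that most NAS vendors accept in a secret.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@_')
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit to avoid modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Constructed device inventory; in practice read this from a CSV or CMDB export.
$devices = @(
    [pscustomobject]@{ Name = 'Cisco-Switch1'; Address = '10.1.1.10'; Vendor = 'Cisco' },
    [pscustomobject]@{ Name = 'Aruba-WAP1';    Address = '10.1.2.20'; Vendor = 'RADIUS Standard' }
)

function Add-RadiusClients {
    param([Parameter(Mandatory)][object[]]$Devices)
    foreach ($d in $Devices) {
        $secret = New-RadiusSharedSecret
        New-NpsRadiusClient -Name $d.Name -Address $d.Address -SharedSecret $secret `
                            -VendorName $d.Vendor -Enabled $true | Out-Null
        # Return the secret so it can be placed in a vault and configured on the device;
        # do not write it to a transcript or log.
        [pscustomobject]@{ Name = $d.Name; Address = $d.Address; SharedSecret = $secret }
    }
}

function Update-RadiusClientSecrets {
    # Rotation: issue a fresh secret to every client (or the named subset). Apply the new
    # value on the NAS at the same time, or that device will fail authentication.
    param([string[]]$Names = (Get-NpsRadiusClient | ForEach-Object { $_.Name }))
    foreach ($n in $Names) {
        $secret = New-RadiusSharedSecret
        Set-NpsRadiusClient -Name $n -SharedSecret $secret
        [pscustomobject]@{ Name = $n; SharedSecret = $secret }
    }
}

# Initial provisioning (store the returned secrets in your password vault):
# Add-RadiusClients -Devices $devices
# Quarterly rotation of every client:
# Update-RadiusClientSecrets
```

Keep the secret length within what the oldest NAS in the fleet accepts (some devices cap it well below NPS’s limit) and pair the rotation with a change window, because RADIUS has no mechanism for overlapping old and new secrets on the same client entry.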