RADIUS server on Active Directory

blog.payperitem.com,

To configure a RADIUS server on Active Directory, you typically use Network Policy Server (NPS), which is Microsoft’s implementation of a RADIUS server and proxy. It integrates tightly with Active Directory to authenticate, authorize, and account (AAA) for network access requests (e.g., VPN, Wi-Fi, 802.1X switch ports, etc.).

Here’s a full guide to get you up and running on a Windows Server domain controller or member server.

✅ Prerequisites

  • Windows Server (2012 or later recommended)
  • Server is domain-joined
  • Active Directory set up
  • Devices (e.g., Wi-Fi AP, VPN, etc.) that support RADIUS

🔧 Step-by-Step: Configure RADIUS (NPS) with Active Directory

1. Install NPS Role

  • Open Server ManagerAdd Roles and Features
  • Role-based → Select server → Network Policy and Access Services
  • Under Role Services, check Network Policy Server
  • Finish the wizard and install

2. Register NPS in Active Directory

  • Open NPS console (nps.msc)
  • In the left pane, right-click NPS (Local)Register server in Active Directory
  • Confirm registration (this allows NPS to read user/computer info from AD)

3. Add RADIUS Clients

  • In NPS → Expand RADIUS Clients and ServersRADIUS Clients
  • Right-click → New
    • Friendly name: AP1, VPN-Gateway, etc.
    • IP address or DNS name of the RADIUS client
    • Shared Secret: Must match what’s configured on the client device

4. Configure Connection Request Policies (Optional)

  • Usually optional unless you’re proxying RADIUS requests
  • Found under Policies > Connection Request Policies

5. Configure Network Policies

  • Go to Policies > Network Policies
  • Right-click → New
  • Name it (e.g., WiFi Auth)
  • Conditions:
    • Add Windows Groups → Specify AD groups (e.g., VPN Users, WiFiUsers)
    • Add NAS Port Type if filtering by connection type (e.g., Wireless – 802.11)
  • Grant Access
  • Authentication methods:
    • For Wi-Fi: use PEAP (MS-CHAP v2), disable PAP
    • Add a valid server certificate for PEAP
  • Constraints and settings: Customize as needed (Idle timeout, encryption, etc.)

6. Configure Client Device (e.g., Wi-Fi AP)

  • Set RADIUS Server IP to your NPS server
  • Port: 1812 (auth) / 1813 (accounting) by default
  • Use the same Shared Secret
  • Set authentication to WPA2-Enterprise with RADIUS

🔒 Security Tips

  • Use strong shared secrets
  • Use certificates for PEAP (check auto-enrollment via AD if needed)
  • Optionally install NPS on a dedicated RADIUS server, not on DCs

📊 Optional: Enable Accounting

  • Configure RADIUS Accounting if you want logs of who logged in, when, etc.
  • Under RADIUS Accounting > New
  • Log to local file or forward to SIEM/SQL

🛠️ Troubleshooting

  • Use Event Viewer > Custom Views > Server Roles > Network Policy and Access Services for logs
  • Use Wireshark to see RADIUS traffic
  • Verify time sync between devices (important for EAP)
Download ScriptDownload

Active Directory Cloud OpenSource Server 2025 Windows

Related Posts

Download Professional Windows Desktop and Server Hardening PDF

​”Professional Windows Desktop and Server Hardening” is a comprehensive guide that offers practical advice on enhancing the security of Microsoft Windows desktops and servers. The book emphasizes configuring default security settings before deploying additional security products, providing readers with a solid foundation in understanding significant security threats and implementing effective…

Read More

Transfer & SEIZE FSMO Roles

Transferring and seizing FSMO (Flexible Single Master Operations) roles are critical tasks in Active Directory (AD) management. Here’s how to transfer and seize FSMO roles using both GUI and PowerShell/NTDSUTIL, depending on the situation. 🔁 FSMO Roles Overview There are 5 FSMO roles: ✅ Transfer FSMO Roles (Graceful Method) Use…

Read More

Leave a Reply