Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide


Step1: Prepare AAA Environment

  • Windows Server 2008 SP2 or Windows Server 2008 R2
  • Active Directory Domain Services
  • Active Directory Certificate Services
  • DHCP
  • Radius i.e. NPS must be a member of domain
  • Computer certificate installed in Radius Server
  • Windows 7, Windows XP or Mac OSX 10.5.8 Client
  • Cisco Wireless Access Point

Step2: Installation

Start menu>Administrative Tools>Server manager>Roles>Add Roles

 1 2 3 4 5 6 7 8 9

Step3: Setup Clients

Administrative Tools>Network Policy Server>Radius Client>Right Click>New Radius Client

 10 11

Radius Secret mentioned here must be same in Cisco Wireless Access Point. You must verify connection by clicking verify.

Step4: Setup Policy

Network Policy Server>Policies>network Policies>Right Click>New

  13 14

This is highly important part of entire config. Based on your need, you have to choose desire config type among all.

VPN Tunnel Type:L2TP

NASPort Type: VPN or Wireless

EAP Type: EAP-TLS, MSChap v2 or PEAP

AD Group: Wireless User Group or VPN User Group

15 16 17 18 19 20

Here, you can choose one or both depending on your infrastructure. I have shown both VPN and Wireless Client.

 21 22 23 24

Here, I am showing both EAP type for this article. But you have to choose only one again depending on your infrastructure.

25 26 27 28

Smart card or Certificate is the best option. For Windows 7 and XP, only certificates will work smooth as silk. However, if you have Macintosh Client then you have choose Certificate and PEAP.

 29 30

If you want VPN client to authenticate via Radius i.e. NPS then select Tunnel type.

31 32 33 34 35 36 37 38 39

Here, I explained  standard Radius config. I would recommend following for two different situations:

  • L2TP, Certificate and EAP for VPN Client
  • Certificate, PEAP and MSChap v2 for Wireless Client.

You can have more then one policy in NPS. A single server can be used to authenticate both VPN and Wireless Client. For some weird reason, my Macintosh client did not work with only user and machine certificate. Apple support advised me to use user cert and Radius shared secret instead. But for Windows 7 and XP client, certificates and EAP will work smooth as silk.

Further Help:

Microsoft Technet 

Keywords: L2TP, Radius, NPS, Windows Server 2008, Certificates

31 thoughts on “Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

  1. Pingback: Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server « Information Technology Blog

    • Dear Raihan,

      I was able to establish L2TP for XP and 7 clients within the domain. And I tried user cert and Radius secret as you suggested in this article but of no avail.
      So I have two questions

      1. How do get my MAC client connected to the L2TP VPN?
      2. How do I get the clients from outside the domain to connect to the VPN. Like for example if I want to connect from home to my L2TP server at work how would I go about it? Is there a way forward?
      Do I need to export certificates to my home machine? If yes how would I do it?
      If not what is the best method for this?

      Your help on this occassion is gratefully received.



  2. I have configured WLC2100 and Windows 2008. The server only authenticates Domain PCs, doesnt authenticate any other PCs although prompting for username and password.


  3. If I want certain guest accounts created just for wifi access and authenticating to the RADIUS and the machine they are using is not a member of AD, can you tell me best suitable setup in this regards? Domain users / computers will also be connecting and authenticating for wireless purpose. Thanks.


  4. RADIUS server,1813 is being marked alive.
    4 Jul 8 20:22:02 Warning RADIUS server,1813 is not responding.

    I am getting the above error with Cisco 881W acces points (using CISCO 881W-GN-A-K9 router with wireless), it was working and suddenly stopped. I do have few Linksys / Cisco WAP4410N accespoints which are working fine. My NPS is running on a Windows 2008 R2 domain controller.


  5. WOW Raihan Al-Beruni ,Brother You are the man of IT, you know I did 27 certification andh have above 12 years exprince but I never saw IT guy like you, I realy want to see that who is that nice guy who,s put every things step by step, I love it bro and God bless you, Thanks

    Best Regards


      • i have test that but one problem even i didnt select validate certificate am able to login to wireless ,,, i think it must check the certificate if not valide it should not let me login by the even though am able to login.


      • i have export the certificate from nps server and import it in client laptop non domain to trust root authority ,and i have configure it to validate the certificate but am able to login the wireless network with checking the certificate. kindly correct me if am wrong regarding the steps to configurate the client machine am using 802.1x


  6. regarding ca certificate for nps server , how to prepare this request coz it is showing in configuration server name of ca only no nps server name


  7. Will it work for computers out side domain, like guest or non company laptos, how can we connect laptops with out joining to domain


  8. Hi Raihan,
    Thaks for the posting such a nice KB.Just wanted to ask one thing abot you above example.You have use ip of Ip belongs to WLC/APs or your Domain controller.Could you please tell me in detail asi am i am new in NAP


  9. What do you know about setting up NPS and using MAC address authentication? We are not having any luck here with this type of setup!!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.