Windows Server 2008: how to configure Network Policy Server or Radius Server – Step by Step Guide


Step1: Prepare AAA Environment

  • Windows Server 2008 SP2 or Windows Server 2008 R2
  • Active Directory Domain Services
  • Active Directory Certificate Services
  • DHCP
  • Radius server, i.e. NPS, must be a member of the domain
  • Computer certificate installed on the Radius server
  • Windows 7, Windows XP or Mac OSX 10.5.8 Client
  • Cisco Wireless Access Point

Step2: Installation

Start menu>Administrative Tools>Server manager>Roles>Add Roles


Step3: Setup Clients

Administrative Tools>Network Policy Server>Radius Client>Right Click>New Radius Client


The Radius shared secret entered here must be the same as the one configured on the Cisco Wireless Access Point. Verify the connection by clicking Verify.
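What the shared secret actually does on the wire is worth seeing once, because it explains why a mismatch between the access point and NPS breaks everything. The following is an added example (not code from this guide or from Microsoft): a stand-alone Python model of one RADIUS Access-Request/response round trip per RFC 2865. The user name, password and secrets are constructed sample values. The NAS hides the password under MD5(secret + Request Authenticator), and the server signs its reply with a Response Authenticator computed over the packet and the secret; if either side holds a different secret, the server decodes garbage and the NAS rejects the reply.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19   # the "Wireless - IEEE 802.11" value NPS matches on

# Constructed sample credentials (not from the guide)
SAMPLE_USER, SAMPLE_PASSWORD = b"alice", b"Pa55word!"


def _attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Walk the TLV list of a packet body into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def encode_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RequestAuth."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_password(encoded, secret, request_auth):
    """Inverse of encode_password, run on the server with *its* copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: random 16-byte Request Authenticator, password hidden under the NAS's secret."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_password(password, secret, request_auth))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator with the NAS's secret; drop anything that fails."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and resp_auth == expected


def shared_secret_demo(nas_secret, server_secret):
    """One round trip with possibly different secrets on each side.
    Returns (password as decoded by the server, response code, whether the NAS accepted the reply)."""
    request = build_access_request(7, SAMPLE_USER, SAMPLE_PASSWORD, nas_secret)
    # Server: decode the password with its own secret and decide
    seen = decode_password(parse_attrs(request[20:])[USER_PASSWORD], server_secret, request[4:20])
    code = ACCESS_ACCEPT if seen == SAMPLE_PASSWORD else ACCESS_REJECT
    response = build_response(code, request, server_secret)
    # NAS: trust the reply only if the Response Authenticator verifies under its secret
    return seen, code, verify_response(response, request, nas_secret)


if __name__ == "__main__":
    print("matching secrets:  ", shared_secret_demo(b"Sh4red-Secret", b"Sh4red-Secret"))
    print("mismatched secrets:", shared_secret_demo(b"Sh4red-Secret", b"typo-Secret"))
```

With the EAP methods this guide uses, the Access-Request additionally carries a Message-Authenticator attribute (HMAC-MD5 keyed with the same secret, RFC 3579), and a server must silently discard a request whose value does not verify. In practice a wrong secret on the access point therefore shows up as the Radius server "not responding" or timing out rather than as an Access-Reject, which is why the Verify button in the client dialog is worth using before going further.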

Step4: Setup Policy

Network Policy Server>Policies>Network Policies>Right Click>New


This is the most important part of the entire configuration. Based on your needs, you have to choose the desired configuration type from the options below.

VPN Tunnel Type:L2TP

NASPort Type: VPN or Wireless

EAP Type: EAP-TLS, MSChap v2 or PEAP

AD Group: Wireless User Group or VPN User Group


Here, you can choose one or both depending on your infrastructure. I have shown both VPN and Wireless clients.


Here, I am showing both EAP types for this article. But again, you have to choose only one, depending on your infrastructure.


Smart card or certificate is the best option. For Windows 7 and XP, certificates alone will work smooth as silk. However, if you have Macintosh clients then you have to choose Certificate and PEAP.


If you want VPN clients to authenticate via Radius (i.e. NPS), then select the tunnel type.


Here, I explained a standard Radius configuration. I would recommend the following for two different situations:

  • L2TP, Certificate and EAP for VPN Client
  • Certificate, PEAP and MSChap v2 for Wireless Client.

You can have more than one policy in NPS. A single server can be used to authenticate both VPN and Wireless clients. For some weird reason, my Macintosh client did not work with only user and machine certificates. Apple support advised me to use a user cert and Radius shared secret instead. But for Windows 7 and XP clients, certificates and EAP will work smooth as silk.
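Since the guide recommends running both policies on one NPS server, it helps to be precise about how NPS picks one. The block below is an added illustration written for this article, not NPS code: a small Python model of NPS network policy processing in which the conditions (NAS Port Type, Tunnel Type, Windows Groups) select the first matching policy in processing order, and the authentication-method constraint is then checked on that policy alone. The policy names, the sample users and the group names "VPN User Group" and "Wireless User Group" (taken from the AD Group step above) are assumptions; the numeric attribute values are the standard RADIUS ones behind the NPS drop-downs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Standard RADIUS values behind the NPS drop-down choices
NAS_PORT_TYPE_VIRTUAL = 5      # "Virtual (VPN)", RFC 2865
NAS_PORT_TYPE_WIRELESS = 19    # "Wireless - IEEE 802.11", RFC 3580
TUNNEL_TYPE_L2TP = 3           # RFC 2868
EAP_TLS, EAP_PEAP = 13, 25     # IANA EAP method types: "Smart Card or other certificate", PEAP


@dataclass
class NetworkPolicy:
    name: str
    processing_order: int
    conditions: Dict[str, Set]      # attribute -> accepted values; ALL must match to select the policy
    allowed_eap_types: Set[int]     # constraint: the Authentication Methods tab
    grant_access: bool = True


@dataclass
class Request:
    user: str
    groups: Set[str]                # AD groups of the authenticating user
    nas_port_type: int
    tunnel_type: Optional[int]      # None for wireless requests
    eap_type: int


def conditions_match(policy: NetworkPolicy, req: Request) -> bool:
    """Every configured condition must hold; a non-matching policy is skipped."""
    for attr, accepted in policy.conditions.items():
        if attr == "windows_groups":
            if not (req.groups & accepted):
                return False
        elif getattr(req, attr) not in accepted:
            return False
    return True


def evaluate(policies: List[NetworkPolicy], req: Request) -> Tuple[str, Optional[str], str]:
    """Model of NPS processing: the first policy (by processing order) whose conditions match
    decides the request; failed conditions -> next policy, failed constraints -> reject, no fall-through."""
    for policy in sorted(policies, key=lambda p: p.processing_order):
        if not conditions_match(policy, req):
            continue
        if req.eap_type not in policy.allowed_eap_types:
            return "Access-Reject", policy.name, "authentication method not allowed by this policy"
        if not policy.grant_access:
            return "Access-Reject", policy.name, "policy denies access"
        return "Access-Accept", policy.name, "granted"
    return "Access-Reject", None, "no policy matched"


# The two policies this guide recommends (group names from the guide's AD Group step)
RECOMMENDED_POLICIES = [
    NetworkPolicy("VPN clients", 1,
                  {"nas_port_type": {NAS_PORT_TYPE_VIRTUAL},
                   "tunnel_type": {TUNNEL_TYPE_L2TP},
                   "windows_groups": {"VPN User Group"}},
                  {EAP_TLS}),
    NetworkPolicy("Wireless clients", 2,
                  {"nas_port_type": {NAS_PORT_TYPE_WIRELESS},
                   "windows_groups": {"Wireless User Group"}},
                  {EAP_TLS, EAP_PEAP}),
]


def demo() -> List[Tuple[str, Optional[str], str]]:
    """Constructed sample requests: Windows 7 laptop, Mac on PEAP, VPN user, VPN user on the wrong
    EAP type, and a visitor who is in neither group."""
    samples = [
        Request("win7-laptop", {"Wireless User Group"}, NAS_PORT_TYPE_WIRELESS, None, EAP_TLS),
        Request("macbook", {"Wireless User Group"}, NAS_PORT_TYPE_WIRELESS, None, EAP_PEAP),
        Request("roadwarrior", {"VPN User Group"}, NAS_PORT_TYPE_VIRTUAL, TUNNEL_TYPE_L2TP, EAP_TLS),
        Request("roadwarrior", {"VPN User Group"}, NAS_PORT_TYPE_VIRTUAL, TUNNEL_TYPE_L2TP, EAP_PEAP),
        Request("visitor", set(), NAS_PORT_TYPE_WIRELESS, None, EAP_PEAP),
    ]
    return [evaluate(RECOMMENDED_POLICIES, r) for r in samples]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two behaviours in the model are the ones to remember when troubleshooting. A VPN user whose client negotiates PEAP against the L2TP policy is rejected by that policy; NPS does not move on to try the wireless policy, so a rejected user with the right group membership is usually an authentication-method mismatch, not a missing policy. And a broad policy placed earlier in the processing order (for example one conditioned only on NAS Port Type) silently takes precedence over the stricter one below it, so keep the group condition on every policy and recheck the order after adding one.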

Further Help:

Microsoft Technet 

Keywords: L2TP, Radius, NPS, Windows Server 2008, Certificates

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.

31 Responses to Windows Server 2008: how to configure Network Policy Server or Radius Server – Step by Step Guide

  1. Pingback: Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server « Information Technology Blog

    • AR says:

      Dear Raihan,

      I was able to establish L2TP for XP and 7 clients within the domain. And I tried user cert and Radius secret as you suggested in this article but to no avail.
      So I have two questions

      1. How do I get my Mac client connected to the L2TP VPN?
      2. How do I get the clients from outside the domain to connect to the VPN. Like for example if I want to connect from home to my L2TP server at work how would I go about it? Is there a way forward?
      Do I need to export certificates to my home machine? If yes how would I do it?
      If not what is the best method for this?

      Your help on this occasion is gratefully received.



  2. NAJAM says:

    I have configured WLC2100 and Windows 2008. The server only authenticates domain PCs; it doesn't authenticate any other PCs although it prompts for username and password.


  3. Matt says:

    Will this work if the NPS box is only acting as a DHCP relay agent and not DHCP?


  4. abdel ali says:

    How can we test if this configuration works on the client?


  5. Charlie says:

    If I want certain guest accounts created just for wifi access and authenticating to the RADIUS and the machine they are using is not a member of AD, can you tell me best suitable setup in this regards? Domain users / computers will also be connecting and authenticating for wireless purpose. Thanks.


  6. Subi says:

    RADIUS server,1813 is being marked alive.
    4 Jul 8 20:22:02 Warning RADIUS server,1813 is not responding.

    I am getting the above error with Cisco 881W access points (using a CISCO 881W-GN-A-K9 router with wireless); it was working and suddenly stopped. I do have a few Linksys / Cisco WAP4410N access points which are working fine. My NPS is running on a Windows 2008 R2 domain controller.


  7. Arshad Bashir Khattak says:

    WOW Raihan Al-Beruni, brother you are the man of IT. You know I did 27 certifications and have above 12 years experience, but I never saw an IT guy like you. I really want to see who is that nice guy who puts everything step by step. I love it bro and God bless you. Thanks

    Best Regards


  8. pix says:

    I have read your solution but I have a question: does the client laptop need to join the domain to be authenticated with Radius?


    • Yes, they need to be a domain member. But if they are not, then you have to export certificates to the standalone machine and use a domain account to join the network.


      • pix says:

        I have tested that, but one problem: even when I didn't select validate certificate I am able to log in to wireless. I think it must check the certificate; if it is not valid it should not let me log in, but even so I am able to log in.


      • pix says:

        I have exported the certificate from the NPS server and imported it on the non-domain client laptop as a trusted root authority, and I have configured it to validate the certificate, but I am able to log in to the wireless network with the certificate check. Kindly correct me if I am wrong regarding the steps to configure the client machine. I am using 802.1x.


  9. nitin says:

    Is it working without domain control on the client PC?


  10. pix says:

    Regarding the CA certificate for the NPS server, how do I prepare this request, because in the configuration it is showing the server name of the CA only, not the NPS server name?


  11. itgeek says:

    In this certificate option, what kind of certificate shall I request:
    domain controller authentication or domain controller?


  12. Mohammed Refad says:

    Will it work for computers outside the domain, like guest or non-company laptops? How can we connect laptops without joining them to the domain?


  13. Shadab says:

    Hi Raihan,
    Thanks for posting such a nice KB. Just wanted to ask one thing about your above example. You have used an IP; does the IP belong to the WLC/APs or your domain controller? Could you please tell me in detail, as I am new in NAP.


  14. Jack Mayer says:

    What do you know about setting up NPS and using MAC address authentication? We are not having any luck here with this type of setup!!


  15. gajanan says:

    Understanding exactly what people want, you prepare it perfectly. Nice…..


  16. Maria Castillo says:

    How can I change the network domain in the NPS role?

