Network Policy Server (NPS) is Windows Server’s built-in RADIUS implementation. It lets you centralise authentication for VPN connections, Wi-Fi access points, and other network devices — so users authenticate against Active Directory rather than local accounts on each device. This guide covers installing NPS, configuring RADIUS clients, and building network policies.
What NPS Does
NPS acts as a RADIUS server: network devices (VPN concentrators, wireless access points, switches) send authentication requests to NPS, which validates credentials against Active Directory and returns an allow or deny. You configure policies in one place rather than managing user lists on every device.
Common use cases:
- VPN authentication — users authenticate with their AD credentials, not a separate VPN password
- 802.1X Wi-Fi — certificates or credentials authenticate devices to the wireless network
- Switch port authentication — 802.1X on wired ports, useful in higher-security environments
Installing Network Policy Server
NPS is a role service under the Network Policy and Access Services role. Install via Server Manager or PowerShell:
Install-WindowsFeature NPAS -IncludeManagementTools
After installation, open Network Policy Server from Administrative Tools. The console is organised into four sections: RADIUS Clients and Servers, Policies, Accounting, and Templates.
Register NPS with Active Directory
Before NPS can read user attributes from AD (such as dial-in permissions), you must register it:
- In the NPS console, right-click NPS (Local) in the left pane
- Click Register server in Active Directory
- Click OK on the confirmation dialog
This adds the NPS server to the RAS and IAS Servers security group in AD, granting read access to user dial-in properties.
Command-line equivalent (a netsh command, which can be run from an elevated PowerShell or cmd prompt):
netsh ras add registeredserver
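The install and registration steps above as one re-runnable script, with a check that the registration actually took effect. This is an added example, not part of the original guide; it assumes an elevated prompt on a domain-joined server and that the ActiveDirectory PowerShell module is available for the verification step.

```powershell
# Added example (not from the original guide): install the NPS role service,
# register the server in AD, and confirm the registration.
# Assumes: run elevated on a domain-joined server with rights to modify the
# "RAS and IAS Servers" group; the ActiveDirectory module is installed (RSAT).

# Install only if the role service is missing, so the script is safe to re-run.
$npas = Get-WindowsFeature -Name NPAS
if (-not $npas.Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}

# Register NPS so it can read dial-in properties from AD. This is the same action
# as "Register server in Active Directory" in the console: it adds this computer
# account to the "RAS and IAS Servers" group.
netsh ras add registeredserver | Out-Null

# Verify: the local computer account should now be a member of the group.
Import-Module ActiveDirectory
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
           Select-Object -ExpandProperty SamAccountName
$self = "$env:COMPUTERNAME$"
if ($members -contains $self) {
    Write-Output "NPS registered: $self is a member of 'RAS and IAS Servers'"
} else {
    Write-Warning "$self is not in 'RAS and IAS Servers'; the account running this may lack rights to change the group, or replication has not caught up yet"
}
```

If the verification warns, NPS will still accept requests but will ignore the per-user Network Access Permission setting on AD accounts, so fix the registration before relying on dial-in properties in policies.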
Adding a RADIUS Client
A RADIUS client is the network device that will send authentication requests to NPS — your VPN server, wireless controller, or managed switch.
- Expand RADIUS Clients and Servers → right-click RADIUS Clients → New
- Enter a friendly name and the IP address or DNS name of the device
- Set a shared secret — a long, random string that both sides use to authenticate RADIUS messages and protect the password attribute in transit. Use the same secret in the device's RADIUS configuration
- Click OK
For multiple devices of the same type, use RADIUS client templates (under Templates Management) to avoid repeating configuration.
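The same client creation done from PowerShell with the NPS module that ships with the role, including generation of the shared secret from a cryptographic random source rather than by hand. This is an added example, not code from the original guide; the client name and address are placeholders, and the secret length of 48 characters is a choice made here (NPS accepts considerably longer secrets).

```powershell
# Added example (not from the original guide): create a RADIUS client with a
# strong random shared secret using the NPS PowerShell module.
# Assumes: the NPS module is present (installed with the role); the client name
# and address below are placeholders for your own device.

function New-RadiusSharedSecret {
    param([int]$Length = 48)
    # 64-symbol alphabet so one random byte maps onto it without modulo bias
    # (256 = 4 * 64). Uses a CSPRNG; Get-Random is not suitable for secrets.
    $alphabet = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) + @([char]'-', [char]'_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$clientName = 'vpn01'        # placeholder friendly name
$clientAddr = '192.0.2.10'   # placeholder (documentation range); use the device's real IP or DNS name
$secret = New-RadiusSharedSecret

# Create the client only if it does not already exist, so the script is idempotent
# and does not silently rotate the secret on an existing client.
if (-not (Get-NpsRadiusClient -Name $clientName -ErrorAction SilentlyContinue)) {
    New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret | Out-Null
    # The secret is shown once so it can be entered on the device; this script
    # deliberately does not write it to disk.
    Write-Output "Client '$clientName' created. Shared secret (configure on the device now): $secret"
} else {
    Write-Output "Client '$clientName' already exists; no changes made"
}

Get-NpsRadiusClient -Name $clientName | Select-Object Name, Address
```

Because NPS matches a request to a client by source IP, the address must be the one the device sends from (its management or uplink interface, not necessarily the address users connect to).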
Network Policies
Network policies define who is allowed to connect and under what conditions. NPS evaluates policies in order — the first matching policy applies.
To create a policy:
- Expand Policies → right-click Network Policies → New
- Name the policy and set Type of network access server to match your device type (e.g. Remote Access Server for VPN)
- Add conditions — typically Windows Groups (e.g. VPN-Users) or Client Friendly Name
- Set access permission to Grant access
- Configure authentication methods — for VPN, MS-CHAPv2 is common; for 802.1X, choose EAP/PEAP
- Set constraints if needed (time of day, session timeout, idle timeout)
The default Connections to other access servers policy at the bottom denies everything not matched above — leave it in place as a security backstop.
Connection Request Policies
Connection request policies sit above network policies. They determine where requests are processed — locally on this NPS server, or forwarded to a remote RADIUS server (for proxy configurations). The default policy processes everything locally, which is correct for most setups.
Configuring VPN Server to Use NPS
On a Windows RRAS VPN server:
- Open Routing and Remote Access
- Right-click the server → Properties → Security tab
- Set Authentication provider to RADIUS Authentication
- Click Configure → Add → enter the NPS server IP and shared secret
- Repeat for Accounting provider if you want to log sessions via RADIUS accounting
NPS Logging and Troubleshooting
NPS logs authentication attempts to the Windows Event Log under Applications and Services Logs → Microsoft → Windows → Security. Key event IDs:
- 6272 — access granted
- 6273 — access denied (includes reason code)
- 6274 — request discarded
NPS can also write SQL or text-file accounting logs. Enable under Accounting in the NPS console.
Common denial reasons:
- Reason 16 — no matching network policy found
- Reason 48 — password expired
- Reason 65 — EAP type mismatch between client and policy
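A script that turns the events and reason codes above into a short summary, and flags the pattern worth alerting on: repeated denials for one account from one RADIUS client. This is an added example, not part of the original guide. It assumes the NPS audit events (IDs 6272, 6273, 6274) are readable from the Security log and that the EventData field names used below are those NPS writes; on a machine without NPS events it falls back to constructed sample events so the parsing and summary logic still runs.

```powershell
# Added example (not from the original guide): summarise NPS authentication
# events and surface repeated denials per account and per RADIUS client.
# Assumes: NPS audit events (6272/6273/6274) in the Security log; the EventData
# field names are the ones NPS writes. Without live events, constructed samples
# (not real log data) are used so the logic can be exercised anywhere.

function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    # Pull the named EventData fields out of the event's XML representation.
    $e = [xml]$Xml
    $id = $e.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId    = [int]$id
        Time       = $e.Event.System.TimeCreated.SystemTime
        User       = $data['SubjectUserName']
        Domain     = $data['SubjectDomainName']
        ClientIP   = $data['ClientIPAddress']
        ClientName = $data['ClientName']
        Policy     = $data['NetworkPolicyName']
        AuthType   = $data['AuthenticationType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

function Get-NpsAuthSummary {
    param([object[]]$Events, [int]$DenyThreshold = 5)
    $parsed = @($Events | ForEach-Object { ConvertFrom-NpsEventXml -Xml $_ })
    $denied = @($parsed | Where-Object EventId -eq 6273)
    [pscustomobject]@{
        Granted        = @($parsed | Where-Object EventId -eq 6272).Count
        Denied         = $denied.Count
        Discarded      = @($parsed | Where-Object EventId -eq 6274).Count
        DeniedByReason = $denied | Group-Object ReasonCode | Select-Object Name, Count
        # Many denials for one account from one client is the pattern to alert on:
        # password guessing, or a device looping on stale stored credentials.
        Suspicious     = $denied | Group-Object User, ClientIP |
                         Where-Object Count -ge $DenyThreshold | Select-Object Name, Count
    }
}

# Live collection: NPS events from the last 24 hours.
$raw = @()
try {
    $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddDays(-1) } -ErrorAction Stop |
           ForEach-Object { $_.ToXml() }
} catch {
    Write-Warning "No NPS events read ($($_.Exception.Message)); using constructed sample events."
}
if (-not $raw) {
    # Constructed sample events shaped like NPS audit records (not real log data).
    $tpl = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID><TimeCreated SystemTime="2024-01-01T00:00:{1:00}Z"/></System><EventData><Data Name="SubjectUserName">{2}</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ClientIPAddress">192.0.2.10</Data><Data Name="ClientName">vpn01</Data><Data Name="NetworkPolicyName">VPN Access</Data><Data Name="AuthenticationType">MS-CHAPv2</Data><Data Name="ReasonCode">{3}</Data><Data Name="Reason">sample</Data></EventData></Event>
'@
    $raw = @(0..5 | ForEach-Object { $tpl -f 6273, $_, 'jsmith', 16 }) + @($tpl -f 6272, 7, 'adoe', 0)
}

Get-NpsAuthSummary -Events $raw | Format-List
```

The threshold of five denials is a starting point; tune it per client type, since a misconfigured access point can generate far more failures than a person typing a wrong password. If NPS events are absent entirely even though clients are connecting, check that the Network Policy Server audit subcategory is enabled, as the events are audit records rather than an application log.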
Exporting and Restoring NPS Configuration
Back up your NPS configuration before making changes:
netsh nps export filename="C:\backup\nps-config.xml" exportPSK=YES
Restore with:
netsh nps import filename="C:\backup\nps-config.xml"
This exports RADIUS clients, policies, templates, and shared secrets — useful when migrating NPS to a new server.
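A backup script built around the export command above that handles the point the text glosses over: with exportPSK=YES the file contains every RADIUS shared secret in the clear, so it needs the same protection as the secrets themselves. This is an added example, not part of the original guide; the backup path and retention period are placeholders chosen here.

```powershell
# Added example (not from the original guide): timestamped NPS configuration
# backup that locks down the export file, because exportPSK=YES writes the
# RADIUS shared secrets into it in plaintext.
# Assumes: run elevated on the NPS server; $backupRoot and the 30-day
# retention are placeholders.

$backupRoot = 'C:\backup\nps'   # placeholder
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file = Join-Path $backupRoot "nps-config-$stamp.xml"

New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Export with shared secrets included so the file can rebuild a replacement server.
# The timestamp gives each run a fresh filename, so netsh never has to overwrite.
netsh nps export filename="$file" exportPSK=YES | Out-Null
if (-not (Test-Path $file)) { throw "Export failed: $file was not written" }

# Strip inherited permissions, then allow only SYSTEM and Administrators.
icacls $file /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null

# Sanity check: the export must at least be well-formed XML before we trust it as a backup.
try {
    [xml](Get-Content -Path $file -Raw) | Out-Null
} catch {
    throw "Export is not well-formed XML: $file"
}

# Retention: keep 30 days of backups in this directory.
Get-ChildItem -Path $backupRoot -Filter 'nps-config-*.xml' |
    Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) |
    Remove-Item -Force

Write-Output "NPS configuration exported to $file ($((Get-Item $file).Length) bytes)"
```

Run it from a scheduled task before any policy change and again afterwards. To restore on the same or a replacement server, copy the file over and use the netsh nps import command shown above; the import replaces the current configuration, so take a fresh export first if anything on the target is worth keeping.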