When you deploy dial-up or virtual private network (VPN) connections with Network Policy Server (NPS) as a RADIUS server, you must take the following steps:

  • Install and configure network access servers (NASs) as RADIUS clients.

  • Deploy components for authentication methods.

  • Configure NPS as a RADIUS server.

Install and configure network access servers (RADIUS clients)

To deploy dial-up access, you must install and configure Routing and Remote Access as a dial-up server. To deploy VPN access, you must install and configure Routing and Remote Access as a VPN server.


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

You can install Routing and Remote Access on the local NPS server or on a remote computer.

Deploy components for authentication methods

For VPN, you can use the following authentication methods:

  • Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), known as EAP-TLS.

  • Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), known as PEAP-MS-CHAP v2.

  • PEAP with Transport Layer Security (TLS), known as PEAP-TLS.

For EAP-TLS and PEAP-TLS, you must deploy a public key infrastructure (PKI) by installing and configuring Active Directory® Certificate Services (AD CS) to issue certificates to domain member client computers and NPS servers. These certificates are used during the authentication process as proof of identity by both clients and NPS servers. If preferred, you can deploy smart cards rather than using client computer certificates. In this case, you must issue smart cards and smart card readers to organization employees.

For PEAP-MS-CHAP v2, you can deploy your own certification authority (CA) with AD CS to issue certificates to NPS servers or you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.

For more information, see EAP Overview and PEAP Overview.

Configure NPS as a RADIUS server

When you configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.

Configure RADIUS clients

There are two stages to configuring RADIUS clients:

  • Configure the physical RADIUS client, such as the VPN server or dial-up server, with information that allows the network access server to communicate with NPS servers. This information includes configuring your NPS server IP address and the shared secret in the user interface of the VPN server or dial-up server.

  • In NPS, add a new RADIUS client. On the NPS server, add each VPN server or dial-up server as a RADIUS client. NPS allows you to provide a friendly name for each RADIUS client, as well as the IP address of the RADIUS client and the shared secret.

For more information, see Add a New RADIUS Client.

Configure network policies

Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect.

For more information, see Network Policies.

Configure RADIUS accounting

RADIUS accounting allows you to record user authentication and accounting requests in a local log file or to a Microsoft® SQL Server® database on the local computer or on a remote computer.