When you deploy 802.1X wired or wireless access with Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, you must take the following steps:
- Install and configure network access servers (NASs) as RADIUS clients.
- Deploy components for authentication methods.
- Configure NPS as a RADIUS server.
Install and configure network access servers (RADIUS clients)
To deploy 802.1X wireless access, you must install and configure wireless access points. To deploy 802.1X wired access, you must install and configure 802.1X authenticating switches.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
In both cases, these network access servers must meet the following requirements:
- Support for Institute of Electrical and Electronics Engineers (IEEE) standard 802.1X authentication
- Support for RADIUS authentication and RADIUS
If you use billing or accounting applications that require session correlation, the following are required:
- Support for the Class attribute as defined by the Internet Engineering Task Force (IETF) in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," to allow session correlation for RADIUS authentication and accounting records. For session correlation, when you configure RADIUS accounting at your NPS server or proxy, you must log all accounting data that allow applications (such as billing applications) to query the database, correlate related fields, and return a cohesive view of each session in the query results. At a minimum, to provide session correlation, you must log the following NPS accounting data: NAS-IP-Address; NAS-Identifier (you need both NAS-IP-Address and NAS-Identifier because the access server can send either attribute); Class; Acct-Session-Id; Acct-Multi-Session-Id; Packet-Type; Acct-Status-Type; Acct-Interim-Interval; NAS-Port; and
- Support for accounting interim requests, which are sent periodically by some network access servers (NASs) during a user session, so that they can be logged. This type of request is used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in the remote access profile on the NPS server. The NAS must support accounting interim requests if you want the interim requests to be logged on the NPS server.
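The session correlation described above, as an added example that is not part of the original article: it groups the minimum attribute set listed (NAS-IP-Address or NAS-Identifier, Class, Acct-Session-Id, Acct-Multi-Session-Id, Packet-Type, Acct-Status-Type, Acct-Interim-Interval, NAS-Port) into one view per session and flags sessions that never received a Stop. The records are constructed dictionaries, not an NPS log format, and the field names are assumptions for this illustration.

```python
from collections import defaultdict

# RADIUS packet codes (RFC 2865/2866): 2 = Access-Accept, 4 = Accounting-Request.
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
# Acct-Status-Type values (RFC 2866): 1 = Start, 2 = Stop, 3 = Interim-Update.
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def nas_key(rec):
    # A NAS may send either attribute, so both are logged and either one identifies it.
    return rec.get("NAS-IP-Address") or rec.get("NAS-Identifier")

def correlate(records):
    """Group logged records into {(nas, Acct-Session-Id): summary}. The Class value
    NPS issues in Access-Accept and the NAS echoes in accounting ties them together."""
    accepts = {r["Class"]: r.get("User-Name") for r in records
               if r.get("Packet-Type") == ACCESS_ACCEPT and "Class" in r}
    sessions = defaultdict(lambda: {"user": None, "events": [], "nas_port": None,
                                    "interim_interval": None, "multi_session_id": None})
    for r in records:
        if r.get("Packet-Type") != ACCOUNTING_REQUEST:
            continue
        nas = nas_key(r)
        if nas is None or "Acct-Session-Id" not in r:
            continue  # not correlatable without a NAS identity and a session id
        s = sessions[(nas, r["Acct-Session-Id"])]
        s["events"].append(STATUS.get(r.get("Acct-Status-Type"), "Unknown"))
        s["user"] = accepts.get(r.get("Class"), s["user"])
        for field, attr in (("nas_port", "NAS-Port"), ("interim_interval", "Acct-Interim-Interval"),
                            ("multi_session_id", "Acct-Multi-Session-Id")):
            s[field] = r.get(attr, s[field])
    return dict(sessions)

def open_sessions(sessions):
    """Sessions with no Stop record: still active, or accounting data was lost."""
    return sorted(k for k, s in sessions.items() if "Stop" not in s["events"])

# Constructed sample records, not real NPS log data. Both NASs happen to reuse
# Acct-Session-Id "0001", which is why the NAS identity is part of the key.
SAMPLE_RECORDS = [
    {"Packet-Type": 2, "User-Name": "CONTOSO\\alice", "Class": "c1", "NAS-IP-Address": "10.0.0.5"},
    {"Packet-Type": 4, "Acct-Status-Type": 1, "Acct-Session-Id": "0001", "Class": "c1",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 7, "Acct-Interim-Interval": 600},
    {"Packet-Type": 4, "Acct-Status-Type": 3, "Acct-Session-Id": "0001", "Class": "c1",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 7},
    {"Packet-Type": 4, "Acct-Status-Type": 2, "Acct-Session-Id": "0001", "Class": "c1",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 7},
    {"Packet-Type": 2, "User-Name": "CONTOSO\\bob", "Class": "c2", "NAS-Identifier": "ap-lobby"},
    {"Packet-Type": 4, "Acct-Status-Type": 1, "Acct-Session-Id": "0001", "Class": "c2",
     "NAS-Identifier": "ap-lobby", "NAS-Port": 1},
]
```

Running `correlate(SAMPLE_RECORDS)` yields two distinct sessions despite the shared Acct-Session-Id, and `open_sessions` reports only the lobby access point session, which has a Start but no Stop.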
If you use virtual local area networks (VLANs), the NASs must support VLANs.
For wide area network (WAN) environments, network access servers should provide the following:
- Support for dynamic retransmit timeout (RTO) estimation or exponential backoff to handle congestion and delays in a WAN environment.
In addition, there are filtering features that the network access servers should support to provide enhanced security for the network. These filtering options include:
- DHCP filtering. The NASs must filter on IP ports to prevent the transmission of Dynamic Host Configuration Protocol (DHCP) broadcast messages if the client is a DHCP server. The network access servers must block the client from sending IP packets from port 68 to the network.
- DNS filtering. The NASs must filter on IP ports to prevent a client from performing as a DNS server. The NASs must block the client from sending IP packets from port 53 to
If you are deploying wireless access points, support for Wi-Fi Protected Access (WPA) is preferred. WPA is supported by Windows Vista® and Windows XP with Service Pack 2. To deploy WPA, also use wireless network adapters that support WPA.
Deploy components for authentication methods
For 802.1X wireless and wired, you can use the following authentication methods:
- Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), also called EAP-TLS.
- Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), also called PEAP-MS-CHAP v2.
- PEAP with EAP-TLS, also called PEAP-TLS.
For EAP-TLS and PEAP-TLS, you must deploy a public key infrastructure (PKI) by installing and configuring Active Directory® Certificate Services (AD CS) to issue certificates to domain member client computers and NPS servers. These certificates are used during the authentication process as proof of identity by both clients and NPS servers. If preferred, you can deploy smart cards rather than using client computer certificates. In this case, you must issue smart cards and smart card readers to organization employees.
For PEAP-MS-CHAP v2, you can deploy your own certification authority (CA) with AD CS to issue certificates to NPS servers or you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.
Configure NPS as a RADIUS server
When you configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.
Configure RADIUS clients
There are two stages to configuring RADIUS clients:
- Configure the physical RADIUS client, such as the wireless access point or authenticating switch, with information that allows the network access server to communicate with NPS servers. This includes configuring the IP address of your NPS server and the shared secret in the access point or switch user interface.
- In NPS, add a new RADIUS client. On the NPS server, add each access point or authenticating switch as a RADIUS client. NPS allows you to provide a friendly name for each RADIUS client, as well as the IP address of the RADIUS client and the
For more information, see Add a New RADIUS Client.
Configure network policies
Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect.
For more information, see Network Policies.
Configure RADIUS accounting
RADIUS accounting allows you to record user authentication and accounting requests in a local log file or to a Microsoft® SQL Server® database on the local computer or a remote computer.
For more information, see RADIUS Accounting.