Use this procedure to add a network access server as a Remote Authentication Dial-In User Service (RADIUS) client in the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in.
When you configure a network access server (NAS) as a RADIUS client in the NPS snap-in, the RADIUS client forwards connection requests from access clients to the NPS server for authentication, authorization, and accounting.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
In addition to configuring a new RADIUS client, you must also configure the network access server so that it can communicate with NPS. For more information, see the documentation of your NAS manufacturer.
To configure a new RADIUS client in NPS, you must run the New RADIUS Client Wizard. While following the steps in the New RADIUS Client Wizard:
- If your NAS supports use of the
Message-Authenticator attribute (also known as the signature
attribute), in the New RADIUS Client Wizard, click Request must
contain the Message Authenticator attribute. If the NAS does
not support the Message-Authenticator attribute, do not select this
setting. Enabling the use of the Message-Authenticator attribute
provides additional security when Password Authentication Protocol
(PAP), Challenge Handshake Authentication Protocol (CHAP),
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP),
and MS-CHAP v2 are configured in network policies as authentication
methods. Extensible Authentication Protocol (EAP) uses the
Message-Authenticator attribute by default and does not require
that you enable it.
- If you use NAS-specific network policies (for
example, a network policy that contains vendor-specific
attributes), click Client-Vendor, and then select the name
of the NAS manufacturer. If you do not know the name of the NAS
manufacturer or it is not in the list, select RADIUS
If NPS receives an access request from a RADIUS proxy, it cannot detect the manufacturer of the NAS that originated the request. This can cause problems if you plan to use network policy conditions that are based on the client vendor and if you have at least one RADIUS client that is a RADIUS proxy. In this case, connection requests that are forwarded to NPS from the RADIUS proxy might not match any of the network policies, causing all connection requests to be denied. For this reason, when you use RADIUS proxies, you must configure at least one network policy that is not based on NAS-specific attributes, such as the vendor-specific attribute.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
|To add a new RADIUS client|
Open the NPS MMC snap-in, and then double-click RADIUS Clients and Servers.
Right-click RADIUS Clients, and then click New RADIUS Client.
Follow the steps in the New RADIUS Client Wizard.