Are you looking for a way to improve the security and reliability of your wired and wireless networks? Do you want to use Network Policy Server (NPS) to authenticate and authorize your devices and users? Do you want to have a backup NPS server in case your primary one fails?
If you answered yes to any of these questions, then this blog post is for you. In this post, you will learn:
- What is NPS and how it works with 802.1X
- How to install and configure NPS on a domain controller (DC)
- How to export and import NPS settings to another DC
- How to test and troubleshoot your NPS servers
By the end of this post, you will be able to set up multiple NPS servers for your wired and wireless networks and ensure that your network access is secure and uninterrupted.
What is NPS and how it works with 802.1X
NPS is a role service of the Network Policy and Access Services (NPAS) server role in Windows Server. It allows you to create and enforce network access policies for your devices and users. NPS can act as a RADIUS server or a RADIUS proxy, depending on your network design.
NPS works with 802.1X, which is an industry-standard protocol for network access control. 802.1X provides authentication and authorization for devices and users that want to access a network. 802.1X consists of three components:
- Supplicant: The device or user that requests network access
- Authenticator: The device that controls the physical access to the network, such as a switch or a wireless access point
- Authentication server: The server that verifies the identity and credentials of the supplicant, such as NPS
The 802.1X authentication process involves the following steps:
- The supplicant connects to the network and sends an EAPOL-Start message to the authenticator.
- The authenticator responds with an EAP-Request/Identity message to the supplicant.
- The supplicant sends an EAP-Response/Identity message with its identity to the authenticator.
- The authenticator forwards the identity to the authentication server.
- The authentication server challenges the supplicant with an EAP-Request message, which may contain a request for credentials, such as a username and password, a certificate, or a token.
- The supplicant responds with an EAP-Response message, which may contain the credentials or a confirmation of the challenge.
- The authentication server verifies the credentials or the challenge and sends an EAP-Success or an EAP-Failure message to the authenticator.
- The authenticator grants or denies network access to the supplicant based on the message from the authentication server.
How to install and configure NPS on a domain controller (DC)
To use NPS as a RADIUS server for your wired and wireless networks, you need to install and configure it on a DC. Here are the steps to do so:
- On your DC, open Server Manager and click Manage > Add Roles and Features.
- On the Before You Begin page, click Next.
- On the Select Installation Type page, select Role-Based or Feature-Based Installation and click Next.
- On the Select Destination Server page, select your DC from the server pool and click Next.
- On the Select Server Roles page, select Network Policy and Access Services and click Next.
- On the Select Features page, click Next.
- On the Network Policy and Access Services page, click Next.
- On the Select Role Services page, select Network Policy Server and click Next.
- On the Confirm Installation Selections page, click Install.
- On the Installation Progress page, wait for the installation to complete and click Close.
- On your DC, open the NPS console from the Start menu or the Tools menu in Server Manager.
- In the NPS console, expand NPS (Local) and click RADIUS Clients and Servers.
- Right-click RADIUS Clients and click New.
- On the New RADIUS Client page, enter a friendly name and an IP address or a DNS name for your authenticator, such as a switch or a wireless access point.
- Enter a shared secret that matches the one configured on your authenticator and click OK.
- Repeat the previous three steps (New RADIUS Client, friendly name and address, shared secret) for each authenticator in your network.
- In the NPS console, click Policies and right-click Network Policies and click New.
- On the Specify Network Policy Name and Connection Type page, enter a name for your policy and select the connection type that matches your network, such as Wired or Wireless.
- On the Specify Conditions page, click Add and select the conditions that you want to apply to your policy, such as Windows Groups, User Name, or Certificate.
- On the Configure Authentication Methods page, select the authentication methods that you want to use for your policy, such as Microsoft Protected EAP (PEAP), Microsoft Smart Card or Other Certificate, or Unencrypted Authentication (PAP, SPAP).
- On the Configure Constraints page, configure the settings that you want to apply to your policy, such as Idle Timeout, Session Timeout, or Called Station ID.
- On the Configure Settings page, configure the attributes that you want to send to your authenticator, such as Standard RADIUS Attributes, Vendor-Specific RADIUS Attributes, or NAP Enforcement.
- On the Completing New Network Policy page, review your settings and click Finish.
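The same installation and RADIUS-client steps can be scripted. The following is an added example, not code from the original post: it installs the role service with Install-WindowsFeature, registers the server in Active Directory, and creates one RADIUS client per authenticator from a constructed inventory, generating a separate high-entropy shared secret for each. The host names and addresses are placeholders; the network policy itself is still created in the NPS console as described above.

```powershell
# Added example (not from the original post): install the NPS role service and
# register RADIUS clients from a constructed inventory, skipping ones that exist.
# Assumptions: elevated PowerShell session on the DC; the NPS module ships with
# the NPAS management tools; names and addresses below are constructed placeholders.

# Install the role service plus its management tools (console and NPS cmdlets).
$feature = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before NPS is usable.'
}

# Let NPS read user dial-in properties from Active Directory
# (adds this computer to the "RAS and IAS Servers" group).
netsh nps add registeredserver | Out-Null

# Constructed inventory of authenticators (switches / wireless controllers).
$authenticators = @(
    @{ Name = 'core-switch-01';     Address = '10.0.10.2' }
    @{ Name = 'wlan-controller-01'; Address = '10.0.20.5' }
)

function New-RandomSharedSecret {
    # 24 random bytes rendered as 48 hex characters: long, high-entropy, and made of
    # characters every switch and access point accepts. One secret per client, so a
    # compromised device cannot impersonate the others.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($a in $authenticators) {
    if (Get-NpsRadiusClient -Name $a.Name -ErrorAction SilentlyContinue) {
        Write-Host "RADIUS client '$($a.Name)' already exists, skipping."
        continue
    }
    $secret = New-RandomSharedSecret
    New-NpsRadiusClient -Name $a.Name -Address $a.Address -SharedSecret $secret | Out-Null
    # Shown once so it can be entered on the authenticator; it is stored only in NPS.
    Write-Host "Created '$($a.Name)' ($($a.Address)) with shared secret: $secret"
}
```

The secret is generated per client rather than shared across all authenticators; the console wizard accepts the same values, and the address given to New-NpsRadiusClient must match the source address the authenticator uses for RADIUS traffic.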
How to export and import NPS settings to another DC
To have a backup NPS server in case your primary one goes down, you need to export and import your NPS settings to another DC. Here are the steps to do so:
- On your primary NPS server, open an elevated command prompt and run the following command:
netsh nps export filename="C:\NPS-Backup.xml" exportPSK=YES
This command will export your NPS configuration to an XML file and include the shared secrets for your RADIUS clients. You can change the filename and the location as you wish.
- Copy the XML file to your backup NPS server.
- On your backup NPS server, open an elevated command prompt and run the following command:
netsh nps import filename="C:\NPS-Backup.xml"
This command will import your NPS configuration from the XML file. You need to use the same filename and location as the export command.
- On your backup NPS server, open the NPS console and verify that your RADIUS clients and network policies are imported correctly.
- On your authenticator, configure the IP address of your backup NPS server as a secondary RADIUS server and use the same shared secret as the primary one.
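The export, copy, import and verification steps above, as an added example that is not part of the original post. It uses the Export-NpsConfiguration and Import-NpsConfiguration cmdlets, which do the same work as the netsh nps export and import commands, moves the file over PowerShell remoting instead of a file share, and compares the RADIUS client lists on both servers afterwards. The backup host name dc02 is a placeholder.

```powershell
# Added example (not from the original post): replicate the NPS configuration from
# this (primary) server to the backup server and verify the RADIUS clients match.
# Assumptions: elevated session on the primary, run by an administrator of both
# servers; PowerShell remoting enabled on the backup; 'dc02' is a placeholder.

$Backup   = 'dc02'
$TempFile = Join-Path $env:TEMP 'NPS-Backup.xml'

# Equivalent of 'netsh nps export ... exportPSK=YES': the XML contains every RADIUS
# client shared secret in clear text, so it lives only in a local temp path and is
# deleted as soon as the import has finished.
Export-NpsConfiguration -Path $TempFile

try {
    $session = New-PSSession -ComputerName $Backup

    # Copy-Item -ToSession keeps the transfer inside the WinRM channel.
    $remotePath = Invoke-Command -Session $session { Join-Path $env:TEMP 'NPS-Backup.xml' }
    Copy-Item -Path $TempFile -Destination $remotePath -ToSession $session

    Invoke-Command -Session $session -ArgumentList $remotePath -ScriptBlock {
        param($Path)
        # Equivalent of 'netsh nps import filename=...'; replaces the local configuration.
        Import-NpsConfiguration -Path $Path
        Remove-Item -Path $Path -Force
    }

    # Verification: the same RADIUS clients (name + address) must exist on both servers.
    $local  = Get-NpsRadiusClient | Select-Object Name, Address | Sort-Object Name
    $remote = Invoke-Command -Session $session { Get-NpsRadiusClient | Select-Object Name, Address } |
              Sort-Object Name
    $diff = Compare-Object -ReferenceObject $local -DifferenceObject $remote -Property Name, Address
    if ($diff) {
        Write-Warning 'RADIUS client lists differ between the two servers:'
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "$($local.Count) RADIUS clients present on both $env:COMPUTERNAME and $Backup."
    }
}
finally {
    if ($session) { Remove-PSSession $session }
    Remove-Item -Path $TempFile -Force -ErrorAction SilentlyContinue
}
```

Two things the XML does not carry: the import replaces the backup server's entire NPS configuration, so run it only against a server that is meant to mirror the primary, and the server certificate used for PEAP or EAP-TLS is not exported, so the backup needs its own certificate from the same CA and the policy's authentication method must be pointed at it after the first import.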
How to test and troubleshoot your NPS servers
To ensure that your NPS servers are working properly, you need to test and troubleshoot them regularly. Here are some tips to do so:
- To test your NPS server, you can use the NTRadPing tool, which is a free RADIUS test utility. You can use this tool to send RADIUS authentication, accounting, and status requests to your NPS server and check the responses.
- To troubleshoot your NPS server, you can use the Event Viewer, which logs the NPS events under the Custom Views > Server Roles > Network Policy and Access Services node. You can also enable the NPS tracing logs, which provide more detailed information about the NPS operations. To enable the NPS tracing logs, run the following command on your NPS server:
netsh ras set tracing * enabled
To disable the NPS tracing logs, run the following command:
netsh ras set tracing * disabled
The NPS tracing logs are written to the %windir%\tracing folder and can be analyzed with the Netmon tool.
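Before turning on tracing, the Security log usually answers the question. NPS writes one audit event per authentication: 6272 for access granted and 6273 for access denied, the latter carrying a reason code. The following added example (not from the original post) enables that audit subcategory and summarizes the last 24 hours of outcomes so that a spike in one reason code or one device stands out. The EventData field names follow the 6273 event's schema; confirm them against a live event with ToXml() in your environment.

```powershell
# Added example (not from the original post): summarise NPS authentication outcomes
# from the Security log. Assumes NPS auditing is enabled (done below); event IDs 6272
# (granted) and 6273 (denied) are the standard NPS audit events. The Data names used
# follow the 6273 EventData schema; verify against a live event with .ToXml().

# Enable success and failure auditing for the Network Policy Server subcategory.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsAuthSummary {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # Turn the <Data Name="...">value</Data> pairs into a lookup table.
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Outcome    = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = $d['SubjectUserName']
            Device     = $d['CallingStationID']   # supplicant MAC address
            Client     = $d['ClientName']         # RADIUS client friendly name
            NasIP      = $d['NASIPv4Address']
            Policy     = $d['NetworkPolicyName']
            EapType    = $d['EAPType']
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

$summary = Get-NpsAuthSummary -Hours 24

# Denials grouped by reason: a spike in one code usually has a single root cause
# (expired server or client certificate, missing group membership, EAP type mismatch).
$summary | Where-Object Outcome -eq 'Denied' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Devices with many denials in the window: misconfigured supplicants, or something
# on the wire that should not be there.
$summary | Where-Object Outcome -eq 'Denied' |
    Group-Object Device | Where-Object Count -ge 10 |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on each NPS server, since each one logs only the requests it handled; if the backup shows no events at all while the primary is up, the authenticators are not failing over to it.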
Frequently Asked Questions (FAQs)
Here are some frequently asked questions about NPS and 802.1X:
Question: What are the benefits of using NPS and 802.1X for wired and wireless networks?
Answer: NPS and 802.1X provide several benefits for wired and wireless networks, such as:
- Enhanced security: NPS and 802.1X prevent unauthorized devices and users from accessing your network. They also encrypt the network traffic between the supplicant and the authenticator.
- Centralized management: NPS and 802.1X allow you to manage your network access policies from a single location. You can also integrate NPS with Active Directory and other identity providers for easier user management.
- Scalability and flexibility: NPS and 802.1X can support a large number of devices and users across different network types and vendors. You can also customize your network access policies based on various conditions and attributes.
Question: What are the requirements for using NPS and 802.1X for wired and wireless networks?
Answer: To use NPS and 802.1X for wired and wireless networks, you need the following:
- A Windows Server with the NPS role service installed and configured
- A domain controller with Active Directory or another identity provider
- A switch or a wireless access point that supports 802.1X and RADIUS
- A device or a user that has a certificate or a credential for authentication
Question: How can I monitor and report on the NPS and 802.1X activities?
Answer: You can use the following tools to monitor and report on the NPS and 802.1X activities:
- The NPS Accounting feature, which records the network access activities of your devices and users in a log file or a database. You can use the NPS console or the Log File Viewer tool to view and analyze the accounting data.
- The NPS Reports feature, which generates reports based on the NPS accounting data. You can use the NPS console or the Report Viewer tool to view and customize the reports. You can also schedule the reports to run automatically and send them by email.
- The Performance Monitor tool, which collects and displays the performance data of your NPS server, such as the number of RADIUS requests, responses, and errors. You can use the Performance Monitor console or the Data Collector Sets feature to create and manage the performance counters and logs.
Summary
In this blog post, you have learned how to set up multiple NPS servers for your wired and wireless networks using 802.1X. You have also learned how to test and troubleshoot your NPS servers and how to monitor and report on your NPS and 802.1X activities. By following these steps, you can improve the security and reliability of your network access and manage your network policies more efficiently.
Disclaimer: This blog post is for informational purposes only and does not constitute professional advice. The author and the publisher are not liable for any damages or losses that may result from the use of the information or the procedures described in this blog post. The user is responsible for verifying the accuracy and suitability of the information and the procedures before applying them to their own environment. The user is also responsible for complying with any applicable laws and regulations when using NPS and 802.1X.