How to Configure Radius Server on Windows Server 2016? – TheITBros

RADIUS ( Remote Authentication in Dial-In User Service ) is a network protocol for the execution of authentication, authorization, and collecting information about the resources used. It is designed to transfer information between the cardinal platform and net clients/devices. Your distant access ( RADIUS ) server can communicate with a central server/service ( for model, Active Directory domain control ) to authenticate distant dial-in clients and authorize them to access some net services or resources. Thanks to this, you can use a one centralized authentication system in your domain. In this article, we ’ ll picture how to configure the centralized RADIUS server based on Windows Server 2016 OS, and how to configure RADIUS authentication on Cisco devices using the network Policy Server ( NPS ) serve. In this model, the RADIUS will use the AD to authenticate distant users and authorize them to access Cisco switches and routers ( dissemble as RADIUS clients ) command-line interface .

Installing Radius Server (NPS) Role on Windows Server 2016

At first, create a new security group in the Active Directory domain ( for exemplar, RemoteCiscoUsers ) in which you will need to add all users that will be allowed to authenticate on Cisco routers and switches ( how to add a drug user to Active Directory group ? ).

radius server windows Starting with Windows Server 2008 R2, the RADIUS server functionality was implemented with the network Policy Services ( NPS ) function. With the NPS role, you can authenticate remote control clients against Active Directory using the Radius protocol. sol, you need to install the RADIUS server function on your Windows server 2016. Open the Server Manager console and run the Add Roles and Features charming. The outside Authentication Dial In User Service ( RADIUS ) protocol in Windows Server 2016 is a depart of the Network Policy Server character. In the sorcerer that appears, select the Network Policy and Access Services character in the function survival step .

Note. besides, you can install NPS function and management tools from an elevated PowerShell console :

Install-WindowsFeature NPAS -IncludeManagementTools

After the function initiation is completed, open the network Policy Server ( nps.msc ) in the Tools menu. windows radius server To use the NPS server in the domain, you must register it in the Active Directory. In the NPS snap-in, right-click on a settle and choose Register server in Active Directory. how to configure radius server in windows 2016 server step by step Confirm the registration of the server in Active Directory. configure radius server 2016 besides, you can register your NPS server in Active Directory with a control :

netsh ras add registeredserver

In this lawsuit, the server will be given the authority to read the properties of Active Directory drug user accounts to authenticate users. The server will be added to the built-in domain group RAS and IAS Servers. radius server windows 2016 nowadays you can add the Radius customer. Radius customer is the device from which your server will receive authentication requests. In this exemplar, it could be a Cisco router, switch, Wi-Fi access point, etc. To add the raw Radius client, expand the RADIUS Clients and Servers segment in the NPS console tree and choice New on the RADIUS Clients item. windows server radius On the Settings check, fill the fields Friendly name, customer Address ( you can specify IP address or DNS name ), and Shared Secret + Confirm shared password ( you will use this password in the configuration of the Cisco switch/router ) .

Note. The shared secret password is rarely used in huge corporate networks due to the problems with the distribution of shared keys. rather of shared passwords, it is recommended to use certificates. If you have a corporate Certification Authority deployed to implement PKI infrastructure, you can request and import a *.p12 certificate for the Radius/NPS server. Just add the security to the personal documentation store on the local Machine .

setup radius server 2016 In the Advanced tab, choice Vendor name – Cisco. radius server configuration You can use the PowerShell dominate rather of the NPS GUI to add a new RADIUS customer. In this case, you can use the New-NpsRadiusClient PowerShell cmdlet .

New-NpsRadiusClient –Address "" –Name "cisco2960" –SharedSecret "Zb+kp^JUy]v\ePb-h.Q*d=weya2AY?hn+npRRp[/J7d"

Configuring NPS Policies on the RADIUS Server

NPS policies allow you to authenticate distant users and grant them access permissions configured in the NPS function. Using NPS access policies, you can make a link to the RADIUS node records and the domain security group that determines the level of access to CISCO devices. There are two types of policies on a RADIUS server :

  • Connection request policies — these policies define a set of conditions that determines which RADIUS servers should authenticate and authorize connection requests received from RADIUS clients;
  • Network policies — a set of conditions and settings that allow you to specify who is authorized to connect to your network and a list of assigned access permissions. These policies are processed sequentially from the top to down;

In our event, we will use entirely the NPS Network policies. Expand the Policies > Network Policies arm and choice New : radius server configuration step by step Specify the policy name, the type of network access waiter should remain unchanged ( Unspecified ). install radius server 2016 In the following mistreat Specify conditions, you need to add the conditions under which this radius policy will be applied. Let ’ s attention deficit disorder two conditions — the authorize drug user must be a penis of a particular domain security group, and the device you want to access has a certain name. Use the Add to create a new stipulate by selecting the Windows Group type ( add the RemoteCiscoUsers group ) and specify the Client Friendly Name ( Cisco_* ) .

Note. The Client Friendly Name field may differ from the DNS identify of your device. We will need it in the future to identify a particular network device when creating access policies — Remote Access Policy. Using this name, you can specify, for case, a mask by which respective different RADIUS clients will be processed by a single access policy .

windows 2016 radius server On the following riddle, choose Access Granted.

radius windows server 2016 Because our Cisco switch supports only the Unencrypted authentication method acting ( PAP, SPAP ), we ’ ll uncheck all early options. windows server radius setup Skip the adjacent configuration Constraints step. In the Configure Settings section, go to the RADIUS Attributes > Standard section. Delete the existing attributes there and click the Add button. choice Access type > All, then Service-Type > Add. Specify Others = Login. windows radius server setup now add a new impute in the RADIUS Attributes > Vendor Specific section. Under Vendor, blue-ribbon Cisco, and suction stop Add. hera you need to add information about the attribute. Click Add and specify the follow prize :

shell: priv-lvl = 15

This rate means that the drug user authorized by this policy will be granted a maximal ( 15 ) administrative access license on the Cisco device. windows radius The last screen displays all selected NPS policy settings. Click Finish. configure radius server

Hint. You can backup the stream NPS waiter configuration to the XML file using the command :

Export-NpsConfiguration -Path c:\ps\backup_nps.xml

If you need to restore NPS configuration from a previously created backup file, run :

Import-NpsConfiguration -Path c:\ps\backup_nps.xml

When creating and planning RADIUS policies, pay attention to what matters their order. Policies are processed from the top to down, and when it turns out that all the conditions in the following policy are met, their far process is terminated. You can change the priorities of policies in the NPS cabinet using the Processing Order rate. radius server setup To enable the drug user account to be used for Radius authentication, open the Active Directory Users and Computers console ( dsa.msc ), find the user, open its properties, go to the Dial-In pill and select the Control access through NPS Network Policy option in the Network Access Permission section. how to configure radius server on windows server 2016 besides, you can check the stream option value using PowerShell :

Get-ADUser richard.doe -Properties msNPAllowDialin -Server

If the above command did not return any result ( empty ), this means that the default value “ Control access through NPS Network Policy ” is used. If you want to reset this drug user assign to the default option express, use the command :

Set-ADUser richard.doe -Clear msNPAllowDialin -Server

Or you can reset this impute for all users in the particular Organizational Unit ( OU ) using the LDAP trickle :

Get-ADUser -SearchBase "ou=Users,ou=Paris,dc=theitbros,dc=com" -LDAPFilter "(msNPAllowDialin=*)" | % {Set-ADUser $_ -Clear msNPAllowDialin}

Configuring RADIUS Setting on Cisco Devices

After creating the policy, you can proceed to configure your Cisco routers or switches for authentication on the newly installed Radius NPS server. Because we use world accounts for authorization, the drug user credentials must be transmitted over the network in an code form. To do this, disable the telnet protocol on the switch and enable SSHv2 on Cisco using the follow commands in configuration mode :

configure terminal

crypto key generate rsa modulus 1024

ip ssh version 2

AAA works in such a way : if the reaction from the server is not received, the node assumes unsuccessful authentication. Be certain to create a local exploiter in case the RADIUS server is unavailable for any rationality. You can create a local exploiter with the pursue command :

username cisco_local password [email protected]

In ordering to make the use of SSH mandate and disable outside access using Telnet, execute the follow commands :

line vty 5 15

transport input ssh

Below is an model of the configuration for authorizing a Radius server for the Cisco Catalyst switch :

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius if-authenticated

radius-server host key Sfs34e#sf

#Specify your RADIUS server IP address and key for encryption (the shared secret that we specified on the RADIUS server)

service password-encryption

# Enable password encryption

If you have several Radius servers, add them to the group:

aaa group server radius radius_srv_group



This completes the minimal switch configuration and you can try to check Radius authentication on your Cisco device .

How to Check the NPS/RADIUS Logs on Windows?

In decree to enable NPS Server Radius Authentication log, you need to enable the network Policy Server audit policy. You can enable this policy via the local Group Policy Editor or with the pursuit commands :

auditpol /get /subcategory:"Network Policy Server"

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

how to setup a radius server now you can open the Event Viewer console ( eventvwr.msc ), go to the Windows Logs > Security, and filter the event by the Event ID 6272 .

network Policy Server granted access to a exploiter.

how to setup radius server If you need to find all NPS authorizations event for the specific user ( Richard.Doe in this exemplar ), use the following PowerShell handwriting :

$Query = @"


$events = Get-WinEvent -FilterXML $Query
$ipaddr = @{ label="IP"; Expression={$[9].value} }
$events | select $ipaddr | group "IP" | format-table Count, Name -autosize
reference :
Category : Tech

About admin

I am the owner of the website, my purpose is to bring all the most useful information to users.

Check Also


How to Show Profile Picture Instead of Video in Zoom Meeting

Zoom is a democratic and utilitarian outside meet and television conferencing tool. however, not everyone …

Leave a Reply

Your email address will not be published. Required fields are marked *