Configure a Wireless AP as an NPS RADIUS Client

Applies To: Windows Server 2008, Windows Vista

Use this procedure to configure a wireless access point (AP), also known as a network access server (NAS), as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS snap-in.


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Beginning in Windows Server® 2012, you can use a Windows PowerShell® command to complete this task. For information about how to use Windows PowerShell to add a network access server as a RADIUS client in NPS, see Add a New RADIUS Client.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network access server as a RADIUS client in NPS

  1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS snap-in opens.

  2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.

  3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.

  4. In New RADIUS Client, in Friendly name, type a display name for the NAS.

    For example, if you want to add a wireless access point (AP) named AP-01, type AP-01.

  5. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) for the NAS.

    If you enter the FQDN, you can verify that the name is correct and maps to a valid IP address: click Verify, and then in Verify Client, in Client, click Resolve. If the FQDN maps to a valid IP address, the IP address of that NAS automatically appears in IP Address. If the FQDN does not resolve to an IP address, you receive a message indicating that no such host is known.

  6. In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.

  7. In New RADIUS Client, in Shared secret, do one of the following:

    • To manually configure a RADIUS shared secret, ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.

    • To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server.

  8. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and your NAS supports use of the Message Authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.

  9. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.

  10. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.
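
The same procedure as a script, for Windows Server 2012 or later where the `New-NpsRadiusClient` cmdlet is available. This is an added example, not part of the original procedure or Microsoft's own script. The FQDN, the 48-character secret length, and the `New-RadiusSharedSecret` helper are assumptions made for illustration, and the script assumes the NAS supports the Message Authenticator attribute (step 8).

```powershell
# Added example. Run in an elevated session on the NPS server.
Import-Module NPS

# Assumed values for illustration; replace with your own.
$friendlyName = 'AP-01'                   # friendly name (step 4)
$nasAddress   = 'ap-01.corp.example.com'  # hypothetical FQDN (step 5)
$secretLength = 48                        # assumption: check the maximum your NAS accepts

# Hypothetical helper: builds the shared secret from a cryptographic RNG (step 7).
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    # 64-character alphabet: 256 is a multiple of 64, so byte % 64 has no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Step 5: stop early if the name does not resolve ("no such host is known").
try {
    [System.Net.Dns]::GetHostAddresses($nasAddress) | Out-Null
} catch {
    throw "Cannot resolve '$nasAddress'. Fix DNS or use the NAS IP address."
}

# Do not create a second entry for a NAS that is already registered.
$existing = Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $friendlyName -or $_.Address -eq $nasAddress }
if ($existing) {
    throw "A RADIUS client named '$friendlyName' or at '$nasAddress' already exists."
}

$secret = New-RadiusSharedSecret -Length $secretLength

# Steps 3-8: the client is enabled unless -Disabled is passed; the vendor is
# left at the cmdlet default; Message Authenticator is required (step 8).
New-NpsRadiusClient -Name $friendlyName -Address $nasAddress `
    -SharedSecret $secret -AuthAttributeRequired $true | Out-Null

# Step 10: confirm the entry, then show the secret once for entry on the NAS.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $friendlyName } |
    Select-Object Name, Address, AuthAttributeRequired
Write-Output "Shared secret to configure on the NAS: $secret"
```

Give each NAS its own shared secret, and keep the final line's output out of transcripts and shared consoles.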