Configure an 802.1X-Capable Switch as an NPS RADIUS Client

Updated: November 19, 2008

Applies To: Windows Server 2008, Windows Vista

Use this procedure to configure an 802.1X-capable switch as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS Microsoft Management Console (MMC) snap-in.


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a 802.1X-capable switch as a RADIUS client in NPS

  1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS Microsoft Management Console (MMC) snap-in opens.

  2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.

  3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.

  4. In New RADIUS Client, in Friendly name, type a display name for the NAS.

    For example, if you want to add a switch named switch-01, type switch-01.

  5. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) of the 802.1X-capable switch.

    If you enter the FQDN, to verify that the name is correct and maps to a valid IP address, click Verify, and then in Verify Client, in Client, click Resolve. If the FQDN name maps to a valid IP address, the IP address of that switch automatically appears in IP Address. If the FQDN does not resolve to an IP address you will receive a message indicating that no such host is known.

  6. In New RADIUS Client, in Vendor, specify the switch manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.

  7. In New RADIUS Client, in Shared secret, do one of the following:

    • To manually configure a RADIUS shared secret, ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the switch. Retype the shared secret in Confirm shared secret.

    • To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server.

  8. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.

  9. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.

  10. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.