Configure RADIUS Clients for NAP
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
RADIUS clients are network access servers or devices. If you specify a RADIUS client in Network Policy Server (NPS), then the corresponding RADIUS server configuration is required on the RADIUS client device. For example, remote Health Registration Authority (HRA) servers are configured as RADIUS clients on NPS. In a NAP infrastructure, RADIUS clients that are running Windows Server® 2008 or Windows Server 2008 R2 operating system must also be configured as NAP-capable.
If the NAP enforcement point is located on the same server as the NAP health policy server, then you do not need to configure RADIUS clients unless you are using the VPN enforcement method. For more information about the types of RADIUS clients used with each NAP enforcement method, see General Policy Design Considerations.
RADIUS clients and remote RADIUS server groups can also be used for NPS load balancing and redundancy. The following procedure is used to configure RADIUS clients that are also NAP enforcement points. For more information, see Planning Redundancy for a NAP Health Policy Server and Capacity Planning for NAP Health Policy Servers.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Configure RADIUS clients for NAP
If the NAP enforcement point is located on a server different from the NAP health policy server, the enforcement point must be added to the list of RADIUS clients on the NAP health policy server.
To configure RADIUS clients
On the NAP health policy server, click Start, click Run, type nps.msc, and then press ENTER.
In the Network Policy Server console tree, open RADIUS Clients and Server\RADIUS Clients.
Right-click RADIUS Clients, and the click New RADIUS Client.
In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
In New RADIUS Client, in Friendly name, type a display name for the RADIUS client. In Address (IP or DNS), type the RADIUS client IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify to verify that the name is correct and maps to a valid IP address.
In New RADIUS Client, in Vendor, specify the manufacturer name. If you are not sure of the manufacturer name, select RADIUS standard.
In New RADIUS Client, in Shared secret, do one of the following:
Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the RADIUS client. Retype the shared secret in Confirm shared secret.
Select Generate, and then click Generate to generate a shared secret. Save the shared secret for configuration on the RADIUS client so that it can communicate with the NAP health policy server.
If the RADIUS client is running Windows Server 2008, in New RADIUS Client, in Additional Options, select RADIUS client is NAP-capable. Do not enable this setting if you are using NAP with 802.1X enforcement.
Verify that the new RADIUS client appears in the list of RADIUS clients.