Configure Remote RADIUS Server Groups for NAP
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Remote RADIUS server groups are used with NAP to forward client connection requests from NAP enforcement servers to one or more NAP health policy servers. For example, a remote Health Registration Authority (HRA) server is configured with a remote RADIUS server group containing the list of NAP health policy servers used to validate the health of NAP client computers. If the NAP enforcement point is located on the same server as the NAP health policy server, then you do not need to configure remote RADIUS server groups.
RADIUS server groups can also be used for Network Policy Server (NPS) load balancing and redundancy. The following procedure is used to configure remote RADIUS server groups on RADIUS clients that are also NAP enforcement points. For more information, see Planning Redundancy for a NAP Health Policy Server and Capacity Planning for NAP Health Policy Servers.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Configure remote RADIUS server groups for NAP
If the NAP health policy server is located on a server different from the NAP enforcement server, the health policy server must be added to remote RADIUS server groups on the NAP enforcement server, and you must configure connection request policy to forward connection requests to the remote RADIUS server group.
To configure remote RADIUS server groups
On the NAP enforcement server, click Start, click Run, type nps.msc, and then press ENTER.
In the Network Policy Server console tree, open RADIUS Clients and Server\Remote RADIUS Server Groups.
Right-click Remote RADIUS Server Groups, and then click New.
In the New Remote RADIUS Server Group dialog box, under Group name, type a friendly name for the new RADIUS server group (for example, NAP health policy servers), and then click Add.
In the Add RADIUS Server dialog box, under Server, type the NAP health policy server IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify to verify that the name is correct and maps to a valid IP address.
Click the Authentication/Accounting tab, and in Shared secret, type the strong password that is also entered on the RADIUS client. Retype the shared secret in Confirm shared secret.
If different authentication and accounting port numbers are used, enter these in Authentication port and Accounting port, and then click OK.
If multiple NAP health policy servers are used, click the Load Balancing tab to configure priority and weight to be different from the default values. By default, each RADIUS server in the list is configured with equal weight and priority values.
To add more NAP health policy servers to the remote RADIUS server group, click Add, and repeat steps 5-8. When you have added all NAP health policy servers to the list, click OK.
Leave the NPS console open for the following procedure.
To forward connection requests to the remote RADIUS server group
In the Network Policy Server console tree, open Policies\Connection Request Policies.
In the console tree, click Connection Request Policies, and then in the details pane, under Policy Name, double-click the name of the connection request policy used to authenticate NAP client computers (for example, NAP IPsec with HRA).
In the connection request properties window, click the Settings tab.
Under Forwarding Connection Request, click Authentication, and then in the details pane, choose Forward requests to the following remote RADIUS server group for authentication.
Using the drop-down list, select the name of the remote RADIUS server group configured in the preceding procedure, and then click OK.
Close the NPS console.