Configure a Wired Access Point as an NPS RADIUS Client [Preliminary
Applies To: Windows Server 2008, Windows Server 2008 R2
Follow these steps to configure an 802.1X-capable Ethernet switch, also known as a network access server (NAS), as a Remote Authentication Dial-In User Service (RADIUS) client by using the Network Policy Server (NPS) snap-in.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
To add a NAS as a RADIUS client in NPS
On the server running NPS, click Start, click Administrative Tools, and then click Network Policy Server. The NPS snap-in opens.
In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
In New RADIUS Client, in Friendly name, type a display name for the NAS.
For example, if you want to add an 802.1X-capable switch named “Switch-01,” type Switch-01.
In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) for the NAS.
If you enter the FQDN, to verify that the name is correct and maps to a valid IP address, click Verify, and then, in Verify Client, in Client, click Resolve. If the FQDN name maps to a valid IP address, the IP address of that NAS automatically appears in IP Address. If the FQDN does not resolve to an IP address, you receive a message stating that no such host is known.
In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
In New RADIUS Client, in Shared secret, do one of the following:
To manually configure a RADIUS shared secret, ensure that Manual is selected, and then, in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server.
In New RADIUS Client, in Additional Options, if you are using any authentication methods other than Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP), and your NAS supports use of the Message-Authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.
Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.