Deploy an NPS Server for RADIUS Authentication

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

For a site-to-site only connection, use Windows authentication instead of Network Policy Server (NPS). However, if you use the same router for both a site-to-site connection and a remote access connection that supports mobile or home users, you might want to use RADIUS authentication instead. If you plan to use RADIUS authentication and Windows Server 2008 NPS, you must have an NPS server available in your network. Deploying an NPS server is the same for both dial-up and VPN site-to-site connections.

To enable RADIUS authentication

  1. Install an NPS server. To ensure that RADIUS authentication and accounting services remain available, configure both a primary NPS server and one or more backup (secondary) NPS servers to provide redundancy and fault tolerance.

  2. Register the NPS servers in the appropriate Active Directory domain.

  3. Configure the primary NPS server with RADIUS clients corresponding to your answering routers.

  4. Configure each answering router to use your primary and secondary NPS servers as its RADIUS servers.

  5. After you enable the Routing and Remote Access service, configure remote access network policies on the primary NPS server that reflect your dial-up or VPN connection requirements. For more information, see Configure the Routing and Remote Access Service and Demand-Dial Interfaces and Configure a Network Policy.

  6. Configure logging methods for user authentication and accounting requests.

  7. Copy the NPS configuration (including the remote access network policies) from the primary NPS server to the secondary NPS server.
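The following script is an added example, not part of the original procedure. It shows one way to carry out steps 1, 2, 3, and 7 from the command line on Windows Server 2008 R2; steps 4, 5, and 6 are still configured separately. The domain name, router names, addresses, and file paths are placeholders, and the script assumes the router addresses are fixed.

```powershell
# Added example. Run elevated as a domain administrator.
# Usage: .\Deploy-Nps.ps1 -Role Primary     (on the primary NPS server)
#        .\Deploy-Nps.ps1 -Role Secondary   (on each backup NPS server)
param([ValidateSet('Primary','Secondary')][string]$Role = 'Primary')

$Domain     = 'corp.example.com'               # placeholder AD domain
$ExportDir  = 'C:\NpsExport'                   # placeholder path
$ExportFile = Join-Path $ExportDir 'nps-config.xml'
$Routers    = @{                               # placeholder answering routers
    'router-branch1' = '192.0.2.10'
    'router-branch2' = '192.0.2.11'
}

# Step 1: install the NPS role service (Windows Server 2008 R2).
Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server | Out-Null

# Step 2: register this NPS server in the Active Directory domain.
netsh nps add registeredserver "domain=$Domain" "server=$env:COMPUTERNAME"

# The export file holds RADIUS shared secrets in clear text, so restrict
# its folder to administrators before anything is written to it.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
icacls $ExportDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

if ($Role -eq 'Primary') {
    # Step 3: add each answering router as a RADIUS client with its own
    # random shared secret (32 random bytes, hex encoded).
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    foreach ($name in $Routers.Keys) {
        $bytes = New-Object byte[] 32
        $rng.GetBytes($bytes)
        $secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })
        netsh nps add client "name=$name" "address=$($Routers[$name])" `
            state=ENABLE "sharedsecret=$secret"
        # The same secret must be entered on the router in step 4.
        Write-Host "$name shared secret: $secret"
    }
    # Step 7 (first half): export the configuration, including RADIUS
    # clients and network policies, for transfer to the secondary server.
    netsh nps export "filename=$ExportFile" exportPSK=YES
}
else {
    # Step 7 (second half): import the file copied from the primary
    # server, then delete it so the secrets do not remain on disk.
    netsh nps import "filename=$ExportFile"
    Remove-Item $ExportFile
}
```

Run the export again after steps 5 and 6 are complete so that the secondary server also receives the network policies and logging settings, and delete the export file from the primary server once it has been transferred.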

For more information about installing an NPS server and using it for RADIUS authentication, see Network Policy Server.