Configure a Wireless AP as an NPS RADIUS Client

Updated: October 4, 2010

Applies To: Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP

Use this procedure to configure a wireless access point (AP), also known as a network access server (NAS), as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS snap-in. Unless your NPS servers are running Windows Server 2008 R2 Enterprise Edition or Datacenter Edition, you must repeat this procedure for every wireless AP that you deploy on your network.


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network access server as a RADIUS client in NPS

  1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS snap-in opens.

  2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New.

  3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.

  4. In New RADIUS Client, in Friendly name, type a display name for the wireless access point.


In NPS a wireless access point is one type of device that falls within a group called network access server (NAS).

For example, if you want to add a wireless access point (AP) named AP-01, type **AP-01**.
  1. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) for the NAS.

    If you enter the FQDN, to verify that the name is correct and maps to a valid IP address, click Verify, and then in Verify Client, in Client, click Resolve. If the FQDN name maps to a valid IP address, the IP address of that NAS will automatically appear in IP Address. If the FQDN does not resolve to an IP address you will receive a message indicating that no such host is known. If this occurs, verify that you have the correct AP name and that the AP is powered on and connected to the network.

  2. In New RADIUS Client, in Shared secret, do one of the following:

    • To manually configure a RADIUS shared secret, select Manual, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.

    • To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server.


The RADIUS shared secret that you enter for your virtual AP’s in NPS must exactly match the RADIUS shared secret that is configured on your actual wireless AP’s. If you use the NPS option to generate a RADIUS shared secret, then you must configure the matching actual wireless AP with the RADIUS shared secret that was generated by NPS.

  1. In New RADIUS Client, on the Advanced tab, in Vendor name, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.

  2. In Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports the use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.

  3. If you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable.

  4. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.