Add a New RADIUS Client
Applies To: Windows Server 2008
When you configure a network access server (NAS) as a RADIUS client in the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in, the RADIUS client forwards connection requests from access clients to the NPS server for authentication, authorization, and accounting.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
In addition to configuring a new RADIUS client, you must also configure the network access server so that it can communicate with NPS. For more information, see your NAS documentation.
Use one of the following procedures to add a network access server as a RADIUS client in the NPS MMC snap-in:
In Windows Server® 2008 R2 and Windows Server® 2008, you must run the New RADIUS Client Wizard.
In Windows Server® 2012, you can run the New RADIUS Client Wizard, or you can use Windows PowerShell®.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see How to Run a Windows PowerShell Cmdlet.
To add a new RADIUS client by using the New RADIUS Client Wizard
At an elevated command prompt, type nps.msc and then press ENTER. The NPS console will open.
In the NPS console tree, double-click RADIUS Clients and Servers.
Right-click RADIUS Clients, and then click New RADIUS Client.
Follow the steps in the New RADIUS Client Wizard.
While following the steps in the New RADIUS Client Wizard:
If your access server supports use of the Message Authenticator attribute (also known as the signature attribute), in the New RADIUS Client Wizard, click Request must contain the Message Authenticator attribute. If the access server does not support the Message Authenticator attribute, do not select this option. Enabling the use of the Message Authenticator attribute provides additional security when PAP, CHAP, MS-CHAP, and MS-CHAP v2 are configured in network policies as authentication methods. EAP uses the Message Authenticator attribute by default and does not require that you enable it.
If you use NAS-specific network policies (for example, a network policy that contains vendor-specific attributes), click Client-Vendor, and then select the name of the NAS manufacturer. If you do not know the name of the NAS manufacturer or it is not in the list, select RADIUS Standard.
If NPS receives an access request from a RADIUS proxy, it cannot detect the manufacturer of the NAS that originated the request. This can cause problems if you plan to use network policy conditions that are based on the client vendor and if you have at least one RADIUS client that is a RADIUS proxy. In this case, connection requests that are forwarded to NPS from the RADIUS proxy might not match any of the network policies, causing all connection requests to be denied. For this reason, when you use RADIUS proxies, you must configure at least one network policy that is not based on NAS-specific attributes, such as the vendor-specific attribute.
To add a new RADIUS client by using Windows PowerShell
Beginning with Windows Server 2012, you can add a new RADIUS client using Windows PowerShell.
The command syntax for adding a RADIUS client is as follows. Optional parameters appear within brackets.
New-NpsRadiusClient –Name <String> -Address <String> [-Vendor <String>] [-Disabled] [-SharedSecret <String>] [-AuthAttributeRequired] [-NapCompatible]
The following table lists parameters for the New-NpsRadiusClient cmdlet in Windows PowerShell. Parameters in bold are required.
Specifies the Fully Qualified Domain Name (FQDN) or IP address of the RADIUS client.
Specifies whether verification for Access-Request messages is enabled or disabled. The default is disabled.
By default a new RADIUS client is enabled. To disable the client, specify this flag.
Specifies the friendly name of the RADIUS client. Note: this name must be unique.
Specifies whether the RADIUS client is compatible with Network Access Protection (NAP). The default is $False, which means that the RADIUS client is not compatible with Network Access Protection (NAP).
Specifies the shared secret that is also configured at the RADIUS client. The shared secret is used to validate messages between the RADIUS client and NPS.
Specifies the RADIUS client vendor name. The default is RADIUS for "RADIUS Standard".
The allowed values are (PowerShell Value > Vendor):
RADIUS > Radius Standard
3Com > 3Com
ACC > ACC
ADC > ADC Kentrox
Ascend > Ascend Communications Inc.
BBN > BBN
BinTec < BinTec Communications GmbH
Cabletron > Cabletron Systems
Cisco > Cisco
Digi > Digi International
EICON > EICON
Gandalf > Gandalf
Intel > Intel Corporation
Livingston >Livingston Enterprises Inc.
Proteon > Proteon
Shiva > Shiva Corporation
Telebit > Telebit
US_Robotics > U.S. Robotics, Inc.
Xylogics > Xylogics, Inc.
Microsoft > Microsoft
RedBack > RedBack Networks
Nortel > Nortel Networks
Windows PowerShell switches accept $TRUE or $FALSE arguments. For example, the New-NpsRadiusClient cmdlet adds a RADIUS client that is not compatible with NAP by default, the way to make the new client compatible with NAP is to use:
In the following example, a NAP-compatible wireless access point is added as a RADIUS client to the NPS configuration. This RADIUS client has the name WirelessAP, the IP address 10.0.0.200, an enabled state, and a shared secret of 9vq7822hFsJ8rm.
New-NpsRadiusClient -Name WirelessAP -Address 10.0.0.200 sharedsecret 9vq7822hFsJ8rm NapCompatible:$true
Verify via the Windows PowerShell console that the RADIUS client was added successfully. Under Success, the result should be True.