windows radius server

How to Configure Radius Server on Windows Server 2016


RADIUS (Remote Authentication in Dial-In User Service) is a network protocol for the implementation of authentication, authorization and collection of information about the resources used, designed to transfer information between the central platform and equipment.

In this article we’ll show you how to configure the centralized RADIUS server based on Windows Server 2016 OS, and how to configure RADIUS authentication on Cisco devices using the Network Policy Server service.

Radius Server Configuration on Windows Server 2016

At first, create a new security group in the Active Directory domain (for example, RemoteCiscoUsers) in which you will need to add all users (How to Add User to Active Directory Group) that will be allowed to authenticate on Cisco routers and switches.

radius server

Next you need to install RADIUS server role on your Windows Server 2016. Open the Server Manager console and run the Add Roles and features wizard. The Remote Authentication Dial In User Service (RADIUS) protocol in Windows Server 2016 is included in the Network Policy Server role. In the wizard that appears, select the Network Policy and Access Services role in the role selection step.

After the role installation is complete, open the Network Policy Server (nps.msc) in the Tools menu.

radius server windows

To use the NPS server in the domain, you must register it in the Active Directory. In the NPS, right-click on a root and select Register server in Active Directory.

radius server configuration

Confirm the registration of the server in Active Directory.

radius server authentication

In this case, the server will be given the authority to read the properties of user accounts related to the remote access. The server will be added to the built-in domain group RAS and IAS Servers.

radius server authentication windows

Now you can add the Radius client. To do this, in the NPS console tree, expand the RADIUS Clients and Servers section and select New on the RADIUS Clients item.

radius windows

On the Settings tab, fill the fields Friendly name, client Address (you can specify IP address or DNS name) and Shared Secret + Confirm shared password (you will use this password in the configuration of the Cisco switch/router).

radius server configuration windows

In the Advanced tab, select Vendor name – Cisco.

radius server client

Now you need to create access policies on the RADIUS server. Using the access policy, you will link the Radius client to the domain user group.

Expand the Policies > Network Policies branch and select New:

radius server nps

Specify the Policy name, type of network access server should remain unchanged (Unspecified).

radius server authentication on windows

In next step Specify conditions, you need to add the conditions under which this RADIUS policy will be applied. Let’s add two conditions – that the user who passes authorization belongs to a certain domain security group, and the device to which access is made had a certain name. Using the Add button, first add the condition by selecting the Windows Group type (add the RemoteCiscoUsers group) and specify the Client Friendly Name (Cisco_*).

radius accounting

On the next screen select Access Granted.

radius server permissions

Because our Cisco switch supports only the Unencrypted authentication (PAP, SPAP) authentication method, uncheck all other options.

radius server authentication methods

Skip the next configuration Constraints step.

In the Configure Settings section, go to the RADIUS Attributes > Standard section. Delete the existing attributes there and click the Add button.

Select Access type > All, then Service-Type > Add. Specify Others = Login.

radius server attribute

Now add a new attribute in the RADIUS Attributes > Vendor Specific section. Under Vendor, select Cisco and click Add. Here you need to add information about the attribute. Click Add and specify the following attribute value:

shell: priv-lvl = 15

radius server settings

The last screen displays all selected NPS policy settings. Click Finish.

radius server authentication settings

When creating and planning policies, pay attention to what matters their order. Policies are processed from the top to down, and when it turns out that all the conditions in the next policy are met, their further processing is terminated.

After creating the policy, you can proceed to configure Cisco routers or switches for authentication on the Radius NPS server.

AAA works in such a way that if the response from the server is not received, the client assumes unsuccessful authentication. Be sure to create a local user in case the RADIUS server is unavailable for any reason.

Below is an example of the configuration for authorizing a Radius server for the Cisco Catalyst Switch:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius if-authenticated

radius-server host 192.168.1.16 key Sfs34e#sf

service password-encryption

This completes the minimum switch configuration and you can try to check Radius authentication on your Cisco device.

You may also like:

Using IIS Manager for Remote Administration Managing multiple IIS servers over RDP can be quite inconvenient, especially if you need to administer dozens of such servers. It is much more conveni...
Deploy Windows 10 with MDT 2013 and WDS In this article we will show you how to install and configure WDS role, MDT 2013 and Windows ADK on Windows Server 2012 R2 and use it to network PXE (...
Windows Server 2008 Print Job Stuck in Queue This tutorial will show you how to manually clear out a job stuck in the print queue in Windows Server 2008. The first thing to try is obviously resta...
How to Migrate Print and Document Services from Wi... This time we will take a closer look on how to migrate print server with the Print and Document Services role installed from Windows Server 2012 R2 to...
How to Install and Configure IIS Web Server with P... This guide will show you how to deploy your own IIS Web server, and enable it to run PHP on Windows 8 / Windows Server 2012. Thereafter this platform ...

Add Your Comment