How to Configure Radius Server on Windows Server 2016?

RADIUS (Remote Authentication in Dial-In User Service) is a network protocol for the implementation of authentication, authorization and collection of information about the resources used, designed to transfer information between the central platform and network clients/devices. Your remote access (RADUIS) server can communicate with a central server/service (for example, Active Directory) to authenticate remote dial-in clients and authorize them to use some network services or resources. Thanks to this, you can use a single centralized authentication system in your domain.

In this article we’ll show you how to configure the centralized RADIUS server based on Windows Server 2016 OS, and how to configure RADIUS authentication on Cisco devices using the Network Policy Server service. In this example, the RADIUS will use AD to authenticate remote users and authorize them to access network equipment (Radius client) command line interface.

Installing Radius Server (NPS) Role on Windows Server 2016

At first, create a new security group in the Active Directory domain (for example, RemoteCiscoUsers) in which you will need to add all users (How to Add User to Active Directory Group) that will be allowed to authenticate on Cisco routers and switches.

radius server windows

Starting with Windows Server 2008 R2, the RADUIS server functionality is implemented with the Network Policy Services (NPS) role. With the NPS role, you can authenticate remote clients against Active Directory using the Radius protocol.

So, you need to install the RADIUS server role on your Windows Server 2016. Open the Server Manager console and run the Add Roles and features wizard. The Remote Authentication Dial In User Service (RADIUS) protocol in Windows Server 2016 is a part of the Network Policy Server role. In the wizard that appears, select the Network Policy and Access Services role in the role selection step.

Note. Also, you can install NPS role and management tools from elevated PowerShell console:

Install-WindowsFeature NPAS -IncludeManagementTools

After the role installation is complete, open the Network Policy Server (nps.msc) in the Tools menu.

windows radius server

To use the NPS server in the domain, you must register it in the Active Directory. In the NPS snap-in, right-click on a root and select Register server in Active Directory.

radius server windows 2016

Confirm the registration of the server in Active Directory.

configure radius server 2016

In this case, the server will be given the authority to read the properties of user accounts related to the remote access. The server will be added to the built-in domain group RAS and IAS Servers.

how to configure radius server in windows 2016 server step by step

Now you can add the Radius client. Radius client, this is the device from which your server will receive authentication requests. In this example, it could be a Cisco router, switch, Wi-Fi access point, etc.

To add the new Radius client, expand the RADIUS Clients and Servers section in the NPS console tree and select New on the RADIUS Clients item.

windows server radius

On the Settings tab, fill the fields Friendly name, client Address (you can specify IP address or DNS name) and Shared Secret + Confirm shared password (you will use this password in the configuration of the Cisco switch/router).

Note. Shared secret password is rarely used in huge corporate networks due to problems with the distribution of the shared keys. Instead of shared passwords, it is recommended to use certificates. If you have a corporate Certification Authority deployed to implement PKI infrastructure, you can request and import a *.p12 certificate for the Radius/NPS server. Just add the certificate to the personal certification store on the Local Machine

install radius server 2016

In the Advanced tab, select Vendor name – Cisco.

setup radius server 2016

Configuring NPS Policies on the RADUIS Server

NPS policies allow you to authenticate remote users and grant them configured in the NPS role access permissions. Using NPS access policies, you can make link to the RADUIS client records and the domain security group that determine the level of access to CISCO devices.

There are two types of policies on a RADIUS server:

  • Connection request policies – these policies define a set of conditions that determine which RADIUS servers should authenticate and authorize connection requests received from RADIUS clients;
  • Network policies – a set of conditions and settings that allow you to specify who is authorized to connect to your network and a list of assigned access permissions. These policies are processed sequentially from the top down;

In our case, we will use only the NPS Network policies. Expand the Policies > Network Policies branch and select New:

radius windows server 2016

Specify the Policy name, type of network access server should remain unchanged (Unspecified).

radius server configuration step by step

In next step Specify conditions, you need to add the conditions under which this RADIUS policy will be applied. Let’s add two conditions – that the user who passes authorization belongs to a certain domain security group, and the device you want to access had a certain name. Use the Add to create new condition by selecting the Windows Group type (add the RemoteCiscoUsers group) and specify the Client Friendly Name (Cisco_*).

Note. The Client Friendly Name field may differ from the DNS name of your device. We will need it in the future to identify a specific network device when creating access policies – Remote Access Policy. Using this name, you can specify, for example, a mask by which several different RADIUS clients will be processed by the access policies.

setup radius server

On the next screen select Access Granted.

how to setup a radius server

Because our Cisco switch supports only the Unencrypted authentication method (PAP, SPAP), uncheck all other options.

radius server configuration

Skip the next configuration Constraints step.

In the Configure Settings section, go to the RADIUS Attributes > Standard section. Delete the existing attributes there and click the Add button.

Select Access type > All, then Service-Type > Add. Specify Others = Login.

windows server 2016 radius

Now add a new attribute in the RADIUS Attributes > Vendor Specific section. Under Vendor, select Cisco and click Add. Here you need to add information about the attribute. Click Add and specify the following attribute value:

shell: priv-lvl = 15

This value means that the user authorized by this policy will be granted a maximum (15) administrative access permission on the Cisco device.

windows server 2016 radius setup

The last screen displays all selected NPS policy settings. Click Finish.

windows radius

When creating and planning RADUIS policies, pay attention to what matters their order. Policies are processed from the top to down, and when it turns out that all the conditions in the next policy are met, their further processing is terminated.

Configuring RADUIS Setting on Cisco Devices

After creating the policy, you can proceed to configure your Cisco routers or switches for authentication on the newly installed Radius NPS server.

Because we use domain accounts for authorization, it is necessary that the user credentials are transmitted over the network in an encrypted form. To do this, disable the telnet protocol on the switch and enable SSHv2 using the following commands in configuration mode:

configure terminal 

crypto key generate rsa modulus 1024 

ip ssh version 2

AAA works in such a way that if the response from the server is not received, the client assumes unsuccessful authentication. Be sure to create a local user in case the RADIUS server is unavailable for any reason.

You can create a local user with the following command:

username cisco_local password $UPerrP@ssw0rd

In order to make the use of SSH mandatory and disable remote access using Telnet, execute the following commands:

line vty 5 15

transport input ssh

Below is an example of the configuration for authorizing a Radius server for the Cisco Catalyst Switch:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius if-authenticated

radius-server host key Sfs34e#sf

#Specify your RADIUS server IP address and key for encryption (the shared secret that we specified on the RADUIS server)

service password-encryption

# Enable password encryption

If you have several Radius servers, add them to the group:

aaa group server radius radius_srv_group



This completes the minimum switch configuration and you can try to check Radius authentication on your Cisco device.

Cyril Kardashevsky

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.