A Complete Guide to Configuring Microsoft RADIUS Server

Learn how to configure the Microsoft RADIUS server by adding NPS roles, RADIUS clients, and authentication policies.
Key Points
  • RADIUS is the centralized server that authenticates and authorizes users' access to the network by validating their identity.
  • Configuring the Windows RADIUS server involves installing the NPS role, registering the server in Active Directory, and creating network policies.
  • Microsoft Windows NPS only works with Active Directory, which is notoriously challenging to manage.
  • SecureW2 JoinNow Cloud RADIUS reduces management complexity and is compatible with Entra ID and almost all other major cloud identity providers.

Need a solution for your network authentication, authorization, and accounting (AAA) requirements? RADIUS has been around for decades and is used by thousands of organizations.

Without a RADIUS server, authentication would have to occur at the access point (this would require some pretty powerful APs), such as with pre-shared key (PSK) authentication. PSK authentication only requires a single password to be remembered, so it is simple to implement.

But is PSK secure enough? An attacker can easily read a device’s wireless settings and view the pre-shared key in plain text. PSK networks are also vulnerable to various attacks. In fact, 74% of data breaches start with privileged credential abuse.

A RADIUS network eliminates the risk of leaking your organization’s private information to snooping outsiders by enabling individual users to authenticate with unique credentials.

If you’re using Windows Server 2016, 2019, 2022, or 2025, you can install the built-in Network Policy Server (NPS) role to provide RADIUS functionality.

NPS as a RADIUS Server for Windows

In Windows, RADIUS servers are implemented through Network Policy Server. NPS lets you create access policies for connection requests and configure Network Access Servers (NAS) to forward connection requests to remote RADIUS servers, which helps load-balance the connection requests.

NPS performs AAA services for the connection requests from:

  • Wireless network
  • Virtual private network (VPN) remote access
  • 802.1X switches
  • Dial-up
  • Router-to-router connections

NPS is designed for on-premises infrastructure, so it may not be a suitable choice for organizations looking for cloud solutions. Also, it doesn’t blend well in a non-Windows environment. With the rise in cloud computing, compatibility with the cloud is a must for any technology seeking longevity in this industry.

Pre-requisites for Configuring a Microsoft RADIUS Server

Before you configure RADIUS, check for the following requirements:

How to Set Up a Microsoft RADIUS Server for Windows

Step 1 – Create a New Group on AD

To control which users are permitted to access your network, create a group in the Active Directory domain and add all of the users that will authenticate through your new RADIUS server.

1. Click on “Active Directory Users and Computers” under Tools in Server Manager:

2. To create a new group, right-click on “Users”, then choose “New” and select “Group”:

3. Name the AD group under “Group name”:

4. Right-click on the user (here user1) you want to authenticate through the new group (here VpnAuthorisedUsers):

5. Now select the newly created group (VpnAuthorisedUsers):

Step 2 – Add Network Policy and Access Services Role

1. Add Roles and Features in the Server Manager console:

2. Select the type to install roles and features:

3. Select the server where you want the role to be installed:

4. Now add Network Policy and Access Services:

5. Then add the features you need in the wizard.

6. Add role services, select “Network Policy Server”:

7. Confirm and finish the installation:

Step 3 – Configure RADIUS using NPS

Follow the instructions below to configure RADIUS.

1. Select “Network Policy Server” for the server on which you installed the role (the server is added under NAP).

2. Register the NPS server in Active Directory:

3. Create a new RADIUS client under the option “RADIUS Clients and Servers”.

4. Give a name and IP address for the device that will forward authentication requests to the RADIUS server, and set a password (shared secret) for the network:

5. RADIUS is now configured.
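The same three steps can be scripted. The PowerShell below is an added example, not part of the original article: it reuses the article's group and user names, while the RADIUS client name and IP address are placeholders, and it generates a random shared secret rather than a typed password.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of Steps 1-3, run on the server that will host NPS.
$GroupName  = 'VpnAuthorisedUsers'  # group name used in the article
$UserName   = 'user1'               # sample user used in the article
$ClientName = 'example-nas'         # hypothetical RADIUS client name (assumption)
$ClientIp   = '192.0.2.10'          # placeholder address (assumption)

# Prerequisite: the ActiveDirectory module (already present on a domain controller).
Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

# Step 1: create the security group if it is missing, then add the user once.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$members = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName)
if ($members -notcontains $UserName) {
    Add-ADGroupMember -Identity $GroupName -Members $UserName
}

# Step 2: install the Network Policy and Access Services role with its console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# Step 3: register this server in Active Directory so NPS can read dial-in properties.
netsh nps add registeredserver | Out-Null

# Step 3: add the RADIUS client with a random 64-character hex shared secret
# instead of a human-chosen password.
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $ClientName)) {
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    New-NpsRadiusClient -Name $ClientName -Address $ClientIp -SharedSecret $secret | Out-Null
    # Shown once so it can be entered on the device; keep it out of logs and tickets.
    Write-Host "Shared secret for ${ClientName}: $secret"
}
```

The group from Step 1 only affects access decisions once a network policy references it as a condition.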

Microsoft RADIUS Security Concerns

Shared secrets are a weak form of authentication security. The server generates a key pair and copies it to every client machine. When connecting to the server, the client checks that the public key presented matches the one it has cached for that server.

An attacker can easily harvest the server’s private key and can act as an authenticated server. The client believes it is talking to an authentic server, and there is nothing that can be done to prevent this because pre-shared secrets have no revocation mechanism.
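Because a shared secret cannot be revoked, the practical control on NPS is to keep each one long and unique per RADIUS client. The check below is an added example, not from the original article; the 22-character minimum and the sample client names and secrets are assumptions constructed for illustration.

```powershell
# Added example: flag short or reused RADIUS shared secrets without printing them.
function Test-RadiusClientSecret {
    param(
        [Parameter(Mandatory)] [object[]] $Client,  # objects with Name and SharedSecret
        [int] $MinLength = 22                        # assumed policy threshold
    )
    # Names of all clients whose secret is also configured on another client.
    $reused = @($Client | Group-Object SharedSecret |
        Where-Object Count -gt 1 |
        ForEach-Object { $_.Group.Name })

    foreach ($c in $Client) {
        [pscustomobject]@{
            Name     = $c.Name
            Length   = ([string]$c.SharedSecret).Length
            TooShort = ([string]$c.SharedSecret).Length -lt $MinLength
            Reused   = $reused -contains $c.Name
        }
    }
}

# Constructed sample input so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'ap-floor1';  SharedSecret = 'Winter2024' }
    [pscustomobject]@{ Name = 'ap-floor2';  SharedSecret = 'Winter2024' }
    [pscustomobject]@{ Name = 'vpn-gw';     SharedSecret = 'c41f9e0b7a6d2385e9b0447d1f3a6c58' }
)
Test-RadiusClientSecret -Client $sample | Format-Table -AutoSize

# On an NPS server, audit the live configuration instead
# (Get-NpsRadiusClient output includes the SharedSecret property):
# Test-RadiusClientSecret -Client (Get-NpsRadiusClient)
```

In the sample, both access points are flagged as too short and reused, and the VPN gateway passes both checks.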

Digital certificates provide the strongest level of security and are also straightforward to authorize within a RADIUS environment.

As part of the authentication process, the RADIUS server checks a certificate revocation list (CRL) to confirm that a certificate is still valid and has not been revoked or expired. If an administrator determines that a certificate has been compromised, it can be added to the CRL. Once this happens, clients will immediately fail authentication because the revocation check will no longer pass.

This revocation mechanism is a key security advantage of certificate-based authentication, as it allows compromised credentials to be quickly invalidated across the entire system.

SecureW2 allows you to easily generate a custom private certificate authority (CA) and export the .p12 to import into NPS. Alternatively, you can import your AD CS certificates and use SecureW2 to let end users self-enroll their devices for client certificates from your AD CS certificate authority.

Your Windows Server RADIUS is now ready to go! Users will need to be manually added and removed from the security group unless you use an onboarding solution like the one offered by SecureW2. Check out our world-class automatic enrollment suite: JoinNow MultiOS.

JoinNow Cloud RADIUS: A Great Replacement for Microsoft RADIUS Server

NPS may be a good option for the Windows environment, but there are major shortcomings you must consider before you decide.

NPS is an on-premises server. On-prem infrastructures have various vulnerabilities ranging from intruders to calamities. One of the most frequent and severe threats is a zero-day attack. Mandiant Threat Intelligence observed that roughly 80% of successful cybersecurity breaches stem from zero-day attacks.

Cloud RADIUS networks are typically much better protected and more resilient than their on-prem counterparts. End users and IT admins alike value the convenience and versatility of cloud computing services, which are quickly overtaking on-site servers.

There is no native ability to connect NPS with cloud directories. It doesn’t even work with Microsoft’s own cloud platform, Microsoft Entra ID (formerly Azure AD), without workarounds and proxy servers. This means that NPS may not be a suitable choice for organizations looking for cloud-based solutions.

JoinNow Cloud RADIUS is a turnkey solution that allows you to bridge the gap between on-prem and cloud without expensive forklift upgrades. SecureW2 RADIUS and JoinNow Dynamic PKI services integrate seamlessly with every major vendor. We’ve worked with countless organizations to migrate to an all-cloud environment using Azure with Cloud RADIUS.

Schedule a demo to see how Cloud RADIUS works with your existing vendors.


Frequently Asked Questions

Does Windows have a RADIUS server?

Yes. Windows Server includes a built-in RADIUS solution called Network Policy Server. NPS is Microsoft’s implementation of the RADIUS protocol and can provide centralized authentication, authorization, and accounting for wireless networks, VPNs, and wired 802.1X connections.

NPS is available on supported versions of Windows Server, including Windows Server 2016, 2019, 2022, and newer releases. Administrators can configure it as both a RADIUS server and a RADIUS proxy. However, NPS is an on-premises server, and many environments may be better served by a cloud-based RADIUS solution.

Is the RADIUS server still used?

Yes. RADIUS is still widely used for enterprise Wi-Fi, VPN authentication, and network access control. Organizations commonly use RADIUS with 802.1X authentication to verify users and devices before granting network access.

Although the protocol has existed for decades, it remains relevant because it centralizes authentication and integrates with technologies like Active Directory, certificates, and cloud identity providers (IdPs). Many organizations now use cloud-based RADIUS services to simplify management and support modern cloud environments.

How hard is it to set up a RADIUS server?

Setting up a basic RADIUS server is relatively straightforward, but creating a secure and scalable deployment can be more complex. A Microsoft NPS deployment typically requires installing the NPS role, registering the server in Active Directory, adding RADIUS clients, and configuring network policies.

The difficulty usually comes from configuring certificates, integrating with identity providers, troubleshooting authentication issues, and supporting devices across different operating systems. Many organizations also need to configure 802.1X policies, VLAN assignments, or certificate-based authentication for stronger security.

What is the difference between RADIUS and Active Directory?

RADIUS and Active Directory serve different purposes. Active Directory stores user identities, credentials, groups, and policies, while RADIUS handles the authentication requests coming from network devices such as wireless access points and VPN servers.

In many Microsoft environments, NPS uses Active Directory as the identity source for authentication decisions.

Does Microsoft RADIUS support cloud identity providers?

Microsoft NPS primarily integrates with on-premises Active Directory. Connecting it directly to cloud identity providers such as Microsoft Entra ID often requires additional infrastructure, workarounds, or third-party integrations.

Because of this, some organizations choose cloud RADIUS platforms that integrate more easily with cloud IdPs.