Wi-Fi authorization in Active Directory/RADIUS (Windows Server 2008 R2)

This article describes how to configure RADIUS authentication (WPA/WPA2 Enterprise) for Wi-Fi access points.

First step. Install “Network Policy and Access Services”.

In Server Manager use Add Role:


Check “Routing and Remote Access Services”


In the “Select Role Services” window, check “Network Policy Server”:


“Next-Next-Finish” will install the required component.

Second step. Configure Network Policy Server.

You can configure NPS from Server Manager or Administrative Tools (Network Policy Server Snap-In).

By default, NPS is configured to log “Rejected authentication requests” and “Successful authentication requests”. You can change these settings by right-clicking the “NPS (local)” node and choosing Properties. The logging options are on the General page. You can check or change the ports on the Ports page.


The log file path can be changed in the Accounting menu. The log can help resolve connection errors.


Now change the default “Use Windows authentication for all users” policy in “Connection Request Policies”, found under the “NPS (local) – Policies – Connection Request Policies” menu:


On the last page, “Settings”, check the “Authentication” and “Accounting” menus. In the “Authentication” menu, set “Authenticate requests on this server”. In “Accounting”, clear the “Forward accounting requests to this RADIUS server group” check box.


Add a network policy in the “NPS (local) – Policies – Network Policies” menu.


On the first page, “Specify Network Policy Name and Connection Type”, set the policy name:


On the second page, “Specify Conditions”, add the Windows group that you want to grant access to:


On the “Specify Access Permission” page, check “Access granted”.

On the “Configure Authentication Methods” page, use the “Add” menu to add the “Microsoft: Protected EAP (PEAP)” authentication method and uncheck all other authentication methods:


One more step on this page: select the “Microsoft: Protected EAP (PEAP)” authentication type and use the “Edit” button to select the certificate:


Click “Next” twice to reach the “Configure Settings” page. In the “Encryption” menu, uncheck all check boxes except “Strong encryption (MPPE 128-bit)”:


Finish creating the network policy.

Step three. Add a RADIUS client and register the NPS server in Active Directory.

Add the RADIUS client from the “NPS (local) – RADIUS Clients and Servers – RADIUS Clients” menu.


Fill in the values in the “New RADIUS Client” window: Friendly name, Address (IP or DNS) and Shared secret. On the Advanced tab, select RADIUS Standard:


Register the RADIUS server in Active Directory by right-clicking “NPS (local)” and choosing “Register server in Active Directory”:
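
A command-line counterpart to the “New RADIUS Client” step above, as an added example that is not part of the original article: it generates a random shared secret and prints the matching `netsh nps add client` command to run from an elevated prompt on the NPS server. The client name `AP-Office-1`, the address `192.0.2.10` and the 32-character length are assumptions; check the maximum secret length your access point accepts.

```powershell
# Added example, not from the original article. Values marked "constructed"
# are placeholders to replace with your own.

function New-RadiusSharedSecret {
    param([int]$Length = 32)

    # Letters and digits only, so the value survives netsh quoting and AP web forms.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()

    # Bytes at or above this limit are rejected to avoid modulo bias (248 for 62 symbols).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder

    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

$clientName    = 'AP-Office-1'   # constructed friendly name
$clientAddress = '192.0.2.10'    # constructed access point address
$secret        = New-RadiusSharedSecret -Length 32

# Command to run on the NPS server; it mirrors the fields of the
# "New RADIUS Client" window (friendly name, address, shared secret, vendor).
$command = 'netsh nps add client name = "{0}" address = "{1}" state = "enable" sharedsecret = "{2}" vendor = "RADIUS Standard"' -f $clientName, $clientAddress, $secret

Write-Output $command
# Lists the configured RADIUS clients so the new entry can be confirmed.
Write-Output 'netsh nps show client'
```

Use a separate secret for each access point, and enter the same value in the access point's RADIUS settings in step four.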


Step four. Configure Wi-Fi Access Point.

In the access point settings, set the authentication method to WPA/WPA2 Enterprise:


On the RADIUS settings page, add the RADIUS server IP address, port 1812 (the default) and the shared secret from the previous step:


Configuration is done. You can now connect to Wi-Fi using your Windows login and password.

