For network access and policy management capabilities, Microsoft’s RADIUS server and proxy tool is the Network Policy Server (NPS). NPS offers authentication, authorization, and accounting (AAA), enables the use of heterogeneous network equipment and ensures the health of network devices.
The RADIUS protocol, which provides the configuration and management of authentication for network clients, is central to NPS functionality. Current editions of NPS are installable via the Network Policy and Access Services (NPAS) feature in Windows Server 2016 and Server 2019.
This article looks at what RADIUS servers are, the purpose of Network Policy Servers, their role in networking, and best practices for managing NPS.
What Is the RADIUS Protocol?
RADIUS stands for Remote Authentication Dial-In User Service and was initially a client-server protocol for dial-up connections. While dial-up has lost its luster in enterprise use, RADIUS servers remain a convenient way to offload authentication from access points.
RADIUS servers can run on Windows or Unix servers and, most importantly, allow administrators to control who can connect to the network. Clients for the RADIUS server represent network access points; users make requests to RADIUS clients that pass along the request to the RADIUS server for authentication.
What Do RADIUS Servers Do?
RADIUS servers communicate with network access servers over network transport protocols such as User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
A client device makes a connection request to the network access server (NAS). The NAS works with the RADIUS server, relying on its AAA capabilities to authenticate the user and respond with permission for the proper configuration.
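The NAS-to-server exchange described above, as an added Python example that is not part of the original article or any Microsoft code: the NAS builds an Access-Request, the server answers with an Access-Accept, and the NAS accepts the reply only if its Response Authenticator matches the shared secret (packet layout per RFC 2865). The shared secret, user name and address are constructed sample values, and the sample request omits the credential attribute to keep the focus on reply verification.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 4, 18  # RFC 2865 attribute types

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(ident, attrs):
    """NAS side: Access-Request carrying a random 16-byte Request Authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body

def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def parse(packet):
    """Split a packet into (code, id, authenticator, attrs); reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def verify_response(response, request, secret):
    """NAS side: trust a reply only if its ID and Response Authenticator match the request."""
    _, ident, auth, _ = parse(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(auth, expected)

# Constructed sample exchange (all values are made up for illustration).
SECRET = b"constructed-shared-secret"
request = build_request(7, [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
reply = build_response(ACCESS_ACCEPT, request, [(REPLY_MESSAGE, b"welcome")], SECRET)
print("reply accepted by NAS:", verify_response(reply, request, SECRET))
```

A reply forged without the shared secret, altered in transit, or replayed against a different request fails `verify_response`, which is why the secret configured on each RADIUS client has to be strong and unique.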
What Is the Purpose of NPS?
Network Policy Server is the solution for Windows network administrators using RADIUS capabilities. Not only does NPS offer configurable policies for network access, but it also ensures non-Microsoft devices can connect once authenticated.
By placing users and client devices in groups or automating classification, administrators can control the types of clients and permissions available to network users. This control allows for continued management of access policies and also enables event logging for accounting purposes. NPS also scans requests to ensure client health and maintain network integrity.
The 3 Roles of NPS
As a RADIUS server, NPS performs AAA for wireless, switch, remote access dial-up, and VPN connections. Administrators configure network access servers (e.g., WAP and VPN servers) as RADIUS clients, and log event data on the local hard disk or a SQL Server database.
As a RADIUS proxy, NPS can configure access policies and manage which RADIUS server a connection request is delivered to. This includes the ability to forward accounting data for replicating logs on multiple remote RADIUS servers for load balancing.
NPS Best Practices
Microsoft identifies seven areas of best practices when utilizing Network Policy Server. These are provided in the below table.
To learn more about the most recent updates to Network Policy Server, head to Microsoft’s NPS documentation.