Microsoft | Windows Server 2012 Radius setup

How to setup Radius for authentication with for example a Cisco VPN Connection.

When opening the Dashboard after logon with the administrator user you have to choose Add roles and features

Choose Role-Based or feature-based installation and click on next

Select the server which get the new feature and click on next

Select network Policy and Access Services add the features

Click on Next

Do NOT change any settings and click on Next

Click on Next

Select Network Policy Server and click on Next

Select Restart if needed ( only when it’s possible to restart ) and click on Install

You can close this window but you can watch it finishing.

Select Tools > Network Policy Server

A new window wil open
Click right on NPS (Local) and select Register server in Active Directory

Click on OK to continue

Click on OK

Click on Radius Clients and Servers > Radius Clients (right click) > New

Add a device with a shared key to connect. And Click on OK
Create a new group in the Active Directory (call it for example VPN)
Create a new Network Policy

Click on Policies > Network Policies (right click) > New

Name the Policy simple and click on Next

Add a new Condition > Select Windows Groups > click on Add

Select the Windows group or groups and click on OK

Click on Next

Select Access Granted and click on Next

Select all options except the last one and click on Next

You get a message if you want to read it click on yes if not click on no.

Keep the settings to default and click on Next

Keep the settings to default and click on Next

Click on finish

23 thoughts on “Microsoft | Windows Server 2012 Radius setup”

  1. nice guide. this page was the 4th ranked page when i googled “server 2012 r2 radius” so i think you may want to consider cleaning up the screenshots. even clicking to the bigger images was like looking at them through a wet paper towel

    1. the pictures are just small. I’ve to redo the pictures which will be done in the up coming days. How ever it’s not much difference with a configuration on Windows server 2008 R2 🙂

  2. Pingback: » How my Wifi is unique

    1. It’s a nice blog unfortunately, I need to use a translator for it to read this blog post 🙂
      When you need such setup it’s great to use.

  3. Do you know if it possible to apply certain policies to certain clients, ie I want AD Group X to be able to authenticate on client X and AD group Y to be able to authenticate on client Y and so on?

    1. In the Small Business Server edition of 2008 and 2011 you are able to select where a user can connect to a computer. At the moment I am unable to look for this policy.

  4. The prompt after clicking “Register Service in Active Directory” says “clients must be authorized to read dial-in properties, etc.” Is it assumed my clients are authorized if they’re in the user list, or should I make sure some other setting is right first? Up until now, we’ve only used AD as authentication for a bunch of Macs to get on Windows Remote Desktop. I don’t want to kick everyone out and have to scramble to undo what I did. Thanks,
    ps. GREAT GUIDE!

    1. Jeff, there you choose how to say that clients can authenticate. If you create a security group in the Active Directory, it will be easier to maintain. Otherwise you need to change the dial-in properties of every user.
      I think the best solution for you is to create a security group > put the users in there > add group to the radius settings and your done. You don’t need to change the dial-in properties.
      I hope this will help you.

  5. we use Dlink DWC2000 controller & 8610 AP, on Windows Radius server ” Radius Clients” , should we add all AP ip address or only controller ip is sufficient ?

    1. It depends on the brand. for example a cisco wlan controller it’s not needed while for a netgear wlan controller you need to add all AP’s to the radius setup

      1. what do you recommend, irrespective of bands ? should we add AP also in Radius Clients.
        At the moment with controller its working, so cross checking.

  6. If it’s working now only with the controller installated. it’s not need to change it. ulease the vendor expliciet recommends it in it’s documentation for example the AP’s of netger we have running in our office are basically standalone but connected to the wlan controller this is why we need to add the ap’s of netgear to the radius.

    1. users are able to connect to Radius & users gets ip address also, but sometimes users are facing disconnection & connectivity with APIPA Ip address.
      What could be reason for users getting APIPA IP, we have sufficient ip address on DHCP pool.
      With WPA2 we don’t have such APIPA issue, with radius we are seeing this random APIPA issues.

  7. Hey Fred, nice post. Do you know if you can configure 2012R2 NTP Radius to support One Time Password (OTP) from a radius client? In my case the client would be a NetScaler AAA brokering incoming connections. I know NetScaler supports it but cannot find clear information regarding Radius…

  8. Hey Fred, great guide. I am unable to register server in Active Directory. I am using it to authenticate to Juniper switches and routers, which do not use Active Directory credentials. Can I just skip that part and add clients?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.