Step-by-Step guide to configure Microsoft Network Policy Server (NPS) for 802.1x authentication

NPS PEAP authentication setup:

On the NPS, create a new policy by clicking NPS(local) and then select RADIUS server for 802.1X wireless or Wired Connections and then proceed to click configure 802.1x which will open a wizard that will guide you to create an NPS policy.
However, you can use the following screenshots which represent the settings of a duplicated policy and use these settings in the wizard if you don’t have an existing policy to duplicate against.

Overview tab:


Conditions tab:

In this tab, you will be required to configure the NAS port type, which should be Ethernet. This way only ethernet users will authenticate against this policy.


NAS port type:


User groups:

You can simply click add groups and define the user Active Directory group you would like to match with this policy. NPS will authenticate the dot1x user against this AD group.


Constraints tab:

In the constraints tab you are meant to define all the constraints that must be matched before authorization request is sent to the Active Directory server. It is best to leave everything to default but choose the type of authentication you would like to use, i.e. password based (PEAP) or certificate based authentication.


Settings tab:

When configuring Ethernet based 802.1x, the following three attributes must be added for the switch to make sense of the information returned from the NPS. The Tunnel-Pvt-Group-ID defines the vlan to configure on the port upon successful authentication against this policy.


For wireless 802.1x based authentication, instead of tunnel attributes, you only need to specify the filter id which correlates with the SSID on the access point to grant access to the user upon successful authentication.

Since NPS policies are read based on the serial order of policies, it is important to ensure the defined NPS policy is placed before any other policy that has the same AD group configured in it. If this is not ensured, the switch would authenticate against a policy that doesn’t return any vlan id back to the switch resulting in lack of vlan assignment on the switch port. You can, however, have the same AD group configured in two different policies that have different constraints configured under the conditions tab. For example, a policy with wireless constraint will not authenticate against an ethernet based user and vice versa.

Got questions? Leave a comment! Let’s chat.

Rafay Rasool is a Network Specialist with over 8 years of experience designing, configuring and implementing core network solutions based predominantly but not limited to Juniper Routers, Switches and Firewalls along with other vendors such as Cisco, Huawei, Siemens, Aerohive, Ringmaster, Pulse etc for Internet Service Provider and Enterprise Networks.

Rafay is an avid supporter of network automation and likes to code and automate networking solutions.