RADIUS With Windows Server 2012R2

22nd July 2016

RADIUS is a form of network security that can link into your Windows Domain. The most common use (at least in my experience) is to secure Wireless Networks. Using RADIUS has the advantage of no shared key that has to be entered on each device, you can allow all domain computers to connect with their computer account and limit users to some trusted staff who only need their domain account to connect.

Before I started I had a fully functioning Windows Domain Controller with AD setup for normal use.


Active Directory Certificate Services is used to generate the certificate that your RADIUS server will use to identify itself.

Open the Add Roles and Features wizard from server manager, select your DC and tick Active Directory Certificate Services.

Adding ADCS

Agree to the required features and click next. Click next again on the features screen and again on the AD CS screen.

On the Role Services screen you only need Certification Authority ticked.

Select Certification Authority

Click Next and then confirm the install.

Once the install finishes click Configure Active Directory Certificate Services on the destination server.

Configure Active Directory Certificate Servers on the destination server

In the wizard that pops up select the user you want to install the service as (in my case it was the same as my logged in user) and hit next.

When asked to Select Role Services to configure tick Certification Authority.

Select services to configure

Select Enterprise CA and hit next, then select Root CA and hit next.

Select Create a new private key and hit next. On the Cryptographic screen change the hash algorithm from the insecure sha1 to sha256 and click next.

Crypto Setup

Leave the CA Name at the default and hit next, do the same with the validity period and database location.

On the Confirmation screen make sure that everything is as it should be and then hit Configure.

Confirmation Screen

After configuration completes hit close.


RADIUS is part of the Network Policy and Access Services role in Server 2008+ and is installed like the ADSC role.

Go to the Select Server Roles screen and tick Network Policy and Access Services, agree to the required features and hit next.

Select NPAS

Hit next on the Features screen and again on the NPAS introduction.

On the Role Services screen you only need Network Policy Server selected.

NPS Role

On the Confirmation screen hit Install.

After the install finishes you can hit Close.

Open Network Policy Server from the start menu and before you configure your RADIUS network right click Templates Management -> Shared Secrets and select New.

Give your Key a name and either type in or generate a secret.

Set the Key Name

At this point I normally go into my Wireless system and create the new RADIUS network whilst I have my generated key in the clipboard.

With that template created head back to the main NPS screen and select RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X under it.

NPS Screen

Select Secure Wireless Connections and click next (you can change the name if you want to).

Create Network

You need to add each access point to the list which can be pretty tedious.

Adding Clients

When adding an AP select the shared secret template we made earlier. Once you have added all your access points hit next.

Add Client

On the Configure an Authentication Method screen select Microsoft: Protected EAP (PEAP) and click Configure.

Set the authentication method

Change to the certificate for your DC, dc.domain.local NOT domain-dc-ca.

EAP Properties

On the Specify User Groups screen add your Domain Users and Domain Computers groups and click next.

Click next on the Configure Traffic Controls screen.

On the last screen confirm all the details and then hit finish.


You now have a RADIUS a network! Domain joined computers can now connect with seemingly no password as their computer account allows them to authenticate. None domain devices can authenticate with any user account.