NPS Role and Configuration - Part 4

This is where you tell the system to put the client in the VLAN of your choice. This must be done for LAN and WLAN separately.


Configure your AGDLP Domain Local security groups and place the child security groups in their respective NPS_VLAN_020X_CLIENT group. Do not use separate WLAN and LAN Domain Local security groups, because you'll probably get conflicts in your network.


Server 2012

Import-Module ServerManager

Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools


Server 2016 / 2019

Get-WindowsFeature NPAS

Install-WindowsFeature -Name NPAS -IncludeManagementTools


NPS Powershell Installation



Configure all of your network equipment to use a pre-shared key for communicating with your NPS RADIUS server.


Create an NPS Shared Secret




Add all of your network devices to the list of RADIUS clients. Include APs, but not PoE switches; you'll be tagging those in their configuration.






Next, configure the policies.




Select Configure 802.1X, which will bring up the wizard for Wired / Wireless.


I'll show you some basics now, and at the end it should be configured completely by yourself.


What I do is at least perform a check on the wired and wireless connection, in case someone attempts to make a connection.

In that case, I will not have the noise when I look up certain clients in the log.






Note: this is an empty group.




Leave the defaults.




Remove Certificate Authentication, remove the MS-CHAPv2 selections and select only PAP, SPAP.




Do the same for Wired and Guest VLAN 500, but I'll show you next what to adjust.


Next: configure a client VLAN (you do all of them).

This one is done for wired and wireless separately.








And for WLAN




Do this for VLAN200 to VLAN204


Enabling the Guest VLAN

Same process, but here's what's different.



Now that everything is enabled, you can reorder the sequence in which the NPS RADIUS server responds to clients.

Don't forget to also put the Connection Request Policies in the right order. You cannot program that.





Reorder Policy

# NPS Policy Re-Order configuration

# cmd, RunAs

netsh nps set np name="NPS_VLAN_0200_CLIENTS_WLAN" processingorder="10"
netsh nps set np name="NPS_VLAN_0200_CLIENTS_LAN" processingorder="11"
netsh nps set np name="Secure Wired (Ethernet) Connections - GUEST VLAN" processingorder="250"


And if you filled the rest, this is applicable.

netsh nps set np name="NPS_VLAN_0201_CLIENTS_WLAN" processingorder="12"
netsh nps set np name="NPS_VLAN_0201_CLIENTS_LAN" processingorder="13"
netsh nps set np name="NPS_VLAN_0202_CLIENTS_WLAN" processingorder="14"
netsh nps set np name="NPS_VLAN_0202_CLIENTS_LAN" processingorder="15"
netsh nps set np name="NPS_VLAN_0203_CLIENTS_WLAN" processingorder="16"
netsh nps set np name="NPS_VLAN_0203_CLIENTS_LAN" processingorder="17"
netsh nps set np name="NPS_VLAN_0204_CLIENTS_WLAN" processingorder="18"
netsh nps set np name="NPS_VLAN_0204_CLIENTS_LAN" processingorder="19"

netsh nps set np name="Connections to Microsoft Routing and Remote Access server" processingorder="100003"
netsh nps set np name="Connections to other access servers" processingorder="100004"
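
The ordering scheme above, as an added PowerShell example that is not part of the original post: it derives each client policy's processing order from the NPS_VLAN_020X naming convention and only prints the netsh lines unless -Apply is given. The function names Get-NpsPolicyOrder and Set-NpsPolicyOrder are hypothetical; the policy names and order values are the ones used on this page.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
# Function names are hypothetical; policy names and order values are the page's.

function Get-NpsPolicyOrder {
    param(
        [int[]]$VlanIds = (200..204),  # client VLANs configured above
        [int]$FirstOrder = 10          # order of the first client policy
    )
    $order = $FirstOrder
    foreach ($vlan in ($VlanIds | Sort-Object)) {
        foreach ($medium in 'WLAN', 'LAN') {
            [pscustomobject]@{
                Name  = 'NPS_VLAN_{0:D4}_CLIENTS_{1}' -f $vlan, $medium
                Order = $order
            }
            $order++
        }
    }
    # Guest and default policies come after every client VLAN policy.
    $tail = [ordered]@{
        'Secure Wired (Ethernet) Connections - GUEST VLAN'          = 250
        'Connections to Microsoft Routing and Remote Access server' = 100003
        'Connections to other access servers'                       = 100004
    }
    foreach ($name in $tail.Keys) {
        [pscustomobject]@{ Name = $name; Order = $tail[$name] }
    }
}

function Set-NpsPolicyOrder {
    param([switch]$Apply)   # without -Apply the commands are only printed
    $plan = @(Get-NpsPolicyOrder)
    # Guard against two policies being given the same order value.
    $dupes = $plan | Group-Object Order | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate processing order: $($dupes.Name -join ', ')" }
    foreach ($p in $plan) {
        if (-not $Apply) {
            "netsh nps set np name=`"$($p.Name)`" processingorder=`"$($p.Order)`""
            continue
        }
        & netsh nps set np "name=$($p.Name)" "processingorder=$($p.Order)"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not reorder '$($p.Name)' (does the policy exist?)"
        }
    }
}

Set-NpsPolicyOrder            # dry run: review the generated lines first
# Set-NpsPolicyOrder -Apply   # then apply
```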