How to configure the NPS to manage RADIUS authentication with Omada Controller

NPS on the Windows Server can work as RADIUS Server to manage RADIUS authentication with Omada Controller. As shown below, NPS can perform centralized authentication for wireless connections when acting as a RADIUS Server. This article will introduce you how to configure the NPS on the Windows Server 2012 R2 to work with Omada Controller.

By default, there are no network services in the Windows Server. So we need to add roles manually to implement the corresponding function. Besides NPS, we also need to install Active Directory Domain Services and Active Directory Certificate Services. Only in this way, NPS can authenticate user accounts. Therefore, we will describe it in the following steps:

· Install Active Directory Domain Service

· Install Active Directory Certificate Services

· Install Network Policy and Access services

· Create Group and User

· Configure RADIUS Clients and Network Policies

· Example of the External RADIUS Server.

I. Install Active Directory Domain Services

NPS must be registered in Active Directory so that it has permission to read the dial-in properties of user accounts during the authorization process. So we need to install Active Directory DS and promote it to a domain controller first.

II. Install Active Directory Certificate Services

Besides Active Directory DS, we need to install Active Directory Certificate Services. After installation, it will issue a certificate to Active Directory DC and Windows Server.

Note: If it doesn’t issue the certificate to Windows Server, we need to apply for a certificate for the Windows Server from the CA to ensure SSL encryption.

III. Install Network Policy and Access services

Go to Server Manager to install Network Policy and Access Services. After that, we should register the NPS in Active Directory DS so that it has permission to access user account and information while processing connection requests.

IV. Create Group and User

After installing Active Directory DS, please go to the Active Directory Administrative Center to create a group and add new users to this group. (These users are used to login and access the internet.)

Don’t forget to change the dial-in property to “Control access through Network Policy Server”, to allow users of this group to access the network through the NPS network policy.

V. Configure RADIUS Clients and Network Policies

RADIUS client can create RADIUS access request messages and forward them to the RADIUS server. To configure NPS as a RADIUS server, we must configure RADIUS clients and network policy.

To add the EAP as a client, enter the device’s IP address and give it the friendly name “tplink_nps” and manually enter a “Shared Secret”. The Shared Secret is used to verify that the RADIUS client is allowed to process auth-requests through the RADIUS server.

Note: The Radius Client role is transferred from EAP to Omada Controller since Controller 3.1.4.

To compatible with WPA-Enterprise and portal RADIUS, we should enable “Unencrypted authentication (PAP, SPAP)” when configuring the network policies.

VI. Example of the External RADIUS Server

After installed and configured on the Windows Server, NPS can work as a RADIUS Server. Here we take the External RADIUS Server portal as an example, use NPS to authenticate users who connect to the portal SSID.

· RADIUS Server IP: IP address of the Windows Server；

· RADIUS Port: The default port is 1812;

· RADIUS Password: It is the shared secret that we input the RADIUS Client page.

After configuring the portal, we can connect to the portal SSID, input the username and password, and then we will be able to access the internet.