1.Installing NPS Windows Server 2012 #

Installing Network Policy Server in Windows Server 2012 R2

Network Policy Server, what is NPS all about?

NPS enables you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization.

You also can use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups.

You can use NPS to implement network-access authentication, authorization, and client health policies with any combination of the following 3 functions:

• RADIUS server

• RADIUS proxy

• NAP policy server

This will be a very long step to go through, so please take your time and make sure you have a working domain lab for you to install & configure NPS…

What you will find in my post today will be straight forward process to deploy & configure NPS, there was many things you can do with NPS.. so please spend some time browsing to Microsoft technet for more details information…

Lets get started by installing NPS role and this NPS role later will be use to support RADIUS…

1 – On the Domain server (OSI-ADDS01), open Server Manager, click Add roles and features


2 – Next, on the Select installation type interface, click Role-based or feature based installation, and then click Next to proceed…


3 – On the Select destination server interface, click Next…


4 – On the Select server roles interface, select the Network Policy and Access Services check box and then click Next…


5 – On the Select features interface, just click Next to proceed…


6 – Next, on the Network Policy and Access Services page, click Next…


7 – Next, on the Select role services interface, click Network Policy Server check box, and then click Next…


8 – On the Confirm installation selections interface, click Install…


9 – Next, verify that our installation was successful, and then click Close…


10 – Next, on the Server Manager, click Tools and then click Network Policy Server…


11 – In Network Policy Manager interface, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory


12 – In the Network Policy Server message box, just click OK to proceed…


13 – In the subsequent Network Policy Server interface, click OK


2.Configuring NPS Windows Server 2012 #

Configuring NPS.

14 – Next, lets continue with configuring NPS Templates… In the Network Policy Server console, right-click Shared Secrets, and then click New


15 – Next, in the New RADIUS Shared Secret Template interface, in the Template name box, type OSI Security (you can fill in any name you prefer), then in the Shared secret and Confirm shared secret boxes, type your preferred password and then click OK…


16 – Next, right-click RADIUS Clients, and then click New…


17 – Next, in the New RADIUS Client interface, in the Friendly name box, type OSI-NPS, then you need to key in the IP Address of the NPS Server, which in my case, click Verify to confirm the IP Address, then click Resolve so that it will identify the correct IP Address, click OK to proceed…


18 – Next, in the New RADIUS Client interface, under Shared Secret, in the Select an existing Shared Secrets template area, click OSI Security, and then click OK.


19 – Next, lets configure RADIUS accounting for logging purposes…


20 – In the Accounting Configuration introduction Wizard, click Next…


21 – On the Select Accounting Options interface, click Log to a text file on the local computer, and then click Next…


22 – On the Configure Local File Logging interface, click Next…


23 – On the Summary interface, click Next…


24 – On the Conclusion interface, click Close…


25 – Next, we need to configure and test our RADIUS Client.. In the Network Policy Server console, expand RADIUS Clients and Servers, then right-click RADIUS Clients, and then click New


26 – In the New RADIUS Client interface, please clear the Enable this RADIUS client check box, then you can click Select an existing template check box.. verifythat your existing template listed in the list then click OK…


We have done installing & configuring NPS in our domain server which OSI-ADDS01 server, now it’s time for us to configure Routing and Remote Access in RADIUS Client (OSI-NPS server)…

27 – On the OSI-NPS Server, open Server Manager, click Add Roles and features…


28 – On the Before you begin interface, click Next…


29 – On the Select installation type interface, click Next…


30 – On the Select destination server, click Next to proceed…


31 – On the Select server roles interface, click Remote Access box and click Next…


32 – On the Select features interface, click Next…


33 – Next, on the Remote Access interface, click Next…


34 – On the Select role services, make sure you click DirectAccess and VPN (RAS)check box, and then click Next…


35 – On the Web Server Role (IIS) interface, proceed with Next…


36 – On the Select role services interface, proceed with Next…


37 – On the Confirm installation selections interface, click Install…


38 – On the Installation progress interface, click close…


39 – Next, open Server Manager click Tools and click Routing ans Remote Access


40 – Next, in the Routing and Remote Access console, right-click NPS (Local), and then click Configure and Enable Routing and Remote Access


41 – On the Routing and Remote Access Server Wizard interface, click Next


42 – On the Configuration interface, make sure you click Remote access (dial up or VPN)


43 – ON the Remote Access interface, click VPN check box…


44 – Next, in the VPN Connection interface, click the network interface named Ethernet 3, but make sure you clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next…


45 – On the IP Address Assignment interface, select From a specified range of addresses, and then click Next…


46 – On the Address Range Assignment interface, click New…


47 – On the New IPv4 Address Range interface, in the Start IP address, type, then in the End IP address, type, verify that 20 IP addresses were assigned for remote clients, and then click Next…


48 – On the Address Range Assignment interface, click Next…


49 – On the Managing Multiple Remote Access Servers interface, click Yes, set up this server to work with a RADIUS server, and then click Next…


50 – On the RADIUS Server Selection interface, in the Primary RADIUS server box, type ADDS01… In the Shared secret box, type your password and then click Next…


51 – In the Routing and Remote Access Server Setup Wizard, click Finish


52 – In the Routing and Remote Access dialog box, click OK…


53 – Next, switch to the OSI-ADDS01 domain server so that we can configure a Network Policy for RADIUS… in the Network Policy Server console, expand Policies, and then click Network Policies, in the details pane, right-click the policy at the top and bottom of the list, and then click Disable


54 – Next, right click Network Policies, and then click New


55 – In the New Network Policy Wizard, in the Policy name box, type OSI VPN Policy, and then in the Type of network access server list, click Remote Access Server(VPN-Dial up), and then click Next…


56 – Next, on the Specify Conditions page, click Add, then in the Select condition dialog box, click NAS Port Type, and then click Add


57 – In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK…


58 – Next, on the Specify Conditions interface, click Next…


59 – Next on the Specify Access Permission interface, click Access granted, and then click Next…


60 – On the Configure Authentication Methods interface, click Next…


61 – On the Configure Constraints interface, click Next…


62 – On the Configure Settings interface, click Next…


63 – On the Completing New Network Policy interface, click Finish


64 – Next, on the  Network Policy Server console, verify your setting…


65 – Now lets test our RADIUS configuration with Windows 8.1 client, switch to Windows 8.1 client and log in as Administrator, then open Network and Sharing Center control panel, in the Network and Sharing Center, click Set up a new connection on network…


66 – On the Choose a connection option interface, click Connect to a workplace, and then click Next…


67 – On the How do you want to connect interface, click Use my Internet connection (VPN)


68 – Click I’ll set up an Internet connection later


69 – On the Type the Internet address to connect to interface, in the Internet address box, type, in the Destination name box, type OSI VPN, then select the Allow other people to use this connection check box, and then click Create…


70 – In the Network And Sharing Center window, right-click the OSI VPN connection, and then click Properties


71 – On the OSI VPN Properties, click the Security tab and then in the Type of VPN list, click Point to Point Tunneling Protocol (PPTP), then under Authentication, click Allow these protocols, and then click OK


72 – Next, right-click the OSI VPN connection, and then click Connect/Disconnect


73 – Next, in Network sign-in, in the User name box, type osi\administrator and password and then click OK…


74 – Lastly, wait few second for the VPN connection to be established. Ensure that your connection is successful




3.NPS Migration powershell #

Export and Import NPS Server Configuration to migrate or have a failover server.

You can export the entire NPS configuration — including RADIUS clients and servers, network policy, connection request policy, registry, and logging configuration — from one NPS server for import on another NPS server.

Use one of the following tools to export the NPS configuration:

  • In Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, you can use Netsh, or you can use Windows PowerShell.
  • In Windows Server 2008 R2 and Windows Server 2008, use Netsh.


Do not use this procedure if the source NPS database has a higher version number than the version number of the destination NPS data-base. You can view the version number of the NPS database from the display of the netsh nps show config command.

Because NPS server configurations are not encrypted in the exported XML file, sending it over a network might pose a security risk, so take precautions when moving the XML file from the source server to the destination servers. For example, add the file to an encrypted, password protected archive file before moving the file. In addition, store the file in a secure location to prevent malicious users from accessing it.


If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.

Export and Import the NPS configuration by using Windows PowerShell

For Windows Server 2012 and later operating system versions, you can export the NPS configuration using Windows PowerShell.

The command syntax for exporting the NPS configuration is as follows.

Export-NpsConfiguration -Path <filename>

The following table lists parameters for the Export-NpsConfiguration cmdlet in Windows PowerShell. Parameters in bold are required.

Parameter Description
Path Specifies the name and location of the XML file to which you want to export the NPS server configuration.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

Export Example

In the following example, the NPS configuration is exported to an XML file located on the local drive. To run this command, run Windows PowerShell as Administrator on the source NPS server, type the following command, and press Enter.

Export-NpsConfiguration –Path c:\config.xml

For more information, see Export-NpsConfiguration.

After you have exported the NPS configuration, copy the XML file to the destination server.

The command syntax for importing the NPS configuration on the destination server is as follows.

Import-NpsConfiguration [-Path] <String> [ <CommonParameters>]

Import Example The following command imports settings from the file named C:\Npsconfig.xml to NPS. To run this command, run Windows PowerShell as Administrator on the destination NPS server, type the following command, and press Enter.

PS C:\> Import-NpsConfiguration -Path “C:\Npsconfig.xml”

Export and Import the NPS configuration by using Netsh

You can use Network Shell (Netsh) to export the NPS server configuration by using the netsh nps export command.

When the netsh nps import command is run, NPS is automatically refreshed with the updated configuration settings. You do not need to stop NPS on the destination computer to run the netsh nps import command, however if the NPS console or NPS MMC snap-in is open during the configuration import, changes to the server configuration are not visible until you refresh the view.


When you use the netsh nps export command, you are required to provide the command parameter exportPSK with the value YES. This parameter and value explicitly state that you understand that you are exporting the NPS server configuration, and that the exported XML file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To copy an NPS server configuration to another NPS server using Netsh commands

  1. On the source NPS server, open Command Prompt, type netsh, and then press Enter.
  2. At the netsh prompt, type nps, and then press Enter.
  3. At the netsh nps prompt, type export filename=path\file.xml” exportPSK=YES, where path is the folder location where you want to save the NPS server configuration file, and file is the name of the XML file that you want to save. Press Enter.

This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press Enter, a message appears indicating whether the export to file was successful.

  1. Copy the file you created to the destination NPS server.
  2. At a command prompt on the destination NPS server, type netsh nps import filename=path\file.xml“, and then press Enter. A message appears indicating whether the import from the XML file was successful.

4.NPS Migration GUI #

Migrate Network Policy Server (NPS)

  1. Migrate to a new server with new NetBIOS Name and New IP Address
  2. Migrate to a new server retaining NetBIOS Name and IP Address

Step1: Backup NPS Server, NPS Policy & certificate

  1. Open NPS Policy Server from Server Manager>Right Click on NPS(Local)>Export Configuration.
  2. Select I am aware that I am exporting all shared secret. Click Ok>Export as a XML File into a UNC path accessible to new server.
  3. right Click on Template Management>Export Template to a File. Export as a XML File into a UNC path accessible to new server.
  4. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Export Certificate with Private Key.
  5. Use Windows Backup to backup NPS server. If NPS server is virtualized, then simply right click the virtual machine from Hyper-v manager and rename the machine. Now Power of the VM.

Step2: Build a new Server.

  1. Build a new server. Activate Windows. Assign TCP/IP and join to the domain.
  2. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Import Certificate with Private Key.
  3. From Roles and Feature Wizard>add network Policy and Services>Select NPS, NAP and Health registration services, Click Next>Select Certificate Authority>Select Certificate>Select Finish Installation.

Step3: Register NPS.

  1. If you have retained NetBIOS Name and IP Address mentioned in scenario 2 then you don’t  need to re-register. It’s already registered.
  2. If you have a different NetBIOS Name and IP address then Right Click NPS(Local)>Register NPS Server to Active Directory.

Step4: Import NPS Policies

  1. Open NPS Policy Server>right Click on NPS(Local)>Import Configuration. Point to the XML file you have exported in step1 and import the file.
  2. Right Click on Template Management>Import template from a File. Point to the XML file you have exported in step1 and import the file.

Step5: Test Client

  1. Connect a client using WIFI or VPN whichever purpose you have configured NPS.
  2. Open Event Viewer in NPS Server and Check Security log. You will see clients are connected successfully.
Help Guide Powered by Documentor
Suggest Edit