NPS + WiFi Domain Authentication
1. PURPOSE
To configure secure WiFi authentication using Microsoft Network Policy Server integrated with Active Directory, enabling domain-based access control.
2. SCOPE
- Domain-joined client machines
- Wireless Access Points (e.g., EnGenius, Aruba)
- NPS Server (RADIUS)
- Certificate Services (for EAP-TLS)
3. PREREQUISITES
- Domain Controller operational
- NPS role installed on Windows Server
- Clients joined to domain
- DNS properly configured
- Time synchronization with DC
- (For EAP-TLS) Certificate Authority configured
4. ARCHITECTURE
5. IMPLEMENTATION STEPS
STEP 1:
Install NPS Role
On Windows Server:
Install-WindowsFeature NPAS -IncludeManagementToolsOpen:
nps.msc
STEP 2:
Register NPS in Active Directory
- Right-click NPS (Local)
- Click: Register server in Active Directory
✔ Required to read AD user/computer accounts
STEP 3:
Configure RADIUS Client (Access Point)
Go to:
-> RADIUS Clients → New
Add:
- Name: AP Name
- IP Address: AP IP
- Shared Secret: (must match AP config)
STEP 4:
Configure Connection Request Policy
-> Policies → Connection Request Policies
- Use default OR create new
- Ensure authentication is processed locally
STEP 5:
Create Network Policy
->Policies → Network Policies → New
Conditions
Choose based on requirement:
Option A: User-based authentication
- Add: Domain Users
Option B: Machine-based authentication (recommended)
- Add: Domain Computers
Constraints
Authentication Methods:
✔ For secure setup (Recommended):
- Smart Card or other certificate (EAP-TLS)
OR
✔ For basic setup:
- PEAP (MS-CHAP v2)
Settings
- Grant access
- No VLAN (or configure if needed)
STEP 6:
Configure Certificate (For EAP-TLS)
Using Active Directory Certificate Services:
- Create Computer/User certificate template
- Enable auto-enrollment via GPO
- Ensure certificate appears on client:
certlm.msc
STEP 7:
Configure WiFi Access Point
On AP (e.g., EnGenius):
- Security Mode: WPA2/WPA3 Enterprise
- RADIUS Server IP: NPS Server
- Port: 1812
- Shared Secret: same as NPS
STEP 8:
Configure WiFi via GPO
Open:
gpmc.mscNavigate:
-> Computer Configuration → Policies → Windows Settings → Wireless Network (IEEE 802.11)
Configure:
- SSID Name
- Security: WPA2-Enterprise
- Authentication Method:
- EAP-TLS (recommended)
- or PEAP
STEP 9:
Apply Group Policy
On client:
gpupdate /forceRestart system
6. VALIDATION
✔ WiFi SSID visible
✔ Client connects automatically (machine auth)
✔ No credential prompt (EAP-TLS)
✔ Successful login
Related Articles
GoDaddy - Domain Renewal .COM etc
Step-by-Step: Renew Domain in GoDaddy Login to GoDaddy Go to the GoDaddy website: https://www.godaddy.com Click Sign In (top right). Enter your username/email and password. Open Domain Portfolio After login, click My Products. Go to Domains or Domain ...To resolve the communication issue while joining the Child domain controller
Root Cause: Follow the below steps to resolve the communication issue between Active Directory and the Child Domain controller Turn off all the firewall profile Domain Profile Private Profile Public Profile Once all the profiles are turned off, check ...How to Unregister (Remove) a Crashed Domain Controller from Active Directory
Steps to Unregister a Crashed Domain Controller Applies To Windows Server (All versions with Active Directory Domain Services) Active Directory Environments Issue Description A Domain Controller (DC) has crashed or is permanently offline and cannot ...Granting Network Properties Management Permission Without Full Admin Access
These steps allow users to manage network properties on domain-joined laptops without granting full administrative privileges. Step 1: Login as domain administrator -> Step 2: Locate to users and group management console -> Step 3: Select the group ...Configure / Enable Default 2-Year Online Archive Policy Organization-Wide
Objective Enable the default Exchange Online auto archive retention policy across the organization to automatically move emails older than 2 years to the Online Archive mailbox. Background Currently, Online Archive retention is not enabled ...