Microsoft's Windows Server platform provides a RADIUS server, an economical option for those already running (or planning to run) a Windows Server. Starting with Windows Server 2008, Microsoft provides the RADIUS service with its Network Policy Server (NPS) role, whereas previously it was provided by the Internet Authentication Service (IAS) role. Like most other Windows Server roles, NPS configuration is GUI-based.
NPS provides different functionality depending on the edition of Windows Server 2008 or 2008 R2. The Web Server edition is the only one that doesn't include the NPS role/feature. The Standard Edition supports a maximum of 50 RADIUS clients (access points) and a maximum of two remote RADIUS server groups. The RADIUS client can be defined by using a fully qualified domain name or an IP address, but groups of RADIUS clients can't be defined by specifying an IP address range. The Enterprise and Datacenter editions allow an unlimited number of RADIUS clients and remote RADIUS server groups, and allow defining RADIUS clients via IP address ranges in addition to a domain name or single IP.
NPS supports the basic common authentication protocols: PEAP, EAP-TLS, PAP, SPAP, CHAP, MD5, MS-CHAP, MS-CHAPv2 and EAP-MD5. Additionally, Microsoft allows plug-ins of other vendors' EAP methods on NPS. RSA's one-time password (OTP) method is one example of this.
For authentication, NPS allows only Active Directory as the user account database, though it can also proxy requests to other RADIUS servers for processing. For RADIUS accounting, you can write to a text file, store records in a Microsoft SQL Server database, or both.
We evaluated NPS in Windows Server 2008 R2 on a VMware virtual machine. Before enabling NPS we performed the initial configuration of Windows Server and set up an Active Directory domain. Then we used the documentation from Help and Support within Windows for information on how to configure NPS for 802.1X; we found it complete, thorough and targeted toward administrators. Next we spent about 10 minutes enabling the Certificate Services role and creating a certificate authority (CA). After that we enabled the NPS role and registered it with Active Directory, which was done in less than five minutes.
Then we selected the 802.1X configuration scenario and ran the configuration wizard that helped us add RADIUS clients (access points), select the authentication protocol (PEAP) and choose user groups to apply to the NPS server. The wizard also allowed us to configure traffic controls, which are RADIUS attributes (such as VLAN assignments) you can configure to be sent to the RADIUS clients and applied to authenticated and authorized users.