NPS RADIUS
The Network Policy Server module installs and configures NPS — Windows' RADIUS server — used for 802.1X (wired/wireless network access control), VPN authentication, and as the authentication back end for Always-On VPN. It is the first link in RackStack's security-operations arc: NPS (auth) → Always-On VPN (gateway) → CIS Compliance (posture) → SIEM Forwarder (log shipping).
New in v1.104.0: Network Policy Server (NPS / RADIUS) module.
- Accessing the Module
- Menu Options
- Adding a RADIUS Client
- Backup & Restore
- CLI / Headless Mode
- Security
- Related
Menu path: Configure Server > Roles & Features > [10] Network Policy Server (RADIUS)
The submenu shows whether the NPAS role is installed and offers install, client registration, configuration display, and backup/restore.
| Option | Description |
|---|---|
| [1] Install NPS Role | Installs Network Policy and Access Services (NPAS) with management tools. Reversible / Dry-Run-aware. |
| [2] Add RADIUS Client | Register a switch / access point / VPN gateway by friendly name, address, and shared secret. |
| [3] Show NPS Configuration | Dump the current clients + policies (`netsh nps show config`). |
| [4] Export Configuration | Back up the full NPS config to XML. |
| [5] Import Configuration | Restore from a prior export (snapshots current config first so it can be rolled back). |
Connection-request and network policies are authored in the NPS console or restored from a backup — those are multi-object policy trees that don't map to a safe one-shot prompt.
You provide a friendly name (e.g. `Core-Switch-1`), the client address (IPv4/IPv6/FQDN), and a shared secret. The shared secret is collected as a hidden `SecureString`, held only long enough to register the client, and never written to the Dry-Run queue or its JSON export. Removing the client is registered as an undo action.

`netsh nps export` writes the full configuration (clients + policies) to XML. You choose whether to include shared secrets in the export (off by default). Because an export with secrets is sensitive, backups are written to an Administrators + SYSTEM-only hardened directory, not a world-readable temp path. Import snapshots the current configuration first, so the change can be rolled back.
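
The hardened-backup pattern described above, sketched as an added example that is not RackStack's own code: it creates a directory whose DACL is limited to Administrators and SYSTEM, exports the NPS configuration into it, and audits the result. The function names and the `ExampleTool` path are hypothetical; `Export-NpsConfiguration` is the cmdlet from the Windows NPS module, and the script assumes an elevated session on a server with the NPS role installed.

```powershell
# Added example, not RackStack code. Function names and the path are hypothetical.
# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')

function New-HardenedBackupDir {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = [System.Security.AccessControl.DirectorySecurity]::new()
    # Protect the DACL: stop inheriting from the parent and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in $AllowedSids) {
        $id   = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    if ($isDir -and -not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits ACEs from its parent"
    }
    # Translate every ACE to a SID so localized account names compare correctly.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $AllowedSids
    }
}

$dir = Join-Path $env:ProgramData 'ExampleTool\state\NPSBackups'  # placeholder path
New-HardenedBackupDir -Path $dir
$file = Join-Path $dir ('nps-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
Export-NpsConfiguration -Path $file   # export carries RADIUS shared secrets

# Audit both the directory and the new file before trusting the backup.
$extra = @(Get-UnexpectedAce -Path $dir) + @(Get-UnexpectedAce -Path $file)
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw 'NPS backup is readable by principals other than Administrators/SYSTEM'
}
```
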
```powershell
# Install the NPS (NPAS / RADIUS) role
RackStack.exe -Action NPSSetup

# JSON output for fleet automation
RackStack.exe -Action NPSSetup -OutputFormat JSON
```

The JSON envelope reports `Installed`, `Success`, and `RestartNeeded`.

- Shared secrets are `SecureString` throughout, converted to plaintext only for the brief `netsh` call and never persisted to the Dry-Run queue, its JSON export, or logs.
- Config backups that may contain clear-text shared secrets land in the hardened state directory (`%ProgramData%\<ToolName>\state\NPSBackups`, Admins + SYSTEM only).
- The role install is reversible and Dry-Run-aware.

- Always-On VPN — RRAS VPN gateway that authenticates against this NPS server
- CLI & Automation — full `-Action` reference
- Configuration — defaults and batch keys