When Should You Use a Windows RADIUS Server?

Network Policy Server (NPS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. NPS provides centralized authentication, authorization, and accounting (AAA) capabilities to your network. Under this setup, your network access server (NAS) acts as a RADIUS client and forwards each connection request to a RADIUS server running NPS on Windows, which returns an accept or reject decision plus authorization attributes to the NAS. While users are connected to your network, NPS records session start, stop and usage data for them as part of its RADIUS accounting role.

What Is the RADIUS Protocol?

RADIUS is a client-server networking protocol with AAA management features. It uses the connectionless User Datagram Protocol (UDP) as its transport: port 1812 for authentication and authorization and port 1813 for accounting (older deployments still use the legacy ports 1645 and 1646).

Because UDP has no connection setup or acknowledgements, RADIUS adds little network overhead. The flip side is that a request can be lost on a poor link and simply time out; the RADIUS client then retransmits it and, after enough failures, may fail over to a secondary server. The IETF has specified RADIUS over TCP (RFC 6613) and RADIUS over TLS, known as RadSec (RFC 6614), but both remain at Experimental status; TCP alone adds reliability, not confidentiality, so only the TLS variant gives RADIUS a protected transport, and it is used mainly where RADIUS must cross untrusted networks.

As a client-server networking protocol, RADIUS has client and server components. In a typical network that uses RADIUS, the authentication and authorization process goes like this:

  1. A NAS serves as a RADIUS client and sends an Access-Request to a RADIUS server, which runs as a service on Windows (NPS) or as a daemon on any other server operating system.
  1. The RADIUS server verifies the user’s credentials and checks the user’s access privileges against its user store, which can be a local flat file or an external source such as a SQL database or Active Directory.
  1. If the credentials verify and the policy permits access, the server returns an Access-Accept to the NAS, carrying any authorization attributes (a VLAN, a framed IP address, a session timeout), and the NAS admits the user to the network and its applications and services. Otherwise it returns an Access-Reject.
  1. The NAS, still acting as a RADIUS client, sends Accounting-Request messages (Start, Interim-Update and Stop) to the RADIUS server for the life of the session. These record who connected, from where, for how long and how much traffic they moved; they do not log every action the user takes.

RADIUS supports various authentication mechanisms, including Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP v2 and Extensible Authentication Protocol (EAP). PAP sends the password in the User-Password attribute, hidden only by a keystream derived from the shared secret, whereas EAP carries stronger methods such as PEAP and EAP-TLS inside a TLS tunnel.

Because RADIUS answers authentication and authorization in a single Access-Accept, a normal logon needs just one request and one reply, which keeps traffic low. RADIUS also supports multifactor authentication (MFA) using one-time passwords or another second factor; this is done with Access-Challenge messages, so an MFA logon takes more round trips than a plain one.
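The four-step exchange above, worked through in code. This is an added example, not code from the original article and not part of NPS: it builds the RADIUS datagrams on both the NAS and server side from RFC 2865/2866, including the User-Password hiding, the Message-Authenticator check, the Response Authenticator the NAS verifies, and a Start accounting record. The user store, the shared secret, the user name and the NAS address 192.0.2.10 are all constructed for the example; as a simplification, the Message-Authenticator attribute is always placed last in the packet. The final function also shows the point made later in the RADIUS-versus-LDAP comparison: everything except the password is readable on the wire.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
# Attribute types used below.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
ACCT_STATUS_TYPE, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 40, 44, 80
ACCT_START, ACCT_STOP = 1, 2
# Constructed sample credential store standing in for AD DS / SAM (hypothetical user).
USERS = {b"alice": b"correct horse battery"}

def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def parse_packet(raw):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: XOR each 16-byte block of the zero-padded password with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def sign_message_authenticator(packet, secret):
    """RFC 2869 s5.14: HMAC-MD5 over the whole packet with the Message-Authenticator
    value zeroed. Simplification: the attribute is always the last one in the packet."""
    return packet[:-16] + hmac.new(secret, packet[:-16] + b"\x00" * 16, "md5").digest()

def check_message_authenticator(packet, secret):
    if len(packet) < 38 or packet[-18] != MESSAGE_AUTHENTICATOR or packet[-17] != 18:
        return False
    expected = hmac.new(secret, packet[:-16] + b"\x00" * 16, "md5").digest()
    return hmac.compare_digest(expected, packet[-16:])

def nas_access_request(ident, username, password, secret):
    """NAS side: build an Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return sign_message_authenticator(packet, secret), req_auth

def server_handle_access(raw, secret):
    """Server side: verify the request and return Accept/Reject, or None because a real
    server silently discards a request whose shared secret does not match."""
    code, ident, req_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST or not check_message_authenticator(raw, secret):
        return None
    a = dict(attrs)
    supplied = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(USERS.get(a.get(USER_NAME), b"\x00"), supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Denied")])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def nas_verify_response(raw, req_auth, secret):
    """NAS side: a spoofed reply whose Response Authenticator does not verify is dropped."""
    code, _, resp_auth, _ = parse_packet(raw)
    expected = hashlib.md5(raw[:4] + req_auth + raw[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None

def nas_accounting_request(ident, username, session_id, status, secret):
    """RFC 2866 s3: the Accounting-Request authenticator is MD5 over the packet with
    a zeroed authenticator field plus the secret; there is no random nonce."""
    body = encode_attrs([(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
                         (ACCT_SESSION_ID, session_id)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def server_verify_accounting(raw, secret):
    code, _, auth, _ = parse_packet(raw)
    expected = hashlib.md5(raw[:4] + b"\x00" * 16 + raw[20:] + secret).digest()
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(expected, auth)

def run_access(username, password, nas_secret, server_secret=None):
    """Full NAS <-> server round trip; returns ACCESS_ACCEPT, ACCESS_REJECT or None."""
    req, req_auth = nas_access_request(7, username, password, nas_secret)
    resp = server_handle_access(req, server_secret or nas_secret)
    return None if resp is None else nas_verify_response(resp, req_auth, nas_secret)

def wire_visible(raw):
    """Every attribute except User-Password is readable by anyone who sees the datagram."""
    return {t: v for t, v in parse_packet(raw)[3] if t != USER_PASSWORD}
```

Two things worth noticing when running it: a request sent with the wrong shared secret gets no reply at all rather than an Access-Reject, which is why a mis-typed secret on a NAS shows up as timeouts, and `wire_visible` returns the user name and NAS address in cleartext, which is the reason the article later recommends EAP, IPsec or a VPN for the RADIUS path.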

In larger networks, a RADIUS server can also act as a RADIUS proxy, forwarding requests to other RADIUS servers, typically chosen by the realm in the user name.

RADIUS or LDAP: Which Is Better for Centralized Authentication?

Like RADIUS, Lightweight Directory Access Protocol (LDAP) is used for user authentication and authorization. LDAP performs this role by accessing and managing directory services, such as Microsoft’s proprietary Active Directory service. Which is better depends on your specific requirements.

LDAP can be protected with TLS, either LDAPS on port 636 or StartTLS on port 389, but plain LDAP on port 389 is unencrypted, so encryption between client and server has to be enforced deliberately rather than assumed. Because LDAP runs over TCP, a lost segment is retransmitted instead of silently dropped, at the cost of connection setup and keep-alive overhead. For simple directory lookups LDAP is also easier to set up than RADIUS, which needs every NAS registered as a client with its own shared secret.

On the other hand, LDAP does not support user accounting, though this can be accommodated using other tools such as Syslog. It also does not support multifactor authentication out of the box, though you can use other solutions if you need this feature.

RADIUS itself protects only the User-Password attribute, and even that is just an XOR with an MD5 keystream derived from the shared secret rather than proper encryption. Every other attribute, including the user name and NAS address, crosses the network in cleartext, and the packets are guarded only by the MD5-based authenticator and the optional HMAC-MD5 Message-Authenticator. EAP methods such as PEAP and EAP-TLS work around this by carrying the credential exchange inside a TLS tunnel, and you can protect the RADIUS traffic itself by running IPsec between the NAS and the server, by placing both behind a virtual private network (VPN), or by using RADIUS over TLS.

Although more complex, RADIUS supports user accounting and MFA, making it ideal for use in large enterprises. However, it is also useful for smaller organizations looking to secure their networks.

Network Policy Server as a RADIUS Server

NPS was known as Internet Authentication Service (IAS) in earlier Windows versions. Starting with Windows Server 2008, IAS became NPS, with Microsoft adding new features to the component, including Network Access Protection (NAP, since deprecated in Windows Server 2012 R2 and removed in Windows Server 2016) and IPv6 support. NPS works with many types of network access, including 802.1X wireless and wired switch ports, VPN and dial-up.

To authenticate user credentials on your Windows network, NPS relies on an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database. You can use NPS as part of a single sign-on solution when the server running it belongs to an AD DS domain. In this case NPS validates credentials against the domain’s user accounts, so a successful RADIUS authentication doubles as a domain logon for the user.

With RADIUS, NPS becomes the central point for authentication, authorization and accounting decisions, instead of each NAS holding its own user data. If you combine NPS with Routing and Remote Access Service (RRAS), you can use RADIUS to authenticate and authorize VPN and dial-up users on your remote access networks.

NPS is also a straightforward choice as the RADIUS server for Windows Servers running on AWS, since the same AD DS domain can back both the servers and the RADIUS authentication.

Network Policy Server as a RADIUS Proxy

Aside from running NPS as a RADIUS server on Windows, you can also use NPS as a RADIUS proxy that forwards authentication or accounting messages to other RADIUS servers.

Some scenarios where a RADIUS proxy is useful include when you:

