Microsoft NPS Configuration Guide


Updated 04/04/2023

How-to videos - produced by eduroam(UK): https://www.youtube.com/playlist?list=PLbKeiLya4JyA_6A10XKhnCzEY4eyApG4M

eduroam how to guide - Certificate requests (on a standalone CA or for the Jisc Certificate Service)
eduroam how to guide - Certificate requests (on an enterprise CA)
eduroam how to guide - Installing NPS
eduroam how to guide - Templates and configuring NPS (Part I)
eduroam how to guide - Configuring NPS (Part II)
eduroam how to guide - Configuring NPS for multiple SSIDs

How-to Configuration Guide Document - produced by eduroam(UK): contains screenshots specifically for eduroam(UK)

>>> eduroam(UK) Microsoft NPS Configuration Guide <<<

(The above contains Windows Server 2016 screenshots and incorporates relevant material from the Geant / UNINETT (Norway) document. At the time of production it presented a definitive all-in-one guide to deploying NPS for eduroam, but it now needs some supplementary material, which is available in sister documents on this website.)

ADDENDA:

1) Ref. Section 17, Visitor Connection Policy: pattern-matching regular expression for forwarding authentication requests to the NRPS. Please see the item in section 5 of:
https://community.jisc.ac.uk/library/janet-services-documentation/faqs-e...

For an organisation with a realm ending in .ac.uk, the following regex is recommended. It is entered in the Condition: User Name box of the Connection Request Policy for eduroam Visitors ('proxy to eduroam'), and it results in authentication requests whose usernames contain common non-eduroam realms not being forwarded to the NRPS:

@{1}(?!((.*\.(ax\.edu|ac\.edu|ax\.uk$|sc\.uk$|au\.uk$|ac\.ik$|ac\.u$|ac\.k$|ac\.ukj$|local))|((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)))(([-0-9a-zA-Z\.]+\.[-0-9a-zA-Z\.]+))$
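As an added example (not part of the guide or of eduroam(UK)'s material), the following Python snippet shows how the recommended pattern behaves against constructed sample User-Name values before it is pasted into the policy. NPS evaluates the condition with the .NET regex engine; Python's `re` supports every construct this pattern uses (negative lookahead, alternation, `$`), so the match results are the same for these inputs. The user names and realms are invented for illustration.

```python
import re

# The Connection Request Policy 'User Name' condition recommended above, copied from
# the page. NPS evaluates it with the .NET regex engine; Python's re supports every
# construct it uses (negative lookahead, alternation, $), so results agree here.
NRPS_FORWARD_PATTERN = re.compile(
    r"@{1}(?!((.*\.(ax\.edu|ac\.edu|ax\.uk$|sc\.uk$|au\.uk$|ac\.ik$|ac\.u$|ac\.k$|ac\.ukj$|local))"
    r"|((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)))"
    r"(([-0-9a-zA-Z\.]+\.[-0-9a-zA-Z\.]+))$"
)


def forwarded_to_nrps(user_name: str) -> bool:
    """Return True if the 'proxy to eduroam' policy condition matches this User-Name,
    i.e. NPS would forward the request to the NRPS. NPS conditions match anywhere in
    the attribute (the pattern has no ^), so re.search is the right call."""
    return NRPS_FORWARD_PATTERN.search(user_name) is not None


def classify(user_names):
    """Map each User-Name to 'forward' (proxied to the NRPS) or 'local' (left to the
    next Connection Request Policy, normally the local-users one)."""
    return {u: ("forward" if forwarded_to_nrps(u) else "local") for u in user_names}


# Constructed sample User-Name values (not real accounts). Realms chosen to exercise
# the policy: genuine visitor realms, a mistyped .ac.uk realm, consumer mail domains,
# a mobile-operator (3gppnetwork.org) NAI, a .local name and a user with no realm.
SAMPLE_USER_NAMES = [
    "alice@uni.ac.uk",
    "grace@student.uni.ac.uk",
    "judy@example.edu",
    "carol@uni.ax.uk",
    "bob@gmail.com",
    "ivan@outlook.com",
    "heidi@yahoo.cn",
    "erin@wlan.mnc001.mcc234.3gppnetwork.org",
    "dave@camp.local",
    "frank",
]

if __name__ == "__main__":
    for name, action in classify(SAMPLE_USER_NAMES).items():
        print(f"{action:8} {name}")
```

Running the script prints one line per sample name; only the three genuine realms are marked `forward`. The same approach can be used to check any additional realms you intend to exclude before changing the live policy.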

2) IMPORTANT Advisory - only for organisations using Windows Server Certification Authority to generate the server certificate for the NPS ORPS.

December 2021: With the introduction of Android 12 it has come to light that the implementation of the X509v3 Extension: Basic Constraints in Windows Certification Authority appears to contain a bug that results in certificate validation (and hence authentication) failure with Android 12 when the technically accurate recommendations set out in https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations are strictly followed.

If you have created the CSR for your server certificate with BasicConstraints: CA:FALSE marked critical, the pathlen parameter on the certificate will be zero. This will cause authentications with Android 12 to fail. You can test your certificate through the 'Check realm reachability' test on CAT in your Profile panel: Static connectivity test; Show server certificate details; scroll down to the Extensions and check the basicConstraints result. basicConstraints: CA:FALSE,pathlen:0 indicates that there is a problem, and you should regenerate your server certificate with BasicConstraints: CA:FALSE NOT marked 'critical'.

When creating your server certificate CSR and following section 8 of the NPS guide (p31), on the Extensions tab, under Basic Constraints you should NOT tick the 'Make the basic constraints extension critical' box (and NOT tick the 'Enable this extension' box).

Note - organisations using commercial Certification Authorities for the provision of RADIUS server certificates should continue to set Extension: Basic Constraints CA:FALSE, but there is no need to mark this as 'critical' (it was only ever noted as a problem with Mac OS X 10.8 (Mountain Lion), and most CAs disregard this anyway).
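The advisory above checks the extension through CAT. As an added example (not from the guide or from eduroam(UK)), the following Python script performs the same inspection offline on a certificate file: it decodes the basicConstraints extension from a PEM or DER certificate using only the standard library and reports the verdict the advisory describes (pathlen present with CA:FALSE is the Android 12 failure case). To keep the code short, the extension is located by its OID bytes rather than by a full X.509 parse; the sample extension values at the bottom are constructed for illustration and are not taken from any real certificate.

```python
import base64
import re
import sys
from typing import Optional

# DER encoding of OBJECT IDENTIFIER 2.5.29.19 (id-ce-basicConstraints)
BASIC_CONSTRAINTS_OID = bytes.fromhex("06 03 55 1d 13")


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos. Returns (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def load_der(data: bytes) -> bytes:
    """Accept a PEM (-----BEGIN ...-----) or raw DER certificate; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def basic_constraints(cert_der: bytes) -> Optional[dict]:
    """Find the basicConstraints extension in a DER certificate and decode it.
    Returns {'critical': bool, 'ca': bool, 'pathlen': int or None}, or None if absent.
    The extension is found by its OID bytes; a false hit is skipped unless the OID is
    followed by the BOOLEAN (critical) or OCTET STRING (extnValue) tag."""
    start = 0
    while True:
        idx = cert_der.find(BASIC_CONSTRAINTS_OID, start)
        if idx < 0:
            return None
        pos = idx + len(BASIC_CONSTRAINTS_OID)
        if pos < len(cert_der) and cert_der[pos] in (0x01, 0x04):
            break
        start = idx + 1
    critical = False
    tag, value, pos = _read_tlv(cert_der, pos)
    if tag == 0x01:                         # optional BOOLEAN critical (DEFAULT FALSE)
        critical = value != b"\x00"
        tag, value, pos = _read_tlv(cert_der, pos)
    if tag != 0x04:                         # extnValue must be an OCTET STRING
        return None
    _, seq, _ = _read_tlv(value, 0)         # BasicConstraints ::= SEQUENCE { cA, pathLenConstraint }
    ca, pathlen, p = False, None, 0
    while p < len(seq):
        tag, v, p = _read_tlv(seq, p)
        if tag == 0x01:                     # cA BOOLEAN (omitted in DER when FALSE)
            ca = v != b"\x00"
        elif tag == 0x02:                   # pathLenConstraint INTEGER
            pathlen = int.from_bytes(v, "big")
    return {"critical": critical, "ca": ca, "pathlen": pathlen}


def verdict(bc: Optional[dict]) -> str:
    """Apply the guidance from the advisory above to a decoded extension."""
    if bc is None:
        return "no basicConstraints extension"
    if bc["ca"]:
        return "CA:TRUE - this is a CA certificate, not a RADIUS server certificate"
    if bc["pathlen"] is not None:
        return ("PROBLEM: CA:FALSE with pathlen present - Android 12 authentications will fail; "
                "regenerate the CSR with Basic Constraints NOT marked critical")
    if bc["critical"]:
        return "CA:FALSE, critical, no pathlen - 'critical' is unnecessary but this is not the Android 12 case"
    return "OK: CA:FALSE, non-critical, no pathlen"


# Constructed sample extensions (not from any real certificate). Each is only the
# Extension SEQUENCE, which is enough for basic_constraints() to locate and decode.
BROKEN_EXT = bytes.fromhex("30 0f  06 03 55 1d 13  01 01 ff  04 05  30 03 02 01 00")  # critical, CA:FALSE, pathlen:0
GOOD_EXT = bytes.fromhex("30 09  06 03 55 1d 13  04 02  30 00")                        # non-critical, CA:FALSE
CA_EXT = bytes.fromhex("30 0f  06 03 55 1d 13  01 01 ff  04 05  30 03 01 01 ff")       # critical, CA:TRUE
# The same good extension wrapped as PEM, to exercise load_der()
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(GOOD_EXT) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # usage: python check_bc.py server.cer
        with open(sys.argv[1], "rb") as f:
            bc = basic_constraints(load_der(f.read()))
        print(bc, "->", verdict(bc))
    else:
        for label, ext in (("broken", BROKEN_EXT), ("good", GOOD_EXT), ("ca", CA_EXT)):
            bc = basic_constraints(ext)
            print(f"{label:6} {bc} -> {verdict(bc)}")
```

Run it as `python check_bc.py server.cer` against the certificate exported from the NPS ORPS (PEM or DER); a `PROBLEM` verdict corresponds to the `CA:FALSE,pathlen:0` result that CAT shows for an affected Windows CA certificate.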

3) Ref. Section 14 Accounting

Accounting packets must not be sent to the NRPS, so the tick boxes should be left blank. (Do not forward network access start and stop notifications to the NRPS.)