dmc1981
(DMC1981)
1
We have used Windows NPS for a RADIUS server for many years. We have a few complaints about that product.
- Spring 2022 Windows Update broke functionality and led us to an 802.1X nightmare
- Encryption cyphers are outdated (or maybe that’s just all of RADIUS?)
- The Windows NPS look, feel, and functionality has not changed to my knowledge in the past 10+ years, which gives the impression that it’s soon to be deprecated like WSUS
Our current use-case for RADIUS is 802.1X (wired and wireless), Cisco switch admin user auth, and Palo Alto Firewall admin user auth.
I’ve looked at FreeRADIUS on a RHEL deployment a year or two ago but didn’t have the time to dedicate to it so I never really got a firm grip on it. The same can be said for PacketFence, although it’s much more than just RADIUS. It’s a full-blown NAC. From what I remember, that may have FreeRADIUS under the hood as well.
What are all of you kind folks using for RADIUS these days in your enterprise environments?
I am open to paid support options if it’s the right fit. I’m not sure about cloud RADIUS solutions as I’ve read some horror stories.
kwelch007
(kwelch007)
2
In my experience, RADIUS has always been a half-measure. /badjoke
In seriousness, RADIUS is used all over the place successfully and securely. It can be secured using TLS, but more traditionally it’s only been used within networks, so the known security shortfalls are really not that great a concern.
Rod-IT
(Rod-IT)
3
Did you mean Spring 2022 - that’s 3 years ago.
Ciphers*
It isn’t, it’s here to stay, at least for now and including in 2025
We use Radius built in to NPS, but also have Steel-belted Radius and Free Radius for different tasks.
Most services wrapped around Microsoft Management console (MMC) are appalling, but they serve a purpose. Much like Hyper-V, NPS / Radius are not going anywhere yet.
And Feb/March patches also break certificates for AOVPN/Wi-Fi/802.1x where certificates do not use strong binding - every layer you add means you have to be vigilant on patching
We just have to keep on things, be mindful and read up on any known issues.
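The "strong binding" point above refers to the SID security extension that AD CS adds to certificates after the KB5014754 certificate-mapping changes; the script below is an added example (not from any poster in this thread) that lists machine certificates in the local computer store and flags Client Authentication certificates that lack that extension. The store path, function name and output layout are my choices.

```powershell
# Added example: report which local-machine certificates carry the AD CS
# SID security extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT)
# that strong certificate mapping relies on. Run on a domain-joined
# Windows 11 client or on the NPS server itself.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$ClientAuthEkuOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, needed for EAP-TLS

function Get-CertStrongBindingStatus {
    param(
        # Hypothetical default; point it at another store if your 802.1X cert lives elsewhere
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # [bool] of an empty pipeline result is $false, of one or more extensions $true
        $hasSidExt = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid })
        $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            ClientAuth = ($ekus -contains $ClientAuthEkuOid)
            HasSidExt  = $hasSidExt
        }
    }
}

# Certificates usable for 802.1X but without the SID extension are the ones a
# strong-mapping enforcement change can stop authenticating; re-enroll them from
# a CA that has the KB5014754 update installed, which adds the extension to
# certificates it issues from AD-backed templates.
Get-CertStrongBindingStatus |
    Where-Object { $_.ClientAuth -and -not $_.HasSidExt } |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
```

An empty table means every client-auth certificate in the store already carries the extension; certificates issued before the CA was patched will show up here until renewed.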
dmc1981
(DMC1981)
4
I did… and yep that was 3 years ago.
I’m aware NPS still exists in Server 2025. Beyond that, I have no idea. Do you?
Any thoughts you’d like to share on the other 2 products you mentioned?
No argument there… and I could really go down a rabbit hole here but am going to just leave it at that. Sigh…
phildrew
(phildrew)
5
It hasn’t been announced as a deprecated (no more development) feature. Once that is announced, it will live on in supported Windows Server versions for 10 years - so you might need to stick with Server 2025.
If you want to know what MS will deprecate with Server 2027 or beyond, we can’t help you.
If you need to know what MS plans beyond 2035, we can’t help you.
But if your plan is to set up RADIUS/NPS now, on Server 2025, you can rest assured that you will be able to use it for 10 more years, and be able to access support from MS for that duration.
Rod-IT
(Rod-IT)
6
Unfortunately not, but since it’s available in 2025 and not mentioned, like WSUS, I expect since it’s used in AOVPN, DirectAccess and NPS, it’s here for some time yet.
NB Direct Access is being phased out, in favour of AOVPN. If AOVPN is here to stay, so is NPS and Radius.
Network Access Protection (NAP), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP) were deprecated, though.
Nothing directly related to replacing the existing Radius or NPS.
What is your goal, what are you looking to change for? Apart from glitches you get with patches, which you get on all products and services, is there a reason you’re looking to change?
I use NPS for the same use cases. There are lots of things that don’t look like they get much development…and they probably don’t. The RADIUS protocol dates back to the 1990s. It needs to interoperate with other vendors. If the industry was pushing things forward, Microsoft probably would move ciphers forward too. DNS console looks about the same to me as it did in Windows 2000, but that doesn’t mean that DNS isn’t getting development. There are actually new features in there if you know where to look.
Now, if Microsoft would allow NPS to run under Windows Core, that would be a welcome improvement.
My only big issue with NPS was when I had my CA root expire, or something along those lines.
dmc1981
(DMC1981)
8
My goal is to evaluate our RADIUS server options by hearing from others in the community.
Rod-IT
(Rod-IT)
9
I suppose I knew that. I guess what I meant is: is there something wrong with your existing setup that prompted the question about RADIUS options, or is it not doing something you want it to do?
dmc1981
(DMC1981)
10
Nothing other than what I had already stated in my original post. I’ll say this… the more time goes by, the less I am a fan of MS Windows products. That’s another rabbit hole that could be its own topic of discussion. Over the past number of years, I’ve evaluated and looked at comparable Linux server applications/services to replace previous Windows apps/services.
I’m definitely more of a Linux guy (mostly RHEL-based systems) these days.
dmc1981
(DMC1981)
11
Circling back around to this… I’m curious if anyone can share if they’re successfully using Windows NPS server in conjunction with Windows 11 clients doing computer certificate checks for 802.1x auth. If so, I’d like to hear more about your config.
That said, I was able to get FreeRadius working on a RHEL virtual using my Windows AD CA and Windows 11 client devices. I may have some more tweaks but at least from a PoC, it works; whereas NPS for me in that same config is no dice.