
Can I Set Up Microsoft NPS in the Cloud?

Key Takeaways
  • Microsoft NPS is designed for on-premise use, and adapting it for cloud-based authentication requires additional tools like a RADIUS proxy or VPN configurations.
  • SecureW2’s Cloud RADIUS offers a secure way to handle certificate-based authentication for cloud environments.
  • Cloud RADIUS integrates seamlessly with your existing infrastructure, including Identity Providers (IDPs), and is designed to support secure, passwordless authentication for enhanced network security.

Microsoft Network Policy Server (NPS) is Microsoft’s AAA RADIUS server. It authenticates and authorizes users and devices for network connections and records accounting data for them. NPS is an on-premise RADIUS server and uses Active Directory Domain Services (ADDS) for 802.1X authentication. Because it is designed for on-premise use, NPS has no native support for cloud-based authentication and needs specific add-ons or third-party solutions to provide it. You can set up Microsoft Network Policy Server (NPS) in the cloud by:

  • Deploying NPS on Microsoft Azure Virtual Machine
  • Using Entra ID MFA with an NPS Extension
  • Using Entra ID with a Cloud RADIUS Solution

Deploy NPS on Microsoft Azure Virtual Machine (VM)

To deploy NPS as a RADIUS server on a Microsoft Azure VM, you must create a VM, install the NPS role, and configure it for RADIUS authentication and accounting. You also must define the network policies it will enforce and set up VPN connectivity to your other on-premise infrastructure (for example, the domain controllers and the network access servers that will send it RADIUS requests).

As a RADIUS proxy, the NPS server forwards authentication and accounting requests to the appropriate RADIUS servers. You can use it to route messages between RADIUS clients (network access servers such as wireless controllers and VPN gateways) and the RADIUS servers behind it. Those RADIUS servers perform the actual authentication, authorization, and accounting for the connection attempt.
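The VM-side steps described above (install the role, register it in AD, admit one RADIUS client, lock down the listener), as an added PowerShell example that is not part of the original article. The client name "hq-wlc", the NAS address 10.20.0.5 and the backup path are placeholders; the VM is assumed to be a domain-joined Windows Server reached by the NAS over the site-to-site VPN.

```powershell
# Added example (not from the original article): configure the NPS role on an
# Azure VM as a RADIUS server for one on-premise network access server (NAS).
# Assumptions: elevated PowerShell on a domain-joined Windows Server VM; the
# client name "hq-wlc" and NAS address 10.20.0.5 are placeholder values.

# 1. Install the NPS role and its management tools.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it may read users' dial-in
#    properties (needs Domain Admin rights).
netsh ras add registeredserver

# 3. Admit RADIUS traffic (UDP 1812 auth / 1813 accounting) only from the NAS
#    address that arrives over the VPN, never from the whole internet.
New-NetFirewallRule -DisplayName "RADIUS from on-prem NAS" -Direction Inbound `
    -Protocol UDP -LocalPort 1812,1813 -RemoteAddress 10.20.0.5 -Action Allow

# 4. Register the NAS as a RADIUS client. The shared secret is read
#    interactively so it does not end up in the shell history or in a script.
Import-Module NPS
$secret = Read-Host -Prompt "Shared secret for hq-wlc" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new("", $secret).Password
New-NpsRadiusClient -Name "hq-wlc" -Address "10.20.0.5" -SharedSecret $plain
Remove-Variable plain

# 5. Verify the client and export the configuration for backup and change
#    review. The export contains shared secrets: keep it in a restricted path.
Get-NpsRadiusClient -Name "hq-wlc" | Format-List Name, Address
New-Item -ItemType Directory -Force -Path "C:\NpsBackup" | Out-Null
Export-NpsConfiguration -Path "C:\NpsBackup\nps-config.xml"
```

Network policies (which groups may connect, which EAP types are accepted) are still created in the NPS console or imported from an exported configuration; this block only establishes the server, its one trusted client and the firewall scope.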

Advantages of Setting Up NPS on Microsoft Azure VM

The main advantage of a VM is that it is fully scalable. VMs are available in ample storage and compute sizes that can be adjusted dynamically for optimum resource management. They can be deployed across multiple regions for redundancy and resilience. They come with built-in security features like Microsoft Azure Defender and firewalls and comply with common security standards.

Disadvantages of Setting Up NPS on Microsoft Azure VM

The main disadvantage of setting up NPS on a Microsoft Azure VM is that it requires constant maintenance, robust security hardening, and timely patches and security updates. You also need a dedicated team to ensure compliance and uptime.

An NPS server on a Microsoft Azure VM also lacks the capacity for real-time authorization changes, as it has no event hooks to notify the application when network events change.

As your organization adapts to cloud-based network infrastructure, consider migrating from an on-premise AD to Azure. You may need to use Microsoft Entra ID Connect, which adds another component whose connection errors with legacy servers must be troubleshot and which can introduce network vulnerabilities if misconfigured.

Using Microsoft Azure AD Multi-Factor Authentication with an NPS Extension

You can also use the NPS extension for Microsoft Entra ID MFA to add cloud-based MFA to your existing NPS infrastructure. The extension adds an extra authentication factor through phone calls, SMS, or app-based verification.

Here, NPS acts as an adapter between RADIUS and cloud-based Microsoft Entra ID MFA, adding an extra authentication factor for federated and synced users and devices on the network.

When a user or device requests a connection through a VPN or other RADIUS client, the NPS server first authenticates them against the on-premise AD. Upon successful authentication, the NPS extension triggers a second-factor challenge (phone call, SMS, or authenticator app) through Microsoft Entra ID MFA.

Advantages of the NPS Extension for Microsoft Entra ID MFA

The NPS Extension for Entra ID MFA can be added directly to your existing on-premise infrastructure without adding extra servers or tools. As an administrator, you can manage MFA policies and users from Entra ID without adding any additional monitoring tools.

Disadvantages of the NPS Extension for Entra ID MFA

The NPS extension does not replace the on-premise NPS server, which still requires constant security hardening, patch updates, and regular maintenance. It acts only as an extension and does not talk to Entra ID directly for RADIUS authentication, which adds the burden of getting the configuration right.

The NPS extension does not provide a dedicated event log, so RADIUS events must be reviewed manually, making it hard to diagnose and troubleshoot authentication failures. Unlike Entra ID MFA with cloud applications, you cannot apply Conditional Access policies to the NPS extension, so it does not provide granular access control on the network.

Using Microsoft Entra ID with a Cloud RADIUS Solution

Hosting NPS in the cloud requires a complex configuration process, regular security updates, and dedicated staff to keep the infrastructure up and running smoothly at all times. A Cloud RADIUS solution, by contrast, works with your existing cloud-based Microsoft Entra ID infrastructure, eliminating the need for an on-premise RADIUS server. It is fully managed in the cloud and can be scaled up or down according to your growing needs.

A Cloud RADIUS solution provides up to 99.99% uptime for Wi-Fi and VPN authentication without adding servers to your network. EAP-TLS supports certificate-based authentication on a WPA2-Enterprise network, enabling passwordless authentication combined with conditional access policies for granular access control.

Move Away From On-Premise RADIUS to SecureW2’s Cloud RADIUS

Using Microsoft NPS in the cloud for 802.1X authentication requires the right tools to make the job easy. Too many add-ons drive up the network’s costs and create more work for IT admins. SecureW2’s Cloud RADIUS is a vendor-neutral solution that can authenticate any network device and keep your network secure. You get a secure Cloud RADIUS server and easy-to-use certificate and onboarding services that can quickly enable AD CS and provision server and client certificates for authentication.

SecureW2 provides all the necessary tools to deploy a certificate-based network, including a turnkey PKI solution and Managed Gateway APIs for seamless certificate-based network authentication. Without an onboarding solution, allowing users to configure certificates manually will undoubtedly lead to numerous support ticket requests due to the complex configuration process associated with certificates.
JoinNow Connector PKI allows users to self-configure their devices for certificates in minutes. The process involves only a few clicks, and once completed, the user is equipped with a certificate and can be immediately authenticated.

Our Cloud RADIUS solution integrates with major MDMs, IDPs, and threat intelligence platforms like CrowdStrike to detect risky users and devices and auto-revoke their certificates, denying access without causing major network outages. You can also export RADIUS events to a SIEM to better correlate events, support incident response, and generate audit reports to ensure compliance.

Check out our pricing page to see if our cost-efficient solutions can fit your organization.

About the author
Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.