8. August 2016

NPS 2012 for two factor authentication with privacyIDEA

The Microsoft Network Policy Server (NPS) is the Microsoft RADIUS server. It also provides additional services like Network Access Protection (NAP) and quarantine.

This integration guide will lead you step by step through the process of configuring NPS to work with privacyIDEA.

Network overview

Your setup might look like this or be a bit different. We assume, that you already have a NPS server installed. You may have some RADIUS clients like a firewall, VPN, switch, router or client computers connected to your NPS server.

The RADIUS request on the NPS is forwarded to privacyIDEA.

The RADIUS request is still sent to the Microsoft NPS. But then the RADIUS request is forwarded to privacyIDEA which verifies the one time password (OTP) and thus performs the two factor authentication.

Configure NPS for two factor authentication

Create privacyIDEA RADIUS client

On your privacyIDEA system you are also running the FreeRADIUS server with privacyIDEA. The NPS will forward the RADIUS request to the privacyIDEA server. Thus the NPS acts as a RADIUS client.

You need to add the client configuration to /etc/freeradius/clients.conf:

client NPSServer {
    secret = mySpecialNPSsecret
    ipaddr =

Change the IP address of your NPS server accordingly and make up a good new RADIUS secret. Restart the FreeRADIUS server.

    service freeradius restart

Configure NPS

Create a new RADIUS server group

We assume, that you already performed the basic setup of the NPS server and that you already installed privacyIDEA. On your Windows 2012 server open the Network Policy Server configuration tool.

Create a new forward RADIUS server

Under RADIUS clients and servers create a new Remote RADIUS server.

Name the new remote RADIUS server group

Create a new RADIUS server group and give it an identifying name, you remember. Like privacyIDEA.

Now you can add several RADIUS servers to this group. In this basic configuration we simply add the one RADIUS server of privacyIDEA. So click the button Add to add the privacyIDEA RADIUS server to this group.

Set the IP address of the privacyIDEA system
Specify the RADIUS secret for the communication with privacyIDEA RADIUS server

When adding the privacyIDEA RADIUS server to the server group you need to specify the IP address and the RADIUS shared secret. On the first tab give the IP address and on the second tab you need to set the RADIUS secret (e.g. mySpecialNPSsecret).

Click OK, to add the server to the server group.

If you are running more than one privacyIDEA server you can repeat this step for all of your privacyIDEA servers.





Now you have one privacyIDEA server in your server group.

One privacyIDEA RADIUS server in the server group

Create a new policy

Policies define how the NPS reacts to authentication requests. You need to define a policy, that tells the NPS server which RADIUS requests should be forwarded to the privacyIDEA server group.

Go to Policies and on Connection Request Policies right click and click New.

Create a new Connection Request Policy

The policy needs a nice name, so that you can identify it in the list.

Create a new policy with a new name

You can add as many conditions as you wish to. If these conditions are met, the policy will trigger. So in this basic example we just create a condition matching Client IPv4 Address in our subnet.

Define conditions

In the Authentication section we check Forward Request to the following RADIUS server group and select our group “privacyIDEA”.

Choose the previously defined server group “privacyIDEA”

You may add additional attributes to the request. But in our basic example, we can leave this untouched.

No attributes needed

The basic policy for forwarding two factor authentication requests to the privacyIDEA system is done. You may click the button Finish which takes you back to the overview.

Finish policy definition

You may define several policies in the list, reorder and enable and disable these policies. In our basic example we are just using the single policy, that forwards the requests to privacyIDEA.

Policy ordering


Configuring the NPS to forward two factor authentication requests to privacyIDEA is easy. Using more specialized functions of NPS like more conditions and more sophisticated policies you can combine the best from two wolds. Using NPS for your Windows Network access and privacyIDEA for a flexible centralized two factor authentication and management system.

Contact us for planning your network setup or get your service level agreement for privacyIDEA today.

Latest news
26. March 2024
privacyIDEA in Pasadena
In March, three colleagues visited the Southern California Linux Expo in Pasadena to present privacyIDEA and NetKnights. Cornelius Kölbel, founder of NetKnights, also gave a presentation on “A decade of Open Source”.
19. March 2024
NetKnights GmbH has released version 4.3.0 of the privacyIDEA Authenticator app. New features have been added, such as the import of tokens and a new search function.


Drücken Sie "Enter" zum Starten der Suche


Press "Enter" to start the search