This Tutorial will guide you through installing Microsoft’s Network Policy Server NPS and configure it to authenticate remote VPN users (via Active Directory Security Groups) that are connecting via a Cisco ASA Firewall..

1. The first step is to Add the Network Policy Server Role. Open up Server Manager, right click on Roles and click Add Roles.

2. The Add Roles Wizard begins. Click Next.

3. Tick the box next to Network Policy and Access Services and click Next.

4. An introduction to Network Policy and Access Services is displayed. Click Next.

5. Please a tick in the box next to Network Policy Server and click Next.

6. This window displays the conformation of the role to be installed. Click Install.

7. The Role has been installed successfully. Click Close.

8. To access the Network Policy Server management console click on Start – All Programs – Administrative Tools – Network Policy Server

9. First thing to do when configuring your Network Policy Server is to create a New Client. The client is the device that will be passing the authentication request through to your Network Policy Server. Expand RADIUS Clients and Servers, right click on RADIUS Clients and click on New.

10. Give the Client a friendly name, enter in the IP address of the device from which the authentication request will be coming and lastly enter in the shared secret and click Ok. The shares secret must be the same on your Network Policy Server and the RADIUS Client device.

11. The RADIUS Client is now listed.

12. Next, we will create a Network Policy. The Network Policy is the set of Criteria the RADIUS client and/or user must meet in order to be authenticated. Expand Policies and right click on Network Policies and click New.

13. Give the Policy a name and leave the network access server selection as Unspecified.

14. Conditions are where you specify the criteria that must be met in order for the Authentication request to be successful.

15. We are going to add a Condition to check if the User is a member of the Windows Active Directory Security Group called VPN Users. (I have previously created this security group in Active Directory). Click Add.

16. Click on Add Groups.

17. Type the name of the Security Group you create for your VPN Users and click Ok.

18. The Group is now added. Click Ok.

19. As you can see the Windows Group – VPN Users is now listed as a condition. Click Next.

20. When the condition is met we would like to Grant Access. Select Access granted. You can also optionally grant or deny access based on the Dial-In properties of the user account. Click Next.

21. For this install we will select MS-CHAP-v2, Click Next. Normally the Cisco ASA Firewall will authenticate to RADIUS using PAP, however with a few CLI commands we can get it using MS-CHAP-v2 (Firstly with tunnel-group tunnel-group-name ppp-attributes, secondly authentication eap-proxy – Source

22. You have the option to configure certain constraints on this page. For example you may wish to restrict authentication between certain times of the day. Click Next.

23. On this screen there are more optional settings to configure for the Policy.

24. You may wish to change the Encryption settings, make sure the settings match up on both ends.

25. The Network Policy is now completed. Review the settings and Click Finish.

26. Last step to do is to move the policy processing order to the top. Right click on the Policy that you just created and click Move Up until it’s positioned at the top.

27. Your Network Policy Server is now complete.

All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.


  1. Any suggestions on a how-to to setup the ASA side, as well as the client using the MS VPN client? I followed the instructions linked in this article for the ASA config, but I’m still getting an Error 800 when trying to connect.

Leave a Reply

Your email address will not be published.



This site uses Akismet to reduce spam. Learn how your comment data is processed.