Forum Discussion
Deploying Multiple NPS Servers
I have been working on ditching our password-based WiFi with WPA2-Enterprise.
On DC1 I deployed internal CA, NPS, and group policies that auto-request certs and deploy wireless network settings. Cisco AP is pointed to DC1 as the radius server. NPS has been registered in AD and wireless network policy has been created. Test laptops get their cert and connect just fine. It's working.
For redundancy, I installed NPS on DC2. This NPS instance has also been registered in AD, and I imported the NPS config from DC1 to DC2 NPS. Cisco AP has DC1 as first radius server and DC2 as second radius server.
If I stop NPS on DC1 to force the Cisco AP to authenticate against DC2, test laptops won't authenticate and connect.
What am I missing? They're configured exactly the same (except DC1 hosts the CA...I was under the assumption the CA is AD integrated).
2 Replies
- NettricCopper Contributor
Much appreciated...
I resolved this issue. It was a Windows firewall issue, only. Apparently, there is still a bug where when NPS role is installed and the Windows firewall rules are auto-created, the firewall rules don't actually work. I had to manually add an inbound rule for Radius Authentication and Radius Accounting.
Once I did that, I disabled NPS on DC1, leaving DC2 as the only NPS server, and my test clients connected just fine. Thanks Microsoft.
Side note: Yes, the trusted root cert from my CA was present on the test client and all needed certs had already been issued to DC2 and were present in DC2's Personal folder.
Even though your CA is AD-integrated and auto-enrollment works, DC2 must explicitly trust the issuing CA and have access to the full certificate chain. Here's what to check:
DC2 must have the CA certificate in its Trusted Root Certification Authorities store
- Open certlm.msc on DC2.
- Navigate to Trusted Root Certification Authorities > Certificates.
- Ensure your internal CA certificate is present.
- If missing, export it from DC1 and import it manually.
DC2 must have the Intermediate CA (if applicable)
- If your CA uses an intermediate certificate, make sure DC2 has it in Intermediate Certification Authorities.
DC2 must have a valid server certificate for EAP-TLS
- NPS uses a server certificate to identify itself during the TLS handshake.
- Confirm that DC2 has a certificate with:
  - Server Authentication EKU
  - Subject Name or SAN matching the server's name
  - Issued by your internal CA
- You can use auto-enrollment or manually request it via MMC > Certificates (Computer) > Personal > Request New Certificate.
Check NPS Policy Conditions
Even if you exported the NPS config, double-check:
- Connection Request Policies and Network Policies on DC2.
- Ensure the NAS IP Address or NAS Identifier conditions match what the Cisco AP sends.
- If DC1 had a policy scoped to its own IP or hostname, DC2 might be rejecting requests.
Test with NPS Logging
Enable logging on DC2:
- Open NPS console > Accounting > Log File Properties
- Enable Log authentication requests
- Check logs under %SystemRoot%\System32\LogFiles
This will show whether DC2 is receiving requests and why it's rejecting them.
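A PowerShell pre-flight check for the second NPS server that covers both the firewall fix from the resolution reply and the certificate checks from the checklist above. This is an added example, not code from the thread; it assumes you pass in the thumbprint of your internal root CA certificate, that the server's FQDN is the name clients validate, and that RADIUS uses the standard UDP ports 1812/1813 (plus legacy 1645/1646).

```powershell
# Added example (not from the thread): pre-flight checks before failing over to a second NPS server.
# Assumptions: root CA thumbprint supplied by the operator; RADIUS on UDP 1812/1813 and 1645/1646.
param(
    [Parameter(Mandatory)] [string] $RootCaThumbprint,
    [string] $ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$radiusPorts = @(1812, 1813, 1645, 1646)

# 1. Firewall. The thread reports the auto-created NPS rules did not pass traffic and a manually
#    added inbound RADIUS rule fixed it. Look for an enabled inbound UDP allow rule that is not
#    scoped to a program and covers port 1812 (assumption: that is what the manual rule amounts to).
$ruleFound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallApplicationFilter
        $pf.Protocol -eq 'UDP' -and $af.Program -eq 'Any' -and
        ($pf.LocalPort -contains '1812' -or $pf.LocalPort -eq 'Any')
    }
if (-not $ruleFound) {
    Write-Warning "No unscoped inbound UDP rule for RADIUS found; creating one."
    New-NetFirewallRule -DisplayName 'RADIUS Authentication and Accounting (Manual)' `
        -Direction Inbound -Protocol UDP -LocalPort $radiusPorts -Action Allow -Profile Domain | Out-Null
}

# 2. Trusted root: the internal CA certificate must be in Trusted Root Certification Authorities.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint
if (-not $root) { Write-Warning "Root CA $RootCaThumbprint is missing from LocalMachine\Root." }

# 3. EAP-TLS server certificate in Personal: private key, Server Authentication EKU, name match,
#    and a chain that builds (through any intermediate) up to that same root.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$usable = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $c.HasPrivateKey) { continue }
    if ($c.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) { continue }
    $nameOk = ($c.DnsNameList.Unicode -contains $ServerFqdn) -or ($c.Subject -like "*CN=$ServerFqdn*")
    if (-not $nameOk) { continue }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$serverAuthOid) | Out-Null
    if (-not $chain.Build($c)) { continue }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    if ($top -eq $RootCaThumbprint) { $c }
}
if ($usable) {
    $usable | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No usable EAP-TLS server certificate for $ServerFqdn chained to $RootCaThumbprint."
}
```

Run it elevated on the second NPS server after importing the NPS configuration; if step 3 reports nothing, the request in NPS > Accounting > Log File Properties logs will still show rejections even though the firewall now passes traffic.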