NPS and Firewalls

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Firewalls can be configured to allow or block types of IP traffic to and from the computer or device on which the firewall is running. If firewalls are not properly configured to allow RADIUS traffic between RADIUS clients, RADIUS proxies, and RADIUS servers, network access authentication can fail, preventing users from accessing network resources.

Two types of firewalls might need to be configured to allow RADIUS traffic:

  • Windows Firewall on the local server running Network Policy Server (NPS).

  • Firewalls running on other computers or hardware devices.

Windows Firewall on the local NPS server

By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646. During the installation of NPS, Windows Firewall on the NPS server is automatically configured with exceptions that allow this RADIUS traffic to be sent and received.

Therefore, if you are using the default UDP ports, you do not need to change the Windows Firewall configuration to allow RADIUS traffic to and from NPS servers.

In some cases, you might want to change the ports that NPS uses for RADIUS traffic. If you configure NPS and your network access servers to send and receive RADIUS traffic on ports other than the defaults, you must do the following:

  • Remove the exceptions that allow RADIUS traffic on the default ports.

  • Create new exceptions that allow RADIUS traffic on the new ports.

For more information, see Configure NPS UDP Port Information.
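The two steps above (remove the default-port exceptions, then create exceptions for the new ports) as an added PowerShell example; this is not code from the original article. It assumes Windows Server 2012 or later (NetSecurity module), an elevated session, that NPS and the access servers have already been switched to the hypothetical ports 11812 and 11813, and uses constructed RFC 5737 documentation addresses for the RADIUS clients.

```powershell
# Added example, not part of the original article. Assumes Windows Server 2012 or later
# (NetSecurity module; on 2008 R2 use the netsh line at the end instead), an elevated
# PowerShell session, and that NPS and the access servers have been reconfigured to use
# the hypothetical ports 11812 (authentication) and 11813 (accounting).
$DefaultPorts  = '1812', '1813', '1645', '1646'
$NewAuthPort   = 11812                       # assumed value, substitute your own
$NewAcctPort   = 11813                       # assumed value, substitute your own
$RadiusClients = '192.0.2.10', '192.0.2.11'  # constructed documentation addresses

# Step 1: remove the exceptions for the default ports. The built-in rules are located by
# their UDP port filter rather than by display name; they are disabled rather than
# deleted so the predefined rules can be restored if you revert to the default ports.
$defaultRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and
                   (@($_.LocalPort) | Where-Object { $DefaultPorts -contains $_ }) } |
    Get-NetFirewallRule
$defaultRules | ForEach-Object { "Disabling: $($_.DisplayName)" }
$defaultRules | Disable-NetFirewallRule

# Step 2: create new exceptions for the new ports. Each rule is bound to the NPS service
# (service name IAS) so only NPS can receive on these ports, and -RemoteAddress limits
# senders to the known RADIUS clients, mirroring the per-client filtering the article
# recommends on the perimeter firewall. If the outbound default action of the profile
# is Block, add matching -Direction Outbound rules as well.
New-NetFirewallRule -DisplayName 'NPS RADIUS Authentication (custom port) - UDP-In' `
    -Direction Inbound -Protocol UDP -LocalPort $NewAuthPort -Service 'ias' `
    -RemoteAddress $RadiusClients -Action Allow
New-NetFirewallRule -DisplayName 'NPS RADIUS Accounting (custom port) - UDP-In' `
    -Direction Inbound -Protocol UDP -LocalPort $NewAcctPort -Service 'ias' `
    -RemoteAddress $RadiusClients -Action Allow

# Step 3: verify which ports and peers the enabled NPS RADIUS rules now permit.
Get-NetFirewallRule -DisplayName 'NPS RADIUS*' -Enabled True |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        $peer = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-55} UDP/{1,-6} from {2}' -f $_.DisplayName, $port, ($peer -join ', ')
    }

# Windows Server 2008 R2 equivalent for one of the rules (netsh advfirewall):
# netsh advfirewall firewall add rule name="NPS RADIUS Authentication (custom port)" `
#     dir=in action=allow protocol=UDP localport=11812 service=ias remoteip=192.0.2.10,192.0.2.11
```

After running this, confirm from a RADIUS client that authentication still succeeds, and check the NPS event log for rejected or dropped requests before removing any remaining default-port rules permanently.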

Other firewalls

In the most common configuration, the firewall is connected to the Internet and the NPS server is an intranet resource that is connected to the perimeter network.

To reach the domain controller within the intranet, the NPS server might have:

  • An interface on the perimeter network and an interface on the intranet, with IP routing between the two interfaces not enabled.

  • A single interface on the perimeter network. In this configuration, NPS communicates with domain controllers through another firewall that connects the perimeter network to the intranet.

Configuring the Internet firewall

The firewall that is connected to the Internet must be configured with input and output filters on its Internet interface (and, optionally, its perimeter network interface) to allow the forwarding of RADIUS messages between the NPS server and RADIUS clients or proxies on the Internet. Additional filters can be used to allow the passing of traffic to Web servers, VPN servers, and other types of servers on the perimeter network.

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow RADIUS traffic from Internet-based RADIUS clients to the NPS server:

  • Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server.

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.

  • Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server.

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.

  • (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server.

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server.

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.

Configure the following output packet filters on the Internet interface of the firewall to allow RADIUS traffic from the NPS server to Internet-based RADIUS clients:

  • Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server.

    This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.

  • Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server.

    This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.

  • (Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server.

    This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server.

    This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the firewall to allow RADIUS traffic from the NPS server toward Internet-based RADIUS clients:

  • Source IP address of the perimeter network interface and UDP source port of 1812 (0x714) of the NPS server.

    This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.

  • Source IP address of the perimeter network interface and UDP source port of 1813 (0x715) of the NPS server.

    This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.

  • (Optional) Source IP address of the perimeter network interface and UDP source port of 1645 (0x66D) of the NPS server.

    This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Source IP address of the perimeter network interface and UDP source port of 1646 (0x66E) of the NPS server.

    This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

Configure the following output packet filters on the perimeter network interface of the firewall to allow RADIUS traffic from Internet-based RADIUS clients to the NPS server:

  • Destination IP address of the perimeter network interface and UDP destination port of 1812 (0x714) of the NPS server.

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.

  • Destination IP address of the perimeter network interface and UDP destination port of 1813 (0x715) of the NPS server.

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port that is used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.

  • (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1645 (0x66D) of the NPS server.

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Destination IP address of the perimeter network interface and UDP destination port of 1646 (0x66E) of the NPS server.

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port that is used by older RADIUS clients.

For added security, restrict these filters further by using the IP address of each RADIUS client that sends packets through the firewall, so that only traffic between a known client and the IP address of the NPS server on the perimeter network is allowed.

Configuring the intranet firewall

The firewall that is connected to the intranet must be configured with input and output filters on its perimeter network interface (and, optionally, its intranet interface) to allow the forwarding of RADIUS messages between the NPS server on the perimeter network and domain controllers on the intranet. Additional filters can allow the passing of traffic to Web, VPN, and other types of servers on the perimeter network.

Separate input and output packet filters can be configured on the perimeter network interface and the intranet interface.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the intranet firewall to allow traffic from the NPS server:

  • Source IP address of the perimeter network interface of the NPS server.

    This filter allows traffic from the NPS server on the perimeter network.

Configure the following output packet filters on the perimeter network interface of the intranet firewall to allow traffic to the NPS server:

  • Destination IP address of the perimeter network interface of the NPS server.

    This filter allows traffic to the NPS server on the perimeter network.

Filters on the intranet interface

Configure the following input packet filters on the intranet interface of the firewall to allow traffic from the intranet to the NPS server:

  • Destination IP address of the perimeter network interface of the NPS server.

    This filter allows traffic to the NPS server on the perimeter network.

Configure the following output packet filters on the intranet interface of the firewall to allow traffic from the NPS server into the intranet:

  • Source IP address of the perimeter network interface of the NPS server.

    This filter allows traffic from the NPS server on the perimeter network.