
Support for RadSec (RADIUS over TLS) in Windows NPS

Rui Evora 0 Reputation points
2026-04-09T14:06:07.2866667+00:00

Does Windows Network Policy Server support RadSec (RADIUS over TLS)? If not, could you please provide official documentation or a KB article confirming this limitation, as well as the recommended alternatives or solutions?

Windows for business | Windows Server | Networking | Other

2 answers

  1. Domic Vo 19,030 Reputation points Independent Advisor
    2026-04-09T14:48:37.8366667+00:00

    Hello,

    Windows Network Policy Server (NPS) does not support RadSec (RADIUS over TLS). NPS only implements RADIUS over UDP as defined in RFC 2865/2866, and Microsoft has not extended NPS to support TLS encapsulation. This limitation is confirmed in Microsoft’s official documentation for NPS, which describes supported protocols and features but makes no mention of RadSec.

    The security concern here is that RADIUS over UDP is vulnerable when traversing untrusted networks. Microsoft has introduced mitigations such as support for the Message-Authenticator attribute in Access-Request packets (added in recent cumulative updates), but this is not equivalent to RadSec. RadSec provides end-to-end TLS encryption of RADIUS traffic, which NPS does not implement.

    For organizations that require RadSec, the recommended alternatives are to deploy a third-party RADIUS server such as FreeRADIUS or Radiator, both of which support RadSec and can integrate with Active Directory or Microsoft Entra ID. Another supported approach is to place NPS behind a VPN or private network segment so that RADIUS traffic does not traverse untrusted networks, thereby mitigating exposure without RadSec.

    Official references you can rely on are:

    • Microsoft Learn – NPS Overview: confirms NPS implements RADIUS over UDP only.
    • Microsoft KB5040268: documents improvements to RADIUS security in NPS, specifically the Message-Authenticator attribute, but does not add RadSec.
    • Microsoft Q&A discussions: explicitly state that RadSec is not supported in NPS.

    In summary, NPS does not support RadSec, and Microsoft has not announced plans to add it. If RadSec is a compliance requirement, you will need to integrate a third-party RADIUS solution or secure NPS traffic through other means such as VPN encapsulation.

    I hope you've found something useful here. If it helps you get more insight into the issue, accepting the answer would be appreciated. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.

    1 person found this answer helpful.
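
Added example (not part of the answer above, and not Microsoft code): a check of the Message-Authenticator attribute that the answer names as the mitigation for RADIUS over UDP. It follows the RFC 2869 / RFC 3579 definition (attribute type 80, HMAC-MD5 over the whole Access-Request with the 16-byte value zeroed, keyed with the shared secret); the secret, user name and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579
ACCESS_REQUEST = 1          # RADIUS code, RFC 2865

def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte Request Authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(packet, secret):
    """Return 'missing', 'invalid' or 'valid' for an Access-Request."""
    length = struct.unpack("!H", packet[2:4])[0]
    found = [(off, val) for t, off, val in parse_attributes(packet)
             if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"  # the case the hardening guidance wants rejected
    off, received = found[0]
    if len(received) != 16:
        return "invalid"
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, received) else "invalid"

def build_access_request(ident, authenticator, attrs, secret, sign=True):
    """Build a constructed sample Access-Request, signed first-attribute style."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16 + body
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:22] + mac + pkt[38:]  # value sits right after the 20-byte header
    return pkt

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not from the page
    pkt = build_access_request(7, bytes(16), [(1, b"alice")], secret)
    print(check_message_authenticator(pkt, secret))
```

The check covers integrity of the request only; the attributes still travel unencrypted over UDP, which is the gap RadSec closes.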

  2. Q&A Assist
    2026-04-09T14:06:23.1466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Network Policy Server (NPS) does not support RadSec (RADIUS over TLS).

    In the provided documentation, NPS is described as implementing the standard RADIUS protocol as defined in RFC 2865 and RFC 2866 and operating as a RADIUS server and proxy over the traditional UDP-based RADIUS transport. There is no mention of TLS-based RADIUS transport (RadSec) support, only standard RADIUS plus EAP/TLS-based authentication methods (such as EAP-TLS and PEAP-TLS) running over RADIUS.

    Additionally, current guidance around TLS in this context focuses on EAP methods and TLS versions (for example, Windows 11 enabling TLS 1.3 for EAP methods, with the explicit note that NPS does not support TLS 1.3 yet), not on RadSec transport support. This further indicates that NPS continues to use classic RADIUS transport rather than RadSec.

    Recommended alternatives or solutions from the available context are:

    1. Use NPS as a standard RADIUS server or proxy
      • NPS can be deployed as a RADIUS server or RADIUS proxy to centralize authentication, authorization, and accounting for wireless, VPN, dial-up, and other access types, using standard RADIUS over UDP.
      • NPS can also act as a RADIUS proxy between RADIUS clients and other RADIUS servers, including in multi-forest or outsourced access scenarios.
    2. Use EAP-TLS/PEAP-TLS for strong TLS-based authentication
      • Even without RadSec, NPS supports certificate-based EAP methods (EAP-TLS, PEAP-TLS) to provide TLS-protected authentication inside the RADIUS exchange.
      • Note that NPS currently does not support TLS 1.3 for these methods and must use earlier TLS versions as documented.
    3. Use NPS Extensions API or third-party RADIUS components
      • The NPS Extensions API allows development of extension DLLs for authentication, authorization, and accounting, but the documentation describes extensions within the RADIUS protocol model, not replacement of the underlying transport with RadSec.
      • For RadSec requirements, a third-party RADIUS server or proxy that explicitly supports RadSec can be placed in front of NPS, using RadSec on the external side and standard RADIUS when communicating with NPS.
    4. Follow current security and protocol guidance
      • For TLS-related issues with NPS (for example, TLS 1.3 behavior or recent RADIUS security updates), Microsoft provides security and support articles that address how NPS handles RADIUS and TLS, but these still assume classic RADIUS transport, not RadSec.
