Friday, 14 March 2014

Microsoft NPS as a RADIUS Server for WiFi Networks: RADIUS Client Limits

The Microsoft Network Policy Server (NPS) is often used as a RADIUS server for WiFi networks. It can provide authentication and authorization services for users on a wireless network.

I put this document together to highlight one particular little 'gotcha' when using NPS with Windows 2008.

Windows 2008 comes in three flavours:
  • Data Centre
  • Enterprise
  • Standard

When using NPS as a RADIUS server, you have to add a number of 'RADIUS clients' to the configuration of the NPS server. These are the devices on your WiFi network that will send the RADIUS requests to NPS each time a user tries to logon to the network. The screenshot below shows where RADIUS clients are configured in NPS:

The RADIUS request contains username and password information for the user trying to logon to the network. The request is generally checked against a Windows AD domain to see if the user is supplying a valid set of AD credentials to access the WiFi network.

In controller-based WiFi networks (e.g. Cisco, Meru, Aruba), the controller is generally the source of the RADIUS requests (i.e. the RADIUS client). If you have a WiFi network of 4 wireless controllers and 200 access points, you just add the 4 controllers as RADIUS clients in NPS. The diagram below demonstrates this point - there is one controller, therefore one RADIUS client:

However, if you are using a WiFi architecture which does not use a controller (e.g. Aerohive, Xirrus, AirTight), then each AP is the source of RADIUS requests (i.e. each AP is a RADIUS client). If you have a network of 200 APs, you need to add 200 RADIUS clients to NPS. The diagram below shows how APs become RADIUS clients in a controller-less network:

(Note: there are also some other cases, such as Cisco's FlexConnect, where the controller is the RADIUS client in normal operation, but the APs take over that role in a controller failure situation - yeah, confusing...)

In Windows 2008, there is a restriction when using NPS with the 'Standard' edition which may cause an issue. When using the Datacenter or Enterprise versions of Windows 2008, NPS can support an unlimited number of RADIUS clients, and will also support IP ranges for RADIUS clients (which is useful if you have a lot of APs and they are all on the same subnet).

The Standard edition, however, can only support 50 RADIUS clients and does not allow ranges of IP addresses for RADIUS clients.

The limitation with the Standard edition is rarely an issue in controller-based networks, as there are generally a very low number of controllers. However, when using non-controller WiFi solutions, you may well hit the 50-device (i.e. AP) limit. In summary, if you are using more than 50 APs in a controller-less deployment, Windows 2008 Standard edition will not meet your needs - you must deploy the Enterprise or Data Centre edition.
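To make the sizing decision above concrete, here is a small planning script I have added to this post (it is not Microsoft code and does not talk to NPS). It takes the addresses that will actually send RADIUS requests (controllers in a controller-based design, every AP in a controller-less one) and the Windows 2008 edition, and reports how many RADIUS client entries NPS would need and whether they fit the edition's limit. Where the edition supports IP ranges it collapses adjacent addresses into CIDR blocks; that NPS accepts ranges in CIDR form is an assumption on my part, and the AP and controller addresses are constructed sample data.

```python
"""Plan NPS RADIUS client entries against Windows 2008 edition limits.

Added example for this post, not Microsoft code. The limits are the ones
quoted in the text: Standard = 50 clients, no IP ranges; Enterprise and
Datacenter = unlimited clients, IP ranges allowed.
"""
import ipaddress

# None for max_clients means "unlimited".
EDITION_LIMITS = {
    "standard":   {"max_clients": 50,   "ip_ranges": False},
    "enterprise": {"max_clients": None, "ip_ranges": True},
    "datacenter": {"max_clients": None, "ip_ranges": True},
}


def radius_sources(architecture, controllers=(), aps=()):
    """Return the addresses that will appear as RADIUS clients.

    controller-based: only the controllers send RADIUS requests.
    controller-less:  every access point sends them itself.
    """
    if architecture == "controller-based":
        return list(controllers)
    if architecture == "controller-less":
        return list(aps)
    raise ValueError(f"unknown architecture: {architecture}")


def plan_radius_clients(edition, sources):
    """Return (entries, fits) for configuring 'sources' on the given edition.

    entries is the list of address strings you would type into NPS. When the
    edition allows ranges, adjacent hosts are merged into the smallest set of
    CIDR blocks (assumption: NPS takes ranges as CIDR, e.g. 10.10.0.0/25).
    fits is True when the entry count is within the edition's client limit.
    """
    limits = EDITION_LIMITS[edition.lower()]
    hosts = [ipaddress.ip_network(a) for a in sources]  # each host as a /32
    if limits["ip_ranges"]:
        merged = ipaddress.collapse_addresses(hosts)
        entries = [str(n) if n.num_addresses > 1 else str(n.network_address)
                   for n in merged]
    else:
        entries = [str(n.network_address) for n in hosts]
    max_clients = limits["max_clients"]
    fits = max_clients is None or len(entries) <= max_clients
    return entries, fits


# Constructed sample estate: 4 controllers and 200 APs on one subnet.
SAMPLE_CONTROLLERS = [f"10.1.0.{i}" for i in range(1, 5)]
SAMPLE_APS = [f"10.10.0.{i}" for i in range(1, 201)]


def report(architecture, edition):
    """Human-readable summary for one architecture/edition combination."""
    sources = radius_sources(architecture, SAMPLE_CONTROLLERS, SAMPLE_APS)
    entries, fits = plan_radius_clients(edition, sources)
    verdict = "fits" if fits else "exceeds the client limit"
    return (f"{architecture} on Windows 2008 {edition.title()}: "
            f"{len(entries)} RADIUS client entries, {verdict}")


if __name__ == "__main__":
    for arch in ("controller-based", "controller-less"):
        for ed in ("standard", "enterprise"):
            print(report(arch, ed))
```

Running it shows the point of the post: the controller-based design needs four entries on any edition, while the controller-less design needs 200 individual entries on Standard (over the limit) but collapses to a handful of ranges on Enterprise or Datacenter.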

The following document from Microsoft details the limitations:

Windows 2012

Finding the corresponding information for Windows 2012 is a little bit more tricky. However, I did manage to dig out this document which seems to indicate varying numbers of clients depending on the edition (wow, there are a lot of them). Check out the line titled: "IAS Connections" in this document:

I have summarized the information below:

Max IAS (NPS) Connections, by edition:
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Microsoft Hyper-V® Server 2012
  • Windows Storage Server 2012 Standard
  • Windows Storage Server 2012 Workgroup
  • Windows MultiPoint Server 2012 Premium
  • Windows MultiPoint Server 2012 Standard

Beyond the PDF document I have linked to above, I can't find any other official references to the 2012 limitations around NPS - if you find any, please add them in the comments section of this article.