RADIUS - Configure NPS for vendor-specific attributes - P2S user groups - Preview

The following section describes how to configure Windows Server Network Policy Server (NPS) to authenticate users to respond to Access-Request messages with the Vendor Specific Attribute (VSA) used for user group support in Virtual WAN point-to-site-VPN. The following steps assume that your Network Policy Server is already registered to Active Directory. The steps may vary depending on the vendor/version of your NPS server.

The following steps describe setting up single Network Policy on the NPS server. The NPS server will reply with the specified VSA for all users who match this policy, and the value of this VSA can be used on your point-to-site VPN gateway in Virtual WAN.


  1. Open the Network Policy Server management console, and right click Network Policies -> New to create a new Network Policy.

    Screenshot of new network policy.

  2. In the wizard, select Access granted to ensure your RADIUS server can send Access-Accept messages after authentication users. Then, click Next.

  3. Name the policy and select Remote Access Server (VPN-Dial up) as the network access server type. Then, click Next.

    Screenshot of policy name field.

  4. On the Specify Conditions page, click Add to select a condition. Then, select User Groups as the condition and click Add. You may also use other Network Policy conditions that are supported by your RADIUS server vendor.

    Screenshot of specifying conditions for User Groups.

  5. On the User Groups page, click Add Groups and select the Active Directory groups that will use this policy. Then, click OK and OK again. You'll see the groups you've added in the User Groups window. Click OK to return to the Specify Conditions page and click Next.

  6. On the Specify Access Permission page, select Access granted to ensure your RADIUS server can send Access-Accept messages after authenticating users. Then, click Next.

    Screenshot of the Specify Access Permission page.

  7. For Configuration Authentication Methods, make any necessary changes, then click Next.

  8. For Configure Constraints select any necessary settings. Then, click Next.

  9. On the Configure Settings page, for RADIUS Attributes, highlight Vendor Specific and click Add.

    Screenshot of the Configure Settings page.

  10. On the Add Vendor Specific Attribute page, scroll to select Vendor-Specific.

    Screenshot of the Add Vendor Specific Attribute page with Vendor-Specific selected.

  11. Click Add to open the Attribute Information page. Then, click Add to open the Vendor-Specific Attribute Information page. Select Select from list and select Microsoft. Select Yes. It conforms. Then, click Configure Attribute.

    Screenshot of the Attribute Information page.

  12. On the Configure VSA (RFC Compliant) page, select the following values:

    • Vendor-assigned attribute number: 65
    • Attribute format: Hexadecimal
    • Attribute value: Set this to the VSA value you have configured on your VPN server configuration, such as 6a1bd08. The VSA value should begin with 6ad1bd.
  13. Click OK and OK again to close the windows. On the Attribute Information page, you'll see the Vendor and Value listed that you just input. Click OK to close the window. Then, click Close to return to the Configure Settings page.

  14. The Configure Settings now looks similar to the following screenshot:

    Screenshot of the Configure Settings page with Vendor Specific attributes.

  15. Click Next and then Finish. You can create multiple network policies on your RADIUS server to send different Access-Accept messages to the Virtual WAN point-to-site VPN gateway based on Active Directory group membership or any other mechanism you would like to support.

Next steps