How To Configure NPS and Active Directory For Dynamic RADIUS-based VLAN Assignment


This document describes the steps to configure an NPS (Network Policy Server) server for the use case below:

  • VLANs need to be assigned based on different RADIUS groups, i.e. Sales group to VLAN 10, Account group to VLAN 20.


      1. Open Active Directory Users and Computers. Right-click on Users. Create a new group.
      2. Give the group the name Vlan10 (the user is free to use any name).

        3. In the same way, create as many groups as required.

         Make the group part of Domain Users by clicking on the Member Of tab and then clicking Add.

        4. Add an AD user. Click on Users and right-click. Select New User. Give the name xyz (user chosen).

        5. Give the username as xyz and click OK.


        Click on Properties of the created user xyz and click on the Dial-in tab.

        Select Allow access and then press OK.


        Click on the Member Of tab.

        Add Domain Users and the RADIUS group by clicking on the Add button.


        Adding group

        Adding domain users

        8. Press OK. Now the user is part of Domain Users and the group.

        Configuring NPS server


        9. Click on Network Policy and click on New.

        10. Give a policy name such as Vlan10_policy. Click on Next.

        11. Click on the Add button.

        12. Select User Groups and click on Add.

        13. Adding the user group: click on Add Groups.


        Click on Add Groups and add the configured AD group, in this example Vlan10. Click on OK.


        Add another condition in the network policy, that is, NAS Port Type.

        16. Select NAS Port Type and then click Add. Select Wireless - IEEE 802.11.

        17. Now both conditions are added.

        19. Click on Constraints and select the EAP methods that you want to be supported.

         20. Now click on the Settings tab.

        20. Click on the Add button. Add three attributes.

        Select Tunnel-Pvt-Group-ID, Tunnel-Medium-Type, Tunnel-Type.

         Select Tunnel-Pvt-Group-ID.


        Click on Add. Then click on Add.

        22. Select the String radio button under “Enter the attribute value in ”. Configure the VLAN ID that you want to assign and click OK.

        23. In the same way, add the Tunnel-Medium-Type and Tunnel-Type attributes: Tunnel-Medium-Type as 802 (includes all 802 media plus Ethernet canonical format) and Tunnel-Type as VLAN.
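
A check that an Access-Accept returned by the NPS really carries the three attributes configured above, as an added example that is not part of the original document. The attribute numbers 64, 65 and 81 and the values 13 (VLAN) and 6 (802) come from RFC 2868 and RFC 3580; the function names and the sample packet are constructed for illustration, and the all-zero authenticator is a placeholder that is not verified.

```python
# Attribute numbers and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_802 = 2, 13, 6

def attr(a_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([a_type, len(value) + 2]) + value

def sample_accept(vlan_id, with_medium=True):
    """Constructed Access-Accept (hypothetical helper, zero authenticator)."""
    body = attr(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
    if with_medium:
        body += attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_802.to_bytes(3, "big"))
    body += attr(TUNNEL_PVT_GROUP_ID, vlan_id.encode("ascii"))
    header = bytes([ACCESS_ACCEPT, 1]) + (20 + len(body)).to_bytes(2, "big")
    return header + bytes(16) + body

def parse_attributes(packet):
    """Return (code, {attribute type: first value}) for a raw RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20          # attributes start after the 20-byte header
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return packet[0], attrs

def vlan_from_accept(packet):
    """Return the assigned VLAN ID, or raise if the assignment is incomplete.
    Tunnel-Type and Tunnel-Medium-Type values are a tag byte plus a 3-byte integer."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for name, a_type, want in (("Tunnel-Type", TUNNEL_TYPE, TYPE_VLAN),
                               ("Tunnel-Medium-Type", TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        raw = attrs.get(a_type)
        if raw is None or len(raw) != 4 or int.from_bytes(raw[1:], "big") != want:
            raise ValueError("%s missing or not %d" % (name, want))
    group = attrs.get(TUNNEL_PVT_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:   # optional leading tag byte
        group = group[1:]
    if not group:
        raise ValueError("Tunnel-Pvt-Group-ID missing or empty")
    return group.decode("ascii")
```

Feeding it the RADIUS payload of an Access-Accept taken from a packet capture shows whether a policy such as Vlan10_policy returns the VLAN that was intended for that group.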