Windows 2012 R2 NPS-Radius with Pfsense OpenVPN

I recently got a project to deploy a Windows 2012 R2 NPS server for wireless authentication, so I decided to spend some time studying Windows 2012 R2 NPS in more detail.

Scenario #1 – NPS-RADIUS (username & password authentication) with pfSense OpenVPN

The high-level steps for configuring Windows 2012 R2 NPS-RADIUS are:

  1. Create an AD group for VPN users
  2. Enable the NPS-RADIUS feature
  3. Register the RADIUS server in AD
  4. Create a RADIUS client with a shared secret
  5. Create a new Network Policy with processing order 1 that only allows users in the VPN group to log in
  6. Configure accounting & logging in NPS-RADIUS

# Create an AD group for VPN users
New-ADGroup -Name "MyVPN" `
    -SamAccountName MyVPN `
    -GroupCategory Security `
    -GroupScope Global `
    -DisplayName "VPN Users" `
    -Path "OU=Sales,DC=MonsterBean,DC=Com" `
    -Description "Members who are allowed to use the VPN"

# Add VPN users to the MyVPN group and confirm the membership
Add-ADGroupMember -Identity MyVPN -Members vpn1
Get-ADGroupMember -Identity MyVPN

# Enable the NPS (RADIUS) server role
Import-Module ServerManager
Add-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

# Register NPS in AD: this adds the NPS computer account to the "RAS and IAS Servers" group
# so the server can read users' dial-in properties
netsh ras add registeredserver

# Create a RADIUS client for pfSense. The shared secret must match the one entered in pfSense,
# and -Address must be the IP address pfSense sends its RADIUS requests from (the original
# command omitted the value; the one below is a placeholder to replace).
$PfSenseAddress = "192.0.2.10"
New-NpsRadiusClient -Name pfsense -Address $PfSenseAddress -SharedSecret P@ssw0rd -NapCompatible:$true

# Export the NPS configuration to an XML file (and import it, e.g. on a second NPS server).
# The exported file contains the RADIUS shared secrets, so protect and delete it after use.
Export-NpsConfiguration -Path "C:\temp\Npsconfig.xml"
Import-NpsConfiguration -Path "C:\temp\Npsconfig.xml"

Add a new Network Policy with Processing Order 1 whose condition is membership of the VPN group, so that only users in the VPN group can log in via OpenVPN.

** Leave the other settings at their defaults for this lab
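Before building the network policy it is worth confirming that steps 1 to 4 actually took effect, because a missing registration or a disabled RADIUS client shows up later only as a vague "access denied" on the VPN. The script below is an added example (not from the original post); the group and client names are the lab values used above, and the "RAS and IAS Servers" membership check assumes the NPS role runs on the machine where the script runs.

```powershell
# Added example: pre-flight checks for the NPS-RADIUS prerequisites (steps 1-4).
# $VpnGroup and $RadiusClientName are the lab values from the post; adjust as needed.
Import-Module ActiveDirectory
Import-Module NPS

$VpnGroup         = 'MyVPN'
$RadiusClientName = 'pfsense'
$NpsComputer      = $env:COMPUTERNAME     # assumes this script runs on the NPS server

$checks = @()

# 1. The VPN group exists and is not empty
$group = Get-ADGroup -Filter "SamAccountName -eq '$VpnGroup'"
$checks += [pscustomobject]@{ Check = "AD group '$VpnGroup' exists"; Result = [bool]$group }
$members = if ($group) { @(Get-ADGroupMember -Identity $group) } else { @() }
$checks += [pscustomobject]@{ Check = "AD group '$VpnGroup' has members"; Result = ($members.Count -gt 0) }

# 2. The NPS role is installed and its service (service name IAS) is running
$feature = Get-WindowsFeature -Name NPAS-Policy-Server
$checks += [pscustomobject]@{ Check = 'NPAS-Policy-Server installed'; Result = [bool]$feature.Installed }
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{ Check = 'NPS (IAS) service running'; Result = ($svc -and $svc.Status -eq 'Running') }

# 3. NPS is registered in AD, i.e. its computer account is in "RAS and IAS Servers"
$rasMembers = @(Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object -ExpandProperty Name)
$checks += [pscustomobject]@{ Check = 'NPS computer in "RAS and IAS Servers"'; Result = ($rasMembers -contains $NpsComputer) }

# 4. The RADIUS client for pfSense exists and has an address configured
$client = Get-NpsRadiusClient | Where-Object { $_.Name -eq $RadiusClientName }
$checks += [pscustomobject]@{ Check = "RADIUS client '$RadiusClientName' defined"; Result = [bool]$client }
$checks += [pscustomobject]@{ Check = "RADIUS client '$RadiusClientName' has an address"; Result = ($client -and -not [string]::IsNullOrEmpty($client.Address)) }

$checks | Format-Table -AutoSize
if ($checks.Result -contains $false) {
    Write-Warning 'One or more NPS-RADIUS prerequisites failed; fix them before creating the network policy.'
}
```

Run it in an elevated PowerShell session on the NPS server; every row should read True before the Network Policy wizard is started.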


Accounting & Logging in NPS

  1. Go to "Accounting" and select "Log to a text file on the local computer". I will test logging to a SQL Server database in my next lab.

  2. Uncheck "If logging fails, discard connection requests". If it is enabled, users will not be able to log in when logging fails (unchecking it trades audit completeness for availability: while the failure lasts, connections are still accepted but not recorded). Look in C:\Windows\System32\LogFiles\ for the detailed log files that are generated.

If you would like to view the log files more easily, download IAS Viewer or NPS Log Monitor (trial version), as the default log file is a bit hard to read.
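The text log can also be read without a third-party viewer. The script below is an added example (not from the original post): it assumes the log format chosen under Accounting > Log File Properties is "DTS Compliant", which writes one XML `<Event>` per line (the older IAS/ODBC comma-separated format needs a different parser), and the three log lines in `$SampleLog` are constructed for this example. The reason-code table is limited to the two codes this example labels; other codes are shown numerically.

```powershell
# Added example: parse DTS-format NPS accounting log lines into objects.
# The sample lines are constructed for this example and mirror the fields NPS writes.
$SampleLog = @'
<Event><Timestamp data_type="4">03/15/2016 10:22:01.120</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">MONSTERBEAN\vpn1</User-Name><Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address><Client-Friendly-Name data_type="1">pfsense</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name></Event>
<Event><Timestamp data_type="4">03/15/2016 10:22:01.135</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">MONSTERBEAN\vpn1</User-Name><Client-Friendly-Name data_type="1">pfsense</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code><NP-Policy-Name data_type="1">VPN Users</NP-Policy-Name></Event>
<Event><Timestamp data_type="4">03/15/2016 10:25:44.002</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">MONSTERBEAN\guest7</User-Name><Client-Friendly-Name data_type="1">pfsense</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name></Event>
'@

# RADIUS packet types (RFC 2865/2866 codes) and the NPS reason codes this example labels
$PacketType = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request'; 5 = 'Accounting-Response' }
$ReasonText = @{ 0 = 'Success'; 16 = 'Credentials mismatch' }

function ConvertFrom-NpsDtsLog {
    # Turns one DTS log line (an XML <Event>) into a flat record; empty lines are skipped
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        $e = ([xml]$Line).Event
        # Returns the element text or nothing when the field is absent (fields vary by packet type)
        $get = { param($name) $n = $e.SelectSingleNode($name); if ($n) { $n.InnerText } }
        $pt = [int](& $get 'Packet-Type')
        $rc = & $get 'Reason-Code'
        [pscustomobject]@{
            Time   = [datetime]::ParseExact((& $get 'Timestamp'), 'MM/dd/yyyy HH:mm:ss.fff', [Globalization.CultureInfo]::InvariantCulture)
            User   = & $get 'User-Name'
            Client = & $get 'Client-Friendly-Name'
            Packet = $(if ($PacketType.ContainsKey($pt)) { $PacketType[$pt] } else { "Type-$pt" })
            Reason = $(if ($rc -ne $null) { $r = [int]$rc; if ($ReasonText.ContainsKey($r)) { $ReasonText[$r] } else { "Code $r" } })
            Policy = & $get 'NP-Policy-Name'
        }
    }
}

# Parse the constructed sample. For real data replace $SampleLog with
#   Get-Content C:\Windows\System32\LogFiles\IN*.log   (NPS names the files INyymmdd.log by default)
$records = $SampleLog -split "`r?`n" | ConvertFrom-NpsDtsLog
$records | Format-Table Time, User, Client, Packet, Reason, Policy -AutoSize

# Rejections per user: the quickest view of who is failing and under which policy
$records | Where-Object { $_.Packet -eq 'Access-Reject' } |
    Group-Object User | Select-Object Name, Count
```

In the sample, vpn1 is accepted under the "VPN Users" policy, while guest7 is rejected with reason code 16 (bad credentials); the third line also shows the shape of a denial that fell through to the default policy.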


  3. In the Security event log, filter on event IDs 6272, 6273 and 6278 to see only the events generated by Network Policy Server

If the user is not in the VPN group, he or she will be denied access by the default "Connections to other access servers" policy.
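The same filter can be applied from PowerShell, which makes it easy to see which policy accepted or denied each attempt. The script below is an added example (not from the original post). It reads the three event IDs from the Security log; the EventData field names it picks out (SubjectUserName, ClientName, NetworkPolicyName, Reason) are the ones these events carry in their XML, but any field that is absent simply comes back empty rather than breaking the script.

```powershell
# Added example: tabulate NPS audit events 6272 (granted), 6273 (denied) and
# 6278 (full access granted) from the Security log for the last $Hours hours.
$Hours = 24

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273, 6278
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Collect every <Data Name="..."> element so a missing field yields $null, not an error
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $ev.TimeCreated
        EventId = $ev.Id
        Outcome = $(switch ($ev.Id) { 6272 { 'Granted' } 6273 { 'Denied' } 6278 { 'FullAccess' } })
        User    = $data['SubjectUserName']
        Client  = $data['ClientName']          # the RADIUS client friendly name, e.g. pfsense
        Policy  = $data['NetworkPolicyName']   # "VPN Users" on success, the default policy on a group miss
        Reason  = $data['Reason']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Denials per user in the window: repeated 6273 events for one account against the
# VPN client are the first thing to look at when checking for password guessing
$rows | Where-Object { $_.EventId -eq 6273 } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run it on the NPS server as an administrator (reading the Security log requires it). A user who is not in the VPN group appears as a 6273 event whose Policy column shows the default "Connections to other access servers" policy, which is the denial described above.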

Configuration of OpenVPN on pfSense 2.2.6

These are the steps by which I successfully deployed OpenVPN on my pfSense 2.2.6, following the reference link below:

  1. Set up the authentication server: select RADIUS and point it at the NPS server with the shared secret configured above
  2. Create the Certificate Authority, server certificate, user certificate and certificate revocation list
  3. Set up the OpenVPN server, configure the firewall and install the OpenVPN Client Export utility
  4. Prepare the Windows package and install the OpenVPN client on Windows 10
  5. Connect to OpenVPN from my Windows 10 machine successfully

Reference link on how to configure OpenVPN in pfSense: