Cisco Support Community

New Member

wlc and microsoft server 2008R2 NPS


Could someone please give me a brief idea on how to use Microsoft Server 2008R2 NPS with Cisco WLC 4400?

Am I correct that each LWAPP AP has to be connected to NPS (this AP is also called an access server)?

When a client tries to connect to the WLAN (in this case let's say we want a user in AD, after providing their creds, to be able to access the network, internet, etc.), is the auth request sent from the AP to NPS/RADIUS?

Where does the WLC come into play here? What does the WLC do?

Thanks for help in advance,


Cisco Employee

wlc and microsoft server 2008R2 NPS


What you're telling exactly holds good for autonomous infrastructure, not for LWAPP-based. In WLC (LWAPP) based, it's the WLC management IP that is the AAA client. The RADIUS protocol runs between the WLC and the IAS / ACS, and between the AP and the WLC it's an LWAPP tunnel.

Here is the link which might give some more info on the same!!

Please don't forget to rate the useful posts!!



New Member

wlc and microsoft server 2008R2 NPS

Thanks Shaqpappi and Surendra, will try it later.

One more question on the same topic: I am using MS NPS Server 2008R2. On the RADIUS clients, shouldn't I just need to add the WLC4402 only? Do I have to add all the Catalyst switches and Aironets as well to implement 802.1X EAP-TLS?

Thank you.

New Member

Re: wlc and microsoft server 2008R2 NPS

It is assumed you are using 802.1x, correct? If so, then it works like this:

In security/radius/authentication you must configure an IP address to where your clients will get a user certificate (only one example of the many ways you can configure it). There also needs to be a pre-shared key that matches the one entered in the authenticating server. For instance, if it's "password", then both the RADIUS server and the WLC need to have the exact same key.

So basically your WLC will push Wi-Fi clients to the RADIUS server to get authenticated, and once it confirms the user is in all the proper security groups in AD, it tells the controller the user is okay to access the network. Obviously it's more complex, but this is a general overview.

Sent from Cisco Technical Support iPad App
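
An added example (not part of the thread, and not Cisco or Microsoft code) of the two checks a RADIUS server applies to the exchange described in the replies above: the sender must be a configured RADIUS client, and the Message-Authenticator attribute (RFC 3579, used with EAP) must verify under the same shared secret. The IP addresses, secret and user name are constructed, the source IP is passed in as a parameter instead of being read from a UDP socket, and the result strings are illustrative labels, not NPS output.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80  # RFC 2865 / RFC 3579 types

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, nas_ip, user, ident=1):
    """Controller side: Access-Request signed with HMAC-MD5 keyed by the shared secret."""
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(NAS_IP_ADDRESS, bytes(int(p) for p in nas_ip.split(".")))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16 random bytes = Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the Message-Authenticator value is the last 16 bytes

def check_request(radius_clients, source_ip, packet):
    """Server side: look up the sender in the RADIUS client list, then verify the HMAC."""
    secret = radius_clients.get(source_ip)
    if secret is None:
        return "unknown-client"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            match = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            return "accepted-for-processing" if match else "secret-mismatch"
        pos += attr_len
    return "no-message-authenticator"

# Constructed sample values (not from the thread).
WLC_MGMT_IP, AP_IP = "192.0.2.10", "192.0.2.50"
RADIUS_CLIENTS = {WLC_MGMT_IP: b"constructed-shared-secret"}

if __name__ == "__main__":
    pkt = build_access_request(RADIUS_CLIENTS[WLC_MGMT_IP], WLC_MGMT_IP, "alice")
    print(check_request(RADIUS_CLIENTS, WLC_MGMT_IP, pkt), check_request(RADIUS_CLIENTS, AP_IP, pkt))
```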