Skip to main content
English (UK)

Migrating from On-Premises RADIUS (NPS) to RADIUS as a Service

This authoritative guide details the technical architecture, implementation methodology, and business impact of migrating from on-premises Microsoft Network Policy Server (NPS) to a cloud-native RADIUS as a Service model. It provides IT leaders and network architects with practical frameworks to reduce operational overhead, eliminate single points of failure, and secure enterprise authentication across distributed venues.

📖 5 min read📝 1,066 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
PODCAST SCRIPT: Migrating from On-Premises RADIUS (NPS) to RADIUS as a Service Duration: ~10 minutes | Voice: UK English, Male, Senior Consultant tone --- SEGMENT 1: INTRODUCTION AND CONTEXT Welcome to the Purple WiFi technical briefing series. Today we're tackling a migration that's sitting on the roadmap of a significant number of enterprise IT teams right now: moving away from on-premises RADIUS — specifically Microsoft's Network Policy Server — to a cloud-hosted RADIUS as a Service model. If you're managing WiFi authentication across a hotel group, a retail estate, a stadium, or a public-sector campus, this is directly relevant to you. The on-premises NPS model has served us well for the better part of two decades, but the operational overhead, the single-point-of-failure risk, and the scaling limitations are becoming increasingly hard to justify — particularly when cloud-native alternatives now offer enterprise-grade reliability at a fraction of the total cost of ownership. Over the next ten minutes, we'll cover the technical architecture of both approaches, walk through a structured migration methodology, look at two real-world implementation scenarios, and finish with the key decision frameworks you need to make this call confidently. Let's get into it. --- SEGMENT 2: TECHNICAL DEEP-DIVE First, let's make sure we're aligned on what RADIUS actually does in your network stack. RADIUS — Remote Authentication Dial-In User Service — is the protocol defined in RFC 2865 that handles authentication, authorisation, and accounting for network access. In a WiFi context, it's the backbone of IEEE 802.1X port-based access control. When a device connects to a WPA2-Enterprise or WPA3-Enterprise SSID, the access point acts as a RADIUS client — what we call a Network Access Server — and forwards the authentication request to the RADIUS server. The server validates the credentials, typically against Active Directory or an LDAP directory, and returns an Access-Accept or Access-Reject response. That's the fundamental flow. Now, in the on-premises NPS model — Network Policy Server is Microsoft's RADIUS implementation bundled with Windows Server — you're running that authentication logic on hardware you own, in a data centre or server room you maintain. The NPS server holds your network policies, your certificate infrastructure for EAP-TLS or PEAP-MSCHAPv2, and your connection request policies. It works. It's mature. But it comes with a set of operational realities that compound over time. The first is hardware dependency. Your NPS server is a physical or virtual machine that requires patching, capacity planning, and eventual hardware refresh. In a multi-site deployment — say, a hotel group with properties across the UK — you're either running a centralised NPS with WAN dependency, or you're deploying NPS instances at each site and managing them individually. Neither is elegant. The second is availability. A single NPS instance is a single point of failure for your entire authentication infrastructure. Yes, you can deploy NPS in a failover pair, but that doubles your hardware and licensing overhead, and it still doesn't give you the geographic redundancy that a cloud service provides natively. The third is scalability. NPS was designed for corporate LAN environments. When you're handling thousands of concurrent authentication requests during a stadium event or a conference centre peak, the throughput limitations of a single NPS instance become very apparent. Authentication latency spikes, and users experience connection failures at exactly the moment you can least afford it. RADIUS as a Service addresses all three of these constraints architecturally. The cloud RADIUS provider runs a distributed, geo-redundant cluster of RADIUS servers. Your access points point to cloud-hosted RADIUS endpoints rather than an on-premises server. Authentication requests are load-balanced across the cluster, and failover is automatic and transparent. The provider handles patching, capacity scaling, and certificate management. From your perspective as the network operator, RADIUS becomes a consumed service rather than a managed component. The authentication protocols themselves don't change. You're still running IEEE 802.1X with EAP-TLS, PEAP-MSCHAPv2, or EAP-TTLS depending on your client device mix. The difference is where the RADIUS server lives and who is responsible for its operational continuity. There's an important security consideration here that I want to address directly, because it comes up in almost every client conversation. Moving RADIUS to the cloud means your authentication traffic is traversing the public internet to reach the cloud RADIUS endpoint. This is mitigated through two mechanisms. First, RADIUS traffic between the Network Access Server and the RADIUS server is protected using a shared secret and MD5-based message authentication. Second, and more importantly for modern deployments, you should be running RadSec — RADIUS over TLS, defined in RFC 6614 — which wraps the entire RADIUS conversation in a TLS tunnel. This gives you transport-layer encryption equivalent to HTTPS, eliminating the MD5 vulnerability and providing mutual authentication between the NAS and the RADIUS server. Any cloud RADIUS provider worth considering should support RadSec as standard. On the identity integration side, cloud RADIUS services typically support LDAP and LDAPS connections back to your on-premises Active Directory, or native integration with Azure Active Directory and Entra ID via SAML or SCIM. This means you don't need to migrate your user directory — the cloud RADIUS service queries your existing identity store, maintaining your existing user lifecycle management processes. For compliance-conscious organisations — and that includes anyone handling payment card data under PCI DSS, or personal data under GDPR — cloud RADIUS providers that are SOC 2 Type II certified and ISO 27001 accredited provide a stronger compliance posture than most organisations can achieve with self-managed NPS infrastructure. --- SEGMENT 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS Right, let's talk about how you actually execute this migration without taking your authentication infrastructure offline. The methodology I recommend is a five-phase approach. Phase one is audit and inventory. Document every RADIUS client — every access point, every switch, every VPN concentrator — along with its current shared secret, the EAP method it's using, and any vendor-specific attributes in your NPS policies. This is the unglamorous work, but skipping it is the number one cause of migration failures. Phase two is pilot deployment. Stand up your cloud RADIUS instance and point a non-production SSID or a single test site at it. Validate that your EAP method works end-to-end, that your identity integration is functioning, and that your accounting data is flowing correctly. Phase three is parallel running. This is the critical risk mitigation step. Configure your access points with both the on-premises NPS server and the cloud RADIUS server as authentication targets, with the cloud service as primary and NPS as fallback. Run in this configuration for a minimum of two weeks across a full business cycle. Monitor authentication success rates, latency, and any policy discrepancies. Phase four is cutover. Remove the NPS fallback configuration and commit to cloud RADIUS as your sole authentication infrastructure. Do this during a planned maintenance window, and have a rollback procedure documented and tested. Phase five is decommission. Once you've validated stable operation for thirty days post-cutover, decommission the NPS servers and reclaim the hardware or virtual machine resources. The pitfalls I see most frequently are: certificate trust chain issues — specifically, client devices that don't trust the cloud RADIUS server's certificate because the CA isn't in their trusted store. Resolve this through your MDM or Group Policy before cutover. The second common pitfall is firewall rules. Cloud RADIUS requires outbound UDP 1812 and 1813 from your access points to the cloud endpoints, or TCP 2083 for RadSec. Ensure your network perimeter allows this traffic. Third: shared secret complexity. If your existing NPS shared secrets are weak, use the migration as an opportunity to rotate to cryptographically strong secrets, or better yet, move to RadSec and eliminate shared secrets entirely. --- SEGMENT 4: RAPID-FIRE Q&A Let me run through the questions I get most often on this topic. Can we keep Active Directory on-premises? Yes, absolutely. Cloud RADIUS connects to your on-premises AD via LDAPS. Your directory stays where it is. What happens if our internet connection goes down? This is the key dependency shift. With cloud RADIUS, internet connectivity becomes a dependency for authentication. Mitigate this with redundant WAN links or a local RADIUS proxy that caches authentication for known devices during outages. Does this affect our PCI DSS compliance? Moving to a certified cloud RADIUS provider typically improves your compliance posture. Ensure your provider can supply SOC 2 Type II reports and is included in your annual QSA assessment scope. How long does a full migration take? For a single site, two to four weeks. For a multi-site estate of fifty or more locations, plan for three to six months with a phased rollout. --- SEGMENT 5: SUMMARY AND NEXT STEPS To wrap up: the case for migrating from on-premises NPS to RADIUS as a Service is compelling on operational, financial, and compliance grounds. The migration itself is low-risk when executed with a structured parallel-running phase. The key technical decisions are your EAP method selection, your identity integration approach, and whether to implement RadSec for transport security — which I'd strongly recommend for any new deployment. Your immediate next steps: conduct the audit of your current RADIUS clients and policies, engage your cloud RADIUS provider for a pilot environment, and review your firewall rules and certificate trust chains before you start. For organisations running Purple WiFi's guest access platform, the RADIUS as a Service capability integrates directly with the guest WiFi authentication flow, giving you a single control plane for both corporate 802.1X authentication and guest network access management — with the analytics and compliance reporting built in. Thanks for listening. The full technical reference guide is available on the Purple website, and our solutions team is available for a scoping conversation if you're ready to move forward. --- END OF SCRIPT

header_image.png

Executive Summary

For nearly two decades, Microsoft’s Network Policy Server (NPS) has been the default RADIUS implementation for enterprise networks. However, as venue operators scale across distributed locations—from retail chains to global hospitality groups—the operational burden of managing on-premises authentication infrastructure has become a significant liability.

Migrating to RADIUS as a Service shifts authentication from a managed hardware component to a consumed cloud service. This architectural transition eliminates the single point of failure inherent in standalone NPS deployments, removes hardware refresh cycles, and provides the elastic scalability required for high-density environments like stadiums and conference centres. For IT managers and network architects, this guide provides a vendor-neutral, structured methodology for migrating 802.1X authentication to the cloud without impacting production traffic, ensuring compliance with PCI DSS and GDPR, and reducing authentication infrastructure OpEx by up to 80%.

Technical Deep-Dive: Architecture and Standards

To understand the migration, we must first examine the architectural shift in how IEEE 802.1X port-based access control is delivered.

The Limitations of On-Premises NPS

In a traditional deployment, access points act as the Network Access Server (NAS), forwarding authentication requests to an on-premises NPS server. The NPS server evaluates connection request policies, validates credentials against an identity store (typically Active Directory via LDAP), and returns an Access-Accept or Access-Reject message.

This model presents three critical constraints for modern networks:

  1. Hardware Dependency & Maintenance: NPS requires dedicated physical or virtual machines, demanding continuous patching, capacity planning, and lifecycle management.
  2. High Availability Complexity: Achieving redundancy requires deploying NPS in a failover pair, doubling licensing costs without providing true geographic redundancy.
  3. Throughput Bottlenecks: During peak concurrency—such as a stadium ingress or retail peak trading hours—a single NPS instance can become a bottleneck, leading to authentication timeouts and degraded user experience.

The Cloud RADIUS Architecture

RADIUS as a Service abstracts the authentication layer. Cloud providers operate distributed, geo-redundant clusters of RADIUS servers. The NAS points to these cloud endpoints, and requests are load-balanced automatically.

architecture_comparison.png

Transport Security: The Role of RadSec When moving RADIUS to the cloud, authentication traffic traverses the public internet. While traditional RADIUS uses a shared secret and MD5 hashing, modern deployments must implement RadSec (RADIUS over TLS, RFC 6614). RadSec wraps the entire RADIUS conversation in a TLS tunnel (typically TCP port 2083), providing transport-layer encryption equivalent to HTTPS and mutual authentication between the NAS and the cloud RADIUS endpoint.

Identity Integration Cloud RADIUS does not require migrating your user directory. Services typically support LDAPS connections back to on-premises Active Directory or native API integrations with Azure Active Directory (Entra ID) via SAML or SCIM. This ensures your existing user lifecycle management processes remain intact.

For venues leveraging Guest WiFi platforms, cloud RADIUS integrates directly, providing a unified control plane for both corporate 802.1X authentication and guest network access, complete with advanced WiFi Analytics .

Implementation Guide: A 5-Phase Methodology

Executing a migration without downtime requires a structured, phased approach.

migration_checklist.png

Phase 1: Audit and Inventory

Before making any changes, document the current state:

  • RADIUS Clients: Identify every NAS (access points, switches, VPN concentrators).
  • Policies: Document existing NPS connection request and network policies, including Vendor-Specific Attributes (VSAs) used for VLAN assignment.
  • EAP Methods: Identify which Extensible Authentication Protocol methods are in use (e.g., EAP-TLS, PEAP-MSCHAPv2).

Phase 2: Pilot Deployment

Provision the cloud RADIUS instance and configure a non-production SSID or a single test site. Validate the identity directory integration (e.g., Entra ID sync) and ensure the EAP method functions end-to-end.

Phase 3: Parallel Running (Risk Mitigation)

Configure the production NAS devices to use both the cloud RADIUS server (Primary) and the legacy NPS server (Fallback). Run this configuration for a minimum of two weeks. Monitor authentication success rates, latency metrics, and accounting data flows to identify any policy discrepancies before cutover.

Phase 4: Cutover

During a scheduled maintenance window, remove the legacy NPS fallback configuration from the NAS devices. Commit entirely to the cloud infrastructure. Ensure your rollback procedure is documented and tested.

Phase 5: Decommission

After 30 days of stable operation, securely decommission the legacy NPS servers and reclaim the compute resources.

Best Practices & Compliance

When designing your cloud RADIUS architecture, adhere to the following standards:

  • Mandate RadSec: Never send RADIUS traffic over the public internet using standard UDP 1812/1813 if RadSec (TCP 2083) is supported by your NAS hardware.
  • Certificate Trust Chains: Ensure client devices trust the Certificate Authority (CA) that issued the cloud RADIUS server's certificate. Push the root CA to managed devices via MDM or Group Policy prior to migration.
  • Compliance Posture: Select a cloud RADIUS provider that maintains SOC 2 Type II certification and ISO 27001 accreditation. This significantly simplifies your annual PCI DSS assessments, particularly for Retail and Hospitality environments.

For broader network design principles, consult our guides on Setting Up WiFi for Business: A 2026 Playbook and Understanding RSSI and Signal Strength for Optimal Channel Planning .

Troubleshooting & Risk Mitigation

Failure Mode Root Cause Mitigation Strategy
Authentication Timeouts Firewall blocking outbound UDP 1812/1813 or TCP 2083. Verify perimeter firewall rules permit outbound traffic to the specific IP ranges of the cloud RADIUS provider.
Certificate Trust Errors Client devices lack the Root CA in their trusted store. Deploy the Root CA via MDM/GPO before Phase 3 (Parallel Running).
VLAN Assignment Fails Vendor-Specific Attributes (VSAs) not mapped correctly in cloud policies. Replicate exact VSA string formats from NPS to the cloud RADIUS policy engine during Phase 1.
WAN Outage Impact Loss of internet drops access to cloud RADIUS. Deploy redundant WAN links or implement a local RADIUS proxy that caches credentials for known devices.

ROI & Business Impact

Migrating to RADIUS as a Service delivers measurable business outcomes:

  • Cost Reduction: Eliminates hardware procurement, Windows Server licensing, and the engineering hours spent on patching and maintenance. Typical OpEx reduction is 60-80%.
  • Reliability SLA: Cloud providers offer financially backed 99.99% uptime SLAs, compared to the typical 97-98% achieved by single-site NPS deployments.
  • Agility: New sites can be brought online instantly without provisioning local authentication hardware, accelerating deployment timelines for Transport hubs and Healthcare facilities.

Listen to our senior consulting team discuss the strategic implications in this 10-minute briefing:

Key Definitions

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

The core protocol used by enterprise WiFi networks to validate user credentials before granting network access.

NPS (Network Policy Server)

Microsoft's implementation of a RADIUS server and proxy, bundled as a role in Windows Server.

The legacy on-premises infrastructure that organizations are actively migrating away from to reduce maintenance overhead.

NAS (Network Access Server)

The device that acts as the gateway to the network and passes authentication requests to the RADIUS server.

In a wireless context, the NAS is typically the WiFi Access Point or Wireless LAN Controller.

RadSec (RADIUS over TLS)

A protocol defined in RFC 6614 that transports RADIUS packets over a TCP connection encrypted with TLS.

Essential for cloud RADIUS deployments to ensure credential data is encrypted while traversing the public internet.

EAP (Extensible Authentication Protocol)

An authentication framework frequently used in wireless networks and point-to-point connections.

Determines how the client and server securely exchange credentials (e.g., certificates via EAP-TLS, or passwords via PEAP).

VSA (Vendor-Specific Attribute)

Custom attributes defined by hardware vendors within the RADIUS protocol to support proprietary features.

Crucial during migration; VSAs are often used to assign authenticated users to specific network VLANs dynamically.

LDAPS (Lightweight Directory Access Protocol over SSL)

A secure protocol for querying and modifying directory services like Active Directory.

Used by cloud RADIUS services to securely query on-premises identity stores without migrating the user directory to the cloud.

802.1X

An IEEE standard for port-based network access control (PNAC).

The underlying standard that uses RADIUS to ensure only authenticated devices can pass traffic onto the enterprise LAN or WLAN.

Worked Examples

A 200-property hotel group currently runs local NPS servers at each site for staff 802.1X authentication. They are migrating to Entra ID (Azure AD) and want to decommission the local servers. How should they approach the migration?

  1. Deploy a cloud RADIUS service that integrates natively with Entra ID via SAML/SCIM.
  2. Configure the cloud RADIUS policies to map Entra ID groups (e.g., 'Front Desk', 'Management') to specific VLAN VSAs.
  3. At a pilot property, configure the access points to use RadSec to connect to the cloud RADIUS endpoint.
  4. Push the cloud RADIUS server's Root CA to all staff devices via Microsoft Intune.
  5. Run parallel authentication at the pilot site, then execute a phased rollout across the remaining 199 properties.
Examiner's Commentary: This approach removes 200 physical/virtual servers from the estate, drastically reducing the attack surface and maintenance overhead. Integrating directly with Entra ID eliminates the need for complex site-to-site VPNs back to a central Active Directory.

A stadium with 50,000 capacity experiences authentication failures on their corporate SSID during major events because their on-premises NPS server cannot handle the throughput of thousands of devices roaming simultaneously.

  1. Audit the existing NPS policies and EAP methods.
  2. Provision a cloud RADIUS service capable of auto-scaling to handle high authentications per second (APS).
  3. Establish an LDAPS connection from the cloud RADIUS service to the stadium's on-premises Active Directory.
  4. Update the stadium's high-density wireless LAN controllers to point to the cloud RADIUS endpoints as the primary authentication servers.
Examiner's Commentary: By offloading the RADIUS processing to a cloud cluster, the stadium leverages elastic compute resources that scale dynamically during event ingress, resolving the bottleneck without requiring the venue to over-provision expensive local hardware.

Practice Questions

Q1. Your organization is migrating to Cloud RADIUS. The security team mandates that no authentication traffic can be sent over the internet in cleartext or using deprecated hashing algorithms like MD5. What protocol must you configure on your wireless LAN controllers?

Hint: Look for the protocol that wraps RADIUS in a TLS tunnel.

View model answer

You must configure RadSec (RADIUS over TLS). RadSec establishes a TLS tunnel over TCP port 2083 between the NAS and the cloud RADIUS server, providing transport-layer encryption and mutual authentication, satisfying the security team's requirements.

Q2. During Phase 3 (Parallel Running) of your migration, you notice that users are authenticating successfully against the cloud RADIUS server, but they are not being placed in the correct network segments. What is the most likely configuration gap?

Hint: How does a RADIUS server tell an access point which network segment to use?

View model answer

The Vendor-Specific Attributes (VSAs) for dynamic VLAN assignment have not been configured correctly in the cloud RADIUS policies. You must ensure the exact VSA strings used in the legacy NPS server are replicated in the cloud environment so the NAS knows which VLAN to assign to the user.

Q3. A client device is repeatedly failing EAP-TLS authentication against the new cloud RADIUS service, but it works fine against the legacy NPS server. The device logs show an 'untrusted server' error. How do you resolve this?

Hint: EAP-TLS requires the client to trust the server's identity.

View model answer

The client device does not have the Root Certificate Authority (CA) that issued the cloud RADIUS server's certificate in its trusted root store. You must deploy the Root CA to the client device using a Mobile Device Management (MDM) solution or Group Policy.