Skip to main content

Migrating from On-Premises RADIUS (NPS) to RADIUS-as-a-Service

This authoritative guide details the technical architecture, implementation methodology, and business impact of migrating from on-premises Microsoft Network Policy Server (NPS) to a cloud-native RADIUS-as-a-Service model. It provides IT leaders and network architects with practical frameworks to reduce operational overhead, eliminate single points of failure, and secure enterprise authentication across distributed venues.

📖 5 min read📝 1,066 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
PODCAST SCRIPT: Migrating from On-Premises RADIUS (NPS) to RADIUS as a Service Duration: ~10 minutes | Voice: US English, Male, Senior Consultant tone --- SEGMENT 1: INTRODUCTION AND CONTEXT Welcome to the Purple WiFi technical briefing series. Today we're tackling a migration that's sitting on the roadmap of a significant number of enterprise IT teams right now: moving away from on-premises RADIUS - specifically Microsoft's Network Policy Server - to a cloud-hosted RADIUS as a Service model. If you're managing WiFi authentication across a hotel group, a retail estate, a stadium, or a public-sector campus, this is directly relevant to you. The on-premises NPS model has served us well for the better part of two decades, but the operational overhead, the single-point-of-failure risk, and the scaling limitations are becoming increasingly hard to justify - particularly when cloud-native alternatives now offer enterprise-grade reliability at a fraction of the total cost of ownership. Over the next ten minutes, we'll cover the technical architecture of both approaches, walk through a structured migration methodology, look at two real-world implementation scenarios, and finish with the key decision frameworks you need to make this call confidently. Let's get into it. --- SEGMENT 2: TECHNICAL DEEP-DIVE First, let's make sure we're aligned on what RADIUS actually does in your network stack. RADIUS - Remote Authentication Dial-In User Service - is the protocol defined in RFC 2865 that handles authentication, authorization, and accounting for network access. In a WiFi context, it's the backbone of IEEE 802.1X port-based access control. When a device connects to a WPA2-Enterprise or WPA3-Enterprise SSID, the access point acts as a RADIUS client - what we call a Network Access Server - and forwards the authentication request to the RADIUS server. The server validates the credentials, typically against Active Directory or an LDAP directory, and returns an Access-Accept or Access-Reject response. That's the fundamental flow. Now, in the on-premises NPS model - Network Policy Server is Microsoft's RADIUS implementation bundled with Windows Server - you're running that authentication logic on hardware you own, in a data center or server room you maintain. The NPS server holds your network policies, your certificate infrastructure for EAP-TLS or PEAP-MSCHAPv2, and your connection request policies. It works. It's mature. But it comes with a set of operational realities that compound over time. The first is hardware dependency. Your NPS server is a physical or virtual machine that requires patching, capacity planning, and eventual hardware refresh. In a multi-site deployment - say, a hotel group with properties across the US - you're either running a centralized NPS with WAN dependency, or you're deploying NPS instances at each site and managing them individually. Neither is elegant. The second is availability. A single NPS instance is a single point of failure for your entire authentication infrastructure. Yes, you can deploy NPS in a failover pair, but that doubles your hardware and licensing overhead, and it still doesn't give you the geographic redundancy that a cloud service provides natively. The third is scalability. NPS was designed for corporate LAN environments. When you're handling thousands of concurrent authentication requests during a stadium event or a convention center peak, the throughput limitations of a single NPS instance become very apparent. Authentication latency spikes, and users experience connection failures at exactly the moment you can least afford it. RADIUS-as-a-Service addresses all three of these constraints architecturally. The cloud RADIUS provider runs a distributed, geo-redundant cluster of RADIUS servers. Your access points point to cloud-hosted RADIUS endpoints rather than an on-premises server. Authentication requests are load-balanced across the cluster, and failover is automatic and transparent. The provider handles patching, capacity scaling, and certificate management. From your perspective as the network operator, RADIUS becomes a consumed service rather than a managed component. The authentication protocols themselves don't change. You're still running IEEE 802.1X with EAP-TLS, PEAP-MSCHAPv2, or EAP-TTLS depending on your client device mix. The difference is where the RADIUS server lives and who is responsible for its operational continuity. There's an important security consideration here that I want to address directly, because it comes up in almost every client conversation. Moving RADIUS to the cloud means your authentication traffic is traversing the public internet to reach the cloud RADIUS endpoint. This is mitigated through two mechanisms. First, RADIUS traffic between the Network Access Server and the RADIUS server is protected using a shared secret and MD5-based message authentication. Second, and more importantly for modern deployments, you should be running RadSec - RADIUS over TLS, defined in RFC 6614 - which wraps the entire RADIUS conversation in a TLS tunnel. This gives you transport-layer encryption equivalent to HTTPS, eliminating the MD5 vulnerability and providing mutual authentication between the NAS and the RADIUS server. Any cloud RADIUS provider worth considering should support RadSec as standard. On the identity integration side, cloud RADIUS services typically support LDAP and LDAPS connections back to your on-premises Active Directory, or native integration with Azure Active Directory and Entra ID via SAML or SCIM. This means you don't need to migrate your user directory - the cloud RADIUS service queries your existing identity store, maintaining your existing user lifecycle management processes. For compliance-conscious organizations - and that includes anyone handling payment card data under PCI DSS, or personal data under CCPA/CPRA - cloud RADIUS providers that are SOC 2 Type II certified and ISO 27001 accredited provide a stronger compliance posture than most organizations can achieve with self-managed NPS infrastructure. --- SEGMENT 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS Right, let's talk about how you actually execute this migration without taking your authentication infrastructure offline. The methodology I recommend is a five-phase approach. Phase one is audit and inventory. Document every RADIUS client - every access point, every switch, every VPN concentrator - along with its current shared secret, the EAP method it's using, and any vendor-specific attributes in your NPS policies. This is the unglamorous work, but skipping it is the number one cause of migration failures. Phase two is pilot deployment. Stand up your cloud RADIUS instance and point a non-production SSID or a single test site at it. Validate that your EAP method works end-to-end, that your identity integration is functioning, and that your accounting data is flowing correctly. Phase three is parallel running. This is the critical risk mitigation step. Configure your access points with both the on-premises NPS server and the cloud RADIUS server as authentication targets, with the cloud service as primary and NPS as fallback. Run in this configuration for a minimum of two weeks across a full business cycle. Monitor authentication success rates, latency, and any policy discrepancies. Phase four is cutover. Remove the NPS fallback configuration and commit to cloud RADIUS as your sole authentication infrastructure. Do this during a planned maintenance window, and have a rollback procedure documented and tested. Phase five is decommission. Once you've validated stable operation for thirty days post-cutover, decommission the NPS servers and reclaim the hardware or virtual machine resources. The pitfalls I see most frequently are: certificate trust chain issues - specifically, client devices that don't trust the cloud RADIUS server's certificate because the CA isn't in their trusted store. Resolve this through your MDM or Group Policy before cutover. The second common pitfall is firewall rules. Cloud RADIUS requires outbound UDP 1812 and 1813 from your access points to the cloud endpoints, or TCP 2083 for RadSec. Ensure your network perimeter allows this traffic. Third: shared secret complexity. If your existing NPS shared secrets are weak, use the migration as an opportunity to rotate to cryptographically strong secrets, or better yet, move to RadSec and eliminate shared secrets entirely. --- SEGMENT 4: RAPID-FIRE Q&A Let me run through the questions I get most often on this topic. Can we keep Active Directory on-premises? Yes, absolutely. Cloud RADIUS connects to your on-premises AD via LDAPS. Your directory stays where it is. What happens if our internet connection goes down? This is the key dependency shift. With cloud RADIUS, internet connectivity becomes a dependency for authentication. Mitigate this with redundant WAN links or a local RADIUS proxy that caches authentication for known devices during outages. Does this affect our PCI-DSS compliance? Moving to a certified cloud RADIUS provider typically improves your compliance posture. Ensure your provider can supply SOC 2 Type II reports and is included in your annual QSA assessment scope. How long does a full migration take? For a single site, two to four weeks. For a multi-site estate of fifty or more locations, plan for three to six months with a phased rollout. - SEGMENT 5: SUMMARY AND NEXT STEPS To wrap up: the case for migrating from on-premises NPS to RADIUS-as-a-Service is compelling on operational, financial, and compliance grounds. The migration itself is low-risk when executed with a structured parallel-running phase. The key technical decisions are your EAP method selection, your identity integration approach, and whether to implement RadSec for transport security - which I'd strongly recommend for any new deployment. Your immediate next steps: conduct the audit of your current RADIUS clients and policies, engage your cloud RADIUS provider for a pilot environment, and review your firewall rules and certificate trust chains before you start. For organizations running Purple WiFi's guest access platform, the RADIUS-as-a-Service capability integrates directly with the guest WiFi authentication flow, giving you a single control plane for both corporate 802.1X authentication and guest network access management - with the analytics and compliance reporting built in. Thanks for listening. The full technical reference guide is available on the Purple website, and our solutions team is available for a scoping conversation if you're ready to move forward. - END OF SCRIPT

header_image.png

Executive Summary

For nearly two decades, Microsoft's Network Policy Server (NPS) has been the default RADIUS implementation for enterprise networks. However, as venue operators scale across distributed sites - from retail chains to global hospitality groups - the operational burden of managing on-premises authentication infrastructure has become a significant liability.

Migrating to RADIUS as a Service transforms authentication from a managed hardware component into a consumed cloud service. This architectural shift eliminates the single points of failure inherent in standalone NPS deployments, removes hardware refresh cycles, and provides the elastic scalability required for high-density environments such as stadiums and conference centers. For IT managers and network architects, this guide provides a vendor-neutral, structured methodology for migrating 802.1X authentication to the cloud without impacting production traffic, ensuring compliance with PCI-DSS and GDPR, and reducing authentication infrastructure OpEx by up to 80%.

Technical Deep-Dive: Architecture and Standards

To understand this migration, we must first examine the architectural shift in how IEEE 802.1X port-based access control is delivered.

The Limitations of On-Premises NPS

In a traditional deployment, the access point acts as the Network Access Server (NAS), forwarding authentication requests to an on-premises NPS server. The NPS server evaluates connection request policies, validates credentials against the identity store (typically Active Directory via LDAP), and returns an Access-Accept or Access-Reject message.

This model presents three critical limitations for modern networks:

  1. Hardware dependency and maintenance: NPS requires dedicated physical or virtual machines, demanding continuous patching, capacity planning and lifecycle management.
  2. High-availability complexity: Achieving redundancy requires deploying NPS in failover pairs, which doubles licensing costs without providing true geographic redundancy.
  3. Throughput bottlenecks: During peak concurrency (such as stadium ingress or retail peak trading hours), a single NPS instance can become a bottleneck, causing authentication timeouts and a degraded user experience.

Cloud RADIUS Architecture

RADIUS as a Service abstracts the authentication layer. The cloud provider operates distributed, geographically redundant clusters of RADIUS servers. The NAS points to these cloud endpoints, and requests are load-balanced automatically.

architecture_comparison.png

Transport security: the role of RadSec When RADIUS moves to the cloud, authentication traffic traverses the public internet. While legacy RADIUS relies on shared secrets and MD5 hashing, modern deployments must implement RadSec (RADIUS over TLS, RFC 6614). RadSec encapsulates the entire RADIUS conversation in a TLS tunnel (typically TCP port 2083), providing transport-layer encryption equivalent to HTTPS along with mutual authentication between the NAS and the cloud RADIUS endpoint.

Identity integration Cloud RADIUS does not require you to migrate your user directory. Services typically support LDAPS connections back to on-premises Active Directory, or native API integration with Azure Active Directory (Entra ID) via SAML or SCIM. This ensures your existing user lifecycle management processes remain unchanged.

For venues leveraging a Guest WiFi platform, cloud RADIUS integrates directly, providing a unified control plane for both corporate 802.1X authentication and guest network access, complete with advanced WiFi Analytics .

Implementation Guide: The 5-Phase Methodology

Executing the migration without service disruption requires a structured, phased approach.

migration_checklist.png

Phase 1: Audit and Inventory

Before making any changes, document the current state:

  • RADIUS clients: Identify every NAS (wireless access points, switches, VPN concentrators).
  • Policies: Document existing NPS connection request and network policies, including vendor-specific attributes (VSAs) used for VLAN assignment.
  • EAP methods: Identify which Extensible Authentication Protocol methods are in use (e.g., EAP-TLS, PEAP-MSCHAPv2).

Phase 2: Pilot Deployment

Provision the cloud RADIUS instance and configure a non-production SSID or a single test site. Validate identity directory integration (e.g., Entra ID synchronization) and confirm that EAP methods function correctly end to end.

Phase 3: Parallel Running (Risk Mitigation)

Configure production NAS devices to use both the cloud RADIUS servers (primary) and the legacy NPS servers (backup) simultaneously. Maintain this configuration for a minimum of two weeks. Monitor authentication success rates, latency metrics, and accounting data flows to identify any policy discrepancies before cutover.

Phase 4: Cutover

During a scheduled maintenance window, remove the legacy NPS backup configuration from the NAS devices. Transition fully to the cloud infrastructure. Ensure your rollback procedure is documented and tested.

Phase 5: Decommissioning

After 30 days of stable operation, securely decommission the legacy NPS servers and reclaim the compute resources.

Best Practices and Compliance

Adhere to the following standards when designing your cloud RADIUS architecture:

  • Mandate RadSec: If your NAS hardware supports RadSec (TCP 2083), never send RADIUS traffic over the public internet using standard UDP 1812/1813.
  • Certificate trust chain: Ensure client devices trust the Certificate Authority (CA) that issues the cloud RADIUS server certificates. Push the root CA to managed devices via MDM or Group Policy before the migration.
  • Compliance posture: Choose a cloud RADIUS provider that maintains SOC 2 Type II attestation and ISO 27001 certification. This significantly simplifies your annual PCI DSS assessments, particularly for retail and hospitality environments.

For broader network design principles, see our guides: Setting Up WiFi for Business: A 2026 Guide and Understanding RSSI and Signal Strength for Optimal Channel Planning .

Troubleshooting and Risk Mitigation

Failure mode Root cause Mitigation strategy
Authentication timeouts Firewall blocking outbound UDP 1812/1813 or TCP 2083. Verify perimeter firewall rules allow outbound traffic to the cloud RADIUS provider's specific IP ranges.
Certificate trust errors Root CA missing from the client device's trust store. Deploy the root CA via MDM/GPO before Phase 3 (parallel running).
VLAN assignment failures Vendor-specific attributes (VSAs) not mapped correctly in the cloud policy. During Phase 1, replicate the exact VSA string formats from NPS into the cloud RADIUS policy engine.
WAN outage impact Loss of internet connectivity prevents access to cloud RADIUS. Deploy redundant WAN links, or implement a local RADIUS proxy that caches credentials for known devices.

ROI and Business Impact

Migrating to RADIUS as a Service delivers measurable business outcomes:

  • Cost reduction: Eliminates hardware procurement, Windows Server licensing, and the engineering hours spent on patching and maintenance. Typical OpEx reductions are 60-80%.
  • Reliability SLAs: Cloud providers offer financially backed 99.99% availability SLAs, compared with the 97-98% availability typical of a single-site NPS deployment.
  • Agility: Bring new sites online instantly without provisioning local authentication hardware, shortening deployment timelines for transport hubs and healthcare organizations.

Listen to our senior consultant team discuss the strategic implications in this 10-minute briefing:

Key Definitions

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

The core protocol used by enterprise WiFi networks to validate user credentials before granting network access.

NPS (Network Policy Server)

Microsoft's implementation of a RADIUS server and proxy, bundled as a role in Windows Server.

The legacy on-premises infrastructure that organizations are actively migrating away from to reduce maintenance overhead.

NAS (Network Access Server)

The device that acts as the gateway to the network and passes authentication requests to the RADIUS server.

In a wireless context, the NAS is typically the WiFi Access Point or Wireless LAN Controller.

RadSec (RADIUS over TLS)

A protocol defined in RFC 6614 that transports RADIUS packets over a TCP connection encrypted with TLS.

Essential for cloud RADIUS deployments to ensure credential data is encrypted while traversing the public internet.

EAP (Extensible Authentication Protocol)

An authentication framework frequently used in wireless networks and point-to-point connections.

Determines how the client and server securely exchange credentials (e.g., certificates via EAP-TLS, or passwords via PEAP).

VSA (Vendor-Specific Attribute)

Custom attributes defined by hardware vendors within the RADIUS protocol to support proprietary features.

Crucial during migration; VSAs are often used to assign authenticated users to specific network VLANs dynamically.

LDAPS (Lightweight Directory Access Protocol over SSL)

A secure protocol for querying and modifying directory services like Active Directory.

Used by cloud RADIUS services to securely query on-premises identity stores without migrating the user directory to the cloud.

802.1X

An IEEE standard for port-based network access control (PNAC).

The underlying standard that uses RADIUS to ensure only authenticated devices can pass traffic onto the enterprise LAN or WLAN.

Worked Examples

A 200-property hotel group currently runs local NPS servers at each site for staff 802.1X authentication. They are migrating to Entra ID (Azure AD) and want to decommission the local servers. How should they approach the migration?

  1. Deploy a cloud RADIUS service that integrates natively with Entra ID via SAML/SCIM.
  2. Configure the cloud RADIUS policies to map Entra ID groups (e.g., 'Front Desk', 'Management') to specific VLAN VSAs.
  3. At a pilot property, configure the access points to use RadSec to connect to the cloud RADIUS endpoint.
  4. Push the cloud RADIUS server's Root CA to all staff devices via Microsoft Intune.
  5. Run parallel authentication at the pilot site, then execute a phased rollout across the remaining 199 properties.
Examiner's Commentary: This approach removes 200 physical/virtual servers from the estate, drastically reducing the attack surface and maintenance overhead. Integrating directly with Entra ID eliminates the need for complex site-to-site VPNs back to a central Active Directory.

A stadium with 50,000 capacity experiences authentication failures on their corporate SSID during major events because their on-premises NPS server cannot handle the throughput of thousands of devices roaming simultaneously.

  1. Audit the existing NPS policies and EAP methods.
  2. Provision a cloud RADIUS service capable of auto-scaling to handle high authentications per second (APS).
  3. Establish an LDAPS connection from the cloud RADIUS service to the stadium's on-premises Active Directory.
  4. Update the stadium's high-density wireless LAN controllers to point to the cloud RADIUS endpoints as the primary authentication servers.
Examiner's Commentary: By offloading the RADIUS processing to a cloud cluster, the stadium leverages elastic compute resources that scale dynamically during event ingress, resolving the bottleneck without requiring the venue to over-provision expensive local hardware.

Practice Questions

Q1. Your organization is migrating to Cloud RADIUS. The security team mandates that no authentication traffic can be sent over the internet in cleartext or using deprecated hashing algorithms like MD5. What protocol must you configure on your wireless LAN controllers?

Hint: Look for the protocol that wraps RADIUS in a TLS tunnel.

View model answer

You must configure RadSec (RADIUS over TLS). RadSec establishes a TLS tunnel over TCP port 2083 between the NAS and the cloud RADIUS server, providing transport-layer encryption and mutual authentication, satisfying the security team's requirements.

Q2. During Phase 3 (Parallel Running) of your migration, you notice that users are authenticating successfully against the cloud RADIUS server, but they are not being placed in the correct network segments. What is the most likely configuration gap?

Hint: How does a RADIUS server tell an access point which network segment to use?

View model answer

The Vendor-Specific Attributes (VSAs) for dynamic VLAN assignment have not been configured correctly in the cloud RADIUS policies. You must ensure the exact VSA strings used in the legacy NPS server are replicated in the cloud environment so the NAS knows which VLAN to assign to the user.

Q3. A client device is repeatedly failing EAP-TLS authentication against the new cloud RADIUS service, but it works fine against the legacy NPS server. The device logs show an 'untrusted server' error. How do you resolve this?

Hint: EAP-TLS requires the client to trust the server's identity.

View model answer

The client device does not have the Root Certificate Authority (CA) that issued the cloud RADIUS server's certificate in its trusted root store. You must deploy the Root CA to the client device using a Mobile Device Management (MDM) solution or Group Policy.

Continue reading in this series

The Security Benefits of RADIUS as a Service for Hybrid Workforces

This technical reference guide explains how RADIUS as a Service secures network access for hybrid workforces across distributed venues. It covers the architecture, security benefits, and deployment steps for replacing on-premise RADIUS infrastructure with a cloud-managed authentication service. For IT managers and network architects at hotels, retail chains, stadiums, and public-sector organisations, this guide provides the evidence needed to evaluate and act on a cloud RADIUS migration this quarter.

Read the guide →

The Security Benefits of RADIUS as a Service for Hybrid Workforces

This technical reference guide explains how RADIUS as a Service secures network access for hybrid workforces across distributed venues. It covers the architecture, security benefits, and deployment steps for replacing on-premise RADIUS infrastructure with a cloud-managed authentication service. For IT managers and network architects at hotels, retail chains, stadiums, and public-sector organisations, this guide provides the evidence needed to evaluate and act on a cloud RADIUS migration this quarter.

Read the guide →

Integrating RADIUS as a Service with Cloud Directories (Azure AD & Google Workspace)

This technical reference guide details how to integrate RADIUS as a Service with cloud directories - Microsoft Entra ID and Google Workspace - for enterprise WiFi authentication. It covers the architectural shift from on-premises NPS to cloud-native RADIUS, the deployment of certificate-based EAP-TLS authentication, and the operational best practices for securing wireless access across hospitality, retail, and public-sector environments. For IT managers and network architects already invested in cloud identity, this guide bridges the gap between directory management and physical network security.

Read the guide →