Enable "reversible password encryption" for your domain users.
Globally:

Admin Tools - Group Policy Management
Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled.

Per User:

I prefer doing it globally, but you can do it on a per user basis by opening your domain user's properties and checking "Store password using reversible encryption" on the Account tab.

*Restart the domain controller after these Group Policy changes.

Enable Windows Server 2008 Network Policy Server (NPS)

Add the "Network Policy and Access Services" role to your domain controller.
Enable these role services during installation:
Network Policy Server
Routing & Remote Access Services
Remote Access Service
Routing

Verify the RADIUS Port Numbers

Server Manager -> Roles -> Network Policy and Access -> Right-click NPS (Local) -> Properties -> Ports Tab.
Verify the defaults for Authentication are 1812,1645.
Verify the defaults for Accounting are 1813, 1646.
The 18 set is for a secure connection, or vice-versa. You can change things to match your RADIUS client, but the defaults should be fine.

Add a new RADIUS Client

NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients -> Right-click Add new Client.
Add a name, the ip address of your client and create a shared secret.

Add a new Network Policy

NPS (Local) -> Policies -> Right-click Network Policies -> Add new.
Enter a name and leave Type of network access server as Unspecified. Click Next.
Add a condition. Choose Windows Groups. Add a Group ("Domain Users" for example). Click OK, then Next.
Choose Access Granted. Click Next.
Leave the default Authentication Methods. Click Next.
Leave the Default Constraints. (Although they look like some cool new features you may want to use.) Click Next.
Leave the Default Settings. Click Next.
Click Finish.

Granting or Denying Access to Users

Right click a domain user -> Properties -> Dial-in tab.
You can Grant or Deny here, but I just leave the NPS Policy we setup earlier to allow all domain users through.

Configure your RADIUS Client

In this case, I enable a PPTP VPN server on my pfSense firewall and point it to my domain controller/NPS services machine where we just configured everything. Input the shared secret and then login from anywhere!
Albert.Nawaro Reviewed by Albert.Nawaro on . how to add radius in server 2008 Enable "reversible password encryption" for your domain users. Globally: Admin Tools - Group Policy Management Choose your forest, domain and then right click your Default Domain Policy and choose Edit. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled. Per User: I prefer doing it globally, but you can do it on a per user basis by opening your Rating: 5