Configuring Microsoft NPS for eduroam-US

Thank you to Derek O'Flynn at LSUHSC for contributing these instructions and images to the documentation.
If you have any questions or comments regarding these instructions, please contact the eduroam-US Team and we will work with you to assist as much as possible.

Update: Thanks to James Macdonell at CSU San Bernardino, we have even better and more detailed instructions for NPS. You can find them here. The older instructions below will stay around in case someone still finds them useful.


To configure Microsoft Windows 2008 Server NPS for eduroam-US, follow the directions below. They do not include detailed instructions on general NPS configuration; the administrator must have some knowledge of NPS configuration.

These instructions use Cisco WLAN controllers configured with the “eduroam” SSID. The controllers are used to map the configured policies. If your institution has a different 802.11 setup, and thus different 802.1X settings, you will need to adapt the policy mapping to your system. This may be as simple as adding a forwarding rule and the inbound eduroam-US Top-Level rule.


Create a Remote RADIUS Group called “eduroam”

Define the eduroam-US top-level RADIUS server as a member

Configure the following Connection Request Policies:

  • eduroam - <LOCAL>

    • Replace "<LOCAL>" with an appropriate value.  This is used to map local realms.  In the case of the example images "<LOCAL>" is "LSUHSC".
  • eduroam - External

    • This policy is used to forward the request.
  • eduroam - USTopLevel

    • This policy is used to map the request from eduroam-US.  In the example images this profile is called "eduroam-UTK".

[Example images: eduroam - <LOCAL>, eduroam - External, eduroam - USTopLevel]

Configure the following Network Policies:

  • eduroam - <LOCAL>

    • Replace "<LOCAL>" as above. This is used to authenticate local realms.
  • eduroam - USTopLevel

    • Used to authenticate requests from eduroam-US.

[Example images: eduroam - <LOCAL>, eduroam - USTopLevel]

In the Network Policies you will see MS-CHAP v1 and similar methods listed, but these can be ignored because the Connection Request Policies override all authentication methods with PEAP.
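The way the three Connection Request Policies divide incoming requests can be modelled in Python before the conditions are entered in NPS. This is an added example, not NPS configuration and not part of the original instructions. The realm `example.edu`, the User-Name patterns, and the rule that only requests arriving from the controllers are forwarded are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed placeholder; substitute your institution's realm.
LOCAL_REALM = "example.edu"

class Policy(NamedTuple):
    name: str
    from_top_level: bool   # True: request arrived from the eduroam-US server client
    user_name: str         # pattern matched against the RADIUS User-Name
    action: str            # "authenticate-locally" or "forward-to-eduroam-group"

# Anchored with $ so that a longer realm such as example.edu.test is not local.
LOCAL = rf"@{re.escape(LOCAL_REALM)}$"
# Any user@realm whose realm contains a dot (assumed shape of a roaming identity).
ANY_REALM = r"^[^@\s]+@[^@\s]+\.[^@\s]+$"

# Evaluated top to bottom; the first policy whose conditions all match is used.
POLICIES = [
    Policy("eduroam - <LOCAL>", False, LOCAL, "authenticate-locally"),
    Policy("eduroam - External", False, ANY_REALM, "forward-to-eduroam-group"),
    Policy("eduroam - USTopLevel", True, LOCAL, "authenticate-locally"),
]

def route(user_name: str, from_top_level: bool) -> Optional[Policy]:
    """Return the first matching policy, or None when no policy matches."""
    for p in POLICIES:
        if p.from_top_level == from_top_level and re.search(
            p.user_name, user_name, re.IGNORECASE  # model choice: realm case ignored
        ):
            return p
    return None

def describe(user_name: str, from_top_level: bool) -> str:
    p = route(user_name, from_top_level)
    return f"{p.name} -> {p.action}" if p else "no matching policy"

if __name__ == "__main__":
    samples = [  # constructed requests: (User-Name, arrived from eduroam-US?)
        ("alice@example.edu", False), ("bob@visitor.example.org", False),
        ("alice@example.edu", True), ("bob@visitor.example.org", True),
        ("carol@example.edu.test", False), ("dave", False),
    ]
    for user, top in samples:
        src = "eduroam-US" if top else "controller"
        print(f"{user:26} from {src:10}: {describe(user, top)}")
```

In this model a request that arrives from eduroam-US for a realm other than the local one matches no policy, so it is never forwarded back to the server it came from.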

Add the eduroam-US server as a client: