RADIUS and NPS server detection report

Read-only PowerShell reporting script pattern to identify likely Microsoft NPS or other RADIUS-capable Windows servers using multiple evidence sources: NPS service presence, NPAS role/feature state, IAS/NPS event log activity, UDP 1812/1813 listener evidence, and registry indicators. Designed for migration discovery, audit support, and authentication troubleshooting.

Good For

  • Finding likely NPS servers before MFA, VPN, Wi-Fi, or NAC migrations
  • Building a host-by-host evidence report for audit or ticket attachments
  • Validating whether a server is actively handling RADIUS authentication or accounting
  • Scanning a known host list or an AD-filtered server set

How to Use It

  1. Choose target mode: use a curated remote host list for scoped investigations, or query AD for Windows Server computer objects when building a broader inventory.
  2. Run the collection from an admin workstation or management host with PowerShell remoting enabled and rights to query services, features, event logs, registry, and UDP endpoints on target servers.
  3. Collect five evidence types per host: IAS service presence/status, NPAS feature installation state, active UDP listener ports commonly used by RADIUS, recent NPS/IAS-related event log evidence, and IAS registry presence.
  4. Review the DetectionScore and LikelyRadiusOrNps fields instead of relying on one signal. A score of 2 or more is a practical threshold for likely NPS/RADIUS candidates; score 1 should be reviewed manually.
  5. Export full CSV for archive and a narrowed findings CSV for tickets, migration workbooks, or follow-up validation with application/network owners.

Execution Modes

  • remote-host-list
  • ad-filtered

Inputs and Outputs

Inputs

  • servers.txt
  • AD computer filter
  • PowerShell remoting access (required)

Outputs

  • verbose-console
  • csv

Command Starter

Safe to run: read-only

# ---------------------------------------------------------------------
# Target selection — choose one mode, do not overwrite the list later
# ---------------------------------------------------------------------
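$TargetMode = 'File'   # Supported starter modes: File or AD
$Targets = switch ($TargetMode) {
    # Trim entries and skip blank lines so they do not become failed-connection rows.
    'File' { Get-Content '.\servers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
    # AD mode needs the ActiveDirectory module on the machine running the collection.
    'AD'   { Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty Name }
    default { throw 'TargetMode must be File or AD.' }
}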

$OutputPath = '.\radius-nps-detection-report.csv'

# ---------------------------------------------------------------------
# Multi-signal NPS / RADIUS detection
# ---------------------------------------------------------------------
$Report = foreach ($Computer in $Targets) {
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            $IasService = Get-Service -Name IAS -ErrorAction SilentlyContinue
            $NpasFeature = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
                Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
            }

            $RadiusPorts = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -in 1812,1813,1645,1646 } |
                Select-Object -ExpandProperty LocalPort -Unique)

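            # NPS audit events 6272 (access granted), 6273 (access denied) and 6274 (request discarded)
            # show authentication activity when auditing is enabled. -MaxEvents returns the newest 25
            # matches regardless of age, so a non-zero count can reflect old activity.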
            $RecentNpsEvents = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=6272,6273,6274 } -MaxEvents 25 -ErrorAction SilentlyContinue)
            $RegistryIasPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IAS'

            $Score = 0
            if ($IasService) { $Score++ }
            if ($NpasFeature -and $NpasFeature.InstallState -eq 'Installed') { $Score++ }
            if ($RadiusPorts.Count -gt 0) { $Score++ }
            if ($RecentNpsEvents.Count -gt 0) { $Score++ }
            if ($RegistryIasPresent) { $Score++ }

            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Reachable = $true
                IASServicePresent = [bool]$IasService
                IASServiceStatus = if ($IasService) { $IasService.Status } else { $null }
                NPASFeatureInstalled = if ($NpasFeature) { $NpasFeature.InstallState } else { $null }
                RadiusPorts = ($RadiusPorts -join ', ')
                RecentNpsEventCount = $RecentNpsEvents.Count
                RegistryIASPresent = $RegistryIasPresent
                DetectionScore = $Score
                LikelyRadiusOrNps = ($Score -ge 2)
            }
        }
    }
    catch {
        [pscustomobject]@{
            ComputerName = $Computer
            Reachable = $false
            IASServicePresent = $null
            IASServiceStatus = $null
            NPASFeatureInstalled = $null
            RadiusPorts = $null
            RecentNpsEventCount = $null
            RegistryIASPresent = $null
            DetectionScore = 0
            LikelyRadiusOrNps = $false
            Error = $_.Exception.Message
        }
    }
}

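# Fix the column set: Export-Csv takes its header from the first object, which would drop
# Error (present only on failure rows) and keep remoting's PSComputerName/RunspaceId.
$Columns = 'ComputerName','Reachable','IASServicePresent','IASServiceStatus','NPASFeatureInstalled',
    'RadiusPorts','RecentNpsEventCount','RegistryIASPresent','DetectionScore','LikelyRadiusOrNps','Error'
$Sorted = $Report | Select-Object -Property $Columns |
    Sort-Object LikelyRadiusOrNps, DetectionScore -Descending

$Sorted | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Sorted | Format-Table -AutoSize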

Validation

  • At least one known NPS server appears with IASServicePresent=true or NPASFeatureInstalled=Installed.
  • Servers expected to handle RADIUS show listener evidence on UDP 1812 and/or 1813, or have recent NPS/IAS event evidence if listeners are not observable.
  • Non-NPS servers do not cluster with high DetectionScore unless they have stale components or historical artifacts requiring manual review.
  • Unreachable systems are clearly marked with Reachable=false and an error message so missing evidence is not mistaken for negative evidence.

Reporting

  • Include ComputerName, Reachable, IASServiceStatus, NPASFeatureInstalled, RadiusPorts, DetectionScore, LikelyRadiusOrNps, and Error in ticket attachments.
  • Flag hosts with DetectionScore=1 as review-needed rather than confirmed NPS; note which evidence source triggered the finding.
  • Separate unreachable hosts from confirmed negatives in summaries to avoid false assurance.
  • For migration packs, add a manual owner-confirmed column after review: ConfirmedRole = NPS, RADIUS client only, historical artifact, or not applicable.
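
The reporting rules above, applied to rows re-imported from the report CSV. This is an added example, not part of the original starter; the helper name Get-RadiusTriage, the findings file name, and the four sample hosts are assumptions constructed for illustration.

```powershell
# Constructed sample rows in the starter's column layout (not real servers).
$Rows = @'
ComputerName,Reachable,IASServicePresent,IASServiceStatus,NPASFeatureInstalled,RadiusPorts,RecentNpsEventCount,RegistryIASPresent,DetectionScore,LikelyRadiusOrNps,Error
NPS-SAMPLE-01,True,True,Running,Installed,"1812, 1813",25,True,5,True,
APP-SAMPLE-02,True,False,,Available,1812,0,False,1,False,
FILE-SAMPLE-03,True,False,,Available,,0,False,0,False,
OLD-SAMPLE-04,False,,,,,,,0,False,Constructed remoting failure text
'@ | ConvertFrom-Csv

function Get-RadiusTriage {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        # Name the signals that fired. Service and registry evidence normally appear
        # together (a registered service has a Services\IAS key), so read the list,
        # not only the count. CSV values arrive as strings, hence the 'True' compares.
        $Evidence = @()
        if ($Row.IASServicePresent -eq 'True')         { $Evidence += 'Service' }
        if ($Row.NPASFeatureInstalled -eq 'Installed') { $Evidence += 'Feature' }
        if ($Row.RadiusPorts)                          { $Evidence += 'UdpListener' }
        if ([int]$Row.RecentNpsEventCount -gt 0)       { $Evidence += 'SecurityEvents' }
        if ($Row.RegistryIASPresent -eq 'True')        { $Evidence += 'Registry' }

        # Unreachable is checked first: missing evidence is not negative evidence.
        $Score = [int]$Row.DetectionScore
        $Triage = if ($Row.Reachable -ne 'True') { 'Unreachable' }
                  elseif ($Score -ge 2)          { 'Likely' }
                  elseif ($Score -eq 1)          { 'ReviewNeeded' }
                  else                           { 'NoEvidence' }

        [pscustomobject]@{
            ComputerName   = $Row.ComputerName
            Triage         = $Triage
            DetectionScore = $Score
            Evidence       = $Evidence -join '+'
            Error          = $Row.Error
            ConfirmedRole  = ''   # filled in by the owner after manual review
        }
    }
}

$Findings = $Rows | Get-RadiusTriage
# Narrowed findings file: everything except reachable hosts with no evidence.
$Findings | Where-Object Triage -ne 'NoEvidence' |
    Export-Csv -Path '.\radius-nps-findings.csv' -NoTypeInformation -Encoding UTF8
# Summary keeps unreachable hosts in their own bucket.
$Findings | Group-Object Triage | Select-Object Name, Count | Format-Table -AutoSize
```

To triage a real run, replace the sample rows with `Import-Csv '.\radius-nps-detection-report.csv'`.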

Safety Notes

  • This pattern is read-only, but remote event log and feature queries can fail on older systems or where remoting/firewall rules are restricted; capture those failures distinctly.
  • UDP listener evidence alone does not prove production use; combine it with event or service evidence before declaring a host active for RADIUS.
  • The IAS service name is used by Microsoft NPS; some environments may have third-party RADIUS services that require additional service-name or process-name checks.
  • Security log access may require elevated rights; if unavailable, keep the report but note reduced confidence for event-based detection.
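
One way to do the process-name check mentioned above: resolve which process and Windows service own each listener on the RADIUS ports. This is an added read-only example, not part of the original starter; the function name Get-RadiusListenerOwner and its output field names are assumptions.

```powershell
function Get-RadiusListenerOwner {   # hypothetical helper name
    # Same four ports the starter checks.
    param([int[]]$Port = @(1812, 1813, 1645, 1646))

    $Endpoints = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Port }

    foreach ($Group in ($Endpoints | Group-Object OwningProcess)) {
        $ProcessId = [int]$Group.Name
        $Process   = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue

        # A shared svchost.exe can host several services, so list every running
        # service in the owning process. The State test keeps stopped services
        # (which report ProcessId 0) out of the result.
        $Services = @(Get-CimInstance -ClassName Win32_Service `
            -Filter "ProcessId = $ProcessId AND State = 'Running'" `
            -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            Ports          = ($Group.Group.LocalPort | Sort-Object -Unique) -join ', '
            ProcessId      = $ProcessId
            ProcessName    = if ($Process) { $Process.ProcessName } else { $null }
            ServiceNames   = $Services.Name -join ', '
            # IAS is the service name Microsoft NPS uses; any other owner on these
            # ports is a candidate third-party RADIUS service for manual review.
            IsMicrosoftNps = $Services.Name -contains 'IAS'
        }
    }
}

# Local check on the current host.
Get-RadiusListenerOwner | Format-Table -AutoSize
```

For remote hosts, the same function body can be passed to the starter's collection call as `Invoke-Command -ComputerName $Targets -ScriptBlock ${function:Get-RadiusListenerOwner}`.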