Cisco WLC and Windows NPS as a RADIUS server.

Today I needed to reconfigure an AIR-CT5760 to use Windows NPS servers as RADIUS servers for wireless client authentication.

Here is a list of useful documents about it:
5760/3850 Series WLC PEAP Authentication with Microsoft NPS Configuration Example - MUST READ.
External RADIUS Server EAP Authentication with 5760/3850 WLC Configuration Example.
Converged Access -802.1X/EAP using External server, Local radius/LDAP on 5760 WLC and 3850.

If you have only one RADIUS server the configuration is pretty simple:

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 exit

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

If you have two servers and you really want to be sure that switchover will work, you need a bit more configuration (see Cisco's excellent document, Demystifying RADIUS Server Configurations):

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

radius server NPS-192.168.1.2
 address ipv4 192.168.1.2
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 server name NPS-192.168.1.2
 exit

radius-server dead-criteria time 15 tries 2
radius-server deadtime 5

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

For me, the most useful show command is the one listed below:

AIR-CT5760-WLC#show aaa servers | i id|State|Dead|Quarant|request
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
AIR-CT5760-WLC#
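
To check the counters above automatically, here is an added example (not part of the original post) that parses this filtered show output and flags servers that are not UP or that time out on too many authentication requests. The function names and the 5% threshold are assumptions chosen for illustration; the sample text is the output shown above, trimmed to the lines the parser reads.

```python
import re

# Trimmed copy of the 'show aaa servers' output shown on this page.
SAMPLE = """\
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
"""

HOST = re.compile(r"^RADIUS: id (\d+), priority (\d+), host (\S+),")
STATE = re.compile(r"^\s+State: current (\w+),")
DEAD = re.compile(r"^\s+Dead: total time \d+s, count (\d+)")
COUNTERS = re.compile(r"^\s+(Authen|Author|Account): request (\d+), "
                      r"timeouts (\d+), failover (\d+), retransmission (\d+)")
FIELDS = ("request", "timeouts", "failover", "retransmission")

def parse_aaa_servers(text):
    """Return one dict per RADIUS server found in 'show aaa servers' output."""
    servers = []
    for line in text.splitlines():
        if m := HOST.match(line):
            servers.append({"id": int(m[1]), "priority": int(m[2]), "host": m[3]})
        elif not servers:
            continue  # prompt or echo lines before the first server block
        elif m := STATE.match(line):
            servers[-1]["state"] = m[1]
        elif m := DEAD.match(line):
            servers[-1]["dead_count"] = int(m[1])
        elif m := COUNTERS.match(line):
            servers[-1][m[1].lower()] = dict(zip(FIELDS, map(int, m.groups()[1:])))
    return servers

def flag_unhealthy(servers, max_timeout_ratio=0.05):  # threshold is an assumption
    """Hosts that are not UP or whose authen timeout ratio exceeds the threshold."""
    flagged = []
    for s in servers:
        a = s.get("authen", {"request": 0, "timeouts": 0})
        ratio = a["timeouts"] / a["request"] if a["request"] else 0.0
        if s.get("state") != "UP" or ratio > max_timeout_ratio:
            flagged.append((s["host"], s.get("state"), round(ratio, 3)))
    return flagged

if __name__ == "__main__":
    print(flag_unhealthy(parse_aaa_servers(SAMPLE)))
```

The counters are cumulative, so compare two samples taken some time apart to judge the current timeout rate rather than the lifetime one.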
