RADIUS and NPS server detection report

Read-only PowerShell reporting script pattern to identify likely Microsoft NPS or other RADIUS-capable Windows servers using multiple evidence sources: NPS service presence, NPAS role/feature state, IAS/NPS event log activity, UDP 1812/1813 listener evidence, and registry indicators. Designed for migration discovery, audit support, and authentication troubleshooting.

Good For

  • Finding likely NPS servers before MFA, VPN, Wi-Fi, or NAC migrations
  • Building a host-by-host evidence report for audit or ticket attachments
  • Validating whether a server is actively handling RADIUS authentication or accounting
  • Scanning a known host list or an AD-filtered server set

How to Use It

  1. Choose target mode: use a curated remote host list for scoped investigations, or query AD for Windows Server computer objects when building a broader inventory.
  2. Run the collection from an admin workstation or management host with PowerShell remoting enabled and rights to query services, features, event logs, registry, and UDP endpoints on target servers.
  3. Collect five evidence types per host: IAS service presence/status, NPAS feature installation state, active UDP listener ports commonly used by RADIUS, recent NPS/IAS-related event log evidence, and IAS registry presence.
  4. Review the DetectionScore and LikelyRadiusOrNps fields instead of relying on one signal. A score of 2 or more is a practical threshold for likely NPS/RADIUS candidates; score 1 should be reviewed manually.
  5. Export full CSV for archive and a narrowed findings CSV for tickets, migration workbooks, or follow-up validation with application/network owners.

Execution Modes

  • remote-host-list
  • ad-filtered

Inputs and Outputs

Inputs

  • servers.txt
  • AD computer filter
  • PowerShell remoting access (required)

Outputs

  • verbose-console
  • csv

Command Starter

Safe to run: read-only

# Target mode 1 (remote-host-list): curated host list for scoped investigations.
$Targets = Get-Content .\servers.txt

# Target mode 2 (ad-filtered): uncomment to use AD-discovered servers instead.
# Requires the ActiveDirectory module on the management host.
# $Targets = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
#     Select-Object -ExpandProperty Name

$Report = foreach ($Computer in $Targets) {
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            # Evidence 1-3: IAS service, NPAS feature state, UDP listeners on RADIUS ports.
            $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
            $feat = Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
            $listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -in 1812,1813,1645,1646 }

            # Evidence 4: recent NPS/IAS events. NPS audit events in the Security log
            # (IDs 6272-6280) are written by Microsoft-Windows-Security-Auditing, so
            # match on event ID as well as on provider name.
            $evt = Get-WinEvent -LogName 'Security' -MaxEvents 200 -ErrorAction SilentlyContinue |
                Where-Object { $_.ProviderName -match 'NPS|IAS|Microsoft-Windows-NPS' -or $_.Id -in 6272..6280 } |
                Select-Object -First 5 TimeCreated,Id,ProviderName
            $npsLog = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
                Where-Object { $_.LogName -match 'Network Policy and Access Services|NPS|IAS' } |
                Select-Object -ExpandProperty LogName

            # Evidence 5: IAS service registry key.
            $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IAS' -ErrorAction SilentlyContinue

            # One point per evidence source that is present.
            $signals = @([bool]$svc, [bool]($feat.InstallState -eq 'Installed'), [bool]$listeners, [bool]$evt, [bool]$reg)
            $score = @($signals | Where-Object { $_ }).Count

            [pscustomobject]@{
                ComputerName         = $env:COMPUTERNAME
                Reachable            = $true
                IASServicePresent    = [bool]$svc
                IASServiceStatus     = if ($svc) { $svc.Status } else { $null }
                NPASFeatureInstalled = if ($feat) { $feat.InstallState } else { $null }
                RadiusPorts          = ($listeners.LocalPort | Sort-Object -Unique) -join ','
                NpsEventLogNames     = ($npsLog -join ';')
                RecentNpsEvents      = ($evt | ForEach-Object { "{0}:{1}" -f $_.TimeCreated.ToString('s'),$_.Id }) -join '; '
                RegistryIASPresent   = [bool]$reg
                DetectionScore       = $score
                LikelyRadiusOrNps    = ($score -ge 2)
                Error                = $null   # Same columns as the failure row, so Export-Csv keeps Error
            }
        }
    } catch {
        # Unreachable or failed host: record the error instead of reporting a negative.
        [pscustomobject]@{
            ComputerName         = $Computer
            Reachable            = $false
            IASServicePresent    = $null
            IASServiceStatus     = $null
            NPASFeatureInstalled = $null
            RadiusPorts          = $null
            NpsEventLogNames     = $null
            RecentNpsEvents      = $null
            RegistryIASPresent   = $null
            DetectionScore       = 0
            LikelyRadiusOrNps    = $false
            Error                = $_.Exception.Message
        }
    }
}

# Full report for archive, console summary, and a narrowed findings file.
$Report | Sort-Object LikelyRadiusOrNps,DetectionScore -Descending | Export-Csv .\radius-nps-detection-report.csv -NoTypeInformation -Encoding UTF8
$Report | Sort-Object LikelyRadiusOrNps,DetectionScore -Descending | Format-Table ComputerName,Reachable,IASServiceStatus,NPASFeatureInstalled,RadiusPorts,DetectionScore,LikelyRadiusOrNps -AutoSize
$Report | Where-Object { $_.LikelyRadiusOrNps -or $_.DetectionScore -ge 1 } | Export-Csv .\radius-nps-detection-findings.csv -NoTypeInformation -Encoding UTF8

Validation

  • At least one known NPS server appears with IASServicePresent=true or NPASFeatureInstalled=Installed.
  • Servers expected to handle RADIUS show listener evidence on UDP 1812 and/or 1813, or have recent NPS/IAS event evidence if listeners are not observable.
  • Non-NPS servers do not cluster with high DetectionScore unless they have stale components or historical artifacts requiring manual review.
  • Unreachable systems are clearly marked with Reachable=false and an error message so missing evidence is not mistaken for negative evidence.

Reporting

  • Include ComputerName, Reachable, IASServiceStatus, NPASFeatureInstalled, RadiusPorts, DetectionScore, LikelyRadiusOrNps, and Error in ticket attachments.
  • Flag hosts with DetectionScore=1 as review-needed rather than confirmed NPS; note which evidence source triggered the finding.
  • Separate unreachable hosts from confirmed negatives in summaries to avoid false assurance.
  • For migration packs, add a manual owner-confirmed column after review: ConfirmedRole = NPS, RADIUS client only, historical artifact, or not applicable.
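
Added example (not part of the original script): one way to turn report rows into the triage summary described above, naming the evidence source behind each finding and keeping unreachable hosts apart from negatives. The function name Get-RadiusTriage and the sample hosts are hypothetical; in practice, pipe in the rows from Import-Csv .\radius-nps-detection-report.csv.

```powershell
# Constructed sample rows with the same fields the report emits (hypothetical hosts).
$Sample = @(
    [pscustomobject]@{ ComputerName='SRV-A'; Reachable=$true;  IASServicePresent=$true;  NPASFeatureInstalled='Installed'; RadiusPorts='1812,1813'; RecentNpsEvents=''; RegistryIASPresent=$true;  DetectionScore=4; Error=$null }
    [pscustomobject]@{ ComputerName='SRV-B'; Reachable=$true;  IASServicePresent=$false; NPASFeatureInstalled='Available'; RadiusPorts='';          RecentNpsEvents=''; RegistryIASPresent=$true;  DetectionScore=1; Error=$null }
    [pscustomobject]@{ ComputerName='SRV-C'; Reachable=$true;  IASServicePresent=$false; NPASFeatureInstalled='Available'; RadiusPorts='';          RecentNpsEvents=''; RegistryIASPresent=$false; DetectionScore=0; Error=$null }
    [pscustomobject]@{ ComputerName='SRV-D'; Reachable=$false; IASServicePresent=$null;  NPASFeatureInstalled=$null;       RadiusPorts=$null;       RecentNpsEvents=$null; RegistryIASPresent=$null; DetectionScore=0; Error='WinRM cannot complete the operation.' }
)

function Get-RadiusTriage {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # String comparisons work for live objects and for Import-Csv rows (all strings).
        $evidence = @()
        if ("$($Row.IASServicePresent)" -eq 'True')         { $evidence += 'IAS service' }
        if ("$($Row.NPASFeatureInstalled)" -eq 'Installed') { $evidence += 'NPAS feature' }
        if ("$($Row.RadiusPorts)")                          { $evidence += "UDP listener $($Row.RadiusPorts)" }
        if ("$($Row.RecentNpsEvents)")                      { $evidence += 'NPS/IAS events' }
        if ("$($Row.RegistryIASPresent)" -eq 'True')        { $evidence += 'IAS registry key' }

        $score = [int]$Row.DetectionScore
        $triage = if ("$($Row.Reachable)" -ne 'True') {
            'Unreachable (no evidence collected)'   # missing evidence, not a negative
        } elseif ($score -ge 2) {
            'Likely NPS/RADIUS'
        } elseif ($score -eq 1) {
            'Review needed'
        } else {
            'No evidence found'
        }

        [pscustomobject]@{
            ComputerName  = $Row.ComputerName
            Triage        = $triage
            Evidence      = $evidence -join '; '
            Error         = $Row.Error
            ConfirmedRole = ''   # filled in manually after owner review
        }
    }
}

$Sample | Get-RadiusTriage | Sort-Object Triage, ComputerName | Format-Table -AutoSize
```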

Safety Notes

  • This pattern is read-only, but remote event log and feature queries can fail on older systems or where remoting/firewall rules are restricted; capture those failures distinctly.
  • UDP listener evidence alone does not prove production use; combine it with event or service evidence before declaring a host active for RADIUS.
  • The IAS service name is used by Microsoft NPS; some environments may have third-party RADIUS services that require additional service-name or process-name checks.
  • Security log access may require elevated rights; if unavailable, keep the report but note reduced confidence for event-based detection.
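
Added example (not part of the original script): a read-only check that maps each UDP listener on the RADIUS ports to its owning process and the Windows services hosted in that process, which is one way to do the service-name or process-name check mentioned above for third-party RADIUS software. Run it locally on a candidate server or inside an Invoke-Command script block; the output field names are hypothetical.

```powershell
$radiusPorts = 1812, 1813, 1645, 1646

# Services with a live process, used to map a PID back to service names.
# NPS runs inside svchost.exe, so the process name alone does not identify it.
$services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessId -gt 0 }

Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $radiusPorts } |
    Sort-Object OwningProcess, LocalPort -Unique |      # collapse IPv4/IPv6 duplicates
    ForEach-Object {
        $ownerPid = $_.OwningProcess
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $svcNames = @($services | Where-Object { $_.ProcessId -eq $ownerPid } |
            Select-Object -ExpandProperty Name)

        [pscustomobject]@{
            LocalPort       = $_.LocalPort
            OwningProcessId = $ownerPid
            ProcessName     = if ($proc) { $proc.ProcessName } else { $null }
            HostedServices  = $svcNames -join ','
            # IAS is the service name used by Microsoft NPS; anything else
            # listening on these ports needs manual identification.
            IsMicrosoftNps  = $svcNames -contains 'IAS'
        }
    } | Format-Table -AutoSize
```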