You need to consider several requirements when designing firewall access and an NPS solution. Firewall considerations typically need to be addressed both on the participating servers and on any intermediate network-level firewalls between those servers and between the servers and the clients.
Because RADIUS traffic uses UDP ports 1812, 1813, 1645, and 1646, this traffic must be allowed to reach the servers that handle it, such as the NPS server. When NPS is installed, this traffic is automatically added as an exception on the NPS server.
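One way to confirm those exceptions on an NPS server, as an added example that is not part of the original text: the PowerShell below reports, for each RADIUS UDP port named above, which enabled inbound allow rules in the host firewall cover it. The function name Test-PortCovered is hypothetical; Get-NetFirewallRule and Get-NetFirewallPortFilter are the built-in NetSecurity cmdlets.

```powershell
# Added example: audit the host firewall on an NPS server for the RADIUS UDP ports.
# Run in an elevated PowerShell session on the NPS server.
$radiusPorts = 1812, 1813, 1645, 1646   # ports named in the text

# Hypothetical helper: does a rule's LocalPort list cover the given port?
# LocalPort entries can be 'Any', a single port, a range ('1000-2000') or a keyword.
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# Collect enabled inbound allow rules that apply to UDP, with their port filters.
$udpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -in 'UDP', 'Any') {
            [pscustomobject]@{
                Name      = $_.DisplayName
                LocalPort = [string[]]$filter.LocalPort
            }
        }
    }

# One result row per RADIUS port: is it allowed, and by which rules?
foreach ($port in $radiusPorts) {
    $hits = @($udpRules | Where-Object { Test-PortCovered -LocalPort $_.LocalPort -Port $port })
    [pscustomobject]@{
        UdpPort = $port
        Allowed = $hits.Count -gt 0
        Rules   = ($hits.Name -join '; ')
    }
}
```

The result covers only the host firewall on the server where it runs, and it does not evaluate block rules or remote-address scoping; intermediate network firewalls have to be checked separately.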
The NPS server serves as a management interface to the RADIUS server, RADIUS proxy, and NAP policy server. You can configure NPS in several complex scenarios: as a full RADIUS server implementation, as a proxy to another RADIUS server, as both a RADIUS server and proxy, as a RADIUS server with remote accounting servers, and as a remote RADIUS to Windows User Mapping server. This last scenario means that the NPS server forwards the authentication request to a remote RADIUS server but performs authorization with Windows user account information.