Select Update certificates that use certificate templates
Register NPS in Active Directory. In Server Manager, navigate to Roles > Network Policy and Access Services > NPS (Local). Right-click NPS (Local) and choose Register server in Active Directory. Review the authorization notification. Click OK. The computer is now authorized. Click OK.
Force Group Policy Update. Click Start > Run. Type gpupdate /force. Allow update to finish.
Review Issued Certificates. Navigate to Roles > Active Directory Certificate Services > Your CA > Issued Certificates. We can now see that the NPS certificate has been issued to our machine RCDNCALO\W2K8-STATIC$. It was auto-enrolled after registering NPS with Active Directory and forcing a Group Policy update. This will be the server-side certificate used for applicable EAP authentication methods.
Create RADIUS Clients, adding your WLC(s). Open Server Manager. Navigate to Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Right-click and click New. Populate Friendly name and Address (IP or DNS). For Shared Secret, leave Template set to None. Choose Manual and type the Shared Secret and a matching Confirm shared secret (the example uses cisco123). Click OK.
Create new 802.1X Configuration. Navigate to Roles > Network Policy and Access Services > NPS (Local). Click the dropdown in the Standard Configuration section, then select RADIUS server for 802.1X Wireless or Wired Connections. Click Configure 802.1X. For type of 802.1X Connections, select Secure Wireless Connections. Provide a Name for the policy or accept the default, Secure Wireless Connections. Click Next.
Confirm RADIUS client is present. This client was added previously. Add additional RADIUS clients as required. Click Next.
Select EAP method type for this policy. For PEAP choose Microsoft: Protected EAP (PEAP). For EAP-TLS choose Microsoft: Smart Card or other Certificate (our example is configuring PEAP). Select Configure. Verify that Certificate issued reflects the certificate that NPS auto-enrolled. Our NPS certificate template provided a one-year validity period, whereas the Root CA certificate is valid for five years. Notice that the certificate reflects the FQDN of the Windows Server we are installing NPS on: w2k8-static.rcdncalo.wireless. The other certificate is the actual Root CA, which matches the name from the Root CA installation earlier and is not the one we want to select. Click OK. Click Next.
Add desired Windows Groups. These can be machine or user groups. For example, we are adding the default Domain Users group. Click OK. Click Next.
Do not configure Traffic Controls at this time. This can be used for VLAN assignment and other VSA Attributes to provide AAA override settings to the WLC. Click Next.
Add RADIUS server to WLC. Navigate in the WLC GUI to SECURITY > AAA > RADIUS > Authentication. Click New… Provide Server IP Address for NPS server. Provide Shared Secret and Confirm Shared Secret. Click Apply.
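The certificate checks from the Review Issued Certificates and PEAP Configure steps above can also be run from PowerShell on the NPS server. This is an added example, not part of the original guide; the 30-day renewal threshold is an assumption, and the script only reads the local machine certificate store.

```powershell
# Added example: list candidate NPS server certificates in the local machine store
# and flag the properties the guide asks you to verify by eye.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$warnDays      = 30                     # assumed renewal warning threshold

# Build this server's FQDN (w2k8-static.rcdncalo.wireless in the guide's lab).
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn    = ('{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName).TrimEnd('.')

$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        # Subject equal to Issuer means self-signed: the Root CA, not the NPS certificate.
        IsRootCA      = ($cert.Subject -eq $cert.Issuer)
        ServerAuth    = ($ekus -contains $serverAuthOid)
        MatchesFqdn   = ($cert.GetNameInfo($dnsType, $false) -eq $fqdn)
        HasPrivateKey = $cert.HasPrivateKey
        RenewSoon     = ($daysLeft -lt $warnDays)
    }
} | Sort-Object IsRootCA, NotAfter |
    Format-Table Subject, Issuer, NotAfter, DaysLeft, IsRootCA, ServerAuth, MatchesFqdn, HasPrivateKey, RenewSoon -AutoSize
```

The certificate to select for PEAP is the row with IsRootCA false and ServerAuth, MatchesFqdn and HasPrivateKey true; with a one-year template, RenewSoon turning true is the cue to confirm that auto-enrollment renews it before clients start failing server validation.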