SafeNet Agent for NPS
The SafeNet Agent for NPS adds strong authentication to Microsoft's Network Policy Server (NPS) environments, by transferring Remote Authentication Dial-In User Service (RADIUS) requests received by NPS to the SAS PCE or STA.
NPS is the Microsoft implementation of a RADIUS server, and is included in the Microsoft Windows Server 2012, 2016, 2019, 2022, and 2025 families. The NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, remote access (dial-up and VPN), and router-to-router connections.
Release Information
Release Summary – SafeNet Agent for NPS 3.0.3
The SafeNet Agent for NPS 3.0.3 release resolves some customer-reported issues.
Resolved Issues
| Severity | Issue | Synopsis |
|---|---|---|
| M | SASNOI-19212 | Earlier, non-admin users were able to open the NPS management console. Now, the user will be prompted to enter administrator credentials, and the management console will open only after the credentials are provided. |
| L | SASNOI-3478 | While exporting the NPS settings (File > Export Current Configuration) from the management console, a pop-up stating "Restart the NPS server for changes to take place" appeared even if there was no change in the management console. Now, the message displays only if there is a configuration change in the management console. |
Release Summary – SafeNet Agent for NPS 3.0.2
The SafeNet Agent for NPS 3.0.2 release introduces a new registry key and resolves some customer-reported issues.
Extended Operating System Support
The SafeNet Agent for NPS 3.0.2 now supports Windows Server 2022 (64-bit).
Resolved Issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-15812 | While validating with NTRadPing, triggers were not working even if the pre-auth rule was set. A new registry key, AllowPreAuthRule, is now added to support the use of pre-authentication rules for the Active Directory (AD) users. |
| H | SASNOI-14991 | The RADIUS return attribute Mapped-IP-Address was causing the NPS agent to crash due to not being able to fetch the correct IP address. Now, the agent captures the correct IP address, which is correctly displayed on NTRadPing as well. |
Release Summary – SafeNet Agent for NPS 3.0.1
The SafeNet Agent for NPS 3.0.1 release resolves some customer-reported issues.
Resolved Issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-12340 | The SafeNet Agent for NPS installed on Windows Server 2012 R2 now does not crash if the initial RADIUS request contains some attributes (such as Event-Timestamp, Stripped-User-Name, Realm) from the FreeRADIUS server. |
| H | SASNOI-12025 | The issue of the NPS agent throwing the error "Network Policy Server discarded the Push token request when radius attribute ratAuthenticator value is empty" is now resolved. Authentication now works correctly. |
Release Summary – SafeNet Agent for NPS 3.0.0
The SafeNet Agent for NPS 3.0.0 introduces new features and resolves a known issue.
New Features and Enhancements
Enhanced Security
The AES-GCM encryption algorithm is now used to provide faster and more secure protection of data exchange.
Thales Branding
The SafeNet Agent for NPS 3.0.0 has been redesigned with the Thales branding. With this release, the installer name is also changed to SafeNet Agent for NPS.
Extended Operating System Support
The SafeNet Agent for NPS 3.0.0 now supports Windows Server 2019 (64-bit).
Resolved Issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-10366 | The SafeNet Agent for NPS does not intercept the authentication requests that come to the NPS server if the Connection Request Policy is set to Authenticate requests on this server. |
| H | SASNOI-10519 | The authentication works correctly in the migration mode when the NPS agent is installed on the NPS migration server. |
Release Summary – SafeNet Agent for NPS 2.1.0
The SafeNet Agent for NPS 2.1.0 introduces new features and resolves a known issue.
New Features and Enhancements
Support for Transport Layer Security v1.2
Support for the Transport Layer Security (TLS) v1.2 protocol has now been added.
Extended Operating System Support
The SafeNet Agent for NPS now supports Windows Server 2016 (64-bit).
Security Enhancements
To better secure the communication between channels, the SafeNet Agent for NPS 2.1.0 contains certain security enhancements at infrastructure and agent level.
Upgrade from Version 2.0
The SafeNet Agent for NPS 2.1.0 supports upgrade from version 2.0.
Resolved Issue
| Severity | Issue | Synopsis |
|---|---|---|
| M | SASNOI-3600 | The SafeNet Agent for NPS now works correctly when receiving an authentication request using the MS-CHAP-v2 protocol. |
Release Summary – SafeNet Agent for NPS 2.0
The SafeNet Agent for NPS 2.0 introduces new features and repairs several known issues.
New Features and Enhancements
Support for Push OTP
The SafeNet Agent for NPS 2.0 supports the Push OTP function with MobilePASS+ when SAS Authentication Server Cloud Edition 3.9.1 and later versions become available.
Support for Return Attributes
The SafeNet Agent for NPS 2.0 supports the use of SafeNet server-defined user or group RADIUS Return Attributes.
Gemalto Branding
The SafeNet Agent for NPS 2.0 has been updated with Gemalto branding.
Upgrade from Version 1.31
The SafeNet Agent for NPS 2.0 supports upgrade from version 1.31.
Resolved Issue
| Severity | Issue | Synopsis |
|---|---|---|
| L | SASIL-2640 | The SafeNet Agent for NPS now works correctly when receiving an authentication request from Aruba ClearPass. |
Advisory Notes
Administrator Credentials Required
The SafeNet Agent for NPS must run with administrator credentials. This applies to the installation of the agent and to running SafeNet Agent Management Console options.
Logging with Push OTP
When logging in to a website that supports the Push OTP function, the user enters the Username, leaves the password field empty, and clicks the login button. The user then receives a prompt in the MobilePASS+ app to accept or reject the logon request. On accepting the logon request, the user is logged in to the website.
Known Issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-3589 | Description: Authentication fails using challenge-response token if CHAP or MS-CHAP-v2 protocol is employed. Workaround: None. Will be fixed in a future release. |
| H | SASNOI-3533 | Description: The Server Status Check always reports that the Secondary (Failover) Server is off-line, even if it is running correctly. Workaround: None. Will be fixed in a future release. |
| H | SASNOI-3499 | Description: An error message is encountered while installing the NPS agent on non-English Operating Systems. Workaround: None. Will be fixed in a future release. |
| H | SASNOI-3366 | Description: Push functionality does not work when NPS is configured using the Token Validator Proxy (TVP) Agent. Workaround: Add an exception that when NPS is configured with Proxy, connection to the TVP should route directly. |
| H | SASIL-3183 | Description: If the SafeNet Agent for NPS is working via a proxy server, when running the Server Status Check procedure (SafeNet Agent Management Console > Authentication Test), the SAS/STA server is reported as being off-line, even though it is running correctly. Workaround: None. Will be fixed in a future release. |
Compatibility and Component Information
System Requirements
Prerequisites
Microsoft .NET Framework 4.8 must be installed on the same computer as the SafeNet Agent for NPS.
Operating Systems
- Windows Server 2016 (64-bit)
- Windows Server 2019 (64-bit)
- Windows Server 2022 (64-bit)
- Windows Server 2025 (64-bit)
Authentication Management Platforms
- STA
- SAS PCE 3.9.1 and later
Authentication Protocols
The SafeNet Agent for NPS supports the following authentication protocols:
- PAP
- CHAP
- MS-CHAP v2
The following restrictions apply when working in Challenge/Response mode:
- Tokens in Challenge/Response mode are supported only for PAP.
- GrIDSure tokens are supported only for PAP and MS-CHAP v2. MS-CHAP v2 requires SAS PCE 3.9.1 or later.
Note
To use GrIDSure with the SafeNet Agent for NPS, the user must utilize an external GrIDSure service (for example SAS Self Service Portal).
Push OTP
The SafeNet Agent for NPS supports the Push OTP function with MobilePASS+ when working with the STA as well as the SAS PCE 3.9.1 and later versions.
Note
- High Push OTP utilization can lower the authentication throughput in the NPS.
- To use Push OTP, ensure that the agent's server can connect with the Push Service. If you are using a proxy with the agent's server, add the IP address of the Push Service in the proxy.
When using Push OTP, we recommend the following settings in the RADIUS Client:
| Deployment | Timeout | Retries |
|---|---|---|
| Multiple NPS servers | 60 seconds | 1 |
| Single NPS server | 20 seconds | 3 |
Upgrade
The SafeNet Agent for NPS v3.0.3 supports upgrade from v2.0 onwards.
Note
Upgrade from versions earlier than 2.0 is not supported.
Upgrade is not supported on Windows Server 2019.