Deploying the NPS agent

The NPS agent extends the Network Policy Server (NPS) service to enforce UserLock access policies and MFA during RADIUS authentication (VPN, Wi-Fi, etc.).

Published May 31, 2024

Overview

The UserLock NPS agent is a DLL registered in the Network Policy Server (NPS) service.
It is triggered when a user authenticates through RADIUS and during session start or end events (RADIUS accounting).

This integration allows UserLock to apply access policies and multi-factor authentication (MFA) for users connecting via VPN or Wi-Fi.

Note
  • NPS supports multiple administrative DLLs. The UserLock agent can coexist with others without conflict.

  • The registry supports multiple DLL locations (REG_MULTI_SZ value type).

  • NPS loads DLLs in the order they appear in the registry.

  • See Microsoft documentation on NPS

Step 1. Install the agent

You can install the NPS agent automatically from the UserLock console or manually on your NPS server.

Option A – Install from the console

💡️ The simplest way is to deploy the NPS agent directly from the UserLock console.

See: Install from the console

Option B – Install manually

If you cannot deploy the NPS agent from the console, you can install it manually on your NPS server.

  1. Copy and register the module

    1. Copy the corresponding DLL file from the UserLock installation folder (for example, C:\Program Files\UserLock IIS Agent) to %windir%\System32\ on the server.

    2. Open an elevated Command Prompt (Run as Administrator).

    3. Run the registration command matching your IIS server architecture:

      | Server architecture | File to copy | Command to register |
      |---|---|---|
      | 32-bit | ULIasAgent.dll | regsvr32 C:\Windows\System32\ULIasAgent.dll |
      | 64-bit | ULIasAgent_x64.dll (rename to ULIasAgent.dll) | regsvr32 C:\Windows\System32\ULIasAgent.dll |

  2. Register communication settings

    Create the following registry key to allow the IIS agent to communicate with the UserLock servers:

    • Registry path:
      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IAS

    • Keys:

      | Value name | Type | Description |
      |---|---|---|
      | UserLockServer | REG_SZ | Name of the Primary UserLock server |
      | UserLockServerBackup | REG_SZ | Name of the Backup UserLock server |
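The manual installation above can be scripted as follows. This is an added example, not code from the UserLock documentation; it checks the DLL's signature before loading it into the authentication path. The source folder, both server names, and the expectation that the DLL is Authenticode-signed are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example: manual NPS agent install (copy, register, communication settings).
# Assumptions: $SourceDir, both server names, and a valid Authenticode signature on the DLL.
$ErrorActionPreference = 'Stop'

$SourceDir   = 'C:\Program Files\UserLock IIS Agent'   # example folder from the text; adjust
$PrimaryName = 'USERLOCK-PRIMARY.example.test'          # placeholder server name
$BackupName  = 'USERLOCK-BACKUP.example.test'           # placeholder server name

# A 32-bit shell on a 64-bit OS is redirected from System32 to SysWOW64.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell session.'
}

# Pick the DLL for the OS architecture; the 64-bit file is renamed on copy.
$dllName = if ([Environment]::Is64BitOperatingSystem) { 'ULIasAgent_x64.dll' } else { 'ULIasAgent.dll' }
$source  = Join-Path $SourceDir $dllName
$target  = Join-Path $env:windir 'System32\ULIasAgent.dll'

# Refuse to register an unsigned or modified DLL.
$sig = Get-AuthenticodeSignature -FilePath $source
if ($sig.Status -ne 'Valid') { throw "Signature status '$($sig.Status)' for $source" }
Write-Host "Signer: $($sig.SignerCertificate.Subject)"

Copy-Item -Path $source -Destination $target -Force

# regsvr32 /s is silent; failure is only visible through the exit code.
$reg = Start-Process -FilePath "$env:windir\System32\regsvr32.exe" -ArgumentList '/s', "`"$target`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($reg.ExitCode)" }

# Communication settings read by the agent (both values are REG_SZ).
$key = 'HKLM:\SOFTWARE\ISDecisions\UserLock\IAS'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'UserLockServer' -Value $PrimaryName -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'UserLockServerBackup' -Value $BackupName -PropertyType String -Force | Out-Null
```

The agent only takes effect after the service restart described in Step 2.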

Step 2. Restart services

After the NPS Agent is installed/uninstalled (through the console, or manually), its status in the Environment ▸ Machines page will be Installing/Uninstalling.

To make it effective:

  1. Stop the Routing and Remote Access (RemoteAccess) service.

    Note: this closes all VPN connections.

  2. Stop the Network Policy Server (IAS) service.

  3. Start the Routing and Remote Access (RemoteAccess) service.

  4. Start the Network Policy Server (IAS) service.

Here are PowerShell commands to do that:

```powershell
# Stop the "Routing and Remote Access" (RemoteAccess) service.
# Note: this closes all VPN connections.
Stop-Service RemoteAccess

# Stop the "Network Policy Server" (IAS) service:
Stop-Service IAS

# Start the "Routing and Remote Access" (RemoteAccess) service:
Start-Service RemoteAccess

# Start the "Network Policy Server" (IAS) service:
Start-Service IAS
```
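After the restart, a quick check confirms what NPS will actually load. This is an added example, not part of the UserLock documentation: it lists every DLL in the NPS extension lists in load order with its signature status, then shows the service state and the agent's communication settings. The `AuthSrv\Parameters` key with its `ExtensionDLLs` and `AuthorizationDLLs` values is the standard NPS extension registration from Microsoft's documentation, and that the agent registers itself in one of those lists is an assumption.

```powershell
# Added example: post-restart check of the NPS extension DLLs and the agent settings.
# Assumption: regsvr32 adds ULIasAgent.dll to one of the two REG_MULTI_SZ lists below.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'

function Get-NpsExtensionDll {
    foreach ($valueName in 'ExtensionDLLs', 'AuthorizationDLLs') {
        $entries = (Get-ItemProperty -Path $params -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $order = 0
        foreach ($path in $entries) {
            $order++
            $full   = [Environment]::ExpandEnvironmentVariables($path)
            $exists = Test-Path -LiteralPath $full
            # Only query the signature when the file is really there.
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $full }
            [pscustomobject]@{
                List      = $valueName
                LoadOrder = $order          # NPS loads DLLs in registry order
                Path      = $full
                Exists    = $exists
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

$loaded = @(Get-NpsExtensionDll)
$loaded | Format-Table -AutoSize

# Entries that are missing on disk or not validly signed deserve a closer look.
$loaded | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review: $($_.Path) (exists=$($_.Exists), signature=$($_.Signature))" }

if (-not ($loaded | Where-Object Path -like '*\ULIasAgent.dll')) {
    Write-Warning 'ULIasAgent.dll is not present in the NPS extension lists.'
}

# Both services should be Running again after the restart.
Get-Service -Name RemoteAccess, IAS | Format-Table Name, Status -AutoSize

# Communication settings from the manual installation step.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\ISDecisions\UserLock\IAS' -ErrorAction SilentlyContinue |
    Format-List UserLockServer, UserLockServerBackup
```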

Uninstall the agent

Option A – Uninstall from the console

  1. Uninstall the agent directly from the UserLock console.

  2. The agent status will appear as Uninstalling. Restart the services as described in the Step 2 section to complete the process.

Option B – Uninstall manually

  1. Unregister the DLL:
    regsvr32 /u C:\Windows\System32\ULIasAgent.dll

  2. The agent will be disabled but still loaded in memory.

  3. Restart the services as described in the Step 2 section to complete the process.

Known limitations and additional settings

Duplicate Wi-Fi sessions

Some Wi-Fi Access Points (WAP) do not fully comply with RADIUS standards and may not send disconnection notifications.

As a result, the same session (same user account, same device, possibly the same Wi-Fi Access Point) may appear multiple times in UserLock.

To prevent these duplicates, the NPS agent provides two optional DWORD (32-bit) registry settings in: HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IA

| Setting | Description |
|---|---|
| AutoResetPreviousSessionSameData | When enabled (1), closes a previous session if the same user, device, and Wi-Fi Access Point (WAP) reconnect. Default: 1 (ON) |
| AutoResetPreviousSessionSameDataAndWap | When enabled (1), also closes previous sessions even if the user connects through a different Wi-Fi Access Point. Default: 0 (OFF) |

Behavior combinations

The behavior depends on how both keys are configured.
Mixing the values of these two options lets you control how UserLock handles reconnecting users on the same or different Wi-Fi Access Points.

| AutoResetPreviousSessionSameData | AutoResetPreviousSessionSameDataAndWap | Same user, device, and WAP | Same user and device, different WAP |
|---|---|---|---|
| 1 | 1 | ✅ Automatically closed | ⚠️ Remains active |
| 1 | 0 | ✅ Automatically closed | ✅ Automatically closed |
| 0 | 0 | ⚠️ Remains active | ⚠️ Remains active |

Note
  • ✅ Automatically closed means UserLock automatically ends any existing session matching the new RADIUS connection, preventing duplicates.

  • ⚠️ Remains active means the previous session stays open, which can result in duplicate sessions.