A few customers have asked me this one. Traffic considerations are important, because placing the Network Policy Server (NPS) on the other end of a WAN link from your switch or wireless access point can pose significant design issues if you have either a small link or a lot of clients on the other end. Other issues, such as WAN link stability, must also be considered in any decision like this.

So how much traffic does each NAP authentication and subsequent authorization pass generate? The answer is roughly 10k per authN/authZ. That's pretty small, but multiply it by the number of clients you have and then further multiply it by the re-authN period, and you should have a rough idea of the traffic you will be sustaining on your WAN link. Based on the re-authN period (usually in seconds), you can also divide it down to kb/s to estimate a sustained traffic load for the number of clients.

Based on this, if you do have to place an NPS server at the remote branch because of traffic loads, make it an RODC as well, and control the password replication policy of the clients that can authenticate as well as the users. That will make the replication traffic more efficient and improve authN redundancy should the link fail.