RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug

JBurgod
Conversationalist

I just spent all day trying to get RADIUS authentication for Client VPN to work on 2 separate Windows 2019 Servers.

I hope others find this post before they waste an entire day.

If you are having RADIUS authentication issues with Windows Server 2019 NPS, please be aware there is a known bug that has not been fixed or patched as of the June 2020 roll-up.

The bug relates to the Windows Firewall and the NPS server role. Although adding the NPS server role creates the appropriate Windows Firewall rules, there is a bug with the IAS (NPS) service SID that prevents the Firewall service from properly targeting the IAS service. Thus, despite the rules being there, the traffic was still being blocked.

I was able to find a workaround (thank you Google and all those that came before me).

From an elevated command prompt on the NPS server run the following command:

sc sidtype IAS unrestricted

Restart the server, and voilà!

There is also a second workaround where the scope of the firewall rule is set to any service. If you prefer this method, it is referenced in the links below.

Resources & References:

https://social.technet.microsoft.com/Forums/en-US/cf047df5-ed4a-46b9-9564-c9db5a9bc8dc/windows-serve...

https://windowsserver.uservoice.com/forums/295059-networking/suggestions/35724043-fix-default-nps-fi...

https://community.ui.com/questions/FYI-Windows-Server-2019-NPS-for-RADIUS-broken-w-fix/364c7c17-b3d3...

https://directaccess.richardhicks.com/2018/11/27/always-on-vpn-and-windows-server-2019-nps-bug/

Enjoy!
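As an added example (not part of the original post), the following PowerShell run from an elevated prompt on the NPS server shows the state the post describes before you change anything: the current IAS service SID type, which service each inbound NPS firewall rule is scoped to, and whether RADIUS is actually listening. It assumes the service is named IAS and that the NPS rules sit in the "Network Policy Server" display group; both workarounds from the post are included as commented-out lines.

```powershell
# Added example, not code from the original post.
# Assumptions: NPS service name is "IAS"; its inbound firewall rules are in the
# "Network Policy Server" display group (check with Get-NetFirewallRule if not).

# 1. Current service SID type. The post's workaround changes this to UNRESTRICTED
#    so the Windows Firewall service can match the rule to the IAS service.
sc.exe qsidtype IAS

# 2. Inbound NPS rules and the service scope each one carries. A rule that is
#    enabled for the right profile but scoped to a service the firewall cannot
#    resolve is exactly the symptom described above.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound |
    ForEach-Object {
        $svc = ($_ | Get-NetFirewallServiceFilter).Service
        [pscustomobject]@{
            Name    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Service = $svc
        }
    } | Format-Table -AutoSize

# 3. Confirm NPS is bound to the standard RADIUS ports (1812 auth, 1813 acct)
#    so that a blocked packet is a firewall problem and not a listener problem.
Get-NetUDPEndpoint -LocalPort 1812,1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4a. Workaround 1 from the post: make the IAS service SID unrestricted, then reboot.
# sc.exe sidtype IAS unrestricted
# Restart-Computer

# 4b. Workaround 2 from the post: drop the service scope to Any on the NPS rules.
#     This is less targeted than 4a (any process on the box can receive on those
#     ports), but the port and profile filters on the rules stay in place.
# Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound |
#     Set-NetFirewallRule -Service Any
```

Re-run steps 1 and 2 after the reboot to confirm the SID type reads UNRESTRICTED and the rules are unchanged, rather than disabling the firewall profile altogether.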

2 Replies
Q313
Here to help

1 year later and this gift keeps giving.

You are legend.

Thank you for the direction.

Comstasis
Conversationalist

Thank you so much for posting this! I already spent a day troubleshooting (Labor Day. Fun). I finally just disabled the firewall on the 2019 server, cause why not. Clearly the rule is there, but sure enough that allowed authentication to take place. Really frustrating! Anyway, that's when I googled and found your article, so at least getting it resolved should be much faster!
