RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug

JBurgod
Conversationalist

RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug

I just spent all day trying to get RADIUS authentication for Client VPN to work on 2 separate Windows 2019 Servers.

 

I hope others find this post before they waste an entire day.

 

If you are having RADIUS authentication issues with Windows Server 2019 NPS, please be aware their is a known bug that has not been fixed or patched as of the June 2020 roll-up.

 

The bug relates to the Windows Firewall and the NPS server role. Although adding the NPS server role creates the appropriate Windows Firewall rules, there is a bug with the IAS (NPS) service SID that prevents the Firewall service from properly targeting the IAS service. Thus, despite the rules being there, the traffic was still being blocked.

 

I was able to find a work around (thank you Google and all those that came before me).

 

From an elevated command prompt on the NPS server run the following command:

 

sc sidtype IAS unrestricted

 

Restart the server, and viola!

 

There is also a second workaround where the scope of the firewall rule is set to any service. If you prefer this method, it is referenced in the links below.

 

Resources & References:

https://social.technet.microsoft.com/Forums/en-US/cf047df5-ed4a-46b9-9564-c9db5a9bc8dc/windows-serve...

https://windowsserver.uservoice.com/forums/295059-networking/suggestions/35724043-fix-default-nps-fi...

https://community.ui.com/questions/FYI-Windows-Server-2019-NPS-for-RADIUS-broken-w-fix/364c7c17-b3d3...

https://directaccess.richardhicks.com/2018/11/27/always-on-vpn-and-windows-server-2019-nps-bug/

 

Enjoy!

2 REPLIES 2
Q313
Conversationalist

1 year later and this gift keeps giving.

 

You are legend.

 

Thank you for the direction.

Comstasis
Conversationalist

Thank you so much for posting this! I already spent a day troubleshooting (Labor Day. Fun). I finally just disabled the firewall on the 2019 server, cause why not. Clearly the rule is there, but sure enough that allowed authentication to take place. Really frustrating! Anyway, that's when I googled and found your article, so at least getting it resolved should be much faster!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels