
RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug


I just spent all day trying to get RADIUS authentication for Client VPN to work on 2 separate Windows 2019 Servers.

 

I hope others find this post before they waste an entire day.

 

If you are having RADIUS authentication issues with Windows Server 2019 NPS, please be aware there is a known bug that has not been fixed or patched as of the June 2020 roll-up.

 

The bug relates to the Windows Firewall and the NPS server role. Although adding the NPS server role creates the appropriate Windows Firewall rules, there is a bug with the IAS (NPS) service SID that prevents the Firewall service from properly targeting the IAS service. Thus, despite the rules being there, the traffic was still being blocked.

 

I was able to find a workaround (thank you Google and all those that came before me).

 

From an elevated command prompt on the NPS server run the following command:

 

sc sidtype IAS unrestricted

 

Restart the server, and voilà!

 

There is also a second workaround where the scope of the firewall rule is set to any service. If you prefer this method, it is referenced in the links below.

 

Resources & References:

https://social.technet.microsoft.com/Forums/en-US/cf047df5-ed4a-46b9-9564-c9db5a9bc8dc/windows-serve...

https://windowsserver.uservoice.com/forums/295059-networking/suggestions/35724043-fix-default-nps-fi...

https://community.ui.com/questions/FYI-Windows-Server-2019-NPS-for-RADIUS-broken-w-fix/364c7c17-b3d3...

https://directaccess.richardhicks.com/2018/11/27/always-on-vpn-and-windows-server-2019-nps-bug/

 

Enjoy!
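
A read-only check for the condition described in the post above, to run on the NPS server before and after the workaround. This is an added example, not part of the original post. It assumes the NPS rules sit in the "Network Policy Server" display group (the English-language default) and that an affected server reports a service SID type of NONE.

```powershell
# Added example (not from the original post): report the IAS service SID type
# and the service each NPS firewall rule is scoped to. Changes nothing.
$serviceName = 'IAS'
$ruleGroup   = 'Network Policy Server'   # assumed display group name

# 1. Service SID type as reported by sc.exe (NONE, UNRESTRICTED or RESTRICTED).
$sidOutput = & sc.exe qsidtype $serviceName
$sidLine   = $sidOutput | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
$sidType   = if ($sidLine) { ($sidLine -split ':', 2)[1].Trim() } else { 'UNKNOWN' }

# 2. Every rule in the group, with its service scope and port filter.
$rules = Get-NetFirewallRule -DisplayGroup $ruleGroup -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc  = $_ | Get-NetFirewallServiceFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Action    = $_.Action
            Service   = $svc.Service
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort -join ','
        }
    }

$rules | Format-Table -AutoSize
"Service SID type for ${serviceName}: $sidType"

# 3. A rule scoped to the IAS service can only match its traffic when the
#    service has a SID. Assumption: affected servers report NONE here.
$scoped = @($rules | Where-Object { $_.Service -eq $serviceName -and $_.Enabled -eq 'True' })
if ($sidType -eq 'NONE' -and $scoped.Count -gt 0) {
    Write-Warning "$($scoped.Count) enabled rule(s) are scoped to $serviceName, which has no service SID."
} elseif ($scoped.Count -gt 0) {
    "Rules are scoped to $serviceName and the service SID type is $sidType."
} else {
    "No enabled rule in '$ruleGroup' is scoped to $serviceName."
}
```

If the Service column shows Any, the second workaround from the post has already been applied to that rule.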
