RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug
I just spent all day trying to get RADIUS authentication for Client VPN to work on 2 separate Windows 2019 Servers.
I hope others find this post before they waste an entire day.
If you are having RADIUS authentication issues with Windows Server 2019 NPS, please be aware there is a known bug that has not been fixed or patched as of the June 2020 roll-up.
The bug relates to the Windows Firewall and the NPS server role. Although adding the NPS server role creates the appropriate Windows Firewall rules, there is a bug with the IAS (NPS) service SID that prevents the Firewall service from properly targeting the IAS service. Thus, despite the rules being there, the traffic was still being blocked.
I was able to find a workaround (thank you Google and all those that came before me).
From an elevated command prompt on the NPS server run the following command:
sc sidtype IAS unrestricted
Restart the server, and voilà!
There is also a second workaround where the scope of the firewall rule is set to any service. If you prefer this method, it is referenced in the links below.
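A read-only check for the state the post describes, added here as an example and not part of the original post: it reads the IAS service SID type with sc.exe qsidtype and lists the firewall rules scoped to the IAS service, so the workaround can be confirmed before and after the restart. It assumes an elevated PowerShell prompt on the NPS server and the built-in NetSecurity cmdlets.

```powershell
# Added example (not from the original post): verify the IAS service SID type
# and show which firewall rules are scoped to the IAS service. Read-only.

# "sc.exe qsidtype IAS" prints a line such as "SERVICE_SID_TYPE:  NONE".
$output  = & sc.exe qsidtype IAS 2>&1
$sidType = $null
foreach ($line in $output) {
    if ("$line" -match 'SERVICE_SID_TYPE:\s*(\S+)') { $sidType = $Matches[1] }
}

if (-not $sidType) {
    Write-Warning 'Could not read the SID type for IAS. Is the NPS role installed?'
    $output
    return
}

Write-Host "IAS service SID type: $sidType"
if ($sidType -ieq 'UNRESTRICTED') {
    Write-Host 'Matches the setting applied by "sc sidtype IAS unrestricted".'
} else {
    Write-Warning 'The workaround from the post has not been applied on this server.'
}

# List every firewall rule whose service filter names the IAS service, with
# its state and local port, so blocked RADIUS traffic can be matched to a rule.
$filters = Get-NetFirewallServiceFilter | Where-Object { $_.Service -ieq 'ias' }
if (-not $filters) {
    Write-Warning 'No firewall rules are scoped to the IAS service.'
    return
}

foreach ($rule in ($filters | Get-NetFirewallRule)) {
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $rule.DisplayName
        Enabled     = $rule.Enabled
        Direction   = $rule.Direction
        Action      = $rule.Action
        Protocol    = $port.Protocol
        LocalPort   = $port.LocalPort -join ','
    }
}
```

Run it once before applying the command and once after the restart; the SID type line is the only value that should change.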