I have an AD-joined Windows Server 2019 Standard with NPS installed and AD connected.
When I try to authenticate via RADIUS, it always fails, and this is unfixable so far.
The RADIUS Clients are configured as well as the Connection Request Policies (only NAS name as condition). Both work.
There is also a Network Policy with the following settings:
Conditions:
- User-Group: DOMAIN\VPN-Group
- NAS IPv4-Address: 172.31.1.1
Settings:
- Authentication method: PAP, SPAP
- Ignore Benutzereinwähleigenschaften (connection policy thing that is set on the user in the AD - couldn't find out what that is called in English) (must be set, otherwise NPS always says the user is set to forbid, which is also a lie)
- (everything else default)
In this configuration the NPS fails with reason code 16 (wrong credentials), which is a straight-up lie. The credentials are correct and the account is not locked.
Using anything other than PAP makes NPS entirely refuse to use any network policy, with reason code 48.
That is also complete bullshit, as in the event log both conditions clearly match the policy.
I also tested it with a different RADIUS client to ensure it's not a bug in that manufacturer's implementation.