Score:0

Windows NPS refusing all network policies or ignoring correct credentials


I have an AD-joined Windows Server 2019 Standard with NPS installed and AD connected.

When I try to RADIUS authenticate it always fails and this is unfixable so far. The RADIUS Clients are configured as well as the Connection Request Policies (only NAS name as condition). Both work.

There is also a Network Policy with the following settings:

Conditions:

  • User-Group: DOMAIN\VPN-Group
  • NAS IPv4-Address: 172.31.1.1

Settings:

  • Authentication method: PAP, SPAP
  • Ignore Benutzereinwähleigenschaften (connection policy thing that is set on the user in the AD - couldn't find out what that is called in English) (must be set, otherwise NPS always says the user is set to forbid, which is also a lie)
  • (everything else default)

In this configuration the NPS fails with reason code 16 (wrong credentials), which is a straight-up lie. The credentials are correct and the account is not locked.

Using anything other than PAP makes NPS entirely refuse to use any network policy, with reason code 48.

That is also complete bullshit as in the event log both conditions do clearly match the policy.

I tested it also with a different RADIUS client to ensure it's not a bug in that manufacturer's implementation.
