Recently I was tasked with setting up an Active Directory environment as the Radius authentication backend for a VPN solution, allowing users in the correct AD group to access the VPN using their AD credentials.
Sounds easy enough….. right? Well, then this wouldn’t be a good read would it 🙂
It seems the built-in Windows Server feature Network Policy Server (NPS) has a pretty serious known bug in it. Not directly serious because of what it does, but rather serious due to lazy administrators not putting appropriate measures in place to circumvent it – keep reading!
The NPS bug only affects Windows Sever 2019 and does not affect 2016 and below, so if you are happily running 2k16 servers (or older!) then fear not, you are OK!
In order to understand how the bug works (or does not work!) its important to have a brief understanding of how RADIUS communicates. This is done via UDP on port 1812 by default and is sent every time a client attempts authentication.
The bug occurs in the Windows firewall component of the NPS role and effectively refuses to pass data on UDP port 1812 even though it has automatically created a correct firewall rule within the Windows firewall config.
Practically what this means is all your authentication requests will fail and you will be left scratching your head as to why.
During troubleshooting you may turn off the firewall and find this has cured the issue with authentication requests once again passing. Sadly for the security of the server this is where most admins will start and end, leaving the server exposed and vulnerable with a disabled firewall.
So the question is, what’s the real solution?
After some serious head scratching I worked it out – running a PowerShell command to set the default NPS rules service to “Any” and thus allow the rules to function as expected:
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any
And just in case you need to undo it:
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service ias
That’s it, you should now have RADIUS requests passing correctly and still be able to have your Windows firewall enabled!
Michael Hosker