RADIUS Authentication using NPS on Server 2019 Bug
Windows Server 2019 introduced a bug in the Network Policy Server (NPS) role that causes RADIUS authentication to fail silently. NPS creates a correct-looking firewall rule for UDP port 1812 automatically, but traffic still doesn't pass. Earlier Windows Server versions aren't affected.
Many administrators discover that disabling Windows Firewall resolves the issue, then leave it disabled — which is not an acceptable security posture. The proper fix is a single PowerShell command.
The Problem
When NPS is installed on Server 2019, it creates firewall rules under the "Network Policy Server" display group. The rules appear valid in the firewall console, but the Windows Firewall component refuses to pass UDP 1812 traffic regardless.
The root cause is that the auto-created rules are scoped to the ias service. A bug in how Server 2019 handles this service scoping causes the rule to be ineffective.
The Fix
Remove the service restriction from the RADIUS-related NPS firewall rules:
Get-NetFirewallRule -DisplayGroup "Network Policy Server" |
Where-Object DisplayName -like "*RADIUS*" |
Set-NetFirewallRule -Service Any
This changes the service filter from ias to Any, which allows the traffic through while keeping the firewall enabled and all other restrictions (ports, protocols, profiles) intact.
Revert If Needed
To restore the original service-scoped behaviour:
Get-NetFirewallRule -DisplayGroup "Network Policy Server" |
Where-Object DisplayName -like "*RADIUS*" |
Set-NetFirewallRule -Service ias
Verify It's Working
After running the fix, test authentication from your VPN or wireless controller. You can also confirm traffic is reaching NPS by checking Event Viewer → Custom Views → Server Roles → Network Policy and Access Services — successful and failed authentication attempts are logged there.
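A rule-level check can complement the authentication test above. The following is an added example, not part of the original fix: it confirms the firewall is still enabled on every profile and reports the service filter, protocol and port each RADIUS rule matches. The report column names are chosen for illustration, and the script assumes an elevated PowerShell session on the NPS server.

```powershell
# Added example: audit the NPS RADIUS firewall rules after applying the fix.
# Read-only; it changes no firewall settings.

# 1. The firewall should still be enabled on every profile.
#    ActiveStore reflects the effective policy, including Group Policy.
$disabled = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' }
if ($disabled) {
    Write-Warning ("Firewall is disabled on profile(s): " + ($disabled.Name -join ', '))
}

# 2. Collect what each RADIUS rule in the NPS group actually matches.
$report = Get-NetFirewallRule -DisplayGroup "Network Policy Server" |
    Where-Object DisplayName -like "*RADIUS*" |
    ForEach-Object {
        $svc  = $_ | Get-NetFirewallServiceFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Enabled     = $_.Enabled
            Direction   = $_.Direction
            Action      = $_.Action
            Protocol    = $port.Protocol
            LocalPort   = $port.LocalPort -join ','
            Service     = $svc.Service
        }
    }

if (-not $report) {
    Write-Warning "No RADIUS rules found in the 'Network Policy Server' group."
}
$report | Format-Table -AutoSize

# 3. Flag any rule still scoped to a service (the state that triggers the bug).
$report | Where-Object { $_.Service -ne 'Any' } | ForEach-Object {
    Write-Warning ("'{0}' is still scoped to service '{1}'" -f $_.DisplayName, $_.Service)
}
```

After the fix, every listed rule should show Service as Any while Protocol, LocalPort, Direction and Action remain as NPS created them.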