Michael McNamara

technology, networking, virtualization and IP telephony

Microsoft Windows Server 2019 NPS Firewall Bug?

by

I do some consulting on the side, helping end-users and resellers with technical hurdles or issues in their environments. It’s been a pretty good side hustle for me over the years and it can be a welcome distraction from the daily grind.

A reseller recently asked me for assistance with an issue they were having setting up 802.1X authentication for their wireless users and devices. In the early Windows 95 days you needed to make sure you had the correct patches and drivers to get the built-in WPA supplicant (Wireless Zero Configuration) to work properly but these days this solution is pretty well documented across the net and most client devices work right out of the box.

I had assumed that the problem would be something simple but after 2 hours of troubleshooting I too was stumped by a little but apparently well known issue on Windows Server 2019 with NPS (Network Policy Server) which replaced IAS (Internet Authentication Service) starting back in Windows Server 2008. Apparently the default firewall rules added during the NPS server role installation don’t work!

It turns out that this bug goes all the way back to November of 2018. I found a post written by Richard M. Hicks titled, Always On VPN and Windows Server 2019 NPS Bug. That’s just crazy… that’s more than two years ago and apparently Microsoft still hasn’t decided to correct the issue.

Here’s a tip for all those budding network or system administrators trying to troubleshoot 802.1X wireless authentication requests. Whether you are using Microsoft’s NPS or HPE/Aruba ClearPass or Cisco Identity Services Engine (ISE). I find having a tool to generate some RADIUS authentication requests to validate that your RADIUS server is responding and working properly is invaluable. I personally like NTRadPing as it’s easy to use, just drop it in a folder and launch it on a Windows desktop or laptop. Occasionally you might need to hack the RADIUS dictionary file (raddict.dat) that accompanies the application but that’s pretty easy as well.

Have you got any stories to share?

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL