Windows Server 2019 and RADIUS

updated #security, #firewall

First of all, happy new year :) Today we will have a quick look at Windows Server 2019, more specifically the Network Policy Server role.

Background

I was recently asked to help with an enterprise WiFi deployment and decided to use a RADIUS server for authentication purposes. I went on to deploy a new Windows 2019 VM and installed the NPS role. After adding the RADIUS client and configuring the required policies, I added the NPS server’s IP address to the WiFi controller and tried to authenticate. A simple task generally, but this time it did not work.

Troubleshooting

The RADIUS server was located behind a NAT device, so my first guess was that I had misconfigured a policy or mistyped an address. I double-checked the configuration and, as it looked ok, started to scratch my head. To better understand what was going on, I installed Wireshark on the NPS machine and saw packets arriving from the WiFi controller quite happily. But packets were only incoming; I could not find a single response coming from NPS. The Security event log on the VM, where you would typically find NPS logs, had no events related to NPS. So basically NPS was not responding to RADIUS messages at all.

Solution

After a quick Google search for “Windows 2019 NPS” I found an entry in the TechNet Forums (link below) where someone explained that the Windows Firewall had to be configured to allow RADIUS (udp/1812, udp/1813) traffic even though such a rule already existed. Sure enough, after adding the firewall rule, authentication worked.

DHCP Relay (update)

So today, half a year later, I had a very similar problem with DHCP relay. The Windows 2019 DHCP Server would receive DHCP requests from a relay agent but it would never respond to them. I configured the local firewall to allow traffic on UDP ports 67 and 69 and voilà, DHCP started working.
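The same check-then-allow routine for both cases above (the NPS rule and the DHCP relay rule), as an added PowerShell example that is not from the original post: it confirms the service is listening, turns on logging of dropped packets so a silent firewall drop becomes visible, and adds inbound rules scoped to the RADIUS client and relay agent addresses. The addresses, rule names and the 'Network Policy Server' display group are assumptions for this example.

```powershell
# Added example, not part of the original post. Run elevated on the NPS/DHCP server.
# Placeholder addresses: use the source address as NPS sees it (post-NAT).
$RadiusClient = '192.0.2.10'   # the WiFi controller (constructed placeholder)
$RelayAgent   = '192.0.2.20'   # the DHCP relay agent (constructed placeholder)

# 1. Is the service actually bound to the port? If nothing is listening,
#    the firewall is not the problem and no rule will help.
Get-NetUDPEndpoint -LocalPort 1812,1813,67 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Show the built-in rules that should already cover RADIUS
#    (display group name assumed to be 'Network Policy Server').
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

# 3. Log dropped packets so the drop shows up as a DROP UDP line for the port in
#    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log instead of vanishing.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 4. Explicit inbound RADIUS rules, limited to the known client.
New-NetFirewallRule -DisplayName 'RADIUS auth (UDP 1812) from WLC' -Direction Inbound `
    -Protocol UDP -LocalPort 1812 -RemoteAddress $RadiusClient -Action Allow
New-NetFirewallRule -DisplayName 'RADIUS acct (UDP 1813) from WLC' -Direction Inbound `
    -Protocol UDP -LocalPort 1813 -RemoteAddress $RadiusClient -Action Allow

# 5. Same pattern for DHCP relay. The DHCP server service listens on UDP 67
#    (UDP 68 is the client side), so 67 is the port the relay traffic arrives on.
New-NetFirewallRule -DisplayName 'DHCP server (UDP 67) from relay' -Direction Inbound `
    -Protocol UDP -LocalPort 67 -RemoteAddress $RelayAgent -Action Allow
```

If step 1 shows the listener and step 3 logs DROP lines for the port before the new rules exist, the firewall was the cause; if no DROP lines appear, look at routing or the NAT device instead.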