Always On VPN and Windows Server 2019 NPS Bug

When deploying a Windows Server 2019 Network Policy Server (NPS) to support a Windows 10 Always On VPN implementation, administrators may encounter the following error when attempting to establish a VPN connection on a remote Windows 10 client.

Can’t connect to [connection name].

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Always On VPN and Windows Server 2019 Network Policy Server Bug
In addition, an event ID 20227 from the RasClient will be recorded in the application event log with the following error message.

The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 812.

Always On VPN and Windows Server 2019 Network Policy Server Bug

Common Causes

Always On VPN error code 812 indicates an authentication policy mismatch between the client and the server. This often occurs when, for example, the server is configured to use Protected Extensible Authentication Protocol (PEAP), but the client is configured to use Microsoft CHAP Version 2 (MS-CHAP v2).

Troubleshooting

Carefully review the authentication policy on both the client and server to ensure they match. Next, enable firewall logging on the NPS server to log both allowed and dropped packets. Attempt another VPN connection and observe the firewall logs. In this example the firewall is dropping packets inbound on UDP port 1812.

Always On VPN and Windows Server 2019 Network Policy Server Bug

Interestingly, the default Windows firewall rule allowing inbound UDP port 1812 is enabled and set to allow for all profiles.

Always On VPN and Windows Server 2019 Network Policy Server Bug

Windows Server 2019 Bug

It appears that Microsoft’s recently released Windows Server 2019 has a bug that prevents NPS from working correctly out of the box. Specifically, it appears the default Windows firewall rules to allow inbound UDP port 1812 (RADIUS authentication) and inbound UDP port 1813 (RADIUS accounting) do not work. As a workaround the administrator can create new firewall rules to allow inbound UDP port 1812 and 1813 and restore NPS operation using the following PowerShell commands.

New-NetFirewallRule -Name “NPS-UDP-1812-In” -DisplayName “Network Policy Server (RADIUS Authentication – UDP-in)” -Description “Inbound rule to allow Network Policy Server to receive RADIUS authentication requests on UDP port 1812” -Group “Network Policy Server” -Protocol UDP -LocalPort 1812 -Direction Inbound -Profile Any -Action Allow -Enabled True

New-NetFirewallRule -Name “NPS-UDP-1813-In” -DisplayName “Network Policy Server (RADIUS Accounting – UDP-in)” -Description “Inbound rule to allow Network Policy Server to receive RADIUS accounting requests on UDP port 1813” -Group “Network Policy Server” -Protocol UDP -LocalPort 1813 -Direction Inbound -Profile Any -Action Allow -Enabled True

%d bloggers like this: