2008R2 - Network Policy Server Bug


  • I'm setting up a Network Policy Server on Server 2008R2 for an SSL VPN on a FortiGate firewall. I just installed the role, added the RADIUS client and added a new network policy called "VPN Users" as the 1st policy. At this point, I'm unable to connect unless I disable the two policies that are created by default. I don't understand why I have to do this when the VPN Users policy is #1 on the list. It appears that the NPS checks all policies and is not just going down the list until one is matched (as it states in Microsoft's documentation). Is this a bug? I'd like it if someone can explain how this works for me.

    Tuesday, September 10, 2013 5:38 PM

All replies

  • Hi,

    That’s not a bug but by design.

    A default connection request policy is created when you install NPS. The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy. However, at least one connection request policy must be running on your NPS server for it to authenticate and authorize connection requests from RADIUS clients.

    Quote from:

    NPS: Network Policy Server (NPS) should have at least one connection request policy enabled

    More information:

    Verify NPS Configuration

    Hope this helps.

    Alex Lv

    • Proposed as answer by Meinolf Weber Monday, September 16, 2013 12:28 PM
    Wednesday, September 11, 2013 9:56 AM
  • I have the default connection request policy in place.  It hasn't been changed.  My issue is not with the connection request policy but the Network Policy.  Please see the pictures above.  The Network Policy doesn't seem to be processing correctly.  It doesn't start on policy 1 and then move its way up, looking for a policy that matches.  It seems to be working in a way that it needs to match all policies.
    Monday, September 16, 2013 3:29 PM
  • Hi,

    Please notice the "Access Type": if the client network action accords with the two default policies and the two default policies are enabled, it will do the action "Deny Access".

    Alex Lv

    Tuesday, September 17, 2013 7:15 AM

  • Hi,

    I would like to check if you need further assistance.


    Alex Lv

    Monday, September 23, 2013 7:53 AM