In this post, we will cover the steps on how to configure Network Policy Server to allow VPN users to connect to the VPN server running on Windows Server 2019.

This is the third part of a four-part series on Install and Configure VPN with Remote Access Service in the Windows Server 2019.  We will create an NPS policy to allow only specific users to connect to the VPN server based on some specific conditions.

Understanding VPN Test Lab:

  • WS2K19-DC01: Domain Controller and DNS server.
  • WS2K19-VPN01: Remote Access Server with NPS role.
  • WS10-CLI01: Windows 10 Client Machine.

Create Active Directory Users and Groups:

1. On Domain Controller, Open Active Directory Users and Computers snap-ins.

1. Open Active Directory Users and Computers Console

2. Do as instructed below:

  • Create two AD users name Test User1 and Test User2.
  • Create a security group name:  TestUsers.
2. Create AD Users and Security Groups

3. Add both users to the security group.

3. Add AD Users to the Security Group

4. Check both users dial-in permission. Make sure Control access through NPS Network Policy is selected.

4. Check Dial-in Permission

Configure Network Policy Server:

We need to create an NPS policy to allow only specific users to connect to the VPN server based on specific conditions which we can define in the policy. We can configure NPS server from Network Policy Server management console.

5. On the VPN server, open server manager console.

6. Click on Tools and select Network Policy Server.

5. Open Network Policy Server Console

7. On NPS management console, expand Policies.

6. Expand NPS Policies

8. Expand and right-click on Network Policies and select New.

7. Create a New Network Policy

9. Specify a meaningful name to the policy.

8. Specify Name to New NPS Network Policy

10. Select Remote Access Server from the drop-down list as a type of Network Access Server. Click Next.   

9. Choose Remote Access Server From the Drop-down List

11. Click on Add to add the condition.

10. Click Add to Specify Conditions

12. Select Windows Groups and click on Add.

11. Select Windows Group and Click Add

13. Add the security group TestUsers as a condition. Click on Next.

12. Choose Security Group and Click Next

14. Make sure the Access granted radio button is selected. Click Next.

13. Select Access Granted if Condition Match

15. On the configure authentication methods page, click on Add.

16. Select Microsoft: Secure password (EAP-MS-CHAP v2) and click OK.

14. Select EAP-MS-CHAPv2 Protocol

17. Clear the check-box for MS-CHAP and click Next.

15. Clear MS-CHAP Check Box and Click Next

18. Click Next.

16. Click Next

19. Click Next on configure settings page.

17. Click Next on Configure Settings

20. Click on Finish to create NPS policy and close the console.

18. Click on Finish to Close the Wizard

21. Verify that the policy is at the top of the list in the NPS management console.

19. Verify The New Policy Should be Top of the List

That’s it. We have successfully Configure Network Policy Server (NPS) for VPN in Windows Server 2019

In the next post, we will configure port forwarding on the router to allow required ports for VPN service. We will also set up a VPN connection on Windows 10 to test VPN connectivity.