A common cause of Microsoft RADIUS (NPS) user authentication failures is a small but easily overlooked setting in each user's Active Directory profile. While logged in as a Domain Admin, open the user's properties in Active Directory Users and Computers and select the Dial-in tab. The first section is named “Network Access Permission.” To allow the user to authenticate through Microsoft RADIUS/NPS, select the “Allow access” option and click “OK” to save the change. Then either wait for the change to replicate to all domain controllers or force replication with the repadmin command. For a screenshot of the Dial-in tab and related items, see the following Microsoft Networking Blog article. This setting applies to all RADIUS clients, including Wi-Fi and VPN users.
- Creating a secure 802.1x wireless infrastructure using Microsoft Windows (blogs.technet.com)
While it may be possible to configure your NPS policies to ignore this setting, in practice it is safer and more reliable to set every Wi-Fi/VPN user to “Allow access” on the Active Directory Dial-in tab; the NPS policies will still enforce the other restrictions (permitted domain groups, etc.).
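The following PowerShell script is an added example, not part of the original post, that audits the Dial-in setting for every member of a Wi-Fi/VPN group and optionally sets it to “Allow access” and pushes replication with repadmin. It assumes the RSAT ActiveDirectory module is available, and the group name VPN-Users is a placeholder; msNPAllowDialin is the LDAP attribute behind the tab's “Network Access Permission” radio buttons.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed and that Wi-Fi/VPN users are members of one AD group.
param(
    [string]$GroupName = 'VPN-Users',   # placeholder: your Wi-Fi/VPN group
    [switch]$Fix                        # without -Fix the script only reports
)
Import-Module ActiveDirectory

# msNPAllowDialin maps to the Dial-in tab's "Network Access Permission":
#   $true    = Allow access
#   $false   = Deny access
#   not set  = Control access through NPS Network Policy
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties msNPAllowDialin

$report = foreach ($u in $members) {
    if ($u.msNPAllowDialin -eq $true)      { $state = 'Allow access' }
    elseif ($u.msNPAllowDialin -eq $false) { $state = 'Deny access' }
    else                                   { $state = 'Control via NPS policy (not set)' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DialIn         = $state
        NeedsChange    = ($u.msNPAllowDialin -ne $true)
    }
}
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in ($report | Where-Object { $_.NeedsChange })) {
        # Explicitly set "Allow access" rather than leaving the attribute
        # unset, as the post recommends.
        Set-ADUser -Identity $r.SamAccountName -Replace @{ msNPAllowDialin = $true }
        Write-Host "Set Allow access for $($r.SamAccountName)"
    }
    # Push the change to every domain controller (all partitions, enterprise-wide)
    # instead of waiting for the normal replication interval.
    repadmin /syncall /AdeP
}
```

Run it once without -Fix to see which accounts would change, then with -Fix from an elevated session running as a Domain Admin.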