Windows 2019 Server has a bug which can prevent Network Policy Server (NPS) from working properly.

With the NPS role installed, the default inbound Windows firewall rules for ports 1812 and 1813 will be open and appear working, however connections will fail; turning on Windows Firewall logging for dropped packets on the NPS server will show traffic for those ports being dropped.

This may impact standalone implementations of NPS, or implementation of Always on VPN where NPS is a component of the solution.

There appears to be an issue with the IAS service SID, which can be resolved by typing from an admin command prompt on the NPS server:

sc sidtype IAS unrestricted

And rebooting the server after the command has run.

First seen from Richard Hicks website (https://directaccess.richardhicks.com/) and has proved a useful piece of info in recent NPS implementations.