So I realize that this is a Windows NPS issue, but has anyone seen this?
On the Network Policy, when I remove the condition that the user in the incoming request has to be a member of a certain user group, the policy works.
But when I specifiy the user group in the conditions, the policy is not hit.
I've checked that the user is a member of the group.
And the windows event log shows that the incoming request has the proper user name.
Puzzling....