We need to migrate RADIUS server supporting Cisco VPN server from old FreeBSD server to a new server running Windows Server 2012. I've set up and configured Network Policy Server to support Cisco VPN server as a RADIUS client. Now AD domain users can authenticate successfully and establish VPN connection.
However, to finish migration, we need to transfer 130 or so old user accounts to the new RADIUS server. I don't want to create them in AD. I'd like to store them in local Windows user database. However, if I add local user groups to the network policy allowing to authenticate against RADIUS server, VPN connections with those credentials could not be established. NPS simply does not apply the policy to the local user (in the log I can see that the last policy checked is "Connections to other access servers" which is the last in the policy list).
How could I force NPS to authenticate users against the local user database as well?