NPS Server Configuration To Integrate with Azure MFA:- Part2 (Troubleshooting)

In my previous blog, I detailed the process of how a Network Policy Server (NPS) is used to integrate with an Azure VPN gateway using RADIUS to provide Multi-Factor Authentication (Azure MFA) for point-to-site connections to your Azure environment.

This is a follow-up to that, some additional troubleshooting for the NPS configuration.


Network Policy Server – RADIUS has 4 default ports:-

RADIUS Authentication: 1812, 1645

RADIUS Accounting: 1813, 1646

These default ports are added to the local Windows Firewall, if you do need to change these ports in your Network Policy Server configuration remember to update local Windows Firewall and any additional outside firewall configurations.

NPS Extension

Usually a straightforward process, providing you are using the correct Azure AD Credentials and tenant ID, a handy blog by Microsoft to assist you further if you encounter a more troublesome issue

Troubleshooting after installation of NPS Configuration

If you followed by first NPS blog and have some issues with a successful VPN connection using Azure MFA, here is some troubleshooting steps to potential assist you:-

Eventviewer on NPS Server

Confirm the Azure AD user successfully tested their authentication? Time to review some logs via Eventviewer.

Eventviewer on NPS Server, locations below:-

Custom Views -> Server Roles -> Network Policy and Access Services

Windows Logs -> Applications and Service Logs -> Microsoft -> AzureMfa -> AuthZ

Windows Logs -> Applications and Service Logs -> Microsoft -> AzureMfa -> AuthN

Eventviewer:- Some errors decoded

Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”

Resolution:- Reinstall Azure MFA extension, potentially caused by incorrect TenantID entered during installation

Error: “An Access-Request message was received from RADIUS client with a Message-Authenticator attribute that is not valid.”

Resolution:- Confirm Azure Virtual Network Gateway has the same RADIUS Password used as the NPS Radius Clients

Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser@tamops.test with response state AccessReject, ignoring request.”

Resolution:- Ensure user permissions on domain Active Directory are correct, review Dial-> Network Access Permission within the user properties of the required Active Directory

1 thought on “NPS Server Configuration To Integrate with Azure MFA:- Part2 (Troubleshooting)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: