In my previous blog, I detailed the process of how a Network Policy Server (NPS) is used to integrate with an Azure VPN gateway using RADIUS to provide Multi-Factor Authentication (Azure MFA) for point-to-site connections to your Azure environment.
This is a follow-up to that post, covering some additional troubleshooting for the NPS configuration.
Network Policy Server – RADIUS has 4 default ports:-
RADIUS Authentication: 1812, 1645
RADIUS Accounting: 1813, 1646
These default ports are added to the local Windows Firewall automatically. If you do need to change them in your Network Policy Server configuration, remember to update the local Windows Firewall rules and any additional external firewall configurations as well.
The installation is usually a straightforward process, providing you are using the correct Azure AD credentials and tenant ID. Microsoft also has a handy blog to assist you further if you encounter a more troublesome issue.
Troubleshooting after installation of NPS Configuration
If you followed my first NPS blog and are having issues establishing a successful VPN connection using Azure MFA, here are some troubleshooting steps that may assist you:-
Eventviewer on NPS Server
Has the Azure AD user successfully tested their authentication? If not, it is time to review some logs via Event Viewer.
Eventviewer on NPS Server, locations below:-
Custom Views -> Server Roles -> Network Policy and Access Services
Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthZ
Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthN
Eventviewer:- Some errors decoded
Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”
Resolution:- Reinstall the Azure MFA extension. This error is potentially caused by an incorrect Tenant ID having been entered during installation.
Error: “An Access-Request message was received from RADIUS client 10.0.1.4 with a Message-Authenticator attribute that is not valid.”
Resolution:- Confirm the Azure Virtual Network Gateway is configured with the same RADIUS password (shared secret) as the corresponding entry under RADIUS Clients on the NPS server.
Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User firstname.lastname@example.org with response state AccessReject, ignoring request.”
Resolution:- Ensure the user's permissions in the domain's Active Directory are correct. Review Dial-in -> Network Access Permission within the properties of the required Active Directory user.
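To show why the Message-Authenticator error above points at a mismatched RADIUS password, here is an added Python example (not code from the original post, from NPS or from Azure) that builds an Access-Request and verifies its Message-Authenticator the way RFC 2869 defines it: HMAC-MD5 keyed with the shared secret, computed over the packet with the attribute value zeroed. The shared secret and Request Authenticator are constructed sample values.

```python
import hmac
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Encode an Access-Request and sign it with a Message-Authenticator.

    attributes: list of (type, value_bytes). The HMAC-MD5 is computed over the
    whole packet with the Message-Authenticator value set to 16 zero octets.
    """
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet, secret):
    """Return True only if the Message-Authenticator matches the shared secret.

    A different secret on the gateway and on the NPS RADIUS client entry makes
    this check fail, which is what the NPS event above reports.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = 20
    while offset + 2 <= len(packet):
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > len(packet):
            return False  # malformed attribute: reject the whole packet
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += alen
    return False  # attribute absent: treat the request as unverified


# Constructed sample values (not from the post): a fixed Request Authenticator
# and a shared secret standing in for the gateway's RADIUS password.
GATEWAY_SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_access_request(
    7, REQUEST_AUTH, [(ATTR_USER_NAME, b"firstname.lastname@example.org")], GATEWAY_SECRET
)
```

Running the check with the correct secret returns True; with a different secret, or after any byte of the packet is altered, it returns False.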