NPS Server Configuration To Integrate with Azure MFA:- Part2 (Troubleshooting)

In my previous blog, I detailed the process of how a Network Policy Server (NPS) is used to integrate with an Azure VPN gateway using RADIUS to provide Multi-Factor Authentication (Azure MFA) for point-to-site connections to your Azure environment.

This is a follow-up to that, some additional troubleshooting for the NPS configuration.

Firewall

Network Policy Server – RADIUS has 4 default ports:-

RADIUS Authentication: 1812, 1645

RADIUS Accounting: 1813, 1646

These default ports are added to the local Windows Firewall, if you do need to change these ports in your Network Policy Server configuration remember to update local Windows Firewall and any additional outside firewall configurations.

NPS Extension

Usually a straightforward process, providing you are using the correct Azure AD Credentials and tenant ID, a handy blog by Microsoft to assist you further if you encounter a more troublesome issue

Troubleshooting after installation of NPS Configuration

If you followed by first NPS blog and have some issues with a successful VPN connection using Azure MFA, here is some troubleshooting steps to potential assist you:-

Eventviewer on NPS Server

Confirm the Azure AD user successfully tested their authentication? Time to review some logs via Eventviewer.

Eventviewer on NPS Server, locations below:-

Custom Views -> Server Roles -> Network Policy and Access Services

Windows Logs -> Applications and Service Logs -> Microsoft -> AzureMfa -> AuthZ

Windows Logs -> Applications and Service Logs -> Microsoft -> AzureMfa -> AuthN

Eventviewer:- Some errors decoded

Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”

Resolution:- Reinstall Azure MFA extension, potentially caused by incorrect TenantID entered during installation

Error: “An Access-Request message was received from RADIUS client 10.0.1.4 with a Message-Authenticator attribute that is not valid.”

Resolution:- Confirm Azure Virtual Network Gateway has the same RADIUS Password used as the NPS Radius Clients

Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser@tamops.test with response state AccessReject, ignoring request.”

Resolution:- Ensure user permissions on domain Active Directory are correct, review Dial-> Network Access Permission within the user properties of the required Active Directory

6 thoughts on “NPS Server Configuration To Integrate with Azure MFA:- Part2 (Troubleshooting)

  1. “…review Dial-> Network Access Permission within the user properties…”
    Life saver! First page of Google search results and this seems to be the only page with this solution. Majority of users were getting through, a handful reporting getting denied login. For this error, Microsoft only says to check firewall rules and ensure user is licensed. Pffft.

  2. I do want to clarify that your instructions were clearer than Microsoft’s, since they do mention the Dial-in tab, but for those of us not familiar with it (it’s generally missing), I’d have not known it was in Active Directory user properties if it wasn’t spelled-out to me. 😀

  3. Has anyone noticed the limitation that you can’t use CHAP and SMS authentication together? Seems like a step backwards forcing everyone to use PAP if they want SMS.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: