In my previous blog, I detailed the process of how a Network Policy Server (NPS) is used to integrate with an Azure VPN gateway using RADIUS to provide Multi-Factor Authentication (Azure MFA) for point-to-site connections to your Azure environment.
This is a follow-up to that post with some additional troubleshooting for the NPS configuration.
Firewall
Network Policy Server – RADIUS has 4 default ports:-
RADIUS Authentication: 1812, 1645
RADIUS Accounting: 1813, 1646
These default ports are added to the local Windows Firewall when the role is installed. If you do need to change these ports in your Network Policy Server configuration, remember to update the local Windows Firewall and any additional outside firewall configurations (including the NSG or firewall in front of the NPS server), otherwise the Azure VPN gateway will never reach NPS.
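As an added example (not from the original post), the following PowerShell checks, on the NPS server itself, that the NPS service is running, that something is actually bound to the four default RADIUS UDP ports, and which inbound Windows Firewall rules allow them. It assumes the NPS role is installed locally and that the default ports have not been changed; adjust the port table if they have.

```powershell
# Added example, not part of the original post.
# Verifies the default NPS RADIUS ports on the local server.
# Assumption: NPS role installed locally, default ports in use.

$radiusPorts = @{
    'RADIUS Authentication' = @(1812, 1645)
    'RADIUS Accounting'     = @(1813, 1646)
}
$allPorts = @('1812', '1645', '1813', '1646')   # as strings, to match firewall LocalPort values

# 1. The NPS service is registered under its legacy name, IAS
Get-Service -Name IAS | Select-Object Name, Status, StartType

# 2. RADIUS is UDP: confirm each port has a listener and which process owns it
foreach ($role in $radiusPorts.Keys) {
    foreach ($port in $radiusPorts[$role]) {
        $endpoint = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
        $listener = if ($endpoint) {
            (Get-Process -Id ($endpoint | Select-Object -First 1).OwningProcess).ProcessName
        } else {
            'NOT LISTENING'
        }
        [pscustomobject]@{ Role = $role; Port = $port; Listener = $listener }
    }
}

# 3. Inbound firewall rules whose UDP port filter covers any of the RADIUS ports.
#    A rule that exists but shows Enabled=False or Action=Block is the thing to fix.
Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { @($_.LocalPort) | Where-Object { $_ -in $allPorts } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Action, Profile
```

Run it in an elevated PowerShell session. If step 2 shows a listener but step 3 shows no enabled Allow rule (or you changed the ports and see nothing at all), the local firewall is dropping the gateway's Access-Request packets before NPS ever sees them.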
NPS Extension
Usually a straightforward process, providing you are using the correct Azure AD credentials and tenant ID. Microsoft publish a handy troubleshooting blog to assist you further if you encounter a more troublesome issue.
Troubleshooting after installation of NPS Configuration
If you followed my first NPS blog and are having issues getting a successful VPN connection using Azure MFA, here are some troubleshooting steps to potentially assist you:-
Eventviewer on NPS Server
Has the Azure AD user successfully tested their authentication? If not, it is time to review some logs via Eventviewer.
Eventviewer on NPS Server, locations below:-
Custom Views -> Server Roles -> Network Policy and Access Services
Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthZ
Windows Logs -> Applications and Services Logs -> Microsoft -> AzureMfa -> AuthN
Eventviewer:- Some errors decoded
Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”
Resolution:- Reinstall the Azure MFA NPS extension; this is potentially caused by an incorrect Tenant ID entered during installation
Error: “An Access-Request message was received from RADIUS client 10.0.1.4 with a Message-Authenticator attribute that is not valid.”
Resolution:- Confirm the Azure Virtual Network Gateway is configured with the same RADIUS shared secret (password) as the RADIUS client entry on the NPS server
Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser@tamops.test with response state AccessReject, ignoring request.”
Resolution:- Ensure the user's permissions in the domain Active Directory are correct; review Dial-in -> Network Access Permission within the user properties of the affected Active Directory user
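To save clicking through Eventviewer, here is an added PowerShell example (not part of the original post) that pulls the last 24 hours of events from the AzureMfa AuthZ/AuthN logs and the System log, matches them against the three error messages decoded above, and prints the matching resolution. It then lists NPS access-denied audits (Security log event 6273, an NPS audit event) and any AD users whose Dial-in tab is set to explicit deny, which is the cause behind the third error. It assumes the RSAT ActiveDirectory module is available on the NPS server; the error strings are taken from the post, the resolution text is my summary of it.

```powershell
# Added example, not part of the original post.
# Assumptions: run on the NPS server, elevated; ActiveDirectory module installed.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)

# Error text quoted in the post, mapped to the resolution the post gives.
# Patterns are -like wildcards so minor wording differences still match.
$knownErrors = @(
    @{ Match      = 'NPS extension dynamic link library (DLL)*rejected the connection request'
       Resolution = 'Reinstall the Azure MFA NPS extension and check the Tenant ID' },
    @{ Match      = 'Message-Authenticator attribute that is not valid'
       Resolution = 'RADIUS shared secret on the VPN gateway does not match the NPS RADIUS client' },
    @{ Match      = 'only performs Secondary Auth for Radius requests in AccessAccept State'
       Resolution = 'Primary auth failed: check the user''s Dial-in > Network Access Permission in AD' }
)

# 1. Collect events from every Microsoft-AzureMfa-* log plus System (NPS writes there too)
$logNames = @((Get-WinEvent -ListLog 'Microsoft-AzureMfa*' -ErrorAction SilentlyContinue).LogName) + 'System'
$events = foreach ($log in $logNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
}

# 2. Decode the ones we recognise
$decoded = foreach ($evt in $events) {
    foreach ($known in $knownErrors) {
        if ($evt.Message -like "*$($known.Match)*") {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                Log        = $evt.LogName
                EventId    = $evt.Id
                Resolution = $known.Resolution
            }
        }
    }
}
$decoded | Sort-Object Time | Format-Table -AutoSize

# 3. NPS "denied access" audits: who was refused and the reason NPS recorded
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{
        Name       = 'Detail'
        Expression = { (($_.Message -split "`r?`n") |
                        Where-Object { $_ -match 'Account Name:|Reason Code:|Reason:' } |
                        ForEach-Object { $_.Trim() }) -join ' | ' }
    } | Format-Table -Wrap

# 4. Users with an explicit "Deny access" on the Dial-in tab.
#    msNPAllowDialin: $true = Allow, $false = Deny, not set = Control access through NPS policy.
Get-ADUser -Filter 'msNPAllowDialin -eq $false' -Properties msNPAllowDialin |
    Select-Object SamAccountName, UserPrincipalName, msNPAllowDialin
```

Section 4 is the quick way to find the "handful of users" pattern: if only some accounts fail primary authentication and everyone else gets through to the MFA prompt, the explicit deny on those accounts is almost always the reason. Clearing it back to "Control access through NPS Network Policy" (msNPAllowDialin not set) lets your NPS network policy decide instead.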
“…review Dial-> Network Access Permission within the user properties…”
Life saver! First page of Google search results and this seems to be the only page with this solution. The majority of users were getting through, a handful reporting getting denied login. For this error, Microsoft only says to check firewall rules and ensure the user is licensed. Pffft.
Awesome Satsun, glad the blog helped!
I do want to clarify that your instructions were clearer than Microsoft’s, since they do mention the Dial-in tab, but for those of us not familiar with it (it’s generally missing), I’d have not known it was in Active Directory user properties if it wasn’t spelled-out to me. 😀
Has anyone noticed the limitation that you can’t use CHAP and SMS authentication together? Seems like a step backwards forcing everyone to use PAP if they want SMS.
Yeah, so far it has been great though with any teams I know that use this type of setup
Thanks, dial-in tab was the problem. Some random users had “access denied” set.
Great news Joe, glad the post assisted 🙂