NPS Server Configuration To Integrate with Azure MFA:- Part2 (Troubleshooting)

In my previous blog I described how a Network Policy Server (NPS) integrates with an Azure VPN gateway over RADIUS to provide Azure Multi-Factor Authentication (Azure MFA) for point-to-site connections into your Azure environment.

This is a follow-up to that post with some additional troubleshooting for the NPS configuration.

Firewall

Network Policy Server – RADIUS uses four default UDP ports:-

RADIUS Authentication: 1812, 1645

RADIUS Accounting: 1813, 1646

Installing the NPS role adds inbound Windows Firewall rules for these default ports. If you change the ports in the NPS configuration, remember to update the local Windows Firewall rules as well as any firewall in the path between the Azure VPN gateway and the NPS server (for example an NSG or an on-premises firewall), otherwise the gateway's RADIUS requests will be dropped silently and the user simply sees an authentication failure.
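As an added example (not from the original post), the following PowerShell audits the inbound firewall rules for the RADIUS ports on the NPS server, adds explicit UDP rules scoped to the RADIUS client address if none exist, and checks that the NPS service (service name IAS) is the process bound to those UDP ports. The rule names and the client address 10.0.1.4 (taken from the event text later in this post) are assumptions; substitute the address(es) your Azure VPN gateway sends RADIUS from. One caveat worth knowing: on Windows Server 2019 the predefined "Network Policy Server" rules do not match NPS traffic until the service SID is made unrestricted with `sc.exe sidtype IAS unrestricted` followed by a restart of the IAS service.

```powershell
# Added example (not from the original post): audit the inbound firewall rules
# for the RADIUS ports NPS uses, add explicit UDP rules scoped to the RADIUS
# client if they are missing, and confirm NPS is actually listening.
# Run in an elevated PowerShell session on the NPS server.

# Assumed: the RADIUS client address, taken from the event text in this post.
# Replace with the address(es) the Azure VPN gateway sends RADIUS from.
$RadiusClientAddresses = @('10.0.1.4')

$radiusPorts = [ordered]@{
    'RADIUS Authentication' = @(1812, 1645)
    'RADIUS Accounting'     = @(1813, 1646)
}

# The NPS role installs predefined rules under the "Network Policy Server"
# group; list them first so a disabled or wrong-profile rule is obvious.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize

# Add one explicit inbound UDP rule per RADIUS function, scoped to the RADIUS
# client addresses rather than "Any". The rule names are assumed, not Microsoft's.
foreach ($function in $radiusPorts.Keys) {
    $ports    = $radiusPorts[$function]
    $ruleName = "NPS $function (UDP $($ports -join ','))"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol UDP -LocalPort $ports `
            -RemoteAddress $RadiusClientAddresses `
            -Profile Domain, Private -Action Allow | Out-Null
        Write-Output "Created rule '$ruleName'"
    }
}

# If you change the ports in the NPS console, re-run this with the new values.
# Finally, confirm the NPS service (IAS) owns the UDP sockets. On Windows Server
# 2019 the predefined rules do not match NPS traffic unless the service SID is
# unrestricted:  sc.exe sidtype IAS unrestricted  (then restart the IAS service).
$iasPid = (Get-CimInstance Win32_Service -Filter "Name='IAS'").ProcessId
Get-NetUDPEndpoint -LocalPort 1812, 1645, 1813, 1646 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'OwnedByNPS'; e = { $_.OwningProcess -eq $iasPid } }
```

A port with no endpoint listed, or one whose OwnedByNPS column is False, means the problem is on the NPS server itself rather than in the firewall path.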

NPS Extension

Installing the NPS extension is usually a straightforward process, provided you supply the correct Azure AD credentials and tenant ID when the configuration script prompts for them. Microsoft publishes a handy troubleshooting blog to assist you further if you run into a more troublesome issue.

Troubleshooting after installation of NPS Configuration

If you followed my first NPS blog and are having problems establishing a VPN connection using Azure MFA, here are some troubleshooting steps that may help:-

Eventviewer on NPS Server

First confirm that the Azure AD user has successfully tested their MFA method. If they have, it is time to review some logs in Event Viewer.

Event Viewer on the NPS server, log locations below:-

Custom Views -> Server Roles -> Network Policy and Access Services

Applications and Services Logs -> Microsoft -> AzureMfa -> AuthZ

Applications and Services Logs -> Microsoft -> AzureMfa -> AuthN

(Applications and Services Logs sits alongside Windows Logs in the Event Viewer tree, not beneath it. The NPS authentication results themselves are written to the Security log as events 6272 (access granted), 6273 (access denied) and 6274 (request discarded); the custom view above is a filter over those.)
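As an added example (not from the original post), this PowerShell pulls the latest events from the log locations above in one pass, so a failed VPN logon can be followed from the first factor (NPS, Security log) to the second factor (the extension's AuthZ and AuthN channels) without clicking through Event Viewer. The event data field names are those NPS writes into events 6272/6273/6274, and the reason-code descriptions are from the NPS reason-code list; the extension's channels are enumerated with a wildcard rather than hard-coded.

```powershell
# Added example (not from the original post): pull the latest NPS and Azure MFA
# extension events from the log locations above in one pass. Run elevated on
# the NPS server.
param([int]$Last = 20)

# NPS writes authentication results to the Security log:
#   6272 = access granted, 6273 = access denied, 6274 = request discarded.
# Reason codes worth recognising in this scenario (NPS reason-code list):
$reasonText = @{
    16 = 'Credential mismatch (bad password, or UPN vs sAMAccountName format)'
    48 = 'No network policy matched the request'
    65 = 'Network Access Permission on the AD account is Deny access'
    66 = 'AD account is disabled'
}

# Friendly view of the NPS events: who, from which RADIUS client, which policy, why.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } `
             -MaxEvents $Last -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = if ($data['ReasonCode']) { [int]$data['ReasonCode'] } else { -1 }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $_.Id
            User   = $data['FullyQualifiedSubjectUserName']
            Client = $data['ClientIPAddress']
            Policy = $data['NetworkPolicyName']
            Reason = if ($reasonText.ContainsKey($code)) { $reasonText[$code] }
                     elseif ($data['Reason']) { $data['Reason'] } else { '' }
        }
    } | Format-Table -AutoSize

# The extension's own channels (AuthZ: whether and how the user is challenged;
# AuthN: the MFA call itself). Enumerate them rather than hard-coding names.
Get-WinEvent -ListLog 'Microsoft-AzureMfa-*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $log = $_.LogName
        Get-WinEvent -LogName $log -MaxEvents $Last -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, @{ n = 'Channel'; e = { $log } }, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    } | Format-Table -AutoSize -Wrap
```

Read the two tables together: a 6273 in the first table with no matching entry in the AuthZ channel means NPS rejected the first factor and the extension never ran, which is exactly the "AccessReject, ignoring request" situation described further down.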

Event Viewer:- some errors decoded

Error: “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”

Resolution:- Re-run the extension's configuration script (or reinstall the extension); this is often caused by an incorrect tenant ID being entered during installation. The other common cause is a user who is not yet enrolled for Azure MFA while the extension's REQUIRE_USER_MATCH setting is TRUE (the default). Leave that setting at TRUE in production, since FALSE lets un-enrolled users connect with only their password.

Error: “An Access-Request message was received from RADIUS client 10.0.1.4 with a Message-Authenticator attribute that is not valid.”

Resolution:- Confirm Azure Virtual Network Gateway has the same RADIUS Password used as the NPS Radius Clients

Error: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser@tamops.test with response state AccessReject, ignoring request.”

Resolution:- The extension only adds the second factor after NPS has already accepted the first, so an AccessReject here is a first-factor (NPS/Active Directory) problem, not an MFA problem. Ensure the user's permissions in Active Directory are correct: open the user's properties, go to the Dial-in tab and check Network Access Permission (it should be "Control access through NPS Network Policy" or "Allow access", not "Deny access"), and review the matching 6273 event in the Security log for the reason code.
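As an added example (not from the original post), the following PowerShell performs the configuration checks behind the three errors above in one place: whether an NPS RADIUS client entry exists for the gateway address, what the user's Dial-in Network Access Permission is set to (stored in the msNPAllowDialin attribute), and what REQUIRE_USER_MATCH is set to for the extension. The address 10.0.1.4 and the account name testuser are taken from this post's examples and are assumptions, as is the decision to clear an explicit Deny rather than set an explicit Allow.

```powershell
# Added example (not from the original post): configuration checks behind the
# three errors above. Run elevated on the NPS server, which needs the NPS and
# ActiveDirectory PowerShell modules.
param(
    [string]$RadiusClientAddress = '10.0.1.4',   # assumed: gateway address from the event in this post
    [string]$UserName            = 'testuser'    # assumed: sAMAccountName of testuser@tamops.test
)

Import-Module NPS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1) "Message-Authenticator attribute that is not valid"
#    The attribute is an HMAC keyed with the shared secret, so a mismatch means
#    the gateway and the NPS RADIUS client entry disagree on the secret.
$client = Get-NpsRadiusClient | Where-Object { $_.Address -eq $RadiusClientAddress }
if (-not $client) {
    Write-Warning "No NPS RADIUS client is defined for $RadiusClientAddress; NPS discards its requests."
} else {
    Write-Output "RADIUS client '$($client.Name)' exists for $RadiusClientAddress."
    # Rather than trying to compare secrets, reset both sides to a fresh value:
    #   Set-NpsRadiusClient -Name $client.Name -SharedSecret (Read-Host 'New shared secret')
    # and set the same value on the Azure Virtual Network Gateway.
    # Note: Export-NpsConfiguration writes shared secrets in clear text; protect that file.
}

# 2) "response state AccessReject, ignoring request"
#    NPS rejected the first factor, so the extension never ran. The Dial-in tab's
#    Network Access Permission lives in msNPAllowDialin:
#      $true = Allow access, $false = Deny access,
#      not set = Control access through NPS Network Policy (the usual setting).
$user = Get-ADUser -Identity $UserName -Properties msNPAllowDialin, Enabled, LockedOut
$dialIn = if ($user.msNPAllowDialin -eq $true) { 'Allow access' }
          elseif ($user.msNPAllowDialin -eq $false) { 'Deny access' }
          else { 'Control access through NPS Network Policy' }
Write-Output "$($user.SamAccountName): Enabled=$($user.Enabled) LockedOut=$($user.LockedOut) NetworkAccessPermission='$dialIn'"
if ($user.msNPAllowDialin -eq $false) {
    # Clearing the attribute hands the decision back to the NPS network policy,
    # which is preferable to a blanket Allow that bypasses the policy's conditions.
    Set-ADUser -Identity $UserName -Clear msNPAllowDialin
    Write-Output "Cleared explicit Deny on $UserName; NPS network policy now decides."
}

# 3) "An NPS extension dynamic link library (DLL) ... rejected the connection request"
#    Besides a wrong tenant ID at install time, a user who is not enrolled for
#    Azure MFA is rejected while REQUIRE_USER_MATCH is TRUE (the default).
#    Keep it TRUE in production: FALSE lets un-enrolled users through on password alone.
$mfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if (Test-Path $mfaKey) {
    $cfg = Get-ItemProperty -Path $mfaKey
    Write-Output "REQUIRE_USER_MATCH = $($cfg.REQUIRE_USER_MATCH)"
} else {
    Write-Warning "$mfaKey not found; re-run AzureMfaNpsExtnConfigSetup.ps1 from 'C:\Program Files\Microsoft\AzureMfa\Config' with the correct tenant ID."
}
```

Run it as `.\Check-NpsMfa.ps1 -RadiusClientAddress 10.0.1.4 -UserName testuser` (script name assumed) and work through the warnings top to bottom; the order matches the order in which a request is processed, so the first warning is usually the real cause.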

8 comments

  1. “…review Dial-> Network Access Permission within the user properties…”
    Life saver! First page of Google search results and this seems to be the only page with this solution. Majority of users were getting through, a handful reporting getting denied login. For this error, Microsoft only says to check firewall rules and ensure user is licensed. Pffft.

  2. I do want to clarify that your instructions were clearer than Microsoft’s, since they do mention the Dial-in tab, but for those of us not familiar with it (it’s generally missing), I’d have not known it was in Active Directory user properties if it wasn’t spelled-out to me. 😀

  3. Has anyone noticed the limitation that you can’t use CHAP and SMS authentication together? Seems like a step backwards forcing everyone to use PAP if they want SMS.

    1. Yeah, so far it has been great though with any teams I know that use this type of setup.
