Unable to use RADIUS authentication

YCY 0 Reputation points
2026-06-08T04:41:38.0666667+00:00

I am currently attempting to configure RADIUS authentication with Azure MFA for our Sangfor VDI client. Despite adding the Sangfor VDI server IP (10.100.53.13) to the NPS RADIUS Clients with the correct shared secret, the authentication is failing.

I have reviewed the NPS Event Viewer logs and identified the following two errors:

  1. RADIUS Client Error: 'A RADIUS message was received from the invalid RADIUS client IP address 10.100.53.13.'
  2. Azure MFA Extension Error: 'Exception in Authentication Ext for User sangfor-user-9 :: ErrorCode:: HTTPS_COMMUNICATION_ERROR Msg:: Unexpected response from the Azure AD MFA service.'

Also, I checked the RADIUS log file and found that the failed user login only got 2 records (see the attached image).

While the successful login will have 4 records before (see the attached image).

I have already opened a support case with Sangfor, but there are no issues found within the Sangfor VDI environment. Could you please assist me in troubleshooting these errors? Would it be possible to arrange a Zoom session including the Sangfor support to further investigate this issue?


1 answer

  1. AI answer

    2026-06-08T04:42:08.6033333+00:00

    Troubleshooting should focus on two separate issues that appear in the logs:

    1. NPS Event: "A RADIUS message was received from the invalid RADIUS client IP address 10.100.53.13"
    2. Azure MFA NPS extension: "HTTPS_COMMUNICATION_ERROR" when calling the Azure MFA service

    Address both in this order.

    1. Fix the invalid RADIUS client error

    This error means NPS is receiving RADIUS packets from 10.100.53.13, but that IP is not recognized as a valid RADIUS client in NPS:

    • Open the NPS console.
    • Go to RADIUS Clients and Servers → RADIUS Clients.
    • Confirm that the entry for the Sangfor VDI server:
      • Has the exact IP address that NPS sees in the event (10.100.53.13). If the VDI server is behind NAT or a load balancer, NPS might actually see a different source IP; in that case, add that source IP as a RADIUS client instead.
      • Uses the same shared secret as configured on the Sangfor VDI RADIUS settings.

    The NPS troubleshooting guidance explicitly calls out this scenario: when NPS logs Event ID 13 (invalid RADIUS client IP), the fix is to ensure the IP address is relevant and add it to the RADIUS Clients list if needed.

    Once this is corrected, the "invalid RADIUS client" error should stop, and NPS will fully process the Access-Request.

    2. Verify NPS and RADIUS configuration

    After resolving the invalid client issue, validate the rest of the NPS configuration using the standard checklist:

    • Ensure NPS auditing is enabled so all failures are logged (using auditpol as described in the checklist).
    • In Event Viewer → Custom Views → Server roles → Network Policy and Access Services, look for Event ID 6273/6274 and check the reason code. For example, reason code 16 indicates invalid credentials and should be resolved by verifying username/password, account lockout, and correct domain.
    • Confirm:
      • The Sangfor VDI RADIUS client is in RADIUS Clients and Servers.
      • The shared secret matches.
      • RADIUS ports (1812/1813 or 1645/1646) are allowed through any firewalls.
      • Network Policy and Connection Request Policy conditions and constraints match the Sangfor traffic and authentication method.

    3. Troubleshoot the Azure MFA NPS extension error

    The HTTPS communication error indicates that the NPS extension cannot successfully complete the MFA call to the Microsoft Entra MFA service.

    Follow the documented MFA/NPS extension troubleshooting flow:

    1. Verify the user is correctly enabled for MFA
      • Have the affected user sign in to the Microsoft Entra admin center.
      • If the user is prompted for MFA and can complete it successfully, MFA itself is configured correctly and the issue is specific to the NPS extension path.
    2. Review the AzureMfa extension logs
      • On the NPS server, open Event Viewer → Applications and Services Logs → Microsoft → AzureMfa.
      • Correlate the HTTPS_COMMUNICATION_ERROR with the corresponding security/NPS events to see whether the failure happens before or after primary authentication.
    3. Check RADIUS flow and NPS logs
      • Confirm that the NPS security log shows a full RADIUS transaction (for successful cases, four records in the NPS database-format log, as seen in the working example). The fact that failed attempts only show two records indicates the flow is terminating early—either due to the invalid client error or the MFA extension failing.
      • Use the NPS database-format logs in %SystemRoot%\System32\Logs and, if needed, parse them with a tool or export to a spreadsheet to see the exact sequence of RADIUS messages.
    4. Network and firewall checks for the MFA extension
      • Ensure the NPS server can reach the Microsoft Entra MFA endpoints over HTTPS (outbound 443) and that no proxy or firewall is blocking or altering the traffic.
      • If a firewall or RADIUS-aware device is in the path, verify with that vendor that it supports the required RADIUS attributes and the newer standards (including Message-Authenticator) and that any required mitigations or configuration updates from that vendor are applied.
    5. Check for known NPS/RADIUS issues with recent updates

    Recent Windows security updates introduced stricter RADIUS behavior (for example, around the Message-Authenticator attribute). If the NPS server has the July 2024 or later security updates, and the Sangfor or firewall/RADIUS device has not been updated accordingly, RADIUS authentication can fail.

    • Review the Windows release health information for the NPS server OS version for any emerging/known issues.
    • Apply the guidance from the KB article on RADIUS authentication failures after the July 2024 update and ensure that the firewall/RADIUS solution supports the Message-Authenticator attribute in both requests and responses.
    • If needed, work with the Sangfor and/or firewall vendor to implement their recommended mitigations.

    4. Advanced diagnostics

    If the above steps do not resolve the issue:

    • Enable detailed NPS logging and parse the database-format logs to confirm where in the flow the failure occurs.
    • Use a protocol analyzer such as Wireshark on the NPS server to capture RADIUS traffic between Sangfor VDI and NPS, and verify that:
      • The Access-Request is well-formed and includes expected attributes.
      • NPS responds with the appropriate Access-Challenge/Access-Accept/Access-Reject.

    5. About arranging a Zoom session

    This channel cannot arrange or join live sessions. For live troubleshooting with Sangfor and Microsoft together, open or update a support case with Microsoft Support and request a joint call; Microsoft Support can coordinate with the third-party vendor as needed.


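Added example, not part of the question or the answer above: a small Python parser for NPS database-format (IAS) log lines that reproduces the "4 records for a working login vs 2 for a failing one" comparison from the thread, counting records per user and reporting where each RADIUS flow ended. The column positions (packet type 5, user name 6, client IP 16, reason code 26), the packet-type and reason-code names, and the sample log lines are all assumptions constructed here; check them against your own files in %SystemRoot%\System32\Logs.

```python
import csv
from collections import defaultdict
# 1-based column positions in the NPS "IAS" (database-compatible) log format,
# as assumed here; verify against your own %SystemRoot%\System32\Logs files.
PACKET_TYPE, USER_NAME, CLIENT_IP, REASON_CODE = 5, 6, 16, 26
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
REASON_NAMES = {"0": "success", "16": "credentials mismatch"}

def make_row(packet_type, user, client_ip, reason=""):
    # Builds one constructed IAS-format line (sample data, not a real log).
    cols = ["NPS01", "IAS", "06/08/2026", "04:41:30"] + [""] * (REASON_CODE - 4)
    for pos, val in ((PACKET_TYPE, str(packet_type)), (USER_NAME, user),
                     (CLIENT_IP, client_ip), (REASON_CODE, reason)):
        cols[pos - 1] = val
    return ",".join(cols)
# Constructed sample: a working MFA flow (4 records) and a failing one (2).
SAMPLE_LOG = "\n".join([
    make_row(1, "sangfor-user-1", "10.100.53.13"),
    make_row(11, "sangfor-user-1", "10.100.53.13"),  # MFA challenge
    make_row(1, "sangfor-user-1", "10.100.53.13"),
    make_row(2, "sangfor-user-1", "10.100.53.13", "0"),
    make_row(1, "sangfor-user-9", "10.100.53.13"),
    make_row(3, "sangfor-user-9", "10.100.53.13", "16")])

def parse_records(text):
    # Keeps only the columns the triage needs; skips truncated lines.
    out = []
    for cols in csv.reader(text.splitlines()):
        if len(cols) >= REASON_CODE:
            out.append({"user": cols[USER_NAME - 1], "client_ip": cols[CLIENT_IP - 1],
                        "packet": PACKET_NAMES.get(cols[PACKET_TYPE - 1], "other"),
                        "reason": cols[REASON_CODE - 1]})
    return out

def summarize(records):
    # Per user: record count, packet sequence and how the flow ended.
    flows = defaultdict(list)
    for r in records:
        flows[r["user"]].append(r)
    result = {}
    for user, recs in flows.items():
        last, outcome = recs[-1], recs[-1]["packet"]
        if outcome == "Access-Reject":
            outcome += " (reason %s: %s)" % (
                last["reason"], REASON_NAMES.get(last["reason"], "see NPS docs"))
        elif outcome != "Access-Accept":
            outcome = "incomplete: no Accept/Reject logged"  # flow ended early
        result[user] = {"records": len(recs), "outcome": outcome,
                        "sequence": [r["packet"] for r in recs]}
    return result
```

A flow that ends with a reject carries the NPS reason code in the same record, while a flow with only an Access-Request and no Accept/Reject is the "terminating early" pattern the answer describes.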