Azure MFA with NPS - 20 seconds timeout extension

Marcel 11 Reputation points
2022-10-03T09:31:38.267+00:00

I set up a new Meraki VPN solution. It uses RADIUS auth; the NPS role is installed on an Azure VM, and there is also a Microsoft plugin installed which redirects each RADIUS request to Azure MFA for the second authentication method. That part is working fine. I would like to allow connecting users to have at least 60 seconds to perform 2FA. Meraki is set to wait 60 seconds for a RADIUS response, and RADIUS itself, by default, also waits 60 seconds. Apparently, this MFA plugin waits only 20 seconds for 2FA, because it rejects connections after this period. I can see this in the RADIUS logs as well as while capturing packets on the Meraki side. Is it possible (and how) to extend the Azure MFA plugin timeout?

Here is the documentation I followed while setting everything up: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension


1 answer
  1. Marilee Turscak-MSFT 33,706 Reputation points Microsoft Employee
    2022-10-04T21:45:52.777+00:00

    Hi @Marcel ,

    In order to increase the timeout settings for MFA on the NPS server, you need to:

    1. Go to Server Manager > Tools > Network Policy Server.
    2. In the NPS (Local) console, expand RADIUS Clients and Servers, and select Remote RADIUS Server.
    3. In the middle pane, go to SERVER GROUP Properties > Edit.
    4. Under the Load Balancing tab, configure these settings:

    [image 247565-image.png: the Load Balancing tab settings]

    If this part is already configured correctly, then I do not think this is an issue on Microsoft's end.

    These two threads reported a similar issue and suggest reaching out to their support to increase the timeout.
    https://www.reddit.com/r/sysadmin/comments/n6thr6/azure_mfa_nps_vpn_timeout/
    https://community.meraki.com/t5/Security-SD-WAN/Told-by-Meraki-Support-that-MFA-is-No-Longer-Available-for/m-p/78164

    As stated by one of the Meraki engineers:

    The radius session will expire after three retries of five seconds each or 15 total seconds of inactivity. So if your radius server can't process the multi-factor authentication fast enough then it will time out on the MX.

    Support can change both the timeout (5 seconds) and retry (3 attempts) on the MX. If you reference this kb to Support, they'll be able to make the changes to the timeout and retries.

    I am not certain about Meraki, but I also know that other VPN clients have a max setting and if you set it over that it will just revert back to default. I also recall a few cases where the timeout setting would get set, but not pushed to the client and so the client timed out before the server did. I've seen several VPN issues with Meraki today even where customers were reporting issues with push notifications being sent at the wrong times.

    Let me know if this helps and if you have further questions though. If you would prefer to share logs over email I'm happy to troubleshoot that way as well.

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.
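The Load Balancing settings that the answer's GUI steps edit can also be read and changed from the command line with `netsh nps`, which ships with the NPS role. The script below is an added example for this thread, not the thread author's or Microsoft's code: it records the current Remote RADIUS Server Group configuration, raises the per-request timeout so a slow MFA prompt is not treated as a dropped request, and captures the configuration again so the change can be diffed. The group name and server address are placeholders that you replace with your own values.

```powershell
# Added example (not from the original thread). Adjusts the Remote RADIUS Server
# Group timeout that the answer's Load Balancing-tab steps describe, via netsh nps.
#
# Placeholders (assumptions, replace with your own values):
$GroupName     = 'MFA-Servers'   # name of your Remote RADIUS Server Group in NPS
$ServerAddress = '10.0.0.5'      # address of the server entry inside that group

# Timeout values in seconds. 60 matches what the question says Meraki and RADIUS
# already wait, so the three hops no longer disagree with each other.
$TimeoutSeconds = 60   # seconds without a response before the request counts as dropped
$MaxDropped     = 5    # dropped requests before the server is marked unavailable
$BlackoutSecs   = 60   # seconds to wait before retrying a server marked unavailable

function Get-RemoteServerGroupConfig {
    # Returns the raw netsh listing of every Remote RADIUS Server Group on this NPS,
    # which includes the timeout, maxdrop and blackout values per server entry.
    netsh nps show remoteservergroup
}

# 1. Record the configuration before touching anything (useful for rollback and change logs).
$before = Get-RemoteServerGroupConfig
$before | Out-File -FilePath "$env:TEMP\nps-remoteservergroup-before.txt" -Encoding utf8

# 2. Apply the new timeout, drop count and blackout interval to the server entry.
netsh nps set remoteserver `
    remoteservergroup="$GroupName" `
    address="$ServerAddress" `
    timeout=$TimeoutSeconds `
    maxdrop=$MaxDropped `
    blackout=$BlackoutSecs

# 3. Record the configuration again and show what changed.
$after = Get-RemoteServerGroupConfig
$after | Out-File -FilePath "$env:TEMP\nps-remoteservergroup-after.txt" -Encoding utf8
Compare-Object -ReferenceObject $before -DifferenceObject $after
```

Run it in an elevated PowerShell session on the NPS server. The `timeout` value only governs how long NPS waits for a proxied RADIUS server; as the answer notes, the Meraki MX has its own retry and timeout budget (three retries of five seconds), so the NPS change on its own will not help until Meraki support raises the MX side as well.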