Hi @Marcel,
In order to increase the timeout settings for MFA on the NPS server, you need to go to Server Manager > Tools > Network Policy Server. In the NPS (Local) console, expand RADIUS Clients and Servers, and select Remote RADIUS Server. In the middle pane, go to SERVER GROUP Properties > Edit. Under the Load Balancing tab, configure these settings:
If this part is already configured correctly, then I do not think this is an issue on Microsoft's end.
These two threads reported a similar issue and suggest reaching out to their support to increase the timeout.
https://www.reddit.com/r/sysadmin/comments/n6thr6/azure_mfa_nps_vpn_timeout/
https://community.meraki.com/t5/Security-SD-WAN/Told-by-Meraki-Support-that-MFA-is-No-Longer-Available-for/m-p/78164
As stated by one of the Meraki engineers:
The radius session will expire after three retries of five seconds each or 15 total seconds of inactivity. So if your radius server can't process the multi-factor authentication fast enough then it will time out on the MX.
Support can change both the timeout (5 seconds) and retry (3 attempts) on the MX. If you reference this kb to Support, they'll be able to make the changes to the timeout and retries.
I am not certain about Meraki, but I also know that other VPN clients have a max setting, and if you set it over that, it will just revert back to default. I also recall a few cases where the timeout setting would get set but not pushed to the client, and so the client timed out before the server did. I've seen several VPN issues with Meraki today even where customers were reporting issues with push notifications being sent at the wrong times.
Let me know if this helps and if you have further questions though. If you would prefer to share logs over email I'm happy to troubleshoot that way as well.
If the information helped you, please Accept the answer. This will help us and other community members as well.