Yes, you can change the default sign-in method for MFA to the Microsoft Authenticator App on the NPS server. To do this, you'll need to configure the NPS server to use the Azure MFA NPS extension and then specify the desired authentication method in the RADIUS authentication policy. You can find detailed instructions on how to do this in the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension.
NPS Extension for Azure AD MFA - Require OTP in mobile application
Hello. I am using VMware Horizon VDI with RADIUS 2-factor authentication. I need to change the RADIUS server to Microsoft NPS with the NPS Extension for Azure AD MFA. Everything is working, but for MFA I am getting a text message with a validation code or a Deny/Approve pop-up, depending on the default sign-in method of the user.
I want the user to get a one-time passcode in their Microsoft Authenticator App. Is there a way to change this on the NPS server?
We do have number-match enabled on our Azure tenant, but that only works with O365, not RADIUS.
Thanks
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Khurram Rahim 1,851 Reputation points Volunteer Moderator
2023-02-08T19:17:15.22+00:00
1 additional answer
Konstantinos Passadis 19,591 Reputation points MVP
2023-02-08T17:59:31.23+00:00
Hello @Christian Carrasco!
Please follow the link here and read the following note:
Regardless of the authentication protocol that's used (PAP, CHAP, or EAP), if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed. But any RADIUS attributes that are configured in the Network Access Policy are not forwarded to the RADIUS client (the Network Access Device, like the VPN gateway). As a result, the VPN client might have more access than you want it to have, or less access or no access.
As a workaround, you can run the CrpUsernameStuffing script to forward RADIUS attributes that are configured in the Network Access Policy and allow MFA when the user's authentication method requires the use of a One-Time Passcode (OTP), such as SMS, a Microsoft Authenticator passcode, or a hardware FOB.
So I think this will be quite helpful!
If this answer helped you, kindly mark it as Accepted and Up-Vote!
Otherwise we can discuss further details to help you as well
Best regards!
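Added editor's example, not part of either answer above: the NPS extension selects between an Authenticator push prompt and an Authenticator one-time passcode through the OVERRIDE_NUMBER_MATCHING_WITH_OTP value that Microsoft documents under HKLM\SOFTWARE\Microsoft\AzureMfa, and this PowerShell records, sets and re-reads it. It assumes the NPS extension is installed (so the key exists) and that the script runs elevated on the NPS server.

```powershell
# Added example (not from either answer). Assumes the NPS extension for
# Azure AD MFA is installed, so the HKLM:\SOFTWARE\Microsoft\AzureMfa key exists,
# and that this runs as an administrator on the NPS server.
$key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Get-MfaOtpOverride {
    # Returns the current value (or $null) so it can be recorded before changing it.
    (Get-ItemProperty -Path $key -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
        -ErrorAction SilentlyContinue).OVERRIDE_NUMBER_MATCHING_WITH_OTP
}

function Set-MfaOtpOverride {
    param([ValidateSet('TRUE', 'FALSE')][string]$Value)
    # Microsoft documents this REG_SZ value for the NPS extension: TRUE makes the
    # extension prompt for an OTP from the Authenticator app instead of sending a
    # push with number matching; FALSE keeps the push (Approve/Deny) flow.
    # The RADIUS client (here the Horizon Connection Server) must support
    # Access-Challenge, otherwise the OTP prompt never reaches the user.
    if (-not (Test-Path $key)) {
        throw "NPS extension key $key not found; is the extension installed?"
    }
    Set-ItemProperty -Path $key -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
        -Value $Value -Type String
    # The extension reads its settings at service start; the NPS service name is IAS.
    Restart-Service -Name 'IAS'
}

Write-Host "Before: $(Get-MfaOtpOverride)"
Set-MfaOtpOverride -Value 'TRUE'
Write-Host "After:  $(Get-MfaOtpOverride)"
```

Test with one user first: if the Horizon RADIUS client does not handle Access-Challenge, set the value back to FALSE so the push prompt is used again.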