Thank you for posting your query on Microsoft Q&A. From the above description I understand that the user is not getting an MFA prompt but a "denied" message while trying to connect to Wi-Fi using the NPS extension.
Please do correct me if this is not the case by responding in the comments.
As per NPS Extension Errors, the error message above is displayed under the following condition:
This response is used when additional information is required from the user to complete the authentication or authorization process. The NPS server sends a challenge to the user, requesting further credentials or information. It usually precedes an Access-Accept or Access-Reject response.
Although NPS doesn't support number matching, the latest NPS extension does support time-based one-time password (TOTP) methods such as the TOTP available in Authenticator, other software tokens, and hardware FOBs. TOTP sign-in provides better security than the alternative Approve/Deny experience. Make sure you run the latest version of the NPS extension.
Anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later is prompted to sign in with a TOTP method instead of Approve/Deny. Users must have a TOTP authentication method registered to see this behavior. Without a TOTP method registered, users continue to see Approve/Deny.
Suggestion:
- Kindly validate the NPS extension version; if running 1.2.2216.1, ensure that a TOTP authentication method is registered and Microsoft Authenticator is registered as an authentication method.
- If running any of the earlier versions (1.2.2131.2, 1.2.1959.1, 1.2.1916.2, 1.1.1892.2, 1.0.1850.1, 1.0.1.41, 1.0.1.40), then you need to modify the registry to require users to enter a TOTP.
To create the registry entry to override the Approve/Deny options in push notifications and require a TOTP instead:
- On the NPS Server, open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
- Create the following String/Value pair:
- Restart the NPS Service.
In addition:
- The NPS Server where the NPS extension is installed must be configured to use the PAP protocol. For more information, see Determine which authentication methods your users can use.
- MSCHAPv2 doesn't support TOTP. If the NPS Server isn't configured to use PAP, user authorization fails with events in the AuthZOptCh log of the NPS Extension server in Event Viewer:
  "NPS Extension for Azure MFA: Challenge requested in Authentication Ext for User npstesting_ap." You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications.
- If your organization uses Remote Desktop Gateway and the user is registered for a TOTP code along with Authenticator push notifications, the user can't meet the Microsoft Entra multifactor authentication challenge and Remote Desktop Gateway sign-in fails. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications with Authenticator.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
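The checks and the registry change described in the answer above, as an added PowerShell example that is not part of the original answer or of Microsoft's documentation. It assumes the extension's uninstall entry has a DisplayName containing "NPS Extension" (matched with a wildcard), that the value TRUE requires TOTP (the answer only states that FALSE falls back to Approve/Deny), and that the AuthZOptCh event log can be located by wildcard; verify all three against your own server. Run it in an elevated PowerShell session on the NPS server.

```powershell
# Added example (not from the original answer): inspect the NPS extension version,
# read/set the AzureMfa override value, restart NPS, and list recent AuthZOptCh
# "Challenge requested" events that point at a non-PAP RADIUS client.

$MinVersion = [version]'1.2.2216.1'                 # version quoted in the answer
$RegPath    = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName  = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'   # value name quoted in the answer

function Get-NpsExtensionVersion {
    # Search both 64-bit and 32-bit Uninstall views for the extension package.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*NPS Extension*' } |   # assumption: DisplayName pattern
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Set-TotpOverride {
    # Writes the String (REG_SZ) value the answer describes and restarts NPS.
    # Assumption: 'TRUE' requires TOTP; 'FALSE' falls back to Approve/Deny (stated in the answer).
    param([Parameter(Mandatory)][ValidateSet('TRUE', 'FALSE')][string]$Value)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -PropertyType String -Force | Out-Null
    Restart-Service -Name IAS -Force    # Network Policy Server runs as the IAS service
}

# 1. Version check: 1.2.2216.1 or later prompts for TOTP by default; older builds need the override.
$installed = Get-NpsExtensionVersion
if (-not $installed) {
    Write-Warning 'NPS extension not found in the Uninstall keys; confirm it is installed on this server.'
} elseif ([version]$installed -ge $MinVersion) {
    "NPS extension $installed: TOTP prompting is built in; confirm the user has a TOTP method registered."
} else {
    "NPS extension $installed is older than $MinVersion; the registry override is required for TOTP."
}

# 2. Show the current override value (if any).
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { "$ValueName is not set" } else { "$ValueName = $current" }

# Uncomment one of these to apply a change:
# Set-TotpOverride -Value 'TRUE'    # require TOTP on an older extension build (RADIUS client must use PAP)
# Set-TotpOverride -Value 'FALSE'   # fall back to Approve/Deny, e.g. for Remote Desktop Gateway or MSCHAPv2

# 3. "Challenge requested" events in AuthZOptCh mean the RADIUS client is not using PAP,
#    so the TOTP challenge cannot be delivered. Log name located by wildcard (assumption).
$log = Get-WinEvent -ListLog '*AuthZOptCh*' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($log) {
    Get-WinEvent -LogName $log.LogName -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Challenge requested*' } |
        Select-Object TimeCreated, Message
} else {
    Write-Warning 'AuthZOptCh log not found; check Event Viewer under the NPS extension logs manually.'
}
```

If the version check reports 1.2.2216.1 or later and the user still gets Approve/Deny, the fix is on the user side (register a TOTP method), not in the registry; if the log shows "Challenge requested" events, change the RADIUS client or network policy to PAP before expecting TOTP to work.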