Extend authentication timeout for VPN SSTP with MFA

Krystian Blaszkowicz 20 Reputation points
2025-02-21T13:12:04.7833333+00:00

I have the following setup:

  • a local (RRAS) Routing and Remote Access service set up as an SSTP VPN server
  • a local RADIUS + (NPS) Network Policy Server with Entra NPS addon installed
  • AD to AAD Connect Service to sync local and cloud accounts

The user is able to run the configured VPN profile on their device to attempt a login, and then gets prompted via their authenticator app to approve, but most of the time the user does not have enough time to approve the push notification. MFA push notification has a timeout of around a minute in Azure, so why is it that the RRAS/NPS server only gives what seems to be 3-4 seconds before loading out and posting an error?

Additionally, the error received in the timeout is extremely inaccurate since it has nothing to do with the policy but the user taking too long to approve the push notification.

I have done over a dozen tests now, timing the amount of time I have between the login attempt and when the push notification message works; after 5 or so seconds it no longer registers and the attempt fails all the time. If I keep refreshing the authenticator app and jump on the push notification within the second, it works all the time, so it is most definitely time-based and not a configuration issue.

How can this be extended on the RRAS/NPS server to be something more reasonable?

Additional Note: with Entra MFA disabled, the user authenticates and connects to the VPN in less than a second, so authentication speed between the VPN server, NPS and domain is fast; it is 100% the amount of time it takes for the NPS server to authenticate against Azure MFA.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Alex Burlachenko 18,575 Reputation points Volunteer Moderator
    2025-02-21T13:15:21.2933333+00:00

    Hey Krystian, to extend the authentication timeout for your SSTP VPN with MFA, you’ll need to adjust the timeout settings in your NPS server. Check the RADIUS client or network policy settings in NPS and increase the timeout (e.g., to 60-90 seconds) to give users enough time to approve the MFA push notification. If that doesn’t work, consider reaching out to Microsoft Support for help with the Entra NPS extension.

    Rgds,

    Alex


  2. Bandela Siri Chandana 3,065 Reputation points Microsoft External Staff Moderator
    2025-02-24T07:20:07.2033333+00:00

    Hi @Krystian Blaszkowicz
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Extend authentication timeout for VPN SSTP with MFA

    Solution: Resolved by @Krystian Blaszkowicz
    "You found the option; it was hidden on the VPN Server itself".

    "Open RRAS Management Console:

    On the Windows Server, open the Server Manager.

    Go to Tools, and then select Routing and Remote Access.

    1. Access VPN Server Properties:
      • In the RRAS management console, right-click the server's name (the RRAS server) in the left pane and select Properties.
    2. Navigate to the Security Tab:
      • In the Properties window, go to the Security tab.
    3. Authentication Methods:
      • Click on Authentication Methods.
    4. RADIUS Authentication:
      • If RADIUS authentication is enabled, click the RADIUS Authentication button.
    5. Set the Server Timeout Value:
      • Modify the Server timeout value (seconds). The default is 30 seconds.
      • To minimize discarded requests, set this value to 60 seconds or more, up to 90 or 120 seconds."

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

