NPS extension MFA - Twice - verification call

RndMaster 116 Reputation points
2021-03-02T00:41:05.253+00:00

We integrated the NPS extension with Palo Alto VPN, and we are able to authenticate to the VPN using MFA. However, we get verification twice (call, SMS, OTP and App verification) to connect to the VPN.
There is 30 seconds lag between 1st and 2nd MFA Authentication.

Time out value is set to 60 sec on Palo Alto and 1 retry only, still experiencing the same issue.

In NPS, we are getting the error below:

**Reason Code: 9**
**Reason: The request was discarded by a third-party extension DLL file.**

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request.

I have tried all the suggestions on the Internet but no luck.

Has anyone experienced this issue, or does anyone have a suggestion?


Accepted answer
  1. Priyavert Sharma 136 Reputation points
    2021-03-08T17:54:41.82+00:00

    Issue Resolved...

    It was at the Palo Alto end.

    Palo Alto was sending multiple requests to Radius for NPS Authentication. We configured the PaloAlto Portal and Gateway to enable cookies using a self-signed certificate to fix the issue. Below are the links discussing the same issue:

    How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)
    https://www.youtube.com/watch?v=XdUfLzLK_5A

    Why are users receiving multiple Duo Push authentication requests while logging in to Palo Alto PAN-OS?
    https://help.duo.com/s/article/2054?language=en_US

    Palo Alto Global Protect configuration with Two factor Authentication
    https://www.youtube.com/watch?v=it4rzLkcOWk

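
To confirm the diagnosis in the accepted answer before changing the VPN configuration, the following added example (not part of the thread and not Microsoft or Palo Alto tooling) groups RADIUS Access-Request packets by user and client and reports any that repeat within a time window. The record layout, the 60-second window and the sample rows are assumptions constructed for illustration; per RFC 2865 a retransmitted request keeps its Identifier, so a changed Identifier indicates a separate authentication attempt.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: Access-Request packets seen on the NPS server, e.g.
# exported from a packet capture. Layout is an assumption of this example:
# (timestamp, NAS/client IP, User-Name, RADIUS Identifier)
SAMPLE = [
    ("2021-03-02 00:30:00", "10.0.0.1", "alice", 17),
    ("2021-03-02 00:30:30", "10.0.0.1", "alice", 18),  # new request 30 s later
    ("2021-03-02 00:41:00", "10.0.0.1", "bob", 40),
    ("2021-03-02 00:41:05", "10.0.0.1", "bob", 40),    # same Identifier
    ("2021-03-02 01:15:00", "10.0.0.1", "carol", 52),  # single request
]


def find_repeats(records, window_s=60):
    """Return (user, nas, gap_seconds, kind) for every Access-Request that
    follows another one from the same user and NAS within window_s seconds.

    kind is "retransmission" when the Identifier is unchanged (look at the
    client's timeout/retry settings) and "new-request" when it differs
    (the client started a second authentication).
    """
    by_key = defaultdict(list)
    for ts, nas, user, ident in records:
        by_key[(user.lower(), nas)].append((datetime.strptime(ts, FMT), ident))

    findings = []
    for (user, nas), reqs in sorted(by_key.items()):
        reqs.sort()  # chronological order per user/NAS pair
        for (t1, id1), (t2, id2) in zip(reqs, reqs[1:]):
            gap = int((t2 - t1).total_seconds())
            if gap <= window_s:
                kind = "retransmission" if id1 == id2 else "new-request"
                findings.append((user, nas, gap, kind))
    return findings


if __name__ == "__main__":
    for user, nas, gap, kind in find_repeats(SAMPLE):
        print(f"{user} via {nas}: repeat after {gap}s ({kind})")
```

A "new-request" finding with a gap near 30 seconds matches the symptom described in the question.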

2 additional answers

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-03-02T05:54:39.587+00:00

    Hi @RndMaster · Thank you for reaching out.

    I have worked on similar issues where multiple verification calls were being made due to a mismatch in the Pre-Shared Key. I would suggest that you review the configuration from scratch and make sure the PSK is entered wherever required and is configured with the same value.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Priyavert Sharma 136 Reputation points
    2021-03-06T20:05:02.077+00:00

    Found Palo Alto is sending authentication twice to the Radius server. It could be the cause of the issue. Started working with Network resources to look at the PaloAlto configuration. I will update you once I find any further update.

    Thanks,
    Priyavert