NPS extenstion MFA - Twice - verification call

RndMaster 116 Reputation points

We integrated NPS extension with Palo Alto VPN, we able to authenticate VPN using MFA. However, we get two time verification call, SMS, OTP and App verification to connect to the VPN.
There is 30 seconds lag between 1st and 2nd MFA Authentication.

Time out value is set to 60 sec on Palo Alto and 1 retry only, still experiencing the same issue.

In NPS, we are getting error below:

**Reason Code:          9
Reason:             The request was discarded by a third-party extension DLL file.**

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request.

I have tried all the suggestions on Internet but no luck.

Did anyone experience this issue or any suggestion?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,646 questions
{count} votes

Accepted answer
  1. RNDMaster 136 Reputation points

    Issue Resolved...

    It was at the Palo Alto end.

    Palo Alto was sending multiple request to Radius for NPS Authentication. We configured the PaloAlto Portal and Gateway to enable cookies using Self-signed certificate to fix the issue. Below are the links discussing the same issue:

    How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)

    Why are users receiving multiple Duo Push authentication requests while logging in to Palo Alto PAN-OS?

    Palo Alto Global Protect configuration with Two factor Authentication

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 55,521 Reputation points

    Hi @RndMaster · Thank you for reaching out.

    I have worked on similar issues where multiple verification calls were being made due to mismatch in Pre-Shared Key. I would suggest you to review the configuration from scratch and make sure PSK is entered wherever required and is configured with same value.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. RNDMaster 136 Reputation points

    Found Palo Alto is sending authentication twice to Radius server. It could be the cause of the issue. Started working with Network resources to look at the PaloAlto configuration. I will update you once I found any further update.