Always on VPN does not complete connection when using conditional access

Murray 6 Reputation points

We are completing a proof of concept for AOVPN using on-premises 2019 VPN+NPS server, IPSec/EAP and Azure AD conditional access to enforce MFA. The Windows 10 devices we are using to connect are Azure AD domain joined, and are managed via Intune.

We have been able to get everything working by following the process here, the conditional access connection flow completes. We can connect to the VPN using either the Azure issued certificate, or our own on-premises issued certificate just fine.

The problem we have is when we first try to connect: the conditional access flow commences, we are successful with the MFA prompt, and the flow returns to the client to connect to the VPN server, but it just gets stuck connecting like in the screenshot below (we have left it here for 1 min, 2 min, 10 min, always the same). We have to disconnect and reconnect a few times at this point to get it to work. When reconnecting, it doesn't kick off the conditional access flow as we are already approved, and it just connects.

I have completed a few packet captures on the client, and see that it never even attempts to connect to our VPN server after completing the conditional access flow. There isn't any network activity reaching our VPN server until we do the disconnect/reconnect.

According to the conditional access client connection flow documented here, in step 4 the client is issued the short-lived Azure AD token and then proceeds to step 5: the VPN client uses the Azure AD-issued certificate to authenticate with the VPN server. So there must be an issue here somewhere.

Should we be expecting that we have to disconnect/reconnect several times after the conditional access connection flow completes?
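The symptom described above (MFA succeeds, then no traffic ever leaves for the VPN server) can be narrowed down on the client before involving the NPS/VPN side. The following PowerShell is an added troubleshooting example, not code from the original post or from Microsoft; it assumes a user-tunnel profile named `AOVPN-User` (placeholder) and that the conditional access client certificate is issued by the Azure AD VPN CA, whose issuer name is assumed here to contain `Microsoft VPN root CA`. It checks whether step 4 actually delivered a valid short-lived certificate to `CurrentUser\My`, what RAS thinks the connection state is, and what the RasClient event log recorded around the hang, so the packet capture finding can be matched against the client's own view.

```powershell
# Added troubleshooting example (not from the original post or from Microsoft).
# Assumptions: the VPN profile name and the CA issuer substring below are placeholders.
$ProfileName = 'AOVPN-User'
$IssuerMatch = 'Microsoft VPN root CA'
$now = Get-Date

# 1. Did the conditional access flow deliver a short-lived client certificate,
#    and is it currently valid? An expired or not-yet-valid certificate (clock
#    skew) means the client has nothing usable for step 5 of the flow.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" }

if (-not $certs) {
    Write-Warning "No certificate from '$IssuerMatch' in CurrentUser\My: the conditional access flow did not deliver one."
} else {
    foreach ($c in $certs) {
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
                 elseif ($c.NotBefore -gt $now) { 'NOT YET VALID (check clock skew)' }
                 else { 'valid' }
        "{0}  thumbprint={1}  valid {2:u} -> {3:u}  [{4}]" -f `
            $c.Subject, $c.Thumbprint, $c.NotBefore, $c.NotAfter, $state
    }
}

# 2. What does the RAS client report for the profile? A status of 'Connecting'
#    with no IKE traffic in the capture points at the client-side handoff after
#    the Azure AD token, not at the VPN/NPS server.
Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus

# 3. RasClient events from the last 30 minutes: connection attempts, disconnects
#    and the error code recorded for each, to correlate with the capture timeline.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = $now.AddMinutes(-30)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Run it in the user's session (not elevated, since the certificate lives in the user store) immediately after the hang, and again after the disconnect/reconnect that succeeds; a certificate that is present and valid in both runs while the RasClient log shows only the later attempt reaching the server isolates the problem to the client's handoff rather than to NPS policy or the certificate itself.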

