Always On VPN does not complete connection when using conditional access
We are completing a proof of concept for AOVPN using on-premises 2019 VPN+NPS server, IPSec/EAP and Azure AD conditional access to enforce MFA. The Windows 10 devices we are using to connect are Azure AD domain joined, and are managed via Intune.
We have been able to get everything working by following the process here, the conditional access connection flow completes. We can connect to the VPN using either the Azure issued certificate, or our own on-premises issued certificate just fine.
The problem we have is when we first try to connect, the conditional access flow commences, we are successful with the MFA prompt, and the flow returns to the client to connect to the VPN server, but it just gets stuck connecting like in the screenshot below (we have left it here for 1 min, 2 min, 10 min; always the same). We have to disconnect and reconnect a few times at this point to get it to work. When reconnecting it doesn't kick off the conditional access as we are already approved, and it just connects.
I have completed a few packet captures on the client, and see that it never even attempts to connect to our VPN server after completing the conditional access flow. There won't be any network activity reaching to our VPN server until we do the disconnect/reconnect.
According to the conditional access client connection flow documented here, step 4, the client is issued the short-lived Azure AD token and then proceeds to step 5: the VPN client uses the Azure AD-issued certificate to authenticate with the VPN server. So there must be an issue somewhere here.
Should we be expecting that we have to disconnect/reconnect several times after the conditional access connection flow completes?
Thank you for your detailed post and I apologize for the late response!
I just wanted to check in and see if you were able to resolve this issue? If you're still having issues and would like to work with our support team on this, please let me know.
Thank you for your time and patience throughout this issue.
Thanks for checking with us. We have been unable to find any solution for this so far. We would be definitely interested in working with support if that's an option.
We have this exact same issue. Conditional access policy to enforce only device compliance works flawlessly. If we force MFA it goes through the MFA process successfully then sticks at "connecting." Hitting "cancel" and then connecting again works for as long as the session is set (for our testing it is set to 4 hours). Once the session period is up, it goes through the MFA process again (which completes successfully) then gets stuck at connecting the same as before.
We've tried using the RADIUS AzureMFA plugin and it works fine, but it does not offer any flexibility and does not allow for alternative MFA types. We really need this method to work, but until now I haven't found anyone with this same issue!
I'm trying to set up the same for my customer. Always On VPN Device and User Tunnel with a Hybrid Join. Everything is working except the Conditional Access. I don't even receive the popup for the MFA.
Did you set it up with a VPN or a Custom Configuration Policy?
Same issue here. Good to know that we are not the only one. It's a showstopper for going in production use. We have the same prerequisite as Murray-3042 in our environment.
We are in the same situation as well. We also build a proof of concept for an Always On VPN setup with Conditional Access and experienced the same behaviour.
After the authentication flow has passed there is no connectivity to the RAS server. After disconnecting/cancelling the connection a few times the connection is established.
I hope there will be an update/fix to get this resolved.
We solved the issue. In the conditional access settings we activated the sign in frequency which led to the described result. After deactivating the sign in frequency everything worked as intended.
Thanks for the reply, we did some tests and it seems this is - indeed - working. It does however not help me with the business case most clients expect / want: MFA authentication before accessing company data. If it's not possible to set a sign-in frequency, you only need to re-authenticate every 90 days? Or is there some other way to force the MFA authentication request?
One thing we also discovered when setting the sign-in frequency to - for example 1 hour - for testing purposes, is that we see in the Windows Credential Manager that your Windows and certificate-based credentials disappear, and it takes a few minutes, even after authenticating after the MFA request, for them to be accessible again.
Still trying to find a way to make this work like you expect...
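The posts above point at the sign-in frequency session control as the setting that leaves the client stuck at "connecting" after MFA. The following PowerShell is an added example, not code from the thread or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every Conditional Access policy in the tenant and flag the ones that both require MFA and have a sign-in frequency enabled, so an admin can see which policy is the candidate before toggling anything in the portal. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to Policy.Read.All; it does not filter on the VPN Server app ID, because the thread does not give one.

```powershell
# Added example (not from the thread). Lists Conditional Access policies and flags
# the combination the thread reports as failing for AOVPN: MFA grant control plus
# the sign-in frequency session control enabled.
# Requirements (assumed): Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $sif = $p.SessionControls.SignInFrequency
    [pscustomobject]@{
        Policy            = $p.DisplayName
        # enabled / disabled / enabledForReportingButNotEnforced
        State             = $p.State
        RequiresMfa       = [bool]($p.GrantControls.BuiltInControls -contains 'mfa')
        TargetApps        = ($p.Conditions.Applications.IncludeApplications -join ', ')
        SignInFrequencyOn = [bool]$sif.IsEnabled
        # e.g. "4 hours" or "90 days"; empty when the control is off
        Frequency         = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { '' }
    }
}

$report | Sort-Object SignInFrequencyOn -Descending | Format-Table -AutoSize

# Enforced policies that combine MFA with a sign-in frequency: review these against
# the policy that targets the VPN Server app before changing the session control.
$suspect = $report | Where-Object {
    $_.State -eq 'enabled' -and $_.RequiresMfa -and $_.SignInFrequencyOn
}
if ($suspect) {
    Write-Warning 'Policies combining MFA with a sign-in frequency (the combination reported in this thread):'
    $suspect | Format-Table Policy, TargetApps, Frequency -AutoSize
} else {
    Write-Host 'No enabled policy combines MFA with a sign-in frequency.'
}
```

The script only reads policy state; it changes nothing, so it is safe to run against a production tenant while reproducing the problem. Comparing the flagged policy's Frequency column with how long a reconnect keeps working (4 hours in one of the reports above) is a quick way to confirm the same control is responsible in your tenant.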
We're having the same problem (and found this thread while looking for a solution).