Intermittent "Login failed" with Azure MFA extension for NPS

MD89 1 Reputation point
2021-11-03T05:29:45.043+00:00

Hi there,

For our remote VPN connections, we use Cisco AnyConnect + ASA and the MFA extension for Azure. This is working most of the time for all users. Sometimes some of the users get "Login failed" on their AnyConnect client immediately after they try to log in. Sometimes they can log in on the second attempt, sometimes it starts working in 5 to 10 minutes. Sometimes they can log in using another VPN server, sometimes it fails for both simultaneously. If the user tries with a VPN server without MFA, there are no issues.

MFA log:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User XXXXXX with response state AccessReject, ignoring request.

NPS log:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: XXXXXX
Account Domain: XXXXXX
Fully Qualified Account Name: XXXXXXXXXXX

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: X.X.X.X
Calling Station Identifier: X.X.X.X

NAS:
NAS IPv4 Address: X.X.X.X
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 1944260608

RADIUS Client:
Client Friendly Name: XXXXXXX
Client IP Address: X.X.X.X

Authentication Details:
Connection Request Policy Name: Remote-VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: XXXXXXXXXXXXXXXX
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

How can I find why it was rejected?


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-11-10T23:23:48.16+00:00

    Hi @MD89 ,

    What error do you see in the Event Viewer? I'll be able to help diagnose much more accurately if I have this.

    If you are getting a username/password error, you can update the passwords and make sure everything in the integration guide has been configured as described. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect#:~:text=When%20you%20integrate%20Cisco%20AnyConnect%20with%20Azure%20AD%2C,in%20one%20central%20location%20-%20the%20Azure%20portal.

    Then, make sure you have added the users to the Cisco AnyConnect app in the Azure portal.

    Then, restart the services and the server.

    I'm providing a pretty long list of additional possibilities, so apologies in advance if you have tried some of these. The DLL error can happen for any of the following reasons (among others):

    1) The user for which NPS rejects the requests has Unicode characters in their password. NPS does not support Unicode passwords and it can fail for that reason. You can change the user's password to resolve this. (This could be the case if this is failing for some users and not others, but likely not the case if the users can log in sometimes and not others as you described.)

    2) Timeout observed within any firewall that you may have within your network.

    3) During my own setup of this extension I have received this error when the request was timing out too soon, when the latest version of the extension was not installed, and when there were old certificates on the server that needed to be removed.

    If the request is timing out too soon, make sure that it's set to at least 60 seconds to give enough time for the request to succeed.

    (screenshot: radiustimeout.png, the RADIUS timeout setting)

    4) Make sure also you have the latest version of the extension installed, as well as all Windows updates. Older versions sometimes threw that DLL error. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#install-the-nps-extension

    5) Make sure that there aren't any duplicate or old certificates on the server.

    You can check for old certificates using:

     # Requires the MSOnline module and an authenticated session first.
     Connect-MsolService
     # List every credential (certificate) registered on the MFA client service principal;
     # -ReturnKeyValues $true also returns the key material so thumbprints and expiry can be compared.
     Get-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -ReturnKeyValues $true
    

    Then you can remove duplicates using:

     # Remove a stale or duplicate credential by the KeyId shown in the previous command's output.
     Remove-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -KeyIds "<key-id-from-previous-output>"
    

    6) The connection method is not allowed by network policy

    7) NPS does not have access to the user account database on the domain controller.

    8) There is an issue with the primary authentication. Check the NPS logs and authentication requests related to any of the users receiving the error.

    9) The NPS server must be able to communicate with the specified URLs: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#network-requirements

    If you provide me with the event viewer information and any additional logs, I'll be happy to help diagnose this further.

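The question asks how to find out why the extension rejected the request, and the answer's items 5 and 8 point at stale certificates and at the primary-authentication path. The script below is an added example written for this thread, not code from either poster or from Microsoft. It pulls the NPS denial events (Event ID 6273, the event quoted in the question) for one account, pulls the NPS extension's own AzureMfa event channels for the same window, and lines the two up by timestamp, so that a Reason Code 21 denial can be read together with the extension message that explains it (in the question's case, the "response state AccessReject, ignoring request" line, which says the request reached the extension already rejected and MFA was never attempted). It then lists the extension's client certificates in the local machine store and flags expired or duplicate ones. Assumptions: it runs on the NPS server with rights to read the Security log and the AzureMfa channels; the account name and time window are placeholders; the extension's certificate subject contains "Microsoft NPS Extension" (the subject the extension setup script writes; treat that filter as an assumption and adjust it if your certificate differs).

```powershell
# Added diagnostic script for the thread above (not from the original posters).
# Assumptions: run on the NPS server with rights to read the Security log and the
# AzureMfa extension channels; $User and $Hours are placeholders; the extension
# certificate subject contains "Microsoft NPS Extension".
[CmdletBinding()]
param(
    [string]$User          = 'XXXXXX',  # sAMAccountName as shown in the 6273 event (placeholder)
    [int]   $Hours         = 24,        # how far back to search
    [int]   $WindowSeconds = 10         # how close an extension event must be to a denial to count
)

function Get-Field([string]$Text, [string]$Pattern) {
    # First capture group of $Pattern, or '-' when the field is absent from the event text.
    if ($Text -match $Pattern) { $Matches[1].Trim() } else { '-' }
}

function Get-NpsDenial([string]$Account, [datetime]$Since) {
    # Event ID 6273 = "Network Policy Server denied access to a user". The body is free text,
    # so the fields of interest are extracted with regexes (one per line of the event).
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($Account))[\r\n]" } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time       = $_.TimeCreated
                NasIp      = Get-Field $m 'NAS IPv4 Address:\s+(\S+)'
                Policy     = Get-Field $m 'Network Policy Name:\s+([^\r\n]+)'
                AuthType   = Get-Field $m 'Authentication Type:\s+([^\r\n]+)'
                ReasonCode = [int](Get-Field $m 'Reason Code:\s+(\d+)' -replace '-', '-1')
                Reason     = Get-Field $m 'Reason:\s+([^\r\n]+)'
            }
        }
}

function Get-MfaExtensionEvent([string]$Account, [datetime]$Since) {
    # The extension logs under Applications and Services Logs > Microsoft > AzureMfa
    # (AuthZ / AuthN channels). Channels are discovered by wildcard rather than hard-coded.
    $logs = Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$Account*" } |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

function Find-DenialCause($Denials, $ExtensionEvents, [int]$Window) {
    # For each NPS denial, collect extension events within +/- $Window seconds and
    # classify the denial from what the extension itself said about the request.
    foreach ($d in $Denials) {
        $near = @($ExtensionEvents | Where-Object {
            [math]::Abs(($_.TimeCreated - $d.Time).TotalSeconds) -le $Window })
        $text = ($near | ForEach-Object { $_.Message }) -join "`n"
        $verdict = if ($d.ReasonCode -eq 21 -and $text -match 'response state AccessReject, ignoring request') {
            'Request reached the extension already in AccessReject state; MFA was never attempted. The failure is upstream of the MFA step (primary Windows authentication / NPS policy evaluation).'
        } elseif ($d.ReasonCode -eq 21) {
            'Extension DLL rejected the request; read the extension messages listed under Extension.'
        } else {
            "NPS itself rejected the request (reason code $($d.ReasonCode)): $($d.Reason)"
        }
        [pscustomobject]@{
            Time       = $d.Time
            NasIp      = $d.NasIp
            Policy     = $d.Policy
            ReasonCode = $d.ReasonCode
            Verdict    = $verdict
            Extension  = $near | ForEach-Object { "$($_.TimeCreated.ToString('HH:mm:ss')) [$($_.LogName)] $($_.Message)" }
        }
    }
}

function Test-MfaExtensionCertificate {
    # Answer item 5: stale or duplicate certificates. Lists the extension's client certificates
    # in LocalMachine\My; compare thumbprints with Get-MsolServicePrincipalCredential output.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*Microsoft NPS Extension*' })
    if ($certs.Count -eq 0) { Write-Warning 'No NPS extension certificate found in LocalMachine\My.' }
    if ($certs.Count -gt 1) { Write-Warning "$($certs.Count) extension certificates present; remove the stale ones from both the store and the service principal." }
    foreach ($c in $certs) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            NotAfter      = $c.NotAfter
            Expired       = $c.NotAfter -lt (Get-Date)
            HasPrivateKey = $c.HasPrivateKey
        }
    }
}

$since   = (Get-Date).AddHours(-$Hours)
$denials = @(Get-NpsDenial -Account $User -Since $since)
$ext     = @(Get-MfaExtensionEvent -Account $User -Since $since)
Find-DenialCause -Denials $denials -ExtensionEvents $ext -Window $WindowSeconds | Format-List
Test-MfaExtensionCertificate | Format-Table -AutoSize
```

Run it as an administrator on the NPS server, e.g. `.\Find-NpsMfaDenial.ps1 -User jdoe -Hours 6` (the file name is whatever you save it under). A denial whose Extension column carries the "AccessReject, ignoring request" line, as in the question, has nothing to do with the MFA challenge itself, so the timeout and certificate items in the answer will not change it; a Reason Code 21 denial with an extension message about a timeout, certificate or connectivity failure is the case the remaining items address. The certificate listing only shows the local store; cross-check the thumbprints against the `Get-MsolServicePrincipalCredential` output in the answer before removing anything.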
