

NPS Extension for Azure MFA - MFA part not working?

Question

Wednesday, August 16, 2017 12:26 PM

Hi,

I've set up a new environment to test the new NPS extension for MFA; the solution is being tested with RRAS VPN access.  I've set up everything as per this blog - http://jtpedersen.com/index.php/2017/02/13/setup-vpn-to-use-mfa-with-nps-extension/

1x RRAS server (2016) and is configured with RRAS and routing roles along with NPS

1x NPS server (2016) just has NPS installed and configured

1x 2016 DC with AAD Connect syncing to Azure AD (this AD has a Premium license and MFA enabled)

Everything seems to be working up to a point.  That point is when I try and connect to the VPN from Windows 10 VPN client I get the following error in the event log on the NPS server that has the extensions installed

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User TUser@domain.co.uk with response state AccessChallenge, ignoring request.

As this is a new product there is very little troubleshooting info out there and I am a bit stuck on what to do next.

Any advice would be great.

Cheers

Rob

All replies (12)

Wednesday, August 16, 2017 2:31 PM ✅Answered

You are experiencing a limitation of RRAS. RRAS, RD Gateway and some other systems aren't capable of processing Access-Challenge RADIUS responses. This limits the methods of MFA that you can use with these systems. Phone call and mobile app push notifications should work fine. Neither SMS nor mobile app verification codes (OTPs) will work because we don't have a way to challenge the user for their OTP, which is the purpose of the Access-Challenge response. Most VPN systems such as Cisco, Juniper and Citrix Netscaler are able to process the Access-Challenge response and will prompt the user for their OTP, but RRAS doesn't have this capability.
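As an added example (not code from this thread, from RRAS, or from Microsoft's NPS extension), the following Python models the exchange the answer describes: a minimal RADIUS packet builder and parser (RFC 2865 layout), the extension's rule of running the second factor only when the primary result is Access-Accept, and what a challenge-capable client versus an RRAS-like client does when it receives Access-Challenge. The packet contents, State value and user name are constructed; the authenticator and the User-Password hiding are placeholders, not a real RADIUS implementation.

```python
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
CODE_NAMES = {ACCESS_REQUEST: "Access-Request", ACCESS_ACCEPT: "Access-Accept",
              ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}

# Attribute types used below (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_radius(code, identifier, attributes, authenticator=b"\x00" * 16):
    """Serialise a RADIUS packet. The authenticator is a constructed placeholder;
    a real server computes it per RFC 2865 section 3."""
    body = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_radius(packet):
    """Parse the header and TLV attributes, rejecting malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad length field")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:HEADER_LEN], "attributes": attrs}


def attribute(parsed, attr_type):
    """Return the first value of an attribute type, or None if absent."""
    for t, v in parsed["attributes"]:
        if t == attr_type:
            return v
    return None


def extension_runs_secondary_auth(parsed):
    """The NPS extension only adds the second factor when the primary result
    is Access-Accept; any other state, Access-Challenge included, is ignored."""
    return parsed["code"] == ACCESS_ACCEPT


def client_outcome(parsed, supports_challenge):
    """What a RADIUS client does with the response. RRAS-style clients
    (supports_challenge=False) have no way to prompt the user for a code."""
    code = parsed["code"]
    if code == ACCESS_ACCEPT:
        return "connected"
    if code == ACCESS_REJECT:
        return "denied"
    if code == ACCESS_CHALLENGE:
        if supports_challenge:
            return "prompt user for OTP"
        return "denied: client cannot process Access-Challenge"
    return "unexpected code %d" % code


def challenge_reply(challenge, identifier, username, otp):
    """Second Access-Request a challenge-capable client sends: it echoes the
    State attribute unchanged and carries the code the user typed."""
    state = attribute(challenge, ATTR_STATE)
    if state is None:
        raise ValueError("Access-Challenge without State attribute")
    return build_radius(ACCESS_REQUEST, identifier, [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, otp.encode()),  # placeholder: real clients hide this per RFC 2865 5.2
        (ATTR_STATE, state),
    ])


if __name__ == "__main__":
    # Constructed sample: a challenge asking the user for a verification code
    challenge = parse_radius(build_radius(ACCESS_CHALLENGE, 7, [
        (ATTR_STATE, b"session-42"), (ATTR_REPLY_MESSAGE, b"Enter verification code")]))
    print(CODE_NAMES[challenge["code"]], "->", client_outcome(challenge, supports_challenge=False))
    print(CODE_NAMES[challenge["code"]], "->", client_outcome(challenge, supports_challenge=True))
    print("extension runs secondary auth:", extension_runs_secondary_auth(challenge))
    reply = parse_radius(challenge_reply(challenge, 8, "TUser@domain.co.uk", "123456"))
    print("reply echoes State:", attribute(reply, ATTR_STATE))
```

The point the model makes is that a challenge is a two-round exchange: the server holds the session in the State attribute and expects a second Access-Request carrying it back together with the code. A client that only understands Accept and Reject never sends that second request, so OTP-style methods cannot complete, while phone call and app push finish on the Azure side and come back as a plain Access-Accept.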


Monday, September 4, 2017 9:12 PM ✅Answered

Ok, I've got it working....woohoo!

First off, there are some much better instructions here.  They are a lot less complicated than the blogs above.

The issue that was causing my problem was that I was using an account that was also a member of another AAD, and this other AAD also had MFA enabled on this account.

I created a new dedicated account within the AAD that I wanted the MFA extension to consume from, made that account a GA of the AAD and didn't enable MFA on it.  When configuring the MFA extension (via the PowerShell script) I specified this new dedicated account, and it all just worked.  Before reinstalling I did remove the current AAD MFA certificate from the NPS server: go to local machine -> personal -> certs and delete the certificate that has your tenant ID in the "Issued to" column.

Hope this helps

Rob


Wednesday, August 16, 2017 2:36 PM

Thanks for the reply, I suspected that this might be the case.  The test user only has authentication phone configured within their MFA setup as shown below

Is there a configuration I am missing somewhere?

Thanks


Thursday, August 17, 2017 10:24 AM

The limit of challenge/response is that no pop-up will be shown for you to enter a code.

Not supported verification options:

  • OATH
  • SMS

So the following verification options should work:

  • Call my Phone -> confirm with #
  • Mobile App -> Approve on mobile

Your image shows phone verification as active option.

The number must be configured as +31xxxxx. Is the 0 in the entered number in this format? Because I expect no 0 after a country code.


Thursday, August 17, 2017 10:50 AM

Hi

Thanks for the reply, I took your point on the phone and to remove that from the equation I've changed the verification to the app and verified that.

But I am still getting this error in the event logs on the NPS server

Something isn't happy on the MFA side.


Thursday, August 17, 2017 11:21 AM

Which settings do you use for the VPN connection?

In this case it should only use MS-CHAPv2 and username/password.


Thursday, August 17, 2017 11:34 AM

Hi,

VPN client is the Win10 (1703) and is set to username/password.  The security is set to MS-CHAPv2....

The VPN policy configuration is this:

And for my troubles I get a new error now....

Gotta laugh sometimes :)


Thursday, August 17, 2017 12:38 PM

I know the feeling.

Maybe repetitive, but to be sure:

- You have got 2 policies as shown in the blog.

- Additionally, in AD on the DIAL IN pane, the user is set to Allow Access, not Deny or Control access through NPS.

The process should be:
VPN request -> (Accounting) NPS checks credentials, when OK -> NPS MFA (the reason for 2 policies). Handover between the policies may be the cause. I don't have a test environment right now to reproduce the scenario.

You already looked at, I saw: http://microsoftplatform.blogspot.nl/2017/02/securing-rd-gateway-with-mfa-using-new.html

Can you check the setup with this blog post? It's a bit the same configuration, only the target is Azure MFA server on-premise, but it also uses the two policy setup.

/nl-nl/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-rdg

http://www.deployazure.com/security/identity/azure-multi-factor-authentication-server-with-remote-desktop-gateway-part-1/


Thursday, August 17, 2017 1:19 PM

Again, thanks for the reply.

I have been using those blogs to set up the environment so I know them quite well now :) I even burnt my old environment and rebuilt from scratch to make sure I was doing everything correctly.  They make it look so easy! :)

I've got a call open with MS support now so hopefully they will be able to do a bit of troubleshooting from the Azure MFA side (it will be interesting to see if the NPS MFA is hitting Azure and what it's hitting it with)

When I get to the bottom of this I'll post up my findings, as I am sure I won't be the only one to hit these issues.


Monday, September 4, 2017 4:30 PM

Hi,

Did you find a solution? I get the same error...

Jens


Monday, September 4, 2017 4:38 PM

No, at the moment it's not working. I've been working with the product team on this and they believe they have identified the issue but currently do not know how to resolve it.  As soon as a fix is found I'll post up here with the detail.

Rob


Friday, August 24, 2018 5:51 AM

Thank you Rob. It solved my issue.

Vishal