I configured the AnyConnect Client feature on an MX250 and pointed the authentication to our internal RADIUS server setup. From the MX250 I could ping the RADIUS server without any problem. I am able to get Azure MFA authentication when I try to connect to the VPN, but I get a "login failed" error.
Has anyone implemented AnyConnect VPN Client with a RADIUS server?
Filter the security event log on the NPS server for event IDs 6272 and 6273. Do they say they allowed or denied the connection? If they say NPS denied the connection - why - and then fix the NPS rules.
If the connection was allowed, make sure you have increased the default RADIUS timeout for AnyConnect to at least 30s (needs to be enough time for the push event to be sent to the user, the user to acknowledge it, and NPS to respond to the MX).
On a personal note: I've deployed NPS+Azure MFA a lot. I don't recommend it to clients. Typically you can expect it to stop working 1 to 2 times a year. The debugging is poor. You usually end up floundering around re-installing things until you randomly get it working again.
If you really need to use RADIUS-based authentication - I would strongly recommend using Duo. Rock-solid. You won't have to touch it again after installation. Worth the extra money for the reliability.
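The event log check suggested in the reply above can be scripted. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on the NPS server, a one-hour look-back window, and the usual field names in the NPS event data (adjust them if your events differ).

```powershell
# Added example: summarize NPS decisions from the Security log.
# 6272 = NPS granted access, 6273 = NPS denied access.
$since = (Get-Date).AddHours(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing logged: either the request never reached NPS, or the
    # "Network Policy Server" audit subcategory is not enabled.
    Write-Warning "No 6272/6273 events found since $since."
    return
}

$events | ForEach-Object {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User       = $data['SubjectUserName']
        Client     = $data['ClientName']          # RADIUS client (the MX)
        ClientIP   = $data['ClientIPAddress']
        Policy     = $data['NetworkPolicyName']   # rule that matched
        ReasonCode = $data['ReasonCode']          # populated on 6273
        Reason     = $data['Reason']
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A "Denied" row shows which network policy matched and the reason NPS gave; a "Granted" row that still ends in a failed login on the client points toward the RADIUS timeout mentioned above.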