MX client-VPN in combination with NPS Extension for Azure MFA

mmzzaq
Here to help


(fixed, see edit)

We currently use Meraki MX64 client VPN in combination with a local Windows NPS server (radius) so that users can authenticate with their Windows credentials. This works fine but I want to protect the connections with MFA, so I installed the 'NPS Extension for Azure MFA' on the NPS server. Unfortunately I cannot get that to work in combination with our client-VPN. When having it enabled, users cannot establish a VPN connection anymore. They are able to enter their user/pass when the Windows VPN client asks for it but after that it just times out without the user being prompted for MFA:


The NPS server logs the following on these connection attempts:

"NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser1@exampledomain.com with response state Discard, ignoring request."

"NPS Extension for Azure MFA: NPS AuthN extension bypassed for User testuser1@exampledomain.com with response state Discard"

I have run the Azure MFA NPS health check script and that shows no issues. The test user also has a valid Entra ID P1 subscription. Furthermore, the users are able to use MFA on Microsoft services. The settings I'm using on the NPS server are the working settings that were already in place for the non-MFA client-VPN as described in this article: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN_IPs...
I also have set the radius timeout in the Meraki dashboard to 180 but that doesn't make a difference.

I'm having the feeling that it might just be a simple setting in my NPS server that can fix the problems. Can anyone that also uses that NPS Extension for Azure MFA on their NPS server share their settings? Or does anyone have any advice on how I could possibly fix my issues?

note: I know Anyconnect can do MFA flawlessly with SAML but Anyconnect is not an option for us.

Thanks in advance

EDIT: Nvm, I fixed it. Turns out I erroneously swapped around two registry key values earlier when I was troubleshooting the early stages 😑 Hitting myself with a hammer in the head.
Btw, now that it's working, I can confirm that using the starter RADIUS settings from the Meraki article above is enough to get it working in combination with the extra NPS extension (this is something I was wondering about a lot during my earlier troubleshooting).
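The two log lines quoted above are the useful signal here: the extension only runs secondary (MFA) auth when the primary RADIUS step ends in AccessAccept, so a "bypassed ... with response state Discard" line means MFA was never attempted for that request. The small parser below (an added example, not code from the original post or from Microsoft) pulls the user and response state out of such messages and lists the users for whom MFA was skipped; the sample lines are constructed and modelled on the ones in the post.

```python
import re

# Constructed sample messages modelled on the NPS Extension lines quoted in the post.
SAMPLE_LOG = [
    "NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth "
    "for Radius requests in AccessAccept State. Request received for User "
    "testuser1@exampledomain.com with response state Discard, ignoring request.",
    "NPS Extension for Azure MFA: NPS AuthN extension bypassed for User "
    "testuser1@exampledomain.com with response state Discard",
    "NPS Extension for Azure MFA: NPS AuthN extension bypassed for User "
    "testuser2@exampledomain.com with response state AccessReject",
    "NPS Extension for Azure MFA: some unrelated informational message",
]

# Both message variants carry "for User <upn> with response state <state>".
USER_STATE = re.compile(r"for User (?P<user>\S+) with response state (?P<state>\w+)")


def parse_event(message):
    """Return (user, state) from an NPS Extension message, or None if it carries neither."""
    m = USER_STATE.search(message)
    if m is None:
        return None
    return m.group("user"), m.group("state")


def bypassed_users(lines):
    """Map each user to the set of response states for which the extension logged a bypass.

    Only the 'AuthN extension bypassed' line is counted, so a request that produced both
    the 'ignoring request' line and the 'bypassed' line is counted once. Any state other
    than AccessAccept here means the primary RADIUS step, not the MFA step, is what failed.
    """
    result = {}
    for line in lines:
        if "AuthN extension bypassed" not in line:
            continue
        parsed = parse_event(line)
        if parsed is None:
            continue
        user, state = parsed
        result.setdefault(user, set()).add(state)
    return result


if __name__ == "__main__":
    for user, states in bypassed_users(SAMPLE_LOG).items():
        print(f"MFA never ran for {user}: primary auth ended in {sorted(states)}")
```

Point the script at the extension's exported event messages instead of SAMPLE_LOG to see whether any real request ever reached AccessAccept; if none do, the problem is upstream of MFA, as it was in this thread.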

PhilipDAth
Kind of a big deal

I was involved in working on such a configuration recently that was working and then stopped. I believe this is no longer a supported configuration by Microsoft. It is my understanding that pure push notifications are no longer supported, only notifications that require users to enter a verification code ("verified push"), and that this cannot be done with Microsoft client VPN.
Lots of things other than client VPN have been broken by this change. Example Google:
https://learn.microsoft.com/en-us/answers/questions/1396620/when-the-nps-extension-requests-authenti...


You should buy some AnyConnect licences and move to using AnyConnect+SAML with EntraID.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...


Works perfectly fine for me and the Microsoft documentation also seems to indicate that this shouldn't be an issue.

Like I said in my start post, AnyConnect is unfortunately not an option for us (https://community.meraki.com/t5/Security-SD-WAN/MX64-AnyConnect-VPN-Split-tunnel-profile/m-p/233704#...)


PhilipDAth
Kind of a big deal

When you say it works perfectly fine, then what is the issue?

It looks like you are not reading half of what I wrote. Check the top of my first post and the bottom of my first post. That's something I already added before your first reply.
