vMX-M + Client VPN + Radius&NPS + Azure MFA(optional)

SOLVED
rabusiak
Getting noticed

Ahoj!

Was anyone able to implement the solution from the subject? 😄

I have a vMX-M in Azure. I've enabled Client VPN and used Active Directory auth without any issues. The DC is on a VM in Azure, same vnet but a different subnet. The MX uses the DC as its main DNS server.
Now I have decided to switch to RADIUS + NPS to implement some restrictions like a specific group in AD or even Azure MFA. I followed this instruction:

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
I deployed a new server (same subnet as the DC), added it to the domain, installed the NPS role, registered it with AD, etc.

Unfortunately, auth doesn't work. On the client side I get error 691 when trying to connect. I believe the issue is with the RADIUS configuration in the dashboard or with the vMX itself, because I don't see any requests in the RADIUS server event log.
The RADIUS server has its firewall disabled and no NSG assigned.
Azure Network Watcher tells me that traffic between the vMX and the RADIUS server is not restricted.
The RADIUS secret is fairly simple and doesn't contain any special characters.

What else could be the issue?

6 REPLIES
mmzzaq
Here to help

The AD account that is connecting, does it have Control access through NPS Network Policy enabled? (Account > Dial-in > Control access through NPS Network Policy). Is the account also a member of the correct group?

My account had Dial-in set to Control access through NPS Network Policy by default; I also changed it to Allow, but still no difference. I don't have any AD groups in the request policies, so it should allow all users. Anyway, even with dial-in set to deny access I should still have rejected requests in the RADIUS server event logs, but I have nothing there...

PhilipDAth
Kind of a big deal

NPS and Azure MFA is a pig of a solution when you have problems because of poor logging.

Start by removing the MFA component from NPS, and get it working vanilla. This will help chop the problem in two. If it works you know you have an issue with the MFA configuration. If it doesn't work you know you have a problem with the RADIUS configuration.

A common cause of getting nothing logged in the NPS event view is the RADIUS key not matching.

Check the security event log on the NPS server for events 6272 or 6273.

If you are seeing nothing at all, you may not have auditing configured to create NPS event logs. This post has some info on checking your audit policy and enabling settings if not turned on.

https://social.technet.microsoft.com/Forums/ie/en-US/064f3e68-42fa-4669-aede-838e7cc7df92/nps-events...
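The two checks in the reply above (look for Security events 6272/6273, and confirm the NPS audit subcategory is actually enabled) as one PowerShell snippet. This is an added example, not code from the thread or from Meraki/Microsoft; it assumes it is run in an elevated session on the NPS server, and the "Network Policy Server" audit subcategory name is the standard auditpol one under Logon/Logoff. Nothing here changes the RADIUS configuration; it only reads the log and, if you opt in, enables auditing so that future requests are logged.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# Event IDs come from the reply above: 6272 = access granted, 6273 = access denied.

# 1. Is the NPS audit subcategory enabled? If not, NPS writes nothing to the
#    Security log and "no events at all" tells you nothing about RADIUS itself.
$subcategory = 'Network Policy Server'   # auditpol subcategory under Logon/Logoff
$auditState = auditpol /get /subcategory:"$subcategory" 2>$null
Write-Host "Audit policy for '$subcategory':"
$auditState | Where-Object { $_ -match $subcategory } | ForEach-Object { Write-Host "  $_" }

if ($auditState -join "`n" -match 'No Auditing') {
    Write-Host "NPS auditing is OFF. Enable success + failure auditing? (y/n)"
    if ((Read-Host) -eq 'y') {
        auditpol /set /subcategory:"$subcategory" /success:enable /failure:enable | Out-Null
        Write-Host 'Enabled. Retry the VPN connection and run this script again.'
    }
}

# 2. Pull the most recent NPS decisions from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    # Consistent with the reply: a shared-secret mismatch, or traffic never reaching
    # the server, both show up as an empty log rather than a denial.
    Write-Host 'No 6272/6273 events found: requests are not reaching NPS, or auditing was off.'
    return
}

foreach ($e in $events) {
    $outcome = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED ' }
    # The reason code/text is embedded in the message body; the regex is a
    # best-effort parse of the standard 6273 layout (assumption, not an API).
    $reason = if ($e.Message -match 'Reason Code:\s+(\d+)\s+Reason:\s+(.+)') {
        "code $($matches[1]): $($matches[2].Trim())"
    } else { '' }
    $user = if ($e.Message -match 'Account Name:\s+(\S+)') { $matches[1] } else { '?' }
    Write-Host ("{0:u}  {1}  user={2}  {3}" -f $e.TimeCreated, $outcome, $user, $reason)
}
```

Reading the output follows the reply's logic: an empty list after auditing is confirmed on points at the RADIUS layer (client definition on NPS, shared secret, or the path from the vMX), while a run of 6273 entries means requests arrive and the reason code tells you whether the network policy, the account's dial-in setting, or the MFA extension is rejecting them.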

rabusiak
Getting noticed

After some time, I managed to set this up. If someone needs help - reach me out for details 🙂

CptnCrnch
Kind of a big deal

Wouldn't it be easier if you could let us know at least a shortened version? From my point of view, that's the spirit that keeps great forums like this one so useful.

rabusiak
Getting noticed

Small discovery about this setup.
I'm slowly putting this VPN into "production mode" and I have started to receive feedback from users that they cannot connect because they don't have enough time to perform 2FA (push notification or MS call). RADIUS, by default, has a 60-second timeout, but Meraki only 3 😉 In some newer MX firmwares you can modify this yourself at the bottom of the RADIUS configuration page; in older ones you need to ask support.
After I increased it to 60 seconds on the Meraki side as well I got some improvement, but still, users had only around 20 seconds...
I spent a couple of hours with Meraki and Microsoft support on this case without any luck, and then I found this help article on the Duo site! Hope it will save somebody a lot of time with troubleshooting - the problem was on the client device 🙂

Windows VPN client
If you are using a Windows VPN client and you continue to experience issues after you have increased the RADIUS timeout and the retries, you may need to increase the value of the MaxConfigure Registry key on the client machine to 60:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\MaxConfigure=60

How do I adjust the RADIUS timeout on Meraki? (duo.com)
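The client-side registry change quoted above, as a PowerShell script that reports the current value and sets it only when it differs. This is an added example, not code from the thread or from Duo; the key path and the value 60 are exactly those in the post, and the script assumes it is run elevated on the Windows VPN client. Whether a reboot or a restart of the RasMan service is needed afterwards is not stated in the post, so the script leaves that to the operator.

```powershell
# Added example (not from the thread). Run elevated on the Windows VPN client.
# Path and value are the ones quoted from the Duo article above.
$path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
$name    = 'MaxConfigure'
$desired = 60

if (-not (Test-Path $path)) {
    Write-Host "Registry key $path does not exist; is the RasMan service present?"
    return
}

# Read the current value; $null means the key exists but MaxConfigure is unset,
# so the PPP client default applies (which is what the users in the post hit).
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Host "$name is not set (built-in default applies). Creating it as DWORD $desired."
    New-ItemProperty -Path $path -Name $name -Value $desired -PropertyType DWord | Out-Null
}
elseif ($current -ne $desired) {
    Write-Host "$name is $current. Setting it to $desired."
    Set-ItemProperty -Path $path -Name $name -Value $desired
}
else {
    Write-Host "$name is already $desired. Nothing to do."
}

# Re-read so the operator sees the value the client will actually use.
$after = (Get-ItemProperty -Path $path -Name $name).$name
Write-Host "Effective $name = $after"
```

Deploy this through your usual endpoint-management channel rather than by hand on each laptop; as the post says, the RADIUS timeout on the NPS and Meraki sides has to be raised first, and this key only stops the Windows client from giving up before that timeout is reached.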
