(fixed, see edit)

We currently use Meraki MX64 client VPN in combination with a local Windows NPS server (RADIUS) so that users can authenticate with their Windows credentials. This works fine, but I want to protect the connections with MFA, so I installed the 'NPS Extension for Azure MFA' on the NPS server.

Unfortunately, I cannot get that to work in combination with our client VPN. With it enabled, users cannot establish a VPN connection anymore. They are able to enter their user/pass when the Windows VPN client asks for it, but after that it just times out without the user being prompted for MFA.

The NPS server logs the following on these connection attempts:

"NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser1@exampledomain.com with response state Discard, ignoring request."

"NPS Extension for Azure MFA: NPS AuthN extension bypassed for User testuser1@exampledomain.com with response state Discard"

I have run the Azure MFA NPS health check script and that shows no issues. The test user also has a valid Entra ID P1 subscription. Furthermore, the users are able to use MFA on Microsoft services.

The settings I'm using on the NPS server are the working settings that were already in place for the non-MFA client VPN, as described in this article: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN_IPsec

I have also set the RADIUS timeout in the Meraki dashboard to 180, but that doesn't make a difference.

I have the feeling that it might just be a simple setting in my NPS server that can fix the problems. Can anyone who also uses the NPS Extension for Azure MFA on their NPS server share their settings? Or does anyone have any advice on how I could possibly fix my issues?

Note: I know AnyConnect can do MFA flawlessly with SAML, but AnyConnect is not an option for us.

Thanks in advance

EDIT: Nvm, I fixed it.

Turns out I erroneously swapped around two registry key values earlier when I was troubleshooting the early stages 😑 Hitting myself with a hammer in the head.

Btw, now that it's working, I can confirm that the starter RADIUS settings from the Meraki article above are enough to get it working in combination with the extra NPS extension (this is something I was wondering about a lot during my earlier troubleshooting).