KB ID 0001759
I was in a forum last week and someone asked, “Can I enable Azure MFA on my RADIUS server to secure access to my switches and routers, etc.?” It turns out that if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.
So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).
Azure MFA With Microsoft NPS Pre-Requisites
The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license.
“But I can use the Authenticator App with my Office 365 subscription?”
Well yes you can, but we are not authenticating to office 365 are we?
Below you can prove the licence is allocated in Office 365
And the same in Azure AD.
Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application, the USER chooses that method of authentication when you enable MFA for them (the first time they log in). You can re-force that from the following screen if you wish.
Azure MFA With Microsoft NPS: Deploying NPS
So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run through setting up NPS / NPAS. The quickest, simplest method is to use PowerShell (run from an elevated prompt; note the spelling of the switch):
Install-WindowsFeature NPAS -IncludeManagementTools
From Administrative Tools open Network Policy Server > Right click (Top Level) > Register Server in Active Directory > OK > OK.
Execute the following PowerShell command to create the registry key (REQUIRE_USER_MATCH set to TRUE means a user who is not enrolled for MFA in Azure AD is denied rather than let through with only a password):
New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null
Enable NPS RADIUS on Windows Firewall
Now, for some reason, installing NPS does not open the correct ports on the Windows Firewall, so issue the following command:
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any
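The four deployment steps above (install the role, register in AD, set the registry key, open the firewall) as one script, with the verification a practitioner would want after each step. This is an added example, not code from the original article; the netsh registration command replaces the GUI step described above, and the firewall summary at the end simply shows the result of the same rule change.

```powershell
# Added example (not from the original article): NPS deployment steps as one
# idempotent script. Run in an elevated PowerShell session on the future NPS server.

# 1. Install the Network Policy and Access Services role plus management tools
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# 2. Register the NPS server in Active Directory (scriptable equivalent of the
#    "Register Server in Active Directory" GUI step; adds the server to the
#    "RAS and IAS Servers" group so it may read users' dial-in properties).
netsh nps add registeredserver | Out-Null

# 3. Create the AzureMfa key and REQUIRE_USER_MATCH = TRUE so that a user who
#    is not enrolled for MFA in Azure AD is denied instead of passed through.
$mfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
New-Item -Path $mfaKey -Force | Out-Null
New-ItemProperty -Path $mfaKey -Name 'REQUIRE_USER_MATCH' -Value 'TRUE' `
    -PropertyType String -Force | Out-Null

# Verify the value actually landed; a silent failure here would leave the
# extension running with its default behaviour.
$value = (Get-ItemProperty -Path $mfaKey -Name 'REQUIRE_USER_MATCH').REQUIRE_USER_MATCH
if ($value -ne 'TRUE') {
    throw "REQUIRE_USER_MATCH is '$value', expected 'TRUE'"
}

# 4. Installing NPAS creates the RADIUS firewall rules bound to the IAS service
#    only; binding them to "Any" is what makes UDP 1812/1813 (and 1645/1646)
#    actually reachable.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object DisplayName -like '*RADIUS*' |
    Set-NetFirewallRule -Service Any

# Show the resulting rule state so the change can be eyeballed
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object DisplayName -like '*RADIUS*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Run it once per NPS server; every step is safe to repeat, so it can also be used to bring a rebuilt server back to the same state.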
Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)
You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.
Below you can see I’ve got my domain user; their remote access (Dial-in tab) is set to control access through NPS Network Policy, and I’ve placed them in a security group called SG-Azure-MFA.
Configure NPS for RADIUS Access
Note: You may already have this configured, if so please skip to the next section.
The first task is to define the RADIUS CLIENT. In my case it will be a Cisco firewall; yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password; you will need to add this to the RADIUS client’s config) > OK.
Policies > Network Policies > New > Give it a sensible name > Next.
Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.
Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.
Accept all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’ > Click Yes if you want to read the warning > Next > Accept all the defaults from this point forward.
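The RADIUS client definition above, done from PowerShell rather than the console, as an added example that is not part of the original article. It assumes the NPS PowerShell module (New-NpsRadiusClient, Set-NpsRadiusClient, Get-NpsRadiusClient) that ships with the NPAS role; the friendly name and address are taken from the event logs later on the page and are placeholders for your own device. The Network Policy itself has no cmdlet equivalent and is still created in the console as described. Because the policy allows PAP, the only thing protecting the user’s password on the wire is the RADIUS shared secret, so the script generates a long random one instead of a human-chosen password.

```powershell
# Added example (not the article's own code): create or update the RADIUS client
# from PowerShell with a randomly generated shared secret.
Import-Module NPS

$clientName = 'Firewall'          # friendly name; reuse it in the policy condition
$clientIp   = '192.168.254.254'   # placeholder taken from the article's event logs

# 32 random bytes, Base64 encoded: with PAP the user password is only obfuscated
# using this secret, so it must be long and unguessable, not a memorable word.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

# Get-NpsRadiusClient takes no filter parameters, so filter client-side
$existing = Get-NpsRadiusClient | Where-Object Name -eq $clientName

if ($existing) {
    # Rotate the secret on an already-defined client (e.g. a periodic rotation)
    Set-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $sharedSecret
} else {
    New-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $sharedSecret
}

# Paste the secret into the RADIUS client's (firewall's) AAA server configuration,
# then drop it from the session so it does not linger in memory or transcripts.
Write-Host "Shared secret for '$clientName' ($clientIp): $sharedSecret"
Remove-Variable sharedSecret, bytes

# Confirm the client exists and is enabled
Get-NpsRadiusClient | Where-Object Name -eq $clientName |
    Select-Object Name, Address, Enabled | Format-Table -AutoSize
```

Restricting which source addresses may talk to UDP 1812 on the NPS server (to the listed RADIUS clients only) is the other half of protecting a PAP-based setup; the firewall rule opened in the previous section accepts from anywhere by default.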
Enable Azure MFA With Microsoft NPS
Download the ‘NPS Extension For Azure MFA’ software from Microsoft, and install it on your NPS server.
To actually enable it against your Azure AD, execute the following PowerShell commands:
cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1
Eventually you will be asked to authenticate to Azure, do so with an administrative account.
You will be asked to provide your Azure Tenant ID.
When complete REBOOT THE NPS SERVER!
Testing Azure MFA With NPS
Again, for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works:
Remember to RAISE the RADIUS timeout; by default it’s 10 seconds, I raised it to 30 seconds (the user needs time to approve the push notification before the ASA gives up on the request).
And on my phone I get prompted to allow.
Troubleshooting (NPS Azure MFA Not Working)
Event ID 6274: The Request Was Discarded by a third-party extension DLL file.
This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID:                  PNL\tanya.long
    Account Name:                 tanya.long
    Account Domain:               PNL
    Fully Qualified Account Name: pnl.com/PNL/Users/Tanya Long

Client Machine:
    Security ID:                  NULL SID
    Account Name:                 -
    Fully Qualified Account Name: -
    Called Station Identifier:    -
    Calling Station Identifier:   -

NAS:
    NAS IPv4 Address: 192.168.254.254
    NAS IPv6 Address: -
    NAS Identifier:   -
    NAS Port-Type:    Virtual
    NAS Port:         6

RADIUS Client:
    Client Friendly Name: Firewall
    Client IP Address:    192.168.254.254

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:            NP-Azure-MFA
    Authentication Provider:        Windows
    Authentication Server:          PKI-02.pnl.com
    Authentication Type:            PAP
    EAP Type:                       -
    Account Session Identifier:     -
    Reason Code:                    9
    Reason:                         The request was discarded by a third-party extension DLL file.
Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection
In my case I had to re-install the NPS Azure extension.
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID:                  NULL SID
    Account Name:                 tanya.long
    Account Domain:               PNL
    Fully Qualified Account Name: PNL\tanya.long

Client Machine:
    Security ID:                  NULL SID
    Account Name:                 -
    Fully Qualified Account Name: -
    Called Station Identifier:    -
    Calling Station Identifier:   -

NAS:
    NAS IPv4 Address: 192.168.254.254
    NAS IPv6 Address: -
    NAS Identifier:   -
    NAS Port-Type:    Virtual
    NAS Port:         10

RADIUS Client:
    Client Friendly Name: Firewall
    Client IP Address:    192.168.254.254

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:            -
    Authentication Provider:        Windows
    Authentication Server:          PKI-02.pnl.com
    Authentication Type:            Extension
    EAP Type:                       -
    Account Session Identifier:     -
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    21
    Reason:                         An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
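Reading these events one at a time in Event Viewer gets old quickly, so here is an added example (not from the original article) that pulls the recent 6273/6274 events from the Security log, extracts the user, NAS address, policy and Reason Code from the free-text message with the field labels shown in the two events above, and attaches a hint for the two reason codes the article explains (9 and 21). Field parsing assumes the English message layout seen above.

```powershell
# Added example (not from the article): summarise NPS denials and discards from
# the Security log so an Azure MFA extension problem shows up as a pattern.
param([int]$Hours = 24)

$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6273, 6274      # 6273 = NPS denied access, 6274 = NPS discarded request
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No NPS 6273/6274 events in the last $Hours hour(s)."
    return
}

# Reason codes the article explains; anything else is left for the reader
$reasonHints = @{
    9  = 'Discarded by extension DLL: check the user has an Azure AD P1 / M365 licence (and wait after assigning one)'
    21 = 'Extension DLL rejected the request: re-run AzureMfaNpsExtnConfigSetup.ps1 / check the extension certificate'
}

$events | ForEach-Object {
    $msg = $_.Message
    # The first "Account Name:" in the message is the User block, which is what we want
    $user   = if ($msg -match 'Account Name:\s+(\S+)')             { $Matches[1] } else { '-' }
    $nas    = if ($msg -match 'NAS IPv4 Address:\s+(\S+)')         { $Matches[1] } else { '-' }
    $policy = if ($msg -match 'Network Policy Name:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '-' }
    $code   = if ($msg -match 'Reason Code:\s+(\d+)')              { [int]$Matches[1] } else { -1 }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        User       = $user
        NasAddress = $nas
        Policy     = $policy
        ReasonCode = $code
        Hint       = if ($reasonHints.ContainsKey($code)) { $reasonHints[$code] } else { 'see event message' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# A quick count per reason code is usually the fastest way to see whether the
# failures are one user (licence) or everyone (extension / certificate / tenant)
$events | ForEach-Object {
    if ($_.Message -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { -1 }
} | Group-Object | Select-Object @{n='ReasonCode';e={$_.Name}}, Count | Format-Table -AutoSize
```

If every user fails with Reason Code 21 after a period of working, the extension’s own certificate (see the comments below) is the first thing to check; if only one user fails with Reason Code 9, it is almost always licensing.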
Related Articles, References, Credits, or External Links
Pete, great article! For AnyConnect it may be worthwhile using SAML with O365; it bypasses the need for RADIUS altogether and works great.
Agree 100%. I only used the ASA as a RADIUS client because it’s what I had to hand on the test bench 🙂
(And if I had problems, it’s easy to debug!)
That’s true Jason, but you need an ASA running newer than 9.4 or the ‘no ca-check’ command that you need as part of the SAML trustpoint will get rejected.
I am getting the 6274 log error. However, the user I am testing has the Microsoft E5 license, so I am terribly confused as to why I am getting the error.
Me too. But it seems to be an error on the RADIUS client.
Did you find a solution?
We were able to fix the issue by renewing the certificate.
cd "c:\Program Files\Microsoft\AzureMfa\Config"
Our certificate had expired. To renew it, we ran the above script on our MFA servers.
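The expired-certificate cause mentioned in the comment above is easy to check for before users start failing. The following is an added example, not part of the comment thread or the article; it assumes (as community experience suggests, but not stated on this page) that the AzureMfaNpsExtnConfigSetup.ps1 script places a self-signed certificate in the local machine Personal store whose subject contains "Microsoft NPS Extension", with the tenant ID as the CN.

```powershell
# Added example (not from the page): report the expiry of the Azure MFA NPS
# extension certificate so it can be renewed before it lapses.
# Assumption: subject contains "Microsoft NPS Extension" (CN = tenant ID).
param([int]$WarnDays = 30)

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*Microsoft NPS Extension*' }

if (-not $certs) {
    Write-Warning 'No NPS extension certificate found. Has AzureMfaNpsExtnConfigSetup.ps1 been run on this server?'
    return
}

$now = Get-Date
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0)              { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays)  { 'EXPIRING' }
             else                              { 'OK' }

    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

# Renewal is the same step as the initial setup: re-run AzureMfaNpsExtnConfigSetup.ps1
# (which issues a fresh certificate) and reboot the NPS server, as the article says.
```

Scheduling this to run daily and alert on anything other than OK turns the comment’s outage into a calendar item; more than one certificate in the output usually means an old one was never cleaned up after a previous renewal.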
Great article Pete! Do you happen to know if it will allow for MFA via SMS?
I don’t, but I’ll throw it open…
Is there any way that I will be able to perform a ONE TIME MFA bypass for some of the users who are MFA enabled? This is really essential for situations where a user does not have his mobile with him and yet still requires access at that immediate point in time.
You can have a backup device set in Azure. You can even get the system to ring you on a landline; other than that, no.