Use Azure MFA With Microsoft NPS (RADIUS) Server


KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA on my RADIUS server, to secure access to my switches and routers etc.?” It turns out that if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking that the authenticating user is a member of a domain security group. Once that requirement is satisfied, it will authenticate against my Azure AD, which will trigger an MFA event (in my case, a push request to the Microsoft Authenticator application on my Android phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 licence or a Microsoft 365 licence.

“But I can use the Authenticator App with my Office 365 subscription?”

Well, yes you can, but we are not authenticating to Office 365, are we?

Below you can see that the licence is allocated in Office 365.

P1 Licence Requirement Azure MFA With Microsoft NPS

And the same in Azure AD.

P1 Licence Requirement

Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application, the USER chooses that method of authentication when you enable MFA for them (the first time they log in). You can force them to re-register from the following screen if you wish.

P1 Licence MFA

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run through setting up NPS / NPAS. The quickest and simplest method is to use PowerShell.

Install-WindowsFeature NPAS -IncludeManagementTools

From Administrative Tools open Network Policy Server > Right click the top level node > Register Server in Active Directory > OK > OK.

Register NPS in Active Directory

Execute the following PowerShell command to create the required registry key:

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

NPS Azure MFA

Enable NPS RADIUS on Windows Firewall

Now, for some reason, installing NPS does not open the correct ports on the Windows Firewall, so issue the following command:

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

NPS Allow RADIUS Windows Firewall
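The three deployment steps above (role install, AD registration, registry key and firewall rules) as one script that also verifies each step. This is an added example, not code from the original article; it assumes an elevated PowerShell session on a domain-joined Windows Server and, for the AD registration check only, the RSAT ActiveDirectory module.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): run the NPS deployment
# steps and verify each one, so a mistyped flag or registry value is caught
# before the Azure side is touched.
$ErrorActionPreference = 'Stop'
$report = [ordered]@{}

# 1. Role install (note the flag is -IncludeManagementTools).
$result = Install-WindowsFeature -Name NPAS -IncludeManagementTools
$report['NPAS installed'] = $result.Success
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot required after NPAS install.' }

# 2. 'Register Server in Active Directory' puts this computer in the
#    'RAS and IAS Servers' group, which is what lets NPS read users' dial-in
#    properties. Verify the membership rather than trusting the GUI click.
#    (Assumes the RSAT ActiveDirectory module is available.)
try {
    Import-Module ActiveDirectory
    $member = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
        Where-Object { $_.objectClass -eq 'computer' -and $_.name -eq $env:COMPUTERNAME }
    $report['Registered in AD'] = [bool]$member
} catch {
    $report['Registered in AD'] = "unknown ($($_.Exception.Message))"
}

# 3. REQUIRE_USER_MATCH=TRUE: users with no matching Azure AD account are
#    rejected instead of being let through without MFA. Stored as a string.
$key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name REQUIRE_USER_MATCH -Value 'TRUE' -PropertyType String -Force | Out-Null
$report['REQUIRE_USER_MATCH'] = (Get-ItemProperty -Path $key).REQUIRE_USER_MATCH

# 4. The built-in RADIUS rules are scoped to the NPS service and do not
#    match the traffic; widen them to any service and make sure they are enabled.
$rules = Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object DisplayName -like '*RADIUS*'
$rules | Set-NetFirewallRule -Service Any -Enabled True
$report['RADIUS firewall rules open'] = @($rules | Where-Object {
    $_.Enabled -eq 'True' -and ($_ | Get-NetFirewallServiceFilter).Service -eq 'Any'
}).Count -eq @($rules).Count

# 5. The NPS service ('IAS') must be running and listening on the RADIUS ports.
$report['NPS service running'] = (Get-Service -Name IAS).Status -eq 'Running'
$report['Listening on UDP 1812/1813'] = [bool](Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List
```

Every line of the report should read True (or TRUE for the registry value) before you continue; a False on the firewall or listener line is the usual reason a RADIUS client sees timeouts rather than a reject.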

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know your Azure Tenant ID; keep a copy handy, either in Notepad or on the clipboard, because you will need it in a minute.

Azure Tenant ID

Below you can see my domain user: their remote access (Dial-in tab) is set to control access through policy, and I’ve placed them in a security group called SG-Azure-MFA.

User AD NPS

Configure NPS for RADIUS Access

Note: You may already have this configured; if so, skip to the next section.

The first task is to define the RADIUS CLIENT; in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password; you will need to add this to the RADIUS client’s config) > OK.

Create RADIUS Client

Policies > Network Policies > New > Give it a sensible name > Next.

NPS Network Policy

Add in a ‘Condition’ for User Group, then add in the user group you created/used above.

NPS Network AD User Groups

Add in another ‘Condition’ > Set the friendly name to the one you used when you created your RADIUS client.

NPS Network RADIUS Friendly Name

Accept all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’ > Click Yes if you want to read the warning > Next > Accept all the defaults from this point forward.

NPS EAP Types
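The RADIUS client step above, done from the NPS PowerShell module instead of the console, with a randomly generated shared secret rather than a typed-in word. This is an added example, not code from the original article; the client name and IP address are assumed values (the friendly name must match the ‘Client Friendly Name’ condition in the network policy), and the network policy itself is still built in the console as described above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): define the RADIUS client
# with New-NpsRadiusClient / Set-NpsRadiusClient and a CSPRNG-generated
# shared secret, then read the definition back to confirm it was saved.
Import-Module NPS

$clientName = 'Firewall'          # assumed; must match the policy's friendly-name condition
$clientIp   = '192.168.254.254'   # assumed; the RADIUS client's address

# 32 characters from the OS CSPRNG, restricted to letters and digits so any
# network device will accept it. Rejection sampling keeps every character
# equally likely (248 = 62 * 4, so bytes 248..255 are discarded).
function New-SharedSecret([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$out.Append($alphabet[$buf[0] % 62]) }
    }
    $out.ToString()
}

$secret = New-SharedSecret
if (Get-NpsRadiusClient -Name $clientName -ErrorAction SilentlyContinue) {
    Set-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $secret | Out-Null
} else {
    New-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $secret | Out-Null
}

# Confirm the stored definition, then hand the secret to whoever configures the
# firewall; it is shown once here and is not written to disk.
Get-NpsRadiusClient -Name $clientName | Select-Object Name, Address
Write-Host "Shared secret for $clientName (enter this on the RADIUS client): $secret"
```

The secret is the only thing authenticating the firewall to NPS, so it is worth generating rather than inventing; the same value goes into the RADIUS client’s configuration on the firewall.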

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA’ software from Microsoft, and install it on your NPS server.

NPS Extension for Azure

To actually enable it against your Azure AD, execute the following PowerShell commands:

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

Setup NPS Extension for Azure.

Eventually you will be asked to authenticate to Azure; do so with an administrative account.

Authenticate to Azure

You will be asked to provide your Azure Tenant ID.

NPS and Azure Tenancy

When complete REBOOT THE NPS SERVER!
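A post-reboot check that the extension is actually hooked into NPS and that the certificate the setup script created for talking to Azure AD is still valid (an expired certificate is the failure the comments on this article describe, and the fix there was to re-run AzureMfaNpsExtnConfigSetup.ps1). This is an added example, not code from the original article or from Microsoft. It assumes, beyond what the article states, that the extension registers its DLL under the AuthSrv\Parameters key and that its certificate sits in the machine store with a subject containing ‘Microsoft NPS Extension’; adjust the filters if your installation differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): verify the Azure MFA NPS
# extension is registered with NPS and its certificate is not about to expire.
# Assumed details: the AuthSrv\Parameters DLL lists and the certificate
# subject filter; both are stated as assumptions in the text above.
$setupScript = 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters' -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'Extension setup script present' = Test-Path $setupScript
    'Listed in AuthorizationDLLs'    = [bool](@($params.AuthorizationDLLs) -match 'AzureMfa')
    'Listed in ExtensionDLLs'        = [bool](@($params.ExtensionDLLs) -match 'AzureMfa')
    'REQUIRE_USER_MATCH'             = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
}

# Certificate created by the setup script (assumed subject filter). Warn well
# before NotAfter so the renewal is planned rather than discovered via Event ID 6274.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like '*Microsoft NPS Extension*' |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $checks['Extension certificate subject'] = $cert.Subject
    $checks['Certificate days remaining']    = $daysLeft
    if ($daysLeft -le 0) {
        Write-Warning "Extension certificate expired on $($cert.NotAfter); re-run $setupScript"
    } elseif ($daysLeft -lt 30) {
        Write-Warning "Extension certificate expires in $daysLeft days; schedule a re-run of $setupScript"
    }
} else {
    $checks['Extension certificate subject'] = 'not found'
}

[pscustomobject]$checks | Format-List
```

Running this on a schedule (or as part of a monitoring check) turns the certificate expiry from a surprise outage into a planned re-run of the setup script.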

Testing Azure MFA With NPS

Again, for the Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works:

Remember to RAISE the RADIUS timeout; by default it’s 10 seconds, I raised it to 30 seconds.

Test NPS Azure MFA

And on my phone I get prompted to allow.

Authenticator Azure


Authentication successful!

Test NPS Azure MFA Successful

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file.

This happens when the user you are authenticating does not have the correct licence in Azure (or you have just allocated the licence and have not waited a while for it to apply).

Event ID 6274

Full Error

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had to re-install the NPS Azure extension.

Event ID 6273

Full Error

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
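A triage function for the two failure events above. This is an added example, not code from the original article: it reads NPS audit failures (6273 denied, 6274 discarded) from the Security log, parses the fields shown in the event text, and annotates the reason codes the article explains (9 and 21); any other code is reported without a hint. The sample event embedded in the block is constructed from the article’s 6274 event so the parser can be tried without a live server.

```powershell
# Added example (not from the original article): parse and summarise NPS
# audit-failure events so extension problems stand out from ordinary denials.

# Meanings the article gives for the codes it hit; anything else is left unannotated.
$known = @{
    9  = 'Discarded by extension DLL: check the user has the required licence and that it has had time to apply'
    21 = 'Extension DLL rejected the request: reinstall/reconfigure the NPS extension'
}

function ConvertFrom-NpsEventText {
    param([Parameter(Mandatory)][string]$Message, [int]$EventId, [datetime]$Time)
    # First line that starts with "<label>:". Labels such as "Account Name" appear
    # in several sections of the event; the User section comes first, so the first
    # match is the authenticating user.
    function field($label) {
        if ($Message -match "(?m)^[ \t]*$([regex]::Escape($label)):[ \t]*(.*?)[ \t]*\r?$") { $Matches[1] } else { '-' }
    }
    $code = field 'Reason Code'
    $codeInt = if ($code -match '^\d+$') { [int]$code } else { $null }
    [pscustomobject]@{
        Time       = $Time
        EventId    = $EventId
        User       = field 'Account Name'
        Domain     = field 'Account Domain'
        Client     = field 'Client Friendly Name'
        ClientIP   = field 'Client IP Address'
        Policy     = field 'Network Policy Name'
        AuthType   = field 'Authentication Type'
        ReasonCode = $codeInt
        Reason     = field 'Reason'
        Hint       = if ($null -ne $codeInt -and $known.ContainsKey($codeInt)) { $known[$codeInt] } else { '' }
    }
}

function Get-NpsMfaFailure {
    param([int]$Hours = 24)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6273, 6274
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in $events) {
        ConvertFrom-NpsEventText -Message $e.Message -EventId $e.Id -Time $e.TimeCreated
    }
}

# Constructed sample (abridged from the article's 6274 event) to exercise the parser.
$sample = @"
Network Policy Server discarded the request for a user.
User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
Client Machine:
	Account Name:			-
RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254
Authentication Details:
	Network Policy Name:		NP-Azure-MFA
	Authentication Type:		PAP
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.
"@
ConvertFrom-NpsEventText -Message $sample -EventId 6274 -Time (Get-Date) | Format-List

# On the NPS server itself: failures in the last day, grouped by reason code.
Get-NpsMfaFailure -Hours 24 | Group-Object ReasonCode |
    Select-Object @{n = 'ReasonCode'; e = { $_.Name }}, Count,
                  @{n = 'Hint'; e = { if ($_.Name -match '^\d+$') { $known[[int]$_.Name] } }}
```

Reason code 9 with Authentication Type PAP and a named network policy means the request got as far as the extension and was dropped there; code 21 with Authentication Type Extension and no policy name means the extension itself refused it, which matches the two cases described above.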


Related Articles, References, Credits, or External Links

NA

Author: PeteLong


12 Comments

  1. Pete, great article! For AnyConnect it may be worthwhile using SAML with O365; it bypasses the need for RADIUS altogether and works great.
    • Hi Jason,
      Agree 100%. I only used the ASA as a RADIUS client, because it’s what I had to hand on the test bench 🙂

      (And if I had problems, it’s easy to debug!)
    • That’s true Jason, but you need an ASA running newer than 9.4 or the ‘no ca-check’ command that you need as part of the SAML trustpoint will get rejected.

      Pete
  2. I am getting the 6274 log error. However, the user I am testing has the Microsoft E5 license, so I am terribly confused as to why I am getting the error.

    • Me too. But it seems to be an error on the RADIUS client.
      Did you find a solution?
      • We were able to fix the issue by renewing the certificate

        cd "c:\Program Files\Microsoft\AzureMfa\Config"
        .\AzureMfaNpsExtnConfigSetup.ps1
        • Our certificate was expired. To renew it, we ran the above script on our MFA servers.
  3. Great article Pete! Do you happen to know if it will allow for MFA via SMS?
    • I don’t, but I’ll throw it open…
  4. Hi Pete,

    Is there any way that I will be able to perform a ONE TIME MFA bypass for some of the users who are MFA enabled? This is really essential for situations where a user does not have his mobile with him and yet still requires access at that immediate point in time.

    Thanks
    Steven

    • You can have a backup device set in Azure? You can even get the system to ring you on a landline, other than that No.
