
Friday, August 25, 2023

Windows 2019 NPS Server Firewall Exclusion

Description:

You have completed the NPS configuration on Windows Server 2019. You have configured the correct shared secrets on the VPN servers, and you have made sure there is no network firewall between the VPN servers and the NPS server.

However, client machines cannot connect to the VPN, and you cannot see the traffic reaching the NPS server. There is nothing in the NPS server's Event Viewer.

Resolution:

On the NPS server, open a command prompt with elevated permissions and type:

sc sidtype IAS unrestricted

Restart the server after that.

Windows Defender Firewall on the NPS should be automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received.

With Server 2019, this firewall exception requires a modification to the service's security identifier before the rules can match and allow RADIUS traffic. If this change is not made, the firewall drops the RADIUS traffic. The above command changes the IAS (RADIUS) service to use a unique service SID instead of the one it shares with the other services running as NETWORK SERVICE, so the service-scoped firewall rules can identify its traffic.
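The following PowerShell script is an added example, not part of the original post. It checks the state described above before and after the fix: the current SID type of the IAS service, the NPS firewall rules together with the service they are scoped to, and whether anything is listening on the RADIUS UDP ports. The service name IAS and the command come from the post; the firewall rule group display name "Network Policy Server" and the ports 1812/1813 are assumptions about a default NPS installation.

```powershell
# Added example (not from the original post): inspect the NPS service SID type and the
# service-scoped firewall rules, and apply "sc sidtype IAS unrestricted" only if needed.
# Assumptions: NPS service name "IAS", rule group "Network Policy Server",
# RADIUS authentication/accounting on UDP 1812/1813. Run from an elevated PowerShell.

function Get-NpsSidType {
    # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE:  UNRESTRICTED" (or NONE).
    $out  = sc.exe qsidtype IAS
    $line = $out | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    if ($line -match ':\s*(\S+)') { return $Matches[1] } else { return 'UNKNOWN' }
}

function Get-NpsFirewallRules {
    # The built-in NPS rules are restricted to the IAS service; show that service filter
    # so it is clear why a shared NETWORK SERVICE SID stops them from matching.
    Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Enabled = $_.Enabled
                Service = ($_ | Get-NetFirewallServiceFilter).Service
            }
        }
}

function Get-RadiusListeners {
    # NPS should be bound to UDP 1812/1813; OwningProcess should be the IAS service host.
    Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

$sidType = Get-NpsSidType
Write-Output "IAS service SID type: $sidType"
if ($sidType -ne 'UNRESTRICTED') {
    Write-Output 'Applying fix: sc.exe sidtype IAS unrestricted (reboot the server afterwards)'
    sc.exe sidtype IAS unrestricted
}

Get-NpsFirewallRules | Format-Table -AutoSize
Get-RadiusListeners  | Format-Table -AutoSize
```

Note that inside PowerShell `sc` is an alias for `Set-Content`, which is why the script calls `sc.exe` explicitly; the command in the post is typed into a plain command prompt, where `sc` resolves to the service controller. After the reboot the SID type should read UNRESTRICTED, and the RADIUS rules should show IAS in the Service column.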

Monday, July 24, 2023

Failed F5 Big-IQ connection to Azure MFA

Description

You have set up Azure MFA with the NPS Extension in your organization. You have made sure the firewall rules to and from your NPS server are configured properly, and that the internet connection from the NPS server to Azure MFA is working.
Now you want to test the connection from your F5 Big-IQ to the NPS server. However, you get an error saying "Failed while connecting to radius server, server responded with: Access-Challenge".
You also notice that there is no authentication challenge or prompt in the Microsoft Authenticator app.
In the Event Viewer you can see the following: "NPS Extension for Azure MFA: CID xxxxx : Challenge requested in Authentication Ext for user Domain\UserName with state xxxxx".

Resolution

With NPS extension version 1.2.2216.1 or later, users are prompted to sign in with a TOTP method instead of Approve/Deny. If the client doesn't support this, take the following steps to return to the Approve/Deny behavior.
On the NPS server, open the Registry Editor.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
  2. Create the following String value:
    1. Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
    2. Value: FALSE
  3. Restart the NPS service.
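The following PowerShell script is an added example, not part of the original post; it performs the same registry change from the steps above and verifies it. The key path and value name come from the post; the NPS service name IAS is an assumption about a default installation.

```powershell
# Added example (not from the original post): set the NPS extension override and verify it.
# From the post: HKLM\SOFTWARE\Microsoft\AzureMfa, String value
# OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE. Assumes the NPS service is named "IAS".
# Run from an elevated PowerShell on the NPS server.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

function Get-OtpOverride {
    # Returns the current value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-OtpOverride {
    param([ValidateSet('TRUE', 'FALSE')][string]$Value = 'FALSE')
    if (-not (Test-Path $KeyPath)) {
        # The extension installer normally creates this key; create it only if it is missing.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -PropertyType String creates a REG_SZ value, matching the "String" type in the post;
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -PropertyType String -Force | Out-Null
}

$before = Get-OtpOverride
Write-Output "Before: $(if ($null -eq $before) { '<not set>' } else { $before })"

Set-OtpOverride -Value 'FALSE'
Write-Output "After:  $(Get-OtpOverride)"

# The extension reads its settings when the service starts, so restart NPS to apply the change.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```

After the restart, repeat the F5 Big-IQ test: the RADIUS exchange should end with an Access-Accept or Access-Reject after the Approve/Deny prompt rather than stopping at Access-Challenge.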
