NPS extension for MFA helps to make use of Azure MFA for on VPN connectivity. Although the documentation from Microsoft is straight forward to explain how that work and how to configure, we don’t have much information online.
Let’s assume that you have a Radius server as
- I have configured Cisoco-ASA to use lab-DCRadius. On NPS server, I have configured CiscoASA as Radius client to access connection
- Test the VPN using Cisco AnyConnect to LabVPN.Lab.com
From the following diagram, illustrate the flow. (The above said registry keys play the role of transferring the secondary Auth to Azure MFA)
Once you confirm that VPN is working,
Install the NPS extension from here, there are 2 version 188.8.131.52 & 184.108.40.206 (220.127.116.11 is available but on request to Microsoft)
To make sure Azure MFA accept the request from the NPS server,
Once you install it you have to run the script that comes with the NPS extension
- Run Windows PowerShell as an administrator.
- Change directories.
- cd “C:\Program Files\Microsoft\AzureMfa\Config”
- Run the PowerShell script created by the installer.
- Sign in to Azure AD as an administrator.
- PowerShell prompts for your tenant ID. Use the Directory ID GUID that you copied from the Azure portal in the prerequisites section.
- PowerShell shows a success message when the script is finished.
What this does is it
- Sets the registry with a some values
- Creates a self-signed certificate on your server and uploade the certificate on Azure.
To verify check the following registry key
To verify the certificate,
- Open MMC -> File- > Add/Remove Snap-in-> Certificate -> Local Computer, Click Ok
- Navigate to Certificates -> Personal – >Certificates
You will find a certificate with the tenant Id.
- Go to the properties of the certificate, under details tab, look for Thumbprint, Copy it somewhere.
- Now open Azure module for Windows PowerShell
- Run the command in the screenshot
- Copy the value in to a notepad and save it as .cer (if you have more than one cert, you might see more values. You have to copy each one of them in to a separate file and save it as .cer)
- Now open the save .cer file.
- Now under details tab, look for Thumbprint property.
Computer these 2 thumbprint and make sure they matches.
- What if registration fails – This usually happens either if your AD account doesn’t have access to local certificate store or Azure portal (GA admin is the requirement to upload the cert)
- How do I disable MFA on one of the NPS server to test it?
- You can disable the MFA on NPS server. This is essential to find out when you are troubleshooting to narrow down which NPS server is having the issue. To disable the MFA on a NPS server without de-registering it,
- Navigate to the registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serevice\AuthSrv\Parameters, Empty the following key values
- This will stop the NPS to look for Secondary Auth
- How to renew the certificate when it expires
- The certificate usually has 2 years of validity. You can renew it by simply running AzureMfaNpsExtnConfigSetup.PS1
Recently, I have seen the ver. 18.104.22.168 is causing performance issue. There is a newer version which fixes the problem 22.214.171.124.