Great video, learned some stuff! How did you create the filter button to filter just the RADIUS packets?
@robofski
1 year ago
Watched another of your videos and figured out the way to create that filter button, thanks!!
@TheLillilnick
1 year ago
Hey man really liked the video. I can definitely use some of the tools mentioned in a current NPS issue I am troubleshooting. Appreciate the information.
@nate.harris
1 year ago
Glad it helped! If you can't make headway on the issue let me know, maybe I can help.
@sjeit-nowra
2 years ago
That was really good. Thanks for showing that. I have a question with the connection reject method. I have users from two subdomains, I have two RADIUS servers set up already, early on you have the event viewer showing an AccessReject event. Is it possible to have an access reject follow through to a secondary Connection Request Policy?
@nate.harris
2 years ago
The NPS server will not process requests in that manner. Once it gets a request it will attempt to match it to a policy (first Connection Request then Network policies), and it checks the request against each policy in numerical order starting at number 1. Once it matches the conditions of a Connection Request Policy, no matter the outcome it will not process another Connection Request Policy. So you need to create your policies in a fashion so that they will be processed in the order you want them, to ensure that a policy above the one you want to match isn't preventing NPS from even processing the request against your policy.
@adrianmuscat452
2 years ago
Hi Nate, Thanks for the video. I'm having issues using NPS with Azure MFA. I can see the Access Request packet coming in when I'm using NTRadping, but I don't see access accept or reject. Any ideas what I should check? Any help would be appreciated.
@adrianmuscat452
2 years ago
I just realised I needed to add the computer where I was testing from to the RADIUS clients in NPS.
@nate.harris
2 years ago
@adrianmuscat452 Excellent troubleshooting!
@adrianmuscat452
2 years ago
@nate.harris However I still get AccessReject. I can see in the AzureMfa -> AuthZ -> AuthZOptCh log the message: "NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User ... with response state AccessReject, ignoring request." If I check the security log I can see an event with successful logon (ID 4624), logon process: IAS, authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0. I can't see event ID 6273 - Network Policy Server denied access to a user - in my Network Policy and Access Services log. The only other event I see is Event ID 4400 - A LDAP connection with domain controller ... for domain ... is established. Not sure what to check next.
@nate.harris
2 years ago
@adrianmuscat452 This means that Primary Authentication has failed, and thus the Azure MFA extension is saying that since it only performs Secondary Auth it cannot do so since the request it has received is in an Access Reject state. My other video shows how to remove the Registry pointers to the MFA DLLs so that you can test primary authentication only. Once that is working you can add the pointers back and test MFA again: kzitem.info/news/bejne/pn6s14F7o6GjfaA
@TestTest-un7mn
3 years ago
Great video! Many thanks!
@bowersza
1 year ago
Hi Nate! Thank you for this great troubleshooting video. It's really been a great help! I'm trying to move our users over to Azure MFA for VPN - we use Microsoft Routing and Remote Access on Windows 2022 Std - and I just cannot seem to get any MFA option to work. To cut to the chase, we're having an issue whereby the client machine attempting to establish the VPN connection gets rejected BEFORE they can enter the OTP. It appears that the connection is being terminated on the RRAS side, or on the client side. The VPN client terminates with the error: "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server." In this instance, I've checked the VPN client (Windows 11 22H2 using Native VPN) is set to PAP (just to test that all MFA options will work), RRAS server (Windows Server 2022 Std) is set to PAP for Authentication Methods, as well as NPS policies. I've even created a separate Connection Policy to force the RADIUS client to use PAP to make 100% sure. If I disable the MFA extension, the VPN connection succeeds. I've also tested everything per this video and it all checks out. The only error in the log is: NPS Extension for Azure MFA: ErrorCode:: REQUEST_FORMAT_ERROR Msg:: Unable to get a username from the radius request Enter ERROR_CODE @ go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.
I did a Wireshark capture and it appears that my username is being received as part of the Access-Request:
Access-Request id=4
AVP: t=User-Name(1) l=9 val=cbowers
AVP: t=User-Password(2) l=18 val=Encrypted
The Access-Challenge is issued:
RADIUS Protocol
Code: Access-Challenge (11)
Packet identifier: 0x4 (4)
Length: 108
Authenticator: cce9ce56843cb28dcbfcd8cd43b34272
[This is a response to a request in frame 455]
[Time from request: 1.605747000 seconds]
Attribute Value Pairs
AVP: t=Proxy-State(33) l=10 val=0a32168700000038
AVP: t=Reply-Message(18) l=40 val=Enter Your Microsoft verification code
AVP: t=State(24) l=38 val=33303065643364332d396639302d346166642d613034302d626431643032383334366235
and then nothing happens after this besides the connection being terminated. I've done troubleshooting as per your guide, and checked obvious things like timeout settings on RADIUS and the RADIUS settings in RAS which are all set to 90 seconds. I've also logged a support case with Microsoft to help. Do you perhaps have any other ideas? Open to anything at this stage. Thanks again - appreciate your content and channel participation. Chris
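The Access-Challenge quoted in the comment above can be rebuilt byte for byte from the Wireshark fields given there (code 11, id 4, length 108, the authenticator and the three AVPs). The following is an added example, not code from the video, the commenter or Microsoft: a small RFC 2865 packet builder and parser that reconstructs that challenge, refuses packets whose declared lengths do not match the bytes present, and decodes the Reply-Message and State attributes (the State value here is hex-encoded ASCII). It also shows how a RADIUS client verifies a Response Authenticator, which needs the Request Authenticator and the shared secret; the comment does not contain those, so that part uses constructed values (DEMO_SECRET, DEMO_REQUEST_AUTH) that are labelled as such.

```python
import hashlib
import hmac
import struct

# Codes and attribute types that appear in the comment above (RFC 2865 sections 3 and 5).
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 18: "Reply-Message", 24: "State", 33: "Proxy-State"}


def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet: 1-byte code, 1-byte id, 2-byte length, 16-byte
    authenticator, then type/length/value attributes (length includes the 2-byte header)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Parse a RADIUS packet, rejecting length fields that disagree with the bytes
    actually received rather than reading past the end of an attribute."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"declared length {length} does not fit {len(data)} received bytes")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError(f"attribute type {t} has impossible length {l}")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def summarize(data):
    """Return the fields an NPS troubleshooter looks at: the code name and the
    attribute values in readable form (User-Password is never shown)."""
    pkt = parse_packet(data)
    out = {"code": CODE_NAMES.get(pkt["code"], str(pkt["code"])),
           "id": pkt["id"], "length": pkt["length"]}
    for t, v in pkt["attrs"]:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == 2:
            out[name] = "Encrypted"      # obfuscated with the shared secret; do not log it
        elif t == 33:
            out[name] = v.hex()          # Proxy-State is opaque; show as hex like Wireshark does
        elif t == 24:
            out[name] = v.decode("ascii") if v.isascii() else v.hex()  # State: text if printable
        else:
            out[name] = v.decode("ascii", errors="replace")
    return out


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Build an Accept/Reject/Challenge the way a server would, authenticator included."""
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)


def verify_response(data, request_auth, secret):
    """What a RADIUS client must do before acting on a response: recompute the
    Response Authenticator from the request it sent and compare in constant time."""
    pkt = parse_packet(data)
    expected = response_authenticator(pkt["code"], pkt["id"], pkt["attrs"], request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


# Reconstructed from the Wireshark decode quoted in the comment above.
CHALLENGE = build_packet(
    11, 4, bytes.fromhex("cce9ce56843cb28dcbfcd8cd43b34272"),
    [(33, bytes.fromhex("0a32168700000038")),
     (18, b"Enter Your Microsoft verification code"),
     (24, bytes.fromhex("33303065643364332d396639302d346166642d613034302d626431643032383334366235"))])

# Constructed values (not from the comment) used only to demonstrate authenticator checking.
DEMO_SECRET = b"example-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))
DEMO_ACCEPT = build_response(2, 7, [(18, b"Welcome")], DEMO_REQUEST_AUTH, DEMO_SECRET)

if __name__ == "__main__":
    for key, value in summarize(CHALLENGE).items():
        print(f"{key}: {value}")
    print("demo accept verifies:", verify_response(DEMO_ACCEPT, DEMO_REQUEST_AUTH, DEMO_SECRET))
    print("wrong secret verifies:", verify_response(DEMO_ACCEPT, DEMO_REQUEST_AUTH, b"wrong"))
```

Running it prints the challenge exactly as the Wireshark summary shows it (length 108, the Reply-Message prompt, and the State value decoded to a GUID-shaped string), which confirms the server did see the User-Name and reached the MFA step; the failure the comment describes happens after this packet, on the client side. The verify_response check is the reason a RADIUS client silently drops responses when the shared secret on the NAS and on NPS differ, a symptom that otherwise looks like a timeout.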
@nate.harris
1 year ago
It appears you are using one time passcodes (like SMS) for authentication, and the Microsoft VPN client doesn't have a way to let the end user enter that passcode, therefore it just times out and fails. To confirm this change your default authentication method to Authenticator app or Phone call and see if that works. If so then you know it's a limitation on the VPN client as well as this form of MFA. This type of Azure MFA can only use the default method, as it's not a form of Modern Authentication (like a browser popup where you can change the method) so if the default fails then it all fails. Keep me posted on your testing as I'm curious myself.
@danielmkpa9374
2 years ago
Hi thanks for your video.
@ipxadmin
8 months ago
Just in case someone else has the issue, my problem was that the password between the Azure AD and local AD was not synchronized correctly by the Azure AD Connect. As it was a mostly remote user the issue was not obvious... A quick reset on the local AD resolved the issue !!
@NineACESLimited
15 days ago
I get the error message "The user attempted to use an authentication method that is not enabled on the matching network policy."
@danielmkpa9374
2 years ago
Does Wireshark come preinstalled with NPS server?
@nate.harris
2 years ago
No, it is a separate download from Wireshark.org.
@vocker443
4 months ago
My NPS agent goes offline multiple times per year for some issue or another. Today it returns "state Discard". DUO is way simpler and more reliable. I don't think Microsoft gives a shit if on-prem MFA or anything on-prem works anymore.
Comments: 21