hi out there
I have a small problem where I try to autheticate a AnyConnect client trough a ASA agains a Microsoft 2016 NPS server with MFA extensions enabled.
I hit my Network Polici etc - but whatever I try the NPS refuses to authenticate my account and returns simply:
NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State.
Request received for User John with response state AccessReject, ignoring request.
The NPS is defined as a std Radius server with MFA extension - if I permit access without authentication in the Connection Request Policy the MFA
extension nicely prompts for permission on my smartphone and the AnyConnect client connects.
There isnt that much I can configure on the Cisco ASA regarding the AAA Radius server - more or less just enable support for MS CHAPv2 or not...
I am out of ideas right now - what can cause a NPS server to refuse authentication from a Cisco ASA?
Can you share a screenshot of your Connection request policy and Network Policy on the NPS? An example on how to set up the NPS bit is given here:
I had a similar issues setting up AnyConnect with Azure MFA. Follow the link in @Rahul Govindan post to setup NPS without the Azure MFA extensions installed. Once you have that working, follow the link below regarding installing the MFA NPS Extension.
hi - was from my side just a matter of the permitted protocols - have you solved your problem ? if not try to share a screenshot of the different policysettings - then can we probably quickly help you
Can you share what protocol(s) you permitted? Was it a change only on the ASA side? I'm getting this same error with ISE in between the VPN ASA and NPS Extension server.
Which protocols you enabled and which one you disabled. Mine is working partially. When users secondary authentication factor is a phone call it works without issue. But when users use a text code, the ASA is not receiving Radius attribute 25 from the NPS server. That caused an issue with users getting assigned to the wrong group policy.