Microsoft 2016 NPS with Azure MFA extension refuses authentication for ASA and AnyConnect

tiwang
Level 3

hi out there

I have a small problem where I try to authenticate an AnyConnect client through an ASA against a Microsoft 2016 NPS server with the MFA extension enabled.

I hit my Network Policy etc. - but whatever I try, the NPS refuses to authenticate my account and simply returns:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State.
Request received for User John with response state AccessReject, ignoring request.

The NPS is defined as a standard RADIUS server with the MFA extension - if I permit access without authentication in the Connection Request Policy, the MFA
extension nicely prompts for permission on my smartphone and the AnyConnect client connects.
There isn't that much I can configure on the Cisco ASA regarding the AAA RADIUS server - more or less just enable support for MS-CHAPv2 or not...

I am out of ideas right now - what can cause an NPS server to refuse authentication from a Cisco ASA?

br ti

6 Replies

Rahul Govindan
VIP Alumni

Can you share a screenshot of your Connection request policy and Network Policy on the NPS? An example on how to set up the NPS bit is given here:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

I am also experiencing this issue. I've tried everything I've found via Google and nothing's working. I'd love to know what I'm missing.

I had similar issues setting up AnyConnect with Azure MFA. Follow the link in @Rahul Govindan's post to set up NPS without the Azure MFA extension installed. Once you have that working, follow the link below regarding installing the MFA NPS Extension.

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Hi - on my side it was just a matter of the permitted protocols - have you solved your problem? If not, try to share a screenshot of the different policy settings - then we can probably help you quickly.
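The extension message quoted in the original post ("response state AccessReject, ignoring request") means NPS had already rejected the request before the Azure MFA extension got to run, so the real reason is in the NPS Security event 6273 ("Network Policy Server denied access to a user") for the same user, and reason code 66 is the "permitted protocols" case from the reply above. The following triage helper is an added example, not code from the thread or from Microsoft or Cisco. It pairs the extension line with a 6273 event, reads the Authentication Type and Reason Code fields, and prints what to change. The policy name `AnyConnect-MFA`, the client friendly name `ASA-VPN` and the sample event text are constructed for the example; the reason-code texts are the ones Windows writes into the event, and the ASA note (PAP unless `mschapv2-capable` is set on the aaa-server host and `password-management` on the tunnel-group) follows Cisco's ASA RADIUS documentation.

```python
"""
Triage helper for "AccessReject, ignoring request" from the Azure MFA NPS extension.
The extension only performs the second factor after NPS itself returned Access-Accept,
so this pairs the extension line with the NPS Security event 6273 for the same user
and turns the reason code into an actionable fix.  Added example; not from the thread.
"""
import re
from typing import Optional

# Subset of NPS event 6273 reason codes, with the Reason text Windows writes.
REASON_CODES = {
    8: "The specified user account does not exist.",
    16: "Authentication failed due to a user credentials mismatch.",
    21: "An NPS extension DLL rejected the connection request.",
    48: "The connection request did not match any configured network policy.",
    49: "The connection request did not match any configured connection request policy.",
    65: "Network Access Permission on the AD account is set to Deny access.",
    66: "The user attempted to use an authentication method that is not enabled on the matching network policy.",
}

# The extension line from the thread, with the user name captured.
EXT_IGNORED = re.compile(
    r"Request received for User (?P<user>\S+) with response state AccessReject, ignoring request"
)


def parse_6273(text: str) -> dict:
    """Extract the fields that matter from a 6273 'denied access' event message."""
    fields = {}
    for key in ("Account Name", "Client Friendly Name", "Authentication Type",
                "Network Policy Name", "Reason Code"):
        m = re.search(rf"^\s*{re.escape(key)}:\s*(.*?)\s*$", text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    if "Reason Code" in fields:
        fields["Reason Code"] = int(fields["Reason Code"])
    return fields


def _bare_user(name: str) -> str:
    """'CONTOSO\\john' or 'john@contoso.com' -> 'john', lower-cased for comparison."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def remediation(fields: dict) -> str:
    """Map the 6273 reason code (plus auth type and policy) to the change to make."""
    code = fields.get("Reason Code")
    auth = fields.get("Authentication Type", "unknown")
    policy = fields.get("Network Policy Name", "<unmatched>")
    if code == 66:
        return (f"Network policy '{policy}' does not allow {auth}. Either tick {auth} under "
                "Constraints > Authentication Methods, or change what the ASA sends: the ASA uses "
                "PAP unless 'mschapv2-capable' is set on the aaa-server host and "
                "'password-management' on the tunnel-group.")
    if code == 16:
        return ("Primary credentials were rejected before MFA ran. Check the password, and confirm "
                "the RADIUS shared secret matches on ASA and NPS: with PAP a wrong secret garbles "
                "the password instead of failing loudly.")
    if code in (48, 49):
        return ("No policy matched. Compare the policy conditions (NAS IPv4 Address, Client Friendly "
                "Name, Windows Groups) with what the ASA actually sends.")
    if code == 65:
        return ("Set Network Access Permission on the AD account's Dial-in tab to "
                "'Control access through NPS Network Policy'.")
    return REASON_CODES.get(code, "See the Reason text in the 6273 event.")


def diagnose(extension_line: str, event_text: str) -> Optional[dict]:
    """Pair an 'ignoring request' line with the 6273 event for the same user; None if no match."""
    m = EXT_IGNORED.search(extension_line)
    if not m:
        return None
    fields = parse_6273(event_text)
    if _bare_user(fields.get("Account Name", "")) != _bare_user(m["user"]):
        return None  # different user: do not pair unrelated events
    return {
        "user": m["user"],
        "auth_type": fields.get("Authentication Type"),
        "policy": fields.get("Network Policy Name"),
        "reason_code": fields.get("Reason Code"),
        "reason": REASON_CODES.get(fields.get("Reason Code"), "unknown"),
        "fix": remediation(fields),
    }


# Constructed sample input: the extension message quoted in the thread, plus a 6273 event
# in the shape Windows writes it.  Policy name and client name are hypothetical.
SAMPLE_EXTENSION_LINE = (
    "NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth "
    "for Radius requests in AccessAccept State. Request received for User John with response "
    "state AccessReject, ignoring request."
)
SAMPLE_6273 = """\
Network Policy Server denied access to a user.
User:
\tAccount Name:\t\t\tCONTOSO\\john
Client Machine:
\tClient Friendly Name:\t\tASA-VPN
Authentication Details:
\tNetwork Policy Name:\t\tAnyConnect-MFA
\tAuthentication Type:\t\tPAP
\tReason Code:\t\t\t66
\tReason:\t\t\t\tThe user attempted to use an authentication method that is not enabled on the matching network policy.
"""

if __name__ == "__main__":
    result = diagnose(SAMPLE_EXTENSION_LINE, SAMPLE_6273)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real NPS server the 6273 text comes from the Security log (Get-WinEvent with Id 6273) and the extension line from the AzureMfa AuthZ/AuthN logs under Applications and Services Logs. Which protocol you end up permitting also constrains the second factor: Microsoft's NPS extension documentation (linked in the reply above) lists PAP as supporting all Azure MFA methods, while CHAPv2 and EAP support only phone call and mobile app notification.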

Hi Tiwang,

Can you share what protocol(s) you permitted? Was it a change only on the ASA side? I'm getting this same error with ISE in between the VPN ASA and NPS Extension server.

Thanks,
Mark

Hi

Which protocols did you enable and which ones did you disable? Mine is working partially. When the user's secondary authentication factor is a phone call, it works without issue. But when users use a text code, the ASA is not receiving RADIUS attribute 25 from the NPS server. That caused an issue with users being assigned to the wrong group policy.
