RndMaster-29 asked ·

NPS extension MFA - Twice - verification call

We integrated the NPS extension with Palo Alto VPN, and we are able to authenticate to the VPN using MFA. However, we get the verification call, SMS, OTP and app verification twice when connecting to the VPN.
There is a 30-second lag between the 1st and 2nd MFA authentication.

The timeout value is set to 60 sec on Palo Alto with 1 retry only, and we are still experiencing the same issue.

In NPS, we are getting the error below:

**Reason Code: 9**
**Reason: The request was discarded by a third-party extension DLL file.**

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request.

I have tried all the suggestions on the Internet, but no luck.

Has anyone experienced this issue, or does anyone have any suggestions?

azure-active-directory azure-ad-multi-factor-authentication

The environment has 2 domains in a single forest (DomainA and DomainB). All users are in DomainA and the NPS server is in DomainB.

Do you think it would be the issue for the NPS? Do we need to move NPS to DomainB?

amanpreetsingh-msft answered ·

Hi @RndMaster-29 · Thank you for reaching out.

I have worked on similar issues where multiple verification calls were being made due to a mismatch in the Pre-Shared Key. I would suggest that you review the configuration from scratch and make sure the PSK is entered wherever required and is configured with the same value.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Thanks @amanpreetsingh-msft for your message. I am using PAP for authentication, so no certificate is required. I tried cleaning up the NPS configuration / uninstall-reinstall of the NPS Extension with the same outcome.

RNDMaster-1939 answered ·

I found that Palo Alto is sending authentication twice to the Radius server. It could be the cause of the issue. I have started working with Network resources to look at the Palo Alto configuration. I will update you once I have any further update.

Thanks,
Priyavert

RNDMaster-1939 answered ·

Issue Resolved...


It was at the Palo Alto end.

Palo Alto was sending multiple requests to Radius for NPS authentication. We configured the Palo Alto Portal and Gateway to enable cookies using a self-signed certificate to fix the issue. Below are the links discussing the same issue:

How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)
https://www.youtube.com/watch?v=XdUfLzLK_5A

Why are users receiving multiple Duo Push authentication requests while logging in to Palo Alto PAN-OS?
https://help.duo.com/s/article/2054?language=en_US

Palo Alto Global Protect configuration with Two factor Authentication
https://www.youtube.com/watch?v=it4rzLkcOWk
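
One way to confirm the diagnosis in the answer above (the VPN sending more than one RADIUS request per login), as an added example that is not part of the original thread: group Access-Requests per user and NAS and report runs that arrive within the 60-second timeout mentioned in the question. The CSV layout, field names and sample rows are constructed assumptions, not NPS's native log format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one row per RADIUS Access-Request received by NPS.
# The CSV layout is an assumption for this example, not NPS's native log format.
SAMPLE = """\
time,user,nas_ip
2021-03-01T09:00:02,alice,10.0.0.1
2021-03-01T09:00:31,alice,10.0.0.1
2021-03-01T09:05:10,bob,10.0.0.1
2021-03-01T09:40:00,alice,10.0.0.1
2021-03-01T10:15:00,carol,10.0.0.1
2021-03-01T10:15:29,carol,10.0.0.1
2021-03-01T10:15:58,carol,10.0.0.1
"""


def find_repeated_requests(csv_text, window_seconds=60):
    """Group requests per (user, NAS) and report runs where each request
    follows the previous one within window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["user"], row["nas_ip"])
        by_key[key].append(datetime.fromisoformat(row["time"]))

    bursts = []
    for (user, nas_ip), times in by_key.items():
        times.sort()
        run = [times[0]]
        # The trailing None flushes the last run.
        for t in times[1:] + [None]:
            if t is not None and t - run[-1] <= window:
                run.append(t)
                continue
            if len(run) > 1:  # more than one request for a single login
                bursts.append({
                    "user": user,
                    "nas_ip": nas_ip,
                    "first": run[0].isoformat(),
                    "requests": len(run),
                    "span_seconds": int((run[-1] - run[0]).total_seconds()),
                })
            run = [t]
    return sorted(bursts, key=lambda b: b["first"])


if __name__ == "__main__":
    for burst in find_repeated_requests(SAMPLE):
        print(burst)
```

A user who appears with two or more requests about 30 seconds apart from the same NAS matches the double-prompt pattern described in the question; after the portal and gateway cookie change, the same check should return no runs for normal logins.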
