FortiGate
Renante_Era
Staff
Article Id 287175
Description This article describes how to resolve an authentication failure that occurs when FortiGate authenticates users through a RADIUS NPS server that uses Microsoft Entra multifactor authentication (Azure MFA).
Scope FortiGate 7.2+
Solution

A common deployment integrates FortiGate authentication with a Network Policy Server (NPS) RADIUS infrastructure that runs the Microsoft Entra multifactor authentication extension. A typical symptom in such a setup: endpoints have been connecting to SSL VPN through RADIUS/NPS for months or years, then end-users are suddenly unable to connect even though nothing was changed on the FortiGate or the clients.


Troubleshooting steps:

  1. Confirm that the authentication request reaches the FortiGate by running the following commands in the FortiGate CLI:

di de res

di de app fnbamd -1

di de en

di test authserver radius <serverName> <scheme> <username> <password>

di de dis <- Disable the debug after the debug output has been collected.


The debug output should show that the FortiGate sends the RADIUS Access-Request, but the RADIUS server never returns a reply (no Access-Accept or Access-Reject). Confirm this on the RADIUS server side by capturing the packets that arrive there, for example with Wireshark.

  2. Verify that the NPS extension for Azure MFA is installed on the RADIUS server. To do so, open a Windows command prompt and enter the following:

appwiz.cpl

  3. Check whether the certificate used by the NPS extension is still valid in the local machine certificate store; an expired certificate is the usual reason the RADIUS server stops replying.

  4. If the certificate has expired, renew the self-signed certificate by running the PowerShell script located at C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is the installation drive).

The script creates a new self-signed certificate, associates its public key with the service principal in Microsoft Entra ID, stores the certificate in the local machine certificate store, grants the Network User access to the certificate's private key, and finally restarts the NPS service. See this article for more information.

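The checks in steps 2 to 4 can be scripted on the NPS server so that an expiring extension certificate is noticed before users lose SSL VPN access. The following PowerShell script is an added example, not code from the Fortinet article or from Microsoft's NPS extension package. It assumes (and these are assumptions, not facts from the article) that the extension registers an uninstall entry whose display name contains "NPS Extension", that the certificate it uses carries "OU=Microsoft NPS Extension" in its subject, and that the NPS service name is IAS. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Fortinet article): health check for the Azure MFA
# NPS extension on the RADIUS/NPS server. Run in an elevated PowerShell session.
# Assumptions (not stated by the article): the uninstall entry's DisplayName contains
# "NPS Extension", the extension certificate's subject contains
# "OU=Microsoft NPS Extension", and the NPS service is named IAS.
param(
    [int]$WarnDays = 30   # warn when the certificate expires within this many days
)

$result = [ordered]@{}

# 1. Is the NPS extension installed? Read the same uninstall registry data that
#    appwiz.cpl displays (64-bit and 32-bit views).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ext = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*NPS Extension*' } |
       Select-Object -First 1
$result.ExtensionInstalled = [bool]$ext
$result.ExtensionVersion   = if ($ext) { $ext.DisplayVersion } else { $null }

# 2. Certificate the extension uses towards Microsoft Entra ID. If several exist
#    (e.g. after a renewal), report the one with the latest expiry.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*OU=Microsoft NPS Extension*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if ($cert) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $result.CertSubject    = $cert.Subject
    $result.CertThumbprint = $cert.Thumbprint
    $result.CertNotAfter   = $cert.NotAfter
    $result.CertDaysLeft   = $daysLeft
    $result.CertStatus     = if ($daysLeft -lt 0) { 'EXPIRED' }
                             elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                             else { 'OK' }
} else {
    $result.CertStatus = 'MISSING'
}

# 3. NPS service state. A stopped service also produces "no RADIUS reply".
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
$result.NpsServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NOT FOUND' }

# 4. Folder that holds the renewal script mentioned in the article.
$result.ConfigFolderPresent = Test-Path 'C:\Program Files\Microsoft\AzureMfa\Config'

[pscustomobject]$result | Format-List

# Non-zero exit so the script can run from a scheduled task or a monitoring agent.
if ($result.CertStatus -ne 'OK' -or -not $result.ExtensionInstalled) { exit 1 }
```

Scheduling this daily with a non-zero exit alert gives roughly a month of warning before the certificate expiry that causes the silent RADIUS failure described above; the renewal itself is still done with the script in the Config folder.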

Additional step for systems that use the Microsoft Azure Government:

  1. Connect to the NPS servers and launch a Windows command prompt, then enter the following:

regedit


  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa and set the following values:

Registry key                  Value
AZURE_MFA_HOSTNAME            strongauthenticationservice.auth.microsoft.us
AZURE_MFA_RESOURCE_HOSTNAME   adnotifications.windowsazure.us
STS_URL                       https://login.microsoftonline.us/


  3. Restart the NPS service on Microsoft Windows Server via services.msc.
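The Azure Government registry step above can be verified and applied with PowerShell instead of editing the values by hand in regedit. The script below is an added example, not code from the Fortinet article or from Microsoft; the three values are the ones listed in the article's table. It assumes the NPS service name is IAS (an assumption, not stated in the article). By default it only reports drift; pass -Apply to write the values and -RestartNps to restart the service afterwards, which is the article's final step.

```powershell
# Added example (not from the Fortinet article): verify, and optionally correct, the
# three Azure Government endpoint values under HKLM\SOFTWARE\Microsoft\AzureMfa.
# Run elevated. Without -Apply the script is read-only and only reports drift.
# Assumption (not stated in the article): the NPS service is named IAS.
param(
    [switch]$Apply,
    [switch]$RestartNps
)

$keyPath  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
# Values from the article's registry table for Microsoft Azure Government.
$expected = [ordered]@{
    AZURE_MFA_HOSTNAME          = 'strongauthenticationservice.auth.microsoft.us'
    AZURE_MFA_RESOURCE_HOSTNAME = 'adnotifications.windowsazure.us'
    STS_URL                     = 'https://login.microsoftonline.us/'
}

if (-not (Test-Path $keyPath)) {
    Write-Error "Registry key $keyPath not found; is the NPS extension installed on this server?"
    exit 1
}

$current = Get-ItemProperty -Path $keyPath
$report  = @()
$drift   = @()
foreach ($name in $expected.Keys) {
    $actual = $current.$name          # $null when the value does not exist yet
    $ok     = ($actual -eq $expected[$name])
    $report += [pscustomobject]@{
        Name     = $name
        Expected = $expected[$name]
        Actual   = $actual
        Match    = $ok
    }
    if (-not $ok) { $drift += $name }
}
$report | Format-Table -AutoSize

if ($drift.Count -eq 0) {
    Write-Host 'All Azure Government endpoint values are set as expected.'
    exit 0
}

if (-not $Apply) {
    Write-Warning "Drift in: $($drift -join ', '). Re-run with -Apply to correct."
    exit 2
}

foreach ($name in $drift) {
    # REG_SZ string values, matching the article's table.
    Set-ItemProperty -Path $keyPath -Name $name -Value $expected[$name] -Type String
    Write-Host "Set $name = $($expected[$name])"
}

# The article's last step: restart NPS so the extension picks up the new endpoints.
if ($RestartNps) { Restart-Service -Name IAS -Force }
```

Running the script without switches is safe on a production NPS server: it exits 0 when the values match, 2 when they differ, and writes nothing.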