h4x
just joined
Topic Author
Posts: 5
Joined: Sat Mar 24, 2018 6:12 am

IKE2 NPS Authentication with Azure MFA

Sun Mar 29, 2020 12:54 pm

I currently run a Windows NPS server with the Azure MFA plugin and it works perfectly for SSTP and L2TP Authentication.

In looking to remove the use of the shared IPSec secret, I attempted to get IKEv2 Radius authentication working; however, it doesn't seem to work. In the NPS logs, the following is printed:

"NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User <username> with response state AccessReject, ignoring request."

This message also appears if attempting to perform Radius authentication using OpenVPN.

Along with the inability to set the mode-config for IKE2 authentication, this is currently limiting me from removing the need for L2TP.
 
pe1chl
Forum Guru
Posts: 6523
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKE2 NPS Authentication with Azure MFA

Sun Mar 29, 2020 2:39 pm

What do you mean by "inability to set the mode-config for IKE2 authentication"? I have that working. You can set the mode-config in the identity used for IKE2 access.
The other problem seems more of a problem in Windows; try asking about it in the relevant Microsoft forums...
 
h4x
just joined
Topic Author
Posts: 5
Joined: Sat Mar 24, 2018 6:12 am

Re: IKE2 NPS Authentication with Azure MFA

Sun Mar 29, 2020 2:56 pm

> What do you mean by "inability to set the mode-config for IKE2 authentication"? I have that working. You can set the mode-config in the identity used for IKE2 access.
> The other problem seems more of a problem in Windows; try asking about it in the relevant Microsoft forums...

What I mean is that it's currently not possible to dynamically set the mode-config using attributes from Radius. Unless that's undocumented.

RouterOS works fine with NPS when using L2TP or SSTP but fails with OpenVPN or IKE2 so there must be something different to the way the radius client authenticates for these two protocols compared to the ones that work.
 
pe1chl
Forum Guru
Posts: 6523
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKE2 NPS Authentication with Azure MFA

Sun Mar 29, 2020 9:34 pm

I intended to try radius authentication for IKE2 and of course the first thing I noticed is that there is no documentation for radius attributes sent and expected...
But I abandoned the experiment when I found the clients I wanted to use do not support EAP authentication, which made it kind of useless.
For now I use PSK with ID (with an identity per user) and for this setup it would be possible to have a different mode-config for each user. But I do not require it.
(To my disappointment, a more complicated mode-config does not work with my client either... bummer!)
 
mladeng
just joined
Posts: 1
Joined: Tue Feb 11, 2020 8:39 pm

Re: IKE2 NPS Authentication with Azure MFA

Wed May 20, 2020 5:19 pm

> I currently run a Windows NPS server with the Azure MFA plugin and it works perfectly for SSTP and L2TP Authentication.
>
> In looking to remove the use of the shared IPSec secret, I attempted to get IKEv2 Radius authentication working; however, it doesn't seem to work. In the NPS logs, the following is printed:
>
> "NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User <username> with response state AccessReject, ignoring request."
>
> This message also appears if attempting to perform Radius authentication using OpenVPN.
>
> Along with the inability to set the mode-config for IKE2 authentication, this is currently limiting me from removing the need for L2TP.

Can you please help me with configuring Azure MFA with L2TP? My radius authentication was working fine, but when I install NPS extensions it stops working.
What is your setting for type of network access server: Unspecified or Remote access server (VPN)?
I receive the same error as yours:
NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User test with response state AccessReject, ignoring request.
and
NPS Extension for Azure MFA: NPS AuthN extension bypassed for User test-azure with response state AccessReject
