Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Renante_Era
Staff
Staff

Created on ‎12-01-2023 09:57 AM Edited on ‎01-14-2025 07:13 AM By Moderator

Article Id 287175

Troubleshooting Tip: Failed authentication when connecting to RADIUS NPS with Microsoft NPS extension for Azure MFA

Description This article describes how to resolve an authentication issue when FortiGate is authenticating through RADIUS NPS with Microsoft Entra multifactor Authentication via Azure. 
Scope FortiGate 7.2+
Solution

There are several instances where a system administrator may integrate FortiGate authentication through Network Policy Server (NPS) infrastructure with Microsoft Entra multifactor authentication. For instance, endpoints are able to connect to SSL VPN via RADIUS NPS then after several years or months, end-users are unable to connect to SSL VPN even though they did not make any changes.

 

Troubleshooting steps:

  1. Confirm that the authentication request reaches the FortiGate by running the following commands in the FortiGate. CLI:

diag debug console timestamp enable

diag debug res

diag debug application fnbamd -1

diag debug application authd -1

diag debug enable

diag test authserver radius <serverName> <scheme> <username> <password>

diag debug disable 

 

It should be possible to see that RADIUS Access-Request traffic reached the FortiGate, but the RADIUS is not sending a reply. Confirm this by analyzing the packet reaching the RADIUS server, such as by using Wireshark.

For example: diagnose sniffer packet <interface_name> <'filter'> <verbose> <count> <tsformat>.


diagnose sniffer packet port1 port 1812

Refer to this document: Packet capture.

 

  1. Verify that the NPS extension for Azure MFA was installed on the RADIUS server. To do so, open a Windows command prompt and enter the following:


appwiz.cpl

 

  1. Confirm the certificate validity through the certificate store if necessary.

  2. After confirming certificate validity, it should be possible to resolve the issue by renewing the self-signed certificate through the use of a PowerShell script located at C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is the installation drive).

 

The script will create a self-signed certificate, associate the public key with the service principal on Microsoft Entra ID, store the certificate in the local machine certificate store, grant access to the certificate's private key to the Network User, and finally, restart the NPS service. See this article for more information.

 

Additional steps for systems that use the Microsoft Azure Government:

  1. Connect to the NPS servers and launch a Windows command prompt, then enter the following:


regedit.msc

 

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.

Registry key

Value

AZURE_MFA_HOSTNAME

strongauthenticationservice.auth.microsoft.us

AZURE_MFA_RESOURCE_HOSTNAME

adnotifications.windowsazure.us

STS_URL

https://login.microsoftonline.us/

 

  1. Restart the NPS service on Microsoft Windows Server via services.msc
1382
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.