Posts Tagged ‘radius’

  • Install a new NPS Server ( cannot be existing as MFA will take over existing requests such as Wifi! ) 
  • Installed Azure AD NPS Plugin and Enroll in Azure AD
  • Add a Radius Client to the NPS server of the IP ( VIP ) of the Netscaler 
  • Add the Radius server in Authentication – Set Timeout to 10Seconds , set Password to MsChapv2 Set NASID to MFA
  • NPS Server Policies

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

VERBOSE: PowerShell meta provider initialization failed.
VERBOSE: PowerShell meta provider initialization failed.
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7302 char:25
+ …     $null = PackageManagement\Import-PackageProvider -Name $script:Nu …
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProv
   ider

 

Run this before

 

To enabled TLS 1.2,  you may need to run this before

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Trying to authenticate a user with their AD credentials and the error displayed

The remote connection was denied because of the username and password combination

In the Event Log on the Meraki 

 

Also saw these errors

msg: invalid DH group 19.
 msg: invalid DH group 20.

msg: failed to begin ipsec sa negotiation.

You need a TLS Certificate on the Domain Controller and Radius server for Communication , run the below powershell 

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This will create a cert for you in Personal / Certificates for the Local Computer

You will need to use the MMC to copy this to the Trusted Root Certification Authorities

 

I also has issues with Radius with the error : msg: failed to begin ipsec sa negotiation.

After following these settings : https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

In the end I had to Clear out the Conditions in the network polices ( Specifically the Calling Station ID ) and re-add

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Setup MFA Server to proxy radius connections between Gateway and Radius server ( Network Policy Server ) 

image

Add the gateway as a Radis Client for the MFA Server

image

Setup Radius Target):

image

Connect Remote Desktop Gateway to MFA server

image

Fix the timeout settings for the request 

Under Remote Radius Server open the TS Gateway Server Group. Then choose edit.

image

Change seconds without response before request is considered dropped to 60 seconds.

image

On the NPS server add MFA server as radius client. So I open the NPS Console on the ADC and add new radius client :

image

Here I have created the MFA Radius client on the ADC:

image

 Connection Request Policies Add MFA server as condition 

image

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)