How to set Proxy settings for Microsoft Network Policy Server (NPS) Radius for Azure / Entra AD MFA
I just worked on a fun one. My customer is spinning up a Microsoft NPS server to proxy authentication requests from RADIUS to Azure / Entra Active Directory. The problem was that when they tested the RADIUS connection, the server never replied. We took a network trace, and sure enough, it never replied. Here's what that looked like in Wireshark.

Why though? The next step that's supposed to happen after the RADIUS request is received is the call out to Entra AD. Here's what that looked like in the trace, overlaid with the RADIUS request.

That's a problem. In packet 129 the NPS server makes the initial TCP connection to login.microsoftonline.com. That is acknowledged with a SYN/ACK in packet 130, and the ACK in packet 131 finishes the three-way TCP handshake successfully. Then in packet 131, the NPS server sends the TLS Client Hello message. That packet is never acknowledged, so the NPS server retransmits it several more times (the packets in black and red). This pattern of succe
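The read of the trace above comes down to two observations: the TCP three-way handshake completes, and then the first TLS record (the Client Hello) is retransmitted without the far side ever answering. The following Python script is an added example, not part of the original post or any Microsoft tooling; it encodes that same reading as a check over a list of packet summaries so the pattern can be recognised mechanically rather than by eye. The `Packet` class, the host labels `nps` and `login.microsoftonline.com`, and the constructed sample flows are all assumptions made for the example; frames 129 through 131 of the blocked flow mirror the handshake described above, while the later frame numbers are invented. A `client-hello-unanswered` verdict tells you only that something between the NPS server and the Internet allows the TCP connection but drops or swallows the TLS handshake, which is consistent with a required outbound proxy or a filtering device; it does not by itself say which.

```python
"""Classify a captured TCP/TLS flow the way the Wireshark trace was read by hand."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Packet:
    no: int                        # Wireshark frame number
    src: str                       # source host label
    dst: str                       # destination host label
    flags: Set[str]                # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    payload: str = ""              # TLS record carried, if any: "ClientHello", "ServerHello"
    retransmission: bool = False   # Wireshark's "[TCP Retransmission]" annotation


def diagnose_flow(packets: Iterable[Packet], client: str, server: str) -> Dict[str, object]:
    """Walk one client->server flow and say how far it got.

    Verdicts:
      tcp-handshake-incomplete  - SYN / SYN,ACK / ACK never completed
      client-hello-unanswered   - handshake done, Client Hello retransmitted,
                                  nothing ever came back from the server
      tls-progressed            - the server answered after the handshake
      inconclusive              - none of the above
    """
    syn = synack = handshake_done = False
    hello_frames: List[int] = []
    retransmissions = 0
    server_after_handshake = 0

    for p in packets:
        c2s = p.src == client and p.dst == server
        s2c = p.src == server and p.dst == client
        if not (c2s or s2c):
            continue  # packet belongs to some other conversation
        if c2s and p.flags == {"SYN"}:
            syn = True
        elif s2c and p.flags == {"SYN", "ACK"}:
            synack = True
        elif c2s and not handshake_done and syn and synack and "ACK" in p.flags and not p.payload:
            handshake_done = True  # bare ACK that closes the three-way handshake
        elif c2s and p.payload == "ClientHello":
            hello_frames.append(p.no)
            if p.retransmission:
                retransmissions += 1
        elif s2c and handshake_done:
            server_after_handshake += 1  # any server traffic after the handshake

    if not handshake_done:
        verdict = "tcp-handshake-incomplete"
    elif hello_frames and server_after_handshake == 0 and retransmissions >= 2:
        verdict = "client-hello-unanswered"
    elif hello_frames and server_after_handshake > 0:
        verdict = "tls-progressed"
    else:
        verdict = "inconclusive"

    return {
        "verdict": verdict,
        "handshake_done": handshake_done,
        "client_hello_frames": hello_frames,
        "retransmissions": retransmissions,
        "server_packets_after_handshake": server_after_handshake,
    }


# Constructed sample data (not from a real capture). Frames 129-131 follow the
# handshake described in the post; the remaining frame numbers are invented.
NPS, ENTRA = "nps", "login.microsoftonline.com"

BLOCKED_FLOW = [
    Packet(129, NPS, ENTRA, {"SYN"}),
    Packet(130, ENTRA, NPS, {"SYN", "ACK"}),
    Packet(131, NPS, ENTRA, {"ACK"}),
    Packet(132, NPS, ENTRA, {"PSH", "ACK"}, "ClientHello"),
    Packet(140, NPS, ENTRA, {"PSH", "ACK"}, "ClientHello", retransmission=True),
    Packet(155, NPS, ENTRA, {"PSH", "ACK"}, "ClientHello", retransmission=True),
    Packet(180, NPS, ENTRA, {"PSH", "ACK"}, "ClientHello", retransmission=True),
]

HEALTHY_FLOW = [
    Packet(1, NPS, ENTRA, {"SYN"}),
    Packet(2, ENTRA, NPS, {"SYN", "ACK"}),
    Packet(3, NPS, ENTRA, {"ACK"}),
    Packet(4, NPS, ENTRA, {"PSH", "ACK"}, "ClientHello"),
    Packet(5, ENTRA, NPS, {"ACK"}),
    Packet(6, ENTRA, NPS, {"PSH", "ACK"}, "ServerHello"),
]

if __name__ == "__main__":
    for name, flow in (("blocked", BLOCKED_FLOW), ("healthy", HEALTHY_FLOW)):
        print(name, diagnose_flow(flow, NPS, ENTRA))
```

Run it as a script and the blocked flow reports `client-hello-unanswered` with three retransmissions and zero server packets after the handshake, while the healthy flow reports `tls-progressed`. Feeding it real data means exporting the relevant conversation from Wireshark and mapping each frame onto a `Packet`; the classification logic does not change.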