How to set Proxy settings for Microsoft Network Policy Server (NPS) Radius for Azure / Entra AD MFA
I just worked on a fun one.
My customer is spinning up a Microsoft NPS server to proxy authentication requests from Radius to Azure Entra Active Directory. The problem was, when they tested the radius connection, it would never reply.
We took a network trace, and sure enough, it never replied. Here's what that looked like in Wireshark.
Why though? The next step that's supposed to happen after the radius request is received is the ping out to Entra AD. Here's what that looked like in the trace, overlaid with the radius request.
That's a problem. In packet 129 the NPS server makes the initial TCP connection to login.microsoftonline.com. That's SYN/ACKnowledged in packet 130, and the ACK in packet 131 finishes the three-way TCP handshake successfully. Then in packet 131, the NPS server sends the TLS Client Hello message. That packet is never acknowledged, so the NPS server retransmits it several more times (the packets in black and red.)
This pattern of successful TCP handshake but nothing after the TLS Client Hello or a reset (RST) after the TLS Client Hello is what it looks like when an SSL/TLS inspection firewall is blocking connections to endpoint.
When this occurs, there are three possible solutions:
1. Ask the Firewall team to whitelist/allow the TLS endpoints required for the NPS server. Those endpoints are documented here. Entra MFA Extension for NPS Network requirements (learn.microsoft.com)
2. Abandon all technology and adopt a nomadic or agrarian lifestyle.
3. Configure the NPS server to use a proxy server provided by the firewall team.
My customer chose option 3.
How to configure the NPS MFA extension to use a proxy server:
NPS runs as a service under the SYSTEM account, so forcing it to use a proxy means configuring a proxy for the system account. There are multiple ways to do this, but here's the one that works consistently for me.
1. Configure the proxy settings for your user account with inetcpl.cpl or the System >> Settings >> Proxy tool.
2. Open regedit.exe. Browse down and export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections to a file.
3. Right-click and Edit the registry file you exported, and change HKEY_CURRENT_USER\ to HKEY_USERS\S-1-5-18\. Save that file and import it into the registry.
That fixed it for my customer.
Note that this sets the proxy information for all services running as the local system account. You should think through the impact of this before making that change at 11:00 a.m. on a Friday. ;)
HTH, and Thanks!
Comments