VPN and RADIUS endpoints

If MFA for VPN and RADIUS endpoints is not working, refer to the following troubleshooting points. By default, the NPS extension logs can be found at C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\logs. The logs are stored in idsagent-common.log file.

1. MFA is not prompting, but authentication is successful with primary verification.
2. Access is denied after installing the NPS extension for MFA.
3. Access is denied even after successful MFA.
4. Multiple SecureLink emails are sent, but authentication still fails.
5. Troubleshooting error codes.

1. MFA is not prompting, but authentication is successful with primary verification.

There are multiple possible causes for this issue. Use the steps below to identify and resolve them.

Cause 1: Connectivity issue between Identity360 and the NPS server.

How to check: Look for the error code IDS-4106 in the logs at: C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\logs\idsagent-common.log.

Solution:

• Ensure the NPS server has a stable internet connection with Identity360, then try again.
• If you want users to login, bypassing MFA, during connectivity issues, set the BypassConnectionError flag in the customizations.json file to true.

Cause 2: MFA is not enabled in Identity360.

How to check: In the admin portal, go to Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints and verify if additional authentication factors are enabled.

Solution: Complete the MFA configuration for VPN and RADIUS Endpoints by following the steps here.

Cause 3: User is invalid or not licensed for MFA.

How to check:

• In the admin portal, check if the user exists in Universal Directory > All Users.
• To check if the user is assigned a license, go to Settings > Administration > License Management > Manage License > Licensed Users.

Solution:

• Ensure the user is a valid member of your organization in the Universal Directory.
• Confirm that your organization has purchased the MFA and SSO component in the license subscription.
• Assign an MFA license to the user under Settings > Administration > License Management > Manage License > Unlicensed Users > Assign License.

Cause 4: User is not fully enrolled for the required MFA factors.

How to check: In the admin portal, go to Reports > Universal Directory > MFA Reports > Enrolled Users and check if the user is enrolled for the MFA factors configured in Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints.

Solution:

• Ensure the user is enrolled in the VPN MFA factors that are configured in Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints.
• If you want to deny access to users who have not completed MFA enrollment, enable the Deny VPN login for partially enrolled users option in Advanced Settings.

Cause 5: NPS extension is unable to read OTP or TOTP from the RADIUS request.

How to check:

• Check the logs for the message Empty or no challenge from user.
• If VPN Client Verification is enabled for VPN and RADIUS Endpoints in Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints, ensure that PAP is being used for RADIUS authentication, as non-PAP protocols (EAP or MS-CHAPv2) may cause issues.

Solution:

• VPN Client Verification only supports the PAP protocol. Change the authentication protocol to PAP in both the NPS server and VPN server.
• Alternatively, switch to SecureLink Email Verification, which works with all RADIUS protocols.

Cause 6: Request is bypassed due to NPS extension filtering based on custom settings.

How to check: Look for the error code IDS-4104 in the logs at: C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\logs\idsagent-common.log.

Solution:

• Ensure the isMFAEnabled flag in C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\conf\customizations.json is set to true.
• If you have configured connection request or network policies in customizations.json, use Event Viewer to check if VPN or RADIUS requests meet the defined conditions:
  • Open Event Viewer.
  • Navigate to Custom Views > Server Roles > Network Policy and Access Services.
  • Verify that the validated policy aligns with the configured policies.

2. Access is denied after installing the NPS extension for MFA.

There are multiple possible causes for this issue. Use the steps below to identify and resolve them.

Cause 1: Connectivity issue between Identity360 and the NPS server.

How to check: Look for the error code IDS-4106 in the logs at: C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\logs\idsagent-common.log.

Solution:

• Ensure the NPS server has a stable internet connection with Identity360, then try again.
• If you want users to login, bypassing MFA, during connectivity issues, set the BypassConnectionError flag in the customizations.json file to true.

Cause 2: User is not fully enrolled for the required MFA factors.

How to check: Go to Reports > Universal Directory > MFA Reports > MFA Attempts and check if the status shows a not enrolled error.

Solution:

• Ensure that the user is enrolled for the required VPN MFA factors.
• If you want to allow login for users who have not yet enrolled in MFA, temporarily disable the Deny VPN login for partially enrolled users option in Advanced Settings. This does not apply to passwordless authentication.

Cause 3: Incorrect passwordless authentication configuration.

How to check: If the NPS extension was installed before enabling passwordless authentication in Identity360, the configuration may be incomplete, leading to VPN access issues.

Solution: Reinstall the NPS extension after enabling passwordless authentication in Identity360 under Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints to ensure proper configuration.

Cause 4: Access is denied when passwordless Authentication is enabled.

How to check:

• In the admin portal, go to Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints and check if the Enable passwordless verification using Identity360 checkbox is enabled.
• If enabled, check if any of the issues listed in MFA is not prompting, but authentication is successful with primary verification are occurring.

Solution: Follow the corresponding solutions to resolve the issue.

3. Access is denied even after successful MFA.

Cause: When using VPN Client Verification, the RADIUS attributes configured in the network policy of the NPS server are not sent to the RADIUS client, such as a VPN or endpoint server. This can result in incorrect access levels, giving the user too much access, too little access, or no access at all.

Solution: Instead of relying on the NPS server to send RADIUS attributes, enable the Send additional RADIUS attributes to the VPN server after successful authentication option under Advanced Settings to ensure that the correct RADIUS attributes are sent to the VPN server after MFA, allowing the right access permissions to be applied.

4. Multiple SecureLink emails are sent, but authentication still fails.

Cause: The RADIUS client, such as a VPN or endpoint server is stopping the MFA process due to minimal RADIUS timeout settings.

Solution: Check the RADIUS authentication timeout settings on both the RADIUS client (VPN server or other RADIUS clients) and the RADIUS server (NPS). The timeout should be longer than the MFA session time set for VPN in Identity360. For detailed steps, refer to the Advanced Settings document.

Troubleshooting error codes