See my blog post on Configure Radius/VPN server with NPS. There are some differences you need to make.
The blogpost was about Radius and RAS and NPS all on the same server. Well, the MFA extension for NPS which you have to install will cause your RAS service to crash. You have to install RAS on another server. Make sure that you set the secret and that you declare this new RAS server as a Radius client on the NPS server.
If your organization is going to use a VPN client that does not have an interface to enter text then you should select Phone Call as your default MFA authentication method rather than Text. Go back to the MFA setup and change it. Admins should take note of this. For this blog we will use the Windows 10 VPN client so we will use phone call.
On a separate server from your NPS/Radius server install RAS/VPN. This Msft doc has steps for the RAS/VPN server setup.
Implement the Azure MFA NPS Extension
To implement the Azure MFA NPS Extension –
- Download the NPS Extension from the Microsoft Download Center
- Copy the binary to the Network Policy Server you want to configure
Run setup.exe and follow the installation instructions
If you encounter errors, double-check that the following two libraries are installed –
The installer creates a PowerShell script in this location: C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)
- Open an elevated PowerShell prompt
cd “C:\Program Files\Microsoft\AzureMfa\Config”
- When prompted, sign in as your Azure Active Directory tenant, global administrator
- When prompted, provide the tenant ID (Directory ID)
- Restart the NPS server
Go to your Windows 10 Client and Add a VPN connection to the Server using the credentials of the user that is the VPN group. You will get a call and once you verify, you will be connected.