Forum Discussion
VPN Integration with Network Policy Server (NPS) RADIUS Accounting?
Hello,
Looking to integrate our 3rd party VPN solution with MSFT Defender for Identity.
The solution is using Microsoft's Network Policy Server (NPS) for authentication, and there are options inside NPS's Connection Request Policies for forward RADIUS accounting logs.
I have this configured and enabled the VPN RADIUS Accounting settings in MSFT Defender for Identity but I am not getting anything or "Accessed VPN locations".
I read on here about making sure the <User-Name data_type="1"></User-Name> field forwarded by NPS matches the user UPN. In my case it was realm\user and using regex I changed this to mailto:user@domain.com which matches the AD UPN attribute.
However I am not getting any data.
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/always-on-vpn-integration/m-p/2071568
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/atp-and-vpn-integration-vpn-login-with-upn/m-p/1346577
Here is the event when NPS is configured to dump to log file.
<Event><Timestamp data_type="4">09/22/2021 06:28:30.133</Timestamp><Computer-Name data_type="1">XXXXX</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-Identifier data_type="1">XXXXX</NAS-Identifier><Calling-Station-Id data_type="1">XXXXX</Calling-Station-Id><Client-IP-Address data_type="3">172.16.XXX.XXX</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XXXXX</Client-Friendly-Name><Proxy-Policy-Name data_type="1">XXXXX</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><User-Name data_type="1">user@domain.com</User-Name><SAM-Account-Name data_type="1">XXXXX</SAM-Account-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Class data_type="1">311 1 172.16.XXX.XXX 08/30/2021 07:33:12 1463</Class><Authentication-Type data_type="0">8</Authentication-Type><Fully-Qualifed-User-Name data_type="1">XXXXX</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>6 Replies
- EliOfek
Microsoft
See some details here about the needed RADIUS format:
https://docs.microsoft.com/en-us/defender-for-identity/install-step6-vpn
If it's still not helping, open a support case, support can give you best effort support to show you what is "broken" in the format that will cause MDI to ignore the message.
Make sure to have a network trace ready containing the radius messages sent to the sensor.It looks like the NPS server is not forwarding accounting messages to the DC based on wireshark data, we use the Azure MFA extensions and I read somewhere because of this it can't forward them.
Is there a way to feed this data into identity protection by other means? We have the NPS accounting logs on disk in DTS Compliant format.In MCAS we can upload logs (https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker), can we upload the NPS logs and have that tied to the "Accessed VPN Locations"?
- EliOfekSadnly no, Radius messages (properly formatted) are currently the only way.
